< ciso
brief />
Tag Banner

All news with #active exploitation tag

686 articles · page 16 of 35

CISA: RESURGE Malware Can Remain Dormant on Ivanti Devices

🔒 CISA warns that the RESURGE implant can remain latent on Ivanti Connect Secure devices, evading detection by awaiting a specific inbound TLS connection rather than beaconing to a command-and-control server. The 32-bit Linux Shared Object libdsupgrade.so hooks the web process, inspects TLS packets using a CRC32 fingerprint, and authenticates attackers with a forged Ivanti certificate. The agency notes related tools like liblogblock.so for log tampering and a kernel extraction script, and it urges administrators to use updated IoCs and hashes to discover and remove dormant infections.
read more →

Maximum-Severity Cisco SD-WAN Zero-Day Actively Exploited

🔒 A maximum-severity vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS 10.0), lets an unauthenticated remote attacker bypass authentication and obtain elevated administrative privileges by sending a crafted request. Cisco reports active exploitation across on-prem and Cisco-hosted deployments by a sophisticated actor identified as UAT-8616, with malicious activity dating to 2023. Customers should apply vendor fixes immediately, audit /var/log/auth.log for unexpected "Accepted publickey for vmanage-admin" entries, and follow CISA emergency guidance.
read more →

Five Eyes Emergency Directive: Exploited Cisco SD-WAN

⚠️ Federal and allied cybersecurity agencies issued an emergency directive after Cisco Talos disclosed active exploitation of a critical flaw in Cisco Catalyst SD-WAN controllers (CVE-2026-20127). The vulnerability allows unauthenticated attackers to bypass authentication and gain administrative access to SD‑WAN control-plane components. Cisco has released patches with no workarounds; CISA and Five Eyes partners urge immediate patching, inventorying of in-scope systems, log collection and active hunting for compromise.
read more →

Critical Cisco SD-WAN Authentication Bypass Exploited

⚠️ Cisco warns of a critical authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127) that has been exploited in zero-day attacks beginning in 2023. The flaw allows attackers to authenticate as a high-privileged non-root account, add rogue peers, and manipulate NETCONF to alter SD-WAN fabric configuration. Cisco and partners report active exploitation, and vendors have issued software updates; there are no full workarounds, so immediate patching and hardening are urged.
read more →

Active Exploitation of Cisco SD‑WAN Controller by UAT‑8616

🔒 Cisco Talos reports active exploitation of CVE-2026-20127 in Cisco Catalyst SD-WAN Controller, enabling unauthenticated attackers to bypass authentication and obtain administrative privileges. Talos attributes the activity to a sophisticated actor tracked as UAT-8616 and finds evidence dating to 2023, including software downgrades and subsequent exploitation of CVE-2022-20775 to escalate to root. Customers are urged to follow vendor advisories, validate control peering events, and apply the detection and remediation guidance provided.
read more →

App Exploits Surge as AI Accelerates Vulnerability Use

⚠️ IBM X-Force warns of a 44% increase in attacks exploiting public-facing applications in 2025, driven by missing authentication controls and AI-enabled vulnerability scanning. Vulnerability exploitation accounted for 40% of incidents, while ransomware and extortion groups grew 49% year over year. The report highlights AI is speeding reconnaissance and exploitation and that supply chain compromises have nearly quadrupled since 2020.
read more →

Zyxel Issues Patch for Critical UPnP RCE Affecting Routers

🔐 Zyxel has released updates for a critical UPnP command-injection flaw tracked as CVE-2025-13942 that can allow unauthenticated remote attackers to execute operating system commands on affected routers, CPEs, ONTs, and extenders. Successful exploitation requires both UPnP and WAN access to be enabled; WAN access is disabled by default on these devices. Zyxel also patched two high-severity post-authentication command-injection bugs (CVE-2025-13943, CVE-2026-1459) and strongly urges administrators to apply firmware updates promptly.
read more →

CISA Emergency Directive: Mitigate Cisco SD‑WAN Risks

⚠ CISA issued Emergency Directive 26-03 requiring immediate mitigation of critical vulnerabilities in Cisco SD‑WAN systems, citing exploitable flaws including CVE-2026-20127 and CVE-2022-20775. Agencies must inventory systems, collect virtual snapshots and logs, apply patches, hunt for evidence of compromise, and implement vendor hardening guidance. CISA will monitor compliance, provide technical assistance, and deliver additional resources as needed. The directive is supported by the NSA, ASD’s ACSC, Canada’s Cyber Centre, NCSC-NZ, and NCSC-UK.
read more →

CISA and Partners: Guidance on Cisco SD‑WAN Exploits

🔔 CISA and international partners warn of active exploitation of Cisco SD-WAN systems, adding CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities Catalog. FCEB agencies are required by Emergency Directive 26-03 to inventory, update, and assess SD-WAN deployments. Organizations should collect artifacts, apply vendor updates, follow the Catalyst SD-WAN Hardening Guide, and hunt for evidence of compromise immediately.
read more →

CISA Adds Two Cisco SD-WAN Vulnerabilities to KEV Catalog

⚠️CISA has added two Cisco SD‑WAN vulnerabilities (CVE‑2022‑20775 and CVE‑2026‑20127) to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. These affect Cisco Catalyst SD‑WAN components and include a path traversal and an authentication bypass that can enable unauthorized access. Under BOD 22‑01, FCEB agencies must remediate by required due dates; CISA urges all organizations to prioritize timely mitigation.
read more →

CISA Confirms Active Exploitation of FileZen Flaw Now

🚨 CISA has added a recently disclosed FileZen vulnerability, CVE-2026-25108 (CVSS v4 8.7), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The issue is an OS command injection that allows an authenticated user to execute arbitrary commands via specially crafted HTTP requests. Affected versions include 4.2.1–4.2.8 and 5.0.0–5.0.10; Soliton advises updating to 5.0.11 or later and changing passwords if exploitation is suspected. Federal agencies must remediate by March 17, 2026.
read more →

Critical SolarWinds Serv-U Flaws Allow Root Access

🔒 SolarWinds has released Serv-U 15.5.4 to patch four critical remote-code-execution vulnerabilities, including CVE-2025-40538, that can allow attackers with elevated privileges to create administrative accounts and execute arbitrary code as root on vulnerable Windows and Linux servers. The update also fixes two type-confusion bugs and an IDOR that can be chained to achieve root code execution. Organizations should apply 15.5.4 immediately, verify administrator account integrity, and review access logs for signs of unauthorized admin activity; Shodan shows over 12,000 Internet-exposed Serv-U instances.
read more →

CISA Adds FileZen Command Injection CVE to KEV Catalog

⚠️ CISA added CVE-2026-25108, a FileZen OS command injection vulnerability affecting Soliton Systems K.K., to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. Command injection is a frequent and high-risk vector that can enable remote code execution and system compromise. Under BOD 22-01 federal agencies must remediate KEV entries by required deadlines; CISA strongly urges all organizations to prioritize remediation, apply vendor fixes or mitigations, and monitor for related activity.
read more →

Russian-speaking Actor Uses GenAI to Compromise FortiGate

🔍 Amazon Web Services reported a low-skilled, Russian-speaking actor used commercial GenAI services to run an opportunistic campaign that compromised over 600 FortiGate devices across more than 55 countries between 11 January and 18 February 2026. The attacker scanned internet-exposed management interfaces, attempted commonly reused credentials and relied on AI-assisted scripts to parse stolen configurations and automate VPN access. AWS noted no exploitation of FortiGate vulnerabilities and that AWS infrastructure was not involved. Defenders are urged to prioritize patching, credential hygiene and post-exploitation detection.
read more →

CISA: Patched Roundcube Flaws Now Seen in Active Attacks

⚠️ CISA has added two recently patched Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to remediate affected systems within three weeks. The critical remote code execution bug CVE-2025-49113 and a separate XSS issue CVE-2025-68461 affect Roundcube 1.5.x and 1.6.x; vendor fixes (1.6.12 and 1.5.12) have been released. Shodan still enumerates tens of thousands of exposed instances, and organizations are urged to update, audit logs, and mitigate immediately.
read more →

Critical BeyondTrust Flaw Used to Deploy Web Shells

🔒 Palo Alto Networks Unit 42 reports active exploitation of a critical sanitization bug in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE-2026-1731 (CVSS 9.9), that allows OS command execution via the thin-scc-wrapper WebSocket interface. Threat actors have used the flaw for reconnaissance, deploying web shells and backdoors (including VShell and Spark RAT), lateral movement, and data theft. Multiple sectors across several countries are affected, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
read more →

CISA Adds Two RoundCube Vulnerabilities to KEV Catalog

⚠️ CISA has added two RoundCube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-49113 (deserialization of untrusted data) and CVE-2025-68461 (cross-site scripting). These issues are tied to observed active exploitation and present significant risk to enterprise networks. Under BOD 22-01, Federal agencies must remediate cataloged CVEs by their due dates; CISA also urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Critical Pre-auth RCE in BeyondTrust Remote Support

🚨 On Feb. 6, 2026, BeyondTrust published an advisory for CVE-2026-1731, a critical pre-auth remote code execution vulnerability affecting BeyondTrust Remote Support and some Privileged Remote Access deployments. The flaw allows unauthenticated attackers to inject shell commands via the WebSocket remoteVersion field during the handshake, resulting in OS command execution as the site user. Unit 42 observed active exploitation that included web shells, C2 traffic, account tampering and data theft. Immediate patching for self-hosted appliances and engagement of incident response if compromise is suspected are recommended.
read more →

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

🛡️ A critical stack-buffer overflow in Grandstream GXP1600 VoIP phones allows unauthenticated remote attackers to gain root and silently eavesdrop. Tracked as CVE-2026-2329 (CVSS 9.3), the issue affects six GXP1600 models running firmware before 1.0.7.81 and stems from an unauthenticated web API that fails to validate colon-delimited input. Rapid7 developed a Metasploit module to demonstrate the exploit; Grandstream issued firmware 1.0.7.81 on February 3 to address the vulnerability—apply updates immediately.
read more →

CISA orders feds to patch Dell RecoverPoint vulnerability

🔐 CISA has directed Federal Civilian Executive Branch agencies to apply fixes within three days for a maximum-severity hardcoded-credential flaw in Dell RecoverPoint (CVE-2026-22769) after active exploitation was observed since mid-2024. Researchers at Mandiant and the Google Threat Intelligence Group link the activity to UNC6201, which deploys multiple payloads including a new Grimbolt backdoor. CISA added the issue to its Known Exploited Vulnerabilities catalog and invoked BOD 22-01 guidance, urging mitigations or product discontinuation if patches are unavailable.
read more →