< ciso
brief />
Tag Banner

All news with #active exploitation tag

686 articles · page 17 of 35

Rapid Weaponization of SmarterMail Flaws via Telegram

🚨 Flare researchers observed rapid exploitation after disclosure of critical SmarterMail vulnerabilities CVE-2026-24423 and CVE-2026-23760. Within days, underground Telegram channels and cybercrime forums circulated proof-of-concept exploits, offensive tooling, and stolen administrator credentials, enabling mass scanning and automated compromise. CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities (KEV). Organizations are urged to patch immediately, increase identity telemetry, and segment mail servers to limit lateral movement.
read more →

CISA Adds Two Exploited Vulnerabilities to KEV Catalog

⚠️ CISA announced the addition of two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell RecoverPoint for Virtual Machines hard-coded credentials). These issues represent common, high-risk attack vectors that can enable data access and unauthorized persistence. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by specified deadlines, and CISA strongly urges all organizations to prioritize remediation as part of routine vulnerability management.
read more →

CISA Adds Four Actively Exploited Flaws to KEV Catalog

🔔 CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing active exploitation. The additions include CVE-2026-2441 (Chrome use-after-free), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar arbitrary file upload), and CVE-2008-0015 (Windows Video ActiveX overflow). Federal agencies are urged to remediate by March 10, 2026.
read more →

UNC6201 Targets Dell RecoverPoint Zero-Day, Deploys GRIMBOLT

🔐 Mandiant and the Google Threat Intelligence Group (GTIG) identified exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769, used by UNC6201 since mid‑2024. The actor uploaded malicious WAR files to the embedded Tomcat Manager—leveraging hard‑coded admin credentials—to deploy a SLAYSTYLE web shell and gain root. In compromised appliances, UNC6201 established persistence by modifying convert_hosts.sh and later replaced BRICKSTORM implants with a native AOT‑compiled C# backdoor named GRIMBOLT. Investigators also observed novel VMware pivoting techniques, including temporary "Ghost NICs" and iptables‑based Single Packet Authorization. Dell published mitigations and GTIG/Mandiant released IOCs, YARA rules, and hunting guidance to aid detection and response.
read more →

CISA Adds Four Vulnerabilities to Known Exploited Catalog

⚠ CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The additions are CVE-2008-0015 (Microsoft Windows Video ActiveX remote code execution), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar unrestricted upload of dangerous files), and CVE-2026-2441 (Google Chromium CSS use-after-free). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by the due date, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

CISA orders federal agencies to patch BeyondTrust bug

🔒 CISA has ordered federal agencies to secure on‑premises BeyondTrust Remote Support and Privileged Remote Access instances within three days after disclosure of a critical remote code execution flaw (CVE-2026-1731) that is being actively exploited. The OS command injection allows unauthenticated attackers to run system commands and could lead to data exfiltration or service disruption. BeyondTrust patched SaaS instances on Feb 2; on‑premise customers must install fixes manually.
read more →

ClickFix Attack Uses nslookup DNS to Deliver PowerShell

⚠️ Microsoft has identified a novel ClickFix social-engineering variant that instructs victims to run an nslookup against an attacker-controlled resolver to retrieve a malicious PowerShell script embedded in the DNS NAME field. The response is parsed and executed via cmd.exe, then pulls a second-stage ZIP containing a Python runtime and scripts that lead to the ModeloRAT remote-access trojan. Organizations should monitor unusual DNS queries to untrusted nameservers and apply endpoint controls to block unauthorized script execution and persistence.
read more →

Google Groups Used to Deliver Lumma Stealer & Ninja Browser

🔒 CTM360 reports attackers are abusing Google Groups and Google-hosted redirectors to distribute credential-stealing malware, leveraging over 4,000 malicious groups and 3,500 hosted URLs to target organizations worldwide. The campaign uses industry-focused posts and shortened or Docs/Drive redirect links to lure victims and deliver OS-specific payloads. On Windows, victims receive a padded archive that reconstructs an AutoIt-based loader and a memory-resident Lumma infostealer; on Linux, users are served a trojanized Chromium-branded "Ninja Browser" with covert extensions and silent persistence. CTM360 advises inspecting redirect chains, blocking IoCs, auditing browser extensions, and monitoring scheduled tasks and endpoint activity.
read more →

Microsoft Details DNS-Based ClickFix Variant Targeting Users

🔍 Microsoft disclosed a DNS-based evolution of the ClickFix social-engineering tactic that coerces victims into running nslookup via the Windows Run dialog to retrieve a second-stage payload. The initial cmd.exe command queries a hard-coded external DNS server and extracts the Name: response to execute the next stage. The staged payload downloads a ZIP from azwsappdev[.]com, runs a malicious Python script, drops a VBScript that launches ModeloRAT, and establishes persistence via a Startup LNK.
read more →

Single Threat Actor Behind 83% of Ivanti RCE Exploits

🛡️ GreyNoise telemetry indicates a single IP hosted by PROSPERO OOO is responsible for roughly 83% of active exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM), targeting CVE-2026-21962 and CVE-2026-24061. Between Feb 1–9 researchers observed 417 exploit sessions from eight source IPs, with a sharp spike on Feb 8. Activity appears automated, using OAST-style DNS callbacks consistent with initial access broker behavior; Ivanti has released hotfixes and will issue full patches in Q1.
read more →

Critical BeyondTrust RS Flaw Being Exploited in Wild

🔒 Researchers warn a critical pre-authentication command injection (CVE-2026-1731) in BeyondTrust Remote Support is being actively exploited to compromise self-hosted deployments, including legacy Bomgar B-series appliances. Attackers have deployed renamed SimpleHelp binaries, created domain accounts and escalated privileges to perform lateral movement. Patches are available, but end-of-life appliances and required version upgrades complicate remediation while a public proof-of-concept has accelerated exploitation.
read more →

CISA: Microsoft ConfigMgr RCE Patch Now Exploited in the Wild

⚠️ CISA has flagged a critical Microsoft Configuration Manager vulnerability (CVE-2024-43468) as actively exploited after Microsoft patched it in October 2024. The flaw is a SQL injection that can allow unauthenticated remote attackers to achieve remote code execution and run commands with elevated privileges on the server or site database. CISA ordered federal agencies to apply the patch or mitigations by March 5 under BOD 22-01 and urged all organizations to secure affected systems immediately.
read more →

CISA Adds Known-Exploited CVE for BeyondTrust RS/PRA

⚠️ CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation of an OS command injection vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). CISA emphasizes that command injection flaws are a frequent and dangerous attack vector that pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due date; CISA strongly urges all organizations to prioritize timely remediation and integrate these fixes into their vulnerability management processes.
read more →

Researchers Observe In-The-Wild Exploitation of BeyondTrust

🔴 watchTowr reported the first in-the-wild exploitation of a critical BeyondTrust vulnerability, CVE-2026-1731, with attackers abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. The flaw (CVSS 9.9) allows unauthenticated remote code execution by sending specially crafted requests and has been patched in Remote Support (BT26-02-RS, 25.3.2+) and Privileged Remote Access (BT26-02-PRA, 25.1.1+). The rapid weaponization highlights how quickly defenders must patch critical systems. CISA also added four actively exploited flaws to its KEV catalog and set federal remediation deadlines in February and March 2026.
read more →

Critical BeyondTrust RCE Now Exploited in Attacks Globally

🚨 A critical pre-authentication remote code execution vulnerability, CVE-2026-1731, in BeyondTrust Remote Support and Privileged Remote Access appliances is being actively exploited after a proof-of-concept was published. The flaw affects Remote Support ≤25.3.1 and Privileged Remote Access ≤24.3.4 and allows unauthenticated attackers to execute OS commands as the site user. BeyondTrust automatically patched SaaS instances on Feb 2, 2026; on-premises customers must install vendor updates immediately.
read more →

CISA Adds Four CVEs to Known Exploited Vulnerabilities

⚠️ CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. The new entries are CVE-2024-43468 (Microsoft Configuration Manager SQL injection), CVE-2025-15556 (Notepad++ download of code without integrity check), CVE-2025-40536 (SolarWinds Web Help Desk security control bypass), and CVE-2026-20700 (Apple multiple buffer overflow). CISA cites their frequent use by malicious actors and urges prioritized remediation under BOD 22-01 guidance.
read more →

83% of Ivanti EPMM Exploits Traced to Single IP Address

🔍 GreyNoise attributes 83% of exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM) to a single IP hosted on PROSPERO bulletproof infrastructure. Between Feb 1–9, 2026 it recorded 417 sessions from eight source IPs, with 346 sessions from 193.24.123[.]42. Activity targeted CVE-2026-1281 (CVSS 9.8), showed automated tooling patterns and DNS OAST callbacks, and involved rotation through 300+ user-agent strings. Defused Cyber also reported a dormant "/mifs/403.jsp" sleeper shell deployed to some EPMM instances.
read more →

Notepad++ Updater Compromise by Lotus Blossom Revealed

🔒 Unit 42 identified that between June and December 2025 the state-sponsored group Lotus Blossom hijacked the Notepad++ update infrastructure by compromising a shared hosting provider and intercepting WinGUp traffic. Attackers delivered malicious NSIS installers that launched either a Lua-script chain loading Cobalt Strike Beacon or a DLL sideload that deployed the Chrysalis backdoor. Notepad++ released patches, moved hosting, implemented XML signature verification, and Unit 42 published IOCs and hunting guidance for defenders.
read more →

Microsoft Patches 59 Flaws, Six Actively Exploited

🔒 Microsoft released security updates fixing 59 vulnerabilities across Windows and related products, including six flaws Microsoft says are being actively exploited. The update includes five Critical, 52 Important and two Moderate fixes, addressing privilege escalation, remote code execution, spoofing and information disclosure. Microsoft and external researchers reported several actively exploited CVEs; CISA has added them to its KEV catalog with a March 3, 2026 remediation deadline for federal agencies.
read more →

Microsoft patches six actively exploited zero-days

🔒 Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. The issues include security feature bypasses in Windows Shell, MSHTML and Word, plus elevation-of-privilege and denial-of-service flaws affecting DWM, Remote Access Connection Manager and Remote Desktop Services. None are rated critical and only five of 58 patches this month were classed as critical. Administrators should prioritise applying updates and monitoring for exploitation.
read more →