< ciso
brief />
Tag Banner

All news with #active exploitation tag

686 articles · page 18 of 35

February 2026 Patch Tuesday: Six Exploited Microsoft Bugs

🔒 Microsoft’s February 2026 Patch Tuesday delivers 60 fixes, including six vulnerabilities the vendor says are actively exploited. Three are security feature bypass flaws in Windows Shell, MSHTML and Office OLE mitigations; two permit local elevation to System, and one enables local denial-of-service. Experts note patches are straightforward and require no post-patch configuration, but prioritization of the bypasses and cloud-related issues is urgent.
read more →

Microsoft Patch Tuesday — February 2026 Security Update

🔔 Microsoft released its February 2026 security updates addressing 59 vulnerabilities across Windows and cloud products, including two Critical issues in ACI Confidential Containers. Several vulnerabilities are reported as actively exploited and others have been publicly disclosed, impacting components such as Windows Shell, MSHTML, Office, Azure, Hyper-V, and GitHub Copilot. Talos is publishing a new Snort ruleset to detect exploitation attempts; administrators should apply Microsoft patches and update intrusion detection signatures promptly.
read more →

Patch Tuesday: February 2026 — Six Zero-Day Fixes Security

🔒 Microsoft released February 2026 Patch Tuesday updates addressing more than 50 vulnerabilities, including six actively exploited zero-days. Patches cover security feature bypasses in Windows Shell, MSHTML and Word, elevation-of-privilege flaws in Remote Desktop Services and Desktop Window Manager, and a denial-of-service risk in the Remote Access Connection Manager. Administrators and developers are urged to prioritize testing and deployment, maintain recent backups, and apply least-privilege controls to limit exposure, particularly for AI-assisted development workflows.
read more →

SolarWinds WHD Under Active Attack via January Zero‑Days

🔒 Analysis by Huntress shows SolarWinds Web Help Desk instances are being actively exploited through a chain of zero‑day and previously disclosed deserialization flaws from late 2025 and January. The incidents combine two January zero‑days—CVE-2025-40551 (deserialization RCE) and CVE-2025-40536 (authentication bypass)—with the earlier CVE-2025-26399. Organizations should urgently upgrade to WHD 2026.1, follow SolarWinds' release notes, reset service and admin credentials, and treat any unexpected Velociraptor, Cloudflared, or Zoho Assist activity and silent MSI installations as indicators of compromise.
read more →

Cyberattack on European Commission Targets MDM System

🔒 The European Commission disclosed a late-January cyberattack that targeted its mobile device management (MDM) platform. Attackers may have accessed names and phone numbers of some staff, though the Commission says there is no evidence that mobile devices themselves were compromised; the incident was contained and the system cleaned within nine hours. Investigators say the breach could be linked to actively exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), with public exploit code and high-severity CVEs reported.
read more →

Deep Dive: XWorm Phishing Campaign Exploits Excel Files

🔍 FortiGuard Labs observed a phishing campaign delivering a new XWorm RAT variant via malicious Excel attachments that exploit CVE-2018-0802 to execute embedded shellcode. The chain uses an obfuscated HTA and PowerShell to load a fileless .NET module, which downloads a PE in memory and uses process hollowing into Msbuild.exe to run XWorm. The RAT establishes AES-encrypted C2, supports extensive commands and plugins, and enables data theft, remote control, DDoS, and ransomware operations. Fortinet protections including FortiMail, AV, IPS, and Web Filtering are effective against observed indicators.
read more →

CISA Adds Six Microsoft Vulnerabilities to KEV Catalog

⚠️ CISA added six Microsoft-related vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2026, citing evidence of active exploitation. The entries include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533, affecting Windows, MSHTML, and Office components. Federal agencies must remediate KEV entries under BOD 22-01, and CISA urges all organizations to prioritize patching to reduce exposure.
read more →

AVEVA PI Data Archive: Remote DoS (CVE-2026-1507) Advisory

⚠ AVEVA's PI Data Archive contains an uncaught-exception vulnerability (CVE-2026-1507) that can allow an unauthenticated remote attacker to crash PI core services and cause denial of service. Affected versions include PI Server <=2018_SP3_Patch_7, 2023 (including 2023_Patch_1), and 2024. The issue has a CVSS 3.1 base score of 7.5 (High). AVEVA recommends upgrading to PI Server 2024 R2 or applying vendor patches and restricting inbound access to TCP port 5450.
read more →

Warlock Ransomware Exploits Unpatched SmarterMail Instance

🔒 SmarterTools confirmed a network breach by the Warlock (aka Storm-2603) ransomware group after attackers exploited an unpatched SmarterMail instance on January 29, 2026. A single, unpatched VM allowed lateral movement to about a dozen Windows servers across the office network and a secondary QC data center, with hosted SmarterTrack customers most affected. Operators staged tools including Velociraptor and deployed a locker after gaining Active Directory control. SmarterTools urges immediate upgrade to Build 9526 and isolation of mail servers to limit further ransomware deployment.
read more →

Threat actors exploit SolarWinds WHD to deploy Velociraptor

⚠️ Researchers report attackers exploiting critical SolarWinds Web Help Desk (WHD) remote code execution flaws (CVE-2025-40551 and CVE-2025-26399) to gain access to at least three organizations. After initial compromise the actor installed Zoho ManageEngine Assist and used Cloudflare tunnels alongside an outdated Velociraptor build as a command-and-control platform. The intruders disabled Defender and the Windows Firewall, deployed persistence mechanisms including scheduled tasks and SSH backdoors, and researchers advise upgrading WHD to 2026.1, removing public admin exposure, and rotating credentials.
read more →

SolarWinds Web Help Desk RCE Used in Multi‑Stage Attacks

🔒 Microsoft reported a multi-stage intrusion that exploited internet‑exposed SolarWinds Web Help Desk instances to gain unauthenticated remote code execution and lateral access. Exploitation spawned PowerShell which used BITS to download payloads, and attackers deployed legitimate Zoho ManageEngine components to maintain persistent remote control. They enumerated domain users, established reverse SSH and RDP persistence, performed DLL side‑loading to dump LSASS, and in at least one case executed a DCSync. Organizations are advised to patch WHD, remove unauthorized RMM tools, rotate service and admin credentials, and isolate compromised systems.
read more →

Active Exploitation of SolarWinds Web Help Desk Observed

⚠️ Microsoft Defender observed in-the-wild exploitation of internet-facing SolarWinds Web Help Desk, enabling unauthenticated remote code execution and arbitrary command execution within the application context. Post-exploitation behaviors included PowerShell using BITS to download payloads, installation of ManageEngine RMM components for interactive control, credential theft via DLL sideloading and LSASS access, and persistence through scheduled tasks and reverse SSH/RDP tunnels. Organizations should patch WHD, restrict public admin access, hunt for unauthorized RMM artifacts, and rotate exposed service and admin credentials.
read more →

CISA: SmarterMail RCE Flaw Actively Exploited by Ransomware

⚠️ CISA warns that ransomware actors are actively exploiting CVE-2026-24423, a critical unauthenticated remote code execution vulnerability in SmarterTools SmarterMail via the ConnectToHub API. SmarterTools released a fix on January 15 (Build 9511) and issued further updates through Build 9526 on January 30. Agencies must apply updates or stop using the product by February 26, 2026, under KEV and BOD 22-01 guidance.
read more →

CISA Adds Two CVEs to Known Exploited Vulnerabilities

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11953 (React Native Community CLI OS command injection) and CVE-2026-24423 (SmarterTools SmarterMail missing authentication for critical function). The additions reflect evidence of active exploitation and elevated risk to the federal enterprise. Under BOD 22-01 federal agencies must remediate KEV entries by the due date. CISA strongly urges all organizations to prioritize timely remediation.
read more →

WinRAR Windows Flaw Rapidly Exploited in Espionage

🔒 Check Point researchers say attackers rapidly weaponized CVE-2025-8088, a path traversal flaw in the Microsoft Windows version of WinRAR, to deliver crafted archives that execute arbitrary code and maintain persistence. The campaign used the open-source Havoc Framework and targeted government and law-enforcement organisations in Southeast Asia. Check Point attributes the activity to a group dubbed Amaranth-Dragon, whose tools and tactics resemble APT41. Organisations are advised to prioritise patching and monitor for suspicious archive files.
read more →

Threat actors hijack web traffic via React2Shell exploit

⚠️ Researchers at Datadog Security Labs report threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) in React 19 to execute code on servers and then target NGINX instances managed with Boato Panel, focusing on several Asian TLDs and Chinese hosting. Attackers use automated, multi-stage toolkits to discover targets, persist, and write malicious NGINX configs that redirect traffic for cryptomining, credential phishing, or malware delivery. Defenses include prompt patching, locking down configuration files, maintaining configuration records, and monitoring NGINX advisories.
read more →

Threat Actors Hijack Web Traffic via React2Shell Exploit

⚠️ Researchers at Datadog Security Labs report that threat actors are exploiting the React2Shell vulnerability to compromise servers running NGINX managed via Boato Panel and to hijack web traffic. Attackers deploy multi-stage scripts that discover targets, establish persistence, and generate malicious configuration files to redirect users or deliver malware. The campaign targets primarily Asian domains and Chinese hosting infrastructure, and unpatched React server components remain at high risk.
read more →

CISA Alerts on Five-Year-Old GitLab SSRF Exploitation

⚠️ CISA has ordered federal agencies to patch a five-year-old GitLab SSRF vulnerability (CVE-2021-39935) that is currently being exploited in attacks. GitLab issued a fix for the server-side request forgery bug in December 2021 after it was found that unauthenticated users could reach the CI Lint API when user registration was restricted. Under BOD 22-01, affected Federal Civilian Executive Branch agencies must remediate by February 24, 2026, and CISA urges all organizations to prioritize mitigation. Shodan currently identifies over 49,000 internet-exposed GitLab instances, many reachable on default ports.
read more →

EDR Killer Abuses EnCase Signed Kernel Driver Widespread

🔒 A custom EDR killer discovered by Huntress abused a long-revoked EnCase kernel driver to gain kernel-level access and repeatedly terminate security processes. The 64-bit tool leverages EnPortv.sys, registers as a fake OEM service for reboot persistence, and uses a kernel IOCTL kill loop to disable 59 EDR/AV processes every second. Huntress links the activity to ransomware and recommends MFA, HVCI/Memory Integrity, WDAC, and monitoring for OEM-masquerading kernel services.
read more →

Operation Neusploit: APT28 Exploits Office RTF Bug

🛡️ Security researchers at ZScaler ThreatLabz observed Operation Neusploit in January 2026, days after Microsoft patched CVE-2026-21509. The campaign used weaponized RTF attachments to trigger a critical Microsoft Office vulnerability and fetch dropper DLLs that branched into two distinct infection paths. One path deployed MiniDoor to harvest Outlook email and weaken registry protections, while the other used PixyNetLoader to install a Covenant Grunt implant for persistent .NET-based C2. ZScaler urged immediate patching and published IOCs and analysis to aid detection.
read more →