< ciso
brief />
Tag Banner

All news with #active exploitation tag

686 articles · page 19 of 35

SolarWinds Web Help Desk RCE Vulnerability Exploited

⚠️ The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-40551 — a critical remote code execution flaw in SolarWinds Web Help Desk — to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The vendor patched multiple high-severity bugs on January 28 and assigned CVSS scores of 9.8. Administrators are urged to apply the vendor update to Web Help Desk 2026.1 immediately to mitigate unauthenticated deserialization and authentication-bypass risks.
read more →

Massive Citrix NetScaler Scans Use Residential Proxies

🔎 GreyNoise observed a coordinated reconnaissance campaign from Jan 28–Feb 2 that used tens of thousands of residential proxies to discover Citrix NetScaler/Citrix Gateway login panels and enumerate product versions. Over 63,000 distinct IPs launched 111,834 sessions, with roughly 64% appearing as residential ISP addresses and the remainder linked to a single Azure IP. The scans concentrated on /logon/LogonPoint/index.html and the EPA artifact /epa/scripts/win/nsepa_setup.exe, indicating pre‑exploitation mapping and version‑specific probing. GreyNoise recommends monitoring anomalous UA strings, flagging EPA artifact access, restricting internet‑facing Gateways, and disabling version disclosure.
read more →

AI-Driven AWS Attack: From Exposed Key to Admin in Minutes

⚠️ Sysdig researchers observed an AI-assisted intrusion in November 2025 that converted exposed AWS credentials in a public S3 bucket into full administrative control in under eight minutes. The attackers exploited an IAM user with Lambda and limited Amazon Bedrock access, injected malicious code into an existing Lambda function, and generated admin keys from the function output. They then moved laterally across multiple principals, invoked multiple foundation models (LLMjacking), disabled model-invocation logging, and attempted to provision costly GPU instances to run ML workloads. Sysdig recommends enforcing least privilege, restricting UpdateFunctionCode and PassRole, protecting S3 buckets, enabling Lambda versioning, and turning on Bedrock logging.
read more →

Hackers Exploit Metro4Shell RCE in React Native CLI

🔒 VulnCheck observed active exploitation of CVE-2025-11953 (Metro4Shell), a critical RCE in the @react-native-community/cli Metro Development Server first seen on December 21, 2025. With a CVSS score of 9.8, the flaw enables unauthenticated remote command execution and was weaponized to deliver a Base64-encoded PowerShell loader that adds Microsoft Defender exclusions. The loader opens a raw TCP channel to 8.218.43.248:60124 to fetch and execute a Rust-based binary with anti-analysis checks; VulnCheck links the activity to multiple attacker IPs and describes it as operational exploitation.
read more →

Exploit of React Native Metro Bug Breaches Dev Systems

🚨 Researchers report attackers are exploiting CVE-2025-11953 in the React Native Metro server to deliver malicious, cross-platform payloads to developer machines. The vulnerability stems from the /open-url endpoint accepting POST data that is passed unsanitized to the system open() call, enabling command execution on Windows and arbitrary executable launches on Unix-like hosts. JFrog disclosed the flaw in early November and it was fixed in @react-native-community/cli-server-api 20.0.0 and later, but active exploitation tracked as 'Metro4Shell' has been observed delivering base64-encoded payloads for both Windows and Linux.
read more →

Hackers Exploit React Native Metro Bug to Breach Systems

🔓 Security researchers warn that attackers are exploiting the critical CVE-2025-11953 flaw in the React Native Metro server to drop malicious Windows and Linux payloads. The issue abuses the development-only /open-url HTTP endpoint, which accepts POST requests and can pass a user-supplied URL unsanitized to the system open() call. JFrog disclosed the bug and it was fixed in @react-native-community/cli-server-api v20.0.0+, but active exploitation (Metro4Shell) has been observed delivering base64 PowerShell stagers and UPX-packed binaries.
read more →

CISA Adds Four Known Exploited Vulnerabilities to KEV Catalog

🔒 CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2019-19006 (Sangoma FreePBX improper authentication), CVE-2021-39935 (GitLab SSRF), CVE-2025-40551 (SolarWinds Web Help Desk deserialization), and CVE-2025-64328 (Sangoma FreePBX OS command injection). Evidence indicates active exploitation and these issues pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by required deadlines. CISA strongly urges all organizations to prioritize timely remediation and will continue updating the catalog.
read more →

Russian APT28 Exploits Patched Microsoft Office Bug

🛡️ Ukraine's CERT warns that Russian state-linked actor APT28 is exploiting the recently patched CVE-2026-21509 in Microsoft Office. Malicious DOC files were observed days after Microsoft's emergency out-of-band update on Jan 26 and deploy a WebDAV download chain, COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image (SplashScreen.png), and a scheduled task named OneDriveHealth. The chain results in the launch of the COVENANT framework, which uses the Filen cloud storage service for command-and-control. Organizations are advised to apply Microsoft's updates for affected Office versions, ensure application restarts where required, and consider blocking or monitoring Filen-related traffic.
read more →

OpenClaw token flaw enables one-click remote RCE exploit

🔒 A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw allowed a crafted link or webpage to exfiltrate a stored gateway token and enable one-click remote code execution. The Control UI trusted the gatewayUrl query parameter and auto-connected on load while the server failed to validate WebSocket Origin headers. The issue was patched in v2026.1.29 (Jan 30, 2026); users should upgrade immediately.
read more →

Notepad++ Update Hijacked by Chinese State Hackers

🔒 Notepad++ developers say Chinese state-sponsored actors hijacked the project's update delivery last year, intercepting and selectively redirecting update requests to malicious servers by exploiting insufficient verification in older WinGUp updaters. The compromise began in June 2025 after a hosting provider breach and persisted until Dec 2, 2025, when the provider terminated access. The project migrated hosting, rotated credentials, patched the updater to verify certificates and signatures, and urges users to change SSH/FTP/MySQL credentials, review WordPress accounts, and update software.
read more →

Ivanti patches two critical EPMM RCE flaws under attack

🔒 Ivanti released stand‑alone RPM patches for Endpoint Manager Mobile (EPMM) to fix two unauthenticated code‑injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340, each rated 9.8 by CVSS. The flaws affect EPMM’s In‑House Application Distribution and Android File Transfer Configuration features and are already being exploited in a limited number of customer environments. Administrators must manually install version-specific RPMs; Ivanti says a permanent fix will arrive in the 12.8.0.0 release.
read more →

China-Linked UAT-8099 Targeting IIS Servers in Asia

🔍 Cisco Talos has uncovered a late-2025 to early-2026 campaign by a China-linked actor tracked as UAT-8099 targeting vulnerable IIS servers across Asia, notably Thailand and Vietnam. The actor uses web shells, PowerShell, and red-team utilities to deploy GotoHTTP and maintain persistence via hidden accounts. Infections deliver the BadIIS SEO-fraud malware family, hijacking crawlers and injecting malicious redirects to manipulate search rankings.
read more →

Microsoft January 2026 Out-of-Band Office Update Patch

⚠️ Microsoft released three out-of-band updates in January 2026, including a security update addressing CVE-2026-21509 in Microsoft Office, which has been reportedly exploited in the wild. The vulnerability is rated Important with a CVSS 3.1 score of 7.8 and is considered local, requiring a user to open a malicious Office document or for an attacker to have system access. Microsoft notes the issue cannot be triggered via the Preview Pane and has published mitigation guidance. Talos published Snort and ClamAV detections and advises customers to apply the latest rules and SRU updates.
read more →

Interlock Ransomware: New Techniques, Same Old Tricks

🔒 Fortinet's FortiGuard Incident Response describes a protracted Interlock intrusion that targeted education organizations, linking MintLoader initial access to NodeSnakeRAT and Interlock RAT implants. The report highlights a novel process-killer, Hotta Killer, that abuses a signed but vulnerable gaming anti-cheat driver (CVE-2025-61155) in a BYOVD technique to terminate security processes. Operators exfiltrated about 250 GB using AZCopy before deploying JavaScript and ELF ransomware across Windows and Nutanix hosts. FortiGuard recommends blocking unnecessary remote-access tools, restricting PowerShell egress, and monitoring anomalous driver installations.
read more →

CISA Adds Ivanti EPMM Code Injection to KEV Catalog

🔔 CISA added CVE-2026-1281, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog after confirmed active exploitation in the wild. The advisory notes that code injection is a common and dangerous attack vector that can enable unauthorized execution and data compromise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by set deadlines, and CISA strongly urges all organizations to prioritize timely remediation.
read more →

Q4 2025 Talos IR: Public-Facing Exploits and Phishing

🔒 Talos Incident Response (Talos IR) reports that in Q4 2025 threat actors again favored exploitation of public-facing applications, appearing in nearly 40% of engagements, while phishing rose to the second-most common initial access vector. Notable exploit activity targeted Oracle E-Business Suite (CVE-2025-61882) and React2Shell (CVE-2025-55182), and attackers rapidly weaponized these flaws close to disclosure. Talos also observed deployment of APT-linked implants such as BadCandy and AquaShell, plus campaigns that targeted Native American tribal organizations for credential harvesting. The report emphasizes timely patching, strong MFA controls, centralized logging, and rapid incident response to limit impact.
read more →

Google: WinRAR CVE-2025-8088 Actively Exploited Widely

⚠️ Google’s Threat Intelligence Group warns that multiple actors — including state-backed clusters from Russia and China and financially motivated groups — are actively exploiting CVE-2025-8088, a WinRAR path-traversal bug patched in WinRAR 7.13. Attackers craft malicious archives that drop payloads into the Windows Startup folder (often via ADS-hidden LNKs) to achieve persistence and execute on login. Google advises upgrading to WinRAR 7.13+, monitoring Startup items and alternate data streams, and blocking malicious archive extraction.
read more →

Fortinet fixes FortiOS SSO bypass in active exploitation

🔒 Fortinet has released security updates to address a critical authentication bypass (CVE-2026-24858) affecting FortiOS, FortiManager, and FortiAnalyzer. The flaw allows a FortiCloud account with a registered device to access other devices when FortiCloud SSO is enabled, enabling creation of local admin accounts and configuration changes. Fortinet locked malicious FortiCloud accounts, temporarily disabled SSO, and urges customers to update firmware, audit configurations, and rotate credentials.
read more →

Fortinet blocks exploited FortiCloud SSO zero-day; patch due

🔒 Fortinet confirmed a critical FortiCloud SSO authentication bypass (CVE-2026-24858) actively exploited to gain administrative access to customer devices. The company has implemented server-side mitigations that block SSO logins from vulnerable firmware versions while patches for FortiOS, FortiManager, and FortiAnalyzer are developed. Administrators are advised to review accounts and credentials; disabling SSO remains an optional mitigation.
read more →

WinRAR path-traversal flaw exploited by many hackers

🔒 Security researchers report that the high-severity CVE-2025-8088 path traversal in WinRAR is being actively exploited by both state-sponsored and criminal groups to gain initial access. The flaw leverages Alternate Data Streams (ADS) inside archives to hide payloads and uses directory traversal to drop LNK, HTA, BAT, CMD or script files, frequently into the Windows Startup folder for persistence. ESET and Google observed campaigns beginning in July 2025 and continuing into 2026, tied to actors such as RomCom, Turla and APT44 as well as financially motivated operators. Organizations should apply patches, monitor ADS/archive extraction behavior, and block or alert on suspicious startup items.
read more →