< ciso
brief />
Tag Banner

All news with #active exploitation tag

686 articles · page 20 of 35

Active Exploitation of Critical WinRAR CVE-2025-8088

⚠️ The Google Threat Intelligence Group (GTIG) has observed widespread exploitation of WinRAR via the critical path traversal vulnerability CVE-2025-8088, which attackers use to drop payloads into the Windows Startup folder by abusing Alternate Data Streams (ADS). Adversaries—from government-backed Russian and Chinese groups to financially motivated operators—craft RAR archives that conceal decoy documents and hidden ADS entries to achieve persistence. Defenders should prioritize installing the WinRAR patch, enable Safe Browsing protections, and hunt for ADS extraction activity and newly created Startup-folder LNK/HTA/BAT artifacts.
read more →

CISA Adds Five Known Exploited Vulnerabilities to Catalog

⚠️ CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, affecting Linux Kernel, SmarterMail, Microsoft Office, and GNU InetUtils. The newly listed CVEs are CVE-2018-14634, CVE-2025-52691, CVE-2026-21509, CVE-2026-23760, and CVE-2026-24061 and represent frequent attack vectors that pose significant risks to federal and enterprise environments. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates, and CISA urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

CISA Flags Critical VMware vCenter RCE as Actively Exploited

🚨 CISA has added a critical VMware vCenter Server remote code execution flaw (CVE-2024-37079) to its catalog of vulnerabilities exploited in the wild and ordered federal civilian agencies to secure affected systems within three weeks. Patched in June 2024, the issue stems from a heap overflow in the DCERPC implementation of vCenter Server that can be exploited via a specially crafted network packet without credentials or user interaction. Broadcom confirms in-the-wild exploitation and urges immediate patching to the latest vCenter Server and Cloud Foundation releases; no mitigations are available.
read more →

CISA Confirms Active Exploitation of Four Enterprise Bugs

⚠️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities affecting enterprise software to its KEV catalog after observing active exploitation. Affected projects include Versa Concerto, Zimbra Collaboration Suite, the Vite frontend toolchain, and the eslint-config-prettier package used with Prettier. CISA requires federal agencies to apply vendor patches or mitigations, or stop using impacted products by February 12, 2026. Details on the nature and scope of in-the-wild exploitation remain limited.
read more →

Critical Telnetd Auth Bypass in GNU InetUtils Exploited

⚠️ A coordinated campaign is exploiting a critical authentication-bypass flaw in the GNU InetUtils telnetd server, tracked as CVE-2026-24061. The bug, present since 2015, lets attackers set the USER environment variable (for example USER=-f root) to bypass /usr/bin/login and obtain a root shell. Patches are in InetUtils 2.8; mitigations include disabling telnetd or blocking TCP port 23. GreyNoise observed limited, mostly automated exploitation activity and recommends immediate patching and hardening.
read more →

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, including a high-severity PHP remote file inclusion in Zimbra (CVE-2025-68645) and an authentication bypass in Versa Concerto (CVE-2025-34026). One entry describes a supply-chain compromise that trojanized eslint-config-prettier and six related npm packages to deliver a malicious DLL. Federal agencies are required to remediate under BOD 22-01 by February 12, 2026.
read more →

Fortinet: Active FortiCloud SSO Bypass on Patched FortiGate

🔒 Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass affecting fully patched FortiGate firewalls. The vendor said attackers exploited a new attack path that can circumvent patches addressing CVE-2025-59718 and CVE-2025-59719 by using crafted SAML messages when FortiCloud SSO is enabled. Observed activity includes creation of generic admin accounts, configuration changes to enable VPN access, and configuration exfiltration. Fortinet recommends restricting internet-facing administrative access and disabling the admin-forticloud-sso-login feature while a full remediation is finalized.
read more →

CISA Adds VMware vCenter CVE to KEV Catalog January 2026

⚠️ CISA has added CVE-2024-37079, an out-of-bounds write in VMware vCenter Server (Broadcom), to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of memory-corruption flaw is a common attacker vector and poses significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by the required due date; CISA urges all organizations to prioritize timely remediation and to reduce exposure to active threats.
read more →

SmarterMail auth bypass exploited to hijack admins

🔒 An authentication bypass in SmarterTools SmarterMail allows unauthenticated actors to reset system administrator passwords via the publicly exposed 'force-reset-password' API endpoint. The endpoint accepts attacker-controlled JSON and an IsSysAdmin flag that, when set to true, triggers admin password reset logic without verifying the old password. watchTowr reported the issue on January 8 and SmarterMail released Build 9511 on January 15; researchers observed exploitation within days. Administrators should apply the update immediately to prevent full account takeover.
read more →

FortiOS Single Sign-On Abuse: Incident Analysis and Guidance

🔒 Fortinet issued an advisory describing two FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) discovered during an internal code audit. The flaws allowed crafted SAML assertions to bypass authentication on FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager when FortiCloud SSO was enabled. Recent reports show active exploitation, including instances against fully patched devices, indicating a new attack path. Fortinet advises monitoring IOCs, restricting administrative access, disabling FortiCloud SSO as a workaround, and treating affected systems as compromised.
read more →

Appsmith authentication flaw enables account takeovers

🔒 A critical authentication vulnerability (CVE-2026-22794) in the Appsmith low-code platform allowed attackers to manipulate password reset links by supplying a malicious HTTP Origin header, causing reset tokens to be redirected to attacker-controlled infrastructure. Exploitation can lead to full account takeover, including administrator access. The flaw affects Appsmith 1.92 and earlier and was corrected in 1.93; internet scans identified 1,666 publicly accessible instances.
read more →

Zero-day and One-day Exploits Rose in 2025, Says VulnCheck

🔍 VulnCheck’s State of Exploitation 2026 report finds 28.96% of known exploited vulnerabilities (KEVs) were exploited before or on the day they were disclosed, up from 23.6% in 2024. In 2025 the firm observed exploitation of 884 vulnerabilities — a 15% year‑over‑year increase — across hundreds of vendors and products. Network edge devices (191 KEVs), content management systems (163) and open source software (129) were the most targeted, while operating systems saw the highest share of zero‑day and one‑day exploits. The report also notes time‑to‑exploitation patterns remained consistent and that ransomware attribution often lagged initial exploit disclosures.
read more →

Actively Exploited Cisco UC RCE Flaw Requires Patching

⚠️ Cisco has released patches for a critical remote code execution vulnerability, CVE-2026-20045, affecting Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw allows unauthenticated remote attackers to gain user access via crafted HTTP requests and then escalate privileges to root without user interaction. No workarounds exist; fixes are version-specific and organizations should apply the matching patch or migrate unsupported 12.5 systems.
read more →

CISA Adds Four Vulnerabilities to KEV Catalog; Agencies Urged

⚠️ CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The entries include CVE-2025-31125 (Vite improper access control), CVE-2025-34026 (Versa Concerto improper authentication), CVE-2025-54313 (Prettier eslint-config-prettier embedded malicious code), and CVE-2025-68645 (Synacor Zimbra Collaboration Suite PHP remote file inclusion). CISA urges organizations to prioritize remediation and follow BOD 22-01 guidance to reduce exposure to active threats.
read more →

Fortinet FortiGate SSO Exploited to Steal Configs Remotely

🚨 Cybersecurity firm Arctic Wolf reports automated attacks against Fortinet FortiGate devices that exploit the FortiCloud SSO feature to create rogue admin accounts and rapidly export firewall configurations. The campaign began January 15 and mirrors December exploitation tied to CVE-2025-59718. Observed indicators include SSO logins from cloud-init@mail.io and IP 104.28.244.114. Administrators are advised to disable FortiCloud SSO until Fortinet issues a complete fix.
read more →

SmarterMail authentication bypass patched, now exploited

🔒 Researchers report an authentication bypass in SmarterTools SmarterMail (tracked as WT-2026-0001) being actively exploited days after a Jan 15, 2026 patch (Build 9511). An unauthenticated HTTP request to the /api/v1/auth/force-reset-password endpoint can set an IsSysAdmin flag and reset any administrator password if the attacker knows the admin username. The same privileged path enables SYSTEM-level remote code execution via the product's Volume Mount Command feature. watchTowr Labs went public after community reports showed the endpoint was used to change an admin password on Jan 17, indicating rapid patch reversal by attackers.
read more →

Automated Attacks Target Fortinet FortiGate SSO Configurations

🔒 Arctic Wolf warns of a new cluster of automated malicious activity that began on January 15, 2026, involving unauthorized configuration changes to Fortinet FortiGate devices. Attackers exploited SAML-related weaknesses (CVE-2025-59718, CVE-2025-59719) to bypass FortiCloud SSO, create generic admin accounts such as cloud-init@mail.io and names like secadmin or itadmin, and export firewall configurations to external IPs. Administrators are advised to disable the admin-forticloud-sso-login setting until mitigations are confirmed.
read more →

Cisco Fixes Actively Exploited Zero-Day in Unified CM, Webex

🔒 Cisco released patches for a critical, actively exploited vulnerability tracked as CVE-2026-20045 that affects multiple Unified Communications products and Webex Calling Dedicated Instance. The flaw (CVSS 8.2) allows unauthenticated remote attackers to execute arbitrary commands via crafted HTTP requests against the web-based management interface. Cisco urged customers to upgrade to fixed releases or apply published patch files; there are no workarounds. The U.S. CISA has added the issue to its KEV catalog with a remediation deadline of February 11, 2026.
read more →

Cisco fixes critical Unified Communications RCE zero-day

🔒 Cisco released patches to address a critical remote code execution vulnerability, CVE-2026-20045, actively exploited against Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw stems from improper validation of user-supplied input in HTTP requests to the web management interface and can allow an attacker to gain user access and escalate to root. Administrators should apply the version-specific updates or provided .cop patch files immediately, as Cisco reports no available workarounds.
read more →

Patched FortiGate Firewalls Still Being Compromised

🚨Fortinet customers report attackers bypassing a previously patched FortiGate authentication flaw (CVE-2025-59718) to create admin accounts on devices running FortiOS 7.4.9 and 7.4.10. Fortinet reportedly plans releases of FortiOS 7.4.11, 7.6.6 and 8.0.0 to fully remediate the issue. Until those updates are available, admins are advised to disable FortiCloud SSO using the GUI or the CLI mitigation steps Fortinet published. Shadowserver found over 25,000 devices with FortiCloud SSO enabled in mid-December, and CISA has listed the vulnerability as actively exploited and ordered expedited patching.
read more →