All news with #active exploitation tag

Researchers uncover industrial sabotage malware from 2005

🧩 Researchers at SentinelOne uncovered a modular malware framework compiled in 2005 that targeted engineering modeling software by corrupting high‑precision floating‑point arithmetic. The framework uses an embedded Lua VM inside a malicious service loader (svcmgmt.exe) and includes a kernel rootkit, fast16.sys, which applies 101 pattern rules to modify infected executables. The implant appears crafted for strategic sabotage, selectively altering simulation outputs and spreading across network shares to compromise multiple workstations.

Popular WordPress Redirect Plugin Hid Dormant Backdoor

🛡️ The Quick Page/Post Redirect WordPress plugin, installed on more than 70,000 sites, contained a hidden backdoor introduced through a malicious self-update mechanism in versions 5.2.1 and 5.2.2. Researcher Austin Ginder discovered the issue after multiple infections on his Anchor hosting fleet led to a security alert; WordPress.org has temporarily pulled the plugin pending review. A tampered 5.2.3 build, delivered from an external anadnet[.]com server, added a passive backdoor that only triggers for logged-out users and appears to have been used for cloaked SEO spam. Impacted sites should uninstall the plugin and replace it with a clean copy of version 5.2.4 from WordPress.org when it is available.

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.

CISA Adds Actively Exploited ConnectWise and Windows Flaws

🔒 CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect (CVSS 8.4), and CVE-2026-32202, a protection-mechanism failure in Windows Shell (CVSS 4.3). Patches were released in February 2024 and April 2026 respectively. The additions follow observed real-world exploitation, including chaining with other CVEs and activity attributed to both nation-state and criminal groups. Affected organizations and federal agencies should prioritize remediation and verify deployments of the relevant fixes.

Critical LiteLLM Pre-auth SQLi Allows Database Access

🔓 LiteLLM's proxy contains a pre-auth SQL injection in its API key verification, tracked as CVE-2026-42208. An attacker can send a crafted Authorization header to any LLM API route to read and modify the proxy database, exposing API keys, master keys, provider credentials, and environment secrets. Exploitation was observed about 36 hours after public disclosure and targeted '/chat/completions'. Upgrade to 1.83.7 or apply the suggested workaround and rotate any exposed credentials.

CISA Adds Two Known-Exploited Vulnerabilities to KEV Catalog

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The entries are CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect, and CVE-2026-32202, a protection mechanism failure in Microsoft Windows. Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed flaws by specified due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.

Microsoft: Active Exploitation of Windows Shell Bug

🛡️ Microsoft confirmed active exploitation of a patched Windows Shell vulnerability, CVE-2026-32202, after correcting its advisory metadata. The flaw is a spoofing/authentication-coercion issue (CVSS 4.3) that can disclose sensitive information and was addressed in April Patch Tuesday. Akamai researcher Maor Dahan links the defect to an incomplete February fix for CVE-2026-21510 and says an APT28 campaign weaponized LNK/CPL/UNC/SMB chains to harvest credentials.

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, citing evidence of active exploitation. The listed flaws include two SimpleHelp issues (CVE-2024-57726, CVE-2024-57728), a Samsung path traversal (CVE-2024-7399), and a D-Link command injection (CVE-2025-29635). Agencies are urged to apply fixes or retire affected devices by May 8, 2026.

CISA: Over 10,000 Zimbra Servers Vulnerable to XSS

⚠️ Shadowserver and CISA warn that more than 10,500 internet-exposed Zimbra Collaboration Suite instances remain vulnerable to an actively exploited cross-site scripting bug tracked as CVE-2025-48700. Synacor issued patches in June 2025, but the flaw can be triggered without user interaction when a maliciously crafted email is viewed in the Classic UI. CISA added the issue to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure affected servers by April 23.

CISA Adds Four Vulnerabilities to KEV Catalog; Urges Fixes

🚨 CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2024-7399 (Samsung MagicINFO 9 path traversal), CVE-2024-57726 (SimpleHelp missing authorization), CVE-2024-57728 (SimpleHelp path traversal), and CVE-2025-29635 (D-Link DIR-823X command injection). The agency notes these are common attack vectors that present significant risk to the federal enterprise and reminds Federal Civilian Executive Branch agencies of remediation obligations under BOD 22-01. Although that directive applies only to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of standard vulnerability management.

Tropic Trooper Uses Trojanized SumatraPDF to Access Hosts

🛡️ Zscaler ThreatLabz attributes a new campaign to Tropic Trooper that uses a trojanized SumatraPDF installer to deliver the AdaptixC2 Beacon post‑exploitation agent. Victims—primarily Chinese‑speaking individuals in Taiwan, with some targets in South Korea and Japan—are lured via military‑themed ZIP archives that show a decoy PDF while fetching encrypted shellcode. The backdoored reader launches a Xiangoop‑derived loader called TOSHIS, which stages payloads and only escalates to installing Visual Studio Code and configuring VS Code tunnels for persistent remote access on high‑value hosts.

LMDeploy SSRF Vulnerability (CVE-2026-33626) Exploited Rapid

🔒 A high-severity SSRF vulnerability in LMDeploy (CVE-2026-33626, CVSS 7.5) was exploited in the wild within 13 hours of disclosure. The flaw in the vision-language module's load_image() function allows fetching arbitrary URLs without validating internal addresses, enabling access to cloud metadata and internal services. Security researchers and Sysdig observed targeted port scanning, API enumeration, and out-of-band DNS callbacks, highlighting rapid weaponization of AI-infrastructure bugs.

Critical file upload flaw exploited in Breeze Cache

⚠️ Researchers warn that a critical vulnerability (CVE-2026-3844) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function. Exploitation can lead to remote code execution and complete site takeover, but successful attacks require the optional 'Host Files Locally - Gravatars' add-on to be enabled. Cloudways released a patch in version 2.4.5; administrators should update immediately or disable the add-on until patched.

UAT-4356 Targets Cisco Firepower with FIRESTARTER Backdoor

🔐 Cisco Talos reports that UAT-4356 exploited FXOS n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a custom backdoor named FIRESTARTER on Cisco Firepower, ASA and FTD appliances. The implant injects into the LINA process, replaces a WebVPN XML handler, and executes shellcode delivered via specially crafted requests. Operators should follow Cisco advisories for detection, remediation and recommended software upgrades.

CISA Warns of FIRESTARTER Targeting Cisco ASA Devices

🔒 CISA published a malware analysis on FIRESTARTER, a backdoor that enables remote access and persistent control of Cisco Firepower and Secure Firewall devices running ASA or FTD software. The report, co-sealed with NCSC-UK, attributes exploitation to an APT using CVE-2025-20333 and CVE-2025-20362. CISA issued Emergency Directive 25-03 requiring FCEB agencies to identify affected devices, collect forensic data, apply vendor updates, and report findings to mitigate ongoing risk.

CISA Orders Patching of Microsoft Defender BlueHammer Flaw

🔒 CISA has ordered federal agencies to urgently patch a high-severity Microsoft Defender privilege escalation vulnerability tracked as CVE-2026-33825 and publicly dubbed BlueHammer, after evidence of active exploitation. Microsoft released a patch on April 14 following public disclosure and proof-of-concept code published by a researcher using the handle 'Chaotic Eclipse', who also revealed related Defender issues. Huntress Labs reported attacks showing hands‑on‑keyboard activity and suspicious FortiGate SSL VPN access tied to a Russia‑geolocated IP. Agencies must apply mitigations or update systems within two weeks, with a compliance deadline of May 7.

Mirai Campaign Exploits RCE in EoL D-Link DIR-823X Routers

🔒 A new Mirai-based campaign is actively exploiting CVE-2025-29635, a command-injection RCE that affects D-Link DIR-823X routers, to enlist devices into a botnet. Akamai's SIRT observed the activity in March 2026 and found attackers downloading and executing a shell script that installs a multi-architecture Mirai variant called tuxnokill. The affected DIR-823X line reached end of life in November 2024 and is unlikely to receive a vendor patch. Users are advised to replace EoL devices, disable remote administration, change default passwords, and monitor for configuration changes.

22 BRIDGE:BREAK Flaws in Lantronix and Silex Converters

⚠️ Forescout Research Vedere Labs disclosed 22 vulnerabilities, labeled BRIDGE:BREAK, in popular Lantronix and Silex serial-to-IP converters that bridge legacy serial equipment to IP networks. Researchers located nearly 20,000 exposed devices online and warned that several flaws permit full takeover or tampering with serial traffic. Affected models include Lantronix EDS3000PS/EDS5000 and Silex SD330-AC; vendors have issued firmware updates and advisories. Operators should patch immediately, remove default credentials, segment networks, and avoid exposing these converters to the internet.

CISA flags new SD-WAN flaw as actively exploited in attacks

⚠️ CISA has flagged an information-disclosure vulnerability in Catalyst SD-WAN Manager (CVE-2026-20133) as actively exploited and gave federal agencies four days to secure affected systems. Cisco released patches in late February, stating the flaw is caused by insufficient file system access restrictions that can allow unauthenticated API access to sensitive OS information. CISA added the issue to its Known Exploited Vulnerabilities Catalog on April 20 and directed agencies to follow Emergency Directive 26-03 and Cisco hardening guidance or discontinue affected cloud services if mitigations are unavailable.

Actively Exploited Apache ActiveMQ Flaw Impacts 6,400 Servers

🔐 Shadowserver reported that over 6,400 publicly exposed Apache ActiveMQ servers are vulnerable to an actively exploited code injection bug tracked as CVE-2026-34197. The flaw, which had gone unnoticed for 13 years before Horizon3 researcher Naveen Sunkavally found it with the help of the Claude AI assistant, permits authenticated actors to execute arbitrary code. Apache issued patches on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4, and CISA has warned of in-the-wild exploitation and ordered federal agencies to secure affected systems.