All news with #active exploitation tag
Mon, October 27, 2025
Critical WordPress Plugin Flaws Exploited at Scale Globally
🔴 Wordfence warns that threat actors are actively exploiting three critical 2024 CVEs in popular WordPress plugins, GutenKit and Hunk Companion, which report more than 40,000 and 8,000 active installations respectively. The vulnerabilities permit unauthenticated attackers to install and activate arbitrary plugins or upload spoofed plugin files, enabling remote code execution (RCE) and straightforward site takeover when exploited or chained with other flaws. Discovered via Wordfence's bug bounty in late September and early October, the campaign reignited on 8 October and the vendor has already blocked nearly 8.8 million exploitation attempts while urging administrators to update or remove affected versions.
Mon, October 27, 2025
Qilin Ransomware Employs Linux Payloads and BYOVD Tactics
🔒 Qilin (aka Agenda, Gold Feather, Water Galura) has sharply increased operations in 2025, claiming dozens of victims monthly and peaking at 100 leak-site postings in June. Cisco Talos and Trend Micro analyses show affiliates gain initial access via leaked admin credentials, VPN interfaces and RDP, then harvest credentials with tools like Mimikatz and SharpDecryptPwd. Attackers combine legitimate remote-management software (for example AnyDesk, ScreenConnect, Splashtop) with a BYOVD vulnerable driver to disable defenses, exfiltrate data, and deploy a Linux ransomware binary on Windows systems before encrypting files and removing backups.
Fri, October 24, 2025
Critical Microsoft WSUS RCE Flaw Exploited in Wild Now
⚠️ Microsoft released out-of-band updates to fully remediate a critical deserialization vulnerability in Windows Server Update Service (WSUS), tracked as CVE-2025-59287. The initial Oct. 14 fixes were incomplete, prompting emergency patches for multiple Windows Server versions. Exploits in the wild were reported after a public proof-of-concept was published, allowing remote code execution as SYSTEM on affected servers.
Fri, October 24, 2025
Mass Attacks Exploit Outdated WordPress Plugins in 2024
🔒 A large-scale campaign is exploiting outdated GutenKit and Hunk Companion WordPress plugins to achieve remote code execution by chaining unauthenticated or missing-authorization REST endpoint flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972). Wordfence observed 8.7 million blocked attempts across October 8–9. Attackers host a malicious ZIP plugin on GitHub that installs backdoors, and often drop the vulnerable wp-query-console plugin to gain RCE. Administrators should update affected plugins and scan for indicators of compromise immediately.
Fri, October 24, 2025
Microsoft issues emergency WSUS patch for critical RCE
⚠️ Microsoft released an out-of-band security update to address a critical WSUS remote code execution vulnerability, CVE-2025-59287 (CVSS 9.8). The flaw stems from unsafe deserialization of AuthorizationCookie objects at the GetCookie() endpoint, where AES-128-CBC-encrypted cookie payloads are decrypted and deserialized via BinaryFormatter without type validation, enabling SYSTEM-level code execution on servers running the WSUS role. Microsoft published updates for supported Windows Server releases and recommends installing the patch and rebooting; short-term mitigations include disabling the WSUS role or blocking TCP ports 8530 and 8531.
Fri, October 24, 2025
Critical WSUS RCE Flaw in Windows Server Exploited Now
⚠️ Microsoft confirmed attackers are exploiting a critical Windows Server Update Service vulnerability tracked as CVE-2025-59287, a remote code execution flaw that affects servers running the WSUS Server role when configured as an update source for other WSUS servers. The bug can be abused remotely with low complexity and no user interaction to run code as SYSTEM, raising wormable concerns. Microsoft released out-of-band patches for all affected Windows Server versions and advised immediate installation or temporary disabling of the WSUS Server role; public proof-of-concept code and active scanning have been observed in the wild.
Fri, October 24, 2025
ToolShell Exploit Drives Surge in SharePoint Attacks
🛡️ Cisco Talos reports a rapid rise in exploitation of public-facing applications following the mid‑July 2025 disclosure of the ToolShell chain, which targets on‑premises Microsoft SharePoint servers via CVE-2025-53770 and CVE-2025-53771. In Q3, application exploitation featured in over 60% of Talos Incident Response engagements, with ToolShell activity implicated in nearly 40% of cases. Talos urges expedited patching and network segmentation to limit lateral movement and downstream impacts such as ransomware.
Thu, October 23, 2025
Threat Source: SharePoint Exploits and Patch Urgency
⚠ Cisco Talos reports a sharp increase in attacks against public-facing applications, with the ToolShell chain exploiting unpatched Microsoft SharePoint servers rising to over 60% of IR cases this quarter. Ransomware-related incidents fell to about 20% but show evolving tactics, including leveraging legitimate tools and compromised internal accounts for persistence and phishing. Organizations are urged to prioritize rapid patching, robust network segmentation, centralized logging, MFA, and user education to reduce exposure.
Thu, October 23, 2025
LockBit Resurges with New Variant and Fresh Victims
🛡️ LockBit has reemerged after a disruption in early 2024 and is actively extorting new victims. Check Point Research identified roughly a dozen organizations hit in September 2025, and about half of those incidents involved the new LockBit 5.0 variant, labeled ChuongDong. The group is deploying attacks across Windows, Linux and ESXi environments in Europe, the Americas and Asia. Check Point Harmony Endpoint and Quantum customers are protected via Threat Emulation, which can block these attacks before encryption occurs.
Thu, October 23, 2025
CISA Warns of Critical Lanscope Endpoint Manager Flaw
⚠️ CISA warns that attackers are exploiting a critical flaw (CVE-2025-61932) in Motex's Lanscope Endpoint Manager, enabling unauthenticated remote code execution via specially crafted packets. The issue affects client components in versions 9.4.7.2 and earlier; Motex has released patched client builds and noted managers do not require updates. No mitigations are available—install the vendor updates; CISA added the flaw to its KEV with a Nov. 12 remediation deadline for federal agencies.
Thu, October 23, 2025
Pakistan-linked APT36 deploys DeskRAT against BOSS Linux
🔍 Sekoia.io researchers uncovered a cyber-espionage campaign, beginning June 2025, that targets Indian government Linux systems using a new Golang RAT named DeskRAT. The operation primarily abused the Indian government‑endorsed BOSS Linux distribution via phishing ZIPs that executed Bash downloaders and displayed decoy PDFs. Attackers used dedicated staging servers and a new operator dashboard to manage victims and exfiltrate files.
Thu, October 23, 2025
North Korean Hackers Target European Defense Firms
🛡️ European defense and aerospace firms are being targeted in a renewed Operation Dream Job campaign attributed to North Korean-linked Lazarus actors, ESET reports. Active since March 2025, attackers use social-engineering job lures and trojanized documents to deploy ScoringMathTea and MISTPEN-like downloaders such as BinMergeLoader that abuse Microsoft Graph API. The goal is theft of proprietary UAV manufacturing know‑how and related intellectual property.
Thu, October 23, 2025
YouTube Ghost Network: Disrupting a Massive Malware Campaign
🛡️ Check Point Research uncovered the YouTube Ghost Network, a large-scale operation that used fake and compromised accounts to distribute infostealers like Rhadamanthys and Lumma. More than 3,000 malicious videos — often disguised as cracked software or game hacks — were reported and removed after being linked to password-protected archives that carried the malware. Compromised accounts, coordinated comment manipulation, and false endorsements were used to build trust and drive downloads.
Thu, October 23, 2025
Over 250 Magento Stores Targeted Using SessionReaper Bug
⚠️ Sansec warns that threat actors have begun exploiting CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source, with over 250 attack attempts recorded in 24 hours. The critical (CVSS 9.1) improper input validation flaw can enable customer account takeover via the Commerce REST API, and Adobe released a patch last month. Sansec cautions that 62% of Magento stores remain unpatched six weeks after disclosure, and observed activity includes dropping PHP webshells via '/customer/address_file/upload' and probing phpinfo from several attacker IPs.
Thu, October 23, 2025
CISA: Critical Lanscope Endpoint Manager Flaw Exploited
⚠️ CISA has added a critical defect in Motex LANSCOPE Endpoint Manager to its Known Exploited Vulnerabilities catalog after observing active exploitation. Tracked as CVE-2025-61932 (CVSS v4: 9.3), the flaw affects on-premises Client program and Detection Agent components and allows arbitrary code execution via specially crafted packets. Motex released patches for multiple 9.3/9.4 builds, and federal agencies are advised to remediate by November 12, 2025.
Wed, October 22, 2025
Prison kiosk hack and new PCI DSS limits on Magecart
🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.
Wed, October 22, 2025
Active Exploitation of SessionReaper Flaw in Adobe Magento
⚠️ Sansec reports active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) affecting Adobe Commerce. The flaw enables account session takeover through the Commerce REST API; observed attacks delivered PHP webshells and phpinfo probes. Researchers report about 62% of stores remain unpatched six weeks after Adobe's emergency update. Administrators should apply Adobe's patch or recommended mitigations immediately.
Wed, October 22, 2025
PhantomCaptcha Phishing Targets Ukraine Aid Groups
🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.
Wed, October 22, 2025
PhantomCaptcha campaign targets Ukraine relief organisations
🛡️ Researchers uncovered the 'PhantomCaptcha' phishing campaign that impersonated the Ukrainian President's Office to target humanitarian and government organisations supporting Ukraine relief efforts. Beginning 8 October 2025, malicious PDFs directed recipients to a fake Zoom site and a Cloudflare-like verification page that tricked users into executing PowerShell via a 'Paste and Run' technique. The multi-stage malware included a large obfuscated downloader, a reconnaissance module and a WebSocket-based RAT. SentinelLABS and the Digital Security Lab of Ukraine advise monitoring PowerShell, enforcing execution policies and tracking suspicious WebSocket connections.
Wed, October 22, 2025
Google Careers Phishing Targets Job Seekers' Credentials
🔒 Scammers are impersonating Google’s Careers recruiting outreach to trick job seekers into a fake booking flow that ends on a spoofed Google login page, harvesting account credentials and cloud data. Researchers at Sublime Security documented HTML evasion techniques, abused delivery services, dynamic phishing kits and C2 servers. Organizations should enforce strong MFA, monitor anomalous logins, and train employees to treat unsolicited recruiter invitations with skepticism.