< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 9 of 35

CISA Adds Four Vulnerabilities to KEV Catalog; Urges Fixes

🚨 CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2024-7399 (Samsung MagicINFO 9 path traversal), CVE-2024-57726 (SimpleHelp missing authorization), CVE-2024-57728 (SimpleHelp path traversal), and CVE-2025-29635 (D-Link DIR-823X command injection). The agency notes these are common attack vectors that present significant risk to the federal enterprise and reminds Federal Civilian Executive Branch agencies of remediation obligations under BOD 22-01. Although that directive applies only to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of standard vulnerability management.
read more →

Tropic Trooper Uses Trojanized SumatraPDF to Access Hosts

🛡️ Zscaler ThreatLabz attributes a new campaign to Tropic Trooper that uses a trojanized SumatraPDF installer to deliver the AdaptixC2 Beacon post‑exploitation agent. Victims—primarily Chinese‑speaking individuals in Taiwan, with some targets in South Korea and Japan—are lured via military‑themed ZIP archives that show a decoy PDF while fetching encrypted shellcode. The backdoored reader launches a Xiangoop‑derived loader called TOSHIS, which stages payloads and only escalates to installing Visual Studio Code and configuring VS Code tunnels for persistent remote access on high‑value hosts.
read more →

LMDeploy SSRF Vulnerability (CVE-2026-33626) Exploited Rapid

🔒 A high-severity SSRF vulnerability in LMDeploy (CVE-2026-33626, CVSS 7.5) was exploited in the wild within 13 hours of disclosure. The flaw in the vision-language module's load_image() function allows fetching arbitrary URLs without validating internal addresses, enabling access to cloud metadata and internal services. Security researchers and Sysdig observed targeted port scanning, API enumeration, and out-of-band DNS callbacks, highlighting rapid weaponization of AI-infrastructure bugs.
read more →

Critical file upload flaw exploited in Breeze Cache

⚠️ Researchers warn that a critical vulnerability (CVE-2026-3844) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function. Exploitation can lead to remote code execution and complete site takeover, but successful attacks require the optional 'Host Files Locally - Gravatars' add-on to be enabled. Cloudways released a patch in version 2.4.5; administrators should update immediately or disable the add-on until patched.
read more →

UAT-4356 Targets Cisco Firepower with FIRESTARTER Backdoor

🔐 Cisco Talos reports that UAT-4356 exploited FXOS n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a custom backdoor named FIRESTARTER on Cisco Firepower, ASA and FTD appliances. The implant injects into the LINA process, replaces a WebVPN XML handler, and executes shellcode delivered via specially crafted requests. Operators should follow Cisco advisories for detection, remediation and recommended software upgrades.
read more →

CISA Warns of FIRESTARTER Targeting Cisco ASA Devices

🔒 CISA published a malware analysis on FIRESTARTER, a backdoor that enables remote access and persistent control of Cisco Firepower and Secure Firewall devices running ASA or FTD software. The report, co-sealed with NCSC-UK, attributes exploitation to an APT using CVE-2025-20333 and CVE-2025-20362. CISA issued Emergency Directive 25-03 requiring FCEB agencies to identify affected devices, collect forensic data, apply vendor updates, and report findings to mitigate ongoing risk.
read more →

CISA Orders Patching of Microsoft Defender BlueHammer Flaw

🔒 CISA has ordered federal agencies to urgently patch a high-severity Microsoft Defender privilege escalation vulnerability tracked as CVE-2026-33825 and publicly dubbed BlueHammer, after evidence of active exploitation. Microsoft released a patch on April 14 following public disclosure and proof-of-concept code published by a researcher using the handle 'Chaotic Eclipse', who also revealed related Defender issues. Huntress Labs reported attacks showing hands‑on‑keyboard activity and suspicious FortiGate SSL VPN access tied to a Russia‑geolocated IP. Agencies must apply mitigations or update systems within two weeks, with a compliance deadline of May 7.
read more →

Mirai Campaign Exploits RCE in EoL D-Link DIR-823X Routers

🔒 A new Mirai-based campaign is actively exploiting CVE-2025-29635, a command-injection RCE that affects D-Link DIR-823X routers, to enlist devices into a botnet. Akamai's SIRT observed the activity in March 2026 and found attackers downloading and executing a shell script that installs a multi-architecture Mirai variant called tuxnokill. The affected DIR-823X line reached end of life in November 2024 and is unlikely to receive a vendor patch. Users are advised to replace EoL devices, disable remote administration, change default passwords, and monitor for configuration changes.
read more →

22 BRIDGE:BREAK Flaws in Lantronix and Silex Converters

⚠️ Forescout Research Vedere Labs disclosed 22 vulnerabilities, labeled BRIDGE:BREAK, in popular Lantronix and Silex serial-to-IP converters that bridge legacy serial equipment to IP networks. Researchers located nearly 20,000 exposed devices online and warned that several flaws permit full takeover or tampering with serial traffic. Affected models include Lantronix EDS3000PS/EDS5000 and Silex SD330-AC; vendors have issued firmware updates and advisories. Operators should patch immediately, remove default credentials, segment networks, and avoid exposing these converters to the internet.
read more →

CISA flags new SD-WAN flaw as actively exploited in attacks

⚠️ CISA has flagged an information-disclosure vulnerability in Catalyst SD-WAN Manager (CVE-2026-20133) as actively exploited and gave federal agencies four days to secure affected systems. Cisco released patches in late February, stating the flaw is caused by insufficient file system access restrictions that can allow unauthenticated API access to sensitive OS information. CISA added the issue to its Known Exploited Vulnerabilities Catalog on April 20 and directed agencies to follow Emergency Directive 26-03 and Cisco hardening guidance or discontinue affected cloud services if mitigations are unavailable.
read more →

Actively Exploited Apache ActiveMQ Flaw Impacts 6,400 Servers

🔐 Shadowserver reported that over 6,400 publicly exposed Apache ActiveMQ servers are vulnerable to an actively exploited code injection bug tracked as CVE-2026-34197. The flaw, discovered by Horizon3 researcher Naveen Sunkavally with the help of the Claude AI assistant after 13 years, permits authenticated actors to execute arbitrary code. Apache issued patches on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4, and CISA has warned of in-the-wild exploitation and ordered federal agencies to secure affected systems.
read more →

CISA Adds Eight Exploited Flaws to KEV Catalog, Fixes Needed

⚠️ CISA added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation and highlighting three flaws in Cisco Catalyst SD-WAN Manager. The list includes high-impact issues such as CVE-2025-32975 (Quest KACE SMA, CVSS 10.0) and authentication, path traversal, and XSS flaws in PaperCut, TeamCity, Kentico, and Zimbra. CISA noted prior ties of CVE-2023-27351 to Lace Tempest and recent Arctic Wolf telemetry on KACE abuse; Cisco confirmed active exploitation of two SD-WAN flaws in March 2026. Federal civilian agencies are urged to remediate the three Cisco vulnerabilities by April 23, 2026, and the remaining flaws by May 4, 2026.
read more →

Nexcorium Mirai Variant Exploits DVR Command Injection

⚠️Fortinet researchers observed a campaign exploiting a command injection flaw (CVE-2024-3721) in TBK DVR systems to deploy a Mirai-based, multi-architecture botnet called Nexcorium. Attackers deliver a downloader via crafted HTTP requests that retrieves ARM, MIPS and x86-64 payloads and executes them with elevated privileges. The malware leverages an XOR-encoded configuration, embedded credential lists for brute-force access and multiple persistence mechanisms, and network traffic includes a custom HTTP header referencing Nexus Team that may indicate the actor.
read more →

CISA Adds Eight Vulnerabilities to KEV Catalog After Exploitation

⚠️ CISA added eight vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after observed active exploitation. The additions include flaws affecting PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra, and multiple issues in Cisco Catalyst SD‑WAN Manager. Under BOD 22‑01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the prescribed due dates; CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Three Microsoft Defender Zero-Days Exploited in the Wild

🔒 Huntress warns that threat actors are actively exploiting three recently disclosed Microsoft Defender vulnerabilities — codenamed BlueHammer, RedSun, and UnDefend — to gain elevated privileges and disrupt defenses. Microsoft addressed BlueHammer in this week's Patch Tuesday as CVE-2026-33825, but RedSun and UnDefend remain unpatched and have PoCs observed in the wild. Huntress reported weaponization beginning April 10 for BlueHammer and April 16 for RedSun and UnDefend, and said it isolated affected environments while investigating post-exploitation activity.
read more →

CISA: Active Exploitation of Apache ActiveMQ CVE-2026-34197

🔴 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a high-severity Apache ActiveMQ flaw, CVE-2026-34197, is being actively exploited in attacks. The bug, present for 13 years, allows authenticated attackers to execute arbitrary code via improper input validation and injection. Apache released patches on March 30 for ActiveMQ Classic 6.2.3 and 5.19.4, and CISA added the CVE to its KEV catalog, ordering federal agencies to patch by April 30.
read more →

Leaked Windows zero-days exploited to gain SYSTEM privileges

🔓 Threat actors are actively using proof-of-concept exploit code for three recently disclosed Windows vulnerabilities to elevate privileges or disrupt Microsoft Defender. Researcher "Chaotic Eclipse" (aka "Nightmare-Eclipse") published PoCs for BlueHammer, RedSun, and UnDefend in protest over Microsoft’s handling of disclosure. Huntress Labs has observed exploitation in the wild, with BlueHammer seen since April 10, and Microsoft has patched only BlueHammer (CVE-2026-33825) so far while RedSun and UnDefend remain unaddressed.
read more →

CISA Adds Apache ActiveMQ RCE CVE-2026-34197 to KEV

⚠️ CISA has added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog after active exploitation reports targeting Apache ActiveMQ Classic. The flaw is an improper input validation issue that can enable code injection via the Jolokia management API, potentially allowing arbitrary OS command execution. While the bug typically requires credentials, default credentials and a prior authentication bypass in some versions can render it effectively unauthenticated. Users should upgrade to ActiveMQ 5.19.4 or 6.2.3 to remediate the issue.
read more →

Attempted Exploitation of CVE-2023-33538 in TP‑Link Routers

🔎 Unit 42 observed automated scans targeting CVE-2023-33538 in several end-of-life TP‑Link routers (TL‑WR940N, TL‑WR740N, TL‑WR841N). Payloads resembled Mirai-like botnet binaries and attempted to download and execute an arm7 ELF, but in-the-wild attempts were flawed and generally failed. Emulation and reverse engineering confirmed a real command-injection flaw in the ssid1 parameter that reaches a system shell, but successful exploitation requires web authentication (default credentials like admin:admin remain a practical risk). TP‑Link lists the devices as EOL with no patches; Unit 42 recommends replacing affected units and avoiding default credentials while using layered protections.
read more →

New Microsoft Defender 'RedSun' zero-day grants SYSTEM

⚠️ A proof-of-concept for a second Microsoft Defender zero-day, dubbed RedSun, was published by researcher 'Chaotic Eclipse', demonstrating a local privilege escalation that grants SYSTEM privileges on patched Windows 10, Windows 11, and supported Windows Server releases when Defender is enabled. The PoC exploits Defender's handling of cloud-tagged files via the Cloud Files API to overwrite system binaries and achieve code execution as SYSTEM. Security analyst Will Dormann of Tharros confirmed the exploit works; some antivirus products detect elements of the PoC due to an embedded EICAR test file. The researcher says the publication was a protest over interactions with the Microsoft Security Response Center.
read more →