CISO Brief

All news with #zero day exploitation tag

325 articles · page 5 of 17

Attackers Exploit Ivanti EPMM Zero-Days in Active Campaign

🔴 Palo Alto Networks' Unit 42 warns that threat actors are actively exploiting two critical zero-day vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — in Ivanti Endpoint Manager Mobile (EPMM). Both flaws allow unauthenticated remote code execution, enabling attackers to seize MDM appliances and install web shells, cryptominers, or persistent backdoors that can survive initial patching. Unit 42 says more than 4,400 EPMM instances are internet-exposed, proof-of-concept exploits are public, and multiple sectors and countries have been targeted.

Critical BeyondTrust Flaw Used to Deploy Web Shells

🔒 Palo Alto Networks Unit 42 reports active exploitation of a critical sanitization bug in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE-2026-1731 (CVSS 9.9), that allows OS command execution via the thin-scc-wrapper WebSocket interface. Threat actors have used the flaw for reconnaissance, deploying web shells and backdoors (including VShell and Spark RAT), lateral movement, and data theft. Multiple sectors across several countries are affected, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.

Critical Pre-auth RCE in BeyondTrust Remote Support

🚨 On Feb. 6, 2026, BeyondTrust published an advisory for CVE-2026-1731, a critical pre-auth remote code execution vulnerability affecting BeyondTrust Remote Support and some Privileged Remote Access deployments. The flaw allows unauthenticated attackers to inject shell commands via the WebSocket remoteVersion field during the handshake, resulting in OS command execution as the site user. Unit 42 observed active exploitation that included web shells, C2 traffic, account tampering and data theft. Immediate patching for self-hosted appliances and engagement of incident response if compromise is suspected are recommended.

Chinese APT Exploited Dell RecoverPoint Zero-Day Flaw

🔒 Researchers report a China-linked APT exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to achieve unauthenticated root command execution by leveraging hardcoded Apache Tomcat Manager credentials. Google’s Mandiant traced compromises to UNC6201, which deployed web shells and backdoors including BRICKSTORM and the newer GRIMBOLT. Dell released a patch (6.0.3.1 HF1) and a remediation script; customers are urged to upgrade and isolate appliances behind segmented networks.

AI Discovers Twelve New Vulnerabilities in OpenSSL Release

🔍 In the January 27, 2026 OpenSSL security release, twelve previously unknown zero-day vulnerabilities were announced, all originally discovered and responsibly disclosed by our AI research system, AISLE. Ten of the issues were assigned CVE-2025 identifiers and two received CVE-2026 identifiers. One high-profile finding, CVE-2025-15467, is a stack buffer overflow with a NIST CVSS v3 score of 9.8 and has already produced public exploits. Five of the twelve accepted fixes were directly proposed by AISLE, and several bugs dated back to 1998–2000, including code inherited from the original SSLeay implementation.

Critical zero-day in Dell RecoverPoint for VMs, exploited

🔒 A maximum-severity vulnerability (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus cluster tracked as UNC6201 since mid-2024. The flaw is a hard-coded Apache Tomcat Manager admin credential that allows unauthenticated attackers to upload a web shell (SLAYSTYLE) and deploy native backdoors (BRICKSTORM, later GRIMBOLT) for root access and persistence. Dell urges customers to upgrade to 6.0.3.1 HF1 (or follow staged upgrades from 5.3 SP4 P1) and to isolate RecoverPoint appliances on trusted, segmented networks until patched.

Chinese APT Exploited Dell RecoverPoint Zero-Day Since 2024

🔒 Dell has released a patch for a critical zero-day, CVE-2026-22769, in RecoverPoint for Virtual Machines after Mandiant reported exploitation by a suspected Chinese APT cluster since mid-2024. The flaw is a hardcoded credential that enables unauthenticated access to the underlying OS and potential root-level persistence on versions prior to 6.0.3.1 HF1. Mandiant links the intrusions to UNC6201, which deployed malware such as Slaystyle, Brickstorm and a native AOT C# backdoor called Grimbolt, and observed novel TTPs including VM "ghost NICs" and iptables-based single-packet authorization.

Critical Ivanti EPMM RCE Zero-Days Actively Exploited

🚨 Unit 42 reports two critical zero-day RCEs in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — are being actively weaponized. Both flaws arise from unsafe legacy bash script usage invoked via Apache RewriteMap and permit unauthenticated command execution through specially crafted HTTP GET requests. Observed activity includes reverse shells, JSP web shells, deployment of monitoring agents/cryptominers, and follow-on persistence. Apply vendor RPM patches immediately, hunt for web shells and backdoors, and engage incident response if compromise is suspected.

Chinese Hackers Exploit Dell RecoverPoint Zero-Day

🔒 Security researchers report that a suspected Chinese state-backed actor, UNC6201, has been exploiting a critical hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. Dell says versions prior to 6.0.3.1 HF1 permit unauthenticated access that can lead to root-level persistence. The intruders deployed a new C# backdoor called Grimbolt and used stealthy VMware pivot techniques, including hidden "Ghost NICs." Customers should apply Dell's updates and mitigations immediately.

UNC6201 Targets Dell RecoverPoint Zero-Day, Deploys GRIMBOLT

🔐 Mandiant and the Google Threat Intelligence Group (GTIG) identified exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769, used by UNC6201 since mid-2024. The actor uploaded malicious WAR files to the embedded Tomcat Manager, leveraging hard-coded admin credentials, to deploy a SLAYSTYLE web shell and gain root. In compromised appliances, UNC6201 established persistence by modifying convert_hosts.sh and later replaced BRICKSTORM implants with a native AOT-compiled C# backdoor named GRIMBOLT. Investigators also observed novel VMware pivoting techniques, including temporary "Ghost NICs" and iptables-based Single Packet Authorization. Dell published mitigations and GTIG/Mandiant released IOCs, YARA rules, and hunting guidance to aid detection and response.

Exploit Reported for New Chrome Zero-Day in CSS Engine

⚠️ Google warns IT administrators that an exploit for a newly disclosed Chrome zero-day (CVE-2026-2441) is active in the wild. The issue is a use-after-free bug in the browser's CSS engine that can allow remote code execution in the renderer sandbox when a user visits a crafted page. Patches are available — update to 145.0.7632.75/76 on Windows/Mac or 144.0.7559.75 on Linux — and Google is limiting technical details until most users are updated. Administrators should prioritize deploying the fixes and monitor browser versions and endpoints closely.

Weekly Recap: Add-in Hijack, Zero-Days, and Cloud Abuse

🔒 This weekly recap shows how small, trusted gaps are becoming major entry points — from a hijacked Outlook add-in (AgreeTo) turned into a phishing kit that stole over 4,000 Microsoft credentials to multiple actively exploited zero-days in Chrome and Apple platforms. It also covers a critical BeyondTrust RCE under active exploitation, new Linux botnet activity abusing SSH, and cloud-focused campaigns targeting exposed Docker, Kubernetes, and Redis instances. Attackers are combining legacy techniques, cloud misconfigurations, and AI assistance to scale access and persistence.

Google Issues Patch for In-the-Wild Chrome Zero-Day

🔒 Google has released an urgent security update for Chrome to address CVE-2026-2441, a high-severity zero-day affecting desktop builds on Windows, macOS and Linux. The flaw, rooted in a CSS processing issue, can allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google confirmed an exploit is already in the wild and credited researcher Shaheen Fazim for reporting the bug on February 11; the company issued the patch on February 13.

Google patches first Chrome zero-day exploited in attacks

🔧 Google released emergency updates to fix a high-severity Chrome zero-day (CVE-2026-2441) that is being exploited in the wild. The flaw is a use-after-free caused by an iterator invalidation bug in CSSFontFeatureValuesMap, and Google pushed a backported patch across stable branches. Fixes are rolling out to Windows and macOS (145.0.7632.75/76) and Linux (144.0.7559.75); users should update or let Chrome apply updates automatically. Google noted additional related work remains tracked in bug 483936078.

Google patches Chrome zero-day CVE-2026-2441; active exploit

⚠️ Google released updates for Chrome to patch CVE-2026-2441, a high-severity (CVSS 8.8) use-after-free vulnerability in CSS that has been confirmed as exploited in the wild. Discovered by researcher Shaheen Fazim on Feb 11, 2026, the bug can enable remote code execution inside Chrome's sandbox via a crafted HTML page. Users should update to 145.0.7632.75/76 (Windows/macOS) or 144.0.7559.75 (Linux) and ensure Chromium-based browsers receive equivalent fixes.

Single Threat Actor Behind 83% of Ivanti RCE Exploits

🛡️ GreyNoise telemetry indicates a single IP hosted by PROSPERO OOO is responsible for roughly 83% of active exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM), targeting CVE-2026-21962 and CVE-2026-24061. Between Feb 1–9 researchers observed 417 exploit sessions from eight source IPs, with a sharp spike on Feb 8. Activity appears automated, using OAST-style DNS callbacks consistent with initial access broker behavior; Ivanti has released hotfixes and will issue full patches in Q1.

Researchers Observe In-The-Wild Exploitation of BeyondTrust

🔴 watchTowr reported the first in-the-wild exploitation of a critical BeyondTrust vulnerability, CVE-2026-1731, with attackers abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. The flaw (CVSS 9.9) allows unauthenticated remote code execution by sending specially crafted requests and has been patched in Remote Support (BT26-02-RS, 25.3.2+) and Privileged Remote Access (BT26-02-PRA, 25.1.1+). The rapid weaponization highlights how quickly defenders must patch critical systems. CISA also added four actively exploited flaws to its KEV catalog and set federal remediation deadlines in February and March 2026.

Rapid Drop in Time-to-Exploit from N-Day Vulnerabilities

🔒 Flashpoint reports that the median time between disclosure and exploitation fell 94% over five years, from 745 days in 2020 to 44 days in 2025. The vendor attributes the decline to rapid weaponization of researcher proof-of-concept code and the growing use of n-day exploits, which now represent over 80% of CVEs in its VulnDB KEV list. Attackers are combining turnkey exploits with mass-scanning tools to achieve large-scale compromise in hours. Limited asset inventories and a 'CVE blind spot' from vulnerabilities lacking CVE IDs further shrink defenders' remediation window.

Apple Patches Exploited dyld Zero-Day Across Devices

🔒 Apple released updates for iOS, iPadOS, macOS Tahoe, tvOS, watchOS and visionOS to fix an actively exploited zero-day, tracked as CVE-2026-20700, a memory corruption flaw in dyld that can permit arbitrary code execution when an attacker has memory write capability. Google Threat Analysis Group (TAG) is credited with reporting the issue. Apple said the bug may have been used in extremely sophisticated targeted attacks and also issued related fixes for CVE-2025-14174 and CVE-2025-43529. Patches are available for supported recent devices and additional updates address vulnerabilities in older OS releases.

Apple fixes dyld zero-day used in targeted attacks

🔒 Apple issued security updates to fix a zero-day in dyld (CVE-2026-20700) that was exploited in an extremely sophisticated targeted attack against specific individuals. Apple warns an attacker with memory write capability may be able to execute arbitrary code on affected devices. Patches are available in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3 and visionOS 26.3; users and administrators should install them immediately to reduce risk.