Threat

A critical authentication bypass vulnerability (CVE-2026-4670) in Progress MOVEit Automation allows an unauthenticated remote attacker to gain administrative access, potentially leading to full control over the application and sensitive file transfer workflows.

A remote, anonymous attacker can exploit multiple vulnerabilities in mutt to bypass security measures and cause a denial-of-service condition.

A remote buffer overflow vulnerability exists in the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file in the POST Request Handler component of Totolink WA300 version 5.2cu.7112_B20190227, which can be exploited by manipulating the File argument.

A buffer overflow vulnerability exists in Shenzhen Libituo Technology LBT-T300-HW1 version 1.2.8 and earlier, allowing remote attackers to execute arbitrary code by manipulating the Channel/ApCliSsid argument in the start_lan function of the /apply.cgi file.

A buffer overflow vulnerability (CVE-2026-7674) exists in the Web Management Interface of Shenzhen Libituo Technology LBT-T300-HW1 devices, allowing remote attackers to execute arbitrary code by manipulating the vpn_pptp_server or vpn_l2tp_server arguments in the start_single_service function.

Jinher OA 1.0 is vulnerable to remote SQL injection via the DeptIDList parameter in the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, potentially allowing attackers to execute arbitrary SQL queries.

InnoShop version 0.7.8 and earlier contains an improper authentication vulnerability in the InstallServiceProvider::boot function (CVE-2026-7630) that allows remote attackers to bypass authentication and gain unauthorized access to the installation endpoint.

The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in versions up to 2.0.46 due to a loose PHP comparison, allowing unauthenticated attackers to log in as any verified user by submitting a 'true' OTP value.

Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.

CVE-2026-7333 is a use-after-free vulnerability in the GPU component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.

A buffer overflow vulnerability exists in UTT HiPER 1200GW devices up to version 2.5.3-170306, stemming from manipulation of the `strcpy` function in the `/goform/formRemoteControl` file, which allows remote attackers to execute arbitrary code.

IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to remote command execution, allowing an attacker to execute arbitrary commands with the privileges of the Langflow process, potentially leading to sensitive data exposure and lateral movement.

In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.

The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.

A local privilege escalation vulnerability, dubbed 'Copy Fail' (CVE-2026-31431), affects Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions by exploiting a logic bug in the authencesn cryptographic template.

CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM, allowing unauthenticated remote attackers to gain administrative access by manipulating session data.

A local attacker can exploit an unpatched vulnerability in Microsoft Windows RPC to escalate privileges.

Multiple vulnerabilities in SonicWall SonicOS allow a remote attacker to escalate privileges, bypass security measures, or cause a denial-of-service condition.

Multiple official SAP npm packages were compromised via a supply chain attack, likely by TeamPCP, to steal credentials and authentication tokens from developers' systems.

Elinsky execution-system-mcp 0.1.0 is vulnerable to path traversal via manipulation of the context argument in the _get_context_file_path function, allowing remote attackers to access sensitive files.

UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.

A command injection vulnerability (CVE-2026-7211) exists in the GitSearchRequest function of dvladimirov MCP up to version 0.1.0, allowing a remote attacker to execute arbitrary commands by manipulating the repo_url or pattern argument.

A SQL injection vulnerability exists in dubydu sqlite-mcp version 0.1.0 and earlier within the extract_to_json function allowing remote exploitation through manipulation of the output_filename argument.

BlueNoroff, a subgroup of the Lazarus Group, is targeting North American Web3 companies through spear-phishing campaigns, impersonating Fintech legal professionals.

Rclone versions prior to 1.73.5 are vulnerable to two critical unauthenticated remote code execution vulnerabilities (CVE-2026-41176 and CVE-2026-41179) when the remote control API is enabled without authentication, potentially allowing attackers to execute arbitrary commands and compromise the system.

Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.

UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.

China-nexus cyber actors are increasingly using large-scale networks of compromised devices, including SOHO routers and IoT devices, to obscure the origin of their attacks and conduct various malicious activities, from reconnaissance to data exfiltration.

CVE-2026-24177 describes an authentication bypass vulnerability in NVIDIA KAI Scheduler that could allow unauthorized access to API endpoints, leading to information disclosure.

Unpatched JetBrains TeamCity servers are being actively exploited via an authentication bypass (CVE-2024-27198) and path traversal vulnerability (CVE-2024-27199), allowing attackers to perform administrative actions and potentially conduct supply-chain attacks.

Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface, allowing an attacker to upload a malicious file and overwrite arbitrary files to gain vmanage user privileges.

KodExplorer up to version 4.52 is vulnerable to a path traversal attack via manipulation of the path argument in the share.class.php::initShareOld function, potentially allowing remote attackers to access sensitive files.

The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.

A remote code execution vulnerability exists in Sagredo qmail versions prior to 2026.04.07 due to the use of `popen` in the `notlshosts_auto` function within `qmail-remote.c`, potentially leading to OS command injection.

Microsoft's April 2026 Patch Tuesday addresses 163 vulnerabilities, including 8 critical ones, ranging from Tampering to Remote Code Execution and Privilege Escalation, affecting various Microsoft products; it is recommended to apply patches immediately.

CVE-2026-32068 is a race condition vulnerability in the Windows SSDP Service that allows an authorized attacker to elevate privileges locally.

A use-after-free vulnerability in Microsoft Office Word (CVE-2026-33095) could allow a local attacker to execute arbitrary code by opening a specially crafted document.

CVE-2026-27917 is a use-after-free vulnerability in the Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) that allows a locally authorized attacker to elevate privileges.

A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.

Adobe patched CVE-2026-34621, a zero-day vulnerability in Acrobat and Reader exploited since December, allowing malicious PDFs to bypass sandboxes and execute arbitrary code, potentially leading to local file theft.

Detects a service principal authenticating to Azure AD followed by listing credentials for an Azure Arc-connected Kubernetes cluster, indicating potential adversary activity with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters.

A stack-based buffer overflow vulnerability in the Tenda F451 router (version 1.0.0.7) allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the fromRouteStatic function of the /goform/RouteStatic file.

The WordPress adivaha Travel Plugin version 2.3 is vulnerable to time-based blind SQL injection via the 'pid' GET parameter, allowing unauthenticated attackers to inject SQL code through the /mobile-app/v3/ endpoint for potential data extraction or denial of service.

PHPGurukul News Portal Project version 4.1 is vulnerable to SQL injection via the Comment parameter in /news-details.php, potentially allowing remote attackers to execute arbitrary SQL queries.

A critical vulnerability, CVE-2026-35616, exists in Fortinet FortiClient EMS (Endpoint Management Server) allowing unauthenticated attackers to bypass API authentication and authorization checks to execute arbitrary code or commands, potentially leading to full compromise of the EMS infrastructure.

CVE-2026-35616, a critical vulnerability in FortiClient EMS, allows unauthenticated remote attackers to execute arbitrary code or commands via crafted API requests due to improper access control, with Fortinet confirming active exploitation.

The Drift Protocol suffered a $280 million crypto theft orchestrated by North Korean hackers who spent six months building an in-person operational presence within the Drift ecosystem, engaging with contributors at crypto conferences and via Telegram.

A memory corruption vulnerability (CVE-2026-21372) exists when processing IOCTL requests with invalid buffer sizes leading to a heap-based buffer overflow, reported by Qualcomm with a CVSS v3.1 score of 7.8.

A code injection vulnerability (CVE-2026-5584) exists in Fosowl agenticSeek 0.1.0, allowing remote attackers to execute arbitrary code by manipulating the query endpoint through the PyInterpreter.execute function.

A remote attacker can exploit CVE-2026-5554 in code-projects Concert Ticket Reservation System 1.0 to perform SQL injection by manipulating the searching argument in the process_search.php file.

North Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.

Multiple supply chain attacks, including the compromise of Axios and Trivy via hijacked GitHub repositories by TeamPCP, demonstrate the increasing threat to open-source software.

A SQL injection vulnerability exists in itsourcecode Online Enrollment System 1.0 within the Parameter Handler component at /enrollment/index.php, where manipulating the deptid argument can lead to remote code execution, with public exploits available.

The BRICKSTORM malware targets VMware vSphere environments, specifically vCenter Server Appliance (VCSA) and ESXi hypervisors, by exploiting weak security configurations to establish persistence at the virtualization layer, leading to administrative control and potential data exfiltration.

Hackers exploited a zero-day vulnerability (CVE-2026-3502) in TrueConf conference servers to execute arbitrary files on connected endpoints, potentially deploying the Havoc C2 framework.

Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.

This rule detects a potential JAVA/JNDI exploitation attempt by identifying outbound network connections by JAVA to LDAP, RMI, or DNS standard ports followed by suspicious JAVA child processes such as shell interpreters and scripting languages, which may indicate a Java Naming and Directory Interface (JNDI) injection vulnerability exploitation attempt.

F5 has reclassified CVE-2025-53521, a vulnerability in BIG-IP APM, as a critical unauthenticated remote code execution vulnerability and reports it is being actively exploited in the wild.

Unauthenticated attackers can exploit CVE-2026-3055 (out-of-bounds read) to exfiltrate sensitive data from NetScaler ADC and Gateway, while CVE-2026-4368 (race condition) enables user session hijacking, necessitating immediate patching and enhanced monitoring.

Threat actors are actively exploiting CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a SAML identity provider (IDP), to extract sensitive information, including authenticated administrative session IDs, potentially leading to full system takeover.

A threat actor compromised the PyPI package `telnyx`, uploading malicious versions 4.87.1 and 4.87.2 containing credential-stealing malware that exfiltrates data to a C2 server.

CrowdStrike enhances its CNAPP capabilities by incorporating adversary intelligence for risk prioritization, application-layer visibility, and runtime analysis, addressing critical gaps in cloud security and enabling faster remediation based on threat actor behavior like LABYRINTH CHOLLIMA and SCATTERED SPIDER.

CrowdStrike's CNAPP enhancements prioritize cloud risk based on adversary behavior, correlating application insights with cloud infrastructure telemetry to identify and address critical exposures targeted by specific threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.

The TeamPCP threat actor compromised the Telnyx PyPI package, injecting credential-stealing malware hidden within WAV audio files to target Linux, macOS, and Windows systems.

The Silver Fox threat actor is conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses, exploiting the annual tax filing and organizational change season by sending emails containing malicious attachments that deploy ValleyRAT, leading to remote access, data theft, and persistence.

TeamPCP compromised CI/CD pipelines and GitHub accounts of multiple companies by deploying an infostealer to extract credentials from CI environments, .env files, and cloud tokens, impacting projects like Trivy, KICS, and LiteLLM.

The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial access brokers and ransomware deployers.

NICKEL ALLEY, a North Korean threat group, is targeting technology professionals with fake job opportunities and malicious code repositories to deliver malware like PyLangGhost RAT and BeaverTail, aiming to steal cryptocurrency.

TeamPCP conducted a supply chain attack compromising the KICS GitHub Action, impacting users who integrated the compromised version into their CI/CD pipelines.

TeamPCP's CanisterWorm is a newly identified Kubernetes wiper targeting Iranian infrastructure, indicating a politically motivated destructive attack.

TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.

A China-nexus threat actor is utilizing Google Calendar as a command and control (C2) infrastructure to conduct stealthy operations.

VoidStealer leverages Chrome debugging capabilities to extract sensitive information, such as credentials and session cookies, directly from the browser's memory.

A Russian APT group is exploiting a Zimbra XSS vulnerability (details unspecified) to target the Ukrainian government in an operation dubbed 'GhostMail'.

Analysis of North Korean IT workers reveals techniques for infiltrating Western tech companies, including fake identity creation, internal training, and recruitment of collaborators.

Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.

A remote code execution vulnerability exists in the GNU Inetutils Telnet server, potentially allowing unauthenticated attackers to execute arbitrary code on vulnerable systems.

The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.

An unpatched vulnerability in QEMU's virtio-snd component allows for a hypervisor escape due to an uncontrolled heap overflow.

CISA added CVE-2026-3909, an out-of-bounds write vulnerability in Google Skia, and CVE-2026-3910, an unspecified vulnerability in Google Chromium V8 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, highlighting the need for timely remediation.

CVE-2023-46604 is a remote code execution vulnerability affecting Apache ActiveMQ that is actively exploited in the wild by ransomware operators, allowing remote attackers to execute arbitrary shell commands.

The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.

A path traversal vulnerability in Samsung MagicINFO 9 Server could allow an attacker to write arbitrary files with system privileges, potentially leading to code execution or system compromise.

A relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199) could allow limited administrative actions and has been linked to ransomware attacks.

This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.

A remote OS command injection vulnerability exists in the Totolink A8000RU router version 7.1cu.643_b20200521, allowing attackers to execute arbitrary commands by manipulating the 'tty_server' argument in the 'setAdvancedInfoShow' function.

This rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.

Attackers may disable AutoLogger sessions by modifying specific registry values to evade detection and prevent security monitoring of early boot activities and system events, a technique observed in intrusions involving IcedID and XingLocker ransomware.

Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Unauthenticated remote attackers can exploit an arbitrary file read vulnerability (CVE-2022-50992) in Weaver E-cology 9.5 versions prior to 10.52 via the XML-RPC endpoint to access sensitive files.

This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.

Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.

Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library, often used by threat actors like APT29 (via WinELOADER) to load malicious payloads under the guise of legitimate applications, leading to defense evasion, persistence, and privilege escalation.

The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.

CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.

Attackers may leverage the xp_cmdshell stored procedure in Microsoft SQL Server to execute arbitrary commands for privilege escalation and persistence, often bypassing default security configurations.

ChatGPTNextWeb NextChat versions up to 2.16.1 are vulnerable to server-side request forgery (SSRF) due to improper input validation in the storeUrl function, allowing remote attackers to potentially access internal resources or conduct other malicious activities.

Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.

This analytic detects the creation of screen capture files in the TEMP directory, specifically targeting activity associated with the Braodo stealer malware, which captures screenshots of the victim's desktop as part of its data theft activities.

This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.

The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.