Tag: remote code execution

36 Attack Reports | 0 Vulnerabilities

Attack reports

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP re…
vulnerability
remote code execution
vshell
snowlight
CVE-2025-55182
react2shell
2025-12-15
etherrat
Published: December 15, 2025
Linked vulnerabilities : CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065, CVE-2025-55182 (CVSS 10.0), CVE-2025-66478
Downloadable IOCs: 50

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

A critical remote code execution vulnerability in React Server Components, CVE-2025-55182, has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, S…
remote code execution
CVE-2025-55182
react2shell
2025-12-13
Published: December 13, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-67779 (CVSS 7.5)
Downloadable IOCs: 7

React2Shell flaw (CVE-2025-55182) exploited for remote code execution

A critical vulnerability called 'React2Shell' (CVE-2025-55182) affecting React Server Components has been widely exploited. The flaw allows remote code execution through unsafe handling of incoming data during deserialization. Over 165,000 vulnerable IP addresses have been identified. Post-exploita…
persistence
remote code execution
obfuscated javascript
vshell
snowlight
deserialization
CVE-2025-55182
react2shell
2025-12-12
etherrat
linux loaders
state-sponsored attacks
Published: December 12, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 3

Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability

A critical vulnerability in Gladinet's CentreStack and Triofox products has been discovered, involving hardcoded cryptographic keys in their AES implementation. This flaw allows potential access to the web.config file, enabling deserialization and remote code execution. Attackers are actively targe…
vulnerability
cryptography
remote code execution
centrestack
triofox
deserialization
aes
CVE-2025-11371
2025-12-11
access ticket
Published: December 11, 2025
Linked vulnerabilities : CVE-2025-11371 (CVSS 6.2)
Downloadable IOCs: 1

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked o…
ddos
botnet
wordpress
vulnerability exploitation
remote code execution
CVE-2025-1610
CVE-2025-2611
CVE-2025-6389
2025-12-09
frost
ictbroadcast
sneeit framework
trojan.karagany
xfrost
Published: December 9, 2025
Linked vulnerabilities : CVE-2025-1610 (CVSS 6.3), CVE-2025-2611 (CVSS 9.3), CVE-2025-6389 (CVSS 9.8), CVE-2025-66516 (CVSS 10.0)
Downloadable IOCs: 6

IPCola: A Tangled Mess

IPCola, a new proxy service, claims to have millions of active IPs sourced from IoT, Desktop, and Mobile devices. Investigation reveals connections to Gaganode, a decentralized bandwidth monetization service with features resembling a botnet. Gaganode's SDK includes remote code execution capabiliti…
iot
remote code execution
proxy service
2025-12-02
bandwidth monetization
chinese tv boxes
ipcola
instaip
nuochen technology
gaganode
popa
Published: December 2, 2025
Downloadable IOCs: 18

Oracle Security Alert Advisory - CVE-2025-61882

A critical security vulnerability (CVE-2025-61882) has been identified in Oracle E-Business Suite versions 12.2.3-12.2.14. This flaw is remotely exploitable without authentication, potentially leading to remote code execution. The vulnerability affects the BI Publisher Integration component of Orac…
remote code execution
CVE-2025-61882
2025-10-06
security alert
oracle e-business suite
Published: October 6, 2025
Linked vulnerabilities : CVE-2025-61882 (CVSS 9.8)
Downloadable IOCs: 5

August Vulnerabilities of Note

In August 2025, eighteen high-impact vulnerabilities were identified for prioritized remediation, down from 22 in July. The month saw a focus on Citrix and D-Link flaws, with active exploitation of Citrix NetScaler products and D-Link routers. OS Command Injection was the most common weakness. One …
vulnerability
command injection
exploitation
remote code execution
snipbot
rustyclaw
patch management
deserialization
CVE-2025-8088
CVE-2025-25256
CVE-2025-8875
CVE-2025-8876
CVE-2025-20265
CVE-2025-7775
2025-09-15
mythic c2 agent
Published: September 15, 2025
Linked vulnerabilities : CVE-2024-8068, CVE-2024-8069 (CVSS 8.8), CVE-2025-54948 (CVSS 9.4), CVE-2025-8088, CVE-2024-26009 (CVSS 8.1), CVE-2025-25256 (CVSS 9.8), CVE-2025-8875 (CVSS 9.4), CVE-2025-8876 (CVSS 9.4), CVE-2025-20265 (CVSS 10.0), CVE-2025-43300 (CVSS 8.8), CVE-2025-7775 (CVSS 9.2), CVE-2025-7776 (CVSS 8.8), CVE-2025-8424 (CVSS 8.7), CVE-2025-57819, CVE-2007-0671, CVE-2013-3893, CVE-2020-25079, CVE-2020-25078, CVE-2025-48384, CVE-2022-40799
Downloadable IOCs: 11

CVE-2025-31324: Critical SAP Vulnerability & How to Protect Your Enterprise

A critical remote code execution vulnerability (CVE-2025-31324) affects SAP NetWeaver Development Server, allowing attackers to upload malicious files through the metadatauploader endpoint. This vulnerability enables unauthenticated remote code execution, potentially leading to enterprise network c…
exploit
vulnerability
remote code execution
auto-color
CVE-2025-31324
2025-09-10
netweaver
metadatauploader
sap
Published: September 10, 2025
Downloadable IOCs: 4

ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

A critical ViewState deserialization vulnerability (CVE-2025-53690) was discovered in Sitecore products, affecting deployments using an exposed sample machine key. The attacker exploited this to achieve remote code execution, progressing from initial compromise to privilege escalation. Key events i…
viewstate
lateral movement
reconnaissance
privilege escalation
earthworm
remote code execution
sharphound
deserialization
2025-09-04
CVE-2025-53690
sitecore
dwagent
weepsteel
Published: September 4, 2025
Downloadable IOCs: 0

WinRAR Directory Traversal & NTFS ADS Vulnerabilities (CVE-2025-6218 & CVE-2025-8088)

Two high-severity vulnerabilities in WinRAR for Windows enable attackers to write files outside intended extraction directories. CVE-2025-6218 involves traditional path traversal, while CVE-2025-8088 extends the attack using NTFS Alternate Data Streams. Both flaws allow for reliable persistence and…
zero-day
remote code execution
winrar
CVE-2025-8088
CVE-2025-6218
2025-08-25
Published: August 25, 2025
Linked vulnerabilities : CVE-2025-8088, CVE-2025-6218
Downloadable IOCs: 4

Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild

A critical vulnerability (CVE-2025-32433) in Erlang/OTP's SSH daemon allows unauthenticated remote code execution, affecting critical infrastructure and operational technology networks. With a CVSS score of 10.0, it enables command execution by sending SSH connection protocol messages to open ports…
exploit
vulnerability
ssh
remote code execution
critical infrastructure
CVE-2025-32433
2025-08-11
erlang/otp
operational technology
Published: August 11, 2025
Linked vulnerabilities : CVE-2025-32433 (CVSS 10.0)
Downloadable IOCs: 2

Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

A routine monitoring by researchers uncovered an exploitation attempt on a honeypot server running TeamCity, a CI/CD tool. The attack exploited an exposed Java Debug Wire Protocol (JDWP) interface, leading to remote code execution, deployment of cryptomining payload, and establishment of multiple p…
xmrig
persistence
java
cryptomining
remote code execution
2025-08-08
teamcity
jdwp
debugging
Published: August 8, 2025
Downloadable IOCs: 17

CoinMiner Attacks Exploiting GeoServer Vulnerability

A critical remote code execution vulnerability (CVE-2024-36401) in GeoServer has been actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux environments with unpatched GeoServer installations. In South Korea, attackers exploited the vulnerabilit…
powershell
xmrig
coinminer
bash
mirai
netcat
remote code execution
condi
geoserver
monero
CVE-2024-36401
goreverse
2025-08-08
sidewalk
Published: August 8, 2025
Downloadable IOCs: 4

Statistics Report on Malware Targeting Windows Web Servers in Q2 2025

AhnLab Security Intelligence Center analyzed attacks on Windows web servers during Q2 2025 using their Smart Defense infrastructure. The study focused on poorly managed servers, categorizing attack types and malware strains. It revealed that multiple threat actors often target vulnerable servers si…
windows
remote code execution
iis
web servers
vulnerabilities
web shells
apache tomcat
2025-08-08
wograt
Published: August 8, 2025
Downloadable IOCs: 4

Active Exploitation of CVE-2025-5394 in Alone WordPress Theme

A critical arbitrary file-upload vulnerability (CVE-2025-5394) in the Alone - Charity Multipurpose Non-profit WordPress theme versions 7.8.3 and earlier is being actively exploited. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to upload malicious ZIP archives containing PHP …
vulnerability
wordpress
remote code execution
web shells
CVE-2025-5394
2025-08-01
theme
alone theme
arbitrary file upload
Published: August 1, 2025
Downloadable IOCs: 0

Inside The ToolShell Campaign

FortiGuard Labs has identified a new exploit chain called 'ToolShell' targeting on-premises Microsoft SharePoint servers. This attack combines two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote …
zero-day
fileless
remote code execution
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
2025-07-25
keysiphon
exploit chain
ghostwebshell
Published: July 25, 2025
Downloadable IOCs: 0

Defending Against ToolShell: SharePoint's Latest Critical Vulnerability

A critical zero-day vulnerability named ToolShell (CVE-2025-53770) has been discovered in on-premises SharePoint Server deployments. This vulnerability allows unauthenticated remote code execution, posing a significant threat to organizations worldwide. SentinelOne has detected active exploitation …
vulnerability
zero-day
cybersecurity
remote code execution
threat detection
sharepoint
patch
CVE-2025-53770
toolshell
2025-07-23
Published: July 23, 2025
Downloadable IOCs: 2

CVE-2025-53770 and CVE-2025-53771: Actively Exploited SharePoint Vulnerabilities

Two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are affecting Microsoft SharePoint Servers, enabling attackers to upload malicious files and extract cryptographic secrets. These flaws are evolutions of previously patched vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which wer…
remote code execution
CVE-2025-53770
CVE-2025-53771
2025-07-22
CVE-2025-49704
CVE-2025-49706
microsoft sharepoint
viewstate abuse
deserialization
unauthenticated attacks
Published: July 22, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 8

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

A zero-day vulnerability dubbed 'ToolShell' targeting on-premises Microsoft SharePoint Servers has been actively exploited. The flaw, identified as CVE-2025-53770 with an accompanying bypass CVE-2025-53771, allows unauthenticated remote code execution. Three distinct attack clusters have been obser…
vulnerability
zero-day
webshell
remote code execution
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
2025-07-22
CVE-2025-49704
CVE-2025-49706
Published: July 22, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-49704
Downloadable IOCs: 3

Apache Under the Lens: Tomcat's Partial PUT and Camel's Header Hijack

In March 2025, Apache disclosed three critical vulnerabilities: CVE-2025-24813 in Apache Tomcat and CVE-2025-27636 and CVE-2025-29891 in Apache Camel. These flaws allow remote code execution, affecting millions of developers. The Tomcat vulnerability exploits partial PUT requests and session persis…
exploit
vulnerability
apache
remote code execution
CVE-2025-27636
CVE-2025-24813
CVE-2025-29891
2025-07-03
tomcat
Published: July 3, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-27636 (CVSS 5.6), CVE-2025-24813 (CVSS 9.8), CVE-2025-29891 (CVSS 4.2), CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 23

Security Incident Response Team

A critical vulnerability in various Fortinet products allows remote attackers to execute arbitrary code via crafted HTTP requests. Observed exploitation on FortiVoice involved network scanning, erasing system logs, and enabling fcgi debugging to capture credentials. Affected products include FortiV…
credential theft
remote code execution
buffer overflow
network scanning
2025-05-14
fortivoice
CVE-2025-32756
fortindr
forticamera
fortimail
log manipulation
fortirecorder
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-32756
Downloadable IOCs: 6

CVE-2025-32756: FortiVoice Zero-Day Exploit Alert

A critical zero-day vulnerability (CVE-2025-32756) in multiple Fortinet products, including FortiVoice, has been actively exploited. The flaw is a stack-based buffer overflow that allows remote code execution without authentication. Attackers can gain full control of affected systems, access sensit…
zero-day
fortinet
patch
2025-05-14
fortivoice
remote-code-execution
credential-capture
CVE-2025-32756
network-scan
buffer-overflow
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-32756
Downloadable IOCs: 6

CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild

A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software has been discovered and is being actively exploited. The flaw involves hardcoded cryptographic keys in configuration files, allowing attackers to abuse ASPX ViewState for remote code execution. Affected versions …
cobalt strike
privilege escalation
remote code execution
meshcentral
CVE-2025-30406
2025-04-15
gladinet
hardcoded keys
aspx viewstate
centrestack
triofox
Published: April 15, 2025
Linked vulnerabilities : CVE-2025-30406
Downloadable IOCs: 6

Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)

A critical security vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure VPN appliances has been actively exploited since mid-March 2025. The vulnerability allows remote code execution through a buffer overflow. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed along …
espionage
zero-day
vpn
remote code execution
edge devices
buffer overflow
china-nexus
spawnsloth
CVE-2025-22457
2025-04-04
brushfire
spawnsnare
trailblaze
ivanti connect secure
spawnwave
Published: April 4, 2025
Downloadable IOCs: 0

Apache Tomcat: CVE-2025-24813: Active Exploitation

A critical path equivalence vulnerability in Apache Tomcat, CVE-2025-24813, allows unauthenticated attackers to execute arbitrary code on vulnerable servers under specific conditions. The vulnerability affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98, and certai…
vulnerability
exploitation
remote code execution
CVE-2025-24813
patching
2025-03-28
path equivalence
apache tomcat
Published: March 28, 2025
Downloadable IOCs: 0

Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)

Two critical security flaws, CVE-2025-2746 and CVE-2025-2747, have been discovered in Kentico Xperience 13, a digital experience platform. These vulnerabilities allow unauthenticated attackers to bypass the Staging Sync Server's authentication, potentially gaining administrative control over the CM…
remote code execution
authentication bypass
CVE-2025-2746
CVE-2025-2747
CVE-2025-2749
2025-03-26
kentico xperience
Published: March 26, 2025
Linked vulnerabilities : CVE-2025-2746 (CVSS 9.8), CVE-2025-2747 (CVSS 9.8), CVE-2025-2749 (CVSS 7.2)
Downloadable IOCs: 0

Trimble Cityworks: CVE-2025-0994: Active Exploitation

A high-severity deserialization vulnerability in Trimble Cityworks, CVE-2025-0994, affects versions before 15.8.9 and Office Companion versions before 23.10. This flaw allows authenticated attackers to execute remote code on Microsoft IIS web servers. Exploitation indicators suggest the use of Rust…
cobalt strike
remote code execution
critical infrastructure
CVE-2025-0994
2025-02-20
vshell
trimble cityworks
iis web server
deserialization vulnerability
Published: February 20, 2025
Linked vulnerabilities : CVE-2025-0994 (CVSS 8.8)
Downloadable IOCs: 16

Further insights into Ivanti CSA 4.6 vulnerabilities exploitation

This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation leading to webshell deployments in September and October 2024. The report provides details on malicious activiti…
vulnerability
ivanti
exploitation
webshell
infrastructure
remote code execution
CVE-2024-8190
CVE-2024-8963
CVE-2024-9379
CVE-2024-9381
2025-02-11
reversessh
nhas reverse_ssh
csa
Published: February 11, 2025
Linked vulnerabilities : CVE-2024-8190 (CVSS 7.2), CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2020-1472, CVE-2022-1388, CVE-2023-3519, CVE-2021-4034, CVE-2021-44529
Downloadable IOCs: 19

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave

The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code executio…
iot
botnet
credential theft
CVE-2024-4577
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
routers
CVE-2022-1040
mozi
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
2024-11-12
web servers
persistent access
Published: November 12, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-41773, CVE-2018-15133, CVE-2017-9841, CVE-2022-1040, CVE-2021-41277, CVE-2018-10562, CVE-2014-2120, CVE-2021-26086, CVE-2024-36401, CVE-2022-21587, CVE-2018-10561, CVE-2023-1389
Downloadable IOCs: 10

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The AndroxGh0st malware has expanded its capabilities by incorporating the Mozi botnet to target IoT devices and cloud services. This Python-based tool, known for attacking Laravel applications, now exploits a wider range of vulnerabilities in internet-facing applications. The malware uses remote c…
iot
botnet
wordpress
CVE-2024-4577
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
cloud services
credential stealing
CVE-2022-1040
2024-11-08
mozi
laravel
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
Published: November 8, 2024
Downloadable IOCs: 1

Attacker Abuses Victim Resources to Reap Rewards from Titan Network

An attacker exploited the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor gathered system details using public IP lookup services and various commands. Multiple shell scripts were downloaded and executed …
cryptomining
aws
ssh
remote code execution
CVE-2023-22527
atlassian confluence
2024-11-04
titan network
cassini testnet
aleo-pool
Published: November 4, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 1

FortiManager fgfmd vulnerability indicators

A critical vulnerability in FortiManager's fgfmd daemon allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. This vulnerability, classified as CWE-306 (Missing Authentication for Critical Function), has been exploited in the wild. The attack …
vulnerability
exfiltration
authentication
remote code execution
2024-10-23
CVE-2024-47575
fortimanager
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 3

Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

CVE-2024-38178 is a type confusion vulnerability in JScript9.dll, patched by Microsoft in August 2024. It allows bypassing the CVE-2022-41128 patch through incorrect JIT engine optimizations. APT37, a North Korean threat group, exploited this vulnerability in June 2024 against South Korean targets.…
windows
vulnerability
zero-day
rokrat
remote code execution
CVE-2024-38178
2024-10-17
apt37
CVE-2022-41128
type confusion
jscript9.dll
Published: October 17, 2024
Downloadable IOCs: 0

Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence

Trend Micro researchers have identified a new attack vector exploiting CVE-2023-22527 in older versions of Atlassian Confluence Data Center and Server. The attack deploys an in-memory fileless backdoor known as the Godzilla webshell, which uses AES encryption for communication and remains memory-re…
godzilla
remote code execution
2024-09-02
aes encryption
CVE-2023-22527
atlassian confluence
fileless backdoor
in-memory
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 0

Increased Activity Against Apache OFBiz CVE-2024-32113

Recently, there has been a surge in malicious activity targeting a critical vulnerability (CVE-2024-32113) in the Apache OFBiz framework, a Java-based platform for developing Enterprise Resource Planning (ERP) applications. This vulnerability, a path traversal issue that can lead to remote code exe…
vulnerability
CVE-2024-32113
apache
erp
2024-08-01
remote code execution
ofbiz
Published: August 1, 2024
Linked vulnerabilities : CVE-2024-32113
Downloadable IOCs: 5
Click here to see more Attack Reports