Tag: vulnerability

38 Attack Reports | 0 Vulnerabilities

Attack reports

Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief

Several critical vulnerabilities in Microsoft SharePoint are being actively exploited, targeting on-premises servers in government, education, healthcare, and large enterprises. The vulnerabilities allow unauthenticated attackers to bypass security controls and gain privileged access, leading to da…
vulnerability
exploitation
web shell
sharepoint
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
on-premises
2025-07-23
unauthenticated access
Published: July 23, 2025
Downloadable IOCs: 0

Defending Against ToolShell: SharePoint's Latest Critical Vulnerability

A critical zero-day vulnerability named ToolShell (CVE-2025-53770) has been discovered in on-premises SharePoint Server deployments. This vulnerability allows unauthenticated remote code execution, posing a significant threat to organizations worldwide. SentinelOne has detected active exploitation …
vulnerability
zero-day
cybersecurity
remote code execution
threat detection
sharepoint
patch
CVE-2025-53770
toolshell
2025-07-23
Published: July 23, 2025
Downloadable IOCs: 2

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

A zero-day vulnerability dubbed 'ToolShell' targeting on-premises Microsoft SharePoint Servers has been actively exploited. The flaw, identified as CVE-2025-53770 with an accompanying bypass CVE-2025-53771, allows unauthenticated remote code execution. Three distinct attack clusters have been obser…
vulnerability
zero-day
webshell
remote code execution
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
2025-07-22
CVE-2025-49704
CVE-2025-49706
Published: July 22, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-49704
Downloadable IOCs: 3

Active Exploitation of Microsoft SharePoint Vulnerabilities

Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to ac…
vulnerability
government
healthcare
exploitation
education
cve
CVE-2025-53770
CVE-2025-53771
2025-07-22
CVE-2025-49704
CVE-2025-49706
microsoft sharepoint
on-premises
Published: July 22, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 8

Large-scale exploitation of new SharePoint RCE vulnerability chain identified

A new SharePoint remote code execution vulnerability chain, later named CVE-2025-53770 and CVE-2025-53771 by Microsoft, was discovered being exploited in the wild. The exploitation affected on-premise SharePoint Servers globally, with dozens of systems compromised during two attack waves on July 18…
exploit
vulnerability
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
2025-07-21
on-premise
Published: July 21, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1)
Downloadable IOCs: 4

Toolshell: Large-scale exploitation of new SharePoint RCE vulnerability chain identified

This pulse highlights an ongoing mass exploitation campaign targeting on-premises Microsoft SharePoint servers using a newly disclosed remote code execution (RCE) chain dubbed ToolShell. Discovered on July 18, 2025, by Eye Security, the attack chain is now tracked as CVE-2025-53770 and CVE-2025-537…
exploit
vulnerability
webshell
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
2025-07-21
on-premise
toolshell
Published: July 21, 2025
Downloadable IOCs: 0

Apache Under the Lens: Tomcat's Partial PUT and Camel's Header Hijack

In March 2025, Apache disclosed three critical vulnerabilities: CVE-2025-24813 in Apache Tomcat and CVE-2025-27636 and CVE-2025-29891 in Apache Camel. These flaws allow remote code execution, affecting millions of developers. The Tomcat vulnerability exploits partial PUT requests and session persis…
exploit
vulnerability
apache
remote code execution
CVE-2025-27636
CVE-2025-24813
CVE-2025-29891
2025-07-03
tomcat
Published: July 3, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-27636 (CVSS 5.6), CVE-2025-24813 (CVSS 9.8), CVE-2025-29891 (CVSS 4.2), CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 23

Decrement by one to rule them all: AsIO3.sys driver exploitation

The article details the discovery and exploitation of two critical vulnerabilities in the AsIO3.sys driver, used by ASUS Armory Crate and AI Suite applications. The vulnerabilities, a stack-based buffer overflow and an authorization bypass, were found in the IRP_MJ_CREATE handler. The author demons…
windows
vulnerability
privilege escalation
asus
driver exploitation
CVE-2025-1533
CVE-2025-3464
2025-06-26
kernel exploitation
asio3.sys
Published: June 26, 2025
Linked vulnerabilities : CVE-2025-1533 (CVSS 8.2), CVE-2025-3464 (CVSS 8.4)
Downloadable IOCs: 0

Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infecte…
backdoor
evasion
vulnerability
persistence
c2
supply chain attack
2025-06-13
pickai
comfyui
ai data theft
Published: June 13, 2025
Downloadable IOCs: 9

DanaBot C2 Server Memory Leak Bug

A critical vulnerability named DanaBleed was discovered in DanaBot's C2 server, causing memory leaks from June 2022 to early 2025. This bug, introduced in version 2380, exposed sensitive information including threat actor details, server data, and victim credentials. The leak resulted from uninitia…
vulnerability
cybercrime
danabot
malware-as-a-service
c2 server
smokeloader
operation endgame
information theft
2025-06-10
danableed
banking fraud
memory leak
Published: June 10, 2025
Downloadable IOCs: 2

Web Scanning SonicWall for CVE-2021-20016 - Update

There has been a significant increase in scanning activity targeting SonicWall devices, specifically looking for CVE-2021-20016 vulnerability. The activity has grown tenfold over the past 14 days, with multiple sources reporting probes related to two specific URLs. The most active IP addresses orig…
vulnerability
exploitation
scanning
sonicwall
network security
2025-05-15
CVE-2021-20016
Published: May 15, 2025
Linked vulnerabilities : CVE-2021-20016
Downloadable IOCs: 6

Post-Exploitation Activities Observed from the Samsung MagicINFO 9 Server Flaw

A vulnerability in Samsung MagicINFO 9 Server, a content management system for digital signage displays, has been exploited in limited incidents. Three separate attacks were observed, with two showing organized, identical commands and one appearing to be in a research phase. The attackers attempted…
vulnerability
exploitation
reconnaissance
post-exploitation
2025-05-10
digital signage
samsung
magicinfo
service installation
Published: May 10, 2025
Downloadable IOCs: 0

Apache Tomcat: CVE-2025-24813: Active Exploitation

A critical path equivalence vulnerability in Apache Tomcat, CVE-2025-24813, allows unauthenticated attackers to execute arbitrary code on vulnerable servers under specific conditions. The vulnerability affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98, and certai…
vulnerability
exploitation
remote code execution
CVE-2025-24813
patching
2025-03-28
path equivalence
apache tomcat
Published: March 28, 2025
Downloadable IOCs: 0

CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw

A critical vulnerability, CVE-2025-29927, with a CVSS score of 9.1 was disclosed on March 21, 2025. This flaw allows attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. The vulnerability affects applications using Middlewa…
vulnerability
CVE-2025-29927
2025-03-27
next.js
authorization bypass
javascript framework
Published: March 27, 2025
Linked vulnerabilities : CVE-2025-29927 (CVSS 9.1)
Downloadable IOCs: 0

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk…
apt
espionage
windows
vulnerability
data theft
zero-day
lnk
raspberry robin
command execution
2025-03-18
shortcut
Published: March 18, 2025
Downloadable IOCs: 851

Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits

A report details the incorporation of exploits targeting DrayTek Vigor routers into the Mirai botnet. Previously disclosed vulnerabilities affecting approximately 700,000 devices are being exploited, with attacks focusing on the 'keyPath' and 'cvmcfgupload' parameters. A curious spike in malformed …
exploit
vulnerability
iot
botnet
router
mirai
firmware
2025-03-17
vigor
draytek
Published: March 17, 2025
Downloadable IOCs: 3

Further insights into Ivanti CSA 4.6 vulnerabilities exploitation

This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation leading to webshell deployments in September and October 2024. The report provides details on malicious activiti…
vulnerability
ivanti
exploitation
webshell
infrastructure
remote code execution
CVE-2024-8190
CVE-2024-8963
CVE-2024-9379
CVE-2024-9381
2025-02-11
reversessh
nhas reverse_ssh
csa
Published: February 11, 2025
Linked vulnerabilities : CVE-2024-8190 (CVSS 7.2), CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2020-1472, CVE-2022-1388, CVE-2023-3519, CVE-2021-4034, CVE-2021-44529
Downloadable IOCs: 19

NGC4020 Attacks: DameWare Mini Remote Control Vulnerability

The Solar 4RAYS team investigated a cyberattack on an industrial company, uncovering that attackers exploited a vulnerability in DameWare Mini Remote Control to deliver malware and disable security protections. The NGC4020 group initially compromised systems in December 2022 using CVE-2019-3980. Th…
vulnerability
quasarrat
reverse shell
antivirus bypass
2025-01-31
dameware
Published: January 31, 2025
Downloadable IOCs: 0

Zyxel vulnerability exploited by 'Helldown' ransomware group

The article details a cybersecurity incident where the "Helldown" ransomware group exploited a vulnerability in Zyxel firewall devices. The attackers gained administrator access to the firewall console, collected domain credentials, and compromised the infrastructure. They used VPN services to mask…
ransomware
vulnerability
2025-01-22
zyxel
Published: January 22, 2025
Downloadable IOCs: 0

Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI

The AIRASHI botnet, an evolved version of AISURU, has been observed conducting large-scale DDoS attacks and exploiting vulnerabilities in various devices. It utilizes a 0DAY vulnerability in cnPilot routers for propagation and employs sophisticated encryption techniques for communication. The botne…
vulnerability
rc4
encryption
ddos
botnet
proxy
chacha20
hellokitty
2025-01-16
hmac-sha256
airashi
CVE-2022-3573
cnpilot
aisuru
Published: January 16, 2025
Linked vulnerabilities : CVE-2021-36260, CVE-2022-3573
Downloadable IOCs: 9

Threat actors attempt to exploit a flaw in Four-Faith routers

A high-severity vulnerability (CVE-2024-12856) affecting Four-Faith router models F3x24 and F3x36 is being actively exploited. The flaw allows OS command injection if default credentials are used, potentially leading to unauthenticated remote code execution. Attackers have been observed leveraging …
vulnerability
router
reverse shell
CVE-2024-12856
2024-12-28
four-faith
Published: December 28, 2024
Downloadable IOCs: 0

Cleo Software Actively Being Exploited in the Wild

A critical vulnerability in Cleo's LexiCom, VLTransfer, and Harmony software, used for file transfer management, is being actively exploited. The flaw allows unauthenticated remote code execution, affecting all versions up to and including 5.8.0.21. Attackers are exploiting this vulnerability to dr…
vulnerability
CVE-2024-50623
2024-12-10
cleo
file transfer software
lexicom
vltransfer
harmony
Published: December 10, 2024
Downloadable IOCs: 4

Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)

A new threat cluster, UNC5820, has been observed exploiting a zero-day vulnerability in FortiManager appliances across multiple industries. The vulnerability allows unauthorized execution of arbitrary code or commands on vulnerable devices. The attackers staged and exfiltrated configuration data fr…
vulnerability
zero-day
exploitation
fortigate
CVE-2024-47575
2024-10-24
fortimanager
cyber-espionage
configuration-exfiltration
network-security
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 4

FortiManager fgfmd vulnerability indicators

A critical vulnerability in FortiManager's fgfmd daemon allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. This vulnerability, classified as CWE-306 (Missing Authentication for Critical Function), has been exploited in the wild. The attack …
vulnerability
exfiltration
authentication
remote code execution
2024-10-23
CVE-2024-47575
fortimanager
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 3

New macOS vulnerability, "HM Surf", could lead to unauthorized data access

A new macOS vulnerability called 'HM Surf' has been discovered that could allow attackers to bypass the Transparency, Consent, and Control (TCC) technology and gain unauthorized access to protected user data. The exploit involves removing TCC protection for the Safari browser directory and modifyin…
vulnerability
macos
adload
CVE-2024-44133
2024-10-18
privacy
safari
tcc bypass
hm surf
browser security
Published: October 18, 2024
Downloadable IOCs: 0

Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

CVE-2024-38178 is a type confusion vulnerability in JScript9.dll, patched by Microsoft in August 2024. It allows bypassing the CVE-2022-41128 patch through incorrect JIT engine optimizations. APT37, a North Korean threat group, exploited this vulnerability in June 2024 against South Korean targets.…
windows
vulnerability
zero-day
rokrat
remote code execution
CVE-2024-38178
2024-10-17
apt37
CVE-2022-41128
type confusion
jscript9.dll
Published: October 17, 2024
Downloadable IOCs: 0

Analysis of two arbitrary code execution vulnerabilities affecting WPS Office

ESET researchers discovered two code execution vulnerabilities in WPS Office for Windows. CVE-2024-7262 was exploited by APT-C-60, a South Korea-aligned cyberespionage group, to target East Asian countries. The vulnerability allowed arbitrary code execution via a malicious hyperlink in a spreadshee…
windows
vulnerability
plugin
CVE-2024-7262
CVE-2024-7263
2024-08-30
wps office
taskcontroler.dll
hyperlink
spyglace
spreadsheet
code execution
Published: August 30, 2024
Linked vulnerabilities : CVE-2024-7262, CVE-2024-7263, CVE-2024-7672 (CVSS 7.8), CVE-2924-7263, CVE-2022-24934
Downloadable IOCs: 5

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team uncovered a ransomware attack impacting banks and payment providers in India. The attack, initiated through a compromised Jenkins server at Brontoo Technology Solutions, is attributed to the RansomEXX ransomware group. This sophisticated threat actor employs tactics …
ransomware
vulnerability
india
banking
2024-08-20
jenkins
ransomexx
CVE-2024-23897
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-23897
Downloadable IOCs: 18

Increased Activity Against Apache OFBiz CVE-2024-32113

Recently, there has been a surge in malicious activity targeting a critical vulnerability (CVE-2024-32113) in the Apache OFBiz framework, a Java-based platform for developing Enterprise Resource Planning (ERP) applications. This vulnerability, a path traversal issue that can lead to remote code exe…
vulnerability
CVE-2024-32113
apache
erp
2024-08-01
remote code execution
ofbiz
Published: August 1, 2024
Linked vulnerabilities : CVE-2024-32113
Downloadable IOCs: 5

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
espionage
phishing
vulnerability
nation-state
javascript
targeted
CVE-2017-0199
CVE-2017-11882
2024-07-30
infrastructure
maritime
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 47

Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

ESET researchers discovered a vulnerability named EvilVideo that allows attackers to share malicious Android payloads disguised as video files through Telegram for Android. The exploit makes the malicious files appear as multimedia content, tricking users into installing malware. The vulnerability …
malware
exploit
android
vulnerability
telegram
2024-07-23
android/spy.spymax.t
Published: July 23, 2024
Downloadable IOCs: 1

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Increase In The Exploitation Of Microsoft SmartScreen Vulnerability CVE-2024-21412

Cyble analyzes an ongoing campaign exploiting a Microsoft SmartScreen vulnerability to deliver stealers through spam emails. The campaign employs lures related to healthcare, transportation, and tax notices to trick users into downloading malicious payloads. It utilizes techniques like DLL sideload…
phishing
vulnerability
stealer
CVE-2024-21412
spam
malicious
2024-07-11
lumma
meduza stealer
Published: July 11, 2024
Downloadable IOCs: 12

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…
ransomware
lockbit
vulnerability
blackcat
alphv
encryption
phobos
cyclops blink
CVE-2024-4577
noberus
tellyouthepass
blacksuit
2024-07-11
akira
warp av killer
qilin
disruption
Published: July 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 27

Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)

A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
backdoor
exploit
rat
xmrig
vulnerability
plugx
gh0strat
CVE-2024-23692
cobaltstrike
korplug
destroyrat
xenorat
2024-07-03
gothief
Published: July 3, 2024
Linked vulnerabilities : CVE-2024-23692 (CVSS 9.8)
Downloadable IOCs: 14

Exploiting CVE-2021-40444 to Infiltrate Systems

A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered the exploitation of CVE-2021-40444, allowing arbitrary code execution. This downloaded an HTM…
vulnerability
spyware
keylogger
2024-07-02
information theft
CVE-2021-40444
merkspy
Published: July 2, 2024
Linked vulnerabilities : CVE-2021-40444
Downloadable IOCs: 6

Malware Targets Message Queuing Services Applications

The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
evasion
cryptocurrency
vulnerability
persistence
apache
2024-06-06
irc
rocketmq
lateral
muhstik
CVE-2023-33246
Published: June 6, 2024
Linked vulnerabilities : CVE-2023-33246
Downloadable IOCs: 21

Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

A recent surge of malicious JavaScript code has been observed targeting websites using vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or the database, creating unauthorized admin users like 'wpsupp-user.' It exploits the vulne…
vulnerability
javascript
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
wordpress
litespeed
plugin
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports