#activeexploit — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #activeexploit, aggregated by home.social.
-
KnowledgeDeliver Zero-Day Flaw Exploited to Deploy Web Shells
KnowledgeDeliver LMS installations are being targeted by a zero-day deserialization vulnerability (CVE-2026-5426) caused by hardcoded machine keys, allowing attackers to deploy web shells and Cobalt Strike backdoors.
**If you run Digital Knowledge's KnowledgeDeliver LMS, immediately replace the default ASP.NET machine keys in your web.config with unique, cryptographically strong ones to block these attacks. If possible, restrict portal access to trusted IP ranges, and monitor Windows Application logs for Event ID 1316 (ViewState verification failures).**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/knowledgedeliver-zero-day-flaw-exploited-to-deploy-web-shells-5-x-f-c-n/gD2P6Ple2L -
Ghost CMS SQL Injection Flaw Exploited in Global ClickFix Malware Campaign
A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) is being exploited to steal administrative keys and inject malicious 'ClickFix' scripts into over 700 websites. The campaign targets high-profile domains to deliver malware by tricking visitors into running malicious commands in their system terminal.
**If you run a Ghost CMS site, this is urgent. Check your version and update to version 6.19.1 or later. Then rotate all API keys and staff passwords since any credentials from before the patch may already be compromised. Also review your published articles for unauthorized scripts and check API logs for signs of suspicious activity.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/ghost-cms-sql-injection-flaw-exploited-in-global-clickfix-malware-campaign-d-m-c-f-3/gD2P6Ple2L -
Trend Micro Patches Actively Exploited Directory Traversal in Apex One
Trend Micro patched eight vulnerabilities in Apex One and Vision One, including a directory traversal flaw (CVE-2026-34926) that is exploited in the wild to inject malicious code into security agents.
**If you're using Trend Micro Apex One (on-premise) or Vision One, you are under attack. Immediately update to the patched versions (SP1 CP Build 18012 / SP1 Build 17079 for on-premise, or agent build 14.0.20731+ for cloud) since one of its flaws is actively exploited to push malware through your own security tools. Even if the exploited flaw requires authentication, obviously that is not difficult to obtain for hackers.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/trend-micro-patches-actively-exploited-directory-traversal-in-apex-one-r-u-9-l-z/gD2P6Ple2L -
Microsoft Patches Actively Exploited Defender Vulnerabilities
Microsoft and CISA confirmed active exploitation of vulnerabilities in Microsoft Defender, including a privilege escalation flaw (CVE-2026-41091) and a denial-of-service bug (CVE-2026-45498).
**Check that your Microsoft Defender engine version is 1.1.26040.8 or higher to ensure you are protected against these active exploits. While updates are usually automatic, manual verification is necessary for critical systems to confirm the patches were applied.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/microsoft-patches-actively-exploited-defender-vulnerabilities-0-b-g-y-f/gD2P6Ple2L -
Mass Exploitation of Four-Faith Industrial Routers for Botnet Expansion
Threat actors are conducting mass exploitation of a critical hard-coded credential flaw (CVE-2024-9643) in Four-Faith industrial routers to build botnets and gain footholds in corporate networks.
**Make sure all your Four-Faith industrial routers are isolated from the internet and only accessible from trusted networks. Then immediately update to the latest firmware to patch CVE-2024-9643, and disable the web management interface on any public-facing ports.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/mass-exploitation-of-four-faith-industrial-routers-for-botnet-expansion-v-x-5-k-e/gD2P6Ple2L -
Critical NGINX Heap Overflow Vulnerability Actively Exploited
F5's NGINX Open Source and NGINX Plus are facing active exploitation of a critical heap buffer overflow (CVE-2026-42945) that allows unauthenticated attackers to cause denial-of-service or remote code execution.
**If you're running NGINX Open Source or NGINX Plus, make sure that ASLR is enabled on your system. Then upgrade to a patched version (NGINX Open Source 1.30.1/1.31.0, or NGINX Plus R36 P4/R32 P6) before attackers find your server. If you can't upgrade right away, change any unnamed captures in your rewrite rules (like $1) to named captures (like (?<id>[0-9]+)) to block the attack path.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-nginx-heap-overflow-vulnerability-actively-exploited-q-8-4-h-o/gD2P6Ple2L -
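The rewrite change the post above recommends, shown as a constructed illustration that is not part of the post and not taken from the NGINX project's own documentation. The location path, URI pattern and the variable name `item_id` are assumptions made for the example; only one of the two `location` blocks would exist in a real configuration.

```nginx
# Constructed example: the same rewrite written two ways.

# Before: an unnamed capture, referenced positionally as $1.
# This is the form the advisory says to move away from.
location /item/ {
    rewrite ^/item/([0-9]+)$ /show?id=$1 last;
}

# After: a named capture, referenced as $item_id.
# No positional $1..$9 variables are produced by this rule.
location /item/ {
    rewrite ^/item/(?<item_id>[0-9]+)$ /show?id=$item_id last;
}
```

After editing, `nginx -t` checks the configuration syntax and `nginx -s reload` applies it without dropping connections; the rename is a stop-gap until the patched release in the post can be installed.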
Critical Authentication Bypass in Burst Statistics WordPress Plugin
A critical authentication bypass vulnerability in the Burst Statistics WordPress plugin (CVE-2026-8181) allows unauthenticated attackers to impersonate administrators and take over websites.
**If you use the Burst Statistics plugin for WordPress (versions 3.4.0 through 3.4.1.1), update immediately to version 3.4.2 or later, or deactivate the plugin until you can patch. The plugin is actively hacked. After updating, check your site for any unfamiliar administrator accounts and review logs for suspicious REST API activity. Attackers may have already taken over.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-authentication-bypass-in-burst-statistics-wordpress-plugin-o-l-7-2-f/gD2P6Ple2L -
Funnel Builder Plugin Flaw Exploited to Skim WooCommerce Stores
A critical unauthenticated vulnerability in the Funnel Builder plugin for WordPress is being exploited to inject payment skimmers into over 40,000 WooCommerce stores. Attackers use a flawed checkout endpoint to plant malicious scripts that steal credit card data and billing information.
**If you use the Funnel Builder (FunnelKit) plugin for WooCommerce, update it immediately to version 3.15.0.3 or later, then check your "External Scripts" settings for any suspicious code (especially fake Google Tag Manager or Analytics scripts) and remove anything you didn't put there yourself. Consider reviewing recent checkout transactions for signs of payment data theft and notify your customers. If you can't update right away, deactivate the plugin until you can.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/funnel-builder-plugin-flaw-exploited-to-skim-40000-woocommerce-stores-8-g-n-l-r/gD2P6Ple2L -
Microsoft Warns of Actively Exploited Zero-Day in Exchange Server OWA
Microsoft is warning of an actively exploited spoofing vulnerability (CVE-2026-42897) in on-premises Exchange Server that allows attackers to execute arbitrary JavaScript via Outlook Web Access XSS.
**If you run on-premises Microsoft Exchange Server (2016, 2019, or Subscription Edition), make sure the Exchange Emergency Mitigation Service (EEMS) is enabled so the M2.1.x mitigation for CVE-2026-42897 is active, or run the Exchange on-premises Mitigation Tool manually if your network is air-gapped. Keep the mitigation on even if it breaks OWA Print Calendar or inline images, and check if you can apply the permanent patch once Microsoft releases it.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/microsoft-warns-of-actively-exploited-zero-day-in-exchange-server-owa-5-p-7-i-w/gD2P6Ple2L -
Cisco Catalyst SD-WAN Controller Authentication Bypass Actively Exploited
Cisco patched a critical authentication bypass (CVE-2026-20182, CVSS 10.0) in Catalyst SD-WAN components that allows remote attackers to gain administrative control and manipulate network fabric configurations. The flaw is being exploited in the wild and follows a similar critical vulnerability used by threat actors since 2023.
**Make sure all Cisco Catalyst SD-WAN Controller and Manager components are isolated from public access and only accessible from expected peer systems and networks, especially UDP port 12346 and TCP port 830. Then do a very quick upgrade to a fixed version and check logs for unauthorized peering, suspicious SSH keys in the vmanage-admin account, and signs of log tampering.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisco-catalyst-sd-wan-controller-authentication-bypass-actively-exploited-w-m-d-d-r/gD2P6Ple2L