#activeexploit

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-02-04

CISA Mandates Immediate Patching for Actively Exploited SolarWinds Web Help Desk RCE Flaw

CISA reports active exploitation of a critical flaw in SolarWinds Web Help Desk software (CVE-2025-40551). CISA has mandated that federal agencies apply the update within three days.

**If you are using Web Help Desk, this is urgent and important. Your SolarWinds Web Help Desk is under attack. If your process allows for it, isolate Web Help Desk from the internet, then plan a quick update. If you can't isolate from the internet, patch now!**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-02-04

Critical React Native Metro Server Bug Under Active Exploitation

Attackers are actively exploiting a critical command injection vulnerability (CVE-2025-11953) in the React Native Metro development server to deploy malware on Windows and Linux systems.

**This is now urgent and important. If you're a React Native developer, update @react-native-community/cli-server-api to version 20.0.0 or higher. Your tools are being actively exploited. If you can't update right away, start your Metro server with the --host 127.0.0.1 flag (like `npx react-native start --host 127.0.0.1`). Make sure to patch all projects on your computer and the globally installed version.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-02-04

ClawdBot AI Ecosystem Hit by Massive Supply Chain Attack Distributing NovaStealer

A supply chain attack targeting the ClawdBot AI assistant ecosystem loaded 386 malicious skills disguised as automated crypto traders and web summary bots. The malware is designed to steal cryptocurrency credentials and system passwords from macOS and Windows users.

**If you use ClawdBot, be extremely cautious and isolate it. Never run it on a primary computer and only give it very limited access. Be extremely careful of installing third-party skills, especially any related to cryptocurrency trading or web automation. Review your shell history for connections to the malicious IP (91.92.242.30), search your system for the "dx2w5j5bka6qkwxi" binary, and if found, assume your credentials and crypto keys are compromised and rotate them immediately.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai
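The post above gives two host-level indicators (an IP address and a binary name) and tells readers to check their shell history and file system for them. The following POSIX shell script is an added example, not part of the original post or of any BeyondMachines tooling; it implements that check in a reusable form. The IoC values come from the post; the history file paths and search roots are assumed defaults that you should adjust for your environment.

```shell
#!/bin/sh
# Added example: triage check for the two NovaStealer indicators quoted in the
# advisory (IoC values from the post; paths below are assumptions).
IOC_IP="91.92.242.30"
IOC_BIN="dx2w5j5bka6qkwxi"

# history_has_ioc_ip FILE...
# Returns 0 if any readable history file contains the IoC IP, 1 otherwise.
# grep -F treats the IP as a fixed string so the dots are not regex wildcards;
# this also works for zsh extended history lines (": ts:0;cmd").
history_has_ioc_ip() {
    hit=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -F -q -- "$IOC_IP" "$f"; then
            echo "IoC IP $IOC_IP found in $f"
            hit=0
        fi
    done
    return $hit
}

# binary_present ROOT...
# Returns 0 if a regular file named exactly like the IoC binary exists under
# any of the given directories, 1 otherwise. Unreadable subtrees are skipped.
binary_present() {
    found=1
    for root in "$@"; do
        [ -d "$root" ] || continue
        if find "$root" -type f -name "$IOC_BIN" -print 2>/dev/null | grep -q .; then
            echo "IoC binary $IOC_BIN found under $root"
            found=0
        fi
    done
    return $found
}

# Stand-alone run: scan the common history files and typical install locations
# (assumed paths), and report a combined verdict. Exit status 2 means "hit".
if [ "${IOC_SCAN_SKIP_MAIN:-0}" = "0" ]; then
    status=0
    history_has_ioc_ip "$HOME/.bash_history" "$HOME/.zsh_history" \
        "$HOME/.local/share/fish/fish_history" && status=2
    binary_present "$HOME" /tmp /var/tmp /opt && status=2
    if [ "$status" -eq 2 ]; then
        echo "RESULT: indicators present; treat credentials and crypto keys as compromised"
    else
        echo "RESULT: no indicators found in the scanned locations"
    fi
fi
```

Run it as the user that operates the assistant, since shell history is per user. A clean result only covers the scanned paths; a compromised host may have had its history cleared, so pair this with a review of outbound connection logs for the same IP.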

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-31

SmarterTools Patches Critical Unauthenticated RCE and Active Exploits in SmarterMail

SmarterTools patched multiple critical vulnerabilities in SmarterMail, including an unauthenticated remote code execution flaw and a bug currently under active exploitation.

**If you are using SmarterMail, this is urgent. Your server is actively exploited. Update SmarterMail to Build 9511 or later. Isolating isn't really an option since it's a mail server; its purpose is to be exposed to the internet.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-30

Ivanti Patches Critical Zero-Day RCE Flaws in EPMM

Ivanti released emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM) (CVE-2026-1281 and CVE-2026-1340) that allow unauthenticated remote code execution. Attackers are actively exploiting these flaws to gain full system control and access sensitive mobile device management data.

**If you are using Ivanti Endpoint Manager Mobile on premises, this is an URGENT advisory. Update your EPMM because it's already actively hacked. Apply the RPM patches immediately and remember to re-apply them if you upgrade the software version before the permanent fix in version 12.8.0.0 is released. And make sure to check the logs, because your EPMM may have already been compromised.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-28

Fortinet Patches Critical FortiOS SSO Authentication Bypass Under Active Attack

Fortinet patched a critical authentication bypass vulnerability (CVE-2026-24858) in FortiOS and related products that attackers are actively exploiting to hijack devices and steal configurations. CISA has mandated federal agencies to remediate the flaw by end of January 2026.

**Make sure all your Fortinet devices are isolated from the internet and accessible from trusted networks only. If you use FortiCloud SSO, you must upgrade your firmware immediately because Fortinet has blocked vulnerable versions from using the SSO service.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-28

WinRAR Path Traversal Bug Actively Exploited in New Campaign

Hackers are once again using a WinRAR flaw (CVE-2025-8088) to drop malware into Windows Startup folders for persistent access. This bug affects government, military, and financial sectors worldwide as attackers exploit unpatched software.

**This is important and urgent! If you use WinRAR, update it to version 7.13 or later from the official WinRAR, because hackers are sending malicious archive attachments and if you open them you are hacked. Also, be very careful with any RAR file attachments in emails, especially unexpected ones.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-27

Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day

Microsoft released emergency updates for an actively exploited Office zero-day (CVE-2026-21509) that allows attackers to bypass OLE security protections when a user opens a malicious file.

**For everyone using Microsoft Office, this is important and urgent. Hackers attack with malicious MS Office documents. Restart all Microsoft 365 and Office 2021 applications immediately to trigger the service-side security fix. For older versions like Office 2016, apply registry workarounds until Microsoft releases a formal patch.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-25

GNU InetUtils telnetd Authentication Bypass Exploited in the Wild

A critical authentication bypass in GNU InetUtils telnetd (CVE-2026-24061) is actively exploited only days after the public reporting of the flaw. It's urgent that you block any telnet server you are using from the Internet.

**THIS IS URGENT! Check if you are using Telnet anywhere in your network. IMMEDIATELY isolate the Telnet interface to trusted networks and patch the code. Then stop using Telnet and switch to SSH.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-24

Broadcom and CISA Warn of Active Exploitation in VMware vCenter Server

Broadcom and CISA report active exploitation of critical heap-overflow vulnerabilities in VMware vCenter Server that allow remote code execution.

**If you are using VMware vCenter Server or Cloud Foundation this is urgent. If you haven't patched your systems since 2024, first make sure they are isolated from the internet. Then start patching, because even if the VMware systems are isolated, a hacker may find a way in through another vulnerable system or through an endpoint compromise.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-23

Critical SmarterMail Authentication Bypass Under Active Exploitation

SmarterTools SmarterMail contains a critical authentication bypass (WT-2026-0001) that allows attackers to reset administrator passwords and gain SYSTEM-level remote code execution. Attackers are actively exploiting this flaw in the wild.

**If you are using SmarterMail, this is urgent. Your first priority is patching, because hackers are actively exploiting this flaw. If you can't patch, block access to the password reset API until you patch. This will prevent users from resetting passwords, so this is a very temporary measure.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-22

Attacks Target Freshly Patched Critical Fortinet Flaws

The Fortinet command injection flaw in FortiSIEM (CVE-2025-64155) is reported to be actively exploited to gain root access.

**This became urgent. FortiSIEM is actively attacked. Patch your FortiSIEM appliances to the latest version immediately and block port 7900 from any public access.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-22

Cisco Patches Actively Exploited Flaw in Unified Communications Products

Cisco patched a critical remote code execution vulnerability (CVE-2026-20045) in its Unified Communications products that attackers are actively trying to exploit to gain root access. The flaw allows unauthenticated attackers to take full control of enterprise telephony and messaging infrastructure via malicious HTTP requests.

**If you are using Cisco communication platforms, read this advisory in detail. Make sure the web management interfaces are isolated from the internet and accessible from trusted networks only. Then plan a quick update, because someone will find a way to reach the vulnerable interface even if it's isolated.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-21

Critical Privilege Escalation in Modular DS WordPress Plugin Actively Exploited

Attackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-23800) in the Modular DS WordPress plugin to gain full administrative control.

**If you are using the Modular DS plugin for WordPress, this is urgent. Your sites are being attacked. Immediately update Modular DS to version 2.6.0 and scan your user list for unauthorized accounts like 'PoC Admin'.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-15

Critical Privilege Escalation in Modular DS WordPress Plugin Actively Exploited

Attackers are exploiting a CVSS 10.0 vulnerability in the Modular DS WordPress plugin to gain unauthenticated administrative access and full site control. The flaw, tracked as CVE-2026-23550, allows hackers to bypass authentication by manipulating URL parameters.

**If you are using the Modular DS plugin, this is urgent! Update to version 2.5.2 immediately, because your site is being hacked. If you can't update, disable the plugin. After patching, check your WordPress user list for any unauthorized administrator accounts created recently.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-09

CISA warns of active attacks on legacy PowerPoint flaw

CISA is warning about active exploitation of CVE-2009-0556, a critical memory corruption vulnerability in legacy Microsoft PowerPoint (2000-2003 versions) that allows attackers to execute malware and move laterally through networks via malicious .ppt files.

**If you're still running legacy Microsoft Office (2000-2003 or 2004 for Mac), remove it and upgrade immediately to a supported version. This 15-year-old PowerPoint flaw is being actively exploited to install malware. If upgrading isn't possible right away, remove PowerPoint from these old systems and avoid opening any .ppt files.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-09

CISA reports actively exploited Critical HPE OneView flaw

CISA reports a critical HPE OneView RCE flaw to its Known Exploited Vulnerabilities catalog. CISA requires federal agencies to patch by January 28, 2026, to prevent unauthenticated infrastructure takeover.

**Make sure all management devices like HPE OneView are isolated from the internet and accessible from trusted networks only. Then plan an update of the HPE OneView.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-07

Critical RCE Vulnerability Exploited in Legacy D-Link DSL Routers

D-Link legacy DSL routers are actively exploited using a vulnerability, CVE-2026-0625, which allows unauthenticated remote code execution and DNS hijacking.

**If you are using D-Link routers, check this advisory to see whether you are using any of the vulnerable devices. If yes, make sure the devices are isolated from the internet, reset to a complex password and force trusted upstream DNS servers. Plan a very quick replacement for these devices; they are exploitable and won't be getting patches.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-01-06

Massive holiday exploitation campaign targets Adobe ColdFusion, other systems

A threat actor launched an exploitation campaign over the 2025 Christmas holiday, targeting Adobe ColdFusion and 47 other technology stacks using over 700 vulnerabilities. The attacker used automated scanning and out-of-band callbacks to identify vulnerable servers for potential initial access.

**If you run Adobe ColdFusion or other enterprise servers exposed to the internet, immediately block the attacker IPs listed (especially 134.122.136.119 and 134.122.136.96) and apply all available security patches for your stack, especially for ColdFusion vulnerabilities. Monitor your systems for any connections to Interactsh domains. These may indicate your system has been compromised during the attack.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2025-12-31

Massive Data Exposure as Attackers Exploit MongoBleed Vulnerability

Attackers are actively exploiting the CVE-2025-14847 vulnerability in MongoDB, dubbed MongoBleed, to steal credentials. Over 75,000 internet-exposed databases are reported in security scans.

**Make sure all database servers are isolated from the internet and accessible from trusted networks only. Then patch ASAP! If you can't update your MongoDB instance immediately, disable zlib compression.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai
