Executive Summary
This week’s cyber threat activity underscored the continued convergence of active exploitation, high-risk vulnerabilities, and social engineering campaigns targeting both enterprise and developer ecosystems.
Two vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog: one affecting Microsoft Windows, remediated as part of the January 2026 Patch Tuesday release, and another impacting the Gogs self-hosted Git service. In parallel, active exploitation was detected in the Modular DS WordPress plugin, exposing thousands of sites to potential administrative compromise.
Additionally, WebRAT malware was observed spreading through fake GitHub repositories posing as proof-of-concept exploits, leveraging vulnerabilities associated with WordPress and Microsoft to lure victims into downloading malicious payloads.
Key points:
- 2 vulnerabilities added to the CISA KEV catalog.
- Active exploitation detected in Modular DS WordPress plugin.
- Cytellite sensor telemetry detected exploit scanning activity targeting globally exposed assets.
- Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
- Kyowon group discloses ransomware incident affecting up to 5.5 million users.
- Chinese-speaking threat actors likely exploited SonicWall VPN to deploy a VMware ESXi exploit.
- Officials of Ukraine's Defense Forces targeted in a new charity-themed malware campaign.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-20805 - Information Disclosure vulnerability in Microsoft Windows
An Information Disclosure vulnerability in Microsoft Windows Desktop Window Manager (DWM) allows an authorized local attacker to disclose sensitive user-mode memory information. Successful exploitation could expose section addresses from a remote ALPC port, potentially aiding further attacks. Microsoft has addressed the issue as part of its January 2026 Patch Tuesday security updates. While details around exploitation methods, scale or threat actors remain undisclosed, the vulnerability has now been added to the CISA KEV catalog, underscoring the need for immediate patching.
CVE-2026-23550 - Privilege Escalation vulnerability in Modular DS WordPress plugin
A privilege escalation vulnerability in the Modular DS WordPress plugin exposed more than 40,000 websites to potential unauthorized administrative takeovers by allowing unauthenticated attackers to bypass security checks and gain administrator access through simple URL parameter manipulation. The flaw, which affects versions 2.5.1 and below, stems from a broken “direct request” authentication mechanism that fails to require any cryptographic signature, secret key, or request validation. Security researchers at Patchstack observed active exploitation beginning in mid-January, with attackers abusing the weakness to implant backdoors and maintain persistent control over compromised sites.
CVE-2025-8110 - Path Traversal vulnerability in Gogs
A path traversal vulnerability in Gogs, caused by improper symbolic link handling in the PutContents API, allows attackers to bypass prior protections and achieve remote code execution on versions 0.13.3 and earlier. The issue, which bypasses the earlier fix for CVE-2024-55947, enables arbitrary file writes through crafted symlinks and has been actively exploited in the wild. Gogs has released a patch addressing the flaw, and users are strongly advised to upgrade to a fixed version immediately. Following confirmed exploitation activity in December 2025, the vulnerability has now been added to the CISA KEV catalog.
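The Gogs issue above is a write API that follows symbolic links inside the repository working tree. As an added example (not Gogs's own code or its patch), the hypothetical SafeRepoPath/PutContents pair below shows the containment check a defender would expect before any content write: reject absolute paths and ".." segments, and refuse to write through any existing path component that is a symlink, so a crafted link cannot redirect the file outside the repository root.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRepo: the requested write would not stay inside the repository.
var ErrEscapesRepo = errors.New("path escapes repository root")
// SafeRepoPath maps a user-supplied relative path onto repoRoot and refuses
// anything that could redirect the write: absolute paths, ".." segments, and
// any already-existing component that is a symbolic link, wherever it points.
func SafeRepoPath(repoRoot, relPath string) (string, error) {
	sep := string(filepath.Separator)
	clean := filepath.Clean(filepath.FromSlash(relPath))
	if filepath.IsAbs(clean) || clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return "", ErrEscapesRepo
	}
	// Lstat each existing component: a symlink anywhere in the chain
	// (e.g. repo/link -> /etc) would make the final write land outside root.
	cur := repoRoot
	for _, part := range strings.Split(clean, sep) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // deeper components do not exist yet, nothing to follow
		} else if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrEscapesRepo
		}
	}
	return filepath.Join(repoRoot, clean), nil
}
// PutContents writes data only after SafeRepoPath accepts the path. Check-then-
// write is still racy against a concurrent symlink creation (O_NOFOLLOW helps).
func PutContents(repoRoot, relPath string, data []byte) error {
	target, err := SafeRepoPath(repoRoot, relPath)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}
```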
CVE-2026-0625 - Command Injection vulnerability in D-Link DSL gateway devices
A Command Injection vulnerability affecting legacy D-Link DSL gateway routers, including the DSL-526B, DSL-2640B, DSL-2740R, and DSL-2780B, was identified in the dnscfg.cgi endpoint, caused by improper sanitization of user-supplied DNS parameters. According to VulnCheck, the flaw enables unauthenticated remote code execution and is linked to DNSChanger-style unauthenticated DNS modification, a technique historically abused at scale. Active exploitation was observed in the wild following detection of a live attack, using a previously undocumented technique, on a honeypot operated by The Shadowserver Foundation. D-Link has confirmed these devices reached end of life more than five years ago and will not receive patches; as mitigation, affected systems should be immediately decommissioned or isolated from the internet and replaced with supported hardware to prevent continued compromise.
CVE-2025-37164 - Code Injection vulnerability in Hewlett Packard Enterprise OneView
A Code Injection vulnerability in Hewlett Packard Enterprise OneView allows a remote, unauthenticated attacker to achieve remote code execution, posing a severe risk to affected environments. This flaw impacts all OneView versions prior to 11.0.0, with hotfixes available for versions 5.20 through 10, as disclosed by the vendor. A detailed proof-of-concept was published by Rapid7 in December 2025, increasing the likelihood of exploitation. Reflecting its severity and real-world risk, the vulnerability was added to the CISA KEV catalog this week, prompting an urgent recommendation for organizations to apply updates or hotfixes immediately to mitigate potential compromise.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
WebRAT Malware Distributed via Fake GitHub PoC Exploit Repositories
According to Kaspersky, the WebRAT malware was distributed through GitHub repositories falsely claiming to host proof-of-concept exploits for recently disclosed vulnerabilities. First identified in early 2025, WebRAT initially targeted general users by masquerading as game cheats for titles such as Rust, Counter-Strike, and Roblox, as well as cracked software. By September, the threat actors expanded their targeting to include inexperienced information security professionals and students. In December, Kaspersky uncovered a campaign, active since at least September, that leveraged widely publicized, high-severity vulnerabilities, including CVE-2025-10294, CVE-2025-59230, and CVE-2025-59295, to lure victims. The actors used well-crafted GitHub repositories with detailed vulnerability descriptions to build credibility, a tactic previously observed during abuse of the RegreSSHion vulnerability.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Notable threat activity observed this week
An overview of recently observed campaigns and tactics that reflect how threat actors are adapting tools, platforms, and social engineering methods.
- The Kyowon Group, a major South Korean conglomerate operating across education and publishing, digital learning platforms, hospitality, and consumer services, disclosed a ransomware attack that disrupted operations and resulted in the exfiltration of customer data. Local media reported that information associated with up to 9.6 million registered accounts, representing around 5.5 million individuals, may have been exposed.
- Chinese-speaking threat actors were suspected of abusing a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit chain developed as early as February 2024. Huntress observed the activity in December 2025 and disrupted it before it reached the final stage, which was assessed to likely culminate in ransomware deployment. The attack leveraged three VMware zero-day vulnerabilities disclosed by Broadcom in March 2025 (CVE-2025-22224, CVE-2022-22225, and CVE-2025-22226), which enable memory disclosure or code execution within the VMware VMX process.
- Officials of Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025 that delivered a backdoor known as PluggyApe. CERT-UA assessed the activity as likely linked to the Russian threat groups Void Blizzard and Laundry Bear, with medium confidence. The attacks used Signal and WhatsApp messages impersonating charitable organizations to distribute password-protected archives containing malicious .docx.pif executables. CERT-UA warned that the use of legitimate Ukrainian phone numbers, compromised accounts, and localized language made mobile-focused social engineering attacks particularly convincing.
Conclusion
With active exploitation and KEV additions signaling elevated risk, organizations cannot afford delays in patching and exposure management. Proactive visibility into emerging threats, exploit trends, and vulnerable assets is now critical. Platforms like Loginsoft Vulnerability Intelligence (LOVI) provide timely intelligence and actionable insights to help security teams prioritize remediation and stay ahead of evolving attack campaigns.
FAQs:
1) What is Desktop Window Manager?
A) Desktop Window Manager (DWM) is a core Microsoft Windows component responsible for rendering the graphical user interface, including window composition, visual effects, and desktop animations. DWM runs in the background to manage how application windows are displayed on screen, and vulnerabilities in it can impact system stability or expose sensitive information.
2) What is Gogs?
A) Gogs is an open-source, self-hosted Git service written in Go that allows organizations and individuals to host and manage their own Git repositories with minimal resource requirements.
3) How does LOVI help organizations manage vulnerabilities effectively?
A) Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
4) What is Cytellite?
A) Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.