Executive Summary
The latest threat landscape update highlighted a surge in actively exploited vulnerabilities and evolving attacker tactics across widely used technologies. During the week, the Cybersecurity and Infrastructure Security Agency (CISA) added nine vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, reflecting ongoing exploitation across enterprise software. Of these, six vulnerabilities were associated with Microsoft products, impacting Windows, Exchange Server, Office, SharePoint Server, and Visual Basic for Applications, while two affected Adobe Acrobat and Reader, and one targeted Fortinet FortiClient EMS.
In parallel, active exploitation activity was observed in additional platforms, including Marimo, ShowDoc, and nginx-ui, indicating continued attacker focus on both enterprise and niche applications. Threat intelligence reporting further underscored the rapid evolution of adversary tradecraft, with Storm-1175 conducting high-velocity intrusion campaigns by chaining zero-day and N-day vulnerabilities to deploy ransomware within hours across multiple global sectors.
Key points
- 9 vulnerabilities added to the CISA KEV catalog
- Active exploitation detected in Marimo, nginx-ui and ShowDoc vulnerabilities
- Microsoft warns of high-velocity Medusa ransomware attacks targeting global sectors
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-21643 - SQL Injection vulnerability in Fortinet FortiClient EMS
An SQL injection vulnerability in Fortinet FortiClient EMS allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests targeting the web interface. The flaw stems from improper input validation of the “Site” header, enabling attackers to inject malicious SQL statements with low attack complexity. Active exploitation of this vulnerability has been observed in the wild. The issue affects version 7.4.4 and was addressed by Fortinet in version 7.4.5. The large number of exposed vulnerable instances tracked by the Shadowserver Foundation significantly increases the risk of exploitation, making patching and restricting external access to the web interface urgent. The vulnerability has now been added to the CISA KEV catalog, underscoring its active threat status.
CVE-2026-32201 - Improper Input Validation vulnerability in Microsoft SharePoint Server
An Improper Input Validation vulnerability in Microsoft SharePoint Server allows an unauthorized attacker to perform spoofing over a network. The flaw arises from insufficient validation of user-supplied input, enabling attackers to manipulate requests and impersonate trusted entities. The vulnerability affects Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. The vulnerability was identified internally by Microsoft, with limited details available regarding the exploitation method, threat actors involved, or the scale of observed activity. Despite the lack of public technical details, Microsoft confirmed that the issue was actively exploited in the wild as a zero-day prior to remediation. The vulnerability was addressed in the April 2026 Patch Tuesday security updates. It has since been added to the KEV catalog by CISA, indicating ongoing risk and the need for immediate patching.
CVE-2026-33032 - Authentication Bypass vulnerability in nginx-ui
An Authentication Bypass vulnerability in nginx-ui allows attackers to gain full control of the Nginx service by exploiting improper access controls in the /mcp_message endpoint. According to Pluto Security, the flaw arises because the endpoint enforces only IP allowlisting, which defaults to “allow all,” enabling unauthenticated access to critical MCP functionality. Attackers can chain this with CVE-2026-27944 to extract sensitive data such as credentials, SSL keys, and the node_secret, which can be used to establish a session and execute privileged actions. Successful exploitation enables modification of Nginx configurations, service restarts, traffic interception, and credential harvesting. The vulnerability has been reported among actively exploited issues, increasing the risk to exposed deployments. The issue was addressed in version 2.3.4, with exposure data from Shadowserver Foundation indicating thousands of internet-facing instances at risk.
CVE-2026-34621 - Prototype Pollution vulnerability in Adobe Acrobat and Reader
A Prototype Pollution vulnerability in Adobe Acrobat and Reader enables arbitrary code execution through manipulation of JavaScript objects within PDF documents. The flaw affects versions DC 26.001.21367 and prior, Reader DC 26.001.21367 and prior, as well as 24.001.30356 and earlier, and was addressed by Adobe in Security Bulletin APSB26-43. The vulnerability arises from improper handling of object properties in the JavaScript engine, allowing attackers to modify application behavior and execute malicious code. According to Haifei Li, the flaw has been exploited as a zero-day since at least December 2025 using specially crafted PDF files that bypass sandbox restrictions and abuse privileged APIs such as util.readFileIntoStream() and RSS.addFeed() to access and exfiltrate sensitive data. Analysis of a sample named yummy_adobe_exploit_uwu.pdf revealed low detection rates, highlighting the stealth of the exploit, while activity has been linked to APT-style operations with Russian-themed lures observed by Gi7w0rm. The vulnerability has now been added to the CISA KEV catalog indicating active exploitation and elevated risk.
CVE-2026-39987 - Pre-Authentication Remote Code Execution vulnerability in Marimo
A Pre-Authentication Remote Code Execution vulnerability in Marimo allows unauthenticated attackers to obtain a full pseudo-terminal (PTY) shell and execute arbitrary system commands. The flaw affects versions prior to 0.23.0 and resides in the /terminal/ws WebSocket endpoint, which fails to enforce authentication checks, enabling direct access to an interactive shell with the privileges of the Marimo process. Exploitation is trivial and requires no payload crafting, as attackers can simply establish a WebSocket connection to the exposed endpoint. Observed attacks demonstrated rapid weaponization, with threat actors performing proof-of-concept validation, filesystem reconnaissance, and targeted credential harvesting from files such as .env and SSH keys within minutes of initial access. This behavior highlights the risk of exposing development tools in production or internet-facing environments. The issue has been addressed in version 0.23.0, with evidence of active exploitation observed shortly after public disclosure.
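Both the nginx-ui and Marimo issues above come down to an endpoint that is reachable without authentication (/mcp_message and /terminal/ws), so the first question for a defender is whether anything outside the management network has touched those paths. The following Python script is an added example, not code from the advisories, nginx-ui, or Marimo. It parses nginx combined-format access lines from a reverse proxy assumed to sit in front of these applications, flags hits on the two endpoints from sources outside an allowlist, and distinguishes requests the application actually served (HTTP 200, or a 101 WebSocket upgrade) from rejected attempts. The log lines, the allowlist networks and the reverse-proxy assumption are all constructed for illustration.

```python
"""Detect hits on the unauthenticated endpoints from the nginx-ui and Marimo
write-ups (/mcp_message and /terminal/ws) in nginx combined-format access logs.

Added example. The endpoint paths come from the advisories; the log lines,
allowlist networks and the reverse-proxy assumption are constructed.
"""
import ipaddress
import re
from collections import Counter

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Endpoints named in the write-ups, mapped to the CVE each belongs to.
WATCHED = {
    "/mcp_message": "CVE-2026-33032 nginx-ui MCP endpoint (IP allowlist defaults to allow-all)",
    "/terminal/ws": "CVE-2026-39987 Marimo terminal WebSocket (no authentication check)",
}

# Constructed allowlist: networks that may legitimately reach management endpoints.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Apr/2026:10:02:11 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [18/Apr/2026:10:02:15 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"',
    '10.0.0.5 - - [18/Apr/2026:10:03:01 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Apr/2026:10:04:40 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '198.51.100.9 - - [18/Apr/2026:10:05:00 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    'not a log line',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip):
    """True if the source address falls inside one of the permitted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def find_suspicious(lines):
    """Alert on watched endpoints reached from outside the allowlist.

    A 101 (WebSocket upgrade accepted) or 2xx status means the application
    served the request, so the alert is 'served'; anything else is an 'attempt'.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if path not in WATCHED or is_allowlisted(rec["ip"]):
            continue
        status = int(rec["status"])
        served = status == 101 or 200 <= status < 300
        alerts.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "path": path,
            "status": status,
            "outcome": "served" if served else "attempt",
            "cve": WATCHED[path],
        })
    return alerts


def hits_per_source(alerts):
    """Count alerts per source address, for quick triage of who is probing."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} {a["ip"]} {a["outcome"]:7} {a["path"]} {a["status"]} -> {a["cve"]}')
    print("hits per source:", dict(hits_per_source(found)))
```

A "served" alert on /terminal/ws with status 101 means the shell was actually handed out and warrants incident response, not just a patch ticket; a rejected "attempt" still tells you the instance is being scanned and should be taken off the internet until it is on 2.3.4 (nginx-ui) or 0.23.0 (Marimo).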
CVE-2025-0520 - Unrestricted Upload of File with Dangerous Type vulnerability in ShowDoc
An Unrestricted Upload of File with Dangerous Type vulnerability in ShowDoc allows attackers to upload arbitrary PHP files and achieve remote code execution. The flaw stems from improper validation of uploaded file types, enabling unauthenticated attackers to deploy web shells and execute commands on the underlying server. Successful exploitation can result in full system compromise, particularly in internet-exposed instances. The issue affects versions prior to 2.8.7 and was disclosed as allowing direct upload and execution of malicious files. Recent reports from Vulncheck indicate that the flaw has come under active exploitation for the first time. The vulnerability was addressed in version 2.8.7, released in October 2020, with users advised to upgrade to the latest available version for mitigation.
CVE-2025-60710 - Link Following vulnerability in Microsoft Windows
A Link Following vulnerability in Microsoft Windows allows local privilege escalation by abusing improper handling of symbolic links during file operations. The vulnerability exists within the \Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration scheduled task, where taskhostw.exe processes directories in a user-controlled path without verifying whether they are symbolic links or junctions. By creating specially crafted GUID-named directories in the %LOCALAPPDATA% path, a low-privileged attacker can exploit this behavior to redirect SYSTEM-level deletion operations to arbitrary protected locations. Exploitation is triggered through specific Windows Notification Facility (WNF) state changes or system events, enabling attackers to manipulate file operations via race conditions or link redirection techniques. Successful exploitation can lead to arbitrary folder deletion or further abuse, such as writing malicious DLLs to protected directories through MSI rollback mechanisms, ultimately achieving persistent privilege escalation. Although the vulnerability was addressed by Microsoft in November 2025, it has been added to the CISA KEV catalog now, highlighting its active exploitation risk.
CVE-2023-21529 - Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server
A Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server allows authenticated attackers to achieve remote code execution on affected systems. The flaw arises from improper handling of serialized objects within Exchange components, where user-controlled input is deserialized without sufficient validation, enabling the injection of malicious payloads that execute arbitrary code. Successful exploitation can compromise the confidentiality, integrity, and availability of enterprise environments, given Exchange Server’s exposure to network traffic and its role in handling sensitive communications. Microsoft has reported that the financially motivated threat actor Storm-1175 has been actively exploiting this vulnerability since 2023, alongside other flaws, to gain initial access and deploy Medusa ransomware.
CVE-2023-36424 - Out-of-Bounds Read vulnerability in Microsoft Windows
An Out-of-Bounds Read vulnerability in the Windows Common Log File System (CLFS) enables local privilege escalation on Microsoft Windows systems. The flaw, discovered by the SSD Disclosure technical team, resides in the CLFS driver (clfs.sys), a kernel-level component responsible for high-performance transactional logging; insufficient validation of buffer boundaries while processing crafted log file data allows access to memory outside the intended allocation. This improper bounds checking can be exploited by an authenticated attacker to manipulate kernel memory and escalate privileges to SYSTEM level, posing significant risk in enterprise environments. Because the driver executes in the kernel and has a history as a frequent exploitation target, such vulnerabilities are highly valuable to attackers. Microsoft addressed the issue in a security update released in November 2023, and the vulnerability has now been added to the CISA KEV catalog.
CVE-2020-9715 - Use-After-Free vulnerability in Adobe Acrobat
A Use-After-Free vulnerability in Adobe Acrobat enables arbitrary code execution when a user opens a specially crafted PDF document. The flaw affects multiple versions of Acrobat and Reader across both Continuous and Classic tracks on Windows and macOS, including DC 2020.009.20074 and prior, DC 2020.001.30002, 2017.011.30171 and prior, and 2015.006.30523 and prior. The vulnerability arises from improper object lifecycle management during PDF processing, where freed memory is later referenced, leading to memory corruption. Specifically, an encoding mismatch in cache key handling within the JavaScript engine results in stale pointers being retained, causing a use-after-free condition when previously freed objects are accessed. Attackers can exploit this condition through heap spraying, LFH manipulation, and memory reclamation techniques to establish arbitrary read/write primitives and ultimately hijack execution flow via Return-Oriented Programming (ROP). Adobe addressed the issue through security updates released in August 2020 as part of Security Bulletin APSB20-48. The vulnerability has now been added to the KEV catalog by CISA, indicating continued exploitation risk.
CVE-2012-1854 - Insecure Library Loading vulnerability in Microsoft Visual Basic for Applications
An Insecure Library Loading vulnerability in Microsoft Visual Basic for Applications enables remote code execution by improperly handling the loading of dynamic link libraries (DLLs). The vulnerability arises from insufficient restriction of the paths used to load external libraries, allowing attackers to manipulate the DLL search order and introduce malicious DLLs. Successful exploitation allows attackers to execute arbitrary code with the same privileges as the logged-on user, potentially leading to full system compromise if administrative rights are present. Exploitation requires user interaction, typically by convincing a victim to open a legitimate Microsoft Office file placed alongside a malicious DLL in the same directory. Attack delivery can occur through email-based lures or network-based locations such as shared drives, UNC paths, or WebDAV resources hosting both the legitimate file and the attacker-controlled DLL. The issue was addressed by Microsoft through a security update released in July 2012, and the vulnerability has now been added to the CISA KEV catalog, indicating ongoing exploitation risk.
CVE-2009-0238 - Remote Code Execution in Microsoft Office
A Remote Code Execution vulnerability in Microsoft Office allows attackers to take complete control of affected systems by convincing users to open a specially crafted Excel file containing a malformed object. The flaw is triggered when the application attempts to access an invalid object within the document, leading to arbitrary code execution. The vulnerability affects multiple legacy versions, including Excel 2000 SP3, 2002 SP3, 2003 SP3, 2007 SP1, Excel Viewer variants, the Compatibility Pack for Office 2007 formats, and Excel in Office 2004 and 2008 for Mac. It was actively exploited in the wild as early as February 2009 in campaigns involving Trojan.Mdropper.AC, a loader used to deliver additional malware payloads. Upon initial disclosure, Microsoft issued a security advisory and released patches to mitigate the issue. The vulnerability has now been added to the CISA KEV catalog, highlighting its continued relevance in threat activity.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Storm-1175 Zero-Day Exploitation: Microsoft Warns of High-Velocity Medusa Ransomware Attacks Targeting Global Sectors
According to Microsoft Threat Intelligence, the China-linked threat actor Storm-1175 has leveraged a mix of zero-day and N-day vulnerabilities to conduct high-velocity intrusions against internet-facing systems. The group has targeted sectors including healthcare, education, professional services, and finance across Australia, the UK, and the US, often chaining exploits to gain initial access and escalate compromise. It has exploited vulnerabilities such as CVE-2025-10035 and CVE-2026-23760 as zero-days before public disclosure, followed by rapid data exfiltration and deployment of Medusa ransomware within hours to days. Post-compromise activity has included persistence via web shells, creation of new accounts, credential theft, and disabling security controls. The actor has also relied on LOLBins, Impacket, Mimikatz, and RMM tools like AnyDesk and ConnectWise ScreenConnect to blend malicious activity with legitimate operations. This rapid exploitation cycle has enabled Storm-1175 to take advantage of the window between vulnerability disclosure and patch adoption.
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
The continued exploitation of both newly disclosed and long-standing vulnerabilities highlights a threat landscape where speed and adaptability define attacker success. The targeting of widely used platforms alongside niche tools demonstrates that no environment remains immune to compromise. Rapid weaponization and chaining of vulnerabilities, as seen in recent campaigns, significantly reduce the response window for defenders. This underscores the need for continuous monitoring, timely patching, and proactive threat intelligence to mitigate risk effectively. Platforms like Loginsoft Vulnerability Intelligence (LOVI) play a critical role in enabling organizations to detect, prioritize, and respond to emerging threats before they escalate into large-scale incidents.
FAQs:
1) What is Marimo?
Marimo is an open-source Python notebook environment designed for interactive data analysis and application development. It combines the functionality of notebooks with reproducibility, enabling reactive execution where code and outputs stay in sync.
2) What is Microsoft Visual Basic for Applications (VBA)?
Microsoft Visual Basic for Applications (VBA) is a scripting and development technology embedded within Microsoft Office applications, enabling automation and customization of tasks. It is based on the Visual Basic programming language and allows integration with existing data and enterprise systems.
3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
4) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
5) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
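FAQ 3 above makes the operational point that KEV inclusion means confirmed exploitation, so the ranking question is not "how widespread is it" but "what is my deadline and what is the blast radius". The following Python script is an added example, not tooling from CISA or from Loginsoft: it reads a KEV-style JSON feed, keeps only entries whose vendor/product pair appears in a local asset inventory, and orders them by remediation due date with known ransomware use as the tie-breaker, flagging anything already overdue. The field names follow the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the records, their dates, the ransomware flags and the inventory are constructed samples using the CVE IDs discussed in this report, not the catalog's actual entries.

```python
"""Rank entries from a CISA KEV-style JSON feed for remediation.

Added example, not the catalog's own tooling. Field names follow the public KEV
JSON feed (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse); the records, dates, flags and inventory are constructed.
"""
import json
from datetime import date

# Constructed sample feed. CVE IDs are the ones discussed in this report; the
# dates and ransomware flags are illustrative, not the catalog's actual values.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-04-14", "dueDate": "2026-04-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-16", "dueDate": "2026-05-07", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "dateAdded": "2026-04-16", "dueDate": "2026-05-07", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: (vendorProject, product) pairs present in the estate.
INVENTORY = {
    ("Fortinet", "FortiClient EMS"),
    ("Microsoft", "Exchange Server"),
    ("Microsoft", "Windows"),
}


def load_kev(text):
    """Parse the feed text and return its list of entries."""
    return json.loads(text)["vulnerabilities"]


def days_until_due(entry, today):
    """Days until the entry's remediation deadline; negative when overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def prioritize(entries, today, inventory=INVENTORY):
    """Return in-scope entries as work items, most urgent first.

    Every KEV entry is confirmed exploited, so urgency is driven by the
    deadline, with ransomware linkage breaking ties, not by how widespread
    exploitation appears to be. `today` may be a date or an ISO-8601 string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    items = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue  # not deployed here; nothing to patch
        left = days_until_due(e, today)
        items.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "days_left": left,
            "overdue": left < 0,
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
        })
    items.sort(key=lambda i: (i["days_left"], not i["ransomware"], i["cveID"]))
    return items


def overdue_ids(items):
    """CVE IDs whose deadline has already passed."""
    return [i["cveID"] for i in items if i["overdue"]]


if __name__ == "__main__":
    for item in prioritize(load_kev(SAMPLE_FEED), "2026-04-18"):
        flag = "OVERDUE" if item["overdue"] else f'{item["days_left"]}d left'
        print(f'{item["cveID"]:16} {item["product"]:30} {flag:10} ransomware={item["ransomware"]}')
```

Swapping SAMPLE_FEED for the downloaded catalog and INVENTORY for a CMDB export turns this into a daily job; the inventory filter is what keeps legacy entries such as the Office and VBA items from crowding out deadlines on software you actually run.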