April 10, 2026

A Week of Targeted Exploitation Across Enterprise Platforms

Executive Summary

The past week highlights a continued pattern of active exploitation across enterprise software, open-source platforms, and network infrastructure, reinforcing how threat actors are rapidly operationalizing both newly disclosed and previously known vulnerabilities. CISA added three vulnerabilities to its KEV catalog, affecting Ivanti Endpoint Manager Mobile (EPMM), Fortinet FortiClient EMS, and TrueConf Client, underscoring the urgency of patching widely deployed enterprise tools that function as critical control planes.

At the same time, multiple platforms faced ongoing exploitation activity, including the Ninja Forms File Upload WordPress Plugin, Flowise AI, Weaver E-cology, and Tianxin Internet Behavior Management System. These vulnerabilities span a wide range of weaknesses, from file upload flaws and insecure input handling to command injection and exposed debug interfaces, yet converge on a common outcome: remote code execution and full system compromise.

In parallel, threat intelligence reporting highlights evolving attacker tradecraft and large-scale campaigns. According to Microsoft Threat Intelligence, Storm-1175 has conducted high-velocity intrusions by chaining zero-day and N-day exploits to deploy ransomware within hours, targeting multiple global sectors. Meanwhile, the National Cyber Security Centre (NCSC) reported that APT28 has leveraged DNS hijacking via compromised routers to enable adversary-in-the-middle attacks and credential theft.

Key points:

  • 3 vulnerabilities added to the CISA KEV catalog
  • Active exploitation detected in Tianxin Internet Behavior Management System, Flowise AI, Ninja Forms - File Upload WordPress plugin
  • Microsoft Warns of high-velocity Medusa Ransomware attacks targeting global sectors
  • NCSC Warns of Router Exploitation and Credential Theft via Malicious DNS Infrastructure

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-0740 - Unauthenticated Arbitrary File Upload vulnerability in Ninja Forms - File Upload WordPress Plugin

An unauthenticated arbitrary file upload vulnerability in the Ninja Forms - File Upload WordPress Plugin, affecting versions up to and including 3.3.26, allows attackers to achieve remote code execution. The flaw existed in the handle_upload function of the NF_FU_AJAX_Controllers_Uploads class, where the validation checked the source filename but not the destination filename, enabling attackers to bypass file-type restrictions by injecting a .php extension and exploiting path traversal to place files in sensitive directories. Wordfence reported that attackers could upload malicious PHP files, execute code, and establish persistence via web shells, leading to full site compromise. Wordfence also blocked over 500 exploitation attempts observed within 24 hours. The vulnerability was patched in version 3.3.27, mitigating the risk of further exploitation.
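To make the source-versus-destination distinction concrete, here is an added Python illustration (not the plugin's PHP and not taken from the Wordfence report) of a validator that checks only the source filename beside one that validates the name actually written to disk; the upload root and extension allowlist are assumed values.

```python
import posixpath
import re
from typing import Optional

# Constructed upload root for this example; not the plugin's real path.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/ninja-forms"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def source_only_check(source_name: str, dest_name: str) -> Optional[str]:
    """Weak pattern the write-up describes (re-created, not the plugin's code):
    the extension check runs on the *source* filename, while the path written
    to disk is built from the caller-controlled *destination* name."""
    ext = source_name.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Nothing inspects dest_name, so both its extension and any "../" survive.
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, dest_name))


def validated_destination(source_name: str, dest_name: str) -> Optional[str]:
    """Hardened form: validate the name that is actually written.
    Returns the final path, or None when the upload must be rejected."""
    # 1. Reduce the destination to a bare filename so directory components
    #    (and therefore traversal) are gone before the extension is examined.
    base = posixpath.basename(dest_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    # 2. Allow a conservative character set and exactly one extension, which
    #    refuses double extensions such as "image.php.jpg" and control bytes.
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", base):
        return None
    # 3. Both the source and the destination extension must be on the allowlist.
    dest_ext = base.rsplit(".", 1)[-1].lower()
    src_ext = source_name.rsplit(".", 1)[-1].lower()
    if dest_ext not in ALLOWED_EXTENSIONS or src_ext not in ALLOWED_EXTENSIONS:
        return None
    # 4. Defence in depth: the resolved path must still sit under UPLOAD_ROOT.
    final = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([final, UPLOAD_ROOT]) != UPLOAD_ROOT:
        return None
    return final
```

The weak check happily returns a path outside the upload directory with a .php extension when the destination name carries traversal segments; the hardened check rejects that input, a double extension, and a disallowed source type.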

CVE-2026-1340 - Code Injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM)

A Code Injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) enables unauthenticated remote code execution and was exploited as a zero-day. In January 2026, Ivanti acknowledged this flaw and released patches for the affected versions. The vendor also noted that attackers can leverage crafted requests to achieve RCE, establish persistence via web shells or reverse shells, and access sensitive device and configuration data. Ivanti also advised administrators to inspect the Apache access log at /var/log/httpd/https-access_log for indicators of attempted or successful exploitation using the following regex pattern: ^(?!127.0.0.1:\d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404. (the negative lookahead excludes requests originating from localhost; the rest matches 404 responses for the affected /mifs/c/ paths). As of now, the Shadowserver Foundation tracks around 950 exposed EPMM instances globally, indicating ongoing exposure risk. This vulnerability has now been added to the CISA KEV catalog following confirmed active exploitation.

CVE-2026-3502 - Download of Code Without Integrity Check vulnerability in TrueConf Windows Client

A Download of Code Without Integrity Check vulnerability in TrueConf Windows Client (versions prior to 8.5.3) allowed attackers to distribute tampered updates, resulting in arbitrary code execution across connected systems. The flaw stemmed from missing integrity validation in the update mechanism, enabling attackers controlling an on-premises server to push malicious packages without requiring endpoint-level compromise. According to Check Point Software Technologies, the vulnerability was actively exploited in early 2026 as part of the “TrueChaos” campaign, attributed with moderate confidence to a Chinese-nexus threat actor. The attack chain involved DLL side-loading using “7z-x64.dll,” retrieval of additional payloads (“iscsiexe.dll”) from external infrastructure, and execution via “poweriso.exe” to maintain persistence. The campaign is assessed to ultimately deploy the Havoc command-and-control (C2) framework, highlighting abuse of trusted update channels as a scalable malware distribution vector. The vulnerability was patched in version 8.5.3, released in March 2026. This vulnerability was subsequently added to the CISA KEV catalog following confirmed active exploitation in the wild.  

CVE-2026-22679 - Unauthenticated Remote Code Execution in Weaver E-cology

An Unauthenticated Remote Code Execution vulnerability in Weaver E-cology affected E-cology 10.0 versions prior to 20260312, allowing attackers to execute arbitrary commands without authentication. The flaw resided in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where crafted POST requests manipulating the interfaceName and methodName parameters enabled access to debug functionality and command-execution helpers. Exploitation activity was first observed on March 31, 2026, by the Shadowserver Foundation, confirming active abuse in the wild. The vulnerability posed severe risks, including data exfiltration, ransomware deployment, and persistent backdoor access across enterprise environments. VulnCheck highlighted that attackers leveraged exposed developer tools as an execution pathway. Weaver released patches on March 12, 2026, and organizations were advised to update immediately, restrict access, and monitor logs for suspicious POST requests targeting the vulnerable endpoint.
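The two log-inspection recommendations above (Ivanti's EPMM regex and Weaver's advice to watch for POST requests to the debug endpoint) can be applied with the same few lines of code. The following Python is an added example, not from either vendor: the EPMM pattern is the one quoted in the EPMM section, while the E-cology rule (any POST to the endpoint path) and the Apache-style sample lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Pattern from Ivanti's advisory as quoted in the EPMM section above.
EPMM_PATTERN = re.compile(
    r"^(?!127.0.0.1:\d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404."
)

# Weaver E-cology endpoint named in the write-up; flagging *every* POST to it
# is this example's own (assumed) rule, not a vendor-published signature.
WEAVER_PATTERN = re.compile(
    r'"POST /papi/esearch/data/devops/dubboApi/debug/method'
)

RULES = {
    "EPMM_CVE-2026-1340": EPMM_PATTERN,
    "Ecology_CVE-2026-22679": WEAVER_PATTERN,
}

# Constructed sample lines in Apache combined-log style (not real telemetry).
# Line 2 is a localhost health probe the EPMM regex is meant to ignore, and
# line 4 is ordinary login traffic that matches neither rule.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Apr/2026:10:12:01 +0000] "GET /mifs/c/aftstore/fob/xyz HTTP/1.1" 404 512 "-" "curl/8.0"
127.0.0.1:44321 - - [03/Apr/2026:10:12:02 +0000] "GET /mifs/c/appstore/fob/health HTTP/1.1" 404 0 "-" "internal"
198.51.100.7 - - [03/Apr/2026:10:13:45 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.5 - - [03/Apr/2026:10:14:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
"""


def scan_log(text: str) -> Dict[str, List[str]]:
    """Return, per rule, the source addresses of the lines that matched."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for line in text.splitlines():
        for name, pattern in RULES.items():
            if pattern.search(line):
                # First whitespace-delimited field of a combined-log line
                # is the client address (here including the port on line 2).
                hits[name].append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    for rule, sources in scan_log(SAMPLE_LOG).items():
        print(f"{rule}: {sources or 'no matches'}")
```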

CVE-2026-35616 - Improper Access Control vulnerability in Fortinet FortiClient EMS

An Improper Access Control vulnerability in Fortinet FortiClient EMS affected versions 7.4.5 through 7.4.6, allowing unauthenticated attackers to execute unauthorized code or commands. The flaw lies in the EMS API, where crafted requests allow an unauthenticated attacker to bypass API authentication and authorization, resulting in unauthorized code or command execution on the server. Security firm Defused described the flaw as a “pre-authentication API access bypass” that enabled attackers to completely sidestep API authorization controls, noting that it was discovered through its upcoming Radar feature, a large-scale anomaly detection system designed to identify zero-days and unusual activity in large volumes of honeypot telemetry. Fortinet confirmed that exploitation of this vulnerability was already occurring in the wild. The vendor released hotfixes for the affected versions and planned a permanent fix in version 7.4.7. The vulnerability was later added to the CISA Known Exploited Vulnerabilities Catalog due to confirmed active exploitation.

CVE-2025-59528 - Remote Code Execution vulnerability in Flowise AI

A Remote Code Execution vulnerability in Flowise AI, affecting version 3.0.5, allows attackers to achieve full system compromise, command execution, and sensitive data exfiltration. The flaw existed due to insecure input handling: the mcpServerConfig parameter was processed without validation, and user input was executed via the JavaScript Function() constructor after unsafe variable substitution. The vulnerability was triggered through the /api/v1/node-load-method/customMCP endpoint, resulting in arbitrary code execution within the Node.js runtime and access to sensitive modules such as child_process and fs. The issue was patched in version 3.0.6, mitigating the risk of further exploitation.

CVE-2021-4473 - Command Injection vulnerability in Tianxin Internet Behavior Management System

A Command Injection vulnerability in Tianxin Internet Behavior Management System allows unauthenticated attackers to execute arbitrary system-level commands, leading to potential full network compromise. The flaw existed in the Reporter component endpoint, where improper input sanitization of the objClass parameter enabled injection of shell metacharacters and output redirection. The Shadowserver Foundation first observed active exploitation in the wild on June 1, 2024, with attackers writing malicious PHP files to the web root to achieve RCE. This enabled persistent access, lateral movement, traffic interception, and ransomware deployment across internal networks. VulnCheck recently released an advisory highlighting the risk and how simple the flaw is to exploit. A patch was made available via firmware update NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin or later, and organizations were urged to upgrade immediately to mitigate exposure.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Visual Composer Metadata Uploader | Yes | True |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | Yes | False |
| CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | Yes | True |
| CVE-2024-3721 | TBK DVR-4104 and DVR-4216 | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | Yes | False |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | Yes | True |
| CVE-2023-38646 | Metabase open source | Critical | Remote code execution vulnerability in Metabase open source | Yes | False |
| CVE-2023-33831 | FUXA | Critical | Command Injection vulnerability in FUXA | Yes | False |
| CVE-2023-26801 | LB-LINK routers | Critical | Command Injection vulnerability in LB-LINK routers | Yes | False |
| CVE-2022-47945 | ThinkPHP Framework | Critical | Path Traversal vulnerability in ThinkPHP Framework | No | False |
| CVE-2022-41040 | Microsoft Exchange Server | High | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server | Yes | True |

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Storm-1175 Zero-Day Exploitation: Microsoft Warns of High-Velocity Medusa Ransomware Attacks Targeting Global Sectors

According to Microsoft Threat Intelligence, the China-linked threat actor Storm-1175 has leveraged a mix of zero-day and N-day vulnerabilities to conduct high-velocity intrusions against internet-facing systems. The group has targeted sectors including healthcare, education, professional services, and finance across Australia, the UK, and the US, often chaining exploits to gain initial access and escalate compromise. It has exploited vulnerabilities such as CVE-2025-10035 and CVE-2026-23760 as zero-days before public disclosure, followed by rapid data exfiltration and deployment of Medusa ransomware within hours to days. Post-compromise activity has included persistence via web shells, creation of new accounts, credential theft, and disabling security controls. The actor has also relied on LOLBins, Impacket, Mimikatz, and RMM tools like AnyDesk and ConnectWise ScreenConnect to blend malicious activity with legitimate operations. This rapid exploitation cycle has enabled Storm-1175 to take advantage of the window between vulnerability disclosure and patch adoption.

APT28 DNS Hijacking Campaign: NCSC Warns of Router Exploitation and Credential Theft via Malicious DNS Infrastructure

According to the National Cyber Security Centre (NCSC), the Russian threat actor APT28 has exploited routers to overwrite DHCP/DNS settings and redirect traffic through attacker-controlled infrastructure. This activity has enabled adversary-in-the-middle (AitM) attacks to harvest credentials, including passwords and OAuth tokens for web and email services. From 2024 through 2026, the group has leveraged VPS infrastructure to operate malicious DNS servers that receive traffic from compromised routers. Exploitation has included targeting devices such as TP-Link WR841N routers via vulnerabilities like CVE-2023-50224 to obtain credentials and modify DNS configurations. The campaign has been largely opportunistic, with broad targeting followed by selective intelligence-focused filtering. This activity has increased the risk of credential theft, data manipulation, and wider network compromise across affected organizations.

| Vulnerability | Severity | Title | Patch | Abused By Malware | OSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-1731 | Critical | OS Command Injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2026-23760 | Critical | Authentication Bypass Using an Alternate Path or Channel vulnerability in SmarterTools SmarterMail | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2025-10035 | Critical | Deserialization vulnerability in GoAnywhere MFT's License Servlet | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2025-31161 | Critical | Authentication Bypass vulnerability in CrushFTP | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2025-52691 | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SmarterTools SmarterMail | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-1708 | High | Path Traversal vulnerability in ConnectWise ScreenConnect | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-1709 | Critical | Authentication Bypass vulnerability in ConnectWise ScreenConnect | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-21887 | Critical | Command Injection vulnerability in Ivanti Connect Secure and Policy Secure | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-27198 | Critical | Authentication Bypass vulnerability in JetBrains TeamCity | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-27199 | High | Path Traversal vulnerability in JetBrains TeamCity | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-57726 | Critical | Privilege Escalation vulnerability in SimpleHelp remote support software | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-57727 | High | Path Traversal vulnerability in SimpleHelp remote support software | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2024-57728 | High | Arbitrary File Upload vulnerability in SimpleHelp remote support software | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2023-21529 | High | Remote Code Execution vulnerability in Microsoft Exchange Server | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2023-27350 | Critical | Improper Access Control vulnerability in PaperCut NG and PaperCut MF | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2023-27351 | High | Authentication Bypass vulnerability in PaperCut NG and PaperCut MF | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2023-46805 | High | Authentication Bypass vulnerability in Ivanti Connect Secure and Policy Secure | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2023-50224 | Medium | Authentication Bypass by Spoofing vulnerability in TP-Link TL-WR841N | No | APT28 | False |
| CVE-2022-41080 | High | Privilege Escalation vulnerability in Microsoft Exchange Server | Yes | Storm-1175 Medusa Ransomware | False |
| CVE-2022-41082 | High | Remote Code Execution vulnerability in Microsoft Exchange Server | Yes | Storm-1175 Medusa Ransomware | False |

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

| CVE-ID | Title | Ecosystem |
| --- | --- | --- |
| CVE-2026-0006 | Remote Code Execution vulnerability in Google Android | Android |
| CVE-2026-0596 | Command Injection vulnerability in Mlflow | PyPI |
| CVE-2026-29000 | Authentication Bypass vulnerability in pac4j-jwt | Maven |
| CVE-2026-35216 | Unauthenticated Remote Code Execution vulnerability in Budibase | npm |
| CVE-2026-34976 | Missing Authorization vulnerability in Dgraph | Go |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
| --- | --- | --- | --- |
| CVE-2026-5493 | Out-Of-Bounds Write | Labcenter Electronics Proteus | Resource |
| CVE-2026-5728 | Unrestricted Upload of File with Dangerous Type | LollMS Image Upload | Resource |
| CVE-2026-25623 | Remote Code Execution | Apache Struts | Resource |
| CVE-2026-30762 | Hardcoded JWT signing secret | LightRAG | Resource |
| CVE-2026-33551 | Authorization Bypass | Keystone | Resource |

Conclusion

The breadth of affected technologies, spanning web plugins, AI orchestration tools, and enterprise management systems, highlights how rapidly the attack surface continues to expand, while attackers accelerate the weaponization of vulnerabilities across diverse environments. Together, these developments reinforce a threat landscape driven by speed, automation, and infrastructure-level compromise, where organizations must move beyond reactive security approaches. Platforms like Loginsoft Vulnerability Intelligence (LOVI) play a critical role in this shift by enabling proactive vulnerability tracking, real-time threat intelligence, and faster remediation, helping organizations stay ahead of exploitation cycles and strengthen their overall security posture.

FAQs

1) What is Flowise AI?

Flowise AI is an open-source platform that enables users to build and orchestrate large language model (LLM) workflows through a visual, drag-and-drop interface. It allows developers to create AI-powered applications without extensive coding by integrating models, APIs, and logic blocks. The platform is commonly used for building chatbots, automation pipelines, and customized AI solutions.

2) What is Weaver E-cology?

Weaver E-cology is an enterprise collaboration and office automation platform used to manage business workflows, documents, and internal communications. It serves as a centralized system for handling approvals, HR processes, and organizational data across large enterprises. The platform is widely deployed in corporate environments, often integrating with other business systems to streamline operations.

3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

4) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

5) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
