Executive Summary
This week’s threat landscape was shaped by accelerated exploitation trends and sophisticated campaigns targeting critical software ecosystems.
CISA added four vulnerabilities to the KEV catalog affecting SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab, while active exploitation was also observed in the Metro Development Server of @react-native-community/cli.
At the same time, malware-driven campaigns intensified, including Operation Neusploit linked to APT28, underscoring sustained attacker focus on weaponizing newly disclosed flaws. Check Point Research exposed cyber-espionage operations by the Amaranth-Dragon cluster associated with APT41, while FortiGuard Labs detailed the Interlock ransomware campaign exploiting a vulnerable driver and the EncystPHP web shell activity tied to INJ3CTOR3 targeting FreePBX systems. Together, these developments reflect a week marked by rapid vulnerability weaponization and increasingly sophisticated intrusion techniques across sectors.
Key points:
- 4 vulnerabilities added to the CISA KEV catalog.
- Active exploitation observed in Metro Development Server.
- APT28 Exploits CVE-2026-21509.
- Check Point Uncovers Amaranth-Dragon Cyber-Espionage Activity.
- Interlock Ransomware leveraged BYOVD Technique to target education sector.
- INJ3CTOR3 targeted FreePBX via EncystPHP Web Shell Deployment.
- Multiple open-source software (OSS) vulnerabilities identified across a broad range of vendors.
- Several pre-NVD vulnerabilities were observed, indicating signs of potential exploitation activity before formal public disclosure.
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2025-11953 - OS Command Injection vulnerability in React Native Community CLI
An OS command injection vulnerability in the Metro development server shipped with the @react-native-community/cli npm package allows unauthenticated attackers to execute arbitrary commands via crafted POST requests. VulnCheck observed active exploitation beginning December 21, 2025: attackers delivered Base64-encoded PowerShell scripts that disabled Microsoft Defender protections, established TCP connections to 8.218.43[.]248:60124, and downloaded a Rust-based payload with anti-analysis features. The requests originated from 5.109.182[.]231, 223.6.249[.]141, and 134.209.69[.]155, and the activity pattern indicated sustained operational exploitation rather than experimental probing. The attack requires network reachability to the Metro listener, so a development server that is bound only to loopback or kept behind a firewall is not reachable by these scanners; exposed instances should be updated and their outbound connections reviewed against the indicators above.
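The indicators quoted above are directly usable for retrospective hunting. The following Python script is an added example, not code from the VulnCheck write-up or from the @react-native-community/cli project: it runs over a small set of constructed telemetry events (HTTP access, process creation, outbound connections), decodes any `-EncodedCommand` PowerShell it finds, and reports which events match the scanner IPs, the C2 endpoint, or Defender tampering. It assumes Metro is on its default port 8081, and assumes Defender tampering appears as `Set-MpPreference`/`Add-MpPreference` once decoded; the page only states that Defender was disabled.

```python
import base64
import re
from typing import Optional

# Network indicators quoted in the VulnCheck observations summarised above (defanging removed).
SCANNER_IPS = {"5.109.182.231", "223.6.249.141", "134.209.69.155"}
C2_ENDPOINT = ("8.218.43.248", 60124)
# Assumption: the Metro development server listens on its default TCP port, 8081.
METRO_PORT = 8081

# `powershell -enc <base64>` with the usual short forms of -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Assumption: Defender tampering shows up as Set-MpPreference/Add-MpPreference once decoded.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion", re.I)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event: dict) -> list:
    """Map one normalised telemetry event to the campaign indicators it matches."""
    hits = []
    kind = event.get("type")
    if kind == "http":
        if event.get("src_ip") in SCANNER_IPS:
            hits.append("scanner-ip")
        if event.get("method") == "POST" and event.get("dst_port") == METRO_PORT:
            hits.append("post-to-metro")
    elif kind == "netconn":
        if (event.get("dst_ip"), event.get("dst_port")) == C2_ENDPOINT:
            hits.append("c2-endpoint")
    elif kind == "process":
        decoded = decode_encoded_powershell(event.get("cmdline", ""))
        if decoded is not None:
            hits.append("encoded-powershell")
            if DEFENDER_TAMPER.search(decoded):
                hits.append("defender-tamper")
    return hits


def scan(events: list) -> dict:
    """Return {event id: [indicators]} for every event that matched at least one indicator."""
    results = {}
    for event in events:
        hits = classify_event(event)
        if hits:
            results[event["id"]] = hits
    return results


def _encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for the demonstration; these are not real log records.
SAMPLE_EVENTS = [
    {"id": 1, "type": "http", "src_ip": "5.109.182.231", "method": "POST", "dst_port": 8081, "path": "/"},
    {"id": 2, "type": "http", "src_ip": "10.0.0.5", "method": "GET", "dst_port": 8081, "path": "/status"},
    {"id": 3, "type": "process", "cmdline": "powershell.exe -nop -w hidden -enc "
        + _encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"id": 4, "type": "process", "cmdline": "powershell.exe -enc " + _encode_ps("Get-Date")},
    {"id": 5, "type": "netconn", "dst_ip": "8.218.43.248", "dst_port": 60124},
    {"id": 6, "type": "netconn", "dst_ip": "198.51.100.9", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

The event layout is a placeholder for whatever your SIEM or EDR exports; the useful part is decoding the encoded command before matching, since the Defender-tampering strings never appear in the raw command line.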
CVE-2025-40551 - Deserialization of Untrusted Data vulnerability in SolarWinds Web Help Desk
A deserialization of untrusted data vulnerability in SolarWinds Web Help Desk enables unauthenticated remote code execution: the platform's AjaxProxy functionality can be abused to construct and trigger malicious Java objects through the JSONRPC bridge. The flaw affects versions 12.8.8 HF1 and earlier and stems from weaknesses in the validation and allowlist-based class filtering applied while deserializing user-supplied data, allowing attackers to reach gadget chains in bundled Java libraries for full system compromise. SolarWinds has addressed the issue in Web Help Desk 2026.1, and organizations are strongly advised to upgrade to the patched release. The vulnerability has been added to the CISA KEV catalog, which reflects evidence of active exploitation and raises the urgency of remediation; until the upgrade is complete, restricting network access to the Web Help Desk interface reduces exposure.
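The mechanism behind this class of bug is easiest to see in a small language-native example. The Python script below is an added illustration, not SolarWinds code and not a Java reproduction of the Web Help Desk flaw: it builds a serialized object whose load step invokes a callable (here the harmless `os.getpid` standing in for a real gadget chain), shows that the default loader runs it, and shows that a loader which resolves only an explicit allowlist of `(module, class)` pairs refuses it while still accepting the legitimate `datetime` objects the application expects. The allowlist contents and the `Beacon` class are assumptions made for the demonstration.

```python
import datetime
import io
import os
import pickle


class Beacon:
    """Stand-in for a deserialization 'gadget': loading it calls os.getpid() instead of a shell command."""

    def __reduce__(self):
        return (os.getpid, ())


# Classes the application legitimately expects inside serialized data; everything else is refused.
ALLOWED_CLASSES = {("datetime", "datetime"), ("datetime", "date")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def unsafe_loads(data: bytes):
    """Default pickle.loads: any importable callable named in the stream gets invoked."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Allowlist-filtered load; raises pickle.UnpicklingError on anything outside the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the allowlisted loader refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed streams: one carrying the gadget, one carrying a benign ticket record.
GADGET_STREAM = pickle.dumps(Beacon())
TICKET_STREAM = pickle.dumps({"ticket": 42, "opened": datetime.datetime(2026, 1, 15, 9, 30)})


def gadget_fires_under_default_load() -> bool:
    """Loading with pickle.loads executes os.getpid() and returns this process's PID."""
    return unsafe_loads(GADGET_STREAM) == os.getpid()


def benign_roundtrip_ok() -> bool:
    """The allowlisted loader still reconstructs data made only of permitted types."""
    return safe_loads(TICKET_STREAM) == {"ticket": 42, "opened": datetime.datetime(2026, 1, 15, 9, 30)}


if __name__ == "__main__":
    print("default loader ran the gadget:", gadget_fires_under_default_load())
    print("allowlist loader rejected the gadget:", is_rejected(GADGET_STREAM))
    print("allowlist loader accepted the ticket:", benign_roundtrip_ok())
```

The lesson carries over to Java: an `ObjectInputFilter` (or the older look-ahead filters) must deny by default and name exactly the classes a given endpoint needs, because a filter that only blocks known-bad classes is bypassed as soon as a new gadget chain is found in a bundled library.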
CVE-2025-64328 - OS Command Injection vulnerability in Sangoma FreePBX
An OS command injection vulnerability in Sangoma FreePBX allows an authenticated user to execute arbitrary system commands through the testconnection → check_ssh_connect() function, affecting versions from 17.0.2.36 up to but not including 17.0.3. The issue is remediated in FreePBX 17.0.3, and organizations are advised to upgrade to the patched release. FortiGuard Labs linked active exploitation to the deployment of the EncystPHP web shell, which leverages the flaw within the FreePBX Endpoint Manager interface to establish persistent access, enable remote command execution, and manipulate logs. Attribution analysis associates the campaign with the INJ3CTOR3 threat actor, reflecting a continued focus on VoIP and PBX infrastructure. This vulnerability has recently been added to the CISA KEV catalog, confirming in-the-wild activity and elevating its remediation priority; because exploitation requires an authenticated account, a review of FreePBX administrative users and web-root contents for unexpected PHP files is a reasonable complement to patching.
CVE-2021-39935 - Server-Side Request Forgery vulnerability in GitLab Community and Enterprise Editions
A Server-Side Request Forgery vulnerability in GitLab Community and Enterprise Editions enables unauthorized external users to issue arbitrary server-side requests through the CI Lint API, affecting versions 10.5 up to but not including 14.3.6, 14.4 up to but not including 14.4.4, and 14.5 up to but not including 14.5.2. The flaw has been remediated in GitLab 14.3.6, 14.4.4, and 14.5.2 and later, and organizations are advised to upgrade to reduce exposure. GreyNoise reported that exploitation activity observed in March 2025 linked this vulnerability to a broader, coordinated surge in SSRF abuse across platforms including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure, indicating cross-platform attacker interest in server-side request capabilities. This vulnerability has now been added to the CISA KEV catalog, elevating its priority for remediation across affected environments.
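The GreyNoise observation that SSRF flaws are being probed across unrelated products makes the generic defence worth restating in code. The Python function below is an added example and not GitLab code: it vets a user-supplied URL before a server makes the request, allowing only http/https, rejecting embedded credentials, resolving the host, and refusing if any resolved address is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast, reserved, or an IPv4-mapped IPv6 form of one of those. The `FAKE_DNS` table is a constructed resolver so the example runs offline; the `93.184.216.34` answer is just a non-special address used for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 checks apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def system_resolver(host: str) -> list:
    """Real DNS lookup; returns every A/AAAA answer as text."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_outbound_url(url: str, resolver=system_resolver) -> tuple:
    """Return (True, resolved_addresses) or (False, reason). Every resolved address must be external."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        targets = [host] if _is_ip_literal(host) else resolver(host)
    except OSError:
        return False, "unresolvable host"
    for ip_text in targets:
        if is_internal(ip_text):
            return False, f"internal address {ip_text}"
    return True, ",".join(targets)


# Constructed resolver answers for offline demonstration; not real DNS data.
FAKE_DNS = {
    "gitlab.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.7"],
    "mapped.example.net": ["::ffff:10.1.2.3"],
}


def fake_resolver(host: str) -> list:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://gitlab.example.com/api/v4/ci/lint", "http://metadata.internal/latest/meta-data/",
                      "http://rebind.example.net/", "http://[::1]/", "file:///etc/passwd"):
        print(candidate, "->", vet_outbound_url(candidate, fake_resolver))
```

Two caveats a reviewer would raise: the check is only as good as the connection that follows it, so the HTTP client should connect to the vetted address (sending the original hostname in the Host header) rather than resolving the name a second time, which is what DNS rebinding exploits; and every redirect hop must be vetted again, since a permitted external host can 302 to an internal one.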
CVE-2019-19006 - Improper Authentication vulnerability in Sangoma FreePBX
An Improper Authentication vulnerability in Sangoma FreePBX allows unauthorized users to bypass password verification and gain access to administrative services, affecting versions 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below. Sangoma has remediated the flaw in patched releases 13.0.197.14, 14.0.13.12, and 15.0.16.27, and organizations are urged to upgrade to reduce exposure. Historical analysis from Check Point Research linked similar exploitation activity, including CVE-2019-19006, to the threat actor INJ3CTOR3, which monetized compromised VoIP systems through fraudulent outbound calling. This vulnerability has now been added to the CISA KEV catalog, underscoring ongoing attacker interest and the importance of prioritizing mitigation efforts.
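Four KEV additions in one week is exactly the situation where a scripted cross-check beats reading advisories by hand. The Python script below is an added example, not a Loginsoft or CISA tool: it takes an excerpt in the layout of the CISA KEV JSON feed (field names are the feed's; the placeholder `dateAdded`/`dueDate` values are constructed, as is the asset inventory), applies the affected-version statements from the four write-ups above, and returns the assets that need remediation ordered by days remaining until the KEV due date. The version-range table is hand-entered from the text, and the SolarWinds "HF1" hotfix suffix is treated as a fourth numeric component.

```python
import json
import re
from datetime import date

# Constructed excerpt in the layout of the CISA KEV JSON feed. Field names are the feed's; the
# CVE/product pairs come from this week's summary, while dateAdded/dueDate are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma", "product": "FreePBX",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab", "product": "Community and Enterprise Editions",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma", "product": "FreePBX",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
]})

# Affected ranges as stated in the write-ups: (low inclusive or None, high, high_inclusive).
AFFECTED = {
    "CVE-2025-40551": [(None, "12.8.8 HF1", True)],
    "CVE-2025-64328": [("17.0.2.36", "17.0.3", False)],
    "CVE-2021-39935": [("10.5", "14.3.6", False), ("14.4", "14.4.4", False), ("14.5", "14.5.2", False)],
    "CVE-2019-19006": [("13.0", "13.0.197.13", True), ("14.0", "14.0.13.11", True), ("15.0", "15.0.16.26", True)],
}

# Constructed asset inventory; the product string is "<vendorProject> <product>" from the feed entry.
INVENTORY = [
    {"host": "helpdesk01", "product": "SolarWinds Web Help Desk", "version": "12.8.8 HF1"},
    {"host": "pbx-edge", "product": "Sangoma FreePBX", "version": "17.0.2.40"},
    {"host": "pbx-legacy", "product": "Sangoma FreePBX", "version": "14.0.13.12"},
    {"host": "git01", "product": "GitLab Community and Enterprise Editions", "version": "14.4.3"},
    {"host": "git02", "product": "GitLab Community and Enterprise Editions", "version": "14.5.2"},
]

TODAY = date(2026, 2, 20)  # constructed reference date for the demonstration


def parse_version(text: str) -> tuple:
    """Turn '12.8.8 HF1' into (12, 8, 8, 1) so versions compare as tuples."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(cve: str, version: str) -> bool:
    """True if `version` falls inside any affected range recorded for `cve`."""
    ver = parse_version(version)
    for low, high, inclusive in AFFECTED.get(cve, []):
        if low is not None and ver < parse_version(low):
            continue
        if ver < parse_version(high) or (inclusive and ver == parse_version(high)):
            return True
    return False


def prioritize(kev_json: str, inventory: list, today: date) -> list:
    """Match KEV entries to inventory assets and order findings by time left before the due date."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = f"{entry['vendorProject']} {entry['product']}"
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for asset in inventory:
            if asset["product"] == key and is_affected(entry["cveID"], asset["version"]):
                findings.append({"host": asset["host"], "cve": entry["cveID"], "version": asset["version"],
                                 "days_left": days_left, "ransomware": entry["knownRansomwareCampaignUse"]})
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in prioritize(KEV_SAMPLE, INVENTORY, TODAY):
        print(f"{finding['host']:12} {finding['cve']:15} v{finding['version']:12} due in {finding['days_left']} days")
```

In production the feed is fetched from CISA's published known_exploited_vulnerabilities.json and the affected ranges come from the vendor advisory or NVD CPE data rather than a hand-entered table; the point of the example is the branch-aware range check, which keeps FreePBX 14.0.13.12 (patched) from being flagged by the "15.0.16.26 and below" statement.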
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
APT28 Exploits CVE-2026-21509
According to Zscaler, exploitation of CVE-2026-21509 has been linked to Operation Neusploit, a campaign attributed to the Russia-linked threat actor APT28, which uses weaponized RTF files to deliver staged malware. The attacks targeted users in Ukraine, Slovakia, and Romania, deploying the MiniDoor backdoor for email theft and the PixyNetLoader malware to bootstrap additional payloads, including Covenant Grunt implants. Analysis of the tooling, targeting patterns, and infrastructure indicates a coordinated espionage-focused operation leveraging Microsoft Office documents to establish persistent access.
Check Point Uncovers Amaranth-Dragon Cyber-Espionage Activity
According to Check Point Research, Amaranth-Dragon, a cluster linked to APT41, conducted targeted cyber-espionage campaigns in 2025 against government and law enforcement agencies in Southeast Asia, operating in alignment with China Standard Time and leveraging geopolitical lures. The group weaponized the CVE-2025-8088 WinRAR vulnerability within days of its disclosure to deliver malicious RAR archives that enabled code execution and persistence. Campaign infrastructure relied on legitimate hosting services such as Dropbox, a custom Amaranth Loader, and the Havoc C2 framework, with Cloudflare-protected servers restricted to targeted regional IP ranges to limit exposure to researchers. A newly identified malware component, TGAmaranth RAT, expands the toolkit with Telegram-based command and control and integrated anti-EDR and anti-AV evasion capabilities.
Interlock Ransomware leveraged BYOVD Technique to target education sector
FortiGuard Labs reported a prolonged intrusion campaign by the Interlock ransomware group targeting the education sector, leveraging a Bring Your Own Vulnerable Driver (BYOVD) technique that abused a legitimate anti-cheat driver vulnerable to CVE-2025-61155 to disable endpoint defenses. The attackers deployed the Hotta Killer tool to load the signed vulnerable driver, established persistence using MintLoader and a custom NodeSnake RAT, and later exfiltrated more than 250GB of sensitive data. The campaign escalated in October 2025 with the deployment of Linux- and JavaScript-based encryptors against Nutanix and Windows systems, followed by the creation of thousands of rogue domain accounts to disrupt response efforts. The operation highlights the increasing use of kernel-level exploits and custom tooling by ransomware actors to evade security controls and execute destructive attacks.
INJ3CTOR3 targeted FreePBX via EncystPHP Web Shell Deployment
FortiGuard Labs reported the discovery of a sophisticated web shell named EncystPHP, which supports remote command execution, persistence, and stealthy deployment of further web shells, and which has been used in campaigns since early December through exploitation of CVE-2025-64328 in FreePBX. Threat analysis links the activity to the threat actor INJ3CTOR3, first observed in 2020 targeting CVE-2019-19006 and later shifting to Elastix via CVE-2021-45461 in 2022. The campaign follows a consistent pattern in which exploitation of FreePBX vulnerabilities is used to deploy PHP web shells in compromised environments, aligning with the tactics and operational behavior previously documented for INJ3CTOR3.
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
In conclusion, this week’s activity demonstrates how quickly threat actors are operationalizing newly disclosed vulnerabilities and combining them with advanced malware campaigns to target enterprise environments. The convergence of KEV-listed flaws, active exploitation, and sophisticated intrusion operations reinforces the need for continuous visibility and rapid response. Platforms like Loginsoft Vulnerability Intelligence (LOVI) play a critical role in helping organizations track emerging threats, prioritize remediation, and stay ahead of exploitation trends. Proactive intelligence-driven defense remains essential to reducing exposure in an increasingly fast-moving threat landscape.
FAQs:
1) What is CVE-2025-8088?
CVE-2025-8088 is a critical Path Traversal vulnerability in RARLAB WinRAR that could allow an attacker to execute arbitrary code by crafting malicious archive files. It has been actively exploited by multiple threat actors, including state-linked and financially motivated groups, to deploy malware such as STOCKSTAY and POISONIVY, making rapid patching essential.
2) What are OSS vulnerabilities?
Open-Source Software vulnerabilities are security weaknesses found in publicly available codebases, such as libraries, frameworks, and tools used across many applications. Because these components are widely reused, a single flaw can cascade risk across thousands of systems, making timely tracking, patching, and dependency management critical.
3) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
4) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.