Executive Summary
The week witnessed a notable surge in vulnerability exploitation and defensive response efforts, reinforcing the persistent focus of threat actors on enterprise and network infrastructure. CISA expanded its Known Exploited Vulnerabilities (KEV) Catalog with five newly identified vulnerabilities, including multiple flaws affecting Ubiquiti UniFi OS, a vulnerability in Lantronix EDS5000 devices, and a critical issue impacting Splunk Enterprise. At the same time, active exploitation campaigns targeted Cisco Unified Communications Manager servers and the widely deployed SP Page Builder extension for Joomla, underscoring continued adversary interest in communication systems, network management platforms, and internet-facing web applications.
Additional threat activity during the week highlighted rapid weaponization of vulnerabilities across widely deployed enterprise and network products. Ubiquiti UniFi OS Server vulnerabilities were chained to bypass authentication and deploy a Mirai botnet variant via a malicious downloader, enabling in-memory persistence and large-scale propagation across connected devices. In parallel, GhostShell leveraged WinRAR-based exploitation to deliver Vidar v2 and a custom mTLS implant through Telegram-driven command-and-control infrastructure, strengthening stealth and resilience. Concurrently, Storm-2603 activity demonstrated overlapping intrusions across enterprise environments, using multiple exploited platforms to maintain persistent access and evade detection.
Key points:
- 5 vulnerabilities added to the CISA KEV catalog
- Active exploitation detected in Cisco Unified Communications Manager and the SP Page Builder page builder extension for Joomla
- Three critical vulnerabilities in UniFi OS Server chained to deploy Mirai Botnet
- GhostShell leveraged WinRAR flaws for multi-stage malware delivery
- Storm-2603 exploited Gladinet vulnerability to maintain persistent access
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-20230 - Server-Side Request Forgery vulnerability in Cisco Unified Communications Manager Server
A Server-Side Request Forgery vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) allows unauthenticated remote attackers to conduct SSRF attacks through improper input validation in the WebDialer component. The component mishandles user-supplied URLs: a crafted HTTP request containing a file:// URI forces the application to write a file to the underlying operating system with an attacker-controlled path and content. A successful exploit lets attackers write files such as webshells to the device and achieve remote code execution, using the SSRF to bypass normal filesystem restrictions and ultimately escalating to root through file writes that overwrite system files or place malicious code in execution paths. The vulnerability was disclosed to Cisco by SSD Secure on June 3, 2026. Exploitation requires the attacker to first obtain the target system's hostname, which is retrievable from the device itself, so the attack chain is practical and has been demonstrated. Active in-the-wild exploitation has been confirmed by the threat intelligence firm Defused, originating from a single IP address that used properly constructed file:// payloads both for reconnaissance (writing test files to /tmp/cve-2026-20230-test.txt) and for file-write attacks. With full technical write-ups and proof-of-concept exploits now publicly available, broader exploitation attempts by additional threat actors against Cisco Unified CM deployments across enterprise communications infrastructure are expected.
CVE-2026-20253 - Missing Authentication for Critical Function vulnerability in Splunk Enterprise
A Missing Authentication for Critical Function vulnerability in Splunk Enterprise allows unauthenticated network attackers to create or truncate arbitrary files through an exposed PostgreSQL sidecar service endpoint that performs no application-level authentication: any user who can reach the service over the network can invoke its file-operation endpoints without credentials, or with invalid or blank ones. An attacker uses path traversal sequences in the backup file parameter to create or truncate files anywhere the Splunk user has write permission, and abuses the PostgreSQL database name parameter to embed a malicious connection string that redirects the database connection to an attacker-controlled PostgreSQL server, enabling credential exfiltration and authentication as the privileged local database user without a password. The flaw chains into full unauthenticated remote code execution: crafted database restore operations execute attacker-controlled SQL commands and arbitrary file writes, ultimately overwriting internal Python scripts that Splunk runs regularly, so code executes under the Splunk service account. That makes it a critical foothold into security operations centers that rely on Splunk for log monitoring, data analysis and security event correlation. Affected versions include Splunk Enterprise 10.2 below 10.2.4 and 10 below 10.0.7; patched versions 10.4.0, 10.2.4 and 10.0.7 are the primary defense, with no workarounds available. The vulnerability has been added to the CISA KEV catalog because of its severity and because the vulnerable sidecar is enabled by default on AWS deployments; detailed exploit specifics have been publicly disclosed, driving opportunistic exploitation attempts.
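The two caller-controlled parameters named above, the backup file name and the database name, are a good place to show what containment and identifier validation look like in code. The following Python is an added example written for this post, not Splunk's sidecar code; the backup directory path and the identifier rule are assumptions chosen for illustration, and the weak function is shown only to make the contrast with the hardened one concrete.

```python
import os
import re

# Assumed backup directory for the service; the real location is not given above.
BACKUP_DIR = "/srv/splunk-backups"
# A database name may only be a plain identifier, never a connection string.
DB_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def weak_backup_path(base, name):
    """The defect pattern: a caller-supplied file name joined with no containment
    check. '..' segments walk out of base, and an absolute name discards base
    entirely (os.path.join keeps only the absolute component)."""
    return os.path.join(base, name)


def safe_backup_path(base, name):
    """Hardened form: resolve the candidate path and require it to stay inside
    base. Resolving with realpath also defeats symlink tricks under base."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"backup name escapes {base}: {name!r}")
    return candidate


def safe_db_name(name):
    """Hardened form: accept only an identifier, so the value cannot smuggle
    'host=' or other key=value pairs that would redirect the connection."""
    if not DB_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid database name: {name!r}")
    return name


def is_safe_backup_name(base, name):
    try:
        safe_backup_path(base, name)
        return True
    except ValueError:
        return False


def is_valid_db_name(name):
    try:
        safe_db_name(name)
        return True
    except ValueError:
        return False


def validate_restore_request(backup_name, db_name, base=BACKUP_DIR):
    """Validate both caller-controlled parameters before any restore work starts."""
    return {"backup": safe_backup_path(base, backup_name), "dbname": safe_db_name(db_name)}


if __name__ == "__main__":
    # Constructed inputs: one well-formed request and one using traversal.
    print(validate_restore_request("db-2026-01.tar", "splunk_kv"))
    print("traversal accepted?", is_safe_backup_name(BACKUP_DIR, "../../etc/passwd"))
```

The check uses `realpath` plus `commonpath` rather than a string search for `..`, because encoded or redundant segments (`sub/../../x`) are only reliably caught after the path has been resolved.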
CVE-2026-34908 - Improper Access Control vulnerability in Ubiquiti UniFi OS
An Improper Access Control vulnerability in Ubiquiti UniFi OS allows unauthenticated attackers to bypass authentication by exploiting a request-parsing mismatch between the nginx front end, which inspects raw percent-encoded URIs when deciding whether a request is exempt from authentication, and the backend, which routes on normalized URIs. An attacker can therefore craft a request that appears public because it carries the "/api/auth/validate-sso/" prefix while resolving internally to an authenticated route such as "/proxy//". This vulnerability chains with CVE-2026-34909 (a similar URI-traversal authentication bypass) to reach the vulnerable package-update service handler, and then with CVE-2026-34910 (command injection via the unvalidated pkg_name parameter in shell command execution) to achieve unauthenticated remote code execution with root privileges through a single malicious request, ultimately compromising the control plane of an organization's entire network infrastructure. It has been added to the CISA KEV catalog.
CVE-2026-34909 - Path Traversal vulnerability in Ubiquiti UniFi OS
A Path Traversal vulnerability in Ubiquiti UniFi OS allows network-accessible attackers to bypass access controls by exploiting URI normalization weaknesses: the nginx front end validates requests against raw percent-encoded URIs (which appear to match auth-exempt paths like "/api/auth/validate-sso/"), while the backend processes normalized URIs in which decoded "../%2f" segments traverse into restricted directories, giving attackers access to sensitive files on the underlying system outside the intended application scope. This vulnerability chains with CVE-2026-34908 (authentication bypass via request-parsing mismatch) and CVE-2026-34910 (command injection in package management) to form a complete exploitation chain for unauthenticated remote code execution; the path traversal component specifically enables access to files that can be manipulated to compromise underlying system accounts and escalate privileges through passwordless sudo mechanisms. The vulnerability has been added to the CISA KEV catalog because it affects UniFi OS control plane infrastructure across enterprise networks.
CVE-2026-34910 - Improper Input Validation vulnerability in Ubiquiti UniFi OS
An Improper Input Validation vulnerability in Ubiquiti UniFi OS allows network-accessible attackers to perform command injection through the package-update service handler, which interpolates caller-supplied package names (the pkg_name parameter, with the by_cmd=true flag) directly into the shell command "sudo /usr/bin/uos runnable latest-versions %v" without any sanitization or validation of shell metacharacters. It chains with CVE-2026-34908 (authentication bypass via request-parsing mismatch) and CVE-2026-34909 (path traversal to reach the vulnerable handler) to achieve unauthenticated remote code execution: an attacker injects arbitrary shell commands through the unvalidated pkg_name parameter to run arbitrary code, pull and execute loaders, and escalate to root through the ucs-update account's passwordless sudo mechanism (for example, by installing crafted .deb packages whose maintainer scripts run as root). The complete chain compromises the control plane of an organization's entire network infrastructure, and the vulnerability has been added to the CISA KEV catalog because of its critical impact on UniFi OS deployments across enterprise, campus and small-business networks.
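As an added illustration of the front-end/backend parsing mismatch that runs through all three UniFi OS entries above, the following Python is a detection and hardening sketch written for this summary; it is not Ubiquiti's code and does not reproduce the real nginx or backend logic. It models the two views of a URI the way the write-ups describe them (prefix match on the raw encoded URI on one side, decoded and normalised routing on the other), flags access-log requests where the two views disagree, and shows the corrected decision that applies the exemption to the normalised route. The log lines, the traversal sample and the request regex are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Auth-exempt prefix named in the advisory text above.
AUTH_EXEMPT_PREFIX = "/api/auth/validate-sso/"

# Constructed nginx-style access log lines (not real UniFi telemetry). The third
# line carries the traversal pattern the write-ups describe: the raw URI starts
# with the exempt prefix, but the decoded path climbs back out of it.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /api/auth/validate-sso/callback?code=abc HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /proxy/network/api/s/default/stat/health HTTP/1.1" 401 0
198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "POST /api/auth/validate-sso/..%2f..%2f..%2fproxy/ HTTP/1.1" 200 97
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/')


def frontend_treats_as_public(raw_uri):
    """Model of the flawed front-end rule: prefix match on the raw, still-encoded URI."""
    return raw_uri.startswith(AUTH_EXEMPT_PREFIX)


def backend_route(raw_uri):
    """Model of what the backend routes on: query stripped, percent-decoding
    repeated until stable (so %252f is unwrapped as well), then '.', '..' and
    duplicate slashes collapsed. Leading '..' above '/' is dropped, as a
    root-anchored route table would do."""
    path = raw_uri.split("?", 1)[0]
    decoded = unquote(path)
    while (again := unquote(decoded)) != decoded:
        decoded = again
    route = posixpath.normpath(decoded)
    return route if route.startswith("/") else "/" + route


def under_exempt_prefix(route):
    """Prefix test that tolerates normpath stripping the trailing slash."""
    base = AUTH_EXEMPT_PREFIX.rstrip("/")
    return route == base or route.startswith(base + "/")


def is_parser_mismatch(raw_uri):
    """The condition to alert on: front end says public, backend would route elsewhere."""
    return frontend_treats_as_public(raw_uri) and not under_exempt_prefix(backend_route(raw_uri))


def hardened_is_public(raw_uri):
    """The corrected decision: apply the exemption to the same normalised route the backend uses."""
    return under_exempt_prefix(backend_route(raw_uri))


def scan_access_log(lines):
    """Return (line_number, source_ip, raw_uri, backend_route) for each mismatched request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_uri = m.group(1)
        if is_parser_mismatch(raw_uri):
            hits.append((n, line.split(" ", 1)[0], raw_uri, backend_route(raw_uri)))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print("mismatch: line %d from %s raw=%s routes_to=%s" % hit)
```

The repeated decoding loop is deliberate: a single `unquote` would leave `%252f` as `%2f`, and a detector that decodes less thoroughly than the component it protects will miss exactly the requests that matter. The same rule, applied on the front end to the normalised route, is the hardening.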
CVE-2026-48908 - Improper Access Control vulnerability in SP Page Builder
An Improper Access Control vulnerability in SP Page Builder, a popular Joomla page builder extension, allows unauthenticated remote attackers to upload arbitrary PHP files through the asset.uploadCustomIcon task endpoint, which processes uploaded files with no server-side file type validation or authorization checks; an attacker can upload a PHP web shell to a web-served folder and execute it to gain full remote code execution on the Joomla site. A successful exploit grants complete control of the compromised site, allowing attackers to create hidden Super Administrator accounts (typically with usernames like "webeditor", "sitehelper" or "adminbk" and email addresses ending in @secure.local) and to deploy persistent PHP file manager backdoors in multiple locations (such as /images//fonts/ and /media/com_admin/users.php) so that access survives even after the upload vulnerability is patched. Every version of SP Page Builder up to and including 6.6.1 is affected, and the flaw is actively being exploited in the wild to plant rogue admin accounts and webshell backdoors. Patching to version 6.6.2 or later is critical on all affected Joomla installations, followed by an immediate audit for hidden Super Users and backdoor files to remove any existing foothold. There is currently no public evidence of mitigations or workarounds beyond patching.
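The audit step recommended above can be scripted. The following Python is an added example for this write-up, not part of the extension or of Joomla: it flags accounts matching the reported username and email patterns, lists Super Users that are not on the administrator's own allow-list, and looks for the fully named backdoor file plus any PHP under the images directory. The Super Users group id 8 assumes Joomla's default groups, the images-directory rule is a heuristic chosen here, and the users and files it operates on are constructed samples.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Indicators quoted in the write-up above.
IOC_USERNAMES = {"webeditor", "sitehelper", "adminbk"}
IOC_EMAIL_SUFFIX = "@secure.local"
# Only the fully specified backdoor path from the write-up is listed; the other
# location is given there with an elided directory name and is not reproduced.
IOC_FILES = ("media/com_admin/users.php",)
# Directories that should never contain executable PHP (assumption: stock Joomla layout).
NO_PHP_DIRS = ("images",)
SUPER_USERS_GROUP_ID = 8  # Joomla's default "Super Users" group id (assumes default groups)


@dataclass
class JoomlaUser:
    username: str
    email: str
    group_ids: tuple = field(default_factory=tuple)  # as held in the #__user_usergroup_map table


def audit_users(users, expected_super_users):
    """Flag accounts matching the reported IOCs and any Super User not on the
    administrator's own allow-list. Returns [(username, reason), ...]."""
    findings = []
    for u in users:
        if u.username.lower() in IOC_USERNAMES:
            findings.append((u.username, "username matches reported rogue-admin pattern"))
        if u.email.lower().endswith(IOC_EMAIL_SUFFIX):
            findings.append((u.username, "email domain matches reported rogue-admin pattern"))
        if SUPER_USERS_GROUP_ID in u.group_ids and u.username not in expected_super_users:
            findings.append((u.username, "unexpected Super User"))
    return findings


def find_backdoor_files(site_root):
    """Return relative paths of known IOC files plus any PHP under directories
    that should hold only static assets."""
    found = []
    for rel in IOC_FILES:
        if os.path.isfile(os.path.join(site_root, rel)):
            found.append(rel)
    for d in NO_PHP_DIRS:
        for dirpath, _, filenames in os.walk(os.path.join(site_root, d)):
            for f in filenames:
                if f.lower().endswith((".php", ".phtml", ".phar")):
                    found.append(os.path.relpath(os.path.join(dirpath, f), site_root))
    return sorted(set(found))


def make_sample_site():
    """Constructed Joomla-like directory tree for the demonstration (not a real site)."""
    root = tempfile.mkdtemp(prefix="joomla-audit-")
    for rel in ("images/banners/logo.png", "images/fonts/cache.php",
                "media/com_admin/users.php", "index.php"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


SAMPLE_USERS = [  # constructed accounts, not from any real site
    JoomlaUser("siteadmin", "admin@example.org", (8,)),
    JoomlaUser("webeditor", "ops@secure.local", (8,)),
    JoomlaUser("author1", "a1@example.org", (3,)),
    JoomlaUser("helper", "h@example.org", (8,)),
]

if __name__ == "__main__":
    for name, reason in audit_users(SAMPLE_USERS, {"siteadmin"}):
        print(f"user {name}: {reason}")
    for rel in find_backdoor_files(make_sample_site()):
        print(f"suspicious file: {rel}")
```

On a real site the user list would come from the `#__users` and `#__user_usergroup_map` tables and `site_root` would be the Joomla document root; the allow-list of expected Super Users is the one piece of input only the site owner can supply, and it is what turns the group check from noise into a finding.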
CVE-2025-67038 - Code Injection vulnerability in Lantronix EDS5000
A Code Injection vulnerability in the Lantronix EDS5000 serial-to-IP device server allows unauthenticated network attackers to inject arbitrary OS commands through the username parameter of a failed login attempt: the HTTP RPC logging module concatenates the unsanitized username directly into a shell command that is executed with root privileges, with no validation or escaping of shell metacharacters. An attacker crafts a username containing operators such as semicolons, pipes or backticks to break out of the intended logging command and execute arbitrary OS commands as root. No prior authentication, user interaction or special network access is required, since the vulnerability is reachable over the network via the HTTP RPC interface and is triggered by a simple failed login. The flaw is particularly dangerous because the EDS5000 bridges legacy serial equipment (industrial controllers, SCADA protection relays, medical systems and point-of-sale terminals) onto modern IP networks, so compromising the device gives a direct foothold into operational technology networks for establishing reverse shells, exfiltrating configuration data, modifying device settings or pivoting laterally into surrounding critical infrastructure. Firmware versions prior to 2.2.0.0R1 are vulnerable, and the vulnerability has been added to the CISA KEV catalog because of its critical severity for manufacturing floors, hospitals, retail chains and energy infrastructure environments.
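As an added example for this entry (not Lantronix code; the log line format is an assumed stand-in, since the device's real format is not given here), the Python below does two things a defender would want from this class of bug: it scans failed-login records for usernames carrying shell metacharacters, which is the signal to alert on, and it contrasts the string-concatenation pattern that causes the defect with the argv-based and quoted forms that avoid it. The log lines are constructed.

```python
import re
import shlex
import subprocess

# Characters that let input escape a shell command context.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")

# Assumed record shape for a failed HTTP RPC login (constructed stand-in; the
# EDS5000's real log format is not given in the advisory text).
FAILED_LOGIN_RE = re.compile(r"login failed for user '(?P<user>.*)' from (?P<src>\S+)$")

SAMPLE_LOG = [  # constructed lines
    "2026-01-05T09:12:01Z rpc: login failed for user 'operator' from 10.0.0.12",
    "2026-01-05T09:12:03Z rpc: login failed for user 'admin;echo probe' from 203.0.113.9",
    "2026-01-05T09:12:04Z rpc: login ok for user 'operator' from 10.0.0.12",
    "2026-01-05T09:12:07Z rpc: login failed for user 'a`echo probe`' from 203.0.113.9",
]


def username_is_suspicious(user):
    """A username is never expected to contain shell operators; treat any as an injection attempt."""
    return bool(SHELL_META.search(user))


def find_injection_attempts(lines):
    """Return (line_no, source, username) for failed logins whose username carries shell metacharacters."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = FAILED_LOGIN_RE.search(line)
        if m and username_is_suspicious(m.group("user")):
            hits.append((n, m.group("src"), m.group("user")))
    return hits


def unsafe_log_command(user):
    """The defect pattern: the username is pasted into a shell string, so a
    metacharacter in it terminates the intended command and starts another."""
    return f"logger -t rpc 'login failed for user {user}'"


def safe_log_argv(user):
    """Hardened form: the username travels as one argv element and no shell ever parses it."""
    return ["logger", "-t", "rpc", f"login failed for user {user}"]


def shell_safe_log_command(user):
    """If a shell string is unavoidable, quote the user-controlled part as a single word."""
    return "logger -t rpc " + shlex.quote("login failed for user " + user)


def log_failed_login(user):
    # shell=False (the default) means argv elements are passed to logger verbatim.
    return subprocess.run(safe_log_argv(user), check=False)


if __name__ == "__main__":
    for n, src, user in find_injection_attempts(SAMPLE_LOG):
        print(f"line {n}: suspicious username {user!r} from {src}")
    print(unsafe_log_command("admin;echo probe"))
    print(shell_safe_log_command("admin;echo probe"))
```

The detection side is worth running against the device's own syslog forwarding even after the firmware is updated: a stream of failed logins with operator characters in the username is reconnaissance for this bug class whichever firmware is installed.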
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Three critical vulnerabilities in UniFi OS Server chained to deploy Mirai Botnet
According to PWNDefend, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 are three critical vulnerabilities in UniFi OS Server that attackers are chaining together in a single malicious request to bypass authentication and execute commands without needing a password. The attacker sends one crafted web request that tricks the server into running a script downloader (called zok) which then pulls and runs a Mirai botnet variant that works on multiple device types like routers and surveillance systems. The botnet hides itself by deleting its own files from disk while staying active in memory, making it hard to detect, and connects to attackers to receive commands for launching attacks on other networks. UniFi OS Server versions 5.0.6 and earlier are affected and must be updated to version 5.0.8 or later immediately to close the vulnerability gap.
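The detail that the botnet deletes its own files while staying resident in memory is also what makes it findable on a Linux host. As an added example (not PWNDefend's tooling and not the Mirai variant itself), the Python below lists processes whose /proc/<pid>/exe link points at a deleted or memfd-backed file; the fake /proc tree it builds, including the zok file name and path, is constructed for the demonstration.

```python
import os
import tempfile


def deleted_executable_processes(proc_root="/proc"):
    """Return sorted (pid, exe_target, kind) for processes whose executable is no
    longer on disk. Linux marks this by appending ' (deleted)' to the target of
    the /proc/<pid>/exe symlink; memfd-backed binaries appear the same way with
    a '/memfd:' target. kind is 'memfd' or 'unlinked'."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # kernel threads, processes that exited mid-scan, or no permission
            # (run as root for full coverage)
            continue
        if target.endswith(" (deleted)"):
            kind = "memfd" if target.startswith("/memfd:") else "unlinked"
            hits.append((int(entry), target, kind))
    return sorted(hits)


def make_sample_proc_tree():
    """Constructed stand-in for /proc so the scan can be exercised offline."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    layout = {
        "101": "/usr/sbin/sshd",            # normal daemon, binary still present
        "202": "/tmp/.x/zok (deleted)",     # binary unlinked after launch (constructed path)
        "303": "/memfd:payload (deleted)",  # anonymous in-memory executable
        "self": "/usr/bin/python3",         # non-numeric entries are skipped
    }
    for pid, target in layout.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "404"))  # pid directory with no readable exe, like a kernel thread
    return root


if __name__ == "__main__":
    root = "/proc" if os.path.isdir("/proc") else make_sample_proc_tree()
    for pid, target, kind in deleted_executable_processes(root):
        print(f"pid {pid}: {kind} executable {target}")
```

A hit is not proof of compromise on its own (a package upgrade leaves long-running services pointing at deleted binaries until they restart), but a deleted or memfd-backed executable on a network appliance, combined with outbound connections from that pid, is the pattern this campaign leaves behind.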
GhostShell leveraged WinRAR flaws for multi-stage malware delivery
According to Synaptic Security Blog, the newly identified threat cluster GhostShell (MB-0009) targeted Ukraine's drone ecosystem, including military units, suppliers, and volunteer organizations, through Besomar-themed lures and malicious archives. The campaign exploited CVE-2025-8088 and CVE-2025-6218 to establish initial access, followed by the deployment of multiple payloads, including Vidar v2 (an infostealer malware) for credential theft and a custom in-memory implant secured with mutual TLS (mTLS). GhostShell employed a Telegram-based dead-drop resolver to dynamically retrieve command-and-control infrastructure, enhancing operational resilience and evasion capabilities. Additional functionality included host reconnaissance, screenshot capture, persistence through Windows Startup folder modifications, and exfiltration of sensitive data through attacker-controlled infrastructure. Synaptic Security assessed GhostShell as a highly organized threat actor that leveraged layered malware components and covert communication mechanisms to support sustained espionage operations against Ukraine’s drone defense sector.
Storm-2603 exploited Gladinet vulnerability to maintain persistent access
According to Microsoft’s Cyberattack Series No. 9, a ransomware engagement revealed concurrent malicious activity by the threat actor Storm-2603 and a second unidentified actor operating within the same compromised environment, creating significant challenges for incident response and attribution. The intrusion chain involved the exploitation of CVE-2025-49706, CVE-2025-49704, and subsequently CVE-2025-11371, enabling unauthorized access, credential theft, persistence, and lateral movement across affected systems. Microsoft observed the use of DLL sideloading, custom backdoors, Cloudflare tunnels, Zoho Assist, and SSH-based command-and-control channels to maintain access and evade detection. The overlapping operations allowed threat activity to blend together, obscuring attacker intent and complicating forensic analysis. Microsoft’s investigation highlighted how multiple threat actors independently exploited the same compromise, increasing operational risk and extending attacker dwell time within enterprise environments.
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
The week reflects sustained exploitation pressure across enterprise software, network infrastructure, and widely used productivity tools, with both known vulnerabilities and active threat campaigns being rapidly weaponized. CISA KEV additions and real-world attacks on platforms like UniFi OS Server, Cisco communication systems, and Joomla extensions highlight persistent targeting of exposed and frequently deployed systems. Advanced threat clusters such as GhostShell and Storm-2603 further demonstrate multi-stage intrusion techniques, combining credential theft, malware delivery, and persistence mechanisms across environments. Continuous visibility, rapid detection, and proactive threat intelligence, delivered through platforms like LOVI, remain critical to reducing exposure and improving response against fast-evolving adversary activity.
FAQs
1) What is Cisco Unified Communications Manager Server?
Cisco Unified Communications Manager server is Cisco’s enterprise call-processing and communication platform that manages voice, video, messaging, mobility, and conferencing services across an organization. It serves as the central component of Cisco’s unified communications infrastructure.
2) What is Ubiquiti UniFi OS?
Ubiquiti UniFi OS is a management platform that provides centralized administration for UniFi networking, security, and surveillance products. It enables organizations to manage devices, monitor network performance, configure settings, and access security features from a unified interface.
3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
Not necessarily widespread, but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
4) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
5) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.