April 24, 2026

CISA KEV Alerts and Mirai Campaigns: A Week of Widespread Active Exploits

Executive Summary

The threat landscape this week highlighted a continued pattern of attackers prioritizing exploitable entry points across enterprise systems and IoT infrastructure. CISA added 10 vulnerabilities to its KEV catalog, including multiple issues affecting Cisco Catalyst SD-WAN Manager, along with vulnerabilities in Microsoft Defender, JetBrains TeamCity, Quest KACE Systems Management Appliance, Zimbra Collaboration Suite, Kentico Xperience, and PaperCut NG/MF. In parallel, active exploitation was observed against application-layer vulnerabilities, notably in the Breeze Cache plugin and LMDeploy, underscoring how quickly publicly disclosed flaws are being weaponized.

Additionally, malware activity remained prominent, with Mirai variants continuing to evolve and expand. According to Akamai, attackers exploited a vulnerability in D-Link routers to deploy the “tuxnokill” variant, while Fortinet reported exploitation of TBK DVR devices to distribute the Nexcorium botnet. Overall, the observed activity demonstrated a convergence of enterprise vulnerability exploitation and large-scale IoT botnet campaigns, reinforcing the persistent risk posed by unpatched systems and the rapid operationalization of publicly disclosed flaws.

Key points:

  • 10 vulnerabilities added to the CISA KEV catalog
  • Active exploitations detected in Breeze Cache plugin for WordPress and LMDeploy vulnerabilities
  • Mirai-based Nexcorium and Tuxnokill botnets leveraged DVR and legacy router vulnerabilities

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-3844 - Unrestricted Upload of File with Dangerous Type vulnerability in Breeze Cache plugin for WordPress

An Unrestricted Upload of File with Dangerous Type vulnerability in Breeze Cache plugin allows unauthenticated attackers to upload and execute arbitrary files on affected websites. The flaw resides in the fetch_gravatar_from_remote function, where the plugin fails to validate file types when retrieving Gravatar images, enabling attackers to supply malicious files such as PHP web shells instead of legitimate images. Exploitation occurs when the “Host Files Locally – Gravatars” setting is enabled, allowing remote file fetching and storage without proper validation, ultimately leading to remote code execution and full site compromise. Reports indicate active exploitation, with automated scanning and attack attempts targeting vulnerable installations at scale. The issue has been addressed by Cloudways in version 2.4.5, and users are strongly advised to update immediately to mitigate the risk.

CVE-2026-20122 - Incorrect Use of Privileged APIs vulnerability in Cisco Catalyst SD-WAN Manager

An Incorrect Use of Privileged APIs vulnerability in Cisco Catalyst SD-WAN Manager allows an authenticated attacker to overwrite arbitrary files and potentially gain vManage user privileges due to improper file handling within the API interface. According to Cisco, the issue stems from missing authorization checks during file upload processing, where insufficient validation and weak enforcement of privilege-based access controls enable users with read-only API credentials to write files to unauthorized locations. Exploitation involves uploading crafted files via the API, leading to arbitrary file overwrite and potential privilege escalation. The vulnerability violates the principle of least privilege by allowing low-privileged users to perform high-impact actions within the system. Cisco has not disclosed technical details regarding exploitation in the wild or attributed the activity to any specific threat actor. The issue has been addressed in Cisco’s fixed software releases and has been added to the CISA KEV catalog, indicating active exploitation and elevated risk.

CVE-2026-20128 - Storing Passwords in a Recoverable Format vulnerability in Cisco Catalyst SD-WAN

A Storing Passwords in a Recoverable Format vulnerability in Cisco Catalyst SD-WAN allows an authenticated local attacker to gain DCA user privileges by accessing a credential file on the filesystem; Cisco has addressed it in multiple fixed software releases. According to Cisco, the issue stems from improper credential storage: DCA credentials are kept in a readable format accessible to any user with valid vManage credentials, even at low privilege levels. Exploitation requires initial authenticated access, after which attackers can retrieve the credentials and use them for privilege escalation and lateral movement across connected SD-WAN systems, particularly in multi-node deployments. The vulnerability arises from insufficient access control and improper file permission enforcement, violating secure credential storage practices such as hashing or vault-based protection. Successful exploitation enables unauthorized access to additional systems within the environment, significantly increasing the risk of broader compromise. The vulnerability has recently been added to the CISA KEV catalog, highlighting its active exploitation and critical impact.

CVE-2026-20133 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cisco Catalyst SD-WAN Manager

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cisco Catalyst SD-WAN Manager allows remote attackers to access sensitive data on affected systems. According to Cisco, the issue resides in the API due to insufficient file system access restrictions, enabling authenticated users with low privileges to read data from the underlying operating system beyond their intended authorization scope. Exploitation is network-based with low complexity, requires minimal privileges, and does not require user interaction, primarily impacting confidentiality. Cisco has not disclosed technical details regarding exploitation in the wild or attributed the activity to any specific threat actor. The vulnerability has been addressed in fixed software releases provided by Cisco, and has now been added to the CISA KEV catalog, indicating active exploitation.

CVE-2026-33626 - Server-Side Request Forgery vulnerability in LMDeploy

A Server-Side Request Forgery (SSRF) vulnerability in LMDeploy allows an attacker to coerce the model server into making unauthorized requests to internal and external resources. The issue affects versions up to v0.12.2 and stems from missing hostname resolution checks, lack of private-network restrictions, and absence of protections for link-local addresses in the image-loading functionality used by vision-language models. According to the Sysdig Threat Research Team, exploitation was observed within hours of disclosure, where attackers leveraged the image loader as an SSRF primitive to scan internal services such as AWS IMDS, Redis, MySQL, and administrative HTTP endpoints. The attack sequence included credential access attempts, external connectivity validation via DNS callbacks, and enumeration of hidden APIs such as /openapi.json. Further activity demonstrated attempts to interact with administrative controls like /distserve/p2p_drop_connect, indicating potential for service disruption. The vulnerability highlights how AI infrastructure can be rapidly weaponized, with SSRF enabling access to sensitive cloud resources and potentially leading to full cloud environment compromise. The issue has been addressed in version v0.12.3 and later, with immediate patching strongly recommended.
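The Breeze Cache and LMDeploy entries above are failures at two different points of the same operation, fetching a remote image into a server: Breeze Cache did not check what came back (a PHP file was stored as an "image"), and LMDeploy did not check where the request was going (no hostname resolution, no filtering of private or link-local destinations). The following Python is an added example, not code from either project, showing the two checks a defender would want in such a loader: resolve the hostname and refuse any non-public address before connecting, then classify the response by its leading bytes rather than by the extension or headers the remote side chose. The HTTP client is replaced by a constructed stub so it runs offline; 8.8.8.8 appears only as a well-known public address so the resolution check can pass without DNS.

```python
"""Added example, not code from Breeze Cache or LMDeploy.

Destination check (the LMDeploy SSRF class): resolve the host first and refuse
loopback, RFC 1918, link-local (which includes the 169.254.169.254 cloud
metadata address) and other non-global ranges.
Content check (the Breeze Cache class): decide what was fetched from the bytes,
not from the URL, the Content-Type header or the file extension.

`fetch` is injected so the example runs offline; `stub_fetch` and
CONSTRUCTED_RESPONSES are constructed stand-ins for an HTTP client.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Magic numbers of the image formats an avatar cache should accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def assert_public_destination(host):
    """Resolve host and raise ValueError if ANY resolved address is non-public.

    Every address is checked, so a name that maps to one public and one
    internal address is still refused.
    """
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    for _family, _type, _proto, _canon, sockaddr in infos:
        addr = ipaddress.ip_address(sockaddr[0].split("%")[0])  # drop IPv6 scope id
        if not addr.is_global:  # False for private, loopback, link-local, reserved
            raise ValueError(f"{host!r} resolves to non-public address {addr}")


def sniff_image_type(data):
    """Return 'jpeg', 'png' or 'gif' from the leading bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def contains_php_tag(data):
    """Tripwire for image/PHP polyglots: a valid GIF header can precede a PHP tag."""
    head = data[:4096]
    return b"<?php" in head or b"<?=" in head


def safe_fetch_image(url, fetch, max_bytes=2 * 1024 * 1024):
    """Return (kind, data) for url, or raise ValueError on any policy violation.

    `fetch(url)` is any callable returning the response body as bytes.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    assert_public_destination(parts.hostname)
    data = fetch(url)
    if len(data) > max_bytes:
        raise ValueError("response too large")
    kind = sniff_image_type(data)
    if kind is None or contains_php_tag(data):
        raise ValueError("fetched content is not an acceptable image")
    return kind, data


# Constructed responses keyed by URL (8.8.8.8 is used only as a well-known
# public address so the destination check passes offline).
CONSTRUCTED_RESPONSES = {
    "https://8.8.8.8/avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "https://8.8.8.8/avatar.jpg": b"<?php /* not an image */ ?>",
    "https://8.8.8.8/polyglot.gif": b"GIF89a" + b"\x00" * 16 + b"<?php /* hidden */ ?>",
}


def stub_fetch(url):
    return CONSTRUCTED_RESPONSES[url]


def fetch_policy_result(url, fetch=stub_fetch):
    """Return 'accepted:<kind>' or 'rejected:<reason>' for a URL."""
    try:
        kind, _ = safe_fetch_image(url, fetch)
        return f"accepted:{kind}"
    except ValueError as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    for u in list(CONSTRUCTED_RESPONSES) + [
        "http://169.254.169.254/latest/meta-data/",  # cloud metadata endpoint
        "http://127.0.0.1:6379/",                    # loopback service
        "file:///etc/passwd",                        # non-HTTP scheme
    ]:
        print(u, "->", fetch_policy_result(u))
```

Two caveats for anyone adapting this: resolving and then connecting separately leaves a DNS-rebinding window, so a production fix should connect to the address it validated (or pin the resolver result), and the destination check must be re-applied to every hop of a redirect chain, since a redirect to an internal address is the usual way around a first-hop-only check.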

CVE-2026-33825 - Insufficient Granularity of Access Control vulnerability in Microsoft Defender

An Insufficient Granularity of Access Control vulnerability in Microsoft Defender, tracked as CVE-2026-33825 and publicly referred to as “BlueHammer,” enables a local authorized attacker to escalate privileges by abusing Defender’s file remediation logic. Initially disclosed as a zero-day with publicly available proof-of-concept code, the issue formed part of a broader wave of Defender-targeted vulnerabilities identified within a short timeframe in April 2026. Alongside “BlueHammer,” additional techniques such as “UnDefend,” which disrupts update mechanisms, and “RedSun,” which abuses cloud-tagged file handling for privilege escalation, demonstrated systemic weaknesses in Defender’s architecture. This sequence of vulnerabilities illustrates how attackers can chain multiple flaws to degrade protections, bypass defenses, and maintain persistent access even after partial remediation. The issue was addressed by Microsoft in the April 2026 Patch Tuesday release, and its subsequent inclusion in the CISA KEV catalog highlights its continued relevance in evolving attack chains.

CVE-2026-34197 - Improper Input Validation vulnerability in Apache ActiveMQ

An Improper Input Validation vulnerability in Apache ActiveMQ enables code injection and remote code execution, affecting ActiveMQ Classic versions prior to 5.19.4 and 6.2.3. According to Horizon3.ai, the issue bypasses protections introduced in CVE-2022-41678 by abusing the Jolokia JMX-HTTP bridge exposed at the /api/jolokia/ endpoint, where overly permissive access controls allow execution of operations on sensitive MBeans such as BrokerService.addConnector and addNetworkConnector. Exploitation involves supplying a crafted discovery URI leveraging the brokerConfig parameter to load a remote Spring XML application context, resulting in arbitrary code execution through malicious bean initialization. Successful exploitation can lead to system compromise, unauthorized message manipulation, and lateral movement across enterprise environments. The vulnerability was patched in ActiveMQ Classic versions 5.19.4 and 6.2.3, and has now been added to the CISA KEV catalog, underscoring its operational value to threat actors.

CVE-2025-2749 - Path Traversal vulnerability in Kentico Xperience

A Path Traversal vulnerability in Kentico Xperience allows an authenticated user to upload arbitrary data to unintended file system locations via the Staging Sync Server API. According to watchTowr Labs, the issue arises from improper validation and sanitization of user-supplied file paths, where crafted traversal sequences such as ../ enable manipulation of file system paths beyond intended directories. Exploitation involves sending crafted HTTP/SOAP requests to staging endpoints responsible for file synchronization, allowing attacker-controlled data to be written to sensitive locations on the underlying system. This behavior violates file system boundary enforcement and can lead to arbitrary file overwrite, which may be leveraged for further compromise. While the vulnerability alone does not directly result in code execution, it can be chained with other weaknesses to achieve remote code execution or persistent access. The issue was resolved in hotfix 13.0.179 and later, released starting March 20, 2025, and has now been added to the CISA KEV catalog, indicating active exploitation.

CVE-2025-32975 - Improper Authentication vulnerability in Quest KACE Systems Management Appliance (SMA)

An Authentication Bypass vulnerability in Quest KACE Systems Management Appliance enables attackers to impersonate legitimate users without valid credentials, potentially leading to full administrative compromise. According to Arctic Wolf, active exploitation was observed beginning in March 2026, targeting unpatched and internet-exposed systems. Threat actors leveraged the flaw to take over administrative accounts, execute remote commands, and deploy Base64-encoded payloads from external infrastructure. Post-exploitation activity included creation of additional administrative accounts via runkbot.exe, registry modifications for persistence, and credential harvesting using Mimikatz. Further reconnaissance and lateral movement involved enumeration commands and RDP access to backup systems and domain controllers, indicating potential for full network compromise. Although the vendor patched this vulnerability in May 2025, it has now been added to the CISA KEV catalog, acknowledging its active exploitation and critical risk.

CVE-2025-48700 - Cross-site Scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS)

A Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite allows attackers to execute arbitrary JavaScript within a user’s session, potentially leading to unauthorized access to sensitive information, and affects versions 8.8.15, 9.0, 10.0, and 10.1. The issue has been addressed in 8.8.15 Patch 47, 9.0.0 Patch 43, 10.0.12, and 10.1.4. According to Synacor, the vulnerability originates from inadequate sanitization of HTML content in the Classic UI, where crafted tag structures and attribute values, including those leveraging @import directives, enable script injection. Exploitation occurs when a user views a specially crafted email, requiring no additional interaction. Successful exploitation can result in session compromise and unauthorized access to sensitive data. The vulnerability has been added to the CISA KEV catalog, indicating active exploitation and elevated risk.

CVE-2024-27199 - Relative Path Traversal vulnerability in JetBrains TeamCity

A Relative Path Traversal vulnerability in JetBrains TeamCity enables authentication bypass within the web component, allowing limited administrative actions to be performed. The flaw arises from improper handling of path traversal sequences, where double-dot segments can be used to move from unauthenticated endpoints such as /res/, /update/, or /.well-known/acme-challenge/ to restricted application paths. Exploitation allows access to sensitive endpoints including /admin/diagnostic.jsp, exposing installation details, and /app/https/settings/uploadCertificate, enabling replacement of HTTPS certificates. Attackers can also modify configuration settings such as HTTPS port values, potentially causing denial-of-service conditions or enabling man-in-the-middle scenarios when combined with certificate manipulation. Additional endpoints like /app/availableRunners and /app/pipeline may be accessed, exposing internal configurations and system data. Although active exploitation was observed in March 2024 and a patch was released at that time, the vulnerability has now been added to the CISA KEV catalog, highlighting its continued exploitation risk.
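The Kentico and TeamCity entries above are both path traversal, but at different layers, and each layer needs its own check. In TeamCity the authorization decision was effectively made on the raw request path, so a path beginning with a public prefix such as /res/ could carry ../ segments that resolved to a restricted path later; the fix is to normalize first and authorize the normalized path. In Kentico a client-supplied name was joined onto a base directory and written without confirming the resolved target stayed inside that directory. The Python below is an added example, not code from either vendor, demonstrating both checks side by side with the flawed routing shape for contrast. The public prefixes and probe paths are modelled on the endpoints named in the text; the staging base directory is constructed.

```python
"""Added example, not code from Kentico Xperience or JetBrains TeamCity.

* Request routing (TeamCity pattern): a prefix test on the raw path lets
  `/res/../admin/diagnostic.jsp` match the public `/res/` prefix although it
  is later served as `/admin/diagnostic.jsp`. Normalise, then authorise.
* File writes (Kentico pattern): a sync API joining a client-supplied name onto
  a base directory must verify the *resolved* target is still inside it.

PUBLIC_PREFIXES mirrors the endpoints named in the text; '/tmp/staging' is a
constructed base directory.
"""
import posixpath
from pathlib import Path
from urllib.parse import unquote

PUBLIC_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def normalize_request_path(raw_path):
    """Canonical absolute path on which to make the authorisation decision.

    Percent-decodes twice (so %252e%252e is treated as ..), rejects NUL bytes
    and any climb above the root, and collapses '.', '..' and repeated '/'.
    Double decoding is deliberately conservative: it only shapes the path used
    for the decision, not the path handed to the file or servlet layer.
    """
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    if not path.startswith("/"):
        path = "/" + path
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:  # posixpath.normpath would silently swallow this
                raise ValueError("request path escapes root")
        elif seg not in ("", "."):
            depth += 1
    return posixpath.normpath(path)


def is_public(path):
    return any(path == p.rstrip("/") or path.startswith(p) for p in PUBLIC_PREFIXES)


def authorize_vulnerable(raw_path, authenticated):
    """Flawed shape: prefix test on the raw path; traversal is resolved later."""
    return authenticated or raw_path.startswith(PUBLIC_PREFIXES)


def authorize(raw_path, authenticated):
    """Fixed shape: returns (allowed, normalized_path); decision uses the latter."""
    normalized = normalize_request_path(raw_path)
    return (authenticated or is_public(normalized)), normalized


def resolve_within(base_dir, client_name):
    """Absolute target for a client-supplied relative name, or ValueError.

    Path.resolve() follows symlinks and collapses '..', so containment is
    tested on the real filesystem location rather than on the string.
    """
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    base = Path(base_dir).resolve()
    target = (base / client_name).resolve()  # an absolute client_name replaces base here
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"{client_name!r} resolves outside {base}") from None
    return target


def is_contained(base_dir, client_name):
    try:
        resolve_within(base_dir, client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    probes = ["/res/logo.png", "/res/../admin/diagnostic.jsp",
              "/update/%2e%2e/app/https/settings/uploadCertificate"]
    for p in probes:
        print(f"{p:55} vulnerable={authorize_vulnerable(p, False)!s:5} fixed={authorize(p, False)}")
    for name in ["media/site.css", "../../etc/passwd", "/etc/passwd"]:
        print(f"{name:20} contained={is_contained('/tmp/staging', name)}")
```

The routing half is also a useful detection idea: logging the normalized path next to the raw one makes any request where the two differ stand out, which is exactly the traffic the TeamCity write-up describes.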

CVE-2023-27351 - Improper Authentication vulnerability in PaperCut NG/MF

An Improper Authentication vulnerability in PaperCut NG/MF allows remote attackers to bypass authentication via the SecurityRequestFilter class, affecting version 22.0.5 (Build 63914). According to Trend Micro, the flaw results from improper implementation of the authentication algorithm, where inadequate validation of incoming requests enables crafted requests to bypass security controls and access protected endpoints. Exploitation is network-based with low complexity and requires no prior authentication, allowing attackers to directly access application functionality and retrieve sensitive data such as user details, organizational information, and hashed credentials of internally managed accounts. The root cause lies in insufficient access control enforcement within the authentication filter, exposing critical resources to unauthorized actors. The vulnerability was patched in March 2023 with the release of versions 20.1.7, 21.2.11, and 22.0.9, and has now been added to the CISA KEV catalog, indicating continued exploitation.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2026-27944 | Nginx UI | Critical | Missing Authentication for Critical Function vulnerability in Nginx UI | No | False |
| CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Visual Composer Metadata Uploader | Yes | True |
| CVE-2025-22457 | Ivanti Connect Secure, Policy Secure and ZTA Gateways | Critical | Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways | Yes | True |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | Yes | False |
| CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | Yes | True |
| CVE-2024-3721 | TBK DVR-4104 and DVR-4216 | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | Yes | False |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | Yes | True |
| CVE-2023-49103 | ownCloud owncloud/graphapi | Critical | Sensitive Information Disclosure vulnerability in ownCloud owncloud/graphapi | No | True |
| CVE-2023-38646 | Metabase open source | Critical | Remote code execution vulnerability in Metabase open source | Yes | False |
| CVE-2023-33831 | FUXA | Critical | Command Injection vulnerability in FUXA | Yes | False |
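The table above tags each detected CVE with its "exploited in the wild" and "CISA KEV" status, which is the join a defender wants when deciding what to patch first. The Python below is an added example, not Cytellite, LOVI or CISA code, showing how to build that view: it indexes the KEV JSON feed CISA publishes (a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`), scores sensor detections against it, and separately lists the CVEs seen under attack that KEV does not list. The feed excerpt, detection records, hit counts and dates are constructed for the example; only the CVE ids, severities and yes/no statuses follow the table.

```python
"""Added example, not Cytellite, LOVI or CISA code.

KEV_FEED_JSON mimics the shape of CISA's known_exploited_vulnerabilities.json
and DETECTIONS mimics sensor output. Both are constructed: CVE ids, KEV
membership and severities follow the table above; dates, hit counts and vendor
strings are placeholders, not real catalog values. Scoring weights are illustrative.
"""
import json
from datetime import date

SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
REPORT_DATE = date(2026, 4, 24)  # the report's own date, used as "today"


def kev_entry(cve, vendor, product, added, due):
    """One entry in the feed's shape (placeholder dates and vendor strings)."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": f"{product} vulnerability", "dateAdded": added,
            "dueDate": due, "knownRansomwareCampaignUse": "Unknown"}


KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        kev_entry("CVE-2025-31324", "SAP", "NetWeaver Visual Composer", "2026-01-10", "2026-02-01"),
        kev_entry("CVE-2025-22457", "Ivanti", "Connect Secure", "2026-01-10", "2026-02-01"),
        kev_entry("CVE-2024-4577", "PHP", "PHP CGI", "2026-04-20", "2026-05-11"),
        kev_entry("CVE-2024-3400", "Palo Alto Networks", "PAN-OS", "2026-04-20", "2026-05-11"),
        kev_entry("CVE-2023-49103", "ownCloud", "graphapi", "2026-01-10", "2026-02-01"),
    ],
})

# (cve, product, severity, exploited_in_wild, sensor_hits); hit counts constructed.
DETECTIONS = [
    ("CVE-2026-27944", "Nginx UI", "Critical", "No", 12),
    ("CVE-2025-31324", "SAP NetWeaver Visual Composer Metadata Uploader", "Critical", "Yes", 40),
    ("CVE-2025-22457", "Ivanti Connect Secure, Policy Secure and ZTA Gateways", "Critical", "Yes", 8),
    ("CVE-2024-47176", "CUPS", "Medium", "Yes", 3),
    ("CVE-2024-4577", "PHP CGI", "Critical", "Yes", 120),
    ("CVE-2024-3721", "TBK DVR-4104 and DVR-4216", "Medium", "Yes", 55),
    ("CVE-2024-3400", "Palo Alto Networks PAN-OS", "Critical", "Yes", 7),
    ("CVE-2023-49103", "ownCloud owncloud/graphapi", "Critical", "No", 2),
    ("CVE-2023-38646", "Metabase open source", "Critical", "Yes", 1),
    ("CVE-2023-33831", "FUXA", "Critical", "Yes", 9),
]


def load_kev(feed_json):
    """Index the feed by CVE id for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(detections, kev, today):
    """Score each detection; a higher score means patch sooner."""
    ranked = []
    for cve, product, severity, itw, hits in detections:
        score, reasons = SEVERITY_WEIGHT.get(severity, 0), []
        entry = kev.get(cve)
        if entry:
            score += 5
            reasons.append("listed in CISA KEV")
            due = date.fromisoformat(entry["dueDate"])
            if today > due:  # a KEV due date in the past is an audit finding on its own
                score += 2
                reasons.append(f"KEV due date {due} has passed")
        if itw == "Yes":
            score += 3
            reasons.append("exploitation observed")
        if hits:
            score += 1
            reasons.append(f"{hits} sensor hits")
        ranked.append({"cve": cve, "product": product, "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["cve"]))
    return ranked


def kev_gaps(detections, kev):
    """CVEs the sensors saw exploited that KEV does not list: KEV is a floor, not a ceiling."""
    return sorted(cve for cve, _p, _s, itw, _h in detections if itw == "Yes" and cve not in kev)


def rank_for_report(today=REPORT_DATE):
    return prioritize(DETECTIONS, load_kev(KEV_FEED_JSON), today)


def gaps_for_report():
    return kev_gaps(DETECTIONS, load_kev(KEV_FEED_JSON))


if __name__ == "__main__":
    for row in rank_for_report():
        print(f"{row['score']:3} {row['cve']:16} {'; '.join(row['reasons'])}")
    print("exploited but not in KEV:", gaps_for_report())
```

With the real feed the only change is replacing KEV_FEED_JSON with the downloaded file's contents; the `kev_gaps` list is the part worth watching, since four of the ten CVEs in the table were seen exploited by the sensors without a KEV entry.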

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Mirai-Based Tuxnokill botnet leveraging legacy router vulnerabilities

According to Akamai, threat actors were observed exploiting CVE-2025-29635, a command injection vulnerability in end-of-life D-Link DIR-823X routers, to deploy a Mirai botnet variant named “tuxnokill.” The activity was detected in early March 2026 through honeypot telemetry, where attackers used shell scripts to deliver and execute the botnet payload. The campaign also attempted to exploit additional vulnerabilities, including CVE-2023-1389 in TP-Link Archer AX21 devices and a remote code execution flaw in ZTE ZXV10 H108L routers. These coordinated attacks targeted unpatched and legacy IoT devices to recruit them into botnet infrastructure. Once compromised, devices were leveraged to support distributed denial-of-service (DDoS) operations. The campaign reflected the continued reuse of Mirai source code, enabling both sophisticated and low-skilled actors to participate in botnet activity. The findings highlighted the persistent risk posed by outdated IoT hardware and the growing scale of automated exploitation campaigns.

Mirai-Based Nexcorium Botnet Leveraging DVR and Router Vulnerabilities

According to Fortinet, a recent campaign exploited CVE-2024-3721, a command injection vulnerability in TBK DVR devices, to deploy a multi-architecture Mirai variant named Nexcorium. The activity targeted TBK DVR-4104 and DVR-4216 systems, where attackers leveraged the flaw to execute a downloader script that fetched architecture-specific botnet payloads. Once executed, the malware established control over compromised devices and demonstrated typical Mirai-based capabilities, including XOR-encoded configuration handling, watchdog mechanisms, and DDoS modules. The campaign also incorporated CVE-2017-17215 to further propagate by targeting Huawei HG532 devices within networks. In addition, the malware used hard-coded credentials to perform Telnet brute-force attacks, enabling lateral movement and infection expansion. Successful compromise allowed attackers to establish persistence through cron jobs and systemd services while connecting to command-and-control infrastructure for launching UDP, TCP, and SMTP-based DDoS attacks. The malware further employed defense evasion techniques by deleting its initial payload after execution. The campaign reflected continued exploitation of known vulnerabilities and weak credentials to build scalable IoT botnets capable of sustained and widespread impact.

| Vulnerability | Severity | Title | Patch | Abused By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2025-29635 | High | Command Injection vulnerability in D-Link DIR-823X | No | Tuxnokill | False |
| CVE-2023-1389 | High | Command Injection vulnerability in TP-Link Archer AX-21 | Yes | Tuxnokill | True |
| CVE-2024-3721 | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | No | Nexcorium | False |
| CVE-2017-17215 | High | Remote Code Execution vulnerability in Huawei HG532 | No | Nexcorium | False |

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

| CVE-ID | Title | Ecosystem |
|---|---|---|
| CVE-2026-25917 | Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Airflow | PyPI |
| CVE-2026-32604 | Remote Code Execution vulnerability in Spinnaker | Maven |
| CVE-2026-40881 | Deserialization Resource Exhaustion vulnerability in Zebra | crates.io |
| CVE-2026-40887 | SQL Injection vulnerability in Vendure | npm |
| CVE-2026-40176 | Command Injection vulnerability in Composer | Packagist |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2026-4367 | Out-of-Bounds Read | libXpm | Resource |
| CVE-2026-6367 | Stored Cross-Site Scripting | Drupal | Resource |
| CVE-2026-6786 | Memory Corruption | Firefox, Firefox ESR, Thunderbird and Thunderbird ESR | Resource |
| CVE-2026-39470 | Privilege Escalation | Cart Abandonment Recovery for WooCommerce plugin | Resource |
| CVE-2026-40897 | Unsafe Object Property Setter | math.js | Resource |
| CVE-2026-41067 | Cross-Site Scripting | Astro | Resource |

Conclusion

The week’s activity reinforced that both enterprise platforms and IoT ecosystems remain persistently exposed when vulnerabilities are left unpatched or misconfigured. Large-scale exploitation and botnet expansion demonstrated how quickly threat actors operationalize weaknesses across diverse environments. This highlights the need for continuous monitoring, rapid remediation, and contextual threat intelligence to stay ahead of evolving campaigns. Platforms like Loginsoft Vulnerability Intelligence (LOVI) play a critical role in enabling organizations to detect, prioritize, and respond to active threats before they escalate into widespread compromise.

FAQs:

1) What is Cisco Catalyst SD-WAN Manager?

Cisco Catalyst SD-WAN Manager is a centralized network management solution used to configure, monitor, and control SD-WAN environments from a single interface. It enables administrators to manage routing, security policies, and device configurations across distributed branch networks efficiently. The platform provides visibility, automation, and orchestration capabilities to optimize network performance and ensure secure connectivity.  

2) What is Kentico Xperience?

Kentico Xperience is an enterprise-level digital experience platform that combines content management, digital marketing, and e-commerce capabilities in a single solution. It enables organizations to create, manage, and deliver personalized web content and customer experiences across multiple channels.

3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

4) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

5) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
