Executive Summary
The past week saw a surge in actively exploited critical vulnerabilities targeting widely used enterprise and consumer technologies, signaling an urgent escalation in threat activity. CISA added five vulnerabilities to its KEV catalog, including two affecting Google products and one each impacting Microsoft SharePoint, Synacor Zimbra Collaboration Suite, and Wing FTP Server.
At the same time, Amazon Web Services Threat Intelligence reported an ongoing Interlock ransomware campaign exploiting a critical flaw in Cisco Secure Firewall Management Center, emphasizing the immediate risk to network infrastructure. Additionally, Google disclosed that the DarkSword exploit chain was actively used by multiple threat actors to compromise iOS devices across several regions through coordinated, multi-vulnerability attacks.
Key points:
- 5 vulnerabilities added to the CISA KEV catalog
- Interlock Ransomware exploited Cisco FMC Zero-Day for remote code execution
- Google Discloses Sophisticated iOS Exploit Chain "DarkSword" Targeting Global Users
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-3909 - Out-of-Bounds Write vulnerability in Google Skia
An Out-of-Bounds Write vulnerability in Google Skia was identified that could be exploited via a crafted HTML page to corrupt memory and potentially achieve arbitrary code execution. The issue affected Google Chrome, ChromeOS, Android, Flutter and related products prior to version 146.0.7680.7, highlighting its broad impact across platforms. Successful exploitation could lead to browser crashes or full system compromise depending on execution context. Google remediated the issue with updates 146.0.7680.75/76 for Windows and Mac and 146.0.7680.75 for Linux. The flaw was subsequently added to the CISA KEV catalog, indicating active exploitation risk.
CVE-2026-3910 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Chromium V8
An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability was identified in the V8 engine of Google Chrome, enabling a remote attacker to execute arbitrary code within the browser sandbox via a crafted HTML page. The flaw impacted Chromium-based browsers, including Chrome, Microsoft Edge, and Opera, prior to version 146.0.7680.75. As a core component of JavaScript execution, Chromium V8 remains a frequent target for attackers attempting sandbox escape and deeper system compromise. Google addressed the issue by releasing version 146.0.7680.75/76 for Windows and Mac and 146.0.7680.75 for Linux. The vulnerability was reported to be actively exploited in the wild and was subsequently added to the CISA KEV catalog.
CVE-2026-20963 - Deserialization of Untrusted Data vulnerability in Microsoft SharePoint
A Deserialization of Untrusted Data vulnerability in Microsoft SharePoint enabled an unauthenticated attacker to execute arbitrary code remotely over a network. The flaw affected SharePoint Server 2016, 2019, and Subscription Edition, and was reported to Microsoft by an anonymous researcher. According to Microsoft, the vulnerability could allow attackers to inject and execute malicious code without prior authentication, posing a significant risk to enterprise environments. The issue was addressed in security updates released in January 2026. It was subsequently added to the CISA KEV catalog, emphasizing its potential for active exploitation.
CVE-2025-47813 - Information Disclosure vulnerability in Wing FTP Server
An Information Disclosure vulnerability in Wing FTP Server was identified in versions prior to 7.4.4, where improper error message handling exposed sensitive information when a long UID cookie value was supplied. The flaw caused the application to leak its internal installation path through the /loginok.html endpoint due to insufficient input validation and path length handling. Although the issue was resolved in version 7.4.4 in May 2025, its inclusion in the CISA KEV catalog highlighted its security significance. No active exploitation had been observed at the time, and potential chaining with other vulnerabilities remained unclear.
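One defender-side use of the detail above is a log check for login requests that carry an abnormally long UID cookie to /loginok.html. This is an added example, not code from the advisory or from Wing FTP; it assumes a constructed access-log format that records the Cookie header in the last quoted field, and the 64-byte threshold is an assumption rather than a documented limit.

```python
import re

# Assumed log format (constructed for this example): client, ident, user,
# timestamp, request line, status, bytes, then the Cookie header in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<cookie>[^"]*)"$'
)
MAX_UID_LEN = 64  # assumption: legitimate session ids are far shorter than this


def parse_uid(cookie_header):
    """Return the value of the UID cookie, or None if it is not present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None


def flag_loginok_requests(lines, max_uid_len=MAX_UID_LEN):
    """Return requests to /loginok.html whose UID cookie exceeds max_uid_len."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m.group("path").split("?", 1)[0] != "/loginok.html":
            continue
        uid = parse_uid(m.group("cookie"))
        if uid is not None and len(uid) > max_uid_len:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "uid_len": len(uid)})
    return hits


# Constructed sample log: one normal login, one oversized UID, one unrelated path.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "GET /loginok.html HTTP/1.1" 200 512 '
    '"UID=' + "b" * 32 + '; lang=en"',
    '198.51.100.7 - - [01/Apr/2026:10:00:09 +0000] "GET /loginok.html HTTP/1.1" 200 2048 '
    '"UID=' + "A" * 400 + '"',
    '198.51.100.7 - - [01/Apr/2026:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"UID=' + "A" * 400 + '"',
]

if __name__ == "__main__":
    for hit in flag_loginok_requests(SAMPLE_LOG):
        print(hit)
```

A single hit is a weak signal on its own; the value is in correlating the source IP with the 7.4.4 upgrade status of the host.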
CVE-2025-66376 - Cross-Site Scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS)
A Cross-Site Scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite Classic UI allowed attackers to abuse CSS @import directives in crafted emails, leading to execution of malicious JavaScript when opened. The flaw was exploited in “Operation GhostMail,” as reported by Seqrite Labs, targeting Ukraine’s State Hydrographic Service through phishing emails sent from compromised accounts. The malicious scripts enabled extensive data exfiltration, including credentials, session tokens, 2FA backup codes, and mailbox contents via DNS and HTTPS channels. The activity has been attributed to APT28, indicating a sophisticated espionage-driven campaign. The issue was remediated in versions 10.0.18 and 10.1.13 released in November 2025. The vulnerability was subsequently added to the CISA KEV catalog.
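The abuse of CSS @import in mail bodies can be checked for on the receiving side by scanning inbound HTML for @import rules in style blocks and style attributes. The following is an added example, not Zimbra's code or Seqrite's detection logic; the sample message is constructed, and the regular expressions will not catch CSS escape sequences or other encodings, so this is a triage aid rather than a complete sanitizer.

```python
import re
from html.parser import HTMLParser

# Matches an @import rule up to its terminating semicolon (or end of value).
IMPORT_RE = re.compile(r'@import\b[^;]*;?', re.IGNORECASE)
STYLE_BLOCK_RE = re.compile(r'(<style\b[^>]*>)(.*?)(</style>)', re.IGNORECASE | re.DOTALL)
STYLE_ATTR_RE = re.compile(r'(\sstyle\s*=\s*")([^"]*)(")', re.IGNORECASE)


class ImportFinder(HTMLParser):
    """Collect (location, rule) pairs for every @import seen in the message."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                for m in IMPORT_RE.finditer(value):
                    self.findings.append((f"<{tag} style=...>", m.group(0)))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # HTMLParser delivers <style> content verbatim through handle_data.
        if self.in_style:
            for m in IMPORT_RE.finditer(data):
                self.findings.append(("<style>", m.group(0)))


def find_css_imports(html):
    finder = ImportFinder()
    finder.feed(html)
    return finder.findings


def strip_css_imports(html):
    """Remove @import rules from style blocks and style attributes only."""
    drop = lambda m: m.group(1) + IMPORT_RE.sub("", m.group(2)) + m.group(3)
    return STYLE_ATTR_RE.sub(drop, STYLE_BLOCK_RE.sub(drop, html))


# Constructed sample: a benign rule plus two @import rules pointing off-host.
SAMPLE_EMAIL = (
    '<html><head><style>body{color:#333} @import url("https://example.invalid/a.css");'
    '</style></head><body><p style="font-size:12px;@import \'https://example.invalid/b.css\'">'
    'Quarterly report attached.</p></body></html>'
)
```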
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Interlock Ransomware exploited Cisco FMC Zero-Day for remote code execution
According to Amazon Web Services Threat Intelligence, an active Interlock ransomware campaign was observed exploiting a critical vulnerability in Cisco Secure Firewall Management Center that stems from insecure deserialization of user-supplied Java byte streams. The vulnerability allowed unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges on affected devices. Analysis from AWS's MadPot global sensor network indicated that exploitation began as a zero-day in late January 2026, prior to public disclosure by Cisco. The investigation further revealed that the threat actor inadvertently exposed parts of their operational infrastructure, providing visibility into a multi-stage attack chain, custom remote access tools, reconnaissance scripts, and evasion techniques.
Google Discloses Sophisticated iOS Exploit Chain "DarkSword" Targeting Global Users
According to Google, the DarkSword exploit chain was utilized by the threat actors UNC6748, PARS Defense, and UNC6353 to compromise iOS devices through various campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine. This sophisticated operation leveraged six distinct vulnerabilities (CVE-2025-31277, CVE-2026-20700, CVE-2025-43529, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520) to achieve full-chain exploitation. These actors deployed malicious payloads such as GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE via Snapchat-themed decoys and watering-hole attacks to exfiltrate sensitive data from targets. The vulnerabilities spanned remote code execution, sandbox escapes, and privilege escalation, all of which were patched following the investigation.
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
Overall, the week emphasized the rapid weaponization of newly disclosed vulnerabilities, reflecting an increasingly aggressive threat landscape. The convergence of active KEV additions, ransomware-driven exploitation, and multi-stage attack chains highlighted the growing speed and sophistication of modern campaigns. These developments reinforced the need for immediate patching, continuous monitoring, and proactive defense strategies. Platforms such as Loginsoft Vulnerability Intelligence (LOVI) enable organizations to stay ahead by providing timely, actionable insights into exploited vulnerabilities, emerging threats, and evolving risk exposure.
FAQs:
1) What is Google Skia?
A) Google Skia is an open-source 2D graphics rendering engine used to draw text, shapes, and images across platforms. It powers visual rendering in applications like Google Chrome, Android, and Flutter. Skia provides high-performance graphics by handling low-level drawing operations efficiently, making it a core component in modern UI and browser rendering systems.
2) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
A) Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
3) How does LOVI help organizations manage vulnerabilities effectively?
A) Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
4) What is Cytellite?
A) Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.