March 13, 2026

From KEV Additions to Active Malware Campaigns: Key Cyber Threats This Week

Executive Summary

The cybersecurity landscape witnessed a turbulent period marked by escalating exploitation activity, state-sponsored aggression, and AI-driven supply chain attacks that collectively underscored the growing sophistication of modern threat actors. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, affecting products from n8n, Omnissa Workspace ONE UEM, SolarWinds Web Help Desk, and Ivanti Endpoint Manager.  

Reflecting the intensifying cyber conflict between the United States and Iran, the Iran-linked threat groups MuddyWater and Void Manticore were observed aggressively weaponizing high-impact vulnerabilities across multiple platforms, including n8n, Ivanti, Laravel Livewire, and N-Central, as part of broader espionage and disruption campaigns targeting Western enterprise infrastructure. Simultaneously, security researchers from StepSecurity, Socket, and Aqua Security uncovered an automated attack campaign driven by an AI-powered bot named Hackerbot-claw, which exploited misconfigured GitHub Actions workflows to compromise software supply chains and exfiltrate developer credentials.

Key points:

  • 4 vulnerabilities added to the CISA KEV catalog  
  • Iran-Linked MuddyWater and Void Manticore Weaponize High-Impact vulnerabilities
  • Hackerbot-Claw Weaponizes GitHub Actions vulnerability

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-0953 - Authentication Bypass vulnerability in the Tutor LMS Pro plugin for WordPress

An Authentication Bypass vulnerability in the Tutor LMS Pro plugin for WordPress, affecting versions up to and including 3.9.5 via the Social Login addon, allowed unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own social account paired with a victim's email address. The flaw resided in the authenticate() function of the TutorPro\SocialLogin\Authentication class, where the plugin failed to verify that the email provided in the authentication request matched the email from the validated OAuth token, instead trusting the user-supplied value over the verified response from providers such as Google or Facebook. Discovered by researcher Phat RiO through the Wordfence Bug Bounty Program, the vulnerability was reported just five days after it was introduced into the codebase, and Wordfence blocked 283 exploitation attempts within a single 24-hour window, underscoring the immediacy of the threat. The vendor addressed the flaw in version 3.9.6, and all users are strongly urged to update immediately to mitigate the risk of full site compromise.

CVE-2026-1492 - Unauthenticated Privilege Escalation vulnerability in User Registration & Membership Plugin for WordPress

An Unauthenticated Privilege Escalation vulnerability in the User Registration & Membership plugin for WordPress, affecting versions up to and including 5.1.2, allowed unauthenticated attackers to designate themselves as administrators during a standard membership signup, requiring no existing account or elevated permissions. The flaw stemmed from improper privilege management during registration: the plugin accepted user-supplied role values instead of enforcing a server-side allowlist, exposing over 60,000 websites to full administrative takeover and enabling attackers to exfiltrate sensitive data, install backdoors, and weaponize compromised sites for further attacks. Researchers at Defiant, the company behind Wordfence, reported blocking 83 exploitation attempts targeting CVE-2026-1492 within a single 24-hour window, confirming active exploitation in the wild. The vulnerability was addressed in version 5.1.3, and all users are strongly urged to update immediately.
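Both WordPress flaws above come down to the same defect: a value the client controls (the email paired with an OAuth token, the role sent with a signup form) was allowed to decide which account is logged in or which capabilities are granted. The following is an added example, not code from Tutor LMS Pro, the User Registration & Membership plugin, or Wordfence; the function and field names are assumptions chosen for the illustration. It shows the two server-side checks whose absence the write-ups describe: binding the login to the provider-verified email and enforcing a role allowlist on the server.

```python
"""Server-side identity checks for the two WordPress plugin flaw classes above.

Added example: this is not code from Tutor LMS Pro or the User Registration &
Membership plugin, and the function and field names are assumptions chosen for
the illustration. The account to log in and the role to grant are derived from
server-verified data, never from what the client submitted.
"""
from dataclasses import dataclass


# Roles a self-service signup may ever receive. Anything else, including
# 'administrator', is replaced by the default rather than honoured.
SELF_REGISTRATION_ROLES = frozenset({"subscriber", "member"})
DEFAULT_ROLE = "subscriber"


class LoginRejected(Exception):
    """Raised when a social login request fails the identity binding check."""


@dataclass(frozen=True)
class OAuthProfile:
    """Identity claims as returned by the provider for an already-validated token."""
    provider: str
    subject: str           # stable user id issued by the provider
    email: str
    email_verified: bool


def resolve_social_login_account(profile: OAuthProfile, request_email: str,
                                 users_by_email: dict) -> str:
    """Return the local account name to log in for a validated OAuth profile.

    Only the email taken from the provider's verified response selects the
    account. The email the client submitted alongside the token is compared
    against it and must match; it never picks the account on its own.
    """
    if not profile.email_verified:
        raise LoginRejected("provider did not verify the email address")
    provider_email = profile.email.strip().lower()
    if request_email.strip().lower() != provider_email:
        raise LoginRejected("submitted email does not match the OAuth identity")
    account = users_by_email.get(provider_email)
    if account is None:
        raise LoginRejected("no local account for this identity")
    return account


def resolve_registration_role(requested_role) -> str:
    """Map a client-supplied role value to one the signup flow may grant.

    The allowlist is enforced on the server: unknown, missing or privileged
    values fall back to the default role instead of being accepted as given.
    """
    if isinstance(requested_role, str):
        candidate = requested_role.strip().lower()
        if candidate in SELF_REGISTRATION_ROLES:
            return candidate
    return DEFAULT_ROLE


if __name__ == "__main__":
    # Constructed sample: two local accounts and a provider profile for alice.
    users = {"alice@example.com": "alice", "admin@example.com": "admin"}
    alice = OAuthProfile("google", "1001", "alice@example.com", True)
    print(resolve_social_login_account(alice, "alice@example.com", users))
    try:
        resolve_social_login_account(alice, "admin@example.com", users)
    except LoginRejected as exc:
        print("rejected:", exc)
    print(resolve_registration_role("administrator"))
```

The email comparison happens after the token has been validated with the provider, and the lookup key is the provider's email, so a mismatching request email cannot redirect the login to another account. The role helper never raises: an unexpected value simply degrades to the default, which is the behaviour a signup form should have even when the request was not malicious.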

CVE-2026-1603 - Authentication Bypass vulnerability in Ivanti Endpoint Manager (EPM)

An Authentication Bypass vulnerability in Ivanti Endpoint Manager (EPM) allowed a remote unauthenticated attacker to bypass security checks and leak specific stored credential data, potentially enabling deeper access into the environment without requiring any prior authentication. At the time of writing, the Shadowserver threat monitoring platform tracked over 700 Internet-facing Ivanti EPM instances, with the majority located in North America, though the exact number of still-vulnerable instances remained unclear. Ivanti addressed this vulnerability with the release of Endpoint Manager version 2024 SU5, and organizations are strongly urged to prioritize this update immediately. This vulnerability has since been added to the CISA KEV catalog, strongly indicating that active exploitation has been observed in the wild, despite no known indicators of compromise at the time of initial disclosure.

CVE-2025-26399 - Deserialization of Untrusted Data vulnerability in SolarWinds Web Help Desk

A Deserialization of Untrusted Data vulnerability in SolarWinds Web Help Desk (WHD) resided in the AjaxProxy component and stemmed from insufficient validation of user-supplied data, allowing attackers to deserialize malicious input and execute remote commands on the host in the context of SYSTEM without any authentication. Tracked as CVE-2025-26399, this vulnerability is particularly notable because it bypassed a previous fix for CVE-2024-28988, which was itself a bypass of CVE-2024-28986, revealing a persistent and recurring weakness in WHD's serialization handling; a proof-of-concept (PoC) is publicly available, further elevating the risk of exploitation. SolarWinds addressed the vulnerability in September 2025 with hotfix 12.8.7 HF1, and organizations running version 12.8.7 or earlier are strongly urged to apply the update without delay. The vulnerability has since been added to the CISA KEV catalog, confirming active exploitation in the wild.

CVE-2025-68613 - Improper Control of Dynamically-Managed Code Resources vulnerability in n8n

An Improper Control of Dynamically-Managed Code Resources vulnerability in n8n's workflow expression evaluation system allowed an authenticated attacker to execute arbitrary code with the privileges of the n8n process, potentially resulting in a complete compromise of the instance, with access to sensitive data, modification of workflows, and execution of system-level operations. The flaw affected all versions from 0.211.0 onward, and data from the Shadowserver Foundation revealed over 24,700 unpatched instances exposed online at the time of writing (more than 12,300 in North America and 7,800 in Europe), highlighting the widespread exposure of this vulnerability across critical automation environments. n8n addressed the vulnerability with the release of v1.122.0, and organizations running affected versions are strongly urged to prioritize this update immediately to mitigate the risk of full instance compromise. The vulnerability has since been added to the CISA KEV catalog, confirming active exploitation in the wild.

CVE-2021-22054 - Server-Side Request Forgery vulnerability in Omnissa Workspace ONE

A Server-Side Request Forgery (SSRF) vulnerability in Omnissa Workspace ONE UEM, formerly known as VMware Workspace ONE UEM, allowed a malicious actor with network access to send unauthenticated requests and gain access to sensitive information, including AWS IAM credentials and internal network resources, with confirmed breaches across numerous Fortune 500 companies. The flaw resided in the BlobHandler component, where hardcoded encryption keys could be reverse-engineered to forge arbitrary server-side requests, affecting versions 20.0.8 through 21.5.0. This vulnerability was part of a broader coordinated SSRF exploitation surge tracked by GreyNoise on March 9, 2025, targeting organizations across the United States, Germany, Singapore, India, Lithuania, Japan, and Israel. The Workspace ONE team released a detailed workaround in November 2024, and the vulnerability has since been added to the CISA KEV catalog, confirming active exploitation in the wild.
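The damage described above (AWS IAM credentials reachable through a forged server-side request) is what happens when an application fetches a URL on a user's behalf without checking where it points. The following is an added example, not Omnissa's or GreyNoise's code, showing the destination check a server-side fetcher should apply before connecting. The policy is an assumption chosen for the example: only http/https, hostnames must be on an allowlist and every address they resolve to must be public, and literal IP destinations are accepted only when public. The resolver is injectable so the check runs offline here and so a caller can connect to exactly the addresses that were validated rather than resolving the name a second time.

```python
"""Validate a server-side fetch destination before the request is made.

Added example, not Omnissa's or GreyNoise's code. The policy (assumed for the
example): http/https only; hostnames must be allowlisted and must resolve only
to public addresses; literal IPs must be public. Link-local covers the cloud
metadata endpoint 169.254.169.254 that hands out instance IAM credentials.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def system_resolver(host: str) -> set:
    """All A/AAAA records for host via the OS resolver (needs network access)."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def static_resolver(table: dict):
    """Resolver backed by a fixed host -> [ip strings] table (tests, fixtures)."""
    return lambda host: {ipaddress.ip_address(a) for a in table.get(host, [])}


def is_internal(ip) -> bool:
    """True for any address a server-side fetch must never reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:169.254.169.254 is still the metadata endpoint
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, allowed_hosts: frozenset, resolver=system_resolver):
    """Return (scheme, host, [validated addresses]) or raise ValueError.

    Callers should open the connection to one of the returned addresses (with
    the Host header set to `host`) so that a second DNS lookup cannot return a
    different, internal address after validation.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname            # already lower-cased, brackets stripped for IPv6
    if not host:
        raise ValueError("missing host")
    try:
        addresses = {ipaddress.ip_address(host)}      # literal IPv4 / IPv6
    except ValueError:
        if host.rstrip(".") not in allowed_hosts:     # hostname: must be allowlisted
            raise ValueError(f"host not in allowlist: {host!r}")
        addresses = set(resolver(host))
        if not addresses:
            raise ValueError(f"host did not resolve: {host!r}")
    internal = [str(a) for a in addresses if is_internal(a)]
    if internal:
        raise ValueError(f"destination resolves to internal address(es): {internal}")
    return scheme, host, sorted(str(a) for a in addresses)


if __name__ == "__main__":
    # Constructed fixture: one allowlisted API host with a public address.
    allowed = frozenset({"api.example.com"})
    resolver = static_resolver({"api.example.com": ["93.184.216.34"]})
    print(validate_outbound_url("https://api.example.com/v1/data", allowed, resolver))
    for bad in ("http://169.254.169.254/latest/meta-data/", "http://[::1]/"):
        try:
            validate_outbound_url(bad, allowed, resolver)
        except ValueError as exc:
            print("blocked:", exc)
```

The check is deliberately performed on resolved addresses rather than on the hostname string alone: an allowlisted name that resolves to a private address (DNS rebinding, or a compromised zone) is rejected, and an IPv4-mapped IPv6 literal is unwrapped before the range test so it cannot slip past an IPv4-only filter.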

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-7417 | Tenda O3V2 | High | Improper Restriction of Operations within the Bounds of a Memory Buffer in Tenda O3V2 | No | False |
| CVE-2025-7414 | Tenda O3V2 | High | OS Command Injection vulnerability in Tenda O3V2 | No | False |
| CVE-2025-31324 | SAP NetWeaver | Critical | An Unrestricted vulnerability in the SAP NetWeaver | Yes | True |
| CVE-2025-10093 | D-Link DIR-852 | Medium | Information Disclosure Vulnerability in D-Link DIR-852 | No | False |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | Yes | False |
| CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | Yes | True |
| CVE-2024-3721 | TBK DVR devices | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | Yes | False |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | Yes | True |
| CVE-2023-4966 | NetScaler ADC and NetScaler Gateway | Critical | Buffer Overflow vulnerability in NetScaler ADC and NetScaler Gateway leads to sensitive information disclosure | Yes | True |
| CVE-2023-46747 | F5 BIG-IP | Critical | Authentication Bypass vulnerability in F5 BIG-IP Configuration Utility leads to remote code execution | Yes | True |

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Iran-Linked MuddyWater and Void Manticore Weaponize High-Impact vulnerabilities

According to Hunt.io and Rapid7, the Iranian state-sponsored threat group MuddyWater was observed using reconnaissance tools including Shodan and Nuclei to identify potentially vulnerable targets, alongside Subfinder and ffuf to enumerate target web applications; these findings were derived from analysis of a VPS the group operated in the Netherlands. MuddyWater was actively scanning and attempting to exploit a wide range of recently disclosed vulnerabilities, targeting platforms including BeyondTrust (CVE-2026-1731), Ivanti (CVE-2026-1281), n8n (CVE-2025-68613), React (CVE-2025-55182), SmarterMail (CVE-2025-52691), Laravel Livewire (CVE-2025-54068), N-Central (CVE-2025-9316), Citrix NetScaler (CVE-2025-5777), Langflow (CVE-2025-34291), and Fortinet (CVE-2024-55591, CVE-2024-23113, CVE-2022-42475).

Operating in parallel, fellow Iranian threat actor Void Manticore, the MOIS-affiliated group behind the Handala hacktivist persona, was similarly observed weaponizing high-impact vulnerabilities to facilitate data exfiltration and psychological operations, with stolen data handed off to hacktivist personas to support broader disinformation campaigns. The combined activity of both groups underscores Iran's increasingly aggressive and opportunistic approach to exploiting newly disclosed vulnerabilities across diverse enterprise environments.

Hackerbot-Claw Weaponizes GitHub Actions vulnerability

StepSecurity and Socket, alongside Aqua Security, uncovered an automated attack campaign orchestrated by an AI-powered bot called Hackerbot-claw, which systematically scanned public repositories for misconfigured CI/CD pipelines and exploitable GitHub Actions workflows in order to harvest developer secrets, targeting seven repositories belonging to Microsoft, Datadog, and Aqua Security between February 21 and 28, 2026. Operating by forking target repositories and concealing malicious payloads within CI scripts, the bot triggered pipelines through seemingly innocuous pull requests to steal secrets and access tokens. The highest-profile target was aquasecurity/trivy, where a stolen Personal Access Token (PAT) was used to push a malicious VS Code extension to the Open VSX registry, weaponizing AI coding assistants including Claude, Codex, Gemini, and GitHub Copilot CLI to exfiltrate sensitive data using the victim's own authenticated GitHub CLI session. Aqua Security has since removed the malicious artifacts and advised affected users to immediately uninstall the extensions and rotate environment secrets. The incident is tracked under CVE-2026-28353.
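The report says the bot forked repositories, hid payloads in CI scripts, and opened pull requests that made the pipeline run them with access to secrets. It does not name the exact workflow misconfiguration, so the check below targets the shape that most commonly produces that outcome, which is an assumption for this example: a job on the `pull_request_target` trigger (which runs in the base repository's context, secrets included) that checks out the pull request's own commit and then executes something from that checkout. This is an added example, not code from StepSecurity, Socket, Aqua Security or GitHub. Workflows are passed in already parsed, in the dict shape `yaml.safe_load` produces; the two sample workflows are constructed.

```python
"""Flag GitHub Actions workflows that run a fork's pull request code with the
base repository's secrets.

Added example, not code from StepSecurity, Socket, Aqua Security or GitHub.
The misconfiguration checked is an assumption (the page names none): a job on
`pull_request_target` that checks out the PR head and then executes from it.
Workflows are supplied as the dict `yaml.safe_load` would produce.
"""
import re

# Expressions that point a checkout at the pull request's own commit.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")


def workflow_triggers(workflow: dict) -> set:
    """Normalise the `on:` key, which may be a string, a list or a mapping.
    PyYAML parses the bare key `on` as boolean True, so both keys are accepted."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def find_privileged_fork_execution(workflow: dict) -> list:
    """Return (job, reason) pairs for jobs that execute PR-head code under
    pull_request_target; [] for workflows without that trigger."""
    findings = []
    if "pull_request_target" not in workflow_triggers(workflow):
        return findings
    for job_name, job in (workflow.get("jobs") or {}).items():
        head_checked_out = False
        for step in job.get("steps") or []:
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and PR_HEAD_REF.search(ref):
                head_checked_out = True
                continue
            # Once the head is checked out, any run step or local action
            # (`uses: ./...`) executes files the fork controls, and the job's
            # secrets are in scope.
            if head_checked_out and ("run" in step or uses.startswith("./")):
                what = step.get("run") or uses
                findings.append((job_name, f"executes PR-head content after checkout: {what!r}"))
                break
    return findings


# Constructed sample: secrets are exposed to code from the fork.
RISKY_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"run": "npm ci && npm test",
                 "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
            ],
        }
    },
}

# Constructed sample: the same steps on the plain `pull_request` trigger, which
# gives pull requests from forks a read-only token and no repository secrets.
SAFER_WORKFLOW = {
    "name": "ci",
    "on": ["pull_request"],
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "npm ci && npm test"},
            ],
        }
    },
}

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safer", SAFER_WORKFLOW)):
        print(name, find_privileged_fork_execution(wf))
```

Running this over every file under `.github/workflows/` is a cheap pre-merge check; a `pull_request_target` job that only labels or comments on the PR, and never checks out the head, is not flagged, which matches the trigger's intended use.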

| Vulnerability | Severity | Title | Patch | Abused By Malware | OSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-1281 | Critical | Code Injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) | Yes | MuddyWater | False |
| CVE-2026-1731 | Critical | OS Command Injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | Yes | MuddyWater | False |
| CVE-2026-28353 | Critical | Information Disclosure vulnerability in Trivy Vulnerability Scanner VS Code extension | No | Hackerbot-claw | False |
| CVE-2025-5777 | Critical | Out-of-Bounds Read vulnerability in Citrix NetScaler ADC and Gateway | Yes | MuddyWater | False |
| CVE-2025-9316 | Medium | Improper Access Control vulnerability in N-central | Yes | MuddyWater | False |
| CVE-2025-34291 | Critical | Remote Code Execution vulnerability in Langflow | Yes | MuddyWater | True |
| CVE-2025-52691 | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SmarterTools SmarterMail | Yes | MuddyWater | False |
| CVE-2025-54068 | Critical | Remote Command Execution Vulnerability in Livewire Framework | Yes | MuddyWater | True |
| CVE-2025-55182 | Critical | Remote Code Execution vulnerability in Meta React Server Components | Yes | MuddyWater | True |
| CVE-2025-68613 | Critical | Improper Control of Dynamically-Managed Code Resources vulnerability in n8n | Yes | MuddyWater | True |
| CVE-2024-4577 | Critical | OS Command Injection vulnerability in PHP Group-CGI | Yes | Void Manticore | False |
| CVE-2024-23113 | Critical | Format String vulnerability in Fortinet Multiple Products | Yes | MuddyWater | False |
| CVE-2024-55591 | Critical | Authentication Bypass vulnerability in Fortinet FortiOS and FortiProxy | Yes | MuddyWater | False |
| CVE-2022-42475 | Critical | Heap-based Buffer Overflow vulnerability in FortiOS SSL-VPN and FortiProxy SSL-VPN | Yes | MuddyWater | False |

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

| CVE-ID | Title | Ecosystem |
| --- | --- | --- |
| CVE-2026-24281 | Hostname Verification Bypass in Apache ZooKeeper ZKTrustManager | Maven |
| CVE-2026-25253 | Token Exfiltration vulnerability in OpenClaw WebSocket | npm |
| CVE-2026-27577 | Expression Sandbox Escape vulnerability in n8n Workflow Automation Platform | npm |
| CVE-2026-27944 | Missing Authentication for Critical Function vulnerability in Nginx UI | Go |
| CVE-2026-29000 | Authentication Bypass vulnerability in pac4j-jwt | Maven |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
| --- | --- | --- | --- |
| CVE-2026-3082 | Remote Code Execution | GStreamer JPEG Parser | Resource |
| CVE-2026-3562 | Signature Verification Authentication Bypass | Philips Hue Bridge | Resource |
| CVE-2026-26364 | Local Privilege Escalation | Array Networks MotionPro | Resource |
| CVE-2025-55017 | Path Traversal | Apache IoTDB | Resource |
| CVE-2025-71207 | Server-Side Request Forgery | Trend Micro Apex Central | Resource |

Conclusion

Overall, the week highlighted the continued exploitation of both newly disclosed and long-standing vulnerabilities across enterprise platforms. The involvement of advanced threat groups and the emergence of AI-driven attack automation further demonstrated the increasing sophistication of modern cyber campaigns. These developments reinforce the importance of timely vulnerability management and continuous threat monitoring. Platforms such as Loginsoft Vulnerability Intelligence (LOVI) enable organizations to stay ahead by providing actionable insights into exploited vulnerabilities, emerging threats, and critical security risks.

FAQs

1) What is Omnissa Workspace ONE UEM?

Omnissa Workspace ONE UEM is a unified endpoint management platform used by organizations to manage and secure devices such as laptops, smartphones, tablets, and desktops. It enables centralized device configuration, application deployment, and security policy enforcement across enterprise environments. The platform helps IT teams maintain compliance, monitor device health, and protect corporate data.

2) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread, but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
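Putting that answer into practice means ranking what the scanner found against the KEV catalog rather than against CVSS alone. The following is an added example, not Loginsoft's or CISA's code. The feed field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) match the JSON feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the catalog excerpt, its dates, and the scanner findings are constructed for the example (the CVE IDs are ones named on this page). KEV membership outranks score; within KEV, the most overdue or soonest due date goes first, with known ransomware use as a tie-breaker.

```python
"""Rank scanner findings using the CISA KEV catalog.

Added example, not Loginsoft's or CISA's code. Field names follow the real KEV
JSON feed; the entries, dates and findings below are constructed. The page
date, 2026-03-13, is used as "today" in the demo run.
"""
import json
from datetime import date

# Constructed KEV excerpt using CVE IDs named on this page; the dates are invented.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-68613", "vendorProject": "n8n", "product": "n8n",
         "dateAdded": "2026-03-09", "dueDate": "2026-03-30",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk",
         "dateAdded": "2026-03-09", "dueDate": "2026-03-30",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-4577", "vendorProject": "PHP Group", "product": "PHP",
         "dateAdded": "2024-06-12", "dueDate": "2024-07-03",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output: (asset, CVE, CVSS base score).
FINDINGS_SAMPLE = [
    ("build-01", "CVE-2026-0953", 9.8),      # critical, but not in the KEV excerpt
    ("auto-02", "CVE-2025-68613", 9.9),
    ("helpdesk-01", "cve-2025-26399", 9.8),  # lower-case id from the scanner
    ("web-07", "CVE-2024-4577", 9.8),        # KEV entry whose due date has passed
    ("lab-03", "CVE-2025-7417", 7.5),
]


def load_kev(raw_json: str) -> dict:
    """Index a KEV feed document by upper-cased CVE ID."""
    return {v["cveID"].upper(): v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(findings, kev: dict, today_iso: str) -> list:
    """Return findings as dicts, ordered for remediation.

    Order: KEV entries first (most overdue / soonest due first, ransomware-linked
    before others on a tie), then everything else by descending CVSS.
    """
    today = date.fromisoformat(today_iso)
    ranked = []
    for asset, cve, cvss in findings:
        entry = kev.get(cve.upper())
        row = {"asset": asset, "cve": cve.upper(), "cvss": cvss, "kev": entry is not None,
               "due": None, "days_left": None, "ransomware": False}
        if entry is not None:
            row["due"] = entry["dueDate"]
            row["days_left"] = (date.fromisoformat(entry["dueDate"]) - today).days
            row["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
        ranked.append(row)
    ranked.sort(key=lambda r: (not r["kev"],
                               r["days_left"] if r["kev"] else 0,
                               not r["ransomware"],
                               -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS_SAMPLE, load_kev(KEV_SAMPLE), "2026-03-13"):
        flag = "KEV" if row["kev"] else "   "
        print(f"{flag} {row['cve']:<15} {row['asset']:<12} due={row['due']} "
              f"days_left={row['days_left']}")
```

With the sample data the overdue CVE-2024-4577 host comes first, the two KEV additions from this week follow (the ransomware-linked one ahead), and the 9.8-scored but not-yet-KEV WordPress finding drops below them, which is the point the FAQ makes: confirmed exploitation, not score, sets the order.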

3) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

4) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
