January 23, 2026

From Zero-Day Exploitation to Plugin Takeovers: A Week of High-Impact Cyber Threats

Executive Summary

This week’s threat landscape was marked by targeted, high-impact activity rather than volume. CISA added a single vulnerability to its KEV catalog, flagging an actively exploited zero-day flaw in Cisco Unified Communications products and underscoring the continued risk to enterprise and collaboration infrastructure. In parallel, active exploitation was observed in the Academy LMS WordPress plugin, exposing education platforms to potential site takeover.

On the advanced threat actor front, Cisco Talos warned of ongoing UAT-8837 campaigns targeting critical infrastructure in North America, highlighting sustained nation-state–linked activity focused on initial access and persistence.

Key points:

  • 1 vulnerability added to the CISA KEV catalog.
  • Active exploitation detected in Cisco Unified Communications products.
  • Cytellite sensor telemetry detected exploit scanning activity targeting globally exposed assets.
  • Multiple PRE-NVD vulnerabilities were observed, suggesting potential exploitation prior to public disclosure.
  • Cisco Talos Warns of UAT-8837 Campaigns Against Critical Infrastructure in North America.
  • LinkedIn Phishing Campaign Used DLL Sideloading and Open-Source Tools to Establish Persistent Remote Access.
  • Malicious Chrome Extensions Impersonated HR and ERP Platforms to Hijack Enterprise Accounts.
  • Russian-Aligned Hacktivists Escalated DDoS Attacks Against U.K. Critical Infrastructure and Government Services.

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-20045 - Code Injection vulnerability in Cisco Unified Communications products

A Code Injection vulnerability was identified across multiple Cisco Unified Communications products, including Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Unity Connection, and Webex Calling Dedicated Instance, allowing an attacker to gain user-level access to the underlying operating system and subsequently escalate privileges to root. The flaw stemmed from improper validation of user-supplied input within HTTP requests, enabling crafted payloads to be processed as executable commands. Cisco confirmed that it was aware of active exploitation in the wild, classifying the issue as a zero-day and urging customers to immediately upgrade to a fixed software release, as no mitigations or workarounds were available. The vulnerability was added to the CISA KEV catalog, highlighting its real-world impact and urgency for remediation.

CVE-2026-20805 - Information Disclosure vulnerability in Microsoft Windows

An Information Disclosure vulnerability in Microsoft Windows Desktop Window Manager (DWM) allows an authorized local attacker to disclose sensitive user-mode memory information. Successful exploitation could expose section addresses from a remote ALPC port, potentially aiding further attacks. Microsoft has addressed the issue as part of its January 2026 Patch Tuesday security updates. While details around exploitation methods, scale or threat actors remain undisclosed, the vulnerability has now been added to the CISA KEV catalog, underscoring the need for immediate patching.

CVE-2026-23550 - Privilege Escalation vulnerability in Modular DS WordPress plugin

A privilege escalation vulnerability in the Modular DS WordPress plugin exposed more than 40,000 websites to potential unauthorized administrative takeovers by allowing unauthenticated attackers to bypass security checks and gain administrator access through simple URL parameter manipulation. The flaw, which affects versions 2.5.1 and below, stems from a broken “direct request” authentication mechanism that fails to require any cryptographic signature, secret key, or request validation. Security researchers at Patchstack observed active exploitation beginning in mid-January, with attackers abusing the weakness to implant backdoors and maintain persistent control over compromised sites.

CVE-2025-15521 - Privilege Escalation vulnerability in the Academy LMS - WordPress LMS Plugin for Complete eLearning Solution

An Unauthenticated Privilege Escalation vulnerability was identified in the Academy LMS WordPress plugin, allowing unauthenticated attackers to take over administrator accounts by exploiting a flaw in how password updates were authorized in versions up to 3.5.0. Instead of properly verifying user identity, the plugin relied on a publicly exposed nonce, which attackers could harvest to reset passwords for any account, including admins, and gain full control of the site. With administrative access, attackers could steal data, inject malware, modify courses, or redirect payments. Wordfence reported active exploitation attempts in the wild, urging site owners to immediately update vulnerable installations.
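Both of the WordPress issues above come down to the same design error: a request is treated as authorized because it carries a value that does not actually prove who is asking (a URL parameter in the Modular DS case, a publicly visible nonce in the Academy LMS case). The following is an added, constructed Python model of that failure class and of the hardened alternative; it is not code from either plugin, and the parameter names, user records and token layout are hypothetical. A WordPress-style nonce is an anti-CSRF token scoped to an action, so once it is exposed on a public page it authenticates nobody; a reset request must instead be bound to the specific account and signed with a server-side secret so that changing the target or replaying it later invalidates it.

```python
"""Constructed model of the authorization patterns described above (not code from the
Modular DS or Academy LMS plugins). Parameter names and user records are hypothetical."""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real site keeps this in server-side config

# Constructed user table: id -> record
USERS = {
    1: {"name": "admin", "is_admin": True, "password": "old-admin-pw"},
    7: {"name": "student", "is_admin": False, "password": "old-student-pw"},
}


# ---- Weak pattern 1: a "direct request" gate that trusts URL parameters (no secret, no signature)
def weak_direct_request_is_admin(params: dict) -> bool:
    # Anyone who can edit the query string satisfies this check (hypothetical parameter names)
    return params.get("direct_request") == "1" and params.get("role") == "administrator"


# ---- Weak pattern 2: an action-scoped nonce (anti-CSRF token) treated as proof of identity
def make_action_nonce(action: str) -> str:
    # Model of a site-wide nonce: it binds the action only and is the same for every visitor,
    # so if a page exposes it publicly any caller can replay it
    return hmac.new(SERVER_SECRET, action.encode(), hashlib.sha256).hexdigest()[:10]


def weak_nonce_password_reset(nonce: str, target_user_id: int, new_password: str, users: dict) -> bool:
    if not hmac.compare_digest(nonce, make_action_nonce("reset_password")):
        return False
    users[target_user_id]["password"] = new_password  # who is asking is never checked
    return True


# ---- Hardened pattern: server-signed, expiring request bound to the specific account
def _canonical(params: dict) -> bytes:
    # Deterministic byte string over every field except the signature itself
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig").encode()


def sign_request(params: dict, ttl_seconds: int = 900, now=None) -> dict:
    signed = dict(params)
    signed["exp"] = int((time.time() if now is None else now) + ttl_seconds)
    signed["sig"] = hmac.new(SERVER_SECRET, _canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify_signed_request(params: dict, now=None) -> bool:
    sig = params.get("sig")
    if not isinstance(sig, str):
        return False
    try:
        exp = int(params["exp"])
    except (KeyError, TypeError, ValueError):
        return False
    if exp < (time.time() if now is None else now):
        return False  # expired
    expected = hmac.new(SERVER_SECRET, _canonical(params), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)  # any edited field breaks the MAC


def hardened_password_reset(params: dict, new_password: str, users: dict, now=None) -> bool:
    if not verify_signed_request(params, now) or params.get("action") != "reset_password":
        return False
    user_id = int(params["user_id"])
    if user_id not in users:
        return False
    users[user_id]["password"] = new_password
    return True


def demo() -> dict:
    users = {uid: dict(rec) for uid, rec in USERS.items()}
    out = {}
    # 1. Parameter-only gate: an unauthenticated caller becomes "administrator" by editing the URL
    out["weak_direct_grants_admin"] = weak_direct_request_is_admin(
        {"direct_request": "1", "role": "administrator"})
    # 2. Harvested public nonce: resets the admin account's password
    out["weak_nonce_resets_admin"] = weak_nonce_password_reset(
        make_action_nonce("reset_password"), 1, "attacker-pw", users)
    # 3. Hardened: a reset issued for user 7 cannot be re-pointed at user 1, forged, or replayed late
    token = sign_request({"action": "reset_password", "user_id": 7}, now=1_000_000)
    out["hardened_rejects_tampered"] = not hardened_password_reset(
        dict(token, user_id=1), "x", users, now=1_000_100)
    out["hardened_rejects_unsigned"] = not hardened_password_reset(
        {"action": "reset_password", "user_id": 1, "exp": 9_999_999}, "x", users, now=1_000_100)
    out["hardened_rejects_expired"] = not hardened_password_reset(token, "x", users, now=1_000_901)
    out["hardened_accepts_valid"] = hardened_password_reset(token, "new-student-pw", users, now=1_000_100)
    out["student_password_updated"] = users[7]["password"] == "new-student-pw"
    return out


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The signed token in this model is still replayable within its lifetime; a production reset flow would additionally mark each token as single-use and deliver it only through a channel the account owner controls (for example the registered e-mail address), which is the identity check the affected plugin skipped.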

CVE-2025-37164 - Code Injection vulnerability in Hewlett Packard Enterprise OneView

A Code Injection vulnerability in Hewlett Packard Enterprise OneView allows a remote unauthenticated attacker to achieve remote code execution, posing a severe risk to affected environments. This flaw impacts all OneView versions prior to 11.0.0, with hotfixes available for versions 5.20 through 10, as disclosed by the vendor. A detailed proof-of-concept was published by Rapid7 in December 2025, increasing the likelihood of exploitation. Reflecting its severity and real-world risk, the vulnerability was added to the CISA KEV catalog this week, prompting an urgent recommendation for organizations to apply updates or hotfixes immediately to mitigate potential compromise.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-31324 | SAP NetWeaver | Critical | An Unrestricted vulnerability in the SAP NetWeaver | True | True |
| CVE-2025-26399 | SolarWinds Web Help Desk | Critical | Deserialization vulnerability in SolarWinds Web Help Desk | False | False |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | True | False |
| CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | True | True |
| CVE-2024-3721 | TBK DVR devices | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | True | False |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | True | True |
| CVE-2024-1709 | ConnectWise ScreenConnect | Critical | Authentication Bypass vulnerability in ConnectWise ScreenConnect leads to sensitive information disclosure | True | True |
| CVE-2023-38646 | Metabase open source and Enterprise | Critical | Remote code execution vulnerability in Metabase open source and Enterprise | True | False |
| CVE-2022-47945 | ThinkPHP Framework | Critical | Path Traversal vulnerability in ThinkPHP Framework leads to arbitrary code execution | False | False |
| CVE-2022-41040 | Microsoft Exchange Server | High | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server | True | True |

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

WebRAT Malware Distributed via Fake GitHub PoC Exploit Repositories

According to Kaspersky, the WebRAT malware was distributed through GitHub repositories falsely claiming to host proof-of-concept exploits for recently disclosed vulnerabilities. First identified in early 2025, WebRAT initially targeted general users by masquerading as game cheats for titles such as Rust, Counter-Strike, and Roblox, as well as cracked software. By September, the threat actors expanded their targeting to include inexperienced information security professionals and students. In December, Kaspersky uncovered a campaign active since at least September that leveraged widely publicized, high-severity vulnerabilities, including CVE-2025-10294, CVE-2025-59230, and CVE-2025-59295, to lure victims, using well-crafted GitHub repositories with detailed vulnerability descriptions to build credibility, a tactic previously observed during abuse of the RegreSSHion vulnerability.

Cisco Talos Warns of UAT-8837 Campaigns Against Critical Infrastructure in North America

According to Cisco Talos, an advanced threat actor tracked as UAT-8837 and believed to be linked to China has been targeting critical infrastructure organizations in North America since at least 2025, with a primary focus on gaining initial access by exploiting both known and zero-day vulnerabilities as well as compromised credentials. The group was recently observed abusing CVE-2025-53690, a ViewState deserialization zero-day in Sitecore products, a flaw that Mandiant reported as actively exploited in early September 2025 during campaigns that deployed a reconnaissance backdoor known as WeepSteel. Talos analysts assessed with medium confidence that UAT-8837’s activity overlaps in tactics, techniques, and procedures with other China-nexus actors, noting that post-compromise behavior included hands-on-keyboard operations, Windows-native command usage for host and network reconnaissance, disabling RDP RestrictedAdmin to facilitate credential harvesting, and extensive data collection. The group primarily relied on open-source and living-off-the-land tools, frequently rotating variants to evade detection; Talos provided detailed indicators of compromise and tooling profiles to help defenders identify and mitigate ongoing activity.

| Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-10294 | Critical | Authentication Bypass vulnerability in OwnID Passwordless Login plugin for WordPress | No | WebRAT | False |
| CVE-2025-59295 | High | Heap-based buffer overflow in Internet Explorer | Yes | | False |
| CVE-2025-59230 | High | An Improper Access Control vulnerability in Microsoft Windows | Yes | | False |
| CVE-2025-53690 | Critical | Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager and Sitecore Experience Platform | Yes | UAT-8837 | False |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
| --- | --- | --- | --- |
| CVE-2026-0755 | Command Injection | Gemini MCP Tool | Resource |
| CVE-2026-0772 | Deserialization of Untrusted Data / Remote Code Execution | Langflow Disk Cache | Resource |
| CVE-2026-1220 | Race condition | Google Chromium V8 | Resource |
| CVE-2025-63051 | Sensitive Information Exposure | REHub Framework plugin | Resource |

Notable threat activity observed this week

An overview of recently observed campaigns and tactics that reflect how threat actors are adapting tools, platforms, and social engineering methods.

  • According to ReliaQuest, a new phishing campaign leveraged LinkedIn private messages to target high-value individuals and deliver a malicious WinRAR self-extracting archive designed to establish persistent remote access. The attack relied on DLL sideloading through a legitimate open-source PDF reader, dropping a Python interpreter that executed Base64-encoded shellcode directly in memory to evade detection. Once active, the malware created a Windows Registry Run key for persistence and attempted to connect to an external command-and-control server to exfiltrate data. The campaign highlighted how attackers increasingly abuse trusted open-source tools and social media platforms to bypass traditional email-based security controls and penetrate corporate environments.
  • Socket Security uncovered five malicious Google Chrome extensions that impersonated trusted HR and ERP platforms such as Workday, NetSuite, and SuccessFactors to enable full account takeover via session hijacking. The extensions worked in tandem to steal authentication tokens, suppress incident response features, and maintain persistent access to compromised accounts. Although most were removed from the Chrome Web Store, they remained accessible through third-party download sites, extending their exposure. The findings highlighted how fake productivity tools and trusted brand mimicry are increasingly used to infiltrate enterprise environments.
  • The U.K.’s NCSC warned of sustained DDoS campaigns by Russian-aligned hacktivist groups, particularly NoName057(16), targeting critical infrastructure and local government services to disrupt online operations. The actor leveraged its DDoSia crowdsourcing platform to mobilize volunteers and amplify attacks, despite recent law enforcement actions under Operation Eastwood that temporarily disrupted its infrastructure. NCSC noted the group’s ideological motivation and expanding impact on operational technology (OT) environments, increasing risks beyond traditional IT systems. The advisory emphasized the need for strong upstream defenses, rapid scaling, and tested response plans to maintain service resilience amid ongoing attacks.
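The LinkedIn campaign in the first bullet leaves a characteristic artefact: a Run key that launches a Python interpreter dropped into a user-writable directory with an inline Base64 payload. The following is an added, constructed detection example, not part of the ReliaQuest report; it parses registry export text in the layout of `reg query ...\CurrentVersion\Run` output (the sample entries, value names and paths are constructed) and flags entries that combine two or more of: a script interpreter as the autostart binary, a binary under a user-writable path, and a `-c` argument carrying a decodable Base64 blob.

```python
"""Constructed detection example: flag Run-key persistence that launches a Python interpreter
with an inline Base64 payload. Not from the ReliaQuest report; sample data below is constructed."""
import base64
import binascii
import re

# Constructed sample in the layout of `reg query ...\CurrentVersion\Run` output
SAMPLE_REG_OUTPUT = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Local\Temp\reader\python.exe -c "import base64;exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))"
    Helper      REG_SZ    "C:\Program Files\Vendor\helper.exe" --quiet
'''

ENTRY_RE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")
EXE_RE = re.compile(r'^"?([^"]+?\.exe)"?', re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
INTERPRETERS = {"python.exe", "pythonw.exe"}
# Lower-cased path fragments that indicate a user-writable drop location (constructed list)
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp", "\\downloads\\", "\\users\\public\\")


def parse_run_entries(text: str) -> list:
    """Return (value_name, command) pairs for each REG_SZ / REG_EXPAND_SZ line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _launched_binary(command: str) -> str:
    # Basename of the first executable in the command, quoted or not
    m = EXE_RE.match(command.strip())
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else ""


def _has_decodable_base64(command: str) -> bool:
    for blob in B64_RE.findall(command):
        try:
            base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        return True
    return False


def assess_entry(name: str, command: str) -> dict:
    reasons = []
    if _launched_binary(command) in INTERPRETERS:
        reasons.append("script_interpreter_autostart")
    if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary_in_user_writable_path")
    if " -c " in command and _has_decodable_base64(command):
        reasons.append("inline_base64_payload")
    # Two independent indicators are required so that a lone interpreter in a Run key is not flagged
    return {"name": name, "command": command, "reasons": reasons, "suspicious": len(reasons) >= 2}


def detect_suspicious_run_entries(text: str) -> list:
    return [a for a in (assess_entry(n, c) for n, c in parse_run_entries(text)) if a["suspicious"]]


if __name__ == "__main__":
    for hit in detect_suspicious_run_entries(SAMPLE_REG_OUTPUT):
        print(hit["name"], hit["reasons"])
```

The same three indicators map directly onto the reported chain (sideloaded reader drops an interpreter, interpreter runs encoded code in memory, Run key provides persistence), so the rule is cheap to run from an EDR query or a scheduled script over every user's HKCU Run key, and it pairs well with an outbound-connection alert from the flagged interpreter.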

Conclusion

This week underscored how critical risks can emerge from both enterprise platforms and web ecosystems while advanced threat actors continue to target infrastructure with precision. With a zero-day entering the CISA KEV catalog, active exploitation of a widely used WordPress LMS plugin, and sustained APT activity against critical infrastructure, the need for real-time, context-driven vulnerability intelligence is more urgent than ever. LOVI empowers security teams to track exploited CVEs, monitor threat actor campaigns, and prioritize remediation with clarity, turning weekly insights into decisive action and stronger cyber resilience.

FAQs:

1) What is Desktop Window Manager?

Desktop Window Manager (DWM) is a core Microsoft Windows component responsible for rendering the graphical user interface, including window composition, visual effects, and desktop animations. DWM runs in the background to manage how application windows are displayed on screen, and vulnerabilities in it can impact system stability or expose sensitive information.

2) What is Academy LMS - WordPress LMS Plugin for Complete eLearning Solution?

Academy LMS is a WordPress plugin designed to help organizations and educators build and manage full-featured eLearning platforms, including course creation, student enrollment, quizzes, and payment integration. It enables websites to deliver and monetize online training and educational content directly within the WordPress ecosystem.

3) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

4) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
