June 5, 2026

Resurfaced Vulnerabilities, Weaponized Workflows, and Exposed Operations Define the Week

Executive Summary

This week's threat landscape was dense with critical disclosures across vulnerabilities, active exploitation, and malware campaigns reinforcing that aged patches, trusted platforms, and unmonitored endpoints remain the most reliable footholds for attackers.

CISA added five vulnerabilities to the KEV catalog this week. Palo Alto Networks PAN-OS saw active exploitation through an authentication bypass allowing attackers to forge VPN cookies and gain unauthorized network access. A two-year-old Oracle WebLogic Server flaw and a four-year-old Linux Kernel privilege escalation bug both resurfaced with confirmed exploitation, proof that available patches mean nothing if left undeployed. An Android Framework integer overflow was confirmed actively exploited as a zero-day before Google addressed it in June 2026 updates, and a critical deserialization flaw in Mirasvit Full Page Cache Warmer for Magento 2 enabled unauthenticated remote code execution via a single crafted cookie.

Active exploitation was observed across two platforms: the Everest Forms Pro WordPress plugin was targeted to inject arbitrary PHP code, while Windows Netlogon's critical remote code execution flaw drew active exploitation warnings, though Microsoft has not confirmed the claims.

On the malware front, FortiClient EMS was weaponized to deliver the newly discovered EKZ Infostealer through its own trusted administrative workflow. Gamaredon, Russia's FSB-linked APT, exploited a critical WinRAR vulnerability to deploy a multi-stage modular espionage chain against Ukrainian targets. The Gentlemen ransomware group, the world's second most active in 2026, had its internal operations exposed through a leaked database revealing an aggressive and evolving exploitation pipeline. Threat actor INJ3CTOR3 deployed the self-healing JOMANGY webshell against FreePBX phone systems, silently routing fraudulent VoIP calls at victims' expense.

Key points:

  • 5 vulnerabilities added to the CISA KEV catalog
  • Active exploitation detected in Everest Forms Pro WordPress plugin and in Microsoft Windows Netlogon
  • FortiClient EMS weaponized to deliver the newly discovered EKZ Infostealer
  • Gamaredon deployed a modular four-stage espionage chain against Ukrainian government and military targets via a WinRAR path traversal exploit
  • The Gentlemen ransomware group was exposed through an internal database leak revealing an aggressive attack pipeline
  • INJ3CTOR3's self-healing JOMANGY webshell hijacked FreePBX phone systems to route fraudulent VoIP calls silently at victims' expense

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-0257 - Authentication Bypass vulnerability in Palo Alto Networks PAN-OS

An Authentication Bypass vulnerability in Palo Alto Networks PAN-OS affects the GlobalProtect portal and gateway components of PAN-OS firewalls and Prisma Access, arising from insufficient validation and integrity verification of authentication override cookies, which allows remote unauthenticated attackers to forge valid cookies using the public key extracted from the reused HTTPS service certificate and establish unauthorized VPN connections without credentials. GlobalProtect is a widely deployed enterprise remote access VPN feature integrated into PAN-OS firewalls and Prisma Access, making its compromise a critical risk as successful exploitation can grant attackers VPN IP assignments and direct access to internal enterprise networks, as observed during active exploitation waves on May 17 and May 21, 2026. The root cause resides in the authentication override feature's failure to perform signature validation or integrity verification post-decryption, combined with certificate reuse between the HTTPS service and authentication override functionality, a configuration that directly exposed the public key required to forge arbitrary session cookies. Palo Alto Networks has released updated versions addressing CVE-2026-0257, with interim mitigations advising organizations to either disable the authentication override feature or deploy a dedicated certificate exclusively for authentication override functionality. Following confirmed active exploitation, CVE-2026-0257 has been added to the CISA KEV catalog.

CVE-2026-3300 - Unauthenticated Remote Code Execution vulnerability in Everest Forms Pro WordPress plugin

An Unauthenticated Remote Code Execution vulnerability in the Everest Forms Pro WordPress plugin, up to and including version 1.9.12, allowed unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field when a form used the Complex Calculation feature. The flaw stems from the Calculation Addon's process_filter() function concatenating user-submitted input into a PHP code string without proper escaping before passing it to eval(). The vendor released the fully patched version on March 18, 2026, followed by Wordfence's public disclosure on March 30, 2026, a twelve-day gap between patch availability and public disclosure that nonetheless left approximately 4,000 active installations exposed once attackers became aware of the flaw. Exploitation activity began on April 13, 2026, with the Wordfence Firewall subsequently blocking over 29,300 exploit attempts targeting CVE-2026-3300 since public disclosure, a volume that underscored the immediate and sustained attacker interest in weaponizing the flaw against unpatched WordPress installations. The root cause resided in the sanitize_text_field() function's failure to escape single quotes or PHP code-context characters, rendering the input sanitization entirely ineffective against PHP code injection in an eval() context. Organizations running Everest Forms Pro were strongly advised to update to the patched version 1.9.13 immediately, as successful exploitation resulted in complete site compromise with no authentication, credentials, or prior access required.

CVE-2026-41089 - Stack-Based Buffer Overflow vulnerability in Microsoft Windows

A Stack-Based Buffer Overflow vulnerability in Windows Netlogon allows remote unauthenticated attackers to execute arbitrary code on a targeted Windows domain controller by sending a specially crafted network request, potentially granting complete control over the domain controller and all machines authenticating through it. The flaw was disclosed by Microsoft on May 12, 2026, with the company crediting its Windows Attack Research & Protection (WARP) team for the discovery, though at the time of disclosure Microsoft assessed the vulnerability as "less likely" to be exploited. The Centre for Cybersecurity Belgium (CCB) subsequently warned that CVE-2026-41089 is now subject to active exploitation in the wild; Microsoft, however, has not confirmed these claims and has stated there is no proof to support CCB's assertion of observed in-the-wild exploitation activity. Netlogon is a core Windows background service handling domain-based authentication, and a successful compromise of a domain controller could cascade across every machine connected to the domain, a severity that makes the exploitation debate consequential regardless of which position proves correct. Organizations are strongly advised to apply the available patch immediately, given the critical severity of the flaw, Windows Netlogon's documented history as an attacker target, and the growing reality that AI-enabled adversaries are significantly shrinking the window between CVE disclosure and first exploitation.

CVE-2026-45247 - Deserialization of Untrusted Data vulnerability in Mirasvit Full Page Cache Warmer

A Deserialization of Untrusted Data vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 allows remote unauthenticated attackers to achieve arbitrary code execution by supplying a crafted serialized PHP object via the CacheWarmer cookie, with no authentication, admin session, or configuration toggle required for exploitation. The root cause resides in the plugin's unrestricted call to PHP's native unserialize() function on attacker-controlled cookie data, which allows arbitrary class instantiation and, when combined with gadget chains already present in Magento and its dependencies, escalates directly to remote code execution on the server. The vulnerability affects all Magento 2 installations running Mirasvit Full Page Cache Warmer versions prior to 1.11.12, and is exploitable on every storefront request, since the vulnerable plugin runs globally rather than exclusively on cache warmer traffic. Mirasvit released the patched version 1.11.12 on May 25, 2026, and all customers are advised to update immediately; exploitation attempts can be detected by monitoring for storefront requests carrying a CacheWarmer cookie whose value matches the pattern CacheWarmer:(Tz|Qz|YT), a strong indicator of a serialized PHP object injection attempt. CVE-2026-45247 has recently been added to the CISA KEV catalog.
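As an added illustration (not code from the page or from Mirasvit), the following Python detector applies the advisory's CacheWarmer:(Tz|Qz|YT) pattern to access-log lines and then base64-decodes the cookie value to separate genuine serialized PHP structures from prefix coincidences. The log layout, the constructed sample lines and the helper names are assumptions.

```python
import base64
import re

# Advisory pattern quoted in the summary above. Its three prefixes are what base64
# produces for the PHP serialization headers "O:" (object), "C:" (custom-serialized
# class) and "a:" (array), the shapes a payload handed to unserialize() takes.
ADVISORY_PATTERN = re.compile(r"CacheWarmer:(Tz|Qz|YT)")
SERIALIZED_PREFIXES = (b"O:", b"C:", b"a:")

# Assumed log layout: Apache combined format with the request's Cookie header appended
# as a final quoted field (LogFormat "... \"%{Cookie}i\"").
LOG_TMPL = ('{ip} - - [05/Jun/2026:10:01:12 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" '
            '200 5120 "-" "Mozilla/5.0" "{cookie}"')
LAST_QUOTED_FIELD = re.compile(r'"([^"]*)"\s*$')


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample traffic (not real logs): a benign warmer cookie, three cookies carrying
# serialized PHP structures, a decoy that matches the prefix but is not serialized data,
# and a request with no CacheWarmer cookie at all.
SAMPLE_LOG = [
    LOG_TMPL.format(ip="203.0.113.10", cookie="PHPSESSID=abc123; CacheWarmer=1"),
    LOG_TMPL.format(ip="203.0.113.11", cookie="CacheWarmer=" + _b64('O:4:"Foo":0:{}')),
    LOG_TMPL.format(ip="203.0.113.12", cookie="form_key=xyz; CacheWarmer=" + _b64('a:1:{i:0;s:3:"abc";}')),
    LOG_TMPL.format(ip="203.0.113.13", cookie="CacheWarmer=" + _b64('C:3:"Foo":0:{}')),
    LOG_TMPL.format(ip="203.0.113.14", cookie="CacheWarmer=" + _b64("O<not-serialized>")),
    LOG_TMPL.format(ip="203.0.113.15", cookie="PHPSESSID=def456"),
]


def parse_cookies(header: str) -> dict:
    """Split a Cookie request header into a name -> value mapping (first '=' separates)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def decodes_to_serialized_php(value: str) -> bool:
    """True if the base64 value decodes to bytes beginning with a PHP serialization header."""
    padded = value + "=" * (-len(value) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded[:2] in SERIALIZED_PREFIXES


def inspect_line(line: str):
    """Return a finding for a line whose CacheWarmer cookie matches the advisory pattern,
    else None. 'serialized' separates likely payloads from prefix-only coincidences."""
    m = LAST_QUOTED_FIELD.search(line)
    if not m:
        return None
    value = parse_cookies(m.group(1)).get("CacheWarmer")
    if value is None:
        return None
    # Apply the advisory regex to the cookie as "name:value", the form the pattern is written in.
    if not ADVISORY_PATTERN.search("CacheWarmer:" + value):
        return None
    return {"ip": line.split(" ", 1)[0], "cookie": value,
            "serialized": decodes_to_serialized_php(value)}


def scan_log(lines):
    """Run inspect_line over every line and keep the findings, in log order."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        level = "ALERT" if finding["serialized"] else "review"
        print(f"{level:6} {finding['ip']} CacheWarmer={finding['cookie']}")
```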

CVE-2025-48595 - Integer Overflow vulnerability in Android Framework

An Integer Overflow vulnerability in the Android Framework allows local attackers to escalate privileges on Android devices running versions 14, 15, 16, and 16 QPR2, enabling complete access to the device and its data without requiring any user interaction. Exploitation most likely occurs through malicious applications installed on targeted devices, and Google has confirmed the vulnerability has been actively exploited as a zero-day in limited, targeted in-the-wild attacks. Although technical details of the attacks remain undisclosed, similar Android Framework vulnerabilities have historically been weaponized by commercial spyware operators and nation-state threat actors against high-profile individuals and sensitive organizations. Google addressed and resolved this vulnerability as part of the June 2026 Android Security Patch updates. Following confirmed active exploitation, the vulnerability has been added to the CISA KEV catalog.

CVE-2024-21182 - Improper Access Control vulnerability in Oracle WebLogic Server

An Improper Access Control vulnerability in Oracle WebLogic Server allows remote unauthenticated attackers with network access via the T3 and IIOP protocols to compromise affected server instances without requiring valid credentials, impacting versions 12.2.1.4.0 and 14.1.1.0.0. Oracle WebLogic Server is an enterprise-grade Java application server widely deployed as middleware for large-scale, multi-tier distributed applications across cloud and on-premises environments, making it a high-value target whose compromise can expose entire application ecosystems and the sensitive data they process. Successful exploitation can result in unauthorized access to sensitive data or complete access to all data accessible through the affected WebLogic Server instance, and publicly available proof-of-concept code released in 2024 significantly lowers the technical barrier for potential attackers, increasing the risk of widespread exploitation attempts beyond the originally targeted environments. Oracle addressed and resolved CVE-2024-21182 as part of its July 2024 Critical Patch Update, though no public reporting has yet identified the specific threat actors or exact attack methods involved in real-world intrusions. Despite the available patch, confirmed active exploitation has resulted in CVE-2024-21182 being added to the CISA KEV catalog.  

CVE-2022-0492 - Improper Authentication vulnerability in Linux Kernel

An Improper Authentication vulnerability in the Linux Kernel allows attackers with limited administrative capabilities inside a container to escalate privileges by abusing the cgroups v1 release_agent feature, enabling container escape and full root-level code execution on the underlying host system. The root cause is a missing CAP_SYS_ADMIN capability check in the initial user namespace, which allows attackers operating within unprivileged containers to configure a malicious release_agent file that executes with full root privileges on the host once triggered. Successful exploitation grants complete control over the underlying Linux host, with containerized environments such as Docker being directly exposed through dedicated cgroup paths under /sys/fs/cgroup. The Linux Kernel Organization addressed and resolved CVE-2022-0492 by adding the necessary capability checks to prevent unauthorized modification of the release_agent functionality; fixes were released in February 2022, and a proof-of-concept remains publicly available. Despite being patched over four years ago, confirmed active exploitation has resulted in CVE-2022-0492 now being added to the CISA KEV catalog.
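As an added audit example (not from the page or from the kernel project), the Python script below reads the two /proc files a container can always see and reports whether the prerequisites for the release_agent escape are present: a cgroup v1 hierarchy and CAP_SYS_ADMIN in the effective capability set. The constructed /proc contents and the risk labels are assumptions; the file formats and the CAP_SYS_ADMIN bit index are standard Linux.

```python
import os
import re

CAP_SYS_ADMIN = 21  # bit position of CAP_SYS_ADMIN in the CapEff mask (linux/capability.h)


def effective_caps(status_text: str) -> int:
    """Extract the CapEff bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else 0


def cgroup_v1_mounts(mountinfo_text: str) -> list:
    """Return (mount point, root) pairs for cgroup v1 mounts in /proc/<pid>/mountinfo.
    Fields: id parent maj:min root mountpoint opts [optional fields] - fstype source superopts.
    cgroup v1 reports fstype "cgroup"; the unified v2 hierarchy reports "cgroup2"."""
    found = []
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        fields = pre.split()
        if len(fields) >= 5 and post.split()[0] == "cgroup":
            found.append((fields[4], fields[3]))  # (mount point, root inside the hierarchy)
    return found


def assess(status_text: str, mountinfo_text: str) -> dict:
    """Classify exposure to the cgroup v1 release_agent escape from inside a container."""
    v1 = cgroup_v1_mounts(mountinfo_text)
    has_sys_admin = bool((effective_caps(status_text) >> CAP_SYS_ADMIN) & 1)
    # A v1 hierarchy mounted at its own root ("/") may expose its release_agent file directly;
    # runtimes normally bind only the container's subtree (root like /docker/<id>), which hides it.
    root_visible = [mp for mp, root in v1 if root == "/"]
    if not v1:
        risk = "none: no cgroup v1 hierarchy visible (cgroup v2 has no release_agent)"
    elif has_sys_admin or root_visible:
        risk = "high: cgroup v1 plus CAP_SYS_ADMIN or a root-level hierarchy mount"
    else:
        risk = ("medium: cgroup v1 present; escape needs an unpatched kernel and a runtime "
                "that does not block unshare/mount via seccomp or AppArmor")
    return {"cgroup_v1": bool(v1), "cap_sys_admin": has_sys_admin,
            "root_visible": root_visible, "risk": risk}


# Constructed sample inputs (not captured from a real host).
DOCKER_DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"  # default Docker cap set
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"      # --privileged style
V1_SUBTREE_MOUNTINFO = """\
30 25 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
31 30 0:27 /docker/abc123 /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
32 30 0:28 /docker/abc123 /sys/fs/cgroup/rdma ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,rdma
"""
V1_ROOT_MOUNTINFO = V1_SUBTREE_MOUNTINFO + "40 30 0:28 / /tmp/cg rw,relatime - cgroup cgroup rw,rdma\n"
V2_MOUNTINFO = "35 25 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,nsdelegate\n"


def assess_current_host() -> dict:
    """Run the same checks against the live /proc files when executed on Linux."""
    with open("/proc/self/status") as f, open("/proc/self/mountinfo") as g:
        return assess(f.read(), g.read())


if __name__ == "__main__":
    result = (assess_current_host() if os.path.exists("/proc/self/mountinfo")
              else assess(DOCKER_DEFAULT_STATUS, V1_SUBTREE_MOUNTINFO))
    print(result["risk"])
```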

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2026-27944 | Nginx UI | Critical | Missing Authentication for Critical Function vulnerability in Nginx UI | No | False |
| CVE-2025-5777 | Citrix NetScaler ADC and Gateway | Critical | Out-of-Bounds Read vulnerability in Citrix NetScaler ADC and Gateway | Yes | True |
| CVE-2025-32432 | Craft CMS | Critical | Code Injection vulnerability in Craft CMS | Yes | True |
| CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Visual Composer Metadata Uploader | Yes | True |
| CVE-2025-22457 | Ivanti Connect Secure, Policy Secure and ZTA Gateways | Critical | Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways leads to remote code execution | Yes | True |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting cups-browsed through 2.0.1 leads to remote code execution | Yes | False |
| CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | Yes | True |
| CVE-2024-38856 | Apache OFBiz | Critical | Incorrect Authorization vulnerability in Apache OFBiz leads to remote code execution | No | True |
| CVE-2024-3721 | TBK DVR-4104 and DVR-4216 | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | Yes | False |
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | Yes | True |

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Exploitation of FortiClient EMS to deliver EKZ Infostealer

According to recent findings from Arctic Wolf, a threat cluster exploited CVE-2026-35616, a critical improper access control vulnerability in FortiClient Endpoint Management Server (EMS), by sending specially crafted HTTP requests without valid credentials to bypass API authentication and gain unauthorized administrative access. Leveraging this access, the threat actors modified Remote Access Profiles and endpoint policies to insert malicious PowerShell scripts, pushing them across all managed endpoints through FortiClient's own trusted administrative workflow. The malicious payload, disguised as a fake Fortinet endpoint patch, deployed EKZ Infostealer, a previously unreported credential stealer that extracted browser credentials from Chrome and Firefox before exfiltrating them over HTTP POST to attacker-controlled infrastructure. Fortinet released out-of-band patches for affected FortiClient EMS versions 7.4.5 and 7.4.6 in early April 2026, addressing CVE-2026-35616 and closing the authentication bypass that enabled the entire attack chain.

WinRAR vulnerability exploited by Gamaredon

According to Sekoia's Threat Detection and Research (TDR) team, Gamaredon, a Russian FSB-operated cyberespionage group, has been running a persistent intrusion campaign targeting Ukraine's government, military, and critical infrastructure, and Sekoia reconstructed the full January 2026 infection chain across a three-part research series. The chain begins with GammaPhish, the initial access stage: victims receive a weaponized xHTML lure document that uses HTML smuggling to deliver a malicious RAR archive, and it is exclusively at this stage that CVE-2025-8088, a critical path traversal vulnerability in WinRAR versions prior to 7.13, is exploited to silently drop a hidden HTA file into the Windows Startup directory, ensuring automatic execution on the next reboot. Once the HTA file executes, it contacts Gamaredon's C2 server and deploys GammaLoad, a cascading VBScript-based loader that operates across four distinct execution stages responsible for fingerprinting the host, updating network configurations, and fetching further payloads; CVE-2025-8088 plays no role beyond this point. Independently, GammaWorm, a highly obfuscated VBScript worm, establishes persistence via scheduled tasks, conceals its modules within NTFS Alternate Data Streams, and propagates across USB and network drives entirely through its own mechanisms. GammaSteel, the final infostealer payload, is then deployed by GammaLoad via C2 communication and manages three concurrent data acquisition mechanisms to exfiltrate targeted documents, all operating independently of the initial CVE exploit that first opened the door.

Vectra AI Leak Analysis - The Gentlemen Ransomware

According to Vectra AI, The Gentlemen, a Russian-speaking ransomware-as-a-service operation ranked as the second most active ransomware group globally in 2026, was exposed in May 2026 when the Ransom-ISAC research team extracted 3,366 internal Rocket.Chat messages, revealing the group's operational tactics, tooling discussions, and victim targeting details. The primary initial access vector was CVE-2024-55591, a critical authentication bypass vulnerability in FortiOS/FortiProxy, which the group exploited by sending specially crafted requests to exposed FortiGate firewall management interfaces, maintaining an operational database of approximately 14,700 already-exploited FortiGate devices globally. Beyond CVE-2024-55591, the internal communications leaked in May 2026 revealed that The Gentlemen were actively tracking and evaluating two newer vulnerabilities, CVE-2025-32433 and CVE-2025-33073, alongside continued exploitation of Cisco edge appliances, NTLM relay attacks, and harvested OWA/M365 credential logs, reflecting a flexible and continuously evolving exploitation pipeline. A shared operational handle, Tinker, appeared across both Black Basta's and The Gentlemen's internal communications performing the same negotiator role, anchored by a shared Matrix homeserver, reinforcing Vectra AI's central argument that ransomware operators do not retire, they simply rebrand.

Threat Actor INJ3CTOR3 Deploys JOMANGY Webshell Against FreePBX Systems

According to Cyble, the JOMANGY campaign is attributed with high confidence to INJ3CTOR3, a financially motivated threat actor with a documented history of targeting VoIP infrastructure since 2019. The campaign exploits FreePBX systems using two high-confidence candidate entry vectors: CVE-2025-64328, a critical post-authentication command injection vulnerability in the FreePBX Filestore module's check_ssh_connect() function, and CVE-2025-57819, a pre-authentication SQL injection vulnerability in the FreePBX Endpoint module via cron_jobs. Upon successful exploitation, INJ3CTOR3 deploys JOMANGY, a previously undocumented PHP webshell family, alongside the known ZenharR toolkit, with every deployed webshell instance carrying live VoIP toll fraud code that routes unauthorized calls through the victim's own SIP trunks at the victim's expense. JOMANGY is engineered with six independent persistence layers, including a process watchdog, immutable webshell copies planted across twelve FreePBX web tree paths, and 18 backdoor accounts, making it capable of rebuilding the full infection stack from a single surviving component. It is important to note that while CVE-2025-64328 and CVE-2025-57819 are assessed as the primary entry vectors with high confidence, researchers were unable to forensically confirm the exact exploitation path due to the dropper's aggressive artifact removal behavior.

| Vulnerability | Severity | Title | Patch | Abused By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2026-35616 | Critical | Improper Access Control vulnerability in Fortinet FortiClient EMS | Yes | EKZ Infostealer | False |
| CVE-2025-8088 | High | Path Traversal vulnerability in RARLAB WinRAR | Yes | Gamaredon, GammaPhish | False |
| CVE-2025-32433 | Critical | Missing Authentication for Critical Function vulnerability in Erlang/OTP SSH Server | Yes | The Gentlemen Ransomware | False |
| CVE-2025-33073 | High | Improper Access Control vulnerability in Microsoft Windows SMB Client | Yes | | False |
| CVE-2024-55591 | Critical | Authentication Bypass vulnerability in Fortinet FortiOS and FortiProxy | Yes | | False |
| CVE-2025-57819 | Critical | Authentication Bypass vulnerability in Sangoma FreePBX | Yes | INJ3CTOR3, JOMANGY Webshell | False |
| CVE-2025-64328 | High | OS Command Injection vulnerability in Sangoma FreePBX | Yes | INJ3CTOR3, JOMANGY Webshell | False |

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

| CVE-ID | Title | Ecosystem |
|---|---|---|
| CVE-2026-23734 | Path Traversal vulnerability in xwiki-commons | Maven |
| CVE-2026-26030 | Remote Code Execution vulnerability in Semantic Kernel | PyPI |
| CVE-2026-27886 | Information Disclosure vulnerability in strapi | npm |
| CVE-2026-33210 | Format String Injection vulnerability in Ruby JSON | RubyGems |
| CVE-2026-41179 | Missing Authentication for Critical Function vulnerability in Rclone | Go |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2026-21038 | Improper Input Validation | Samsung Android USB Driver | Resource |
| CVE-2026-27053 | Unauthenticated PHP Object Injection | Broadcast Live Video - Live Streaming | Resource |
| CVE-2026-44022 | Path Traversal | Docling | Resource |
| CVE-2026-44181 | Server Side Template Injection | Jupyter Enterprise Gateway | Resource |
| CVE-2026-44494 | Prototype Pollution | Axios Library | Resource |
| CVE-2026-45742 | Remote Denial of Service | Gotenberg | Resource |

Conclusion

This week's threat landscape sent a clear signal: attackers are not waiting for new vulnerabilities when unpatched old ones continue to deliver results. From five KEV additions spanning a four-year-old Linux flaw to an Android zero-day, to active exploitation of WordPress plugins, Windows Netlogon, and enterprise platforms like FortiClient EMS and FreePBX, the week demonstrated that every unpatched system, every trusted tool, and every delayed remediation cycle remains an open invitation. As threat actors grow more sophisticated, from FSB-linked espionage chains to self-healing webshells and ransomware groups with professional internal operations, the need for continuous, real-time vulnerability intelligence has never been more critical. LOVI, Loginsoft's Vulnerability Intelligence platform, helps security teams cut through the noise by enriching CVE data, tracking emerging threats, and enabling proactive prioritization, ensuring organizations stay one step ahead before exploitation turns into impact.

FAQs

1) What is Mirasvit Full Page Cache Warmer?

Mirasvit Full Page Cache Warmer is a Magento extension designed to automatically preload and refresh cached website pages before visitors access them. By proactively warming the cache, it helps reduce page load times, improve website performance, and ensure users receive fast, cached content instead of triggering cache generation on demand.

2) What is Oracle WebLogic Server?

Oracle WebLogic Server is an enterprise-grade Java application server used to deploy, run, and manage large-scale business applications. It acts as middleware between user-facing applications and backend systems, providing scalability, reliability, security, and support for distributed enterprise environments.

3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread, but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

4) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

5) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
