June 12, 2026

The Weaponization Window: Botnets, Ransomware, and Active Exploitation Converge

Executive Summary

The defining trend this week was not a single vulnerability or threat actor, but the parallel exploitation of enterprise technologies by distinct adversary groups pursuing reconnaissance, initial access, credential theft, ransomware deployment, and social engineering at scale. Multiple campaigns demonstrated how rapidly newly disclosed vulnerabilities are incorporated into operational tradecraft across the cybercrime ecosystem.

The most significant trend was the rapid weaponization of newly disclosed vulnerabilities. Six critical vulnerabilities spanning Cisco Catalyst SD-WAN Manager, Arista EOS, Google Chromium V8, Check Point Security Gateway, BerriAI LiteLLM, and SolarWinds Serv-U were added to the CISA KEV catalog this week, reflecting widespread active exploitation across enterprise infrastructure and development platforms.

Simultaneously, threat actors weaponized a critical SQL injection vulnerability in Ghost CMS to compromise over 700 websites for large-scale ClickFix social engineering attacks, while active exploitation was confirmed in Langflow AI platform and UpdraftPlus WordPress plugin targeting both enterprise and open-source ecosystems.  

Botnet activity highlighted the increasing speed of vulnerability operationalization. The JDY botnet, linked to China-associated actors including Volt Typhoon, demonstrated the ability to identify and target newly disclosed Fortinet vulnerabilities within hours of public disclosure, enabling near real-time reconnaissance against internet-facing infrastructure. Simultaneously, the C0XMO botnet, a Gafgyt variant, leveraged multiple vulnerabilities across networking equipment, IT management platforms, and surveillance systems to expand infections and establish a broader foothold across exposed environments.  

Ransomware operators exhibited a similar focus on exploiting recently disclosed weaknesses. Qilin affiliates successfully weaponized authentication bypass vulnerabilities in Check Point Security Gateway appliances to gain initial access and facilitate enterprise network compromise.

Key points:

  • 6 vulnerabilities added to the CISA KEV catalog
  • Active exploitation detected in Langflow and UpdraftPlus WordPress plugin
  • Ghost CMS Vulnerability Weaponized to Hijack 700+ Websites for ClickFix Social Engineering Attacks
  • JDY Botnet Exploitation of Fortinet vulnerability
  • C0XMO Botnet: Multi-Vulnerability Exploitation Campaign Discovered by Fortinet
  • Exploitation of Check Point Security Gateway by Qilin Ransomware

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

Trending Section:

CVE-2026-5027 - Path Traversal vulnerability in Langflow

A Path Traversal vulnerability in Langflow allowed unauthenticated attackers to write files to arbitrary locations on the filesystem by exploiting insufficient sanitization of the 'filename' parameter in the POST /api/v2/files endpoint, which failed to validate path traversal sequences ('../'). The vulnerability enabled remote code execution, and exploitation required no credentials because of Langflow's default unauthenticated auto-login functionality: a single unauthenticated request was sufficient to obtain a valid session token before proceeding with the malicious file write. Active exploitation of CVE-2026-5027 was confirmed in the wild, with observed attempts weaponizing the bug to write test files on victim systems as an initial foothold for establishing persistent access and command execution. The vulnerability affected approximately 7,000 Langflow instances publicly exposed on the internet, the majority located in North America, representing a significant attack surface in the infrastructure and tooling organizations use to build and deploy artificial intelligence applications. The project maintainers were contacted three times by Tenable (the vulnerability discoverer) in January and February 2026 before details were publicly disclosed on March 27, 2026, yet the flaw remained unpatched and under active exploitation, underscoring the urgent need for affected organizations to restrict network exposure of Langflow instances and implement immediate remediation measures to prevent unauthorized access and remote code execution.
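The check the page says was missing, as an added example that is not Langflow's own code: a client-supplied 'filename' is percent-decoded, rejected if it contains separators, dot segments or NUL bytes, and then proven to resolve under the upload directory before any write happens. UPLOAD_ROOT and the function names are hypothetical.

```python
# Added example, not Langflow's own code: validating a client-supplied
# 'filename' before it is joined to an upload directory. UPLOAD_ROOT and
# the function names are hypothetical.
from pathlib import Path
from urllib.parse import unquote

UPLOAD_ROOT = Path("/var/lib/app/uploads")  # hypothetical upload directory


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape the upload root."""


def safe_upload_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return root/<filename> only if filename is a single, plain path segment.

    Validation runs on the percent-decoded value so that '%2e%2e%2f' is
    judged as '../'. Rejects empty names, NUL bytes, '/' and '\\' (Windows
    separators must be refused on POSIX too), '.' and '..', and finally
    confirms the resolved target still sits directly under the resolved root.
    """
    decoded = unquote(filename or "")
    if not decoded or "\x00" in decoded:
        raise UnsafeFilename("empty or NUL-containing filename")
    if "/" in decoded or "\\" in decoded:
        raise UnsafeFilename("path separators are not allowed in a filename")
    if decoded in (".", ".."):
        raise UnsafeFilename("dot segments are not filenames")
    root_resolved = root.resolve()
    target = (root_resolved / decoded).resolve()
    # Defence in depth: even after the string checks, prove containment.
    # This also refuses a pre-existing symlink that points outside the root.
    if target.parent != root_resolved:
        raise UnsafeFilename("resolved path escapes the upload root")
    return target


def is_safe_filename(filename: str) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        safe_upload_path(filename)
        return True
    except UnsafeFilename:
        return False
```

The decode step runs before validation on purpose: checking the raw parameter and decoding afterwards is the ordering that lets encoded traversal sequences through.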

CVE-2026-7473 - Incomplete Comparison with Missing Factors vulnerability in Arista Extensible Operating System (EOS)

An Incomplete Comparison with Missing Factors vulnerability in Arista Extensible Operating System (EOS) allowed an attacker to inject traffic onto internal network segments by exploiting the switch's failure to verify tunnel protocol types during decapsulation, causing it to incorrectly decapsulate and forward unexpected tunneled packets with a destination IP matching its configured decapsulation IP. This behavior enabled attackers to bypass intended network segmentation and routing controls, as a device configured to decapsulate one tunnel type such as VXLAN also accepted and decapsulated other tunnel protocols including GRE, IPoIP, GUE, and NVGRE destined to the same IP. The vulnerability affected multiple Arista platforms configured as tunnel endpoints, including 7020R, 7280R/R2/R3, 7500R/R2/R3, and 7800R3 series running EOS with tunnel decapsulation configurations such as VXLAN VTEP, GRE, or IP decap-group. Indicators of compromise included unexpected traffic appearing on internal segments and tunneled traffic of non-configured protocols being decapsulated and forwarded across the network. Arista confirmed active in-the-wild exploitation and, given the risk of breaking existing configurations, opted against a software upgrade, instead recommending ACL-based mitigations on upstream switches or decapsulation devices alongside TCAM profile updates per the Arista EOS Hardening Guide. CISA added this vulnerability to its KEV catalog in recognition of its active exploitation, reinforcing the criticality of implementing the recommended ACL-based mitigations and hardening measures without delay.
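A detection for the indicator the page names (tunneled traffic of a non-configured protocol reaching the decapsulation IP), as an added example that is not Arista code. It classifies flow records by encapsulation using IANA protocol numbers and ports and reports every tunnel aimed at the decap IP whose type differs from the one configured; the flow records are constructed, and the data class and function names are hypothetical.

```python
# Added example, not Arista code: flag tunneled packets that arrive at a
# decapsulation IP with an encapsulation other than the one configured.
# Flow records are constructed; protocol numbers and ports are IANA values.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IP_PROTO_IPIP = 4      # IP-in-IP (the page's "IPoIP")
IP_PROTO_UDP = 17
IP_PROTO_GRE = 47      # GRE; NVGRE is GRE-based and shares protocol 47
UDP_PORT_VXLAN = 4789
UDP_PORT_GUE = 6080


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dst_port: Optional[int] = None  # only meaningful for UDP/TCP


def classify_tunnel(flow: Flow) -> Optional[str]:
    """Name the encapsulation a flow carries, or None if it is not a tunnel."""
    if flow.proto == IP_PROTO_GRE:
        return "GRE/NVGRE"
    if flow.proto == IP_PROTO_IPIP:
        return "IPoIP"
    if flow.proto == IP_PROTO_UDP:
        if flow.dst_port == UDP_PORT_VXLAN:
            return "VXLAN"
        if flow.dst_port == UDP_PORT_GUE:
            return "GUE"
    return None


def unexpected_decaps(flows: Iterable[Flow], decap_ip: str,
                      configured: str) -> List[Tuple[str, Flow]]:
    """Return (tunnel_type, flow) for tunneled traffic aimed at decap_ip whose
    encapsulation differs from the configured one. On an affected switch these
    are the packets that would be wrongly decapsulated and forwarded; with the
    recommended upstream ACL in place they are dropped before they arrive."""
    hits: List[Tuple[str, Flow]] = []
    for f in flows:
        if f.dst != decap_ip:
            continue
        kind = classify_tunnel(f)
        if kind is not None and kind != configured:
            hits.append((kind, f))
    return hits


# Constructed sample: 192.0.2.10 is a VTEP configured for VXLAN only.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "192.0.2.10", IP_PROTO_UDP, UDP_PORT_VXLAN),  # expected VXLAN
    Flow("198.51.100.7", "192.0.2.10", IP_PROTO_GRE),              # GRE to the VTEP
    Flow("198.51.100.7", "192.0.2.10", IP_PROTO_IPIP),             # IPoIP to the VTEP
    Flow("198.51.100.9", "192.0.2.10", IP_PROTO_UDP, UDP_PORT_GUE), # GUE to the VTEP
    Flow("10.1.1.6", "192.0.2.10", IP_PROTO_UDP, 53),              # plain DNS, no tunnel
    Flow("198.51.100.7", "192.0.2.20", IP_PROTO_GRE),              # GRE elsewhere
]

if __name__ == "__main__":
    for kind, flow in unexpected_decaps(SAMPLE_FLOWS, "192.0.2.10", "VXLAN"):
        print(f"unexpected {kind} from {flow.src} to decap IP {flow.dst}")
```

Run over exported flow records (NetFlow/sFlow or a packet capture summary), the same function doubles as a check that the ACL mitigation is actually dropping the non-configured encapsulations: after the change, the list should be empty for every decap IP.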

CVE-2026-10795 - Authentication Bypass vulnerability in UpdraftPlus WordPress plugin

An Authentication Bypass vulnerability in UpdraftPlus Plugin for WordPress allowed unauthenticated attackers to completely bypass standard security checks and execute arbitrary Remote Procedure Calls (RPCs) as the connected administrator by exploiting a cryptographic validation error in the UpdraftCentral integration when processing encrypted remote communications. The vulnerability stemmed from the registration, on every page load, of an unauthenticated listener that failed to verify a crucial decryption step, whereby an attacker supplying a malformed key caused the software to default to an insecure state using a deterministic cipher with an all-zero AES-128 key, enabling attackers to encrypt their own malicious commands locally and have the vulnerable server accept forged messages without requiring authentic keys. Successful exploitation enabled attackers to leverage RPC capabilities to trigger file upload commands, writing malicious ZIP files directly to the active disk and automatically activating the new plugin to gain arbitrary PHP and operating system command execution, resulting in total website compromise and administrator-level access. The vulnerability affected more than three million active installations worldwide, with Wordfence reporting active exploitation by blocking 4,987 attacks targeting the flaw in a single 24-hour period. The development team released a comprehensive security patch adding a strict return-value check to the broken cryptographic validation function, and website administrators must immediately update their UpdraftPlus plugin to the patched version to prevent ongoing compromise from this actively exploited critical vulnerability.
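The failure pattern described above (a key-handling step fails, its result is never checked, and the code falls through to a deterministic all-zero key) beside the strict return-value check the patch added, as an added example that is not UpdraftPlus code. It models message validation with the standard library's HMAC-SHA256 instead of AES-128 so it runs with no third-party packages; parse_key, accept_vulnerable and accept_fixed are hypothetical names, and the key-padding line is a stand-in for whatever step turned the failed result into zero bytes.

```python
# Added example, not UpdraftPlus code: the "failed key step silently becomes
# an all-zero key" pattern and its fix, modelled with stdlib HMAC-SHA256 in
# place of AES-128. Function names are hypothetical.
import binascii
import hashlib
import hmac

KEY_LEN = 16  # 128-bit key, matching the page's AES-128 description


def parse_key(supplied_hex: str) -> bytes:
    """Decode a hex-encoded key. Returns b'' on malformed input, mirroring a
    decode/decrypt helper that signals failure with a falsy value."""
    try:
        return binascii.unhexlify(supplied_hex)
    except (binascii.Error, ValueError):
        return b""


def _tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def accept_vulnerable(supplied_hex: str, message: bytes, tag: bytes) -> bool:
    """Vulnerable pattern: the parse result is used without a check, and the
    padding intended for short keys turns an empty result into 16 zero bytes.
    Anyone can compute a tag under the all-zero key, so forged messages pass."""
    key = parse_key(supplied_hex)
    key = key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]  # stand-in for the insecure default
    return hmac.compare_digest(_tag(key, message), tag)


def accept_fixed(supplied_hex: str, message: bytes, tag: bytes) -> bool:
    """Fixed pattern: a strict return-value check. Anything other than a
    full-length key is a hard failure, never a fallback."""
    key = parse_key(supplied_hex)
    if not key or len(key) != KEY_LEN:
        return False
    return hmac.compare_digest(_tag(key, message), tag)
```

The general lesson is the one the patch encodes: a cryptographic helper's failure result must terminate the request, and no code path may substitute a constant key, IV or nonce when the real material is missing.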

CVE-2026-11645 - Out-of-Bounds Read and Write vulnerability in Google Chromium V8

An Out-of-Bounds Read and Write vulnerability in Google Chromium V8 JavaScript and WebAssembly engine allowed a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page, affecting all Chromium-based browsers including Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi running versions prior to 149.0.7827.102/.103. The flaw additionally enabled the bypass of security protections such as Address Space Layout Randomization (ASLR), significantly increasing the likelihood of achieving arbitrary code execution when combined with additional vulnerabilities. Google confirmed active in-the-wild exploitation of CVE-2026-11645, marking it as the fifth Chrome zero-day patched in 2026, and consistent with standard practice, restricted access to technical bug details and exploitation specifics until a majority of users were updated. Google addressed the vulnerability through the Chrome 149 Stable channel update released on June 8, 2026, delivering versions 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux. With confirmed active exploitation posing a significant risk to users across multiple Chromium-based browsers, CISA added CVE-2026-11645 to its KEV catalog, making it imperative for organizations and end users to prioritize updating to the patched version immediately.

CVE-2026-20245 - Improper Encoding or Escaping of Output vulnerability in Cisco Catalyst SD-WAN Manager

An Improper Encoding or Escaping of Output vulnerability in Cisco Catalyst SD-WAN Manager allowed an authenticated local attacker with netadmin privileges to escalate privileges to root by supplying a crafted file to the affected system, stemming from insufficient validation of user-supplied input. Successful exploitation required valid netadmin credentials or prior exploitation of CVE-2026-20182 or CVE-2026-20127, enabling arbitrary command execution and command injection attacks on the affected system. In some observed cases, exploitation resulted in configuration changes being pushed to connected edge devices across the SD-WAN infrastructure. Cisco PSIRT confirmed limited in-the-wild exploitation in June 2026 and released interim fixes to remediate the vulnerability. Given its active exploitation, this vulnerability was added to the CISA KEV catalog, underscoring the critical need for immediate patching.

CVE-2026-28318 - Uncontrolled Resource Consumption vulnerability in SolarWinds Serv-U

An Uncontrolled Resource Consumption vulnerability in SolarWinds Serv-U allowed a remote unauthenticated attacker to crash the Serv-U service by sending specially crafted POST requests carrying the Content-Encoding: deflate header, forcing the service to consume excessive resources and creating a denial-of-service condition that rendered the service unavailable to all legitimate users. The flaw required only minimal bandwidth to exploit, meaning a single machine could disrupt file transfers, automated integrations, and backups across the affected deployment, posing a significant operational risk particularly in regulated industries such as healthcare, finance, and government where Serv-U is commonly deployed internet-facing. While the vulnerability resulted in denial-of-service conditions rather than full system compromise, successful exploitation could additionally serve as a distraction from other concurrent malicious activities targeting the affected environment. SolarWinds disclosed the vulnerability on June 3, 2026, alongside the release of Serv-U 15.5.4 Hotfix 1, with interim mitigations including configuring web application firewalls to block POST requests containing the Content-Encoding header and restricting access to known addresses. Active in-the-wild exploitation was confirmed, though SolarWinds disclosed no technical details regarding the observed attacks and no evidence currently linked the vulnerability to ransomware operations. The inclusion of CVE-2026-28318 in the CISA KEV catalog served as a stark reminder that vulnerabilities capable of only disrupting services, rather than enabling full system compromise, remain a credible and trackable threat, particularly when deployed in internet-facing file transfer solutions critical to regulated industries.
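The two interim mitigations the page lists (refuse POST requests carrying a Content-Encoding header, and admit only known source addresses) expressed as a request filter that can sit in front of a file transfer service's web interface, as an added example that is not SolarWinds code. The allowlisted networks and the middleware name are hypothetical.

```python
# Added example, not SolarWinds code: a WSGI filter expressing the page's
# interim mitigations for the Serv-U denial-of-service flaw. The networks in
# ALLOWED_NETS and the class/function names are hypothetical.
import ipaddress
from http import HTTPStatus
from typing import Callable, Iterable, List, Sequence, Tuple

# Hypothetical allowlist of partner and integration networks.
ALLOWED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def request_decision(method: str, headers: Sequence[Tuple[str, str]],
                     remote_addr: str) -> Tuple[int, str]:
    """Return (status, reason); 200 means hand the request to the service.
    Source restriction is checked first so that unknown hosts never get to
    exercise the request-body handling at all."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return 403, "unparseable source address"
    if not any(addr in net for net in ALLOWED_NETS):
        return 403, "source address not in allowlist"
    if method.upper() == "POST" and any(k.lower() == "content-encoding"
                                        for k, _ in headers):
        return 400, "Content-Encoding is not accepted on POST"
    return 200, "pass"


class MitigationMiddleware:
    """Wrap a WSGI app; requests failing request_decision never reach it."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        # WSGI exposes request headers as HTTP_<NAME>; Content-Encoding is not
        # one of the two special-cased headers, so it arrives as
        # HTTP_CONTENT_ENCODING and is recovered here.
        headers: List[Tuple[str, str]] = [
            (k[5:].replace("_", "-"), v) for k, v in environ.items()
            if k.startswith("HTTP_")
        ]
        status, reason = request_decision(environ.get("REQUEST_METHOD", "GET"),
                                          headers, environ.get("REMOTE_ADDR", ""))
        if status != 200:
            body = reason.encode()
            start_response(f"{status} {HTTPStatus(status).phrase}",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```

This is a stopgap until the hotfix is applied: blocking the header wholesale also refuses legitimate compressed uploads, so the allowlist is what keeps the service usable for known integrations in the meantime.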

CVE-2026-42271 - Command Injection vulnerability in BerriAI LiteLLM

A Command Injection vulnerability in BerriAI LiteLLM's Model Context Protocol (MCP) server preview endpoints allowed any authenticated user holding even a low-privilege API key to execute arbitrary commands on the proxy host by supplying a crafted POST request to the /mcp-rest/test/connection or /mcp-rest/test/tools/list endpoints, which accepted full server configurations including command, args, and env fields without any validation or sandboxing. The flaw was further compounded by its ability to be chained with CVE-2026-48710, a Host header validation bypass dubbed "BadHost" in the Starlette framework, effectively transforming the vulnerability into unauthenticated remote code execution against deployments running Starlette versions 1.0.0 and below, as demonstrated by researchers at Horizon3.ai. Successful exploitation enabled attackers to execute arbitrary commands on the LiteLLM host, access model-provider credentials, steal API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and compromise downstream integrated systems. The vulnerability affected LiteLLM versions 1.74.2 through 1.83.6, with BerriAI addressing the flaw in version 1.83.7 by restricting the affected MCP test endpoints to the PROXY_ADMIN role. Active in-the-wild exploitation was confirmed, though no public information on threat actor attribution, specific targets, or whether attacks leveraged the full unauthenticated exploit chain has been disclosed at this time. CISA's addition of CVE-2026-42271 to its KEV catalog served as a critical indicator of the real-world risk posed by this vulnerability, particularly given LiteLLM's widespread deployment as an AI gateway holding sensitive credentials and access to internal AI workflows.
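An authorization gate of the kind the fix describes (the MCP test endpoints restricted to the PROXY_ADMIN role) in front of a handler that accepts command, args and env fields, as an added example that is not LiteLLM code. The role and field names follow the page; the command allowlist, the env-key check and the handler names are hypothetical additions that go one step beyond the page's fix, so that even an administrator cannot point the endpoint at an arbitrary binary.

```python
# Added example, not LiteLLM code: gate an MCP "test connection" handler on
# role (the page's fix) and on an operator allowlist of launch commands.
# The allowlist and the handler/function names are hypothetical.
from dataclasses import dataclass, field
from typing import Any, Dict, List

PROXY_ADMIN = "proxy_admin"
# Hypothetical operator policy: the only launchers an admin may test with.
ALLOWED_COMMANDS = {"npx", "uvx"}


@dataclass
class McpServerConfig:
    command: str
    args: List[str] = field(default_factory=list)
    env: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_server_config(body: Dict[str, Any]) -> McpServerConfig:
    """Shape validation: command is a non-empty string, args a list of
    strings, env a str->str mapping. Anything else is rejected before use."""
    cmd = body.get("command")
    args = body.get("args", [])
    env = body.get("env", {})
    if not isinstance(cmd, str) or not cmd:
        raise ValueError("command must be a non-empty string")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    if not isinstance(env, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in env.items()):
        raise ValueError("env must map strings to strings")
    return McpServerConfig(cmd, list(args), dict(env))


def authorize_mcp_test(role: str, cfg: McpServerConfig) -> Decision:
    """Role check first, then the allowlist, then env-key sanity."""
    if role != PROXY_ADMIN:
        return Decision(False, "mcp test endpoints require PROXY_ADMIN")
    if cfg.command not in ALLOWED_COMMANDS:
        return Decision(False, f"command {cfg.command!r} is not allowlisted")
    bad_env = [k for k in cfg.env if not k.isidentifier()]
    if bad_env:
        return Decision(False, f"malformed env keys: {bad_env}")
    return Decision(True, "ok")


def handle_test_connection(role: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Endpoint handler: nothing is launched unless every gate passes.
    The real spawn is replaced by a placeholder result in this example."""
    try:
        cfg = parse_server_config(body)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    decision = authorize_mcp_test(role, cfg)
    if not decision.allowed:
        return {"status": 403, "error": decision.reason}
    # A real proxy would spawn the stdio server here with subprocess and an
    # argument list (never a shell string), inheriting a minimal environment.
    return {"status": 200, "would_launch": [cfg.command, *cfg.args]}
```

The ordering matters for the chained scenario the page describes: because the role check runs before the body is interpreted, a request that reaches the handler through a Host-header bypass with no valid admin key is refused at the first gate rather than the last.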

CVE-2026-50751 - Improper Authentication vulnerability in Check Point Security Gateway

An Improper Authentication vulnerability in Check Point Security Gateway existed in deployments configured to use the deprecated IKEv1 key exchange protocol, where a logic flow weakness in the Remote Access and Mobile Access components' certificate validation allowed an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. The flaw affected gateways accepting legacy Remote Access clients without requiring a machine certificate, and while additional post-authentication activity was required to access internal resources or escalate privileges, the bypass itself posed a critical risk to corporate network security. The vulnerability affected multiple versions including R80.20.X through R82.10 across Quantum Security Gateway and Spark Firewall platforms, with Check Point confirming active in-the-wild exploitation dating back to May 7, 2026, with an increase in activity observed in early June 2026. The campaign was characterized as limited in scope, affecting several dozen targeted organizations globally, with at least one incident linked with medium confidence to a Qilin ransomware affiliate leveraging dedicated VPS infrastructure and Rclone for data exfiltration. Check Point released hotfix sk185033 to address the vulnerability, with additional mitigations including disabling the deprecated IKEv1 protocol, enforcing IKEv2, requiring machine certificates, and enabling multi-factor authentication for remote access. CISA's inclusion of CVE-2026-50751 in its KEV catalog, coupled with its observed ties to ransomware activity, reflected the severity of the threat and the pressing need for affected organizations to apply the hotfix and recommended mitigations without delay.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

Vulnerabilities | Product | Severity | Title | Exploited in the wild | CISA KEV
CVE-2026-27944 | Nginx UI | Critical | Missing Authentication for Critical Function vulnerability in Nginx UI | No | False
CVE-2025-57819 | Sangoma FreePBX | Critical | Authentication Bypass Vulnerability in Sangoma FreePBX | Yes | True
CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Visual Composer Metadata Uploader | Yes | True
CVE-2025-22457 | Ivanti Connect Secure, Policy Secure and ZTA Gateways | Critical | Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways leads to remote code execution | Yes | True
CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | Yes | False
CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | Yes | True
CVE-2024-38856 | Apache OFBiz | Critical | Incorrect Authorization vulnerability in Apache OFBiz leads to remote code execution | No | True
CVE-2024-3721 | TBK DVR-4104 and DVR-4216 | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | Yes | False
CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | Yes | True
CVE-2024-27348 | Apache HugeGraph-Server | Critical | Improper Access Control vulnerability in Apache HugeGraph-Server | Yes | True

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Ghost CMS Vulnerability Weaponized to Hijack 700+ Websites for ClickFix Social Engineering Attacks

According to QiAnXin XLab, CVE-2026-26980, a critical SQL injection vulnerability in the Ghost CMS Content API, enabled threat actors to compromise over 700 websites and inject malicious JavaScript loaders across universities, blockchain, AI, SaaS, and fintech sectors to fuel ClickFix attacks. The vulnerability allowed unauthenticated attackers to extract admin API keys from databases and manipulate published articles, with at least two threat clusters exploiting the flaw in a large-scale poisoning campaign detected since May 7, 2026. The injected malicious JavaScript functioned as a two-stage loader that served fake CAPTCHA pages to unsuspecting visitors, tricking them into copying Base64-encoded commands into the Windows Run dialog, which deployed final-stage payloads including signed PuTTY clients and modified Grape desktop clients for persistence and remote command execution. The campaign leveraged the Adspect cloaking service to evade security scanners while fingerprinting victim browsers and selectively delivering payloads only to intended targets. Ghost CMS administrators were advised to upgrade to version 6.19.1, rotate credentials, audit access logs, and notify users of potential compromise, underscoring how SQL injection vulnerabilities transform legitimate websites into platforms for mass social engineering attacks.

JDY Botnet Exploitation of Fortinet vulnerability

Black Lotus Labs identified a significant resurgence and expansion of the JDY botnet, a covert reconnaissance network comprising over 1,500 compromised SOHO and IoT devices linked to China-nexus advanced persistent threat actors including Volt Typhoon, which demonstrated the capability to rapidly identify and target newly disclosed vulnerabilities within hours of public disclosure. The botnet exhibited selective targeting behavior as evidenced by a dramatic spike in scanning activity targeting Fortinet equipment immediately following the disclosure of CVE-2026-35616 on April 5, 2026, indicating the threat actor's ability and intent to operationalize reconnaissance output for exploitation before patches achieved widespread deployment. JDY operated through a layered architecture utilizing concealed Tor nodes for command-and-control obfuscation while directing compromised devices to perform multiprotocol scans that collected service banners, TLS certificate details, and vulnerability-focused reconnaissance data, with particular focus on U.S. military networks and associated entities representing the primary targeting profile. Black Lotus Labs discovered that the botnet's growth more than doubled since prior takedown efforts, expanding from approximately 650 active devices in January 2024 to over 1,500 devices distributed across North America, Europe, and Asia, while diversifying beyond historically affected Cisco router models to include compromised equipment from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys manufacturers. The reconnaissance intelligence gathered by JDY directly supported downstream exploitation activities conducted by associated China-nexus APT actors, establishing the botnet as a foundational component within broader nation-state cyber operations targeting critical infrastructure sectors.

Exploitation of Check Point Security Gateway by Qilin Ransomware

According to Check Point Research, CVE-2026-50751, a critical authentication bypass vulnerability in Check Point Remote Access VPN and Mobile Access deployments configured with the deprecated IKEv1 key exchange protocol, experienced active exploitation beginning May 7, 2026, with confirmed post-compromise activity linked to Qilin ransomware affiliates conducting financially motivated attacks. The vulnerability stemmed from a logic flow weakness in certificate validation that allowed unauthenticated attackers to establish VPN sessions without valid user credentials, enabling direct access to corporate networks across multiple regions including Taiwan, Europe, and North America. Check Point assessed with medium confidence that the threat actor utilized dedicated VPS infrastructure hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, adopted the Tox protocol for command-and-control communications, and coordinated exploitation attempts with observed Qilin Linux ransomware binary deployment efforts to maximize post-breach impact. The security investigation revealed that the observed exploitation remained limited to several dozen targeted organizations globally; however, the attack campaign's sophistication and correlation with ransomware deployment underscored the critical urgency for affected organizations to apply hotfix sk185033 and implement alternative IKEv2-based mitigations immediately.

C0XMO Botnet: Multi-Vulnerability Exploitation Campaign Discovered by Fortinet

According to Fortinet, FortiGuard Labs discovered a sophisticated Gafgyt botnet variant designated C0XMO in March 2026, which exploited multiple critical vulnerabilities across diverse device types including DD-WRT routers, D-Link networking equipment, GLPI systems, and Avtech surveillance devices. The threat actor leveraged CVE-2021-27137 (DD-WRT UPnP stack buffer overflow), CVE-2015-2051 (D-Link DIR-645 HNAP remote code execution), CVE-2022-35914 (GLPI htmLawedTest.php code injection), CVE-2016-15047 (Avtech DVR authentication bypass), and CVE-2025-34054 (Avtech DVR authentication bypass) as initial access vectors to compromise vulnerable systems across multiple architectures and device types. C0XMO demonstrated an advanced operational approach by separating its lateral movement functionality into a standalone Python-based scanner, enabling the malware to efficiently identify and compromise additional targets while adapting to various system architectures including ARM, MIPS, and x86 processors. The malware established persistence through cron jobs and shell modifications, deployed multiple DDoS attack vectors, and actively eliminated competing malware and red-team tools to maintain control of compromised infrastructure. Fortinet provided IPS signatures to detect exploitation attempts targeting these vulnerabilities and recommended organizations implement the FCF cybersecurity awareness training to strengthen foundational defenses against similar multi-vector attack campaigns.

Vulnerability | Severity | Title | Patch | Abused By Malware | OSS
CVE-2026-26980 | High | SQL Injection vulnerability in Ghost content management system | Yes | ClickFix campaign | True
CVE-2026-35616 | Critical | Improper Access Control vulnerability in Fortinet FortiClient EMS | Yes | JDY Botnet | False
CVE-2026-50751 | Critical | Improper Authentication vulnerability in Check Point Security Gateway | Yes | Qilin Ransomware | False
CVE-2025-34054 | Critical | Unauthenticated Command Injection vulnerability in AVTECH DVR devices | No | C0XMO Botnet | False
CVE-2022-35914 | Critical | Remote Code Execution vulnerability in Teclib GLPI | Yes | C0XMO Botnet | False
CVE-2021-27137 | Critical | Buffer Overflow vulnerability in DD-WRT | Yes | C0XMO Botnet | False
CVE-2016-15047 | High | Authenticated OS Command Injection vulnerability in AVTECH devices | Yes | C0XMO Botnet | False
CVE-2015-2051 | High | Remote Code Execution vulnerability in D-Link DIR-645 Router | Yes | C0XMO Botnet | False

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

CVE-ID | Title | Ecosystem
CVE-2026-0073 | Remote Code Execution vulnerability in Android's adbd Subcomponent | Android
CVE-2026-9082 | SQL Injection vulnerability in Drupal Core | Packagist
CVE-2026-26030 | Remote Code Execution vulnerability in Semantic Kernel | PyPI
CVE-2026-34486 | Missing Encryption of Sensitive Data vulnerability in Apache Tomcat | Maven
CVE-2026-47668 | Unauthenticated Remote Code Execution via JSON Script Runner | npm

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

CVE-ID | Type of vulnerability | Product | Reference
CVE-2026-3886 | Integer Overflow Local Privilege Escalation | QEMU | Resource
CVE-2026-11908 | Cross-Site Scripting | Tagify JavaScript library | Resource
CVE-2026-44249 | Improper Access Control | Netty | Resource
CVE-2026-47253 | Path Traversal | Anyquery | Resource
CVE-2026-47375 | SQL Injection | NocoDB | Resource
CVE-2026-48051 | Server Side Request Forgery | Papra | Resource

Conclusion

The week's activity reinforces that organizations are no longer defending against isolated threats, but against an ecosystem of adversaries that rapidly adapt newly disclosed vulnerabilities for diverse objectives ranging from reconnaissance and initial access to ransomware deployment and large-scale social engineering. Maintaining visibility into emerging vulnerabilities, exploitation trends, and threat actor activity is critical to reducing exposure and accelerating response. Platforms such as Loginsoft Vulnerability Intelligence (LOVI) help security teams stay ahead of evolving threats by delivering actionable intelligence on exploited vulnerabilities, threat campaigns, and adversary tradecraft before they can be operationalized against their environments.

FAQs:

1) What is Arista Extensible Operating System?

Arista Extensible Operating System (EOS) is the network operating system that powers Arista's data-center and cloud switching and routing platforms. The vulnerability affects platforms configured as tunnel endpoints - for example, as a VXLAN VTEP, a GRE tunnel endpoint, or with an IP decap-group.

2) What is SolarWinds Serv-U?

SolarWinds Serv-U is a self-hosted managed file transfer and FTP server that allows organizations to securely transfer files over a network. It is frequently used in regulated industries such as healthcare, finance, and government, where data sovereignty and audit trails are required, and is commonly deployed internet-facing for file transfer.

3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

4) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

5) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
