Executive Summary
This week’s threat landscape was marked by a sharp escalation in confirmed, real-world exploitation, as defenders faced both newly weaponized zero-days and the resurfacing of long-standing flaws across enterprise, infrastructure, and open-source ecosystems. The CISA Known Exploited Vulnerabilities (KEV) catalog grew by seven additions, including two flaws in SmarterTools SmarterMail, and single entries affecting Microsoft, Broadcom, Fortinet, GNU InetUtils, and an eight-year-old Linux kernel vulnerability, highlighting the persistent risk posed by unpatched environments.
In parallel, the Google Threat Intelligence Group reported active malware campaigns exploiting the critical WinRAR vulnerability CVE-2025-8088 to establish initial access and deliver diverse payloads, while Trend Micro highlighted China-aligned APT activity leveraging the PeckBirdy JScript-based C2 framework, including campaigns such as SHADOW-VOID-044, which abused CVE-2020-16040 alongside modular backdoors to maintain persistent access across targeted environments.
Key points:
- 7 vulnerabilities added to the CISA KEV catalog.
- Cytellite sensor telemetry detected exploit scanning activity targeting globally exposed assets.
- Threat actors leveraged the critical WinRAR vulnerability CVE-2025-8088.
- Trend Micro reported that China-linked APTs leveraged PeckBirdy framework.
- Multiple open-source software (OSS) vulnerabilities identified across a broad range of vendors.
- Several Pre-NVD vulnerabilities were observed, indicating signs of potential exploitation activity before formal public disclosure.
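Teams that track KEV additions week to week usually script the count given above rather than read the catalog by hand. The following is an added example, not part of this report and not Loginsoft or CISA tooling, that filters a KEV catalog snapshot to the entries added in a seven-day window, counts them by vendor and lists the ones whose remediation due date is close. It assumes the public KEV JSON field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`); the embedded snapshot is constructed for illustration, using the CVE IDs and vendors named in this report with placeholder dates plus one invented older entry so the window filter has something to exclude.

```python
import json
from collections import Counter
from datetime import date, timedelta

# Constructed KEV-shaped snapshot. CVE IDs and vendors are the ones named in
# this report; the dates are placeholders, and the last record is an invented
# older entry so the window filter has something to exclude.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "count": 8,
    "vulnerabilities": [
        {"cveID": "CVE-2026-21509", "vendorProject": "Microsoft",
         "product": "Office", "dateAdded": "2026-02-02", "dueDate": "2026-02-09"},
        {"cveID": "CVE-2026-23760", "vendorProject": "SmarterTools",
         "product": "SmarterMail", "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
        {"cveID": "CVE-2025-52691", "vendorProject": "SmarterTools",
         "product": "SmarterMail", "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
        {"cveID": "CVE-2026-24061", "vendorProject": "GNU",
         "product": "InetUtils", "dateAdded": "2026-02-04", "dueDate": "2026-02-25"},
        {"cveID": "CVE-2026-24858", "vendorProject": "Fortinet",
         "product": "Multiple Products", "dateAdded": "2026-02-04", "dueDate": "2026-02-11"},
        {"cveID": "CVE-2024-37079", "vendorProject": "Broadcom",
         "product": "VMware vCenter Server", "dateAdded": "2026-02-05", "dueDate": "2026-02-26"},
        {"cveID": "CVE-2018-14634", "vendorProject": "Linux",
         "product": "Kernel", "dateAdded": "2026-02-05", "dueDate": "2026-02-26"},
        {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2025-12-01", "dueDate": "2025-12-22"},
    ],
})


def parse_kev(raw_json):
    """Return the list of catalog records from a KEV JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def added_between(entries, start, end):
    """Records whose dateAdded falls in [start, end], oldest first."""
    hits = [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]
    return sorted(hits, key=lambda e: (e["dateAdded"], e["cveID"]))


def count_by_vendor(entries):
    return Counter(e["vendorProject"] for e in entries)


def due_within(entries, today, days):
    """CVE IDs whose CISA remediation due date is within `days` of `today`."""
    cutoff = today + timedelta(days=days)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) <= cutoff]


def weekly_report(raw_json, week_end_iso):
    """Summarise the KEV entries added in the 7 days ending on week_end_iso."""
    week_end = date.fromisoformat(week_end_iso)
    week_start = week_end - timedelta(days=6)
    entries = added_between(parse_kev(raw_json), week_start, week_end)
    return {
        "window": (week_start.isoformat(), week_end.isoformat()),
        "added": [e["cveID"] for e in entries],
        "by_vendor": dict(count_by_vendor(entries)),
        "due_within_14_days": due_within(entries, week_end, 14),
    }


if __name__ == "__main__":
    for key, value in weekly_report(SAMPLE_KEV_JSON, "2026-02-06").items():
        print(f"{key}: {value}")
```

Against a real snapshot the `added` list is what a patch-priority meeting starts from, and `due_within_14_days` is the subset that cannot wait for the next maintenance window; the vendor tally reproduces the "two SmarterMail, one each elsewhere" breakdown given above.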
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-21509 - Security Feature Bypass vulnerability in Microsoft Office
A Security Feature Bypass vulnerability in Microsoft Office allowed attackers to circumvent built-in protections by exploiting the platform's reliance on untrusted inputs in security decisions, enabling a locally unauthorized user to bypass OLE mitigations designed to block vulnerable COM/OLE controls. The flaw could be triggered by delivering a specially crafted Office file and persuading a victim to open it, while the Preview Pane was not considered an attack vector. Microsoft addressed the issue through updates for Microsoft 365 and Microsoft Office, though it did not disclose details about the scope or scale of exploitation. The vulnerability was actively exploited as a zero-day, and its addition to the CISA KEV catalog highlighted ongoing attacker interest and the need for prioritized mitigation across exposed deployments.
CVE-2026-23760 - Authentication Bypass Using an Alternate Path or Channel vulnerability in SmarterTools SmarterMail
An Authentication Bypass Using an Alternate Path or Channel vulnerability in SmarterTools SmarterMail affected builds prior to 9511, allowing attackers to reset system administrator passwords through the unauthenticated /api/v1/auth/force-reset-password endpoint. The flaw originated in the SmarterMail.Web.Api.AuthenticationController.ForceResetPassword function, where a user-controlled IsSysAdmin flag enabled privileged logic to overwrite admin credentials; once the account was compromised, built-in features could be leveraged to achieve SYSTEM-level command execution via the Volume Mount Command field. SmarterTools patched the issue in Build 9511, released in January 2026, but WatchTowr Labs observed exploitation attempts shortly after the fix, suggesting the patch was reverse engineered. Its inclusion in the CISA KEV catalog highlights active exploitation and reinforces the urgency for organizations to patch affected systems.
CVE-2026-24061 - Argument Injection vulnerability in GNU InetUtils
An Argument Injection vulnerability in GNU InetUtils telnetd allowed attackers to achieve remote authentication bypass and root access by abusing how the service handled the USER environment variable, affecting versions up to 2.7-2. The flaw originated from a source code commit that reached production in the 1.9.3 release in May 2015, and was later detailed by a GNU contributor. By supplying a crafted value such as "-f root" and invoking Telnet with the -a or --login option, the server passed the unsanitized input to /usr/bin/login, which interpreted the -f flag to bypass authentication and grant root access. Despite Telnet being considered a legacy protocol, the vulnerability posed risk to Unix/Linux systems, embedded devices, and OT-adjacent infrastructure where the service remained enabled. The issue has since been added to the CISA KEV catalog, signaling active risk and the need for prioritized remediation.
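The root cause described above is a client-supplied string reaching a command line where a leading hyphen is parsed as an option. The block below is an added example, written for this report rather than taken from GNU InetUtils, of the allowlist check a service should apply before handing a USER value to login(1), together with a triage helper for reviewing USER values observed in telnet session logs. It only models the username position of the login invocation; the real telnetd argument list and the `MAX_USERNAME_LEN` cap are assumptions, and the sample values at the bottom are constructed.

```python
import re

# POSIX portable username: a letter or underscore, then letters, digits,
# underscore or hyphen, with an optional trailing '$' for machine accounts.
PORTABLE_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")
MAX_USERNAME_LEN = 32  # Assumption: a conservative cap, not a telnetd constant.


def rejection_reason(value):
    """Return why `value` must not be handed to login(1) as a username, or
    None if it is acceptable. The leading-hyphen check is the one that
    matters for the argument-injection class: such a name would be parsed
    by login as an option rather than as an account name."""
    if not value:
        return "empty"
    if len(value) > MAX_USERNAME_LEN:
        return "too long"
    if value.startswith("-"):
        return "looks like an option argument"
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "contains whitespace or control characters"
    if not PORTABLE_USERNAME.match(value):
        return "characters outside the portable username set"
    return None


def is_safe_login_user(value):
    return rejection_reason(value) is None


def login_argv(value):
    """Argument vector a hardened service would hand to login for a
    client-supplied USER value, or None when the value fails validation
    (the caller should then fall through to an interactive login prompt).
    Only the username position is modelled; the options the real telnetd
    passes are not relevant to the check and are omitted."""
    if not is_safe_login_user(value):
        return None
    return ["/usr/bin/login", value]


def triage_observed_users(values):
    """Map each observed USER value to its rejection reason, for reviewing
    telnet session logs. Acceptable names are omitted from the result."""
    return {v: rejection_reason(v) for v in values if rejection_reason(v) is not None}


if __name__ == "__main__":
    # Constructed sample of USER values a telnet server might receive.
    for user, why in triage_observed_users(["alice", "-f root", "svc backup", "bob$"]).items():
        print(f"{user!r}: {why}")
```

The allowlist is deliberately strict (lowercase portable names only); a service that needs to accept other local naming conventions should widen the character class but keep the leading-hyphen and whitespace rejections, since those are what turn a username into an argument.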
CVE-2026-24858 - Authentication Bypass Using an Alternate Path or Channel vulnerability in Fortinet Multiple products
An Authentication Bypass Using an Alternate Path or Channel vulnerability in Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy allowed attackers with a FortiCloud account and a registered device to log into other customers' devices when FortiCloud SSO was enabled. Fortinet confirmed the flaw was actively exploited as a zero-day, with abuse traced to two malicious FortiCloud accounts. The company released multiple patched versions to address the issue and expanded its list of IP addresses and account identifiers linked to the attacks. The vulnerability has since been added to the CISA KEV catalog, reinforcing the need for immediate upgrades and monitoring.
CVE-2025-52691 - Unrestricted Upload of File with Dangerous Type vulnerability in SmarterTools SmarterMail
An Unrestricted Upload of File with Dangerous Type vulnerability in SmarterTools SmarterMail allowed unauthenticated attackers to upload arbitrary files to any location on the mail server, potentially leading to remote code execution, and affected builds 9406 and earlier. The flaw originated in the SmarterMail.Web.Api.FileUploadController.Upload() API exposed via the /api/upload route, where a user-controlled GUID parameter could be manipulated through crafted multipart/form-data requests to place malicious files, including web shells, into sensitive directories such as the web root. Researchers observed that although uploads were scanned using ClamAV, detection or enforcement failures allowed malicious payloads to pass through. SmarterTools addressed the issue in Build 9413, and while the Cyber Security Agency of Singapore (CSA) initially reported no active exploitation in December 2025, in-the-wild activity has since been observed. The vulnerability has now been added to the CISA KEV catalog, underscoring its real-world impact and remediation priority.
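Both SmarterMail entries above (CVE-2026-23760 and CVE-2025-52691) are reachable over plain HTTP routes, so web access logs are the first place to look for abuse while patches are rolled out. The following is an added example, not SmarterTools code and not from this report, that parses combined-format access log lines, flags any call to the force-reset-password endpoint, escalates a file upload that follows such a call from the same source, and adds a strict GUID allowlist check of the kind a WAF or patched handler could apply to the upload parameter. The log lines, the internal network range and the `/api/upload` severity policy are all constructed assumptions; only the two route paths come from the report.

```python
import ipaddress
import re

# Constructed access-log lines in combined log format. The addresses are
# documentation ranges; the paths are the two SmarterMail API routes named
# in the report.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2026:10:12:01 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:13:44 +0000] "POST /api/upload HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.5 - - [05/Feb/2026:10:15:02 +0000] "POST /api/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Feb/2026:10:16:10 +0000] "GET /interface/root HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

FORCE_RESET = "/api/v1/auth/force-reset-password"
UPLOAD = "/api/upload"
# Assumption: the administrators' network; uploads from elsewhere are escalated.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
            records.append(rec)
    return records


def is_internal(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect(text):
    """Return (severity, source, reason) tuples for requests touching the two
    SmarterMail routes. An upload that follows a force-reset call from the
    same source is treated as the post-compromise step described above."""
    findings = []
    reset_sources = set()
    for rec in parse_log(text):
        src, path, method = rec["src"], rec["path"], rec["method"]
        if path == FORCE_RESET:
            reset_sources.add(src)
            findings.append(("critical", src, "unauthenticated admin password reset endpoint called"))
        elif path == UPLOAD and method == "POST":
            if src in reset_sources:
                findings.append(("critical", src, "file upload after force-reset from same source"))
            elif not is_internal(src):
                findings.append(("high", src, "file upload from outside the admin network"))
            else:
                findings.append(("info", src, "file upload from internal network"))
    return findings


# Canonical 8-4-4-4-12 hexadecimal GUID; nothing else is accepted.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_valid_upload_guid(value):
    """Strict allowlist for the upload GUID parameter. Path separators,
    traversal sequences and encoded variants all fail the pattern.
    (Illustrative check, not SmarterTools' patched handler.)"""
    return GUID_RE.match(value) is not None


if __name__ == "__main__":
    for severity, src, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {src}: {reason}")
```

The GUID check is shown separately because the multipart body is not in the access log; it belongs in whatever component does see the parameter. The correlation in `detect` is within one batch of lines, which is enough for a daily review; a streaming deployment would key `reset_sources` on a time window instead.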
CVE-2024-37079 - Out-of-Bounds Write vulnerability in Broadcom VMware vCenter Server
An Out-of-Bounds Write vulnerability in Broadcom VMware vCenter Server affected the DCE/RPC protocol implementation, impacting vCenter Server 7.0 and 8.0 as well as VMware Cloud Foundation 4.x and 5.x, and allowing attackers with network access to achieve remote code execution through specially crafted network packets. The flaw was part of a broader set of DCE/RPC weaknesses later discussed at Black Hat Asia 2025, where researchers showed how related issues, including CVE-2024-38812 and the privilege escalation flaw CVE-2024-38813, could be chained to gain unauthorized root access and control over ESXi. Although this vulnerability was addressed and resolved in 2024, it has now been added to the CISA KEV catalog, underscoring confirmed in-the-wild abuse and the continued risk posed by unpatched deployments.
CVE-2018-14634 - Integer Overflow vulnerability in Linux Kernel
An Integer Overflow vulnerability in the Linux Kernel was identified in the create_elf_tables() function, enabling an unprivileged local user with access to a SUID binary to escalate privileges and gain full system control. Exploitation required local access to trigger a buffer overflow condition that allowed malicious code execution in a highly privileged context. Discovered by Qualys and dubbed “Mutagen Astronomy,” the flaw affected kernel versions released between July 2007 and July 2017, impacting major distributions including Red Hat Enterprise Linux, CentOS, and Debian. Qualys reported the issue to Red Hat in August 2018 and to Linux kernel maintainers in September 2018, and despite being long addressed, the vulnerability has now been added to the CISA KEV catalog, highlighting continued risk from unpatched legacy systems.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Multiple Threat Actors Leverage Critical WinRAR Vulnerability CVE-2025-8088
The Google Threat Intelligence Group reported widespread exploitation of the critical WinRAR vulnerability CVE-2025-8088, patched in July 2025, with both state-linked and financially motivated actors using the flaw to gain initial access and deliver diverse malware payloads. Russia-nexus groups such as UNC4895 (CIGAR/RomCom) and APT44 (FROZENBARENTS) leveraged tailored geopolitical lures to target Ukrainian military and government entities, while TEMP.Armageddon (CARPATHIAN) used RAR and HTA-based downloaders to sustain campaigns into January 2026. The Turla (SUMMIT) group adopted the exploit to deploy the STOCKSTAY malware suite, and a PRC-linked actor abused the vulnerability to deliver POISONIVY via startup-based BAT droppers. GTIG also noted that the scale of exploitation was fueled by the underground market, highlighting “zeroplayer” as a key supplier advertising WinRAR exploits to multiple threat actors.
China-Linked APTs Leverage PeckBirdy framework
Trend Micro recently reported that PeckBirdy is a JScript-based command-and-control (C2) framework used by China-aligned APT actors since 2023, designed for flexible, multi-environment execution and extended through modular backdoors such as HOLODONUT and MKDOOR. The company tracked coordinated campaigns labeled SHADOW-VOID-044 and SHADOW-EARTH-045, which leveraged PeckBirdy across multiple attack vectors to sustain access and lateral movement. In particular, SHADOW-VOID-044 was observed exploiting CVE-2020-16040 as part of its initial access chain, alongside the abuse of stolen code-signing certificates and the deployment of Cobalt Strike payloads, with infrastructure distributed across multiple C2 domains and IP addresses to maintain persistence and evade detection.
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
This week’s developments reinforced how both new and long-standing vulnerabilities are being rapidly weaponized across enterprise, infrastructure, and open-source ecosystems. The convergence of active KEV additions, malware-driven exploitation, and Pre-NVD exposure highlights the shrinking window between disclosure and real-world impact. LOVI empowers security teams to stay ahead of this curve, delivering real-time vulnerability intelligence, exploitation tracking, and prioritized risk insights to turn early warning into decisive action.
FAQs:
1) What is CVE-2025-8088?
CVE-2025-8088 is a critical Path Traversal vulnerability in RARLAB WinRAR that could allow an attacker to execute arbitrary code by crafting malicious archive files. It has been actively exploited by multiple threat actors, including state-linked and financially motivated groups, to deploy malware such as STOCKSTAY and POISONIVY, making rapid patching essential.
2) What are OSS vulnerabilities?
Open-Source Software vulnerabilities are security weaknesses found in publicly available codebases, such as libraries, frameworks, and tools used across many applications. Because these components are widely reused, a single flaw can cascade risk across thousands of systems, making timely tracking, patching, and dependency management critical.
3) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
4) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.