February 20, 2026

Zero-Days and Virtualization Breaches: Escalating State-Aligned Exploitation

Executive Summary

This week’s threat landscape reflects a sharp convergence of legacy weaknesses and active nation-state exploitation, as 11 vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog across major enterprise and software platforms. The newly listed flaws span Microsoft (two entries), Apple, Notepad++, SolarWinds, BeyondTrust, Synacor Zimbra, TeamT5, Google, GitLab, and Dell, underscoring how both modern and long-standing vulnerabilities continue to be operationalized in real-world attacks.

Malware developments this week further underscore the growing sophistication of state-aligned threat activity. According to Google, a joint investigation with Mandiant revealed that the suspected PRC-linked cluster UNC6201 has been exploiting Dell RecoverPoint for Virtual Machines since at least mid-2024, leveraging access to the virtualization layer to deploy advanced malware such as SLAYSTYLE, BRICKSTORM, and the newly identified GRIMBOLT backdoor. In parallel, exploitation of Notepad++ infrastructure was attributed by Rapid7 to the China-linked state-sponsored group Lotus Blossom, a long-running espionage actor active since 2009, highlighting continued supply-chain targeting of trusted software distribution mechanisms. Together, these developments reflect a sustained pattern of strategic exploitation focused on deep infrastructure access, stealthy persistence, and long-term intelligence collection.

Key points:

  • 11 vulnerabilities added to the CISA KEV catalog
  • UNC6201 exploited Dell RecoverPoint to deploy GRIMBOLT and pivot through virtualization layers
  • Lotus Blossom exploit campaign targeted Notepad++ infrastructure
  • Legacy Exploit Resurgence: CVE-2008-0015 and Dogkild Malware Activity

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-1731 - OS Command Injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)

An OS Command Injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) allows an unauthenticated remote attacker to execute operating system commands in the context of the site user, potentially resulting in unauthorized access, data exfiltration, and service disruption. According to BeyondTrust, the flaw affects Remote Support and certain legacy versions of Privileged Remote Access and requires no authentication or user interaction for successful exploitation. Security researchers identified thousands of exposed internet-facing instances, and subsequent threat intelligence confirmed active exploitation through abuse of the /get_portal_info endpoint to extract identifiers and establish WebSocket connections for remote command execution. BeyondTrust remediated the issue in Remote Support Patch BT26-02-RS (version 25.3.2 and later) and Privileged Remote Access Patch BT26-02-PRA (version 25.1.1 and later), and the vulnerability has been added to the CISA KEV catalog.
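The exploitation flow described above, identifier retrieval from /get_portal_info followed by a WebSocket connection, lends itself to a simple per-source correlation. The following Go program is an added detection example written for this post; it is not BeyondTrust's code nor from any cited source. It runs over a constructed access-log excerpt embedded in the program: the column layout, the /ws path and the IP addresses are assumptions, and only the Upgrade column decides whether a request was a WebSocket upgrade.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleLog is a constructed access-log excerpt, not real BeyondTrust output.
// Assumed column layout: <src_ip> <method> <path> <status> <upgrade header or ->
// The /ws path is a placeholder; only the Upgrade column drives the WebSocket check.
const sampleLog = `203.0.113.7 GET /get_portal_info 200 -
203.0.113.7 GET /get_portal_info 200 -
203.0.113.7 GET /get_portal_info 200 -
203.0.113.7 GET /ws 101 websocket
198.51.100.2 GET /login 200 -
198.51.100.2 GET /get_portal_info 200 -
192.0.2.9 GET /ws 101 websocket`

// Finding is one source that fetched portal identifiers and then opened a WebSocket.
type Finding struct {
	IP         string
	PortalHits int
}

// Correlate walks the log in order and flags each source IP that requested
// /get_portal_info at least minHits times and only afterwards upgraded to
// WebSocket. A WebSocket seen before any identifier lookup is not counted.
func Correlate(log string, minHits int) []Finding {
	type state struct {
		hits int
		ws   bool
	}
	seen := map[string]*state{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue // malformed line: skip rather than guess
		}
		ip, path, upgrade := f[0], f[2], f[4]
		st := seen[ip]
		if st == nil {
			st = &state{}
			seen[ip] = st
		}
		if path == "/get_portal_info" {
			st.hits++
		}
		if strings.EqualFold(upgrade, "websocket") && st.hits > 0 {
			st.ws = true
		}
	}
	var out []Finding
	for ip, st := range seen {
		if st.hits >= minHits && st.ws {
			out = append(out, Finding{IP: ip, PortalHits: st.hits})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, f := range Correlate(sampleLog, 1) {
		fmt.Printf("suspicious: %s requested /get_portal_info %d times, then opened a WebSocket\n", f.IP, f.PortalHits)
	}
}
```

Legitimate portal clients also fetch /get_portal_info before opening a WebSocket, so on its own this sequence is a weak signal; in practice raise minHits, restrict the rule to sources with no authenticated session, and treat a hit as a prompt to pull the full request bodies for review rather than as a verdict.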

CVE-2026-2441 - Use-After-Free vulnerability in Google Chromium

A Use-After-Free vulnerability in Google Chromium's CSS engine could allow a remote attacker to exploit heap corruption through a specially crafted HTML page. The flaw stems from an iterator invalidation issue in the CSSFontFeatureValuesMap implementation, creating a dangling pointer condition where freed memory is re-accessed during style recalculation or rendering. Successful exploitation may result in browser crashes, rendering corruption, or, with controlled heap manipulation, arbitrary code execution within Chrome’s sandbox environment, requiring no user interaction beyond visiting a malicious webpage. Google confirmed in-the-wild exploitation and released stable channel updates for Windows, macOS (145.0.7632.75/76), and Linux (144.0.7559.75), with corresponding patches expected from other Chromium-based browser vendors including Microsoft Edge, Brave, Opera, and Vivaldi. The fix was cherry-picked into stable releases due to active exploitation, and the vulnerability has been added to the CISA KEV catalog.

CVE-2026-20700 - Buffer Overflow vulnerability in Apple multiple products

A Buffer Overflow vulnerability in multiple Apple operating systems affects iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS and was exploited in sophisticated targeted attacks. This flaw resides in dyld, Apple's Dynamic Link Editor, and successful exploitation allows an attacker with memory write capability to execute arbitrary code on affected devices. Apple reported that the vulnerability may have been used in highly targeted attacks against specific individuals on versions of iOS prior to iOS 26, and credited discovery and reporting to Google Threat Analysis Group. The vulnerability was addressed in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3, and has since been added to the CISA KEV catalog.

CVE-2026-22769 - Use of Hard-coded Credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs)

A Use of Hard-coded Credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs) was exploited as a zero-day by Chinese threat actors in targeted operations. The flaw affects versions prior to 6.0.3.1 HF1 and enables an unauthenticated remote attacker with knowledge of embedded credentials to gain unauthorized access to the underlying operating system, potentially achieving root-level persistence. Dell confirmed the issue as critical and advised upgrading to version 6.0.3.1 HF1 or following the recommended migration paths for affected 5.x and 6.x branches. The vulnerability was identified by Mandiant during incident response investigations and has since been added to the CISA KEV catalog, underscoring active real-world exploitation.

CVE-2025-15556 - Download of Code Without Integrity Check vulnerability in Notepad++

A Download of Code Without Integrity Check vulnerability in Notepad++ when using the WinGUp (Generic Updater) component allows an attacker to intercept or redirect update traffic and deliver an attacker-controlled installer, potentially resulting in arbitrary code execution with user-level privileges. According to Red Hot Cyber, the issue represents a supply-chain exploitation scenario in which adversaries hijack the update channel through server compromise or local network manipulation techniques such as DNS or ARP spoofing, combined with SSL/TLS bypass methods. By emulating the legitimate update endpoint and responding to hardcoded update queries with a crafted XML manifest, attackers can force the application to download and execute malicious payloads due to the absence of cryptographic integrity verification in affected versions. Notepad++ resolved the flaw in version 8.8.9 by enforcing digital signature validation of both the update manifest and installer, and the vulnerability has recently been added to the CISA KEV catalog.
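The fix described for 8.8.9, signature validation of both the manifest and the installer, is what turns a hijacked update channel from code execution into a refused update. The Go program below is an added illustration of that check, not Notepad++ or WinGUp code: the manifest layout, the field names, the example URL and the installer bytes are all constructed, and the Ed25519 key pair is generated on the fly to stand in for a publisher's pinned release key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a simplified update manifest (constructed; not WinGUp's real XML schema).
type Manifest struct {
	Version       string
	InstallerURL  string
	InstallerHash string // hex SHA-256 of the installer bytes
}

// canonical returns the bytes that get signed. The field order is fixed so the
// signature unambiguously covers every field, including the installer hash.
func canonical(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.InstallerURL + "\n" + m.InstallerHash)
}

// SignManifest is the publisher side: it signs the canonical form with the release key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifyUpdate is the client side. It refuses the update unless the manifest
// signature checks out under the pinned public key AND the downloaded installer
// hashes to the value in the signed manifest. A manifest served over a hijacked
// channel can carry any URL and hash, but it cannot carry a valid signature.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, installer []byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.InstallerHash {
		return errors.New("installer hash does not match signed manifest: refusing update")
	}
	return nil
}

// NewReleaseKey generates a throwaway Ed25519 key pair standing in for the
// publisher's key; a real client ships only the public half, pinned in the binary.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func hashOf(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func main() {
	pub, priv := NewReleaseKey()
	genuine := []byte("constructed genuine installer bytes")
	m := Manifest{"8.8.9", "https://updates.example.invalid/npp.exe", hashOf(genuine)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:   ", VerifyUpdate(pub, m, sig, genuine))

	// Attacker-controlled manifest pointing at a different installer: signature fails.
	evil := []byte("constructed attacker installer bytes")
	forged := Manifest{"8.8.9", "https://updates.example.invalid/npp.exe", hashOf(evil)}
	fmt.Println("forged manifest:  ", VerifyUpdate(pub, forged, sig, evil))

	// Authentic manifest but a swapped download: hash check fails.
	fmt.Println("swapped installer:", VerifyUpdate(pub, m, sig, evil))
}
```

Two design points matter here: the hash must live inside the signed manifest (a hash fetched over the same unauthenticated channel proves nothing), and the public key must be pinned in the client rather than fetched, otherwise an adversary who controls the channel simply serves their own key alongside their own manifest.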

CVE-2025-40536 - Security Control Bypass vulnerability in SolarWinds Web Help Desk

A Security Control Bypass vulnerability in SolarWinds Web Help Desk could allow an unauthenticated attacker to access restricted functionality by circumventing built-in request validation mechanisms. According to Horizon3.ai, the flaw enables bypass of CSRF protections and parameter whitelisting within the checkCsrfTokenWo() routine that processes WebObjects requests under the wo path. By injecting a crafted URI parameter containing “/ajax/”, an attacker can evade whitelist enforcement and invoke restricted parameters such as wopage, allowing unauthorized instantiation of WebObject components outside the intended application workflow. This weakness disrupts the platform’s stateful security model and can be chained with additional flaws, including deserialization issues, to achieve unauthenticated remote code execution. SolarWinds addressed the vulnerability in Web Help Desk version 2026.1, and the issue has been added to the CISA KEV catalog.  
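The bypass described above works because the exemption test looks for “/ajax/” in the wrong place. The Go program below is an added example, not SolarWinds code and not a reconstruction of checkCsrfTokenWo(): it models a hypothetical rule in which requests under /ajax/ are exempt from a parameter whitelist, and contrasts a check on the raw request string (the failure mode) with one that decides only from the parsed, cleaned path. The wopage parameter name comes from the text; the other paths and values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// restrictedParams are request parameters that must only be honoured on
// endpoints exempt from the whitelist check. "wopage" is the one named in the
// text; the exemption rule itself is a hypothetical model.
var restrictedParams = map[string]bool{"wopage": true}

// weakIsAjax mirrors the failure mode: it tests the raw request string, so any
// query value containing "/ajax/" satisfies it.
func weakIsAjax(rawURI string) bool {
	return strings.Contains(rawURI, "/ajax/")
}

// hardenedIsAjax parses the URI, cleans the decoded path and checks only that
// component. Query values and percent-encoded tricks never reach the decision,
// and "/ajax/../other" is resolved before the prefix test.
func hardenedIsAjax(rawURI string) (bool, error) {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return false, err
	}
	p := path.Clean("/" + u.Path)
	return p == "/ajax" || strings.HasPrefix(p, "/ajax/"), nil
}

// Allowed reports whether a request may carry restricted parameters under the
// supplied exemption rule. Requests without restricted parameters always pass.
func Allowed(rawURI string, exempt func(string) (bool, error)) (bool, error) {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return false, err
	}
	carriesRestricted := false
	for k := range u.Query() {
		if restrictedParams[strings.ToLower(k)] {
			carriesRestricted = true
		}
	}
	if !carriesRestricted {
		return true, nil
	}
	return exempt(rawURI)
}

func main() {
	weak := func(s string) (bool, error) { return weakIsAjax(s), nil }
	reqs := []string{
		"/ajax/data?wopage=List",           // genuinely under /ajax/
		"/wo/Page?wopage=Admin&cb=/ajax/x", // "/ajax/" appears only in a query value
		"/ajax/../wo/Page?wopage=Admin",    // traversal back out of /ajax/
	}
	for _, r := range reqs {
		w, _ := Allowed(r, weak)
		h, err := Allowed(r, hardenedIsAjax)
		fmt.Printf("%-36s weak=%v hardened=%v err=%v\n", r, w, h, err)
	}
}
```

The general lesson is that any access decision keyed on a URL must be made on the canonical path component after decoding and normalization; substring tests on the request line conflate path, query and fragment and are bypassable by construction.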

CVE-2024-7694 - Unrestricted Upload of File with Dangerous Type vulnerability in TeamT5 ThreatSonar Anti-Ransomware

An Unrestricted Upload of File with Dangerous Type vulnerability in TeamT5 ThreatSonar Anti-Ransomware stems from improper validation of uploaded file content, allowing remote attackers with administrative privileges on the platform to upload malicious files capable of executing arbitrary system commands on the underlying server. ThreatSonar Anti-Ransomware is an enterprise security solution developed by TeamT5 to detect and prevent ransomware through behavioral monitoring and threat intelligence integration, making it a high-impact target within organizational environments. According to TWcert, the input validation weakness introduces significant risk of server compromise and unauthorized control if exploited. The vulnerability has been addressed in version 3.5.0 and later, as well as through the Hotfix-20240715 patch, and has recently been added to the CISA KEV catalog.  

CVE-2024-43468 - SQL Injection vulnerability in Microsoft Configuration Manager

An SQL Injection vulnerability in Microsoft Configuration Manager allows an unauthenticated attacker to send specially crafted network requests that are improperly processed, enabling execution of arbitrary commands on the server and underlying database. Microsoft Configuration Manager (also known as MCM, ConfigMgr, or SCCM) is a centralized enterprise management platform used for software deployment, patching, operating system provisioning, and endpoint administration across large environments, making it a high-value target. According to Synacktiv, CVE-2024-43468 resides in the MP_Location service and exposes two unauthenticated injection vectors, getMachineID and getContentID, allowing arbitrary SQL execution with sysadmin-level privileges and potential abuse of procedures such as xp_cmdshell for remote code execution. Successful exploitation can result in full database access, data exfiltration, privilege escalation, and lateral movement. Microsoft addressed the issue in an October 2024 security update, and the vulnerability has recently been added to the CISA KEV catalog.

CVE-2021-22175 - Server-Side Request Forgery (SSRF) vulnerability in GitLab

A Server-Side Request Forgery (SSRF) vulnerability in GitLab affects all versions starting from 10.5 when requests to the internal network for webhooks are enabled, allowing an unauthenticated attacker to exploit the flaw even if user registration is disabled. The issue enables crafted requests to be relayed from the GitLab instance to internal network resources, potentially exposing sensitive services and data. Threat intelligence firm GreyNoise reported a coordinated surge in exploitation activity on March 9, 2025, observing at least 400 IP addresses actively targeting multiple SSRF vulnerabilities simultaneously with notable overlap in attack patterns. The vulnerability has recently been added to the CISA KEV catalog, highlighting confirmed in-the-wild exploitation.

CVE-2020-7796 - Server-Side Request Forgery vulnerability in Synacor Zimbra Collaboration Suite (ZCS)

A Server-Side Request Forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) arises when the WebEx zimlet is installed and its JSP component is enabled, allowing an unauthenticated attacker to force the server to send crafted HTTP requests to arbitrary remote hosts. According to GreyNoise, exploitation of this flaw enables interaction with internal services, potential bypass of network controls, and access to sensitive resources within the hosting environment. In March 2025, GreyNoise observed a coordinated surge in SSRF exploitation attempts across multiple platforms, identifying CVE-2020-7796 among the actively targeted vulnerabilities, although no public proof-of-concept details or specific threat actor attribution have been disclosed. The issue was remediated in Zimbra Collaboration Suite version 8.15 Patch 7 GA Release and has recently been added to the CISA KEV catalog.

CVE-2008-0015 - Remote Code Execution vulnerability in Microsoft Windows Video ActiveX Control

A Remote Code Execution vulnerability in Microsoft Windows Video ActiveX Control arises from a stack-based buffer overflow in the msvidctl.dll library, allowing attackers to execute arbitrary code by luring users to a specially crafted web page. Successful exploitation grants the same privileges as the logged-in user, and in Internet Explorer environments, code execution may occur without additional user interaction. According to Microsoft, exploitation activity detected as Exploit:JS/CVE-2008-0015 involved redirecting victims to remote servers to download additional malware, including the Dogkild worm, which propagates via removable drives. First disclosed prominently in July 2009, the issue was addressed through a Microsoft security advisory that provided mitigation guidance; however, its continued inclusion in the CISA KEV catalog underscores ongoing exploitation of legacy, unpatched systems such as Windows XP and Windows Server 2003.

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2025-7417 | Tenda O3V2 | High | Improper Restriction of Operations within the Bounds of a Memory Buffer in Tenda O3V2 | No | False |
| CVE-2025-7414 | Tenda O3V2 | High | OS Command Injection vulnerability in Tenda O3V2 | No | False |
| CVE-2025-4632 | Samsung MagicINFO 9 | Critical | Path Traversal vulnerability in Samsung MagicINFO 9 | Yes | True |
| CVE-2025-3248 | Langflow | Critical | Missing Authentication for Critical Function vulnerability in Langflow | Yes | True |
| CVE-2025-31324 | SAP NetWeaver | Critical | Unrestricted vulnerability in SAP NetWeaver | Yes | True |
| CVE-2025-26399 | SolarWinds Web Help Desk | Critical | Deserialization vulnerability in SolarWinds Web Help Desk | No | False |
| CVE-2025-10093 | D-Link DIR-852 | Medium | Information Disclosure vulnerability in D-Link DIR-852 | No | False |
| CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting CUPS browsed through 2.0.1 leads to remote code execution | Yes | False |
| CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leads to remote code execution | Yes | True |
| CVE-2024-3721 | TBK DVR devices | Medium | OS Command Injection vulnerability in TBK DVR-4104 and DVR-4216 | Yes | False |

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

UNC6201 exploited Dell RecoverPoint to deploy GRIMBOLT and pivot through virtualization layers

According to Google, a joint investigation with Mandiant revealed that the suspected PRC-nexus threat cluster UNC6201 has been exploiting CVE-2026-22769 in Dell RecoverPoint for Virtual Machines since at least mid-2024 to gain access to the virtualization layer and deploy advanced malware, including SLAYSTYLE, BRICKSTORM, and the newly identified GRIMBOLT backdoor. The group upgraded its toolkit in September 2025 by replacing BRICKSTORM with GRIMBOLT, a C#-based implant compiled using ahead-of-time (AOT) techniques to hinder static analysis and improve stealth. Post-compromise activity included creation of “Ghost NICs” on ESXi servers to pivot laterally across internal and SaaS environments, along with deployment of SLAYSTYLE to implement iptables-based Single Packet Authorization for covert persistence. This activity highlights UNC6201’s evolving tradecraft and strategic focus on virtualization infrastructure to establish long-term, stealthy control within targeted networks.

Lotus Blossom exploit campaign targeted Notepad++ infrastructure

The exploitation of CVE-2025-15556 has been attributed by Rapid7 to the China-linked state-sponsored threat actor Lotus Blossom (also known as Billbug, Bronze Elgin, G0030, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip), active since at least 2009. The campaign compromised the Notepad++ update pipeline between June and October 2025, selectively delivering a previously undocumented backdoor named Chrysalis through trojanized installers while leaving the source code untouched. By leveraging adversary-in-the-middle capabilities to dynamically fingerprint update requests, the actors diverted traffic only for strategically valuable targets, avoiding mass distribution and minimizing detection. Investigations describe the intrusion as a quiet, methodical intelligence-gathering operation characterized by long dwell times, restrained targeting, and abuse of trusted update mechanisms to maintain covert, high-value access.

Legacy Exploit Resurgence: CVE-2008-0015 and Dogkild Malware Activity

According to Microsoft, in 2009 the exploit identified as Exploit:JS/CVE-2008-0015 was observed triggering when users visited specially crafted web pages, which then connected to remote servers to download additional malware. Microsoft further reported instances where the exploit was used to retrieve and execute Dogkild, a worm capable of spreading through removable drives. Once deployed, Dogkild could download and run supplementary payloads, overwrite critical system files, and terminate numerous security-related processes. The worm also modified the Windows Hosts file to block access to security vendor websites, hindering remediation efforts.
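Hosts-file tampering of the kind Dogkild performs is cheap to check for on every endpoint: any entry that maps a domain the organization expects to reach (update servers, vendor portals) to a loopback or unspecified address deserves a look. The Go program below is an added example written for this post, not Microsoft tooling or a Dogkild sample; the hosts-file content and the vendor hostnames (all under .test) are constructed, and a real deployment would populate the watchlist from the vendors actually in use.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// sampleHosts is constructed content showing the tampering pattern described
// (vendor domains pinned to a sinkhole address). Domains are illustrative.
const sampleHosts = `# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # added by malware in this scenario
0.0.0.0         www.example-av.test
10.0.0.5        intranet.corp.test
`

// watchlist holds hostnames the organization expects to be reachable
// (constructed for this example; in practice derive it from vendor lists).
var watchlist = map[string]bool{
	"update.example-av.test": true,
	"www.example-av.test":    true,
	"www.example-virus.test": true, // a vendor host that is not in the file
}

// isSinkhole reports whether an address keeps traffic from ever leaving the host.
func isSinkhole(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && (ip.IsLoopback() || ip.IsUnspecified())
}

// Suspicious returns the watched hostnames that the hosts file redirects to a
// sinkhole, in file order. Comments are stripped and "localhost" is ignored
// because loopback entries for it are legitimate.
func Suspicious(hosts string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(hosts))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) < 2 || !isSinkhole(f[0]) {
			continue
		}
		for _, name := range f[1:] {
			name = strings.ToLower(name)
			if name == "localhost" {
				continue
			}
			if watchlist[name] {
				hits = append(hits, name)
			}
		}
	}
	return hits
}

func main() {
	for _, h := range Suspicious(sampleHosts) {
		fmt.Println("hosts file sinkholes watched domain:", h)
	}
}
```

Reading the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) into Suspicious is a one-line change; the check is also worth extending to report every non-localhost name pinned to a sinkhole, since ad-blocking lists aside, such entries are rare on managed endpoints.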

| CVE | Severity | Title | Patch | Abused By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2026-22769 | Critical | Use of Hard-coded Credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs) | Yes | UNC6201, SLAYSTYLE, GRIMBOLT, BRICKSTORM | False |
| CVE-2025-15556 | High | Download of Code Without Integrity Check vulnerability in Notepad++ | Yes | Lotus Blossom, Chrysalis | False |
| CVE-2008-0015 | High | Remote Code Execution vulnerability in Microsoft Windows Video ActiveX Control | Yes | Dogkild worm | False |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2026-2040 | Local Privilege Escalation | PDF-XChange Editor | Resource |
| CVE-2026-2048 | Remote Code Execution | GIMP | Resource |
| CVE-2026-2379 | Use-After-Free | Arista EOS | Resource |
| CVE-2026-23552 | Token Acceptance Bypass | Apache Camel | Resource |
| CVE-2026-26992 | Stored cross-site scripting (XSS) | LibreNMS | Resource |

Notable threat activity observed this week

An overview of recently observed campaigns and tactics that reflect how threat actors are adapting tools, platforms, and social engineering methods.

  • Security researchers have uncovered ZeroDayRAT, a commercially advertised cross-platform mobile spyware sold on Telegram that targets Android and iOS devices to enable real-time surveillance, credential theft, OTP interception, financial fraud, and remote camera/microphone access through a self-hosted control panel. The malware supports broad OS versions, uses social engineering and fake marketplaces for distribution, and includes wallet and banking stealers capable of clipboard hijacking and transaction rerouting. Its emergence coincides with a surge in Android malware campaigns leveraging phishing, fake updates, NFC relay attacks, enterprise provisioning abuse, and app store infiltration to deliver RATs, banking trojans, and spyware. Collectively, these operations reflect a rapidly expanding mobile threat ecosystem where advanced surveillance and financial exploitation capabilities are increasingly commoditized and widely accessible.
  • Citizen Lab research indicates that Kenyan authorities likely used Cellebrite forensic extraction tools to access the Samsung phone of pro-democracy activist Boniface Mwangi while it was in police custody in July 2025, potentially enabling full data extraction. Similar patterns were previously documented in Jordan, where seized devices of activists and human rights defenders were reportedly subjected to forensic extraction between late 2023 and mid-2025. The findings add to mounting evidence of government misuse of commercial digital forensics technology against civil society actors. The cases also highlight broader concerns around the deployment of surveillance tools alongside mercenary spyware ecosystems such as Pegasus and Predator.
  • Amnesty International confirmed that the iPhone of Angolan journalist Teixeira Cândido was successfully infected with Intellexa’s Predator spyware in May 2024 after a malicious WhatsApp link was opened, marking the first forensically verified Predator case targeting civil society in Angola. The device, running outdated iOS 16.2, was compromised briefly before removal upon reboot, followed by multiple failed reinfection attempts. Analysis shows Predator is engineered for long-term, modular surveillance, offering operators real-time control and incorporating advanced anti-analysis and anti-forensics mechanisms. The findings underscore the spyware’s technical sophistication and the continued targeting of journalists and activists through commercial surveillance platforms.

Conclusion

The convergence of zero-day exploitation, supply-chain compromise, and deep virtualization-layer targeting highlights a threat environment driven by persistence, precision, and long-term strategic intent. As adversaries increasingly weaponize both legacy and newly disclosed vulnerabilities, reactive patching alone is no longer sufficient. Organizations must adopt continuous vulnerability intelligence, proactive monitoring, and faster remediation cycles to reduce exposure windows. Platforms like Loginsoft Vulnerability Intelligence (LOVI) empower security teams with timely insights and prioritized threat context to stay ahead of evolving exploitation campaigns.

FAQs:

1) What makes the Dell RecoverPoint vulnerability particularly concerning?

CVE-2026-22769 affects the virtualization layer in Dell RecoverPoint for Virtual Machines. According to Google and Mandiant, the PRC-linked cluster UNC6201 exploited this flaw to deploy advanced malware like SLAYSTYLE, BRICKSTORM, and GRIMBOLT. Virtualization-layer access provides attackers deep infrastructure control and long-term persistence.

2) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

3) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

4) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
