So far, 2026 is off to a raucous start. With so much activity in the software vulnerability landscape it’s easy to understand the concerns of global executives discussed in Part 1 of the January 2026 Threat Report. This volatility also highlights the value of Greenbone’s industry-leading detection coverage. In Part 2 of the January 2026 Threat Report we cover more critical vulnerabilities exposed in the first month of 2026.

Defenders need to scan widely and scan often to detect new threats in their infrastructure and prioritize mitigation efforts based on the potential impact to business operations, privacy regulations, and other compliance responsibilities. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.


CVE-2025-69258: Trend Micro Apex Central Allows Unauthenticated RCE as SYSTEM

CVE-2025-69258 (CVSS 9.8) affecting Trend Micro Apex Central on-premises for Windows can allow unauthenticated RCE with SYSTEM-level privileges. Two additional CVEs, CVE-2025-69259 and CVE-2025-69260 (both CVSS 7.5) published at the same time allow denial of service (DoS) conditions. The root cause of CVE-2025-69258 is a buffer overflow [CWE-120] due to unsafe LoadLibraryEx usage and improper message handling. The bug leads to DLL injection, NULL handling flaws, and out-of-bounds reads.

Apex Central is a centralized management system for administering and monitoring Trend Micro security products across an organization, making it a prime target for attackers. On-premises Windows builds below 7190 are vulnerable. Apex Central does not include an automatic update mechanism for itself; administrators must manually install patches and upgrades. The vendor’s security advisory describes prerequisite software (such as Service Packs) that may need to be installed before the Critical Patch Build 7190 can be installed.

The CVEs are not confirmed as actively exploited, but full technical details and proof-of-concept exploits have been published for all three CVEs, significantly increasing their risk. Greenbone’s OPENVAS ENTERPRISE FEED includes a local registry check to detect all aforementioned CVEs.

Two New Actively Exploited Ivanti EPMM Flaws

Update (February 11, 2026)

Active exploitation of CVE-2026-1281 and CVE-2026-1340 has resulted in confirmed government breaches across Europe. The Dutch Data Protection Authority and the Council for the Judiciary disclosed compromises, and the European Commission’s central mobile infrastructure was compromised [1][2][3][4]. Shadowserver has identified at least 86 compromised EPMM instances based on exploitation artifacts and many vulnerable instances remain online. Researchers assess that multiple threat actors are involved.

Numerous national cyber agencies have issued alerts for the CVEs and for their ongoing exploitation [1][2][3][4][5][6][7][8][9][10][11]. Ivanti has faced sustained scrutiny over its product security record, with CISA adding more than 30 Ivanti vulnerabilities to its KEV list, many covered on our blog. Greenbone includes numerous vulnerability tests addressing Ivanti security flaws, allowing users to identify known vulnerabilities and secure their IT infrastructure.

Two new flaws affecting Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8), were published on January 29th, 2026, and CVE-2026-1281 was added to CISA’s KEV list that same day. Both CVEs allow unauthenticated RCE via code injection due to improper control of generated code [CWE-94]. Both are caused by pre-authentication Apache RewriteMap integrations that pass attacker-controlled HTTP parameters into a Bash script that allows command substitution and remote shell command execution.

Once an EPMM device has been compromised, attackers may deploy backdoors [TA0011], seek lateral movement [TA0008] within the victim’s network or steal sensitive information [T1005] stored on the EPMM appliance. This may include administrator credentials [TA0006] and mobile device data including GPS location [T1430] and IMEI values [T1426]. Exploitation also allows configuration tampering [T1562] via the API or web console [T1102].

A detailed technical analysis has been released by watchTowr Labs, but push-button exploit kits are not publicly available. Furthermore, exploitation has not yet been linked to ransomware operations. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner version check to identify affected instances. Both vulnerabilities affect on-prem instances of Ivanti EPMM. See Ivanti’s official advisory and analysis guidance for more specific information about affected versions, steps for installing the patches, and known indicators of compromise (IoC). Ivanti advises that simply installing the patch is not sufficient mitigation. Users should also hunt for IoC and initiate incident response processes followed by a full system rebuild if found.

CVE-2025-34026: Versa Concerto Actively Exploited

CVE-2025-34026 (CVSS 7.6, EPSS ≥ 98th pctl), published on May 21st, 2025, was added to CISA’s KEV list on January 22nd, 2026. The flaw allows authentication bypass leading to access to administrative endpoints in the Versa Concerto SD-WAN orchestration platform. The root cause is improper request handling in the exposed Traefik reverse proxy and Spring Boot Actuator endpoint. Exploitation enables access to heap dumps and trace logs that may contain plaintext credentials and session tokens.

Other Concerto vulnerabilities, CVE-2025-34027 (CVSS 10, EPSS ≥ 87th pctl) and CVE-2025-34025 (CVSS 8.6) can also lead to full system compromise, but reports of their active exploitation have not emerged. Both additional CVEs were also published on May 21st, 2025. Although a full technical analysis is available, public PoC exploits are not.

The OPENVAS ENTERPRISE FEED has included an active check for CVE-2025-34026 and another for CVE-2025-34027 since May 2025, giving defenders early notice to take defensive measures. These checks send specially crafted HTTP requests to identify vulnerable instances. The flaw was patched in Concerto version 12.2.1 GA released on April 16, 2025. Users should apply updates with urgency.

Ni8Mare and Steady Stream of Critical n8n CVEs Since Late 2025

Update (February 5, 2026)

A new critical severity flaw affecting n8n was uncovered in early February 2026. CVE-2026-25049 (CVSS 9.9, EPSS ≥ 7th pctl) allows an authenticated user with permissions to create or modify workflows to exploit crafted expressions in workflow parameters. The vulnerability is due to improper control of dynamically-managed code resources [CWE-913]. Exploitation could trigger malicious command execution on the host. n8n versions prior to 1.123.17 and 2.5.2 are affected.

Several technical descriptions and PoC exploits are available for CVE-2026-25049 [1][2][3], increasing the risk of malicious exploitation, and several national CERT alerts have been issued [4][5][6][7]. Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner detection for CVE-2026-25049. The issue is patched in versions 1.123.17 and 2.5.2. Users should update to a patched version as soon as possible. More information is available from the vendor’s security advisory.

CVE-2026-21858 (aka Ni8Mare, CVSS 10, EPSS ≥ 90th pctl) is the most critical among a steady stream of critical n8n vulnerabilities that have surfaced since late 2025, affecting versions 1.x for both self-hosted and n8n Cloud instances. CVE-2026-21858 can be triggered remotely without authentication and allows full workflow-automation platform takeover. Multiple technical analyses are available for CVE-2026-21858 [1][2].

n8n is an open-source, fair-code workflow automation platform that enables users to visually connect applications, APIs, and services into automated processes. n8n’s workflow repository includes over 7,800 published workflows indicating the application is widely used.

Other critical and high-severity flaws disclosed in n8n versions 0.x and 1.x since late 2025 include:

  • CVE-2026-21877 (CVSS 9.9, EPSS ≥ 94th pctl): An authenticated attacker may upload a malicious file type [CWE-434] to the n8n instance that allows RCE, potentially resulting in full system compromise. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading is recommended. This issue is fixed in version 1.121.3 and more information is available from the vendor’s security advisory.
  • CVE-2025-68668 (CVSS 9.9, EPSS ≥ 13th pctl): A sandbox bypass vulnerability [CWE-693] in the Python Code node that uses Pyodide. An authenticated user with permissions to create or modify workflows can execute arbitrary commands on the host with n8n process privileges. Workarounds include: disabling the Code node entirely, disabling Python support in the Code node, and configuring n8n to use the task runner Python sandbox. A full root-cause analysis is available for CVE-2025-68668, increasing the risk. The issue is fixed in version 2.0.0, and more information is available in the vendor’s security advisory.
  • CVE-2025-68613 (CVSS 8.8, EPSS ≥ 99th pctl): An RCE flaw in the n8n workflow expression evaluation system that allows expressions supplied by authenticated users to be evaluated in an unsandboxed execution environment [CWE-913] under certain conditions. An authenticated user could achieve RCE with n8n process privileges. Multiple PoC exploits [3][4][5] and a Metasploit module are available for CVE-2025-68613, increasing the risk. This issue is fixed in versions 1.120.4, 1.121.1, and 1.122.0, and more information is available in the vendor’s security advisory.
  • CVE-2025-65964 (CVSS 8.8, EPSS ≥ 5th pctl): The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook. This could allow arbitrary command execution on the n8n host during Git operations. A full technical description and exploit chain is available. Exploitation requires n8n workflow privileges using the Git node. Workarounds include excluding the Git node and avoiding cloning or interacting with untrusted repositories using the Git node. This issue is fixed in version 1.119.2 and more information is available in the vendor’s security advisory.

Multiple CERT advisories have been issued globally addressing one or more of the aforementioned CVEs [6][7][8][9][10][11][12][13][14]. Active attack campaigns leveraging these CVEs have not been disclosed. The OPENVAS ENTERPRISE FEED includes multiple remote banner version checks to detect all the aforementioned vulnerabilities [15][16][17][18][19] as well as detection for many other CVEs affecting n8n.

n8n version 2.0 was released in December 2025 and is not affected by the aforementioned CVEs. n8n versions 0.x and 1.x users should identify the most recent fully patched version and update as soon as possible.
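A remote banner version check has to reason about release branches rather than compare two strings, because several of the n8n fixes above landed in more than one branch at once. The following is an added Python example (not Greenbone’s own vulnerability-test code) that applies the fix versions listed in this section to constructed version banners; the decision rules and function names are assumptions of the example.

```python
"""Branch-aware 'fixed version' comparison for banner version checks.

Added example (not Greenbone's vulnerability-test code) showing the
logic a remote banner version check needs when a CVE is fixed in
several release branches at once, as with the n8n fixes listed above.
Fix lists are taken from the advisories summarised on this page; the
sample banners are constructed.
"""
from __future__ import annotations

import re

# CVE -> versions in which the issue is fixed (from the page text).
N8N_FIXES: dict[str, list[str]] = {
    "CVE-2026-25049": ["1.123.17", "2.5.2"],
    "CVE-2026-21877": ["1.121.3"],
    "CVE-2025-68668": ["2.0.0"],
    "CVE-2025-68613": ["1.120.4", "1.121.1", "1.122.0"],
    "CVE-2025-65964": ["1.119.2"],
}

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.120.4' or 'v1.120.4' into a comparable tuple of ints."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: list[str]) -> bool:
    """Decide whether `installed` predates the fix in its own release line.

    Rules (assumed for this example):
      1. If a fix exists in the same major.minor branch, the install is
         vulnerable iff it is older than that fix (1.120.3 < 1.120.4).
      2. Otherwise, within the same major line, anything below the lowest
         fix is vulnerable (1.119.x vs fixes 1.120.4/1.121.1/1.122.0) and
         anything above it is a later branch that already carries the fix
         (1.123.x).
      3. With no fix in the same major line, fall back to the lowest fix
         overall (0.x is older than every 1.x fix; 3.x is newer).
    """
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed)
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    same_major = [f for f in fixes if f[0] == v[0]]
    if same_major:
        return v < same_major[0]
    return v < fixes[0]


def affected_cves(banner: str, fixes: dict[str, list[str]] = N8N_FIXES) -> list[str]:
    """Map a version banner such as 'n8n 1.120.3' to the CVEs it is open to."""
    m = re.search(r"(\d+\.\d+\.\d+)", banner)
    if not m:
        return []
    return sorted(cve for cve, fix in fixes.items()
                  if is_vulnerable(m.group(1), fix))


if __name__ == "__main__":
    # Constructed banners covering both release lines.
    for banner in ("n8n 1.120.3", "n8n 1.121.1", "n8n 2.0.0", "n8n 2.5.2"):
        print(banner, "->", affected_cves(banner) or "none")
```

The same branch logic applies to any product patched across several maintained branches at once, such as the OpenSSL fixes discussed later in this report.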

CVE-2025-15467: Critical Flaw Affecting OpenSSL 3

CVE-2025-15467 (CVSS 9.8, EPSS ≥ 71st pctl) is the most critical among twelve new vulnerabilities affecting the widely used OpenSSL toolkit. The flaw is exploited by passing a malicious Cryptographic Message Syntax (CMS) [RFC5652] AuthEnvelopedData message [RFC5083] using an Authenticated Encryption with Associated Data (AEAD) cipher (e.g., AES-GCM) to inject an oversized ASN.1-encoded initialization vector (IV). OpenSSL copies the oversized IV into a fixed-size stack buffer without length checks [CWE-787]. The result is a pre-authentication stack overflow that allows arbitrary RCE and DoS.
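The length check whose absence the paragraph describes, written out as added example code rather than OpenSSL’s source: a DER OCTET STRING parser that bounds an AEAD IV to a fixed-size buffer before copying and rejects oversized, truncated and indefinite-length encodings. The 16-byte buffer size and the function names are assumptions of the example.

```python
"""Bounds-checked parsing of an AEAD IV carried as a DER OCTET STRING.

Added illustration of the CWE-787 pattern described above: a parser that
copies an ASN.1-encoded IV into a fixed-size buffer must compare the
encoded length against the buffer *before* copying. This is constructed
example code, not OpenSSL's implementation; the 16-byte limit mirrors a
typical fixed IV buffer and is an assumption.
"""
from __future__ import annotations

OCTET_STRING_TAG = 0x04
MAX_IV_LEN = 16          # assumed size of the fixed destination buffer


class MalformedIV(ValueError):
    """Raised when the IV encoding is malformed or exceeds the buffer."""


def _read_der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, next_pos).

    Rejects the indefinite form (0x80), length fields that run past the
    input or are unreasonably wide, and non-minimal long-form encodings.
    """
    if pos >= len(buf):
        raise MalformedIV("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    if first == 0x80:
        raise MalformedIV("indefinite length not allowed in DER")
    n = first & 0x7F                      # long form: n following octets
    if n > 4 or pos + n > len(buf):
        raise MalformedIV("length field truncated or unreasonably wide")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80 or (n > 1 and buf[pos] == 0):
        raise MalformedIV("non-minimal long-form length")
    return length, pos + n


def parse_aead_iv(der: bytes, max_len: int = MAX_IV_LEN) -> bytes:
    """Return the IV octets from a DER OCTET STRING, enforcing max_len.

    The length comparison happens before any bytes are copied out; that
    is the check whose absence turns an oversized IV into a stack overflow.
    """
    if not der or der[0] != OCTET_STRING_TAG:
        raise MalformedIV("expected OCTET STRING tag")
    length, pos = _read_der_length(der, 1)
    if length > max_len:
        raise MalformedIV(f"IV length {length} exceeds buffer of {max_len}")
    if pos + length != len(der):
        raise MalformedIV("IV content length does not match encoding")
    iv = bytearray(max_len)               # the fixed-size destination buffer
    iv[:length] = der[pos:pos + length]   # safe: length <= max_len checked above
    return bytes(iv[:length])


def encode_octet_string(payload: bytes) -> bytes:
    """DER-encode payload as an OCTET STRING (used to build the inputs below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([OCTET_STRING_TAG, n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([OCTET_STRING_TAG, 0x80 | len(len_bytes)]) + len_bytes + payload


def classify(der: bytes) -> str:
    """Label an input: 'ok', or the reason it was rejected."""
    try:
        parse_aead_iv(der)
        return "ok"
    except MalformedIV as exc:
        return str(exc)


# Constructed inputs: a normal 12-byte AES-GCM nonce, an IV far larger than
# the buffer (long-form length 0x82 0x01 0x2c), and a truncated encoding.
GOOD_NONCE = encode_octet_string(bytes(range(12)))
OVERSIZED_IV = encode_octet_string(b"A" * 300)
TRUNCATED = GOOD_NONCE[:-3]

if __name__ == "__main__":
    for name, blob in (("good", GOOD_NONCE), ("oversized", OVERSIZED_IV),
                       ("truncated", TRUNCATED)):
        print(f"{name:10s} -> {classify(blob)}")
```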

CVE-2025-15467 does not affect day-to-day SSL/TLS operations since TLS uses the X.509 certificate standard [RFC5280]. However, email clients or plugins that support S/MIME AuthEnvelopedData from untrusted inbound mail are one example of a potential attack chain. A full technical description is available for CVE-2025-15467 increasing the risk of exploit kit development. Multiple national CERT alerts have been issued globally for CVE-2025-15467 [1][2][3][4][5][6].

The twelve CVEs, disclosed by security researcher Stanislav Fort, were reportedly discovered via AI-based software analysis. This achievement comes at a time when other software maintainers and security researchers assert that AI-submitted bug reports (dubbed “AI-slop”) are effectively disrupting their bug tracking operations [7][8][9][10] and in some cases, AI-generated CVE reports are not valid bugs to begin with.

The OPENVAS ENTERPRISE FEED includes multiple detection tests for various Linux distros and Windows installations of OpenSSL for CVE-2025-15467 and eleven other recently disclosed CVEs. All twelve of the CVEs affect OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6.0 (released on October 1, 2025) and are fixed in versions 3.0.19, 3.3.6, 3.4.4, 3.5.5, and 3.6.1.

Hypervisor Risk Remains Elevated in Early 2026

2025’s final threat report described a reported increase in cyber attacks targeting hypervisor platforms in late 2025. This trend is poised to continue into 2026. In January, several high-risk vulnerabilities were published for popular virtualization platforms. Due to the critical role of hypervisors in securely isolating critical workloads in enterprise network infrastructure, patches should be considered a top priority.

CVE-2024-37079: Active Campaigns Targeting VMware Hypervisors

In the December 2025 Threat Report, we discussed a new intelligence report from Huntress describing a sharp spike in cyber attacks against hypervisors. The attacks targeted VMware ESXi, Workstation, and Fusion, leveraging CVE-2025-22224 (CVSS 8.2), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 6.0) by executing code as the VMX process, escaping the VMX sandbox, and leaking memory from the VMX process, respectively. Greenbone includes a variety of checks for detecting these actively exploited CVEs [1][2][3][4].

In January 2026, CVE-2024-37079 (CVSS 9.8), affecting VMware vCenter Server versions 7 and 8, was added to CISA’s KEV list. The vulnerability, published in mid-2024, allows an unauthenticated attacker to achieve RCE by exploiting a heap overflow to trigger an out-of-bounds memory write [CWE-787]. CVE-2024-37080 (CVSS 9.8) was published at the same time, but has not been observed in active attacks. Both CVEs are flaws in vCenter’s DCERPC (Distributed Computing Environment Remote Procedure Call) protocol implementation. DCERPC is a core protocol for invoking procedures on remote systems.

Oracle Fixes 11 High Severity VirtualBox Flaws in 2026’s First Patch Release

Oracle’s January 2026 security patch release included eleven high-severity CVEs affecting VirtualBox versions 7.1.14 (released October 10th, 2025) and version 7.2.4 (released October 21, 2025). Most of the vulnerabilities require local access. The high-severity disclosures include:

  • CVE-2026-21955 (CVSS 8.2): a high-severity vulnerability found in the core component of Oracle VirtualBox. The flaw allows a privileged, local attacker to compromise the virtualization software, with potential for full VirtualBox system takeover and unauthorized access to critical data.
  • CVE-2026-21956 (CVSS 8.2): a flaw in the core component of Oracle VirtualBox that allows a privileged attacker with logon privileges to compromise the integrity of VirtualBox and significantly impact additional products.

The new batch of VirtualBox flaws are not considered actively exploited and no public PoC exploits are available. Multiple national CERT advisories have been issued globally for Oracle’s latest security update [1][2][3][4][5]. Greenbone’s OPENVAS ENTERPRISE FEED detects all newly disclosed VirtualBox flaws across Windows, Linux, and macOS environments [5][6][7]. Users should update their VirtualBox instance to a patched version as soon as possible.

Other Notable High-Risk CVEs From January 2026

Here is a quick snapshot of other high-risk CVEs published in January 2026:

  • BIND9 Denial of Service (CVE-2025-13878, CVSS 7.5): Allows unauthenticated remote attackers to cause DoS in ISC BIND 9. There are no reports of active exploitation or public PoC exploits. The issue impacts both authoritative servers and resolvers, and is fixed in BIND 9.18.44, 9.20.18, and 9.21.17 [1]. The OPENVAS ENTERPRISE FEED provides package-level detection across a wide array of Linux distributions and a remote banner check for Windows.
  • Critical-Severity GitLab Vulnerability Plus More (CVE-2025-13761, CVSS 9.6): GitLab has released security updates 7.1, 18.6.3, and 18.5.5 to patch multiple vulnerabilities in self-managed instances. The update cycle included critical-severity stored and reflected XSS that could enable arbitrary JavaScript execution in users’ browsers. Collectively the issues could impact integrity, confidentiality, and availability across most deployment types. Administrators should upgrade immediately and pay close attention to GitLab’s fast-moving patch cycle. The OPENVAS ENTERPRISE FEED includes detection for all CVEs in the batch.
  • Multiple Critical CVEs Affecting CoolLabs Coolify: Eleven new vulnerabilities affecting CoolLabs Coolify were released as a group in early January, 2026. Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. The project’s GitHub repository shows ~50.5k stars, ~3.6k forks, and 575 contributors, signaling an active presence. More details are available on the product’s GitHub security page. The OPENVAS ENTERPRISE FEED provides detection for all eleven CVEs in the release.
  • Unauthenticated RCE in telnetd (CVE-2026-24061, CVSS 9.8): The telnet remote access application has been considered a critical security risk for decades. It does not provide encryption for data in transit, making adversary-in-the-middle (AiTM) attacks [T1157] trivial. However, CVE-2026-24061 uncovers an even more severe risk that goes back to version 1.9.3, released May 2015. CVE-2026-24061 is an authentication bypass in GNU InetUtils telnetd, allowing attackers without credentials to gain root user access remotely. Multiple descriptions [1][2] and PoC are available [3][4][5] and numerous CERT advisories have been issued globally [6][7][8][9][10]. For users who require legacy support from the telnet service, patches have been issued. Otherwise users should ensure the service is uninstalled since it can also be exploited locally for privilege escalation. The OPENVAS ENTERPRISE FEED provides a set of package version checks for Linux and an active check effective for all operating systems [11].

Summary

With so much activity in the software vulnerability landscape, it’s easy to understand the concerns of global executives discussed in Part 1 of the January 2026 Threat Report. This volatility also highlights the value of Greenbone’s industry-leading detection coverage. January 2026 was so hectic, it deserved two threat reports. In Part 2 of the January 2026 Threat Report we reviewed another cluster of emerging high-risk software vulnerabilities. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.

So far, 2026 is off to a raucous start. The number of critical severity vulnerabilities impacting widely deployed software is staggering. Defenders need to scan widely and scan often to detect new threats in their infrastructure and prioritize mitigation efforts based on the potential impact to business operations, privacy regulations, and other compliance responsibilities. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.


This month, the World Economic Forum’s report Global Cybersecurity Outlook 2026 was released. The annual report surveys the top concerns of global cyber security and business leaders. This edition reported that 58% of surveyed executives perceive increased risk of exploitation via software vulnerabilities in 2026. Fraud, ransomware, and supply chain disruptions were ranked as the top impact concerns, while AI, phishing, and software vulnerabilities were considered the most concerning attack vectors. Respondents who considered their organizations to have high cyber resilience ranked exploitation of software vulnerabilities as the second most concerning threat, while medium and insufficient-resilience organizations ranked it third.

Figure 1: Evolving cyber risk concerns for CEOs and CISOs between 2025 and 2026. (Source: WEF Global Cybersecurity Outlook 2026)

Figure 2: Top cyber risk concerns by cyber resilience level. (Source: WEF Global Cybersecurity Outlook 2026)

The survey included 873 participants from 99 countries, including C-suite executives, academics, civil society, and public-sector cybersecurity leaders. With these sentiments for 2026 in mind, let’s review some of the most high-risk software vulnerabilities from January.

High Alert: Max-Severity HPE OneView Actively Exploited

CVE-2025-37164 (CVSS 9.8, EPSS ≥ 99th pctl) was published in mid-December 2025 and added to CISA’s Known Exploited Vulnerabilities (KEV) list in early 2026. The flaw allows an attacker to gain unauthenticated remote code execution (RCE) on HPE OneView prior to version 11.00 and HPE Synergy Composer appliances that expose OneView. CVE-2025-37164 is classified as a Code Injection flaw [CWE-94]. The root cause is an unauthenticated REST API endpoint, /rest/id-pools/executeCommand, which executes submitted commands with high-level privileges.

HPE OneView is a platform for centralized management of HPE data center infrastructure. Therefore, exploitation can provide attackers with control over network infrastructure, device firmware, and lifecycle management. Full technical details and several proof-of-concept (PoC) exploits exist [1][2][3], increasing the risk. Numerous national CERT alerts have been issued globally [4][5][6][7][8][9][10][11]. Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner detection for defenders to identify affected systems. Users should apply the security hotfix for HPE OneView versions 5.20 through 10.20 with urgency.

Critical Cisco Unified CM Flaw Actively Exploited

CVE-2026-20045 (CVSS 9.8, EPSS ≥ 75th pctl) is an unauthenticated RCE flaw affecting multiple Cisco products including Unified Communications Manager (CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence Service, Cisco Unity Connection, and Webex Calling Dedicated Instance. The root cause is improper validation of user-supplied HTTP input [CWE-20] leading to code injection [CWE-94]. Successful exploitation grants user-level access followed by privilege escalation to root, resulting in full system takeover.

Cisco considers the flaw actively exploited, and it has been added to CISA KEV. Mass scanning activity has also been reported. No PoC exploit is publicly available, but Cisco networking devices are often targeted in high-profile hacks [1][2]. Multiple national CERT alerts have been issued globally [3][4][5][6][7][8][9][10][11].

Greenbone’s OPENVAS ENTERPRISE FEED includes separate vulnerability tests for Unified CM [12] and Unified CM IM&P [13]. No workarounds can mitigate this flaw. Users should upgrade to a fixed software release or apply a patch. See the vendor’s security advisory for more information.

Microsoft: Newly Exploited and Critical Out-of-Band Updates

Microsoft’s January 2026 patch release published 124 CVEs, eight classified as “Exploitation More Likely”. Two of the new CVEs were quickly tagged as actively exploited and added to CISA KEV [1][2]. Microsoft also released out-of-band (OOB) security patches for Windows 11 and Windows Server [3][4]. Greenbone’s OPENVAS ENTERPRISE FEED regularly publishes detection tests for CVEs in Microsoft’s monthly patch cycle and out-of-band security updates [5].

New high-risk CVEs affecting Microsoft products include:

  • CVE-2026-20805 (CVSS 5.5): A flaw in Microsoft Windows Desktop Window Manager that allows an authorized attacker to leak sensitive memory information [CWE-200]. The root cause is exposure of user-mode memory addresses via Advanced Local Procedure Call (ALPC). The flaw enables leakage of small but security-relevant memory fragments that can be chained with other vulnerabilities to bypass protections such as ASLR. Exploitation may allow full system compromise. CISA has added the flaw to its KEV list. However, no public PoC or ransomware activity have been reported. Microsoft distributed a fix for CVE-2026-20805 in its January 2026 cumulative updates.
  • CVE-2026-21509 (CVSS 7.8): An unauthorized local attacker can bypass Microsoft Office security features by exploiting reliance on untrusted inputs [CWE-807]. The flaw impacts Microsoft 365 and Microsoft Office 2016, 2019, and 2021. CISA has added the flaw to its KEV list but no public PoC is available. CVE-2026-21509 can be mitigated by installing the emergency patch or implementing registry-based controls [5][6].
  • CVE-2026-20952 and CVE-2026-20953 (both CVSS 8.4): Both flaws enable RCE via social engineering attacks leveraging trojanized Office documents. Exploitation does not require the target to open a malicious file; the flaw can be triggered via the Preview Pane. These CVEs are not reported as actively exploited and no public PoC exploits are yet available. Patches are available in Microsoft’s January 2026 cumulative updates.

Adobe ColdFusion Requires Critical Patches Amidst Active Attack Campaigns

Adobe has patched a critical RCE flaw in ColdFusion versions 2025 and 2023 introduced by dependency on Apache Tika’s CVE-2025-66516 (CVSS 9.8, EPSS ≥ 88th pctl). The flaw in Apache Tika was published in December 2025. Greenbone includes a remote banner check for affected ColdFusion products as well as detection for other enterprise software products affected by CVE-2025-66516. The OPENVAS ENTERPRISE FEED also includes detection for all ColdFusion CVEs published in Adobe’s December 2025 patch release. Greenbone’s ENTERPRISE FEED also includes detection for 10 ColdFusion CVEs included in a new exploitation campaign that occurred over the holidays [1][2][3][4][5][6][7][8][9][10][11]. The reported mass exploitation event targeted ColdFusion and other enterprise software applications.

CVE-2025-68645: Zimbra Collaboration Suite (ZCS) Actively Exploited Again

CVE-2025-68645 (CVSS 8.8, EPSS ≥ 96th pctl) impacting Zimbra Collaboration Suite (ZCS), published in late December 2025, is now considered actively exploited by CISA. The flaw allows unauthenticated remote attackers to perform local file inclusion against ZCS 10.0 and 10.1. The root cause is improper request parameter handling in the RestFilter servlet of the Webmail Classic UI. This allows arbitrary files to be uploaded into the WebRoot directory such as web shells, potentially resulting in arbitrary RCE.

CVE-2025-68645 is being used in targeted, reconnaissance-driven attack campaigns. A public PoC can be found via Google search, but seems to have been removed from GitHub. ZCS has an extensive history of exploitation, often in ransomware attacks.

Greenbone’s OPENVAS ENTERPRISE FEED has included remote banner checks [1][2] since before the disclosure of CVE-2025-68645, and now includes an active check for affected ZCS installations. Known affected versions include Zimbra Collaboration Suite 10.0.0 through 10.0.17 and 10.1.0 through 10.1.12, with the issue resolved in versions 10.0.18 and 10.1.13, released in early November 2025. Users who have not patched should do so immediately.

Gogs Self-Hosted Git Server Targeted in Mass Exploitation Attacks

CVE-2025-8110 (CVSS 8.8, EPSS ≥ 96th pctl) is a path traversal flaw [CWE-22] that allows authenticated attackers to achieve RCE against the Gogs self-hosted Git service. The root cause is improper symbolic link handling in the PutContents file update API which can be leveraged to overwrite arbitrary files outside the targeted repository. CVE-2025-8110 is considered a bypass of CVE-2024-55947 (CVSS 8.8) and requires only low-level permissions to create a repository for exploitation. Gogs does not need to be internet-facing for exploitation. Malicious insiders with access to Gogs instances hosted on a local network also represent a significant threat.

CVE-2025-8110 is being actively exploited in automated mass exploitation campaigns and has a full technical description and public PoC exploit kit. Historically, Gogs has a very high rate of exploit development for published CVEs. CVE-2025-8110’s timeline for disclosure and mitigation includes 6 months of active exploitation while patches remained unavailable. Exploitation was first observed in mid-2025, and the vulnerability was responsibly disclosed to maintainers on July 17, 2025. The CVE was only later published on December 10th, 2025, while still unpatched. Inspection of the Gogs releases indicates patches became available on January 23, 2026 in Gogs v0.13.4. The OPENVAS ENTERPRISE FEED has included remote banner detection for vulnerable instances since initial publication.

Fortinet Exploited Again: New FortiCloud SSO Admin Authentication Bypass

CVE-2026-24858 (CVSS 9.8) is a new actively exploited flaw affecting FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb when FortiCloud SSO is enabled. The flaw allows a FortiCloud-authenticated attacker to gain unauthorized administrative access to other tenants’ Fortinet devices. The root cause is an improper authentication flow [CWE-288] when FortiCloud SSO is used.

Early exploitation of CVE-2026-24858 was initially mistaken for a recurrence of the December 2025 FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 (both CVSS 9.8) due to the similar attack patterns. CVE-2026-24858 has no publicly released proof-of-concept exploits, and has not been associated with ransomware attacks. However, attackers have been observed downloading full device configuration files [T1005] and creating persistent super_admin local accounts [T1136.001].

Numerous national CERT alerts have been issued globally [1][2][3][4][5][6][7][8][9][10]. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-24858 for many Fortinet products [11][12][13][14]. Updates are not yet available for all affected products. Users should seek updated guidance from Fortinet’s official advisory. According to the advisory, Fortinet has disabled FortiCloud SSO authentication for vulnerable devices as a mitigation and posted indicators of compromise (IoC) observed in attacks.

New High-Risk CVEs in SolarWinds Web Help Desk (WHD)

Update (February 11, 2026)

Microsoft security researchers have confirmed active, in-the-wild exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances and CISA has added CVE-2025-40551 to its KEV list. According to Microsoft, the observed intrusions occurred in December 2025 and resulted in unauthenticated RCE. The exact vulnerability leveraged in the attacks remains unconfirmed because affected systems were vulnerable to multiple CVEs: CVE-2025-40551, CVE-2025-40536, and the previously disclosed CVE-2025-26399.

The breaches followed a multi-stage attack chain: initial compromise via SolarWinds WHD servers, followed by lateral movement [TA0008] toward high-value assets and, in at least one case, escalation to DCSync activity [T1003.006] against a domain controller. Post-exploitation activity relied heavily on living-off-the-land (LoTL) techniques [T1218] such as legitimate administrative tooling to reduce detection.

Six new high-risk vulnerabilities affecting SolarWinds Web Help Desk (WHD) were disclosed in January 2026. WHD plays a significant role in IT service management and sensitive asset tracking globally. Previous exploitation of similar bugs indicates threat actors will target newly disclosed CVEs.

The newly disclosed CVEs affecting SolarWinds WHD are:

Active exploitation has not been reported, although Horizon3.ai has published the technical details for at least one potential attack chain. All versions of WHD prior to 2026.1 are impacted. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner version check covering all aforementioned vulnerabilities in SolarWinds WHD, plus separate active checks for CVE-2025-40551 and CVE-2025-40536 [1] and for CVE-2025-40537 [2]. Users should identify vulnerable instances in their IT infrastructure and upgrade to WHD 2026.1 as soon as possible.

CVE-2025-59470: Critical RCE Flaw in Veeam Restoration and Backups

Four new CVEs affecting Veeam Backup & Replication version 13 builds ≤ v13.0.1.180 were published in Veeam’s January security update. All four CVEs are rated critical. They are not yet reported as actively exploited, and no public PoC exploit exists at this time. Several national CERT advisories have been issued globally [1][2][3][4][5].

The CVEs are described below:

  • CVE-2025-55125 (CVSS 9.8): An attacker with the Backup or Tape Operator role can achieve RCE as root by creating a malicious backup configuration file. The root cause is a command injection flaw due to improper sanitization of user supplied input [CWE-77].
  • CVE-2025-59468 (CVSS 9.1): An attacker with the Backup Administrator role can perform RCE as the postgres user by sending a malicious password parameter. The root cause is a command injection flaw due to improper sanitization of user supplied input [CWE-77].
  • CVE-2025-59469 (CVSS 9.0): An attacker with the Backup or Tape Operator role can write files as root. Although classified as an exposure of a sensitive information flaw [CWE-200] by NIST, it actually allows privileged file write operations, potentially leading to full system takeover.
  • CVE-2025-59470 (CVSS 9.0): Authorized attackers can achieve RCE as the server’s postgres user. The root cause is a command injection flaw due to improper sanitization of user supplied input [CWE-77].

Veeam indicates that it serves 82% of Fortune 500 companies. As such, Veeam Backup & Replication is a high-value target for ransomware operators and has a documented history of exploitation by ransomware groups [7][8][9]. While exploitation requires Backup Operator or Tape Operator roles, these accounts are typically compromised via credential theft [TA0006] or by creating new privileged accounts [T1136] once an attacker gains admin-level control of the environment [6]. The OPENVAS ENTERPRISE FEED includes remote banner detection for all four new CVEs affecting Veeam Backup & Replication.

New Wireshark CVEs Can Trigger Denial-of-Service (DoS)

Multiple vulnerabilities affecting Wireshark’s protocol dissection logic can result in denial-of-service (DoS). The flaws affect various versions of Wireshark between 4.4.0 and 4.6.2. The new CVEs can be triggered by malformed network traffic.

  • CVE-2026-0959 (CVSS 6.5): The IEEE 802.11 protocol dissector can crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12, allowing DoS.
  • CVE-2026-0960 (CVSS 5.5): The HTTP3 protocol dissector can enter an infinite loop in Wireshark 4.6.0 to 4.6.2, allowing DoS.
  • CVE-2026-0961 (CVSS 6.5): The BLF file parser can crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12, allowing DoS.
  • CVE-2026-0962 (CVSS 6.5): The SOME/IP-SD protocol dissector can crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12, allowing DoS.

Because tshark shares the same libwireshark dissection engine, these flaws also affect headless and CLI-based workflows, meaning automated processing of untrusted PCAP files or live captures can trigger DoS conditions. The Greenbone ENTERPRISE FEED includes local security checks for Windows, Linux, and macOS environments. Extended information can be found in the vendor’s advisory.

Summary

January 2026 makes it clear that exploiting software vulnerabilities remains a dominant and persistent cyber security risk for virtually all organizations globally. This month included multiple critical and actively exploited flaws affecting widely deployed enterprise software. Network management systems, collaboration tools, backup software, and security appliances remain prime targets for threat actors. Unauthenticated or low-privilege RCE can have severe downstream impacts such as ransomware or data theft resulting in fraud. Organizations should scan widely and scan often to maintain complete visibility of emerging threats within their infrastructure. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.

On January 13th, 2026, Fortinet publicly disclosed and patched CVE-2025-64155 (CVSS 9.8) affecting FortiSIEM along with five additional vulnerabilities across its product line [1][2][3][4][5]. In particular, CVE-2025-64155 represents high-risk exposure; immediately after its release, active exploitation was reported. The flaw was responsibly disclosed to Fortinet by Horizon3.ai almost six months ago (August 2025). Greenbone includes a remote banner check for our enterprise customers that can detect the presence of CVE-2025-64155 in a network, as well as three other Fortinet vulnerabilities released in the same patch cycle [6][7][8].

A free two-week trial of OPENVAS BASIC, Greenbone’s entry-level virtual appliance, is available for interested parties to evaluate the OPENVAS ENTERPRISE FEED. Our full product line also includes high-performance physical and virtual appliances for corporate, education, and public sector customers.

CVE-2025-64155 (CVSS 9.8) is a new OS command injection flaw [CWE-78] that allows remote code execution (RCE) with root-level permissions on FortiSIEM endpoints. Unauthenticated arbitrary RCE with root permissions is the most dangerous combination of attributes a CVE could have. The combination allows sophisticated attackers to remotely take full control of an affected device to potentially install rootkit malware. Existing rootkits are known to have advanced evasion capabilities including Endpoint Detection and Response evasion [1][2][3], covert persistence mechanisms, log tampering, firmware manipulation, and secure boot bypass [4][5][6].

Honeypot exploitation has been reported by Defused, but no specific victims have been identified, and CVE-2025-64155 has not been added to CISA’s Known Exploited Vulnerabilities (KEV) database. However, Fortinet CVEs have been listed 23 times on CISA KEV; 13 are associated with ransomware attacks. A full technical description and proof-of-concept (PoC) exploit have been published by Horizon3.ai, the team that first discovered the flaw. Multiple government CERT agencies have issued alerts globally [7][8][9][10][11][12][13]. Fortinet users should review all recent PSIRT advisories issued by the vendor to evaluate their risk.

A Technical Description of CVE-2025-64155 in FortiSIEM

FortiSIEM devices use the phMonitor service for communication and data sharing over TCP/IP. phMonitor exposes multiple command handlers on TCP port 7900 that operate without authentication via the initEventHandler() function. Handler routing is determined by the parameters passed by the client. 

Exploitation of CVE-2025-64155 has been demonstrated by leveraging an argument injection flaw [CWE-88] in phMonitor to achieve arbitrary file write. An attacker can use this flaw for root-level RCE by overwriting non-root owned files that are executed by the /etc/cron.d/fsm-crontab file, FortiSIEM’s root-owned cron scheduler. Non-root RCE attack chains are also possible, such as writing a bash reverse-shell to the /opt/phoenix/bin/phLicenseTool file which is automatically executed periodically.

When specific parameters are passed to phMonitor, invoking the handleStorageRequest function, the user-controlled <cluster_url> parameter is passed to a shell script named elastic_test_url.sh. The shell script further appends the <cluster_url> parameter to the curl command and executes it. However, because the parameter is not properly sanitized, curl can be abused to trigger local file writes on the target FortiSIEM host. Horizon3.ai researchers have also pointed out that FortiSIEM’s lack of authentication for the phMonitor API has contributed to several maximum severity, exploitable CVEs in the past [1][2].
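The pattern described above, a client-supplied URL appended to a curl command line, beside a hardened version, as an added example that is not FortiSIEM’s own code; the function names (validate_cluster_url, hardened_elastic_test_cmd) and the sample inputs are assumptions made for this illustration.

```python
import re
import subprocess
from typing import List

# Added example; this is not FortiSIEM's own code. The text above describes
# elastic_test_url.sh appending a client-supplied <cluster_url> to a curl
# command line. The weak pattern is reproduced here for contrast and a
# hardened version is placed beside it. Names such as validate_cluster_url
# and hardened_elastic_test_cmd are hypothetical.

# Allow-list for a plain http(s) URL: scheme, hostname or IPv4 address,
# optional port, optional simple path. Whitespace, quotes, ';', '|', '$' and
# the like cannot match, so extra tokens never reach the command line.
_CLUSTER_URL_RE = re.compile(
    r"https?://"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?"          # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*"   # more labels
    r"(?::(?P<port>[0-9]{1,5}))?"                             # optional port
    r"(?:/[A-Za-z0-9._~/-]*)?",                               # optional path
    re.ASCII,
)


def weak_elastic_test_cmd(cluster_url: str) -> str:
    """The weak pattern: the parameter is pasted into a shell command string.

    Once a shell parses this string, any whitespace-separated token in the
    parameter becomes a separate curl argument, and a token beginning with
    '-' is read as a curl option rather than as part of the URL. Returned
    only for illustration; it is never executed here.
    """
    return f"curl {cluster_url}"


def validate_cluster_url(cluster_url: str) -> str:
    """Return cluster_url unchanged if it is a plain http(s) URL.

    Raises ValueError otherwise. The explicit '-' check is redundant with the
    allow-list but states the intent: a URL must never look like an option.
    """
    if cluster_url.startswith("-"):
        raise ValueError("cluster_url must not start with '-'")
    match = _CLUSTER_URL_RE.fullmatch(cluster_url)
    if match is None:
        raise ValueError("cluster_url is not a plain http(s) URL")
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError("cluster_url port out of range")
    return cluster_url


def is_valid_cluster_url(cluster_url: str) -> bool:
    """Boolean convenience wrapper around validate_cluster_url."""
    try:
        validate_cluster_url(cluster_url)
    except ValueError:
        return False
    return True


def hardened_elastic_test_cmd(cluster_url: str) -> List[str]:
    """Build the curl argv for a validated URL.

    Three layers: the allow-list above, an argv list (no shell ever parses
    the value), and '--' so curl stops option parsing before the URL. Output
    is discarded; a reachability test only needs the HTTP status code.
    """
    url = validate_cluster_url(cluster_url)
    return [
        "curl", "--silent", "--show-error", "--max-time", "10",
        "--output", "/dev/null", "--write-out", "%{http_code}",
        "--", url,
    ]


def run_elastic_test(cluster_url: str) -> int:
    """Run the hardened check and return curl's exit status (needs network)."""
    return subprocess.run(hardened_elastic_test_cmd(cluster_url),
                          check=False, timeout=15).returncode


if __name__ == "__main__":
    # Constructed inputs: legitimate cluster URLs and a few values that
    # smuggle extra tokens. None of these contact a network.
    samples = [
        "https://es.example.internal:9200/_cluster/health",
        "http://10.0.0.5:9200",
        "http://es.example.internal:9200/ --version",
        "http://es.example.internal:9200/;echo",
        "-v",
        "http://es.example.internal:99999/",
    ]
    for sample in samples:
        verdict = "accepted" if is_valid_cluster_url(sample) else "rejected"
        print(f"{verdict:8} {sample!r}")
        print(f"         weak command string: {weak_elastic_test_cmd(sample)!r}")
```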

Mitigating CVE-2025-64155 in FortiSIEM Devices

Users should follow the update guidance provided in Fortinet’s official advisory for CVE-2025-64155. According to Fortinet, the flaw does not affect all node types. Only the Super and Worker nodes are impacted. For customers who cannot complete an update, Fortinet advises restricting access to the phMonitor port 7900. However, blocking access to port 7900 may cause services that depend on it to fail.

While Fortinet’s official hardening guide advises users that FortiSIEM should operate “in a protected network segment”, security researchers are well aware that sensitive services are often exposed to the internet despite the high risk. Even if a FortiSIEM device is not exposed publicly, vulnerable instances could be used for lateral movement and persistence within a target network. This threat applies if attackers already have a foothold, if malicious insiders are present, or if attackers gain unauthorized access to a user’s internal network in the future.

The affected FortiSIEM products and relevant mitigations are:

Affected Product   Version   Solution
FortiSIEM          Cloud     Not affected
FortiSIEM          7.5       Not affected
FortiSIEM          7.4       Upgrade to 7.4.1 or above
FortiSIEM          7.3       Upgrade to 7.3.5 or above
FortiSIEM          7.2       Upgrade to 7.2.7 or above
FortiSIEM          7.1       Upgrade to 7.1.9 or above
FortiSIEM          7.0       Migrate to fixed release
FortiSIEM          6.7       Migrate to fixed release

Summary

CVE-2025-64155 (CVSS 9.8) is a critical, unauthenticated, root-level remote code execution vulnerability in FortiSIEM that was disclosed and patched by Fortinet on January 13, 2026. Honeypot exploitation activity was observed almost immediately after disclosure, increasing risk for any exposed or reachable FortiSIEM deployments. Defenders should ensure that their FortiSIEM instances are not publicly accessible and that access controls are strictly enforced even on internal network segments.

A free two-week trial of OPENVAS BASIC, Greenbone’s entry-level virtual appliance, is available for interested parties to evaluate the industry-leading coverage of the OPENVAS ENTERPRISE FEED. Our full product line-up also includes high-performance physical and virtual appliances for medium and large corporate, education, and public sector customers.

In 2025, Greenbone increased the total number of vulnerability tests in the OPENVAS ENTERPRISE FEED to over 227,000, adding almost 40,000 vulnerability checks. Since the first CVE was published in 1999, over 300,000 software vulnerabilities have been added to MITRE’s CVE repository. CVE disclosures continued to rocket upward, increasing roughly 21% compared to 2024. CISA added 245 CVEs to its Known Exploited Vulnerabilities (KEV); 24 of these are known ransomware vectors. Defenders seeking to detect and protect can try OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.

5,519 new CVEs were published in December 2025, setting a new all-time high for a single month. New critical severity vulnerabilities and emergency responses continued throughout the holiday season unabated. The Greenbone blog has already reported on two actively exploited CVSS 10 vulnerabilities that emerged in December: CVE-2025-55182 dubbed React2Shell and CVE-2025-20393 affecting Cisco AsyncOS Spam Quarantine. In the December 2025 Threat Report, we will round off the month’s most critical emerging threats to IT security.

Ransom Attacks against Hypervisors Spiked in Late 2025

Research from Huntress shows that hypervisors are trending upward as a prime ransomware target. According to their data, hypervisors played a role in 3% of malicious encryption attacks during the first half of 2025, increasing to 25% during the second half. They believe the increase was driven by the Akira ransomware APT, a group known to aggressively exploit software vulnerabilities.

To reduce risk to hypervisor infrastructure, defenders should plan and implement comprehensive security controls, including:

  • Regularly run vulnerability scans across hypervisor infrastructure and prioritize any discovered vulnerabilities for mitigation
  • Disable or restrict unnecessary hypervisors and VM instances
  • Never expose management interfaces directly to the internet
  • Limit access to hypervisor IP addresses and management consoles using firewall rules

MongoBleed Gifts an Emergency Holiday Patch

CVE-2025-14847 (CVSS 7.5, EPSS 98th pctl), affecting MongoDB, was published on December 19th, 2025. The flaw allows an unauthenticated remote attacker to access sensitive memory locations by sending malformed packets with a length parameter inconsistency [CWE-130]. It has been nicknamed MongoBleed, following the informal convention for memory leak vulnerabilities such as Heartbleed [1][2] and CitrixBleed [3][4]. The flaw lies in MongoDB’s network transport-layer zlib compression process. When faced with a length mismatch, the zlib message compressor could return an allocated buffer length rather than the true decompressed length, allowing attackers to read uninitialized heap memory.
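A toy model of the length-mismatch bug class described above, as an added example that is not MongoDB’s code: the frame layout (a declared length followed by a zlib stream), the constructed upper bound and the sample data are assumptions for this illustration, not MongoDB’s wire format.

```python
import struct
import zlib
from typing import Optional

# Added example; this is not MongoDB's code. It models the length-inconsistency
# bug class [CWE-130] described above with a toy frame: a 4-byte declared
# uncompressed length followed by a zlib stream. The frame layout, the size
# limit and all sample data are constructed for this illustration and are
# not MongoDB's real wire format.

STALE = b"\xaa"                       # stands in for data an earlier request left in reused heap memory
MAX_DECLARED_LEN = 16 * 1024 * 1024   # constructed upper bound for the toy protocol


def build_frame(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Constructed frame: declared uncompressed length (uint32 LE) + zlib data.

    A well-formed sender declares the true length; a malformed frame declares
    something else, which is exactly the inconsistency the decoder must catch.
    """
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("<I", declared_len) + zlib.compress(payload)


def decode_weak(frame: bytes) -> bytes:
    """Weak decoder: the output length is taken from the *declared* size.

    The bytearray stands in for a recycled heap allocation of declared_len
    bytes, so it starts out full of STALE data. zlib only overwrites as many
    bytes as the stream really contains, yet the whole allocation is returned.
    If declared_len exceeds the true length, the tail is leaked old memory.
    """
    declared_len = struct.unpack_from("<I", frame)[0]
    buf = bytearray(STALE * declared_len)
    produced = zlib.decompressobj().decompress(frame[4:], declared_len)
    buf[: len(produced)] = produced
    return bytes(buf)                      # always declared_len bytes long


def decode_hardened(frame: bytes) -> bytes:
    """Hardened decoder: the length zlib actually produced is authoritative.

    The declared length serves only as an output cap (one byte of slack so an
    oversized stream is detectable, and never 0, which zlib treats as "no
    limit"); the frame is rejected unless the stream ended cleanly at exactly
    the declared length.
    """
    declared_len = struct.unpack_from("<I", frame)[0]
    if declared_len > MAX_DECLARED_LEN:
        raise ValueError(f"declared length {declared_len} exceeds limit")
    d = zlib.decompressobj()
    produced = d.decompress(frame[4:], declared_len + 1)
    if len(produced) != declared_len:
        raise ValueError(f"declared {declared_len} bytes, stream produced {len(produced)}")
    if not d.eof or d.unused_data:
        raise ValueError("zlib stream did not end cleanly at the declared length")
    return produced


def hardened_rejects(frame: bytes) -> bool:
    """True if decode_hardened refuses the frame."""
    try:
        decode_hardened(frame)
    except (ValueError, zlib.error):
        return True
    return False


if __name__ == "__main__":
    secret = b'{"user":"alice","pwd":"constructed-sample"}'   # constructed
    honest = build_frame(secret)
    lying = build_frame(secret, declared_len=len(secret) + 16)  # overstates by 16
    print("weak, honest frame :", decode_weak(honest))
    print("weak, lying frame  :", decode_weak(lying))          # 16 STALE bytes leak
    print("hardened, honest   :", decode_hardened(honest))
    print("hardened, lying    :", "rejected" if hardened_rejects(lying) else "accepted")
```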

One security researcher estimates over 200,000 instances are exposed on the public internet globally. The Shadowserver Foundation lists over 80,000. At least one proof-of-concept (PoC) exploit has been published for CVE-2025-14847 that can automatically hunt for secrets like DB passwords and cloud keys. The PoC demonstrates how an attacker can enumerate through heap memory to exfiltrate sensitive information. CVE-2025-14847 has been added to CISA’s KEV catalogue and numerous national CERT alerts have been issued globally [5][6][7][8][9][10][11][12][13]. No ransomware attacks leveraging MongoBleed have yet been reported.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote version detection checks for Windows and Linux instances of MongoDB Server [14][15], and an active check for both Windows and Linux [16]. The vendor’s official advisory includes a list of affected versions and patches. Users should upgrade with urgency and inspect MongoDB servers for indicators of compromise (IoC).

CVSS 10 SmarterMail Flaw Allows Unauthenticated RCE

Update

February 11, 2026

CVE-2026-24423 (CVSS 9.8) is a new critical vulnerability that is now being exploited in ransomware attacks and has been added to CISA’s KEV list. SmarterMail’s vendor, SmarterTools, has also fallen victim to its own software product after suffering a breach. In a report, ReliaQuest has attributed attacks targeting CVE-2026-24423 to the Warlock ransomware operator (aka Storm-2603), a China-based threat actor.

CVE-2026-24423 is an unauthenticated RCE vulnerability in the ConnectToHub API method. With a malicious HTTP request, an attacker can point a SmarterMail instance to an attacker-controlled HTTP capable server and deliver malicious OS commands to SmarterMail.

A PoC for the flaw is available in Fortra’s Core Certified Exploit Library. Several national CERT agencies have issued alerts for CVE-2026-24423 [1][2][3][4][5][6]. Greenbone’s OPENVAS ENTERPRISE FEED has included both version detection and active check vulnerability tests for CVE-2026-24423 since shortly after it was disclosed in January 2026. Users should upgrade to the most recent secure build version of SmarterMail.

Update

January 27, 2026

Both CVE-2025-52691 (CVSS 10), published in late December 2025, and CVE-2026-23760 (CVSS 9.3), a new flaw published on January 23rd, 2026, were added to CISA’s KEV list on January 26th, 2026, indicating active exploitation. Both flaws affect SmarterTools SmarterMail.

The newer flaw, CVE-2026-23760, is an authentication bypass vulnerability [CWE-288] that allows an unauthenticated attacker to reset the admin user’s password. A full technical description has been published for CVE-2025-52691, described below, and one has now also been published for CVE-2026-23760, increasing the risk.

The OPENVAS ENTERPRISE FEED includes vulnerability tests for both CVEs. A remote banner check for detecting CVE-2026-23760 was published on January 23rd, 2026 within 24 hours of the CVE’s publication and before it was added to CISA KEV.

Users should re-evaluate their risk, and consult SmarterMail’s official release notes, which indicate that users should upgrade to the patched Build 9518.

CVE-2025-52691 (CVSS 10) is a new unauthenticated remote code execution (RCE) vulnerability in SmarterTools SmarterMail affecting Build 9406 and earlier. The flaw is caused by an arbitrary file upload weakness [CWE-434] that lets attackers upload files to any location on the target server. These uploaded files can potentially serve as web shells or be executed as SYSTEM if placed in sensitive directories.

SmarterMail runs on the Windows/IIS/.NET stack and includes a web application with webmail and sync services over HTTPS. SmarterMail’s official documentation claims over 15 million users. Other sources attribute less than 0.1% of all identifiable web applications to SmarterMail. SmarterMail is often used in managed web hosting environments, which could increase the potential blast radius if exploited.

Singapore’s Cyber Security Agency (CSA) published CVE-2025-52691 and first alerted the public to its risk. Neither active exploitation in the wild nor public PoC exploits have been disclosed, but penligent.ai researchers have published technical descriptions of the attack chain [1][2]. Other national security agencies have also issued emergency cyber alerts [3][4].

The OPENVAS ENTERPRISE FEED includes a version detection check for CVE-2025-52691. The issue was patched in early October 2025 in Build 9413 of SmarterMail. Users are advised to upgrade to the newest version.

OSGeo GeoServer Actively Exploited via XXE Flaw

CVE-2025-58360 (CVSS 9.8, EPSS 99th pctl) is an unauthenticated XML External Entity (XXE) vulnerability [CWE-611] in OSGeo GeoServer. The flaw lets remote attackers read arbitrary files, trigger Server-Side Request Forgery (SSRF) [CWE-918], or cause Denial of Service (DoS). The root cause is a failure to properly sanitize XML data processed by the /geoserver/wms GetMap endpoint.

CVE-2025-58360 was added to CISA KEV on December 11th and multiple public PoC exploits exist [1][2][3]. Use in ransomware attacks or espionage has not been confirmed. The Shadowserver Foundation has tracked 2,451 exposed GeoServer instances; Shodan reports over 14,000, indicating significant global risk. Several national CERT agencies have published alerts for CVE-2025-58360 [4][5][6][7][8]. Previously, in 2024, CVE-2024-36401 (CVSS 9.8) in GeoServer was actively exploited and led to a confirmed breach of an unnamed U.S. federal agency. This indicates cyber adversaries are familiar with exploiting GeoServer infrastructure, which increases the risk.

The OPENVAS ENTERPRISE FEED includes a remote banner check to detect vulnerable GeoServer instances. CVE-2025-58360 affects the main OSGeo GeoServer application, docker.osgeo.org/geoserver containers, gs-web-app, and gs-wms Maven packages. Full affected product status is available in the vendor’s official advisory.

Living on the Edge: New Threats to Network Perimeters in December 2025

Our monthly Threat Report has been closely tracking software vulnerabilities impacting the network perimeter [1][2][3]. In December 2025, there was indeed another wave of new high-risk CVEs and active exploitation. Let’s cover some emerging risks to perimeter networks:

Multiple Fortinet Products Actively Exploited via Authentication Bypass

Published on December 9th, 2025, CVE-2025-59718 (CVSS 9.8, EPSS 90th pctl) and CVE-2025-59719 (CVSS 9.8) were added to CISA’s KEV list one week after being made public. CVE-2025-59718 affects Fortinet FortiOS, FortiProxy, and FortiSwitchManager, while CVE-2025-59719 only impacts FortiWeb. The new CVEs allow authentication bypass of FortiCloud SSO admin logins due to improper cryptographic signature verification [CWE-347] of SAML messages. According to the first report of active attacks, made by Arctic Wolf, FortiCloud SSO login may be enabled by default when registering devices via the FortiCare GUI.

At least one PoC exploit is publicly available [1]. The new CVEs triggered a widespread response from national CERT agencies globally [1][2][3][4][5][6][7][8][9][10][11][12]. Greenbone provides detection for both new critical severity CVEs. For a full list of affected products, see Fortinet’s official advisory.

Privilege Escalation Flaw in SonicWall SMA 1000 Appliances

CVE-2025-40602 (CVSS 6.6, EPSS 84th pctl) is a local privilege escalation flaw affecting the Appliance Management Console of SonicWall Secure Mobile Access (SMA) 1000 appliances. The vulnerability is caused by insufficient or missing authorization [CWE-862]. Exploitation can lead to root-level OS command execution. CVE-2025-40602 is now on CISA’s KEV list and being actively exploited in the wild for unauthenticated RCE when chained with CVE-2025-23006 (CVSS 9.8, EPSS 98th pctl), published in January 2025 and covered in our January 2025 Threat Report. However, CVE-2025-40602 can be exploited on its own with local account access.

No detailed attack tutorials or PoC exploits are publicly available for either CVE. This may indicate that ongoing attacks are conducted by nation-state threat actors or other APT groups. The OPENVAS ENTERPRISE FEED includes remote banner checks for both CVEs described above [1][2]. SMA 1000 Series appliances (6200, 6210, 7200, 7210, 8000v, 8200v) versions 12.4.3-03093 and prior and versions 12.5.x through 12.5.0-02002 are impacted.

CVE-2025-14733: WatchGuard VPNs Actively Exploited Again

CVE-2025-14733 (CVSS 9.8, EPSS 97th pctl) is an unauthenticated RCE flaw affecting WatchGuard Firebox mobile user VPNs and branch office VPNs with IKEv2 when configured with a dynamic gateway peer. The root cause is a software flaw that allows out-of-bounds memory write in the iked IKEv2 daemon responsible for managing VPN sessions. According to the vendor’s own threat report, attackers have exfiltrated configuration files and the user database from compromised VPN devices [TA0010].

The CVE has been added to CISA’s KEV database, but no proof-of-concept or detailed technical write-ups are available yet. The Shadowserver Foundation reports more than 100,000 affected devices exposed on the internet. A similar out-of-bounds write flaw in WatchGuard VPNs, CVE-2025-9242 (CVSS 9.8), has been exploited in the wild since September 2025.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote checks for both CVEs referenced above [1][2], allowing defenders to quickly identify affected devices. See the vendor’s official advisory for more information including specific affected versions and configuration requirements for exploitation, mitigation steps, and indicators of compromise (IoC).

Array Networks AG Series VPNs Exploited for RCE

CVE-2025-66644 (CVSS 9.8, EPSS 86th pctl) is an unauthorized command injection flaw [CWE-78] in Array Networks ArrayOS AG Series VPNs with the DesktopDirect remote access feature enabled. According to a report published in early December 2025, CVE-2025-66644 has been actively exploited against entities in Japan since at least August. The attack chain has included installing PHP webshells [T1505.003] and creating rogue users [T1136] for persistence.

The CVE has been added to CISA’s KEV list. However, no public PoC exploit is available. Greenbone includes a remote banner check to detect vulnerable devices. For mitigation, the vendor instructs users to upgrade to ArrayOS version 9.4.5.9 or later.

Ivanti Patches New Vulnerabilities in EndPoint Manager (EPM)

Four new risky CVEs affecting Ivanti EndPoint Manager (EPM) were published and patched in December 2025. Active exploitation is not yet reported, and none of the flaws triggered high EPSS scores. Users should upgrade to Ivanti Endpoint Manager 2024 SU4 SR1 and ensure that EPM is not internet-facing. The OPENVAS ENTERPRISE FEED includes remote detection for all four new Ivanti vulnerabilities. See Ivanti’s official advisory for more information.

The four new CVEs are briefly described below.

  • CVE-2025-13659 (CVSS 8.8) allows unauthenticated arbitrary file write on the server, potentially leading to remote code execution, due to improper control of dynamically managed code resources [CWE-913].
  • CVE-2025-13662 (CVSS 7.8) enables unauthenticated code execution via improper signature verification in the patch management process [CWE-347].
  • CVE-2025-13661 (CVSS 8.0) is an authenticated path traversal flaw [CWE-22] enabling arbitrary file writes.
  • CVE-2025-10573 (CVSS 6.1) is a stored XSS flaw [CWE-79] enabling unauthenticated JavaScript execution in an admin session in Ivanti Endpoint Manager Core and remote consoles.

Update: New CVEs Add to Social Engineering Risks

Social engineering is a prominent attack chain used by adversaries. Using deceptive context to trick users into clicking on links and files [T1566] has proven to be a highly effective means for gaining unauthorized access and even RCE. Here are some emerging threats on the social engineering landscape that defenders should mitigate:

New High Risk 7-Zip Flaw Has Public PoC

CVE-2025-11001 (CVSS 7.8) is a path traversal flaw [CWE-22] in the 7-Zip application for Windows caused by insecure handling of Linux-style symbolic links in .zip files. A maliciously crafted .zip archive can potentially allow RCE by placing files into sensitive directories [T1574], or enable other attacks such as placing malware in visible locations on the victim’s system, hoping the user executes them [T1204.002]. On Windows, exploitation depends on the local user having the SeCreateSymbolicLinkPrivilege permission or other configurations such as Developer Mode, or running 7-Zip as admin.

CVE-2025-11001 has not been added to CISA’s KEV list, but the UK’s NHS has reported a public PoC exploit [1]. Multiple national CERT agencies have issued alerts globally [2][3][4][5][6][7][8]. CVE-2025-11002 is often cited alongside CVE-2025-11001, but officially remains in RESERVED status. CVE-2025-11001 was patched in 7-Zip version 25.00. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for the 7-Zip Windows application and other platforms that include vulnerable versions of 7-Zip.

CISA Adds New WinRAR Flaw to Actively Exploited List

CVE-2025-6218 (CVSS 7.8) is a directory traversal flaw [CWE-22] affecting WinRAR versions 7.11 and earlier. Similar to CVE-2025-11001 described above, attackers that trick a victim into opening a malicious archive file could write files into sensitive locations on the target system, potentially leading to a malware infection. In August 2025, another WinRAR flaw, CVE-2025-8088 (CVSS 8.8), was being exploited in espionage campaigns.
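For both the 7-Zip symlink issue and the WinRAR traversal described above, an audit pass over a .zip before extraction, as an added example that is neither 7-Zip’s nor WinRAR’s code; the function names and the constructed sample archive are assumptions for this illustration.

```python
import io
import posixpath
import stat
import zipfile
from typing import List

# Added example; this is not 7-Zip's or WinRAR's code. It audits a .zip for
# the two archive-layout patterns behind the CVEs above: entry paths or
# symlink targets that escape the extraction root, and regular entries whose
# path runs through a symlink. A pipeline can refuse the archive before any
# extractor touches it. Function names are hypothetical; the sample archive
# is constructed here.


def _escapes_root(path: str) -> bool:
    """True if a name or link target could land outside the extraction root."""
    if path.startswith(("/", "\\")) or (len(path) > 1 and path[1] == ":"):
        return True                                   # absolute path, or C:\...
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix-made zips store st_mode in the top 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_zip(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    symlinks: List[str] = []          # names of symlink entries seen so far
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes_root(name):
                findings.append(f"{name}: entry path escapes the extraction root")
            if _is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                findings.append(f"{name}: symlink entry -> {target}")
                resolved = posixpath.normpath(
                    posixpath.join(posixpath.dirname(name), target))
                if _escapes_root(target) or _escapes_root(resolved):
                    findings.append(f"{name}: symlink target points outside the root")
                symlinks.append(name.rstrip("/"))
                continue
            # Extractors process entries in order: a regular entry whose path
            # runs through an earlier symlink is written wherever that link
            # points, which is how a Linux-style symlink in a .zip turns into
            # a write outside the extraction root.
            for link in symlinks:
                if name.startswith(link + "/"):
                    findings.append(f"{name}: path passes through symlink {link}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: a harmless file, a symlink aimed above the root,
    and a file whose path runs through that symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        link = zipfile.ZipInfo("link")
        link.create_system = 3                          # 3 = Unix
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../outside")                 # a symlink entry's body is its target
        zf.writestr("link/file.txt", "written through the link\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_zip(build_sample_zip()):
        print(finding)
```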

Multiple technical analyses of CVE-2025-6218 are available [1][2]. China’s 360 threat intel has attributed attacks to the APT-C-08 group (aka BITTER, Manlinghua, T-APT-17). The group is an Advanced Persistent Threat (APT) active since 2013, and is known to target government, energy, military, and defence-industrial entities in South Asia [3][4]. On December 9th, 2025, CISA added CVE-2025-6218 to its KEV list and numerous national CERT alerts have been issued, going back to the CVE’s time of initial disclosure [5][6][7][8][9][10][11].

The OPENVAS ENTERPRISE FEED includes an authenticated security check to detect the presence of vulnerable WinRAR applications on Windows endpoints. Users are advised to upgrade to the latest version of WinRAR for Windows.

CVE-2025-66516: New Guidance for Critical Apache Tika Vulnerability

CVE-2025-66516 (CVSS 9.8) is a new maximum severity CVE affecting Apache Tika, an open-source content analysis and extraction toolkit. The application is commonly used within search, ETL and indexing pipelines, Data Loss Prevention (DLP) and compliance scanning, and in AI RAG systems to convert encoded documents (such as .pdf and .docx) into plaintext and metadata.

CVE-2025-66516 allows any attacker who can submit a maliciously crafted XFA-enabled PDF to the Apache Tika processor to trigger an XML External Entity injection [CWE-611]. Exploitation enables file disclosure, SSRF, and DoS due to unsafe external entity handling during XFA XML parsing.

CVE-2025-66516 is considered an extension of CVE-2025-54988 (CVSS 8.4), published in August 2025. CVE-2025-54988 didn’t correctly describe the affected components; users who upgraded the tika-parser-pdf-module but didn’t upgrade tika-core are still vulnerable. Patching requires upgrading the full dependency chain to a fixed version.

Although reports do not indicate active exploitation or ransomware use, a public PoC exploit is available. The vulnerability is high-risk due to Tika’s widespread use in automated document-processing pipelines. Belgium’s CERT.be, and Korea’s KRCERT have issued alerts. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for CVE-2025-66516, including affected upstream enterprise SaaS products from Atlassian, Elastic, and more.

Summary

In December 2025, critical CVEs landed throughout the holidays, driving emergency patching and rapid triage for defenders. This report covers new actively exploited vulnerabilities, including MongoBleed, a SmarterMail unauthenticated RCE, OSGeo GeoServer, and trending attacks against edge devices such as those from Fortinet, SonicWall, WatchGuard, and more. Defenders seeking to harden their IT infrastructure can try OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.