In early April, Cisco announced two critical-severity CVEs along with additional high and medium-severity vulnerabilities. Collectively, the flaws allow authentication bypass, privilege escalation to an Administrator account, unauthenticated remote code execution (RCE) as the root user, information disclosure, and Denial of Service conditions. The two critical flaws are CVE-2026-20160 (CVSS 9.8) affecting Cisco Smart Software Manager On-Prem (SSM On-Prem) and CVE-2026-20093 (CVSS 9.8) affecting Cisco Integrated Management Controller (IMC).

Greenbone’s OPENVAS ENTERPRISE FEED has included vulnerability detection for CVE-2026-20160 and CVE-2026-20093 since their disclosure, helping defenders mitigate these evolving threats. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

Critical Flaws in Cisco SSM & IMC

CVE-2026-20160 and CVE-2026-20093 pose significant threats to enterprise IT. While SSM On-Prem and IMC are both internal network services that are not meant to be publicly exposed, these CVEs may offer adversaries with a covert foothold the opportunity for lateral movement to high-value assets.

Cisco IMC is especially high risk because it is embedded in physical server and edge platforms that often sit close to core enterprise workloads. If an attacker gains administrative access, they may be able to disrupt services, pivot into adjacent networks, or use the compromised device as a staging point to target sensitive internal systems. If a target network is not strictly segmented between departments or if access controls are not tightly limited according to the principle of least privilege, risk is further increased.

Let’s first examine the two new critical-severity CVEs and then some additional CVEs published in early April 2026.

CVE-2026-20160 (CVSS 9.8) Affecting Cisco Smart Software Manager On-Prem (SSM On-Prem)

An exposed internal service allows unauthenticated remote attackers to execute arbitrary commands on the underlying OS with root privileges. CVE-2026-20160 can be exploited via HTTP requests to the exposed service’s API. The flaw is essentially an improper access control that Cisco has classified as “Exposure of Resource to Wrong Sphere” [CWE-668]. Cisco Smart Software Manager On-Prem (SSM On-Prem) versions 9-202502 to 9-202510 are affected.

Cisco SSM On-Prem is an on-premises software license-management server deployed as a virtual machine. SSM On-Prem exposes a web UI on port 8443 for administration and licensing workflows. SSM On-Prem acts as a local Smart Licensing manager for Cisco products, instead of requiring them to connect directly to Cisco’s cloud-hosted Smart Software Manager.

Multiple national CERT advisories have been issued for CVE-2026-20160 [1][2][3][4][5][6][7][8]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. The OPENVAS ENTERPRISE FEED includes a remote banner version check to identify affected instances [9]. Users should update to version 9-202601 or later. See Cisco’s official advisory for more information.

CVE-2026-20093 (CVSS 9.8) Affecting Cisco Integrated Management Controller (IMC)

Improper input validation [CWE-20] can lead to authentication bypass during password change requests to the IMC. An attacker could exploit this vulnerability remotely via HTTP requests to alter the passwords of any user on the system (including an Admin user) and gain access to the system as that user.

Cisco IMC is an embedded Baseboard Management Controller (BMC) built into Cisco UCS rack and storage server platforms. The core function of Cisco IMC is out-of-band server management of physical servers when they operate in Standalone Mode via the Redfish RESTful API standard, SNMP, IPMI v2.0, or the Cisco IMC XML API. Multiple Cisco physical server products are affected if they include the Cisco Integrated Management Controller (IMC):

• 5000 Series Enterprise Network Compute Systems (ENCS)
• Catalyst 8300 Series Edge uCPE
• UCS C-Series M5 and M6 Rack Servers in standalone mode
• UCS E-Series Servers M3
• UCS E-Series Servers M6

Multiple national CERT advisories have been issued for CVE-2026-20093 [1][2][3][4][5][6][7]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check [9] and a remote banner version check [10] for devices affected by CVE-2026-20093. See Cisco’s official advisory for more information including a list of fixed releases for affected products.

Other Recent High-Severity Flaws in Cisco Products

Cisco also disclosed several high and medium-severity vulnerabilities that expand the risk posed to enterprise customers. While all of the CVEs below require valid account access to exploit, credential theft is a common tactic used in many sophisticated cyber attacks. If unpatched, these flaws could still result in command execution, privilege escalation, denial of service, or sensitive information exposure.

• CVE-2026-20094 (CVSS 8.8): A command injection flaw due to improper validation of user-supplied input [CWE-77] allows an authenticated, remote attacker with read-only privileges to execute arbitrary commands on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
• CVE-2026-20155 (CVSS 8.0): Improper authorization checks [CWE-862] on an API endpoint allow an authenticated, remote attacker with low privileges to access sensitive information without authorization. The flaw affects the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) devices prior to version 8.1.2 for all configurations. More information is available in Cisco’s official advisory.
• CVE-2026-20151 (CVSS 7.3): Due to the improper transmission of sensitive user information [CWE-201], an attacker can retrieve session credentials from status messages to elevate privileges from a low-level account to admin. SSM On-Prem version 9-202510 and earlier in all configurations are affected. More information is available in Cisco’s official advisory.
• CVE-2026-20095 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote user can execute arbitrary code or commands [CWE-77] on the underlying OS of an affected system and elevate privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and earlier are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
• CVE-2026-20096 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
• CVE-2026-20097 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
• CVE-2026-20110 (CVSS 6.5): A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition. This vulnerability exists because incorrect privileges are associated with the start maintenance All versions of Cisco IOS XE Software are affected if the start maintenance command is supported. See Cisco’s official advisory for more information.

Cisco has assigned a Security Impact Rating (SIR) of High to CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097, which is above their CVSS ranking of Medium, because additional security implications apply if an attacker gains root-level access. The OPENVAS ENTERPRISE FEED includes detection tests for all aforementioned CVEs [1][2][3][4][5].

Summary

Cisco’s early April 2026 security disclosures indicate elevated risk across several products. This includes the vendor’s SSM On-Prem license management server and Cisco Integrated Management Controller (IMC), which impacts a wide array of physical hardware products, including Cisco UCS rack and storage server platforms. The most severe new flaws enable authentication bypass and unauthenticated RCE as the root user.

Although public exploitation has not been confirmed, the affected systems are high-value internal assets that represent attractive targets for advanced persistent threat (APT) actors. Organizations should verify exposure to these and other software vulnerabilities and prioritize patching. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

This month exposed new cyber security risks at all levels of enterprise IT infrastructure. New critical vulnerability exposure emerged in perimeter networking gear and core network appliances. Other risks included actively exploited flaws in major browsers, enterprise email clients, agentic workflow platforms, core OS components, and virtually every other aspect of the enterprise IT ecosystem. In 2026, hunting for new vulnerabilities regularly is a fundamental cyber security activity and an essential component of an Exposure Management approach to cybersecurity.

March 2026 Threat Report

Defenders seeking to detect and protect can try Greenbone’s OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

CitrixBleed 3: Memory Leak in Citrix Netscaler ADC and Gateway Actively Exploited

CVE-2026-3055 (CVSS 9.3) is a memory disclosure flaw that is exploitable remotely and without authentication. The root cause is insufficient input validation allowing out-of-bounds memory read access [CWE-125]. The flaw affects NetScaler ADC and NetScaler Gateway appliances configured as a SAML Identity Provider (IDP), reported to be a common single-sign-on (SSO) configuration.

Active reconnaissance for authentication methods in the /cgi/GetAuthMethods endpoint was reported 3 days post-disclosure. On March 30th, CVE-2026-3055 was added to CISA’s KEV list and was reported as actively exploited by other sources. A full technical analysis with exploit code has been published. The flaw resembles previous memory leak flaws affecting Netscaler ADC and Gateway, dubbed CitrixBleed and CitrixBleed 2, whose use for initial access is well documented [1][2][3][4]. Several national cyber security agencies have issued alerts for the new CVEs [5][6][7][8][9][10][11][12][13][14][15][16][17][18].

Citrix reported another high severity flaw in the same report. CVE-2026-4368 (CVSS 7.7) is a race condition bug that can cause user session mix-up on gateway or AAA virtual server configurations. See the official security advisory for more information, including affected versions for both new CVEs. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify appliances that are potentially vulnerable to CVE-2026-3055 [19] and a similar check for CVE-2026-4368 [20].

SharePoint Actively Exploited, RegPwn, and Other Emerging Microsoft Risks

CVE-2026-20963 (CVSS 8.8, EPSS ≥ 91st pctl) affecting Microsoft SharePoint and published in January 2026, was added to CISA’s KEV list in March. The flaw is caused by improper deserialization of untrusted data [CWE-502] and could allow arbitrary remote code execution (RCE) to an authenticated attacker. The vulnerability attracted global attention from national CERT agencies [1][2][3][4][5][6][7][8][9][10][11]. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for Microsoft SharePoint Server 2019 and Microsoft SharePoint Enterprise Server 2016 [12][13].

Other high-profile risks affecting Microsoft products in March 2026 include:

• CVE-2026-24291 (CVSS 7.8): An incorrect permission assignment for a critical resource [CWE-732] in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized local attacker to elevate privileges and modify Windows Registry keys. Dubbed RegPwn, full technical descriptions [14][15] and proof-of-concept (PoC) exploit code are publicly available, increasing risk. The OPENVAS ENTERPRISE FEED includes registry checks for vulnerability detection across Windows OS versions.
• CVE-2026-26110 (CVSS 7.8): A type confusion flaw [CWE-843] in Microsoft Office allows an unauthorized local attacker to execute arbitrary code with high-level privileges. The OPENVAS ENTERPRISE FEED includes package version detection for Windows and macOS versions of Microsoft Office [16][17].
• CVE-2026-26113 (CVSS 7.8): An untrusted pointer dereference vulnerability [CWE-822] in Microsoft Office allows an unauthorized local attacker to execute arbitrary code with high-level privileges. The OPENVAS ENTERPRISE FEED includes package version detection for Windows and macOS versions of Microsoft Office [16][17] and SharePoint for Windows [18][19].

CVE-2026-33017: Langflow API Actively Exploited for Unauthenticated RCE

CVE-2026-33017 (CVSS 9.8, EPSS ≥ 90th pctl) is an unauthenticated RCE flaw that can be exploited via malicious HTTP request. The CVE affects any network-exposed Langflow instances prior to version 1.9.0. CVE-2026-33017 has been reported as actively exploited by multiple sources [1][2]. Several technical analyses [2][3][4] and public PoC exploits [3] exist, increasing the risk. Multiple CERT alerts have been issued globally [5][6][7][8][9].

Langflow is an open-source “low-code” platform for building, testing, and deploying agentic AI and LLM-enabled workflows. The flaw exists in Langflow’s API endpoint for building public flows. By design, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without authentication. The official Langflow API documentation states that Build Public Tmp only works for workflows marked as public in the database. The vulnerability arises when the optional data parameter is supplied: Langflow uses attacker-controlled flow code, which may contain arbitrary Python code, instead of the stored code from the database. This code is passed to exec() without sandboxing, resulting in unauthenticated RCE.

The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances of Langflow. Users should upgrade to version 1.9.0.

Living On The Edge: Perimeter Security Risks Emerging in March 2026

Exploitation of perimeter networking devices has been consistently measured as a top initial-access vector in cyber breaches. New vulnerabilities affecting key perimeter devices are published continuously and defenders need to be able to detect and patch these exposed entry points reliably. Here are several high-risk vulnerabilities affecting perimeter networking devices that emerged in March 2026:

New Cisco Firewall Flaws Ignite Perimeter Risk

Cisco published a group of 48 CVEs affecting its firewall product line, including two critical CVSS 10 vulnerabilities. One of these, CVE-2026-20131, was soon added to CISA’s KEV list. Active exploitation was also confirmed by Cisco. Ransomware attacks exploiting CVE-2026-20131 have been attributed to the Interlock threat actor. Numerous national CERT advisories have been issued globally [1][2][3][4][5][6][7][8][9][10][11][12][13][14].

Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for all 48 CVEs disclosed in Cisco’s security advisory, and a family of tests dedicated to Cisco software flaws. Users are advised to identify affected products in their network, apply patches immediately, and conduct breach assessments by hunting for any indicators of compromise (IoCs) [15]. The highest risk CVEs from the group are described below:

• CVE-2026-20131 (CVSS 10, EPSS 71st pctl): Insecure deserialization [CWE-502] of a user-supplied Java byte stream allows unauthenticated Java RCE with root privileges. The flaw affects the web-based management interface of Cisco Secure Firewall Management Center (FMC). If the FMC management interface is not internet accessible, the attack surface is significantly reduced.
• CVE-2026-20079 (CVSS 10, EPSS 90th pctl): An flawed system process is created at boot time that allows a remote attacker to bypass authentication [CWE-288] via crafted HTTP requests and execute script files. This may allow an attacker to obtain root privileges on the underlying OS. A full technical analysis and PoC exploit code are publicly available, increasing the risk. CVE-2026-20079 affects the web interface of Cisco Secure FMC.

CVE-2026-22557: CVSS 10 Unauthenticated Account Takeover on Ubiquiti UniFi Network Application

CVE-2026-22557 (CVSS 10) allows unauthorized account takeover through a path-traversal flaw [CWE-22] that lets attackers manipulate files on the underlying system. Public technical details are available and researchers assess that automated exploitation is trivial. Risk is also elevated because Ubiquiti network products are widely used. Multiple national CERT agencies have issued alerts globally [1][2][3][4][5].

Another CVE published in the same vendor advisory imposes additional high risk:

• CVE-2026-22559 (CVSS 8.8): An input validation flaw that is exploitable via social engineering if an attacker can trick the victim with network access to a Ubiquiti UniFi Network Application web interface to click on a malicious link.

CVE-2026-22557 affects Ubiquiti UniFi Network Application version 10.1.85 and earlier, Release Candidate 10.2.93 and earlier, and UniFi Express version 9.0.114 and earlier. OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances. Mitigation instructions for both aforementioned CVEs are available on the vendor’s official security advisory.

Other Notable Security Risks Affecting Perimeter Networking Devices

Other emerging threats to perimeter networking devices in March 2026 include:

F5 BIG-IP APM Access Policy

CVE-2025-53521 (CVSS 7.5) is an actively exploited flaw that allows attackers to trigger Denial of Service (DoS) on F5 BIG-IP if an APM Access Policy is configured on a virtual server. National CERT agencies have issued alerts [1][2][3][4][5][6][7][8][9][10][11][12][13][14]. The OPENVAS ENTERPRISE FEED provides package-level detection for CVE-2025-53521 and a dedicated family of F5 security checks.

Juniper Networks Junos OS Evolved on PTX Series

CVE-2026-21902 (CVSS 9.8) is an Incorrect Permission Assignment for Critical Resource flaw [CWE-732] that allows unauthenticated RCE as root. CVE-2026-21902 affects the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series. The On-Box Anomaly detection framework is enabled by default. This flaw affects all PTX Series 25.4 versions before 25.4R1-S1-EVO and 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO or Junos OS. A detailed technical description is publicly available reducing the burden for exploit development. Numerous national CERT agencies have published alerts [1][2][3][4][5][6][7][8][9][10][11]. An active check and a remote banner check are available in the OPENVAS ENTERPRISE FEED and a dedicated family of authenticated security checks for JunOS. See the vendor’s official advisory for more information.

Critical and High-Severity Flaws in HPE Aruba Networking Products

Hewlett-Packard Enterprise (HPE) published an advisory on March 10th, disclosing one critical and three high-severity CVEs in their Aruba networking AOS-CX switches. Multiple national CERT advisories were issued globally for the group of vulnerabilities [1][2][3][4][5][6][7][8][9][10][11][12]. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check for all CVEs disclosed in the advisory, which are described below. Users are strongly encouraged to identify any vulnerable AOS-CX appliances in their environment and update to the most recent version.

• CVE-2026-23813 (CVSS 9.8): An improper authentication flaw [CWE-287] in the web-based management interface of AOS-CX switches allows an unauthenticated remote attacker to circumvent existing authentication controls, including resetting the admin password.
• CVE-2026-23814 (CVSS 8.8): A command injection flaw [CWE-77] affecting the parameters of certain AOS-CX command-line interface (CLI) commands could allow an authenticated low-privilege remote attacker to inject malicious commands.
• CVE-2026-23815 (CVSS 7.2): A command injection flaw [CWE-77] in a custom binary used in the AOS-CX CLI could allow an authenticated remote attacker with high privileges to execute unauthorized commands.
• CVE-2026-23816 (CVSS 7.2): A command injection flaw [CWE-77] in the command line interface of AOS-CX switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
• CVE-2026-23817 (CVSS 6.5): A vulnerability in the web-based management interface of AOS-CX switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL [CWE-601].

A Spotlight on Shadow IT: OpenClaw (Clawd/Moltbot) AI Agent

OpenClaw (previously Clawd and Moltbot) is an open-source agentic AI assistant that can execute system-level tasks on behalf of a human user. OpenClaw’s capabilities include sending email, reading and writing files, and interacting with web services and APIs. The software was originally released as Clawd in November 2025, was rebranded to Moltbot in early 2026, and then rebranded again to OpenClaw [1].

Despite OpenClaw’s rise in popularity, criticism from the security community has been harsh [2][3][4][5]. Germany’s BSI listed over 60 vulnerabilities, and since its release, over 200 CVEs have been issued for the popular but unstable AI agent including 32 critical severity CVEs released in March 2026 alone. The most severe of the vulnerabilities allow unauthenticated RCE in the OpenClaw context. National CERT alerts have been issued for the product [1][2][3].

Considering the operational risks to unauthorized access and data security that OpenClaw poses to organizations, it should be banned from use. The OPENVAS ENTERPRISE FEED includes remote and local authenticated product detection for OpenClaw. Security teams can set alerts to notify them if OpenClaw is detected within their network.

Unauthenticated RCE in Wazuh Manager via Cluster Mode Worker Nodes

CVE-2026-25769 (CVSS 9.1) is an RCE that allows an authorized attacker with access to a cluster worker node to execute code on the master node as root. The root cause is flawed deserialization of untrusted data [CWE-502]. Risk is elevated because successful compromise of any worker in cluster mode can lead to full root-level compromise of the master node. A full technical analysis and PoC exploit kit are publicly available for CVE-2026-25769 lowering the barrier for attackers. Several national CERT agencies have issued alerts [1][2][3].

Five other CVEs were included in the disclosure by Wazuh including one additional critical severity flaw: CVE-2025-30201 (CVSS 9.1) allows authenticated attackers to force NTLM authentication through malicious UNC paths via agent configuration settings, potentially leading NTLM relay attacks [CWE-294] for privilege escalation and RCE. Technical detail and a PoC exploit are publicly available online.

The newly disclosed CVEs affect various version ranges of Wazuh Manager, but all require patching to version 4.14.3 or higher. The OPENVAS ENTERPRISE FEED includes detection for all aforementioned CVEs [1][2][3][4], and prior vulnerabilities affecting Wazuh. Users should consult Wazuh’s security advisories for specific details on each vulnerability.

n8n Agentic Workflow Platform Exposes New Critical Flaws

In recent months numerous critical and high-severity vulnerabilities have been exposed in the popular agentic workflow platform n8n. Attackers are starting to take advantage; on March 11th, 2026, CVE-2025-68613 (CVSS 8.8) was added to CISA’s KEV list. CVE-2025-68613 and other n8n flaws were covered in Part 2 of the January 2026 Threat Report.

Flawed expression evaluation has been a common cause of vulnerabilities. n8n expressions are specially formatted strings that allow dynamic manipulation of data for batch processing tasks, among other use cases. The highest-risk CVEs affecting n8n that emerged in March 2026 include:

• CVE-2026-27495 (CVSS 9.9): An authenticated user with workflow permissions can exploit a vulnerability in the JavaScript Task Runner to execute arbitrary code outside the sandbox boundary. On instances using the default internal Task Runners this could result in full compromise of the n8n host. Exploitability depends on Task Runners being enabled with the N8N_RUNNERS_ENABLED=true setting.
• CVE-2026-27577 (CVSS 9.9): An authenticated user with workflow permissions can abuse crafted expression parameters to trigger unintended command execution on the n8n host. This flaw allows bypass of security measures put in place to restrict command execution capabilities.
• CVE-2026-33696 (CVSS 8.8): An authenticated user with workflow permissions can exploit a prototype pollution vulnerability in the XML and GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype` and achieve RCE.
• CVE-2026-33660 (CVSS 9.4): An authenticated user with workflow permissions can use the Merge node’s “Combine by SQL” mode to read local files on the n8n host and achieve RCE.

The OPENVAS ENTERPRISE FEED includes detection for all CVEs mentioned above [1][2][3][4] and other known n8n flaws. Each flaw affects various v1.x and v2.x instances of n8n. In many cases, if patches cannot be applied immediately, system administrators may disable affected nodes using the NODES_EXCLUDE environment variable. However, there are no workarounds offering full mitigation for any of the CVEs. Mitigation depends on updating to the latest version of n8n. See n8n’s security advisories for a complete list of vulnerabilities with descriptions.

Other Notable Critical Risk CVEs Emerging in March 2026

Let’s wrap up this month’s threat report with a quick-fire of other emerging threats in March 2026:

CVE-2026-3564 (CVSS 9.0) in ConnectWise ScreenConnect prior to version 26.1

An attacker with access to configuration files can extract a device’s machine key and use it for session authentication. ScreenConnect is a remote support and remote access platform that lets IT staff securely connect to attended or unattended devices. Several national CERT alerts have been issued [1][2][3]. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.

CVE-2026-27944 (CVSS 9.8) in Nginx UI prior to v2.3.3

An unauthenticated remote attacker can download a full backup of the underlying system containing sensitive data, including user credentials, session tokens, SSL private keys, and Nginx server configurations. The flaw is due to the /api/backup endpoint being accessible without authentication and disclosing the encryption keys to decrypt the backup. Full technical analysis and PoC exploits are publicly available [1][2] and several national CERT alerts have been issued [3][4][5][6][7][8]. Nginx UI is a web user interface for the Nginx web server. The OPENVAS ENTERPRISE FEED includes an active check to identify affected instances.

CVE-2025-66168 (CVSS 8.8) in Apache ActiveMQ Message Broker

An integer overflow flaw [CWE-190] results in failure to properly validate the MQTT control packet’s remaining length field. Exploitation may lead to unexpected behavior including Denial of Service (DoS). The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected Apache ActiveMQ instances. See the vendor’s announcement for more details.

CVE-2026-1603 (CVSS 7.3, EPSS 65th pctl) in Ivanti Endpoint Manager prior to 2024 SU5

A new actively exploited authentication bypass vulnerability [CWE-288] could be exploited to leak credential data from Ivanti Endpoint Manager devices before version 2024 SU5. The OPENVAS ENTERPRISE FEED includes a remote banner check to detect CVE-2026-1603 and CVE-2026-1602 (CVSS 6.5). The two CVEs were disclosed in February 2026, and patches are available from Ivanti’s security advisory. No PoC exploit or detailed technical analysis are publicly available.

CVE-2026-21643 (CVSS 9.8) in FortiClientEMS v7.4.x prior to v7.4.5

An improper neutralization of special elements allows SQL injection [CWE-89] in Fortinet FortiClientEMS 7.4.x prior to v7.4.5. Exploitation can lead to unauthenticated RCE via specifically crafted HTTP requests. A technical root-cause analysis has been published potentially enabling rapid exploit development. Numerous national CERT alerts have been issued [1][2][3][4][5][6][7][8][9][10][11][12][13]. The OPENVAS ENTERPRISE FEED provides a remote banner check for CVE-2026-21643. Update to version 7.4.5 or later. See Fortinet’s official advisory for more information.

Summary

March 2026 brought new cyber risk at all levels of enterprise IT infrastructure. Perimeter networking gear and network appliances were hit especially hard. Other emerging threats included actively exploited flaws in major browsers, enterprise email clients, agentic workflow platforms, core OS components, and virtually every other aspect of the enterprise IT ecosystem. In 2026, hunting for new vulnerabilities regularly is a fundamental cyber security activity, and an essential component of an Exposure Management approach to cybersecurity.

Defenders seeking to detect and protect can try Greenbone’s OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

A field report on open source, competition, enforcement of rights, and the question of how to defend a fair and sustainable open source ecosystem.

Summary

This report describes a real case of misuse of open source software using the example of OPENVAS, the open source vulnerability management system we developed. A market participant had systematically integrated open-source code and data into its own products in violation of license and copyright laws and passed them off as its own work. Here, we report on the technical, forensic, and legal steps that were necessary to prove the misuse and effectively stop it, including warning letters, preliminary injunctions, and the involvement of platform operators. Special attention is paid to a case that was successfully brought in Germany for the first time to enforce the Open Database License (ODbL). The article is aimed at open-source developers, companies, and users and shows the requirements and costs associated with enforcing open source licenses—and why their consistent defense is crucial for a fair and sustainable open source ecosystem.

An in-depth analysis from a legal perspective has been published by IFROSS.

The peacocks and the crow in IT security

When software vendors want to adorn themselves with borrowed plumes, open source is an easy source. Of course, this is not compatible with open source licenses, but who cares? “What’s the worst that could happen?” seem to say some who even build their own business models on the work of others, which they also pass off as their own. Anyone who wants to fight back has a long road ahead of them and will have many interesting and not always pleasant experiences along the way. We did that, and here is our report.

With OPENVAS, we produce a globally popular and widely used open source vulnerability management system. Our project automates the search for security vulnerabilities in IT systems. We have around 200,000 tests to find security vulnerabilities, plus scanners to run them and applications to control the entire process from scanning to reporting. We provide an open source solution free of charge, as well as additional modules and services for our paying customers. This allows us to finance ourselves and also make the solution available to the community free of charge. What we do makes us at least competitive with our proprietary competitors (large international providers, mostly from the US), and in some cases even better. This also makes our code an attractive target.

We know many small providers around the world who offer their own products based on our open source solution. Larger ones sign contracts with us. Many comply with the licenses, others do not. Of course, this annoys us, but on the other hand, we prefer to put our energy into our project rather than engage in legal disputes somewhere in the world. But if a competitor goes too far, we take action. “Going too far” means changing copyright notices in our code and replacing our name with their own company name, ignoring attribution requirements, and violating open source licenses.

We have just successfully pursued such a case. We believe that the story is interesting for various groups: for open source developers, projects and companies, for people interested in legal issues (after all, we have set a legal precedent along the way – more on that later), and also for users of open source products and projects who are interested in the security of their supply chain.

There are essentially five things you need to successfully defend yourself against misuse: time, money, expertise, strong nerves, and a lot of patience. Expertise includes legal expertise, which means a good lawyer who is familiar with open source licenses. Of course, the jurisdiction in which you want to defend yourself is also a decisive factor, as you will always prefer the country in which your company is based, because this has several advantages that are also reflected in the costs. The law under which the case is heard is important. If you want to defend yourself internationally, you also need a law firm with the appropriate resources or network. Unless you are a large company with ample resources, you will not want to choose this route. We therefore conducted the proceedings discussed here in Germany, where our company is headquartered. Another part of the expertise is technical and forensic. After all, you must prove that your own code was used in the abusive application. If the other party does not fulfill its open source obligations and provide the source code, you must obtain the relevant code and prove that your share of it is part of the products that the other party is marketing. It is advisable to purchase the products through a third party to be able to provide proof. 

Once proof has been provided, the next steps are as follows: issue a warning letter and, if the manufacturer does not respond, obtain a preliminary injunction from the court. This prevents the products from being placed on the market until the defect (the abusive and unlicensed use of the software) has been remedied. In our case, the products were also distributed via hyperscaler platforms such as Microsoft Azure. Here, based on the Digital Services Act, the operator can be notified that licenses are being violated, which means that the products can no longer be distributed there because Microsoft (in the case of Azure) blocks them in the store if, for example, the preliminary injunction is pointed out there. This is a very good thing because it puts additional pressure on the product provider. Of course, this is only possible if you have plausible evidence, which can be quite a lot of work to obtain, depending on how much energy the product provider has expended to conceal the unlicensed use of third-party components. In our experience, advanced concealment techniques are used less frequently than expected: we were able to provide clear evidence both that the sources were ours and that it was not a mistake.

In our case, extensions were also linked to our libraries in violation of the copyleft. To conceal the license violation, our copyright notice was added to their own extensions. When we discovered these manipulations, we were naturally astonished at the audacity and immediately investigated further. We found that we were not the only victims of this provider but decided to focus on our own proceedings for the time being.

We had three goals when we started the project: to stop the misuse, to possibly obtain damages, and ultimately to impose the not inconsiderable costs of the proceedings on the other party. We have already achieved one goal: our injunction is legally binding and can no longer be appealed.

We have already achieved a significant legal victory in our proceedings, which has to do with the licensing of our product’s database content. Background: our solutions consist of three components: the application and system code and associated binaries, many thousands of test scripts for vulnerability detection, which together with information on already known vulnerabilities and input on how to fix them form a large database. This database is licensed for our community product under the Open Database Public License (ODbL). The ODbL allows a database to be freely copied, distributed, modified, and used (e.g., for your own applications or analyses). At the same time, it ensures that derived databases remain available under the same freedoms. The well-known geodatabase OpenStreetMap is licensed under the ODbL. Anyone who mixes an ODbL database with their own proprietary content must also place this modified database under the ODbL, which is therefore a copyleft license. In our case, an ODbL database was successfully defended in a license dispute for the first time in Germany. This resulted in a landmark decision that others can now refer to . We are very pleased about this.

And we are going even further: we have currently filed a lawsuit. This will deal with copyright and competition law issues, and will also address the issue of damages.

That sums up a process that has dragged on for several months and will continue into the future. If I were to draw a conclusion today, it would be a positive one: we have won on all important issues so far. We make open source stronger when we enforce its rules. Open source is a cornerstone of our business model, which is why it is important to us at to defend this foundation. On the other hand, the effort involved is considerable. Our business purpose is to provide our users with the greatest possible security for their IT infrastructure, not to engage in legal disputes. We only want to do this in a very measured way and only where the prospects of success are high and the framework conditions are favorable (as in our case here, where we can operate within the familiar legal system). We would like to thank our excellent legal representative, Dr. Till Jaeger from JBViniol, and the outstanding forensic expertise of DN-Systems – without their help, we would not have been able to achieve these successes.

We have a list of just over 100 suspected cases, and we regularly receive reports of such cases from partners, the community, and employees. The conditions are not always as favorable as in this case, and the relevance is not always great enough. Where this is the case, we will act against providers again, despite the considerable effort involved. We want a fair and healthy open source ecosystem, and particularly brazen violations – such as the one reported here – naturally trigger us. With this report, we also want to encourage others and – in keeping with the open source idea – share our knowledge.

Download
Regional Court Berlin II – Judgment, Case No. 15 O 299/25 (redacted version, English translation) – PDF

February 2026’s cyber security headlines were dominated by the sudden emerging risk of CVE-2026-20127, a critical-severity vulnerability in Cisco Catalyst SD-WAN. However, this month, other high-risk vulnerabilities impacting widely deployed enterprise software also opened new gaps for attackers to exploit. To effectively defend IT infrastructure, security teams need granular visibility, reliable threat intelligence for prioritization, and strong leadership for strategic decision-making. Defenders seeking to detect and protect can try Greenbone’s entry-level product OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

Let’s review the highest-risk vulnerabilities in enterprise software from February 2026.

February 2026 Threat Report

CVE-2026-1731: Ransomware Attacks Leveraging Critical BeyondTrust Flaw

CVE-2026-1731 (CVSS 9.8, EPSS ≥ 98th pctl) was published on February 6th, 2026, added to CISA’s Known Exploited Vulnerabilities (KEV) list one week later, and quickly flagged for ransomware attacks. The flaw enables pre-authentication remote code execution (RCE) via OS command injection [CWE-78] in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). CISA set an aggressive deadline of three days for civilian federal agencies to complete remediation, perhaps due to RS and PRA being leveraged in a December 2024 breach of the U.S. Treasury.

The root cause is insufficient verification of the remoteVersion user-supplied input in the thin-scc-wrapper WebSocket handshake. The unsanitized data is injected into a Bash arithmetic evaluation, which can trigger the execution of arbitrary shell commands. A PoC exploit became publicly available on February 10th, and a detailed technical write-up has reduced the burden of exploit development for adversaries. According to Hacktron, who discovered the flaw, ~11,000 affected instances were initially exposed to the internet including ~8,500 on-prem deployments. CVE-2026-1731 has triggered numerous advisories from national CERT agencies globally [1][2][3][4][5][6][7][8][9].

After gaining initial access, attackers created rogue accounts, deployed web shells for RCE, installed command-and-control (C2) tools, achieved defense evasion via DNS tunneling, leveraged PSexec and SMB2 setup requests for lateral movement, and exfiltrated data including full PostgreSQL dumps [10][11]. Incident responders also noted the deployment of SparkRAT and VShell malware.

The timeline of events from disclosure to exploitation:

• 2026-01-31: Hacktron responsibly disclosed CVE-2026-1731 to BeyondTrust.
• 2026-02-02: BeyondTrust releases patches for affected RS and PRA products.
• 2026-02-06: BeyondTrust publishes the BT26-02 advisory, and CVE-2026-1731 is published
• 2026-02-09: Greenbone creates detection tests for the OPENVAS ENTERPRISE FEED [12][13].
• 2026-02-10: Technical analysis and PoC exploit code become publicly available.
• 2026-02-12: GreyNoise reports observation of reconnaissance scanning activity and watchTowr Threat Intelligence reports in-the-wild exploitation.
• 2026-02-13: CISA adds CVE-2026-1731 to the KEV catalog and incident responders share indicators of compromise (IoC) and behavioral indicators [10].
• 2026-02-16: CISA adjusts the remediation deadline to end of Monday, 2026-02-16
• 2026-02-19: Further incident reports reveal additional IoCs, TTPs, and targeted sectors and geographic regions [11].

Greenbone’s OPENVAS ENTERPRISE FEED has included remote banner checks to identify affected RS [12] and PRA [13] instances prior to the active exploitation of CVE-2026-1731. Affected versions are described as RS ≤ 25.3.1 and PRA ≤ 24.3.4. Patches have been available since February 2nd, 2026.

CVE-2026-22769: CVSS 10 in Dell RecoverPoint for VMs Actively Exploited

CVE-2026-22769 (CVSS 10, EPSS ≥ 97th pctl) is a new critical-severity flaw affecting Dell RecoverPoint for Virtual Machines (RP4VMs) that security analysts say has been covertly exploited since at least mid-2024. CISA added CVE-2026-22769 to its KEV list on February 28th and demanded that federal agencies apply patches within three days. The root cause is hardcoded admin credentials [CWE-798] in RP4VMs’ Apache Tomcat Manager configuration. Remote attackers with knowledge of these credentials can gain unauthorized root-level access and persistence on affected devices.

RP4VMs is a VMware-focused data protection and replication product, implemented as software components inside a VMware vSphere environment. Its architecture includes a RecoverPoint write-splitter embedded in the hypervisor and a splitter agent installed on every ESXi host.

No public PoC is known and ransomware victims have not been reported. Previous exploitation has been attributed to the UNC6201 threat actor with the goal of espionage. According to Google Threat Intelligence the Slaystyle web shell [1], Brickstorm [2][3], and a novel backdoor dubbed Grimbolt—a precompiled C# binary—were deployed in the attacks. Several countries have issued national CERT alerts [1][2][3][4][5][6][7][8].

The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances. RP4VMs versions prior to 6.0.3.1 HF1 are affected. Dell has urged users to immediately upgrade to 6.0.3.1 HF1 or employ official remediation steps.

Microsoft Patch Tuesday Includes Six Actively Exploited and More

Microsoft’s February 2026 patch cycle disclosed six actively exploited vulnerabilities and classified five others as “Exploitation More Likely”. All the flaws require software updates for protection; no workarounds or mitigations are available. The new actively exploited Microsoft flaws are:

• CVE-2026-21510 (CVSS 8.8, EPSS ≥ 86th pctl): A protection mechanism failure [CWE-693] in the Windows Shell allows an unauthorized attacker to bypass a security feature over a network.
• CVE-2026-21513 (CVSS 8.8, EPSS ≥ 88th pctl): A protection mechanism failure [CWE-693] in the MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
• CVE-2026-21514 (CVSS 7.8, EPSS ≥ 84th pctl): Microsoft Office Word relies on untrusted inputs in a security decision [CWE-807], allowing an unauthorized attacker to bypass a security feature locally.
• CVE-2026-21519 (CVSS 7.8, EPSS ≥ 84th pctl): A type confusion flaw [CWE-843] in Desktop Window Manager (dwm.exe) allows an authorized attacker to elevate privileges locally.
• CVE-2026-21533 (CVSS 7.8, EPSS ≥ 82nd pctl): Improper privilege management [CWE-269] in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.
• CVE-2026-21525 (CVSS 6.2, EPSS ≥ 84th pctl): A NULL pointer dereference [CWE-476] in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

Aside from Microsoft’s regular patch release, two additional high-risk CVEs were disclosed out-of-band in February 2026:

• CVE-2026-26119 (CVSS 8.8): An improper authentication flaw [CWE-287] in Windows Admin Center (WAC) allows an authorized attacker to elevate privileges over a network. If exploited, the flaw could allow a standard user to achieve full domain compromise. The flaw is not considered actively exploited but is classified as “Exploitation More Likely” by Microsoft. CVE-2026-26119 was patched in WAC version 2511, released in December 2025.
• CVE-2026-2636 (CVSS 5.5): An improper handling of invalid special elements flaw [CWE‑159] can force a call to the KeBugCheckEx function leading to an unrecoverable inconsistency in the sys driver. Exploitation allows an unprivileged user to trigger a system crash. CVE-2026-2636 was patched in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025. Public PoC code and a full technical analysis are available, increasing the risk of exploitation in-the-wild.

Greenbone includes detection for all aforementioned CVEs affecting Microsoft products and regularly produces vulnerability detection checks for Microsoft Security Bulletins [15][16] and other Windows vulnerabilities. Defenders should continuously verify security patch levels to ensure that newly exposed vulnerabilities are mitigated.

New SolarWinds Serv-U CVEs Present High Risk to Enterprise IT

Four CVEs impacting the SolarWinds Serv-U managed file transfer tool were published on February 24th, 2026. While NIST assigned a CVSS score of 7.2, SolarWinds rates each as CVSS 9.1—critical-severity. All flaws allow RCE; as root on Linux and potentially with SYSTEM-level privileges on Windows. However, all four CVEs require admin privileges to exploit.

Although active exploitation has not been reported and no public PoC or detailed exploitation writeups are available, a 2024 vulnerability in SolarWinds Serv-U was weaponized and actively exploited within weeks. SolarWinds’ popularity with large organizations makes it a popular target. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances of Serv-U. Users should upgrade to v15.5.4 as soon as possible.

The four new high-risk CVEs affecting SolarWinds Serv-U are:

• CVE-2025-40538 (CVSS 7.2): A broken access control [​​CWE-269] allows an authenticated Serv-U admin user to create a system admin user and execute arbitrary code as a privileged domain admin or group admin.
• CVE-2025-40539 (CVSS 7.2): A type confusion vulnerability [CWE-704] allows an admin authenticated attacker to execute arbitrary native code as a privileged account.
• CVE-2025-40540 (CVSS 7.2): A type confusion flaw [CWE-704] allows an authenticated user to execute arbitrary native code as a privileged user.
• CVE-2025-40541 (CVSS 7.2): An Insecure Direct Object Reference (IDOR) flaw allows native code to be executed as a privileged account by an authenticated Serv-U administrator.

CVE-2026-2329: PoC Exploit for New Grandstream GXP1600 Series IP Phones

CVE-2026-2329 (CVSS 9.8, EPSS ≥ 97th pctl) allows unauthenticated RCE as the device’s root user on Grandstream GXP1600-series VoIP phones. CVE-2026-2329 is a stack-based buffer overflow flaw [CWE-121] caused by improper bounds checking in the /cgi-bin/api.values.get HTTP API. It is not known to be actively exploited. However, a full technical analysis and a Metasploit exploit module are available increasing the risk of attacks.

Exploitation of CVE-2026-2329 could allow an attacker to:

• Execute arbitrary OS commands [T1059] on the phone as the root user
• Maintain persistent access to compromised devices [T1543]
• Dump stored secrets [T1552] from the device such as local user accounts and SIP account credentials and leverage them in subsequent attacks [T1078]
• Reconfigure SIP settings to point at an attacker-controlled SIP proxy, enabling transparent call interception [T1557] and audio eavesdropping [T1040]

The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable devices. Grandstream GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630 devices with firmware version prior to 1.0.7.81 are affected. Users should update to firmware version 1.0.7.81 or later.

Unauthenticated RCE in VMware Aria Operations During Support-Assisted Migration and More

Since late 2025, security researchers have reported increasing risk to VM environments [1][2]. This month, new threats in this domain included several new vulnerabilities affecting VMware Aria Operations. Aria Operations is a largely automated platform for monitoring, performance analytics, and planning for vSphere VM fleets and hybrid-cloud infrastructure.

The new CVEs affecting VMware Aria Operations are:

• CVE-2026-22719 (CVSS 8.1): A command injection vulnerability [CWE-77] allows an unauthenticated attacker to execute arbitrary commands remotely while support-assisted product migration is in progress. Support-assisted product migration is a workflow that involves VMware Support as part of a product transition/upgrade.
• CVE-2026-22720 (CVSS 8.0): A stored cross-site scripting vulnerability [CWE-79] allows an attacker with privileges to create custom benchmarks and inject scripts to perform administrative actions.
• CVE-2026-22721 (CVSS 6.2): A privilege escalation vulnerability [CWE-269] allows an attacker with vCenter to access Aria Operations to obtain administrative access.

VMware Aria Operations version 8.x are affected and v8.18.6 mitigates all three CVEs. A workaround for CVE-2026-22719 has been made available as a shell script that removes passwordless sudo privileges in the /etc/sudoers file and deletes a migration launcher script. The workaround does not mitigate CVE-2026-22720 or CVE-2026-22721. The OPENVAS ENTERPRISE FEED includes a remote banner check to detect affected Aria Operations nodes.

More Critical CVEs Affect Trend Micro Apex One

Just last month, the Greenbone Threat Report reviewed an authenticated RCE flaw in Trend Micro Apex One. In February, Trend Micro issued another emergency security bulletin, disclosing nine new vulnerabilities in its Apex One endpoint security platform. Curiously, the issued CVE IDs have not appeared in the MITRE CVE repository or NIST NVD as of March 3rd, 2026.

According to Trend Micro, the flaws range in severity from CVSS 7.2 (High) to 9.8 (Critical). The two critical-severity CVEs allow unauthenticated RCE via malicious file upload, while the High severity CVEs all permit local privilege escalation. The OPENVAS ENTERPRISE FEED includes a Windows registry version check for affected instances of Apex One for Windows. Affected users should apply Critical Patch (CP) Build 14136 for Apex One 2019 (on-premises) as soon as possible.

New Authenticated RCE Flaws Affect Kubernetes Ingress NGINX Controller

Two new High severity CVEs were exposed affecting the Kubernetes Ingress NGINX controller along with one Medium and another Low severity CVE. Both new High-severity flaws require Kubernetes API/RBAC privileges and only instances with the Ingress NGINX component are affected. Ingress NGINX is one of several Ingress controller implementations for Kubernetes. It’s important to note that support for Ingress NGINX will end in March 2026. The Kubernetes blog suggests migrating to the Gateway API. Several national CERT alerts were issued [1][2][3][4][5].

The High severity CVEs are:

• CVE-2026-1580 (CVSS 8.8): The ingress.kubernetes.io/auth-method Ingress annotation can be used to inject nginx configurations, leading to arbitrary authenticated RCE in the context of the ingress-nginx controller and potentially, disclosure of all Secrets cluster-wide.
• CVE-2026-24512 (CVSS 8.8): The http.paths.path Ingress field can be used to inject nginx configurations, leading to arbitrary authenticated RCE in the context of the ingress-nginx controller and potentially, disclosure of all Secrets cluster-wide.

The OPENVAS ENTERPRISE FEED has included an executable version check for all new CVEs in the security alert within hours of disclosure. Ingress NGINX versions 1.13.x prior to 1.13.7 and 1.14.x prior to v1.14.3 are affected. Users who must rely on Ingress NGINX should upgrade to v1.13.7, v1.14.3, or later.

Summary

This month’s Threat Report summarizes the highest-impact vulnerabilities and exploitation trends observed in February 2026. Several new CVEs have been tied to in-the-wild exploit activity, ransomware operations, and rapid exploitation development. Defenders seeking to detect and protect can try Greenbone’s entry-level product OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

So far, 2026 is off to a raucous start. With so much activity in the software vulnerability landscape it’s easy to understand the concerns of global executives discussed in Part 1 of the January 2026 Threat Report. This volatility also highlights the value of Greenbone’s industry-leading detection coverage. In Part 2 of the January Threat report we cover more critical vulnerabilities exposed in the first month of 2026.

Defenders need to scan widely and scan often to detect new threats in their infrastructure and prioritize mitigation efforts based on the potential impact to business operations, privacy regulations, and other compliance responsibilities. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.

Threat Report January 2026: Part 2

CVE-2025-69258: TrendMicro Apex Central Allows Unauthenticated RCE as SYSTEM

CVE-2025-69258 (CVSS 9.8) affecting Trend Micro Apex Central on-premises for Windows can allow unauthenticated RCE with SYSTEM-level privileges. Two additional CVEs, CVE-2025-69259 and CVE-2025-69260 (both CVSS 7.5) published at the same time allow denial of service (DoS) conditions. The root cause of CVE-2025-69258 is a buffer overflow [CWE-120] due to unsafe LoadLibraryEx usage and improper message handling. The bug leads to DLL injection, NULL handling flaws, and out-of-bounds reads.

Apex Central is a centralized management system for administering and monitoring Trend Micro security products across an organization, making it a prime target for attackers. On-premises Windows builds below 7190 are vulnerable. Apex Central does not include an automatic update mechanism for itself; administrators must manually install patches and upgrades. The vendor’s security advisory describes prerequisite software (such as Service Packs) that may need to be installed before the Critical Patch Build 7190 can be installed.

The CVEs are not confirmed as actively exploited, but full technical details and proof-of-concept exploits have been published for all three CVEs, significantly increasing their risk. Greenbone’s OPENVAS ENTERPRISE FEED includes a local registry check to detect all aforementioned CVEs.

Two New Actively Exploited Ivanti EPMM Flaws

Two new flaws affecting Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) were published on January 29th, 2026, and CVE-2026-1281 was immediately added to CISA’s KEV list that same day. Both CVEs allow unauthenticated RCE via code injection due to improper control of generated code [CWE-94]. Both are caused by pre-authenticated Apache RewriteMap integrations that pass attacker-controlled HTTP parameters into a Bash script that allows command substitution and remote shell command execution.

Once an EPMM device has been compromised, attackers may deploy backdoors [TA0011], seek lateral movement [TA0008] within the victim’s network or steal sensitive information [T1005] stored on the EPMM appliance. This may include administrator credentials [TA0006] and mobile device data including GPS location [T1430] and IMEI values [T1426]. Exploitation also allows configuration tampering [T1562] via the API or web console [T1102].

A detailed technical analysis has been released by watchTowr Labs, but push-button exploit kits are not publicly available. Furthermore, exploitation has not yet been linked to ransomware operations. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner version check to identify affected instances. Both vulnerabilities affect on-prem instances of Ivanti EPMM. See Ivanti’s official advisory and analysis guidance for more specific information about affected versions, steps for installing the patches, and known indicators of compromise (IoC). Ivanti advises that simply installing the patch is not sufficient mitigation. Users should also hunt for IoC and initiate incident response processes followed by a full system rebuild if found.

CVE-2025-34026: Versa Concerto Actively Exploited

CVE-2025-34026 (CVSS 7.6, EPSS ≥ 98th pctl), published on May 21st, 2025, was added to CISA’s KEV list on January 22nd, 2026. The flaw allows authentication bypass leading to access to administrative endpoints in the Versa Concerto SD-WAN orchestration platform. The root cause is improper request handling in the exposed Traefik reverse proxy and Spring Boot Actuator endpoint. Exploitation enables access to heap dumps and trace logs that may contain plaintext credentials and session tokens.

Other Concerto vulnerabilities, CVE-2025-34027 (CVSS 10, EPSS ≥ 87th pctl) and CVE-2025-34025 (CVSS 8.6) can also lead to full system compromise, but reports of their active exploitation have not emerged. Both additional CVEs were also published on May 21st, 2025. Although a full technical analysis is available, public PoC exploits are not.

The OPENVAS ENTERPRISE FEED has included an active check for CVE-2025-34026 and another for CVE-2025-34027 since May 2025, giving defenders early notice to take defensive measures. These checks send specially crafted HTTP requests to identify vulnerable instances. The flaw was patched in Concerto version 12.2.1 GA released on April 16, 2025. Users should apply updates with urgency.

Ni8Mare and Steady Stream of Critical n8n CVEs Since Late 2025

CVE-2026-21858 (aka Ni8Mare, CVSS 10, EPSS ≥ 90th pctl) is the most critical among a steady stream of critical n8n vulnerabilities that have surfaced since late 2025 affecting versions 1.x for both self-hosted and n8 Cloud instances. CVE-2026-21858 can be triggered remotely without authentication and allows full workflow-automation platform takeover. Multiple technical analyses are available for CVE-2026-21858 [1][2].

n8n is an open-source, fair-code workflow automation platform that enables users to visually connect applications, APIs, and services into automated processes. n8n’s workflow repository includes over 7,800 published workflows indicating the application is widely used.

Other critical and high-severity flaws disclosed in n8n versions 0.x and 1.x since late 2025 include:

• CVE-2026-21877 (CVSS 9.9, EPSS ≥ 94th pctl): An authenticated attacker may upload a malicious file type [CWE-434] to the n8n instance that allows RCE, potentially resulting in full system compromise. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading is recommended. This issue is fixed in version 1.121.3 and more information is available from the vendor’s security advisory.
• CVE-2025-68668 (CVSS 9.9, EPSS ≥ 13th pctl): A sandbox bypass vulnerability [CWE-693] in the Python Code node that uses Pyodide. An authenticated user with permissions to create or modify workflows can execute arbitrary commands on the host with n8n process privileges. Workarounds include: disabling the Code node entirely, disabling Python support in the Code node, and configuring n8n to use the task runner Python sandbox. A full root-cause analysis is available for CVE-2025-68668 increasing the risk. The issue is fixed in version 2.0.0, and more information is available in the vendor’s security advisory.
• CVE-2025-68613 (CVSS 8.8, EPSS ≥ 99th pctl): An RCE flaw in the n8n workflow expression evaluation system that allows expressions supplied by authenticated users to be evaluated in an unsandboxed execution environment [CWE-913] under certain conditions. An authenticated user could achieve RCE with n8n process privileges. Multiple PoC exploits [3][4][5] and a Metasploit module are available for CVE-2025-68613 increasing the risk. This issue is fixed in versions 1.120.4, 1.121.1, and 1.122.0, and more information is available in the vendor’s security advisory.
• CVE-2025-65964 (CVSS 8.8, EPSS ≥ 5th pctl): The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook. This could allow arbitrary command execution on the n8n host during Git operations. A full technical description and exploit chain is available. Exploitation requires n8n workflow privileges using the Git node. Workarounds include excluding the Git node and avoiding cloning or interacting with untrusted repositories using the Git node. This issue is fixed in version 1.119.2 and more information is available in the vendor’s security advisory.

Multiple CERT advisories have been issued globally addressing one or more of the aforementioned CVEs [6][7][8][9][10][11][12][13][14]. Active attack campaigns leveraging these CVEs have not been disclosed. The OPENVAS ENTERPRISE FEED includes multiple remote banner version checks to detect all the aforementioned vulnerabilities [15][16][17][18][19] as well as detection for many other CVEs affecting n8n.

n8n version 2.0 was released in December 2025 and is not affected by the aforementioned CVEs. n8n versions 0.x and 1.x users should identify the most recent fully patched version and update as soon as possible.

CVE-2025-15467: Critical Flaw Affecting OpenSSL 3

CVE-2025-15467 (CVSS 9.8, EPSS ≥ 71st pctl) is the most critical among twelve new vulnerabilities affecting the widely used OpenSSL toolkit. The flaw is exploited by passing a malicious Cryptographic Message Syntax (CMS) [RFC5652] AuthEnvelopedData message [RFC5083] using an Authenticated Encryption with Associated Data (AEAD) cipher (e.g., AES-GCM) to inject an oversized ASN.1-encoded initialization vector (IV). OpenSSL copies the oversized IV into a fixed-size stack buffer without length checks [CWE-787]. The result is a pre-authentication stack overflow that allows arbitrary RCE and DoS.

CVE-2025-15467 does not affect day-to-day SSL/TLS operations since TLS uses the X.509 certificate standard [RFC5280]. However, email clients or plugins that support S/MIME AuthEnvelopedData from untrusted inbound mail are one example of a potential attack chain. A full technical description is available for CVE-2025-15467 increasing the risk of exploit kit development. Multiple national CERT alerts have been issued globally for CVE-2025-15467 [1][2][3][4][5][6].

The twelve CVEs, disclosed by security researcher Stanislav Fort, were reportedly discovered via AI-based software analysis. This achievement comes at a time when other software maintainers and security researchers assert that AI-submitted bug reports (dubbed “AI-slop”) are effectively disrupting their bug tracking operations [7][8][9][10] and in some cases, AI-generated CVE reports are not valid bugs to begin with.

The OPENVAS ENTERPRISE FEED includes multiple detection tests for various Linux distros and Windows installations of OpenSSL for CVE-2025-15467 and eleven other recently disclosed CVEs. All twelve of the CVEs affect OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6.0 (released on October 1, 2025) and are fixed in versions 3.0.19, 3.3.6, 3.4.4, 3.5.5, and 3.6.1.

Hypervisor Risk Remains Elevated in Early 2026

2025’s final threat report described a reported increase in cyber attacks targeting hypervisor platforms in late 2025. This trend is poised to continue into 2026. In January, several high-risk vulnerabilities were published for popular virtualization platforms. Due to the critical role of hypervisors in securely isolating critical workloads in enterprise network infrastructure, patches should be considered a top priority.

CVE-2024-37079: Active Campaigns Targeting VMware Hypervisors

In the December 2025 Threat Report, we discussed a new intelligence report from Huntress describing a sharp spike in cyber attacks against hypervisors. The attacks targeted VMWare ESXi, Workstation, and Fusion, leveraging CVE-2025-22224 (CVSS 8.2), CVE-2025-22225 (CVSS 8.2), and CVE-2025-22226 (CVSS 6.0) by executing code as the VMX process, escaping the VMX sandbox, and leaking memory from the VMX process, respectively. Greenbone includes a variety of checks for detecting these actively exploited CVEs [1][2][3][4].

In January 2026, CVE-2024-37079 (CVSS 9.8), affecting VMware vCenter Server versions 7 and 8, was added to CISA’s KEV list. The vulnerability, published in mid-2024, allows an unauthenticated attacker to achieve RCE by exploiting a heap-overflow vulnerability to trigger an out-of-bounds memory write [CWE-787]. CVE-2024-37080 (CVSS 9.8) was published at the same time, but has not been observed in active attacks. Both CVEs are flaws in vCenter’s DCERPC (Distributed Computing Environment Remote Procedure Call) protocol implementation. DCERPC is a key technology for remote control of adjacent remote systems.

Oracle Fixes 11 High Severity VirtualBox Flaws in 2026’s First Patch Release

Oracle’s January 2026 security patch release included eleven high-severity CVEs affecting VirtualBox versions 7.1.14 (released October 10th, 2025) and version 7.2.4 (released October 21, 2025). Most of the vulnerabilities require local access. The high-severity disclosures include:

• CVE-2026-21955 (CVSS 8.2): a high-severity vulnerability found in the core component of Oracle VirtualBox. The flaw allows a privileged, local attacker to compromise the virtualization software, with potential for full VirtualBox system takeover and unauthorized access to critical data.
• CVE-2026-21956 (CVSS 8.2): a flaw in the core component of Oracle VirtualBox that allows a privileged attacker with logon privileges to compromise the integrity of VirtualBox and significantly impact additional products.

The new batch of VirtualBox flaws are not considered actively exploited and no public PoC exploits are available. Multiple national CERT advisories have been issued globally for Oracle’s latest security update [1][2][3][4][5]. Greenbone’s OPENVAS ENTERPRISE FEED detects all newly disclosed VirtualBox flaws across Windows, Linux, and macOS environments [5][6][7]. Users should update their VirtualBox instance to a patched version as soon as possible.

Other Notable High-Risk CVEs From January 2026

Here is a quick snapshot of other high-risk CVEs published in January 2026:

• BIND9 Denial of Service (CVE-2025-13878, CVSS 7.5): Allows unauthenticated remote attackers to cause DoS in ISC BIND 9. There are no reports of active exploitation or public PoC exploits. The issue impacts both authoritative servers and resolvers, and is fixed in BIND 9.18.44, 9.20.18, and 9.21.17 [1]. The OPENVAS ENTERPRISE FEED provides package-level detection across a wide array of Linux distributions and a remote banner check for Windows.
• Critical-Severity GitLab Vulnerability Plus More (CVE-2025-13761, CVSS 9.6): GitLab has released security updates7.1, 18.6.3, and 18.5.5 to patch multiple vulnerabilities in self-managed instances. The update cycle included critical-severity stored and reflected XSS that could enable arbitrary JavaScript execution in users’ browsers. Collectively the issues could impact integrity, confidentiality, and availability across most deployment types. Administrators should upgrade immediately and pay close attention to GitLab’s fast moving patch cycle. The OPENVAS ENTERPRISE FEED includes detection for all CVEs in the batch.
• Multiple Critical CVEs Affecting CoolLabs Coolify: Eleven new vulnerabilities affecting CoolLabs Coolify were released as a group in early January, 2026. Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. The project’s GitHub repository shows ~50.5k stars, ~3.6k forks, and 575 contributors, signaling an active presence. More details are available on the product’s GitHub security page. The OPENVAS ENTERPRISE FEED provides detection for all eleven CVEs in the release.
• Unauthenticated RCE in telnetd (CVE-2026-24061, CVSS 9.8): The telnet remote access application has been considered a critical security risk for decades. It does not provide encryption for data in transit, making adversary-in-the-middle (AiTM) attacks [T1157] trivial. However, CVE-2026-24061 uncovers an even more severe risk that goes back to version 1.9.3, released May 2015. CVE-2026-24061 is an authentication bypass in GNU InetUtils telnetd, allowing attackers without credentials to gain root user access remotely. Multiple descriptions [1][2] and PoC are available [3][4][5] and numerous CERT advisories have been issued globally [6][7][8][9][10]. For users who require legacy support from the telnet service, patches have been issued. Otherwise users should ensure the service is uninstalled since it can also be exploited locally for privilege escalation. The OPENVAS ENTERPRISE FEED provides a set of package version checks for Linux and an active check effective for all operating systems [11].

Summary

With so much activity in the software vulnerability landscape, it’s easy to understand the concerns of global executives discussed in Part 1 of the January 2026 Threat Report. This volatility also highlights the value of Greenbone’s industry-leading detection coverage. January 2026 was so hectic, it deserved two threat reports. In Part 2 of the January 2026 Threat Report we reviewed another cluster of emerging high-risk software vulnerabilities. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.