{"text": "CISA has added CVE-2026-39987 to the Known Exploited Vulnerabilities Catalog. Marimo contains a pre-authorization remote code execution vulnerability, allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands. Organizations using Marimo should apply patches immediately.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "CVE_ID: CVE-2026-39987": [[15, 29]], "SYSTEM: Marimo": [[78, 84], [268, 274]], "VULNERABILITY: remote code execution vulnerability": [[114, 149]]}, "info": {"id": "cisa_00000", "source": "cisa_advisories"}} {"text": "Microsoft Defender is affected by CVE-2026-33825, an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally. Microsoft has released a security update to address this issue. Administrators should apply the patch from the Microsoft Security Response Center.", "spans": {"SYSTEM: Microsoft Defender": [[0, 18]], "CVE_ID: CVE-2026-33825": [[34, 48]], "VULNERABILITY: insufficient granularity of access control vulnerability": [[53, 109]], "ORGANIZATION: Microsoft": [[182, 191]], "ORGANIZATION: Microsoft Security Response Center": [[293, 327]]}, "info": {"id": "cisa_00001", "source": "cisa_advisories"}} {"text": "CISA issued Emergency Directive 26-03 to mitigate vulnerabilities in Cisco SD-WAN systems. CVE-2026-20122 affects Cisco Catalyst SD-WAN Manager due to incorrect use of privileged APIs. CVE-2026-20133 exposes sensitive information to unauthorized actors. CVE-2026-20128 involves storing passwords in a recoverable format. 
Federal agencies must remediate these Cisco vulnerabilities by April 23, 2026.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "SYSTEM: Cisco SD-WAN": [[69, 81]], "CVE_ID: CVE-2026-20122": [[91, 105]], "SYSTEM: Cisco Catalyst SD-WAN Manager": [[114, 143]], "VULNERABILITY: incorrect use of privileged APIs": [[151, 183]], "CVE_ID: CVE-2026-20133": [[185, 199]], "CVE_ID: CVE-2026-20128": [[254, 268]], "VULNERABILITY: storing passwords in a recoverable format": [[278, 319]], "ORGANIZATION: Cisco": [[359, 364]]}, "info": {"id": "cisa_00002", "source": "cisa_advisories"}} {"text": "CVE-2026-20131 is a critical deserialization of untrusted data vulnerability in Cisco Secure Firewall Management Center and Cisco Security Cloud Control. An unauthenticated, remote attacker could execute arbitrary Java code as root on affected devices. This vulnerability has been associated with known ransomware campaigns. CISA urges all organizations to prioritize patching.", "spans": {"CVE_ID: CVE-2026-20131": [[0, 14]], "VULNERABILITY: deserialization of untrusted data vulnerability": [[29, 76]], "SYSTEM: Cisco Secure Firewall Management Center": [[80, 119]], "SYSTEM: Cisco Security Cloud Control": [[124, 152]], "ORGANIZATION: CISA": [[325, 329]]}, "info": {"id": "cisa_00003", "source": "cisa_advisories"}} {"text": "Fortinet has disclosed CVE-2026-21643, a SQL injection vulnerability in FortiClient EMS that may allow an unauthenticated attacker to execute unauthorized code via specifically crafted HTTP requests. Additionally, CVE-2026-35616 describes an improper access control vulnerability in FortiClient EMS. 
Fortinet customers should consult FortiGuard advisories and upgrade to patched versions immediately.", "spans": {"ORGANIZATION: Fortinet": [[0, 8], [300, 308]], "CVE_ID: CVE-2026-21643": [[23, 37]], "VULNERABILITY: SQL injection vulnerability": [[41, 68]], "SYSTEM: FortiClient EMS": [[72, 87], [283, 298]], "CVE_ID: CVE-2026-35616": [[214, 228]], "VULNERABILITY: improper access control vulnerability": [[242, 279]], "ORGANIZATION: FortiGuard": [[334, 344]]}, "info": {"id": "cisa_00004", "source": "cisa_advisories"}} {"text": "Ivanti Endpoint Manager Mobile is vulnerable to CVE-2026-1340, a code injection vulnerability that allows unauthenticated remote code execution. Separately, CVE-2026-1603 affects Ivanti Endpoint Manager with an authentication bypass vulnerability. Ivanti has released security updates for both products. CISA recommends all federal agencies apply mitigations per Ivanti's guidance.", "spans": {"SYSTEM: Ivanti Endpoint Manager Mobile": [[0, 30]], "CVE_ID: CVE-2026-1340": [[48, 61]], "VULNERABILITY: code injection vulnerability": [[65, 93]], "CVE_ID: CVE-2026-1603": [[157, 170]], "SYSTEM: Ivanti Endpoint Manager": [[179, 202]], "VULNERABILITY: authentication bypass vulnerability": [[211, 246]], "ORGANIZATION: Ivanti": [[248, 254], [363, 369]], "ORGANIZATION: CISA": [[304, 308]]}, "info": {"id": "cisa_00005", "source": "cisa_advisories"}} {"text": "The Apache Software Foundation has patched CVE-2026-34197, an improper input validation vulnerability in Apache ActiveMQ that allows for code injection. Organizations running Apache ActiveMQ should upgrade to the latest version. 
This vulnerability was added to the CISA KEV catalog on April 16, 2026.", "spans": {"ORGANIZATION: Apache Software Foundation": [[4, 30]], "CVE_ID: CVE-2026-34197": [[43, 57]], "VULNERABILITY: improper input validation vulnerability": [[62, 101]], "SYSTEM: Apache ActiveMQ": [[105, 120], [175, 190]], "ORGANIZATION: CISA": [[265, 269]]}, "info": {"id": "cisa_00006", "source": "cisa_advisories"}} {"text": "CVE-2025-53521 is a stack-based buffer overflow vulnerability in F5 BIG-IP APM that could allow remote code execution. F5 has released mitigation guidance and urges customers to check for signs of compromise. CISA added this vulnerability to the KEV catalog with a remediation deadline of March 30, 2026.", "spans": {"CVE_ID: CVE-2025-53521": [[0, 14]], "VULNERABILITY: stack-based buffer overflow vulnerability": [[20, 61]], "SYSTEM: F5 BIG-IP APM": [[65, 78]], "ORGANIZATION: F5": [[119, 121]], "ORGANIZATION: CISA": [[209, 213]]}, "info": {"id": "cisa_00007", "source": "cisa_advisories"}} {"text": "Aquasecurity Trivy is affected by CVE-2026-33634, an embedded malicious code vulnerability representing a supply chain compromise. Exploitation could allow an attacker to access all tokens, SSH keys, cloud credentials, and database passwords in the CI/CD environment. Organizations should audit their Trivy installations and follow vendor remediation steps.", "spans": {"SYSTEM: Trivy": [[13, 18], [301, 306]], "CVE_ID: CVE-2026-33634": [[34, 48]], "VULNERABILITY: embedded malicious code vulnerability": [[53, 90]], "VULNERABILITY: supply chain compromise": [[106, 129]]}, "info": {"id": "cisa_00008", "source": "cisa_advisories"}} {"text": "CISA warns that CVE-2026-3055 affects Citrix NetScaler ADC, NetScaler Gateway, and NetScaler ADC FIPS when configured as a SAML identity provider. This out-of-bounds read vulnerability could lead to memory overread. Citrix has published remediation guidance. 
Federal agencies must comply with BOD 22-01.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "CVE_ID: CVE-2026-3055": [[16, 29]], "SYSTEM: Citrix NetScaler ADC": [[38, 58]], "SYSTEM: NetScaler Gateway": [[60, 77]], "VULNERABILITY: out-of-bounds read vulnerability": [[152, 184]], "ORGANIZATION: Citrix": [[216, 222]]}, "info": {"id": "cisa_00009", "source": "cisa_advisories"}} {"text": "Broadcom VMware Aria Operations, formerly known as vRealize Operations, is impacted by CVE-2026-22719, a command injection vulnerability that allows unauthenticated remote code execution. Qualcomm has also disclosed CVE-2026-21385, a memory corruption vulnerability affecting multiple chipsets. Both vulnerabilities were added to the CISA KEV catalog on March 3, 2026.", "spans": {"SYSTEM: VMware Aria Operations": [[9, 31]], "ORGANIZATION: Broadcom": [[0, 8]], "CVE_ID: CVE-2026-22719": [[87, 101]], "VULNERABILITY: command injection vulnerability": [[105, 136]], "ORGANIZATION: Qualcomm": [[188, 196]], "CVE_ID: CVE-2026-21385": [[216, 230]], "VULNERABILITY: memory corruption vulnerability": [[234, 265]], "ORGANIZATION: CISA": [[334, 338]]}, "info": {"id": "cisa_00010", "source": "cisa_advisories"}} {"text": "Google has patched two critical zero-day vulnerabilities in Chromium. CVE-2026-3910 is an improper restriction of operations within the bounds of a memory buffer in Chromium V8 that could allow remote code execution via a crafted HTML page. CVE-2026-5281 is a use-after-free vulnerability in Google Dawn. 
Both affect Google Chrome, Microsoft Edge, and Opera.", "spans": {"ORGANIZATION: Google": [[0, 6]], "SYSTEM: Chromium": [[60, 68]], "CVE_ID: CVE-2026-3910": [[70, 83]], "VULNERABILITY: improper restriction of operations within the bounds of a memory buffer": [[90, 161]], "SYSTEM: Chromium V8": [[165, 176]], "CVE_ID: CVE-2026-5281": [[241, 254]], "VULNERABILITY: use-after-free vulnerability": [[260, 288]], "SYSTEM: Google Dawn": [[292, 303]], "SYSTEM: Google Chrome": [[317, 330]], "SYSTEM: Microsoft Edge": [[332, 346]], "SYSTEM: Opera": [[352, 357]]}, "info": {"id": "cisa_00011", "source": "cisa_advisories"}} {"text": "Apple has released security updates addressing CVE-2025-43510, an improper locking vulnerability affecting watchOS, iOS, iPadOS, macOS, visionOS, and tvOS. CVE-2025-43520 is a classic buffer overflow vulnerability in the same Apple products. CVE-2025-31277 is a buffer overflow in Apple Safari that could lead to memory corruption through maliciously crafted web content.", "spans": {"ORGANIZATION: Apple": [[0, 5], [226, 231]], "CVE_ID: CVE-2025-43510": [[47, 61]], "VULNERABILITY: improper locking vulnerability": [[66, 96]], "SYSTEM: watchOS": [[107, 114]], "SYSTEM: iOS": [[116, 119]], "SYSTEM: iPadOS": [[121, 127]], "SYSTEM: macOS": [[129, 134]], "SYSTEM: visionOS": [[136, 144]], "SYSTEM: tvOS": [[150, 154]], "CVE_ID: CVE-2025-43520": [[156, 170]], "VULNERABILITY: buffer overflow vulnerability": [[184, 213]], "CVE_ID: CVE-2025-31277": [[242, 256]], "SYSTEM: Apple Safari": [[281, 293]]}, "info": {"id": "cisa_00012", "source": "cisa_advisories"}} {"text": "Microsoft Exchange Server has been added to the CISA KEV catalog for CVE-2023-21529, a deserialization of untrusted data vulnerability that allows authenticated remote code execution. This vulnerability has known usage in ransomware campaigns. 
Microsoft SharePoint Server is also affected by CVE-2026-32201, an improper input validation vulnerability enabling spoofing attacks over a network.", "spans": {"SYSTEM: Microsoft Exchange Server": [[0, 25]], "ORGANIZATION: CISA": [[48, 52]], "CVE_ID: CVE-2023-21529": [[69, 83]], "VULNERABILITY: deserialization of untrusted data vulnerability": [[87, 134]], "SYSTEM: Microsoft SharePoint Server": [[244, 271]], "CVE_ID: CVE-2026-32201": [[292, 306]], "VULNERABILITY: improper input validation vulnerability": [[311, 350]]}, "info": {"id": "cisa_00013", "source": "cisa_advisories"}} {"text": "SolarWinds Web Help Desk is affected by CVE-2025-26399, a deserialization of untrusted data vulnerability in the AjaxProxy component that could allow command execution on the host machine. SolarWinds urges customers to apply the hotfix for Web Help Desk version 12.8.7. CISA added this to the KEV catalog with a March 12, 2026 deadline.", "spans": {"SYSTEM: SolarWinds Web Help Desk": [[0, 24]], "CVE_ID: CVE-2025-26399": [[40, 54]], "VULNERABILITY: deserialization of untrusted data vulnerability": [[58, 105]], "ORGANIZATION: SolarWinds": [[189, 199]], "ORGANIZATION: CISA": [[270, 274]]}, "info": {"id": "cisa_00014", "source": "cisa_advisories"}} {"text": "The FBI, CISA, and NSA have released a joint cybersecurity advisory warning that Volt Typhoon, a People's Republic of China state-sponsored threat actor, has compromised critical infrastructure networks. The threat actor exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure to gain initial access. 
Volt Typhoon leveraged living-off-the-land techniques using PowerShell, WMI, and ntdsutil.exe to extract Active Directory credentials.", "spans": {"ORGANIZATION: FBI": [[4, 7]], "ORGANIZATION: CISA": [[9, 13]], "ORGANIZATION: NSA": [[19, 22]], "THREAT_ACTOR: Volt Typhoon": [[81, 93], [314, 326]], "CVE_ID: CVE-2023-46805": [[231, 245]], "CVE_ID: CVE-2024-21887": [[250, 264]], "SYSTEM: Ivanti Connect Secure": [[268, 289]], "TOOL: PowerShell": [[374, 384]], "TOOL: WMI": [[386, 389]], "TOOL: ntdsutil.exe": [[395, 407]], "SYSTEM: Active Directory": [[419, 435]]}, "info": {"id": "cisa_00015", "source": "cisa_advisories"}} {"text": "APT29, also known as Cozy Bear, has been observed exploiting CVE-2023-42793 in JetBrains TeamCity to gain initial access to victim networks. The threat group deployed a custom backdoor communicating with the command and control server at 185.193.126.51 over HTTPS. Mandiant and Microsoft have attributed this campaign to the Russian Foreign Intelligence Service. The attackers used Mimikatz for credential harvesting and Cobalt Strike beacons for lateral movement.", "spans": {"THREAT_ACTOR: APT29": [[0, 5]], "THREAT_ACTOR: Cozy Bear": [[21, 30]], "CVE_ID: CVE-2023-42793": [[61, 75]], "SYSTEM: JetBrains TeamCity": [[79, 97]], "IP_ADDRESS: 185.193.126.51": [[238, 252]], "ORGANIZATION: Mandiant": [[265, 273]], "ORGANIZATION: Microsoft": [[278, 287]], "TOOL: Mimikatz": [[382, 390]], "MALWARE: Cobalt Strike": [[421, 434]]}, "info": {"id": "cisa_00016", "source": "cisa_advisories"}} {"text": "CISA and FBI warn that the ransomware group known as BlackCat (ALPHV) is targeting the healthcare sector. Actors have been observed exploiting CVE-2021-44228 in Apache Log4j and CVE-2024-1709 in ConnectWise ScreenConnect for initial access. Indicators of compromise include the domain api.clearnetwork[.]org and the SHA256 hash a3e4b0e7f8c2d1a6b9c5d3e2f1a0b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1. 
Victims should report incidents to the FBI Internet Crime Complaint Center.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "ORGANIZATION: FBI": [[9, 12]], "MALWARE: BlackCat": [[53, 61]], "THREAT_ACTOR: ALPHV": [[63, 68]], "CVE_ID: CVE-2021-44228": [[143, 157]], "SYSTEM: Apache Log4j": [[161, 173]], "CVE_ID: CVE-2024-1709": [[178, 191]], "SYSTEM: ConnectWise ScreenConnect": [[195, 220]], "DOMAIN: api.clearnetwork[.]org": [[285, 307]], "HASH: a3e4b0e7f8c2d1a6b9c5d3e2f1a0b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1": [[328, 392]], "ORGANIZATION: FBI Internet Crime Complaint Center": [[433, 468]]}, "info": {"id": "cisa_00017", "source": "cisa_advisories"}} {"text": "The Lazarus Group exploited CVE-2022-47966 in Zoho ManageEngine to deploy the QuiteRAT backdoor. After gaining access, the threat actor dropped a malicious DLL at C:\\Windows\\System32\\wsmprovhost.dll and established persistence via scheduled tasks. Network indicators include connections to 104.168.174.32 and the domain update.microsoft-store[.]net. The SHA256 hash of the QuiteRAT payload is 7f8e3c2d1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e.", "spans": {"THREAT_ACTOR: Lazarus Group": [[4, 17]], "CVE_ID: CVE-2022-47966": [[28, 42]], "SYSTEM: Zoho ManageEngine": [[46, 63]], "MALWARE: QuiteRAT": [[78, 86], [373, 381]], "FILEPATH: C:\\Windows\\System32\\wsmprovhost.dll": [[163, 198]], "IP_ADDRESS: 104.168.174.32": [[290, 304]], "DOMAIN: update.microsoft-store[.]net": [[320, 348]], "HASH: 7f8e3c2d1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e": [[393, 457]]}, "info": {"id": "cisa_00018", "source": "cisa_advisories"}} {"text": "Sandworm Team, attributed to Russia's GRU Unit 74455, deployed the Industroyer2 malware targeting Ukrainian power grid infrastructure. The attack leveraged CVE-2021-27065 in Microsoft Exchange Server for initial access. Post-exploitation tools included PsExec for lateral movement and CaddyWiper for destructive operations. 
CISA, NSA, and the UK National Cyber Security Centre issued a joint advisory warning critical infrastructure operators.", "spans": {"THREAT_ACTOR: Sandworm Team": [[0, 13]], "ORGANIZATION: GRU": [[38, 41]], "MALWARE: Industroyer2": [[67, 79]], "CVE_ID: CVE-2021-27065": [[156, 170]], "SYSTEM: Microsoft Exchange Server": [[174, 199]], "TOOL: PsExec": [[253, 259]], "MALWARE: CaddyWiper": [[285, 295]], "ORGANIZATION: CISA": [[324, 328]], "ORGANIZATION: NSA": [[330, 333]], "ORGANIZATION: UK National Cyber Security Centre": [[343, 376]]}, "info": {"id": "cisa_00019", "source": "cisa_advisories"}} {"text": "Cl0p ransomware operators have been mass-exploiting CVE-2023-34362 in MOVEit Transfer to exfiltrate data from hundreds of organizations. The SQL injection vulnerability in Progress MOVEit allows unauthenticated access to the application database. Webshells were deployed at /MOVEit/human2.aspx on compromised servers. CISA and FBI released indicators including the IP addresses 5.252.190.141, 148.113.152.104, and 89.39.104.1. Organizations should review their MOVEit Transfer logs for unauthorized access.", "spans": {"MALWARE: Cl0p": [[0, 4]], "CVE_ID: CVE-2023-34362": [[52, 66]], "SYSTEM: MOVEit Transfer": [[70, 85], [461, 476]], "VULNERABILITY: SQL injection vulnerability": [[141, 168]], "SYSTEM: MOVEit": [[181, 187]], "FILEPATH: /MOVEit/human2.aspx": [[274, 293]], "ORGANIZATION: CISA": [[318, 322]], "ORGANIZATION: FBI": [[327, 330]], "IP_ADDRESS: 5.252.190.141": [[378, 391]], "IP_ADDRESS: 148.113.152.104": [[393, 408]], "IP_ADDRESS: 89.39.104.1": [[414, 425]]}, "info": {"id": "cisa_00020", "source": "cisa_advisories"}} {"text": "The Kimsuky threat group has been conducting targeted spear-phishing campaigns exploiting CVE-2017-11882 in Microsoft Office and CVE-2022-30190 in the Microsoft Support Diagnostic Tool (MSDT). Malicious documents download a second-stage payload from hxxps://drive.google-analytics[.]cloud/update.exe. 
The payload establishes a connection to 193.56.29.174 on port 443. SHA256 of the dropper: 5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b.", "spans": {"THREAT_ACTOR: Kimsuky": [[4, 11]], "CVE_ID: CVE-2017-11882": [[90, 104]], "SYSTEM: Microsoft Office": [[108, 124]], "CVE_ID: CVE-2022-30190": [[129, 143]], "SYSTEM: Microsoft Support Diagnostic Tool": [[151, 184]], "URL: hxxps://drive.google-analytics[.]cloud/update.exe": [[250, 299]], "IP_ADDRESS: 193.56.29.174": [[341, 354]], "HASH: 5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b": [[391, 455]]}, "info": {"id": "cisa_00021", "source": "cisa_advisories"}} {"text": "CISA Alert AA24-131A warns of Black Basta ransomware affiliates exploiting CVE-2024-1709 in ConnectWise ScreenConnect and CVE-2024-3400 in Palo Alto Networks PAN-OS GlobalProtect. After initial access, affiliates deploy SystemBC proxy malware and use rclone for data exfiltration to attacker-controlled infrastructure. The campaign has impacted over 500 organizations globally. FBI and CISA recommend implementing phishing-resistant multi-factor authentication.", "spans": {"ORGANIZATION: CISA": [[0, 4], [386, 390]], "MALWARE: Black Basta": [[30, 41]], "CVE_ID: CVE-2024-1709": [[75, 88]], "SYSTEM: ConnectWise ScreenConnect": [[92, 117]], "CVE_ID: CVE-2024-3400": [[122, 135]], "SYSTEM: PAN-OS GlobalProtect": [[158, 178]], "ORGANIZATION: Palo Alto Networks": [[139, 157]], "MALWARE: SystemBC": [[220, 228]], "TOOL: rclone": [[251, 257]], "ORGANIZATION: FBI": [[378, 381]]}, "info": {"id": "cisa_00022", "source": "cisa_advisories"}} {"text": "The LockBit 3.0 ransomware group has been exploiting CVE-2023-4966, known as Citrix Bleed, to bypass authentication on Citrix NetScaler ADC and Gateway appliances. Post-compromise activity includes deploying Cobalt Strike beacons and using Impacket for lateral movement. 
Network defenders should look for connections to the following indicators: 91.215.85.183, 193.142.59.11, and the domain lockbit-decryptor[.]com. SHA256 hash of the ransomware binary: 8d4e7f2a1b3c5d6e9f0a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e.", "spans": {"MALWARE: LockBit 3.0": [[4, 15]], "CVE_ID: CVE-2023-4966": [[53, 66]], "SYSTEM: Citrix NetScaler ADC": [[119, 139]], "SYSTEM: Gateway": [[144, 151]], "MALWARE: Cobalt Strike": [[208, 221]], "TOOL: Impacket": [[240, 248]], "IP_ADDRESS: 91.215.85.183": [[346, 359]], "IP_ADDRESS: 193.142.59.11": [[361, 374]], "DOMAIN: lockbit-decryptor[.]com": [[391, 414]], "HASH: 8d4e7f2a1b3c5d6e9f0a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e": [[454, 518]]}, "info": {"id": "cisa_00023", "source": "cisa_advisories"}} {"text": "Scattered Spider has compromised cloud environments by exploiting CVE-2023-22515 in Atlassian Confluence and using social engineering to defeat Okta multi-factor authentication. The threat actor deploys the ALPHV/BlackCat ransomware after establishing persistence. Mandiant observed the group using Fleetdeck.io and AnyDesk for remote access. CISA recommends reviewing Okta system logs and Azure Active Directory sign-in logs for anomalous activity.", "spans": {"THREAT_ACTOR: Scattered Spider": [[0, 16]], "CVE_ID: CVE-2023-22515": [[66, 80]], "SYSTEM: Atlassian Confluence": [[84, 104]], "SYSTEM: Okta": [[144, 148], [369, 373]], "MALWARE: BlackCat": [[213, 221]], "ORGANIZATION: Mandiant": [[265, 273]], "TOOL: AnyDesk": [[316, 323]], "ORGANIZATION: CISA": [[343, 347]], "SYSTEM: Azure Active Directory": [[390, 412]]}, "info": {"id": "cisa_00024", "source": "cisa_advisories"}} {"text": "CISA has released an advisory on CVE-2024-23113, a format string vulnerability in Fortinet FortiOS that allows remote code execution. CVE-2024-47575, known as FortiJump, is a missing authentication vulnerability in FortiManager. 
Fortinet disclosed that the threat actor UNC5820 exploited FortiJump to exfiltrate configuration data from FortiGate devices. Organizations should check for unauthorized fortigate_access.log entries.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "CVE_ID: CVE-2024-23113": [[33, 47]], "VULNERABILITY: format string vulnerability": [[51, 78]], "SYSTEM: FortiOS": [[91, 98]], "CVE_ID: CVE-2024-47575": [[134, 148]], "VULNERABILITY: missing authentication vulnerability": [[175, 211]], "SYSTEM: FortiManager": [[215, 227]], "ORGANIZATION: Fortinet": [[82, 90], [229, 237]], "THREAT_ACTOR: UNC5820": [[270, 277]], "SYSTEM: FortiGate": [[336, 345]], "FILEPATH: fortigate_access.log": [[399, 419]]}, "info": {"id": "cisa_00025", "source": "cisa_advisories"}} {"text": "Microsoft Threat Intelligence has identified Storm-0558 exploiting a token validation vulnerability to forge Azure Active Directory authentication tokens. The threat actor used a compromised Microsoft account consumer signing key. CVE-2023-36884 was also exploited through malicious Microsoft Office documents. Indicators include the domains token.msoauthapi[.]net and auth.identity-verify[.]net. CISA Emergency Directive 23-02 mandates federal agencies to audit Microsoft 365 environments.", "spans": {"ORGANIZATION: Microsoft Threat Intelligence": [[0, 29]], "THREAT_ACTOR: Storm-0558": [[45, 55]], "VULNERABILITY: token validation vulnerability": [[69, 99]], "SYSTEM: Azure Active Directory": [[109, 131]], "CVE_ID: CVE-2023-36884": [[231, 245]], "SYSTEM: Microsoft Office": [[283, 299]], "DOMAIN: token.msoauthapi[.]net": [[342, 364]], "DOMAIN: auth.identity-verify[.]net": [[369, 395]], "ORGANIZATION: CISA": [[397, 401]], "SYSTEM: Microsoft 365": [[463, 476]]}, "info": {"id": "cisa_00026", "source": "cisa_advisories"}} {"text": "Iranian state-sponsored actors known as MuddyWater have been deploying the Atera Agent and SimpleHelp remote monitoring tools to maintain persistence on victim networks. 
The group exploited CVE-2021-34473 and CVE-2021-34523 in Microsoft Exchange Server, known as ProxyShell, along with CVE-2021-31207. CISA and the UK NCSC attribute this activity to Iran's Ministry of Intelligence and Security. Post-exploitation involved running certutil.exe to download additional payloads.", "spans": {"THREAT_ACTOR: MuddyWater": [[40, 50]], "TOOL: Atera Agent": [[75, 86]], "TOOL: SimpleHelp": [[91, 101]], "CVE_ID: CVE-2021-34473": [[190, 204]], "CVE_ID: CVE-2021-34523": [[209, 223]], "SYSTEM: Microsoft Exchange Server": [[227, 252]], "CVE_ID: CVE-2021-31207": [[286, 300]], "ORGANIZATION: CISA": [[302, 306]], "ORGANIZATION: UK NCSC": [[315, 322]], "TOOL: certutil.exe": [[431, 443]]}, "info": {"id": "cisa_00027", "source": "cisa_advisories"}} {"text": "CISA has published ICS Advisory ICSA-26-04-01 for Rockwell Automation ControlLogix and CompactLogix controllers. CVE-2021-22681 allows unauthorized access to Logix controllers through insufficient credential protection. Additionally, Hikvision IP cameras are affected by CVE-2017-7921, an improper authentication vulnerability enabling privilege escalation. Industrial control system operators should segment OT networks from IT infrastructure and monitor for anomalous Modbus and EtherNet/IP traffic.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "ORGANIZATION: Rockwell Automation": [[50, 69]], "SYSTEM: ControlLogix": [[70, 82]], "SYSTEM: CompactLogix": [[87, 99]], "CVE_ID: CVE-2021-22681": [[113, 127]], "VULNERABILITY: insufficient credential protection": [[184, 218]], "ORGANIZATION: Hikvision": [[234, 243]], "CVE_ID: CVE-2017-7921": [[271, 284]], "VULNERABILITY: improper authentication vulnerability": [[289, 326]]}, "info": {"id": "cisa_00028", "source": "cisa_advisories"}} {"text": "The Play ransomware group has targeted organizations using CVE-2022-41040 and CVE-2022-41082 in Microsoft Exchange Server, collectively known as ProxyNotShell. 
After exploitation, the actors deployed a webshell at C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx. The ransomware encrypted files with the .play extension. FBI investigation uncovered command and control infrastructure at 45.76.172.198 and 64.190.113.52. Encrypted DNS over HTTPS was used to evade detection.", "spans": {"MALWARE: Play": [[4, 8]], "CVE_ID: CVE-2022-41040": [[59, 73]], "CVE_ID: CVE-2022-41082": [[78, 92]], "SYSTEM: Microsoft Exchange Server": [[96, 121]], "FILEPATH: C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx": [[214, 260]], "ORGANIZATION: FBI": [[319, 322]], "IP_ADDRESS: 45.76.172.198": [[385, 398]], "IP_ADDRESS: 64.190.113.52": [[403, 416]]}, "info": {"id": "cisa_00029", "source": "cisa_advisories"}} {"text": "PaperCut NG/MF is impacted by CVE-2023-27351, an improper authentication vulnerability allowing remote attackers to bypass authentication via the SecurityRequestFilter class. This vulnerability is known to be used in ransomware campaigns. Kentico Xperience contains CVE-2025-2749, a path traversal vulnerability enabling file upload by authenticated users. 
Synacor Zimbra Collaboration Suite is affected by CVE-2025-48700 and CVE-2025-66376, both cross-site scripting vulnerabilities.", "spans": {"SYSTEM: PaperCut NG/MF": [[0, 14]], "CVE_ID: CVE-2023-27351": [[30, 44]], "VULNERABILITY: improper authentication vulnerability": [[49, 86]], "SYSTEM: Kentico Xperience": [[239, 256]], "CVE_ID: CVE-2025-2749": [[266, 279]], "VULNERABILITY: path traversal vulnerability": [[283, 311]], "SYSTEM: Zimbra Collaboration Suite": [[365, 391]], "ORGANIZATION: Synacor": [[357, 364]], "CVE_ID: CVE-2025-48700": [[407, 421]], "CVE_ID: CVE-2025-66376": [[426, 440]], "VULNERABILITY: cross-site scripting vulnerabilities": [[447, 483]]}, "info": {"id": "cisa_00030", "source": "cisa_advisories"}} {"text": "CISA Emergency Directive 21-02 mandated immediate action on Microsoft Exchange Server vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, collectively known as ProxyLogon. The threat actor HAFNIUM exploited these vulnerabilities to deploy China Chopper webshells. Affected organizations should search for indicators in the C:\\Windows\\Temp\\lsass directory and review IIS logs at C:\\inetpub\\logs\\LogFiles for suspicious POST requests.", "spans": {"ORGANIZATION: CISA": [[0, 4]], "SYSTEM: Microsoft Exchange Server": [[60, 85]], "CVE_ID: CVE-2021-26855": [[102, 116]], "CVE_ID: CVE-2021-26857": [[118, 132]], "CVE_ID: CVE-2021-26858": [[134, 148]], "CVE_ID: CVE-2021-27065": [[154, 168]], "THREAT_ACTOR: HAFNIUM": [[221, 228]], "MALWARE: China Chopper": [[271, 284]], "FILEPATH: C:\\Windows\\Temp\\lsass": [[355, 376]], "FILEPATH: C:\\inetpub\\logs\\LogFiles": [[410, 434]]}, "info": {"id": "cisa_00031", "source": "cisa_advisories"}} {"text": "Langflow, an open-source AI application builder, is affected by CVE-2026-33017, a code injection vulnerability that could allow unauthenticated users to build public flows. 
Similarly, n8n contains CVE-2025-68613, an improper control of dynamically managed code resources vulnerability allowing remote code execution. CISA added both to the KEV catalog as active exploitation has been observed.", "spans": {"SYSTEM: Langflow": [[0, 8]], "CVE_ID: CVE-2026-33017": [[64, 78]], "VULNERABILITY: code injection vulnerability": [[82, 110]], "SYSTEM: n8n": [[184, 187]], "CVE_ID: CVE-2025-68613": [[197, 211]], "VULNERABILITY: improper control of dynamically managed code resources vulnerability": [[216, 284]], "ORGANIZATION: CISA": [[317, 321]]}, "info": {"id": "cisa_00032", "source": "cisa_advisories"}} {"text": "VMware ESXi has been heavily targeted by ransomware operators. CVE-2019-5544 is a heap-based buffer overflow in OpenSLP allowing remote code execution via port 427. CVE-2020-3992 is a use-after-free vulnerability also in VMware ESXi OpenSLP. CVE-2021-21972 affects VMware vCenter Server with a remote code execution vulnerability in the vSphere Client plugin via port 443. VMware Workspace One is affected by CVE-2021-22054, a server-side request forgery vulnerability. Broadcom has assumed responsibility for these VMware products.", "spans": {"SYSTEM: VMware ESXi": [[0, 11], [221, 232]], "CVE_ID: CVE-2019-5544": [[63, 76]], "VULNERABILITY: heap-based buffer overflow": [[82, 108]], "CVE_ID: CVE-2020-3992": [[165, 178]], "VULNERABILITY: use-after-free vulnerability": [[184, 212]], "CVE_ID: CVE-2021-21972": [[242, 256]], "SYSTEM: VMware vCenter Server": [[265, 286]], "CVE_ID: CVE-2021-22054": [[409, 423]], "VULNERABILITY: server-side request forgery vulnerability": [[427, 468]], "SYSTEM: VMware Workspace One": [[373, 393]], "ORGANIZATION: Broadcom": [[470, 478]]}, "info": {"id": "cisa_00033", "source": "cisa_advisories"}} {"text": "The ALPHV/BlackCat ransomware group deployed Emotet as an initial access vector followed by Cobalt Strike for command and control. Network indicators include IP addresses 198.51.100.23, 203.0.113.42, and 172.16.254.1. 
Malicious domains observed: download.system-update[.]cloud, c2.secure-check[.]net, and exfil.data-backup[.]org. File hash indicators: MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Victims should contact ic3.gov to report incidents.", "spans": {"THREAT_ACTOR: ALPHV": [[4, 9]], "MALWARE: BlackCat": [[10, 18]], "MALWARE: Emotet": [[45, 51]], "MALWARE: Cobalt Strike": [[92, 105]], "IP_ADDRESS: 198.51.100.23": [[171, 184]], "IP_ADDRESS: 203.0.113.42": [[186, 198]], "IP_ADDRESS: 172.16.254.1": [[204, 216]], "DOMAIN: download.system-update[.]cloud": [[246, 276]], "DOMAIN: c2.secure-check[.]net": [[278, 299]], "DOMAIN: exfil.data-backup[.]org": [[305, 328]], "HASH: d41d8cd98f00b204e9800998ecf8427e": [[356, 388]], "HASH: da39a3ee5e6b4b0d3255bfef95601890afd80709": [[395, 435]], "HASH: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": [[444, 508]], "DOMAIN: ic3.gov": [[533, 540]]}, "info": {"id": "cisa_00034", "source": "cisa_advisories"}}
{"text": "JetBrains TeamCity is affected by CVE-2024-27199, a relative path traversal vulnerability that could allow limited admin actions. This vulnerability has been used in ransomware campaigns. Quest KACE Systems Management Appliance is impacted by CVE-2025-32975, an improper authentication vulnerability. Craft CMS contains CVE-2025-32432, a code injection vulnerability allowing remote code execution. Laravel Livewire is affected by CVE-2025-54068, a code injection vulnerability enabling unauthenticated remote command execution.", "spans": {"SYSTEM: JetBrains TeamCity": [[0, 18]], "CVE_ID: CVE-2024-27199": [[34, 48]], "VULNERABILITY: relative path traversal vulnerability": [[52, 89]], "SYSTEM: Quest KACE Systems Management Appliance": [[188, 227]], "CVE_ID: CVE-2025-32975": [[243, 257]], "VULNERABILITY: improper authentication vulnerability": [[262, 299]], "SYSTEM: Craft CMS": [[301, 310]], "CVE_ID: CVE-2025-32432": [[320, 334]], "VULNERABILITY: code injection vulnerability": [[338, 366], [449, 477]], "SYSTEM: Laravel Livewire": [[399, 415]], "CVE_ID: CVE-2025-54068": [[431, 445]]}, "info": {"id": "cisa_00035", "source": "cisa_advisories"}}
{"text": "Multiple Ivanti products have been targeted in the wild. CVE-2021-22893 is a use-after-free vulnerability in Ivanti Pulse Connect Secure allowing unauthenticated remote code execution via license services. CVE-2019-11510 enables arbitrary file read in Pulse Connect Secure through crafted HTTPS URIs. CVE-2021-22894 is a buffer overflow in the Collaboration Suite. CISA Emergency Directive 21-03 required agencies to assess and mitigate these Ivanti vulnerabilities. Defenders should review /data/runtime/mtmp/lmdb/ for suspicious files.", "spans": {"ORGANIZATION: Ivanti": [[9, 15], [443, 449]], "CVE_ID: CVE-2021-22893": [[57, 71]], "VULNERABILITY: use-after-free vulnerability": [[77, 105]], "SYSTEM: Ivanti Pulse Connect Secure": [[109, 136]], "CVE_ID: CVE-2019-11510": [[206, 220]], "SYSTEM: Pulse Connect Secure": [[252, 272]], "CVE_ID: CVE-2021-22894": [[301, 315]], "VULNERABILITY: buffer overflow": [[321, 336]], "ORGANIZATION: CISA": [[365, 369]], "FILEPATH: /data/runtime/mtmp/lmdb/": [[491, 515]]}, "info": {"id": "cisa_00036", "source": "cisa_advisories"}}
{"text": "Adobe Acrobat and Reader are affected by two vulnerabilities in the CISA KEV catalog. CVE-2020-9715 is a use-after-free vulnerability in Adobe Acrobat that allows code execution. CVE-2026-34621 is a prototype pollution vulnerability in Adobe Acrobat and Reader that enables arbitrary code execution. Adobe has released security updates through APSB20-48 and APSB26-43. Organizations should update to the latest versions of Adobe Acrobat and Reader.", "spans": {"SYSTEM: Adobe Acrobat": [[0, 13], [137, 150], [236, 249], [423, 436]], "SYSTEM: Reader": [[18, 24], [254, 260], [441, 447]], "ORGANIZATION: CISA": [[68, 72]], "CVE_ID: CVE-2020-9715": [[86, 99]], "VULNERABILITY: use-after-free vulnerability": [[105, 133]], "CVE_ID: CVE-2026-34621": [[179, 193]], "VULNERABILITY: prototype pollution vulnerability": [[199, 232]], "ORGANIZATION: Adobe": [[300, 305]]}, "info": {"id": "cisa_00037", "source": "cisa_advisories"}}
{"text": "SonicWall Email Security has been targeted through an exploit chain involving CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023. CVE-2021-20021 is an improper privilege management vulnerability allowing administrative account creation. CVE-2021-20022 enables unrestricted file upload. CVE-2021-20023 is a path traversal vulnerability for file reading. SonicWall SMA100 is separately affected by CVE-2021-20016, a SQL injection vulnerability used in ransomware campaigns.", "spans": {"SYSTEM: SonicWall Email Security": [[0, 24]], "CVE_ID: CVE-2021-20021": [[78, 92], [130, 144]], "CVE_ID: CVE-2021-20022": [[94, 108], [237, 251]], "CVE_ID: CVE-2021-20023": [[114, 128], [286, 300]], "VULNERABILITY: improper privilege management vulnerability": [[151, 194]], "VULNERABILITY: unrestricted file upload": [[260, 284]], "VULNERABILITY: path traversal vulnerability": [[306, 334]], "SYSTEM: SonicWall SMA100": [[353, 369]], "CVE_ID: CVE-2021-20016": [[396, 410]], "VULNERABILITY: SQL injection vulnerability": [[414, 441]]}, "info": {"id": "cisa_00038", "source": "cisa_advisories"}}
{"text": "Threat intelligence from CrowdStrike and Palo Alto Networks Unit 42 identified the Turla threat group deploying the Snake malware implant. Network communication was observed to 162.255.119.58, 78.128.113.34, and 45.33.32.156 over encrypted channels. The malware configuration file was stored at /var/tmp/.snake/snake.conf on compromised Linux servers. SHA256 hashes of observed Snake variants: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b and 2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c. CISA and FBI urge network defenders to hunt for these indicators.", "spans": {"ORGANIZATION: CrowdStrike": [[25, 36]], "ORGANIZATION: Palo Alto Networks": [[41, 59]], "THREAT_ACTOR: Turla": [[83, 88]], "MALWARE: Snake": [[116, 121], [378, 383]], "IP_ADDRESS: 162.255.119.58": [[177, 191]], "IP_ADDRESS: 78.128.113.34": [[193, 206]], "IP_ADDRESS: 45.33.32.156": [[212, 224]], "FILEPATH: /var/tmp/.snake/snake.conf": [[295, 321]], "HASH: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b": [[394, 458]], "HASH: 2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c": [[463, 527]], "ORGANIZATION: CISA": [[529, 533]], "ORGANIZATION: FBI": [[538, 541]]}, "info": {"id": "cisa_00039", "source": "cisa_advisories"}}