Weekly Threat Landscape Digest – Week 6

1. n8n Critical RCE Vulnerability (CVE-2026-25049)
   A critical remote code execution vulnerability has been disclosed in the n8n workflow automation platform that allows authenticated users with workflow modification privileges to execute arbitrary system commands on the underlying host. By crafting malicious expressions within workflow parameters, attackers can bypass expected restrictions, leading to full server compromise, credential exposure, and potential lateral movement from the automation environment.

Details:

• CVE: CVE-2026-25049
• Vulnerability Type: Expression escape leading to unintended system command execution
• Severity: Critical (CVSS v4 ~9.4)

Affected Versions:

• All n8n versions prior to 1.123.17
• All n8n versions prior to 2.5.2

Fixed Version:

• n8n 1.123.17
• n8n 2.5.2 and later

Impact:

• Arbitrary command execution on the n8n server
• Exposure of stored API keys, tokens, and credentials
• Data access, persistence, and lateral movement risks

Recommendations:

• Upgrade to the latest fixed n8n version immediately
• Prioritize patching of internet-facing instances
• Restrict workflow creation and modification privileges
• Review existing workflows for suspicious expressions
• Rotate credentials used by n8n workflows

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25049
https://thehackernews.com/2026/02/critical-n8n-flaw-cve-2026-25049.html

1. SmarterMail Critical Unauthenticated RCE Vulnerability (CVE-2026-24423)
   A critical unauthenticated remote code execution vulnerability in SmarterTools SmarterMail is being actively exploited in ransomware campaigns. The flaw resides in a core API function related to cluster and hub connectivity, allowing attackers to execute arbitrary code on vulnerable servers without authentication, resulting in full system compromise.

Details:

• CVE: CVE-2026-24423
• Severity: Critical
• Attack Vector: Specially crafted requests to exposed SmarterMail API endpoints
• Exploitation Status: Actively exploited in the wild

Affected Versions:

• SmarterMail versions prior to 100.0.9511

Fixed Version:

• SmarterMail 100.0.9511 and later

Impact:

• Unauthenticated remote code execution
• Full compromise of mail servers
• Mail data exposure, credential theft, lateral movement, and ransomware deployment

Recommendations:

• Patch all SmarterMail servers immediately
• Prioritize internet-facing deployments
• Review network segmentation and API exposure
• Monitor for signs of compromise and anomalous activity

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-24423
https://www.helpnetsecurity.com/2026/02/06/ransomware-smartermail-cve-2026-24423/

1. OpenSSL Critical and High-Severity Security Updates
   The OpenSSL Project has released security updates addressing multiple vulnerabilities across supported OpenSSL branches, including a high-severity pre-authentication stack buffer overflow that could lead to remote code execution or denial of service. Additional flaws affect PKCS#12 handling, TLS 1.3 memory management, CMS parsing, and QUIC cipher processing, increasing risk to internet-facing systems.

Details:

• CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData (High)
• CVE-2025-11187: PKCS#12 MAC verification flaw (Moderate)
• CVE-2025-15469: Data truncation in openssl dgst (Low)
• CVE-2025-66199: TLS 1.3 memory exhaustion (Low)
• CVE-2025-15468: NULL pointer dereference in QUIC (Low)

Affected Versions:

• OpenSSL 3.6.x
• OpenSSL 3.5.x
• OpenSSL 3.4.x
• OpenSSL 3.3.x
• OpenSSL 3.0.x
• Legacy: 1.1.1 and 1.0.2 (Premium Support)

Fixed Version:

• OpenSSL 3.6.1
• OpenSSL 3.5.5
• OpenSSL 3.4.4
• OpenSSL 3.3.6
• OpenSSL 3.0.19
• Vendor-provided patches for legacy versions

Recommendations:

• Upgrade OpenSSL immediately on all affected systems
• Identify and prioritize internet-facing services
• Apply vendor patches for legacy deployments
• Monitor logs for abnormal TLS or CMS activity
• Conduct vulnerability scans post-patching

Reference:
https://openssl-library.org/news/secadv/20260127.txt

1. Mozilla Firefox and Thunderbird Security Updates
   Mozilla has released security updates for Firefox and Thunderbird addressing multiple vulnerabilities that could allow arbitrary code execution, privacy protection bypass, or sensitive information exfiltration. Unpatched systems may be exposed to elevated security and privacy risks, particularly in enterprise environments.

Details:

• CVE-2026-24869: Use-after-free in layout component (High)
• CVE-2026-24868: Privacy mitigation bypass (Moderate)
• CVE-2026-0818: CSS-based content exfiltration (Moderate)

Affected Versions:

• Mozilla Firefox
• Mozilla Thunderbird

Fixed Version:

• Firefox 147.0.2
• Thunderbird 147.0.1
• Thunderbird 140.7.1

Recommendations:

• Update Firefox and Thunderbird to patched versions
• Disable remote content in email clients where possible
• Restrict browser installation privileges
• Monitor endpoints for abnormal browser behavior
• Perform post-update security validation

Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-06/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-08/

1. Metro4Shell Critical RCE Vulnerability in React Native Metro Server (CVE-2025-11953)
   Threat actors are actively exploiting a critical remote code execution vulnerability, known as Metro4Shell, affecting the Metro Development Server used by React Native projects. The flaw allows unauthenticated attackers to execute arbitrary operating system commands on developer machines and CI/CD infrastructure, posing significant supply chain and development environment risks.

Details:

• CVE: CVE-2025-11953
• Severity: Critical (CVSS 9.8)
• Vulnerability Type: Unauthenticated RCE via Metro server HTTP endpoints
• Exploitation Status: Observed in the wild since December 2025

Affected Versions:

• @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2

Fixed Version:

• @react-native-community/cli-server-api 20.0.0 or later

Impact:

• Arbitrary OS command execution
• Full system compromise of developer and build systems
• Unauthorized payload deployment and persistence

Recommendations:

• Upgrade to patched versions immediately
• Disable public exposure of Metro development servers
• Restrict network access to internal or secured channels
• Monitor logs for suspicious requests
• Validate integrity of development toolchains

Reference:
https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html

1. Notepad++ Update Hijacking Supply Chain Incident

A supply chain attack targeting the Notepad++ update mechanism allowed state-sponsored attackers to hijack update traffic at the hosting provider level and redirect users to malicious servers. Although not caused by a vulnerability in the application code itself, the incident may have resulted in users downloading poisoned executables, leading to potential remote code execution and system compromise.

Details:

• CVE: None (supply chain attack)
• Severity: High
• Attack Type: Update mechanism hijacking at hosting provider level

Affected Versions:

• Notepad++ versions 8.8.9 and earlier

Fixed Version:

• Notepad++ 8.9.0 and later

Impact:

• Potential remote code execution via malicious updates
• System compromise and follow-on exploitation

Recommendations:

• Upgrade to the latest Notepad++ version immediately
• Verify integrity of installed binaries
• Monitor systems for indicators of compromise
• Review update mechanisms and trusted sources

Reference:
https://notepad-plus-plus.org/news/hijacked-incident-info-update/

1. China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery

Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework named DKnife that has been active since at least 2019 and targets routers and edge devices to monitor, manipulate, and hijack network traffic. The modular Linux-based framework enables deep packet inspection, credential harvesting, DNS and binary hijacking, and malware delivery, facilitating large-scale surveillance and targeted malware distribution against PCs, mobile devices, and IoT systems, with a strong focus on Chinese-speaking users.

Details:

• Threat Framework: DKnife
• Threat Actor: China-nexus activity cluster linked to Earth Minotaur
• Architecture: Modular, Linux-based implants delivered via ELF downloader
• Key Capabilities:
  • Deep packet inspection and real-time traffic monitoring
  • Credential harvesting via TLS termination and email decryption
  • DNS hijacking over IPv4 and IPv6
  • Hijacking Android app updates and Windows binary downloads
  • Delivery of ShadowPad and DarkNimbus backdoors
  • Interference with antivirus and system management traffic
• Infrastructure Links: Overlaps with WizardNet and Spellbinder AitM framework used by TheWizards

Impact:

• Large-scale traffic interception and manipulation
• Credential theft from email and mobile applications
• Malware delivery through trusted update mechanisms
• Potential long-term persistence and regional surveillance

Recommendations:

• Audit and secure routers and edge devices
• Restrict administrative access and update device firmware
• Monitor network traffic for anomalous DNS and update activity
• Inspect for signs of AitM behavior and unauthorized TLS certificates
• Apply network segmentation to limit blast radius

Reference:
https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html

1. Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware
   A software supply chain attack has been identified involving compromised npm and PyPI packages associated with the dYdX v4 protocol, where malicious versions were published using legitimate developer credentials. The poisoned packages delivered cryptocurrency wallet stealers and, in the Python variant, a remote access trojan (RAT), enabling credential theft and remote command execution on developer and user systems.

Details:

• Affected Packages:
  • @dydxprotocol/v4-client-js (npm): 3.4.1, 1.22.1, 1.15.2, 1.0.31
  • dydx-v4-client (PyPI): 1.1.5post1
• Attack Type: Supply chain compromise via developer account access
• Malware Functionality:
  • Cryptocurrency wallet seed phrase theft
  • Device fingerprinting and data exfiltration
  • RAT execution upon package import (PyPI)
• C2 Activity:
  • Python RAT contacts external server for command retrieval
  • Stealth execution on Windows using CREATE_NO_WINDOW flag

Impact:

• Theft of cryptocurrency assets
• Remote code execution on affected systems
• Compromise of developer environments and downstream applications

Recommendations:

• Immediately remove compromised package versions
• Isolate affected systems and move funds to new wallets
• Rotate all API keys, credentials, and secrets
• Verify package integrity and restrict publishing access
• Review dependency usage and monitor for anomalous behavior

Reference:
https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html

1. Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries

Anthropic disclosed that its latest LLM, Claude Opus 4.6, identified more than 500 previously unknown high-severity security flaws across open-source libraries such as Ghostscript, OpenSC, and CGIF, with findings validated and subsequently patched by maintainers. The company stated the model demonstrated improved vulnerability discovery without task-specific prompting, and was evaluated by its Frontier Red Team using a virtualized environment and security tooling to assess out-of-the-box performance.

Details:

• Anthropic reports Claude Opus 4.6 found 500+ previously unknown high-severity flaws across open-source libraries.
• Examples cited:
  • Ghostscript: crash due to missing bounds check identified by reviewing Git commit history
  • OpenSC: buffer overflow identified by searching for risky function call patterns (e.g., strrchr(), strcat())
  • CGIF: heap buffer overflow (fixed in 0.5.1), described as requiring specific LZW/GIF logic to trigger
• Anthropic states each discovered flaw was validated to avoid hallucinated findings.

Recommendations:

• Apply the latest upstream patches for impacted open-source libraries in use.
• Prioritize remediation of memory corruption issues identified by maintainers.
• Continue prompt patching of known vulnerabilities as AI-assisted offensive and defensive workflows evolve.

Reference:
https://thehackernews.com/2026/02/claude-opus-46-finds-500-high-severity.html

1. Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign

Researchers disclosed an active campaign targeting NGINX deployments and management panels such as Baota (BT) to hijack and proxy legitimate web traffic through attacker-controlled infrastructure using injected NGINX “location” rules and proxy_pass redirection. Datadog associated the observed activity with post-exploitation behavior linked to React2Shell exploitation and described a multi-stage toolkit that establishes persistence, enumerates configuration paths, installs malicious redirect rules, and reports active hijack configurations, with targeting focused on specific Asian and government/education TLDs.

Details:

• Technique: Injection of malicious NGINX configuration “location” blocks to intercept and redirect traffic via proxy_pass.
• Targeted environments:
  • NGINX installations (including Linux and containerized deployments)
  • Baota (BT) management panel environments
• Observed targeting:
  • Asian TLDs (.in, .id, .pe, .bd, .th)
  • Government and educational TLDs (.edu, .gov)
• Reported linkage:
  • Activity observed alongside React2Shell exploitation (CVE-2025-55182, CVSS 10.0)
• Toolkit components (as described):
  • zx.sh: orchestrator stage using curl/wget or raw TCP fallback
  • bt.sh: targets Baota to overwrite NGINX configuration files
  • 4zdh.sh: enumerates common NGINX config locations and reduces errors when creating new config
  • zdh.sh: narrower targeting focusing on Linux/container NGINX and selected TLDs
  • ok.sh: generates reporting on active hijacking rules
• React2Shell exploitation telemetry cited:
  • Two IPs account for 56% of observed attempts
  • 1,083 unique source IPs observed between January 26 and February 2, 2026

Recommendations:

• Audit NGINX configurations for unexpected location blocks and unauthorized proxy_pass directives.
• Restrict access to management panels (e.g., Baota/BT) and harden administrative interfaces.
• Monitor for configuration file changes and persistence scripts associated with NGINX tampering.
• Investigate for indicators of prior exploitation paths referenced in the reporting (including React2Shell activity).

Reference:
https://thehackernews.com/2026/02/hackers-exploit-react2shell-to-hijack.html

1. DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files

Threat hunters reported on a stealthy malware campaign dubbed DEAD#VAX that uses phishing-delivered, IPFS-hosted Virtual Hard Disk (VHD) files disguised as purchase-order PDFs to deploy AsyncRAT through a multi-stage, fileless execution chain. The campaign combines heavily obfuscated scripts, runtime decryption, scheduled-task persistence, and in-memory shellcode injection into trusted Microsoft-signed processes, minimizing disk artifacts and complicating detection and forensic reconstruction.

Details:

• Initial access: Phishing email delivering a VHD file hosted on IPFS, disguised as a PDF purchase order.
• Execution flow:
  • VHD mounts as a virtual drive upon user interaction
  • A WSF script launches obfuscated batch scripts with environment checks (anti-sandbox/anti-VM and privilege checks)
  • PowerShell loader decrypts embedded payloads, establishes persistence via scheduled tasks, and injects shellcode in memory
• Payload: AsyncRAT delivered as encrypted x64 shellcode and executed entirely in memory.
• Process injection targets cited: RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, sihost.exe
• Evasion: Extreme obfuscation, runtime decryption, memory-resident execution, and throttled timing/sleep intervals to reduce anomalous behavior.

Impact:

• Remote access trojan capability enabling surveillance and data collection (including keylogging, screen/webcam capture, clipboard monitoring, file access, remote command execution, and persistence).

Recommendations:

• Block and monitor VHD mounting and execution paths where feasible, especially from email-originated content.
• Detect and alert on WSF/batch/PowerShell chains exhibiting heavy obfuscation, runtime decryption, and scheduled-task persistence.
• Hunt for suspicious PowerShell-based process injection into trusted Microsoft-signed processes.
• Review email security controls for VHD-based lures and IPFS-hosted payload distribution patterns.

Reference:
https://thehackernews.com/2026/02/deadvax-malware-campaign-deploys.html

1. Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers

Microsoft has warned that information-stealing malware campaigns are increasingly targeting macOS systems by abusing cross-platform languages like Python and leveraging malvertising, fake installers, and ClickFix-style social engineering. The campaigns rely on disk image (DMG) installers distributed via malicious ads and phishing, enabling fileless execution and abuse of native macOS utilities to steal credentials, browser data, cloud secrets, and cryptocurrency information.

Details:

• Observed by: Microsoft Defender Security Research Team
• Target Platform: macOS
• Initial Access:
  • Malicious ads (including Google Ads)
  • Fake websites impersonating legitimate tools (e.g., AI utilities)
  • ClickFix social engineering lures
• Malware Families Identified:
  • Atomic macOS Stealer (AMOS)
  • MacSync
  • DigitStealer
  • PXA Stealer (linked to Vietnamese-speaking threat actors)
  • Eternidade Stealer (distributed via messaging apps)
• Techniques:
  • Python-based cross-platform malware
  • Fileless execution
  • AppleScript automation
  • Abuse of native macOS utilities
• Data Targeted:
  • Browser credentials and session cookies
  • iCloud Keychain data
  • Developer secrets
  • Financial and cryptocurrency information
• Additional Distribution:
  • WhatsApp-based malware delivery
  • Fake PDF editors promoted via SEO poisoning and malvertising

Impact:

• Credential theft leading to account compromise
• Data breaches and unauthorized internal access
• Increased risk of BEC, supply chain compromise, and ransomware

Recommendations:

• Educate users on malvertising, fake installers, and ClickFix-style prompts
• Monitor macOS endpoints for suspicious Terminal activity and AppleScript usage
• Inspect access attempts to iCloud Keychain
• Monitor outbound network traffic for suspicious POST requests to newly registered domains

Reference:
https://thehackernews.com/2026/02/microsoft-warns-python-infostealers.html

1. Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package

Threat actors have been observed actively exploiting a critical remote code execution vulnerability, known as Metro4Shell, affecting the Metro Development Server used by the “@react-native-community/cli” npm package. The flaw allows unauthenticated attackers to execute arbitrary OS commands, and real-world exploitation has been confirmed since December 2025, including delivery of persistent malware payloads rather than proof-of-concept activity.

Details:

• CVE: CVE-2025-11953 (Metro4Shell)
• Severity: Critical (CVSS 9.8)
• Affected Component: Metro Development Server in @react-native-community/cli
• Exploitation Observed: Since December 21, 2025
• Payload Characteristics:
  • Base64-encoded PowerShell scripts
  • Creation of Microsoft Defender Antivirus exclusions
  • Raw TCP connections to attacker-controlled infrastructure
  • Download and execution of Rust-based binaries with anti-analysis features
• Observed Attacker IPs:
  • 5.109.182[.]231
  • 223.6.249[.]141
  • 134.209.69[.]155
• Attribution Assessment:
  • Operational exploitation
  • Consistent payloads across weeks, not exploratory scanning

Affected Versions:

• Vulnerable Metro Development Server versions as documented by JFrog (November 2025)

Impact:

• Remote unauthenticated command execution
• Compromise of developer workstations and build environments
• Potential downstream supply chain risk

Recommendations:

• Immediately patch affected React Native CLI and Metro components
• Restrict network exposure of development servers
• Monitor for PowerShell execution chains and Defender exclusion creation
• Audit developer infrastructure treated as externally reachable

Reference:
https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html

1. APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

The Russia-linked threat actor APT28 has been attributed to active exploitation of a newly disclosed Microsoft Office security feature bypass, CVE-2026-21509, as part of an espionage campaign dubbed Operation Neusploit. The attacks leverage malicious Office documents to deliver credential-stealing and backdoor malware without requiring macros or user interaction, targeting government and military-related entities across Eastern and Central Europe shortly after public disclosure of the flaw.

Details:

• Threat Actor: APT28 (aka UAC-0001)
• Campaign Name: Operation Neusploit
• CVE: CVE-2026-21509
• CVSS Score: 7.8
• Vulnerability Type: Microsoft Office security feature bypass
• Initial Exploitation Observed: January 29, 2026
• Targeted Regions: Ukraine, Slovakia, Romania, Poland, Slovenia, Turkey, Greece, UAE
• Lure Types:
  • Geopolitically themed phishing documents
  • Localized language content (Romanian, Slovak, Ukrainian)
• Delivery Mechanisms:
  • Malicious RTF and Word documents
  • WebDAV-based payload retrieval
• Malware Deployed:
  • MiniDoor (Outlook email stealer)
  • PixyNetLoader
  • COVENANT Grunt implant
  • NotDoor (aka GONEPOSTAL)
  • BEARDSHELL backdoor
• Techniques Observed:
  • COM object hijacking
  • DLL proxying
  • Steganography (PNG-embedded shellcode)
  • In-memory execution
  • Legitimate cloud services used for C2 (filen[.]io)

Impact:

• Email exfiltration from compromised Outlook accounts
• Persistent access to government and enterprise environments
• Elevated espionage risk through stealthy, multi-stage infection chains

Recommendations:

• Apply Microsoft Office security updates immediately
• Block and monitor WebDAV traffic where not required
• Inspect Office document execution chains for abnormal network connections
• Monitor for COM hijacking and DLL proxying behaviors
• Review endpoint telemetry for Covenant-related activity

Reference:
https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html

1. Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users

Researchers have uncovered a large-scale supply chain abuse campaign involving ClawHub, a third-party skills marketplace for the OpenClaw AI assistant, where hundreds of malicious skills were used to distribute information-stealing malware. The campaign, codenamed ClawHavoc, relies on fake prerequisites and social engineering to trick users into executing malicious scripts that deploy stealers targeting macOS and Windows systems.

Details:

• Platform Affected: ClawHub (OpenClaw skills marketplace)
• Skills Analyzed: 2,857
• Malicious Skills Identified: 341
• Campaign Name: ClawHavoc
• Primary Payload:
  • Atomic Stealer (AMOS) for macOS
• Initial Infection Vectors:
  • Fake prerequisite installation instructions
  • GitHub-hosted ZIP archives (Windows)
  • glot[.]io-hosted shell scripts (macOS)
• Malware Capabilities:
  • Keylogging
  • Credential and API key theft
  • Crypto wallet and exchange data theft
  • SSH and browser credential harvesting
• Shared Infrastructure:
  • Command-and-control server: 91.92.242[.]30
• Skill Themes Used as Lures:
  • Cryptocurrency and wallet tracking tools
  • Polymarket trading bots
  • YouTube utilities
  • Auto-updaters
  • Finance and social media tools
  • Google Workspace integrations
• Additional Findings:
  • Reverse shell backdoors hidden in functional skills
  • Exfiltration of bot credentials from local environment files

Impact:

• Compromise of AI assistant hosts
• Theft of sensitive credentials and cryptocurrency assets
• Increased supply chain risk within AI plugin ecosystems

Recommendations:

• Remove untrusted or unnecessary ClawHub skills immediately
• Avoid executing prerequisite commands from skill documentation
• Monitor systems for execution of unauthorized shell scripts
• Audit AI agent permissions and persistent memory usage
• Leverage ClawHub’s new reporting and skill-flagging mechanisms

Reference:
https://thehackernews.com/search?updated-max=2026-02-03T16:30:00%2B05:30&max-results=12&start=12&by-date=false

1. OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link

A high-severity vulnerability has been disclosed in OpenClaw that allows attackers to achieve one-click remote code execution by tricking a user into visiting a malicious web page. The flaw stems from improper validation of WebSocket connections and trusted parameters, enabling token exfiltration and full gateway compromise even when the service is bound to localhost.

Details:

• Product: OpenClaw (formerly Clawdbot / Moltbot)
• CVE: CVE-2026-25253
• CVSS Score: 8.8
• Vulnerability Type: Token exfiltration leading to RCE
• Root Cause:
  • Unvalidated gatewayUrl parameter
  • Missing WebSocket origin validation
• Attack Vector:
  • Crafted malicious link or web page
  • Cross-site WebSocket hijacking
• Exploitation Outcome:
  • Theft of gateway authentication token
  • Operator-level API access
  • Disabling of safety approvals
  • Escape from containerized execution
  • Arbitrary command execution on host
• Affected Scope:
  • Any authenticated OpenClaw Control UI user
  • Exploitable even on loopback-only deployments

Fixed Version:

• OpenClaw 2026.1.29 (released January 30, 2026)

Impact:

• Full compromise of OpenClaw gateway host
• Bypass of sandboxing and safety guardrails
• Arbitrary configuration changes and code execution

Recommendations:

• Upgrade OpenClaw to version 2026.1.29 or later
• Invalidate and rotate gateway tokens
• Restrict access to the Control UI
• Monitor for unexpected WebSocket connections
• Review API usage for unauthorized configuration changes

Reference:
https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html

1. Critical Flaws in Ivanti EPMM Lead to Fast-Moving Exploitation Attempts

Security researchers have warned of active and highly targeted exploitation attempts against two critical remote code execution vulnerabilities affecting the on-premises version of Ivanti Endpoint Manager Mobile (EPMM). Ivanti confirmed that a limited number of customers were already impacted at the time of disclosure, prompting rapid response from security agencies and industry researchers as exploitation activity accelerated shortly thereafter.

Details:

• Product: Ivanti Endpoint Manager Mobile (on-premises)
• CVEs:
  • CVE-2026-1281
  • CVE-2026-1340
• Severity: Critical (CVSS 9.8)
• Vulnerability Type: Code injection leading to remote code execution
• Exploitation Status:
  • Confirmed exploitation prior to public disclosure
  • Initial activity assessed as highly targeted and deliberate
• Observed Threat Activity:
  • Spike in exploitation attempts reported by Shadowserver
  • Activity from 13 source IPs
  • Attempts to execute callbacks and establish reverse shells
• Exposure Metrics:
  • ~1,600 exposed instances initially observed worldwide
  • Reduced to ~1,400 but with ongoing exploitation attempts
• Government Response:
  • CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) catalog
  • Accelerated mitigation deadline issued for federal agencies

Affected Versions:

• Ivanti EPMM on-premises deployments (specific vulnerable versions as per Ivanti advisory)

Fixed Version:

• Permanent fix scheduled for Ivanti EPMM version 12.8.0.0
• Temporary mitigation patch currently available (must be reinstalled after upgrades)

Impact:

• Remote code execution on mobile device management infrastructure
• Deployment of web shells and backdoors post-compromise
• Elevated risk to enterprise mobile environments and managed devices

Recommendations:

• Apply Ivanti’s temporary patch immediately and monitor closely
• Prepare to upgrade to version 12.8.0.0 once available
• Restrict external access to EPMM management interfaces
• Monitor for indicators of web shell deployment and reverse shell activity
• Treat exposure as high priority due to active exploitation

Reference:
https://www.cybersecuritydive.com/news/critical-flaws-ivanti-epmm-exploitation/811228/

1. eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

The update infrastructure of eScan antivirus was compromised to distribute malicious updates that deployed a persistent, multi-stage malware downloader to enterprise and consumer endpoints. The supply chain attack abused eScan’s legitimate update mechanism during a limited time window, allowing attackers to tamper with core product components, disable defenses, and fetch additional payloads from external servers.

Details:

• Affected Product: eScan Antivirus
• Vendor: MicroWorld Technologies
• Attack Type: Supply chain compromise via update servers
• Incident Window:
  • January 20, 2026
  • Approximately two hours of malicious update distribution
• Root Cause:
  • Unauthorized access to a regional update server configuration
• Malicious Components:
  • Replacement of legitimate reload.exe with a rogue binary
  • Delivery of a persistent downloader and PowerShell-based malware
• Techniques Observed:
  • Blocking antivirus updates via HOSTS file modification
  • AMSI bypass
  • Scheduled task persistence
  • Environment validation to evade analysis and security tools
• Payloads Identified:
  • Reload.exe (malicious replacement)
  • CONSCTLX.exe (malicious replacement)
  • Multiple Base64-encoded PowerShell scripts
• Geographic Impact:
  • Hundreds of systems observed
  • Primarily India, Bangladesh, Sri Lanka, and the Philippines

Impact:

• Compromise of systems through trusted antivirus updates
• Prevention of security updates and remediation
• Persistent access and staged payload delivery
• Elevated supply chain risk impacting both enterprises and consumers

Recommendations:

• Immediately contact MicroWorld Technologies for remediation guidance
• Apply vendor-provided fixes to revert malicious changes
• Verify integrity of eScan binaries and update mechanisms
• Monitor endpoints for unauthorized PowerShell execution and scheduled tasks
• Conduct incident response reviews on systems updated during the affected timeframe

Reference:
https://thehackernews.com/2026/02/escan-antivirus-update-servers.html