OSINT Dashboard V2

Daily Intelligence Brief

131 Critical CVEs (7d) ▲ new

0 New KEVs Today 5 due ≤14d

11 Ransomware Victims Today ▼ -63%

1003 New IOCs Today ▲ new

2 APT Campaigns Today ▲ new

Ransomware
Victims
Last 90 days

Priority Threats

VULNERABILITY 10.0 CVSS

CVE-2026-4370 — Unknown Unknown

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to per…

Also: CVE-2026-34162 (CVSS 10.0), CVE-2025-15379 (CVSS 10.0)

RANSOMWARE 12 victims / 7d

nightspire

Targeting: Financial Services (1 incidents) · Manufacturing (1 incidents) · Education (1 incidents)

Active today: nightspire (8 new victims)

APT CAMPAIGN 9 IOCs

A laughing RAT: CrystalX combines spyware; stealer; and prankware features

Top Targeted Sector (30d)

Technology

Manufacturing

Consumer Services

Education

Healthcare

Top Targeted Countries (30d)

Live Feed Last 24 hours

RAN

shinyhunters → Cisco Systems, Inc. (cisco.com) (US) 13:14

NEWS

SANS ISC: TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure,… 13:08

NEWS

SentinelOne: The Implementation Blind Spot | Why Organizations Are Confusing Temporary F… 13:00

NEWS

Malwarebytes: Why we’re still not doing April Fools’ Day 13:00

NEWS

THN: Block the Prompt, Not the Work: The End of "Doctor No" 12:46

NEWS

THN: Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures 12:36

NEWS

TheRecord: Romania under daily barrage of cyberattacks, defense minister says 12:15

NEWS

InfosecMag: Chinese Hackers Target European Governments in Espionage Campaigns 12:05

NEWS

THN: Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass 11:49

NEWS

THN: New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released 11:42

NEWS

BleepingComputer: FBI warns against using Chinese mobile apps due to privacy risks 11:39

NEWS

THN: 3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See… 10:58

NEWS

SANS ISC: Malicious Script That Gets Rid of ADS, (Wed, Apr 1st) 10:44

NEWS

DarkReading: Are We Training AI Too Late? 10:40

RAN

anubis → Publishers Clearing House (US) 10:37

CVE

CVE-2026-4370 (CVSS 10) — Unknown 09:18

CVE

CVE-2026-34162 (CVSS 10) — Unknown 09:18

CVE

CVE-2026-34156 (CVSS 9.9) — Unknown 09:18

CVE

CVE-2025-15379 (CVSS 10) — Unknown 09:17

CVE

CVE-2026-32922 (CVSS 9.9) — openclaw 09:17

CVE

CVE-2026-30302 (CVSS 10) — Unknown 09:17

CVE

CVE-2026-33945 (CVSS 9.9) — Unknown 09:17

CVE

CVE-2026-33494 (CVSS 10) — Unknown 09:17

RAN

nightspire → Notre-Dame du Grandchamp (FR) 08:34

RAN

nightspire → Ghazi Brothers (PK) 08:33

RAN

nightspire → The GMP Group (SG) 08:33

RAN

nightspire → S**n* *o**tr***io* 08:32

RAN

nightspire → P**S****E 08:32

RAN

nightspire → *ep***e M***a*i***, Inc. 08:32

APT

OTX: A laughing RAT: CrystalX combines spyware; stealer; and prankware features · 9 IOCs 06:24

Active IOC Feed

IOC Value	Type	Malware / Family	Threat Type	Source	Confidence	First Seen	Ref
`40c44ed554771b552a99415c737b1ea24cce3d0dc3ed06bb778b8254a3fdc750`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`https://sp4rk3-trace.movementsheptun.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`sp4rk3-trace.movementsheptun.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`81d9e0389970009a15ed35e003f8feb500bcb1c684b7a6b16d4fe9fc028a1abc`	sha256	doc	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`http://110.36.76.249:56770/i`	url	—	malware_download	URLhaus	—	2026-04-01
`http://103.206.207.23:42009/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`5f81a3a1bb8b3c25e681fc472ddf01ecfe30d8c818e50a0d144f18e354f6ab10`	sha256	cmd	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`https://fvbtyoj.movementsheptun.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://39.74.39.212:34127/bin.sh`	url	—	malware_download	URLhaus	—	2026-04-01
`http://221.15.15.254:45309/bin.sh`	url	—	malware_download	URLhaus	—	2026-04-01
`https://arn3i.movementsheptun.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://117.24.142.170:47976/bin.sh`	url	32-bit, arm, elf, Mozi	malware_download	URLhaus	—	2026-04-01
`arn3i.movementsheptun.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`fb924e8cef93d0a4244790ba1e1a4ecaf1a93b19f8e816329cdd763b017df459`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`http://123.8.4.253:33343/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://124.135.131.61:53077/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://42.227.225.230:34570/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://relay-chain.movementsheptun.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`relay-chain.movementsheptun.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`fvbtyoj.movementsheptun.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`http://110.36.76.249:56770/bin.sh`	url	—	malware_download	URLhaus	—	2026-04-01
`5b0640966b086643d251381dbfe5998034a1b2b58e194924c302f93870749659`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`http://115.51.33.139:53835/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://m15t7-sync.demolishtunis.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://119.183.25.133:49085/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://196.190.69.149:59539/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-04-01
`http://196.190.69.149:59539/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-04-01
`https://jjczes4.demolishtunis.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://182.235.62.104:47453/i`	url	32-bit, arm, elf, Mozi	malware_download	URLhaus	—	2026-04-01
`https://9sis.demolishtunis.in.net/verification.google`	url	ClearFake	malware_download	URLhaus	—	2026-04-01
`m15t7-sync.demolishtunis.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`jjczes4.demolishtunis.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`9sis.demolishtunis.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://fptinternet.info/`	url	unknown	payload_delivery	ThreatFox	90%	2026-04-01	🔗
`138.124.5.193:8080`	ip:port	py.amnesia_rat	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`c3b8803ca6b48a94a686ebb7d3add38fdd61f2fca5a6fff1da2250732d193afe`	sha256	zip	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`22ca3715bdf2432c7522062d006dcc585865344c078f1a7b4e93887702318824`	sha256	ps1	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`d2e8bdf1cc427f6311d2ae6561ef78e5f52ea7f79ab8d14ed352fce401e3d353`	sha256	ps1	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`f3b86b6587466afe8b515c08e31c9bea44ccfc3a795de0095bad2e8ae74ea2d7`	sha256	Adware.Techsnab	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`784e7ec599e5932974bacbbdba5a85cd71ff9cf17342a4cb13289ae830f092fc`	sha256	ps1	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`6f76ee849452d620288c6f7f4619b81b3c706177313fecbea706aa05ac4ab1e3`	sha256	ps1	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`670781d0d35582d3094cf375a43c59cfba157e0a99fe919e462ad06045f0843c`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`https://dynfluxal.demolishtunis.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://124.135.131.61:53077/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://talforgeal2.demolishtunis.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://binaryassay.demolishtunis.in.net/verification.google`	url	ClearFake	malware_download	URLhaus	—	2026-04-01
`dynfluxal.demolishtunis.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`talforgeal2.demolishtunis.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`binaryassay.demolishtunis.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`30bb939fad6a6fcb35f509012cdd40a9b5b1a600566a270c9627a02a72b96d70`	sha256	RemcosRAT	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16`	sha256	Formbook	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`11acea5515c1b6124820eff92e45e6187c2393ba34a05c3ad4b82e58e64e815d`	sha256	ACRStealer	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8`	sha256	ps1	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`2d5f7e2338ade5ae68dc82758126a60fdcecd36d44d08aded3f92df35fd7bdff`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`482d134402fb33d4ded42657dd3473240fccdedb25cee3c3af5de8e4783886e3`	sha256	CobaltStrike	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`72c35c67d1d70b9c504b62f4fcd18698f9a3d1e75e3ecaf9768a773c855aea77`	sha256	DarkWatchman	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`04f4dde250db15de247e67ecd25134ab7e4512a77859589f4e979905685316c0`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`283a63c497522046fd0654e224dc322143f7d4e975d5e437105d65c40424d7d2`	sha256	ps1	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`191860d5f0c5b1740b22934f0b3a70022dc10d956f7b7b25ccde0215118d9205`	sha256	cmd	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`816fd294fece9e4f049ffd27ced21af4ebb7cc2691cadce39cc51c536803bddf`	sha256	html	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`2f97b6f7fed27696ecbdd715219740a2a4ae7c746a485ff7469b8da9bc035fe1`	sha256	zip	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`24e8c437fd971140b5b616acea1102572d00688d6590caa0d8a335ee4d2189f4`	sha256	zip	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`40a191d9df24f960a53e798b11c16c4be15576716dc351cf6fc7f9ed4e9c1f4b`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`f26119470f6a040c7dfc591ad4ed4fd909a96cbeec705d0745998ee8ad023b3d`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`1e563640b8de25d76d26b4e04742d2a6425e5eb94e4d5283944a5d14c97a24e5`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`eb9252284ea46f9c5cd9ea330da0e44a2c0cd396498d651a2b749ae38795c50d`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`2154678a606be199a523590493f14a0811bd5a08db5114d47b4e6dfe8cc7042f`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`http://123.10.68.78:60783/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-04-01
`https://solcresten2.vivatwoman.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://110.37.106.148:50795/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-04-01
`https://6jamieya.vivatwoman.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://lumnexen7.vivatwoman.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://219.157.52.60:45020/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://norvenix2.vivatwoman.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://219.156.23.161:46171/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://110.37.69.76:57519/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-04-01
`https://neo-d3v.vivatwoman.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://110.39.244.189:48732/i`	url	Mozi	malware_download	URLhaus	—	2026-04-01
`https://qobavx3.barondecont.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://42.239.227.212:58225/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://calmion.barondecont.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://123.8.94.184:38216/i`	url	Mozi	malware_download	URLhaus	—	2026-04-01
`http://115.49.79.227:45272/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://crirn4-point.barondecont.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://h4rb-loop.barondecont.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://175.150.79.16:55160/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://119.183.25.133:49085/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://sprucethorn.barondecont.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://lejrmakei.com/WORDPRESS%202026.zip`	url	—	malware_download	URLhaus	—	2026-04-01
`https://marcuswelbyclinic.click/ligolo_172.28.16.169.exe`	url	—	malware_download	URLhaus	—	2026-04-01
`https://keilo-jermailer.org/WORDPRESS%202026.zip`	url	—	malware_download	URLhaus	—	2026-04-01
`https://marcuswelbyclinic.click/final-payload/ligolo_172.28.16.169.exe`	url	—	malware_download	URLhaus	—	2026-04-01
`https://pub-563376bbe356408a8c67e226123a6095.r2.dev/ScreenConnect.ClientSetup.msi`	url	connectwise	malware_download	URLhaus	—	2026-04-01
`https://dz7shop.com/TriggerFinder_DZ7.exe`	url	—	malware_download	URLhaus	—	2026-04-01
`https://jem-mialwe.org/WORDPRESS%202026.zip`	url	—	malware_download	URLhaus	—	2026-04-01
`https://telecomsa.xyz/taptapsend.apk`	url	—	malware_download	URLhaus	—	2026-04-01
`http://115.51.33.139:53835/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://m.hy-union.com/file/ueditor/php/upload/file/20250114/x1/REF-CLI%20v1.0.3.exe`	url	—	malware_download	URLhaus	—	2026-04-01
`https://www.telecomsa.xyz/taptapsend.apk`	url	—	malware_download	URLhaus	—	2026-04-01
`https://ossapp.suning.com/pcoss/dl/PPTV(pplive)_forap_1084_9993.exe`	url	—	malware_download	URLhaus	—	2026-04-01
`https://lo98.barondecont.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://42.239.227.212:58225/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://t.me/xerkoper`	url	win.vidar	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`solcresten2.vivatwoman.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`6jamieya.vivatwoman.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`iopv.net`	domain	unknown	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://iopv.net/init`	url	unknown	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://iopv.net/register`	url	unknown	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`norvenix2.vivatwoman.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`neo-d3v.vivatwoman.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`qobavx3.barondecont.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`crirn4-point.barondecont.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`lotusstudiopr.us.com`	domain	win.quasar_rat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`proveritas.eu.com`	domain	win.quasar_rat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`greek.gb.net`	domain	win.quasar_rat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`charlotte.eu.com`	domain	win.quasar_rat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`skk.uk.com`	domain	win.quasar_rat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`mahjongtiles.it.com`	domain	win.quasar_rat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`aiscore.it.com`	domain	win.quasar_rat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`h4rb-loop.barondecont.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`http://202.56.160.190:80/HRQr`	url	win.cobalt_strike	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`sprucethorn.barondecont.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://tirqavem.top/session/login-stylesheet.js`	url	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`tirqavem.top`	domain	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://tirqavem.top/session/realm-response.php`	url	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`calmion.barondecont.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`ballieballerson.com`	domain	unknown	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://willowbrooktownhouse.com/`	url	unknown	payload_delivery	ThreatFox	90%	2026-04-01	🔗
`lumnexen7.vivatwoman.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://pelgiron.com/v1/user/py`	url	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://wexlunto.top/session/login-stylesheet.js`	url	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://wexlunto.top/session/realm-response.php`	url	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`wexlunto.top`	domain	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://wexlunto.top/session/version-header.js`	url	js.smartapesg	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`lo98.barondecont.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://srmvcas.org/`	url	unknown_stealer	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`105bc76ac37570568aac5d1a4007fd24ed2c3176bb25866b2658c4a59fc882fd`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`484a95c32225fa3728494be1e932c47ca11573db7829c0c5257cc2667c2dee8a`	sha256	msi	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`a3a4b852c94808c7a4484caaa441698fc34cb452bf62d363e55a180ccca84465`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`8aaea6dd4f70193006006dc46c9242d241771cd4804145ab78e6af433cea3a50`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`ac3d335498c49a80fe5b6fe69b75cf601eb325fafad0c042f8e7f14ed047927b`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`f75186f51a4ed00d24d07434bc8d1ea843680c0920d5952e06b64c6b24361c9b`	sha256	apk	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`dd404d1159202a1ac57af3f0e51b131331c8522c3e47312fe20a1647ea290413`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`https://wild-mount.vivatwoman.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://110.39.233.226:41288/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://123.8.94.184:38216/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`wild-mount.vivatwoman.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`e6235b7e678edf5c227b84d9a2c955cdeefb17bfc35a4567fea1efbb059772f7`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`5c067ef70261e6ea744eb8bcedf95e8c52ad89ab1a1f0155e349b05207385da7`	sha256	Mirai	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`44ac530444d98daca60c6b04ff25d0e335c26fcce9d74cde5a09157a0501b489`	sha256	elf	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`b5466c8d11f631841ea3ee55c504c07bf759508bbd56cef9bb49987452c0559f`	sha256	Mirai	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9de338f3919597401019e2e6a7747c09a803111c04672e3008de8bd6ecaa6ba3`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`2be661211e8a0df37f4d20ada629abe9f75787ca491382151b43520bdf3d1c45`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`c04eecfa0ae1b15aa4042459efbb89884525d358dc01e481109972d4efa062c3`	sha256	STRRAT	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`793ed95eb6ef4d880d85e5aaf46a415949a1894a1f1022aa11e9d8923e8b1b84`	sha256	Mirai	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9984df2dabb8112ccd999523e62ca9c671ed1a8e3649eb0928768919735d5200`	sha256	Mirai	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9ba23c9e2fbc61850f8d08179560b5c810be4b780dee911ebbadc485d0991445`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9ffa2294f9e00007de0c84fd6bd073017e19b7cfe63ab6a2836781a62b739998`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`82c7d4123b47bbc4b6d32a52521db81d4b1580a485c6e6bf508f32878bf53223`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9eee0bd0f40ca1160d6e5b6331c7a77720a39aabe597bc5e777bb268a9659af0`	sha256	Worm.Virut	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`83b524467cb1eb5c4807b0f4cec93c5efe6f3b1bbd15f711f4462b15706b863b`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`debaf394b5a4dbc06ca03ae271fc59f6800ee261511239100120561cbc1d1200`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`6b94e16e486df4ae0960c0cf0ce0e0425a5b9a4b98ea18503468d4cdde93409e`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`b525837273dde06b86b5f93f9aec2c29665324105b0b66f6df81884754f8080d`	sha256	macho	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede`	sha256	macho	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`2ac08b5e2be289278c79ab0814a6b37d02e71a78f03c0ca144a20791f53f9b47`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`5bcf71623d9092f772c0c9947db516f0867eaf818ecb5775d76fbf93a2b7de85`	sha256	DarkTortilla	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`830e7555a21ef8eaf7c0476595d116806d5351e5e6d1e458f10cf9e7e93d7dd9`	sha256	AgentTesla	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`452e056633df2167a77f33ff65195268109c31789e5cbfcaaab83fb27e99c5a8`	sha256	PhantomStealer	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`ea61e090f64b28c641b4d7c1fd771082eaf91bec933242589e48f525cebb3da6`	sha256	Mirai	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`c5da47d70f71c5aae4980e0108a16e7ebe33d4e90e08890db61322a645eeb115`	sha256	AgentTesla	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9f777b4fac1d52ac9d8ade02c38dd235ee858906e8b3f225d4f5cc9fbb53ea2c`	sha256	Mirai	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`918b846b21167686b9d121e182c9dfec18e66b53fd1c33af1cdd1d0907e5fb12`	sha256	macho	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9fb82d137cef8056c62cc85ba2c04e8776074e8e54d1da80f90596cc07ecde33`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`e64c78c84a4ff05bd73230fbfb4ce2f0ac88cc2aca1abfee1c19ad5bd9168e3c`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`dd9f235cff12bd7ecfca75face1d525fe7f5d45edd066f5dddf4f66120763366`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`e64d33a27a6ccfe5138f2865b41dfcabc362bcc5cab96f13f95a005db3bb1039`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`b0847d54bcb077c51e83f03e82f61063ce76325b3467cbb1dcf90eb076a3787e`	sha256	sh	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`0001b8219a77f8e206efe2b71ecf3892aed755c26fb2dc5e4b7b42a226b72eaa`	sha256	AsyncRAT	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`a985b3fab403ad6fbb5cc15a44912224aead9518ac6b970c0a6c303989e61556`	sha256	AdaptixC2	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`485952ba5347aa83f00537a4be0bebb274021f773a0203b65142f1b86dfda34d`	sha256	AdaptixC2	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`8edb7d760c45558724c237a0fcc9b3606a08cb45afbdd891c3d6ba26d0ef15b1`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`34671e45d3d03539b44eba27e6c78417cb0022bb38de9b96ca7e0f1e9507178f`	sha256	a310Logger	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`bc7400e057f39513278a665d89ab1af5e53825edd54359eede65281b879738d9`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`6890fa7e599e49cbb5f70c9fec4595da83b512ff0cdcd9be120edf322968902a`	sha256	SantaStealer	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`b2419d5fac72ce685db92544be9410962e22aba6326486f586b7eb36a3bb9bb4`	sha256	LummaStealer	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`3b3eb57f077a05824b98d8afb24d47514dc5d99ddc392f910b1db45ceed26ee8`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`0a7c791f3559b76c06008621fd91a562c151f4c0fd370ac6b473090d617f6c14`	sha256	Vidar	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`7c806f73aaca52b4030b6b996ae0b71452e545d08b38543d8885210037cfd02b`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`e268324d79d6ef3f04370fbb06ce26a8b3db7a34b92731a0c5582a0fe800547a`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`e03ae62f41b0ec6fc3b7780bfa23d153e5601eabbfd5b57b0c13b59d62e94c1c`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`b7d2a540e591492a71fa7921fdb692187d62ffe44e341114ad58105db6cf6d8b`	sha256	gz	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`http://217.160.125.125:15527/bot.x86`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.armv4l`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.sh4`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://60.22.176.44:39750/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.74/mips`	url	elf, gafgyt, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.74/mipsel`	url	elf, gafgyt, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.25/html/jade.mips`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.25/html/jade.arm7`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.25/html/jade.ppc`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.96/hiddenbin/boatnet.arm7`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.96/hiddenbin/boatnet.mips`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.96/hiddenbin/boatnet.spc`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.96/ohshit.sh`	url	mirai, sh, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.96/hiddenbin/boatnet.arm`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.59/mips`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.59/hiddenbin/boatnet.armv6l`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.59/hiddenbin/boatnet.m68k`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://113.238.14.212:45600/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.59/hiddenbin/boatnet.mipsrouter`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://42.54.11.123:34666/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://175.173.155.12:52416/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://180.157.55.73:39040/i`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.aarch64`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.arm6`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.arm7`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.mpsl`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.x86`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.mips`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.arm4`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.m68k`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.spc`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.arm7`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.arm5`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.arc`	url	mirai	malware_download	URLhaus	—	2026-04-01
`https://winston1.rf.gd/img_143439.png`	url	—	malware_download	URLhaus	—	2026-04-01
`https://winston1.rf.gd/img_215835.png`	url	—	malware_download	URLhaus	—	2026-04-01
`http://115.57.42.132:55074/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.mips-uclibc`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.ppc`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.arm6`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.mipsel`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.mipsel-uclibc`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.powerpc`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://105.184.169.34:56291/i`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.arm5`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.sh4`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.arm`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/hiddenbin/boatnet.mips`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://159.253.120.149:81/bins.mipsle`	url	—	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.x86`	url	mirai	malware_download	URLhaus	—	2026-04-01
`http://5.175.223.249/data.x86_64`	url	DDoSAgent	malware_download	URLhaus	—	2026-04-01
`http://82.23.183.167/ohshit.sh`	url	mirai	malware_download	URLhaus	—	2026-04-01
`https://mybiggestjoy.bond/api/index.php?a=dl&token=fcdd5b796fbf5cb5614da7aaa4773fb404771c4821e4b8d30305ed8df58a2188&src=trindade.pe.gov.br&mode=cloudflare`	url	exe, Vidar	malware_download	URLhaus	—	2026-04-01
`http://218.24.63.78:47588/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://grain-store.combinekabisia.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://field-scan.combinekabisia.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://harvest-api.combinekabisia.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://125.44.252.55:46814/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://175.173.142.44:57750/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://crop-trace.combinekabisia.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://110.37.2.210:47240/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://yield-hub.combinekabisia.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://115.49.79.227:45272/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://high-note.brillwhistleb.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://tune-api.brillwhistleb.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://182.116.21.30:51230/i`	url	Mozi	malware_download	URLhaus	—	2026-04-01
`https://signal-box.brillwhistleb.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://125.44.252.55:46814/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`https://alert-svc.brillwhistleb.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://wind-flow.brillwhistleb.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://emacra.com/GoogleChrome_1.1.1_new.exe`	url	dropped-by-amadey, fbf543	malware_download	URLhaus	—	2026-04-01
`http://182.123.208.44:35961/i`	url	Mozi	malware_download	URLhaus	—	2026-04-01
`https://loud-cloud.brillwhistleb.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://soft-glob.driveaway.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://wzovragk.driveaway.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://nppw50at.driveaway.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://123.10.68.78:60783/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-04-01
`https://compilpow.driveaway.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://175.150.79.16:55160/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`http://110.37.106.148:50795/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-04-01
`https://choru5-hinge.driveaway.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`https://kxep42pp.driveaway.in.net/verification.google`	url	ACRStealer, ClearFake	malware_download	URLhaus	—	2026-04-01
`http://219.157.52.60:45020/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-04-01
`159.75.76.236:443`	ip:port	win.cobalt_strike	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`38.22.91.131:8080`	ip:port	win.cobalt_strike	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`grain-store.combinekabisia.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`https://centegn.cyou`	url	win.lumma	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`5.180.24.16:80`	ip:port	unknown	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`http://5.180.24.16/api/upload-data`	url	unknown	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`http://5.180.24.16/ws/client`	url	unknown	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`harvest-api.combinekabisia.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`91.202.233.67:5555`	ip:port	unknown	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`shlyapadulina.space`	domain	unknown_stealer	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`field-scan.combinekabisia.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`212.162.150.121:80`	ip:port	unknown	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`65.109.103.93:80`	ip:port	unknown	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`http://212.162.150.121/ws/client`	url	unknown	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`http://65.109.103.93/ws/client`	url	unknown	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`http://212.162.150.121/api/upload-data`	url	unknown	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`http://65.109.103.93/api/upload-data`	url	unknown	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`crop-trace.combinekabisia.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`yuosryb6o.ddns.net`	domain	win.remcos	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`yuosryb6o.duckdns.org`	domain	win.remcos	botnet_cc	ThreatFox	75%	2026-04-01	🔗
`yield-hub.combinekabisia.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`high-note.brillwhistleb.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`tune-api.brillwhistleb.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`signal-box.brillwhistleb.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`alert-svc.brillwhistleb.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`wind-flow.brillwhistleb.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`loud-cloud.brillwhistleb.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`185.38.142.5:5003`	ip:port	jar.strrat	botnet_cc	ThreatFox	100%	2026-04-01	🔗
`soft-glob.driveaway.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`wzovragk.driveaway.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`nppw50at.driveaway.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`45.221.118.180:111`	ip:port	win.cobalt_strike	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`152.136.43.210:8083`	ip:port	win.cobalt_strike	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`43.230.161.81:443`	ip:port	win.cobalt_strike	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`104.168.149.226:443`	ip:port	win.cobalt_strike	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`103.40.253.162:443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`113.45.65.232:443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`161.97.139.204:3333`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`5.226.191.169:4433`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`46.225.174.26:3333`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`108.162.67.124:443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`141.95.160.129:3333`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`5.129.194.137:3333`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`139.59.106.165:8443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`178.104.45.253:8080`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`54.157.76.50:443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`189.56.104.221:8443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`147.45.45.79:31337`	ip:port	win.sliver	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`77.90.185.69:31337`	ip:port	win.sliver	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`165.245.130.101:31337`	ip:port	win.sliver	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`164.92.67.70:443`	ip:port	win.havoc	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`192.227.239.42:8443`	ip:port	win.adaptix_c2	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`compilpow.driveaway.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`144.172.88.60:4443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`89.169.54.130:7443`	ip:port	unknown	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews43.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews24.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://elecviews55.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews59.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://elecviews87.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews5.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://search20s.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews40.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews65.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews35.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://join39s.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`http://docviews56.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://nids58.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews8.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://elecviews49.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://note4.dns.army/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://edocview7.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://elecviews40.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://docviews71.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://nids19.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://elecviews39.dynv6.net/`	url	win.kimsuky	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://77.91.97.162/g93kdwj3s/index.php`	url	win.amadey	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://taozi.win/`	url	apk.spynote	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://der04.top/`	url	apk.spynote	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://api.telegram.org/bot8565137147:AAE7jjjsdR6xpVh7Pt_AHuEJ8UDtF-iSSYw/`	url	win.agent_tesla	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`https://api.telegram.org/bot8271047137:AAEexDI10mt9IUeumEpriGOSFf1ITlCIW-0/`	url	win.agent_tesla	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`v3.xoilacvi.co`	domain	win.dcrat	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`v2.xoilacvi.co`	domain	win.dcrat	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`choru5-hinge.driveaway.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`brighterlib.click`	domain	win.lumma	botnet_cc	ThreatFox	50%	2026-04-01	🔗
`kxep42pp.driveaway.in.net`	domain	js.clearfake	payload_delivery	ThreatFox	100%	2026-04-01	🔗
`bbdd32373a701742689d1b34d1597d6c4347758d91bea4e9cb4aa875237cd07c`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9a75bc0cbd4a2e57bf342a05c0f694a0986a928b5e01237cc008e1c8257516b4`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`https://farm-logic.combinekabisia.in.net/verification.google`	url	ClearFake	malware_download	URLhaus	—	2026-04-01
`c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c`	sha256	iso	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`3d006229cbe5f32f036b0f10ee2876a1d2e9434639c8ba934704d31f73688f0c`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`1c772de0c40755f2516f57a86a8a0cbe58201a79a191defbb285946574ee3d2c`	sha256	7z	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c`	sha256	msi	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`9ca881abd3c11368e381b8a9f6d32ef14e022058ce936922afb82164c17f3310`	sha256	Mirai	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`5670707f3704c17145353742fed1c27aae3f4d52ceae99b12ed8c55400fc55fb`	sha256	exe	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`65e5b34667cda5e4444f563750beb579a8e532f94bcb073222c77fd16e9545dd`	sha256	DCRat	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`3dc15bca73cf6ceea3b6bc1db0995b887f001e8ea43e1e0f5234f85b539cdef8`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`8e590e1b1db1016f3020b08a39ad2853c50b9247fe70ef73ce3b199522dc734d`	sha256	js	Malware Sample	MalwareBazaar	—	2026-04-01	🔗
`http://61.52.44.86:58703/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://61.52.44.86:58703/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://113.228.152.60:50583/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://42.230.40.84:32883/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/eastgerman-internist198/raylib-template/refs/heads/main/raylib-5.5_linux_amd64/lib/template_raylib_3.7.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/jasminahyperthermal488/utility-for-fortnite-noclip/raw/refs/heads/main/Cheka/noclip-fortnite-utility-for-1.6-alpha.4.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/eastgerman-internist198/raylib-template/raw/refs/heads/main/raylib-5.5_linux_amd64/lib/template_raylib_3.7.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/Flipflip563/YICB/refs/heads/main/airless/Software-2.8.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/jasminahyperthermal488/utility-for-fortnite-noclip/refs/heads/main/Cheka/noclip-fortnite-utility-for-1.6-alpha.4.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/Flipflip563/YICB/raw/refs/heads/main/airless/Software-2.8.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/Valentindelahaye8/LeviLauncher-MaterialBinLoader/refs/heads/master/Mediaqueries/LeviLauncher-MaterialBinLoader_3.7.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/Valentindelahaye8/LeviLauncher-MaterialBinLoader/raw/refs/heads/master/Mediaqueries/LeviLauncher-MaterialBinLoader_3.7.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`http://119.187.55.28:39334/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://58.255.46.51:34711/bin.sh`	url	—	malware_download	URLhaus	—	2026-03-31
`https://github.com/Avhasei07/DevilConnection-Russian-Localization/raw/refs/heads/main/heriot/Russian_Devil_Connection_Localization_v2.9.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/Avhasei07/DevilConnection-Russian-Localization/refs/heads/main/heriot/Russian_Devil_Connection_Localization_v2.9.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`http://42.57.180.81:48800/i`	url	—	malware_download	URLhaus	—	2026-03-31
`http://114.227.63.144:51956/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://120.28.193.113:47832/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://101.58.64.161:9454/.i`	url	hajime	malware_download	URLhaus	—	2026-03-31
`http://77.247.88.72:46880/i`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://77.247.88.72:46880/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://42.53.166.90:55722/i`	url	—	malware_download	URLhaus	—	2026-03-31
`http://27.156.176.206:50260/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://42.238.68.233:44121/bin.sh`	url	Mozi	malware_download	URLhaus	—	2026-03-31
`http://45.237.130.120:49016/i`	url	Mozi	malware_download	URLhaus	—	2026-03-31
`http://110.37.107.41:51045/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://110.37.88.34:53224/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://42.57.180.81:48800/bin.sh`	url	—	malware_download	URLhaus	—	2026-03-31
`http://175.154.118.223:55245/bin.sh`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://110.37.107.41:51045/i`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://58.255.46.51:34711/i`	url	—	malware_download	URLhaus	—	2026-03-31
`http://123.4.244.236:33143/i`	url	Mozi	malware_download	URLhaus	—	2026-03-31
`http://119.187.55.28:39334/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`https://github.com/HarryRyanBarr/yarpe/raw/refs/heads/main/renpy/Software-3.5-alpha.3.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/skidgang/discord-lanyard-activity/raw/refs/heads/main/demo/src/discord-activity-lanyard-tour.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/aslekarii/proxmox-nvidia-vfio-handoff/refs/heads/main/autogeneal/vfio-proxmox-handoff-nvidia-v2.6.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/aslekarii/proxmox-nvidia-vfio-handoff/raw/refs/heads/main/autogeneal/vfio-proxmox-handoff-nvidia-v2.6.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/skidgang/discord-lanyard-activity/refs/heads/main/demo/src/discord-activity-lanyard-tour.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/talangojames51/io5/refs/heads/main/5/83.txt`	url	lua, SmartLoader	malware_download	URLhaus	—	2026-03-31
`https://github.com/talangojames51/io5/raw/refs/heads/main/5/86.txt`	url	lua, SmartLoader	malware_download	URLhaus	—	2026-03-31
`https://github.com/talangojames51/io5/raw/refs/heads/main/5/83.txt`	url	lua, SmartLoader	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/Haylandercaio/Lego-Star-Wars-2005-PC-Resolution-FIX-DeveloperModeON/refs/heads/main/source/dxsdk/Mode_Wars_ON_Developer_Resolution_P_Lego_Star_FI_v3.9.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/Haylandercaio/Lego-Star-Wars-2005-PC-Resolution-FIX-DeveloperModeON/refs/heads/main/source/dxsdk/lib/x64/Developer-Wars-FI-Star-ON-Resolution-P-Mode-Lego-v1.8.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/Haylandercaio/Lego-Star-Wars-2005-PC-Resolution-FIX-DeveloperModeON/refs/heads/main/source/dxsdk/lib/x86/ON-P-Mode-Developer-Lego-FI-Star-Resolution-Wars-1.1.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/Haylandercaio/Lego-Star-Wars-2005-PC-Resolution-FIX-DeveloperModeON/raw/refs/heads/main/source/dxsdk/lib/x86/ON-P-Mode-Developer-Lego-FI-Star-Resolution-Wars-1.1.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/Haylandercaio/Lego-Star-Wars-2005-PC-Resolution-FIX-DeveloperModeON/raw/refs/heads/main/source/dxsdk/lib/x64/Developer-Wars-FI-Star-ON-Resolution-P-Mode-Lego-v1.8.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/Haylandercaio/Lego-Star-Wars-2005-PC-Resolution-FIX-DeveloperModeON/raw/refs/heads/main/source/dxsdk/Mode_Wars_ON_Developer_Resolution_P_Lego_Star_FI_v3.9.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`http://182.119.228.241:56948/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/sethudevasenapathy92/sethudevasenapathy92.github.io/refs/heads/main/cultigen/sethudevasenapathy_github_io_3.7.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/light-077/chatbot-gaming-assistant/refs/heads/main/my_agent/chatbot_assistant_gaming_v1.8.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/light-077/chatbot-gaming-assistant/raw/refs/heads/main/my_agent/chatbot_assistant_gaming_v1.8.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/sethudevasenapathy92/sethudevasenapathy92.github.io/refs/heads/main/cultigen/sethudevasenapathy-io-github-2.2.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/sethudevasenapathy92/sethudevasenapathy92.github.io/raw/refs/heads/main/cultigen/sethudevasenapathy-io-github-2.2.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/sethudevasenapathy92/GTAO_SoloSession/raw/refs/heads/main/GTAO_SoloSession/Solo-Session-GTA-v2.3.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://github.com/cradzz14/Gamification-In-Software-Project-Management/raw/refs/heads/main/unmeltableness/Software_Management_Project_In_Gamification_v2.6.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/cradzz14/Gamification-In-Software-Project-Management/refs/heads/main/unmeltableness/Software_Management_Project_In_Gamification_v2.6.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/tribalwarsaaa/vfio-windows-aio/refs/heads/main/assets/windows-vfio-aio-3.3.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`https://raw.githubusercontent.com/cradzz14/Gamification-In-Software-Project-Management/refs/heads/main/unmeltableness/Management_Project_Gamification_In_Software_2.3.zip`	url	SmartLoader, zip	malware_download	URLhaus	—	2026-03-31
`http://182.119.228.241:56948/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.m68k`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.mipsel`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.i486`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.powerpc`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.armv6l`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.i586`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.x86_64`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://217.160.125.125:15527/bot.powerpc-440fp`	url	mirai	malware_download	URLhaus	—	2026-03-31
`http://175.154.118.223:55245/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://103.164.128.50:33037/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://222.134.163.7:52361/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://222.134.163.7:52361/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://112.231.44.55:48069/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://110.39.244.67:47809/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://60.213.123.169:52883/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://110.37.97.32:42669/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://110.37.97.32:42669/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://112.231.44.55:48069/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://124.234.174.62:36200/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://115.62.25.41:38187/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://27.37.60.190:52268/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://179.43.186.246:14888/download/0e23d66b-d075-445a-bc56-e0d05a633724`	url	clearwater, Ransomware	malware_download	URLhaus	—	2026-03-31
`http://110.39.244.67:47809/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://123.12.238.198:39150/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://60.213.123.169:52883/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://110.37.118.66:34574/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://175.146.163.233:58676/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://123.12.238.198:39150/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://175.146.163.233:58676/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://60.22.176.44:39750/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://167.250.158.32:39717/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://105.186.172.191:42231/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://175.147.157.129:55169/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://61.166.217.21:33418/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://60.18.50.197:50181/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://90.224.208.190:45821/bin.sh`	url	—	malware_download	URLhaus	—	2026-03-31
`http://46.163.184.136:49029/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://217.208.164.149:45464/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://61.166.217.21:33418/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://42.6.253.116:46861/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://60.18.50.197:50181/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://42.230.32.152:46663/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://167.250.158.32:39717/i`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://42.230.32.152:46663/i`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://110.37.102.128:52610/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://120.37.212.67:43258/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`https://vault88x.secure-efficient2.su/MSI_054600.png`	url	—	malware_download	URLhaus	—	2026-03-31
`http://216.9.225.38/img/optimized_MSI.png`	url	—	malware_download	URLhaus	—	2026-03-31
`http://198.12.83.76/img/optimized_MSI.png`	url	—	malware_download	URLhaus	—	2026-03-31
`https://prosingle.com.br/my_photo.png`	url	—	malware_download	URLhaus	—	2026-03-31
`http://reutilizemais.co.mz/sehhs_MSI.png`	url	—	malware_download	URLhaus	—	2026-03-31
`https://reutilizemais.co.mz/sehhs_MSI.png`	url	—	malware_download	URLhaus	—	2026-03-31
`https://fullclear-seven.vercel.app/mp.msi`	url	GoToResolve, LogMeIn, msi	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.64/i486`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.64/arm4`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://176.65.139.64/spc`	url	elf, mirai, ua-wget	malware_download	URLhaus	—	2026-03-31
`http://60.23.203.149:51381/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://119.162.228.112:53422/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://113.228.240.50:54543/bin.sh`	url	32-bit, arm, elf, mirai, Mozi	malware_download	URLhaus	—	2026-03-31
`http://110.39.239.111:35582/bin.sh`	url	32-bit, elf, mips, Mozi	malware_download	URLhaus	—	2026-03-31
`http://121.37.40.52/cat.sh`	url	sh, ua-wget	malware_download	URLhaus	—	2026-03-31

Analyst Tools

Paste raw text — emails, reports, logs — to automatically extract and classify all IOCs.

Enter any IOC — type is auto-detected and a curated set of intel sources appears.

Decode common obfuscation schemes found in malware, phishing kits, and threat reports.

Convert IOCs between defanged (report-safe) and live formats. Handles hxxp, [.], and [://] notations.

Convert timestamps between Unix epoch, UTC, and local time. Paste any format into any field.

Unix Epoch (seconds)

Unix Epoch (milliseconds)

UTC / ISO 8601

Local Time

Human Readable (UTC)

Relative Time

Paste raw email headers to extract the sending chain, authentication results (SPF / DKIM / DMARC), originating IPs, and timing data.

Ransomware activity

Victim Name	Ransom Group	Industry / Sector	Country	Date Discovered
Cisco Systems, Inc. (cisco.com) NEW	shinyhunters	Technology	US	2026-04-01
Publishers Clearing House NEW	anubis	Consumer Services	US	2026-04-01
Notre-Dame du Grandchamp NEW	nightspire	Education	FR	2026-04-01
Ghazi Brothers NEW	nightspire	General	PK	2026-04-01
The GMP Group NEW	nightspire	General	SG	2026-04-01
S*n otr*io NEW	nightspire	Construction	Unknown	2026-04-01
PS**E NEW	nightspire	General	Unknown	2026-04-01
epe Mai***, Inc. NEW	nightspire	General	Unknown	2026-04-01
T*** Defense NEW	nightspire	Manufacturing	Unknown	2026-04-01
A**iaon OA*A NEW	nightspire	General	Unknown	2026-04-01
Nissan NEW	everest	Manufacturing	JP	2026-04-01
Service Star Freightways	qilin	Transportation/Logistics	CA	2026-03-31
Seeing Machines	qilin	Technology	AU	2026-03-31
SERAM SpA	qilin	Manufacturing	IT	2026-03-31
Catalyst Learning Company	genesis	Education	US	2026-03-31
B&R Sheet Metal	genesis	Manufacturing	US	2026-03-31
Raphael Ortho CRITICAL SECTOR	genesis	Healthcare	US	2026-03-31
Green Giftz	genesis	General	US	2026-03-31
HMI Elements	genesis	Technology	GB	2026-03-31
MC-Rx	genesis	General	US	2026-03-31
Modern Advanced Print Solutions (MAPS, Inc.)	genesis	Manufacturing	US	2026-03-31
Secure Health CRITICAL SECTOR	genesis	Healthcare	US	2026-03-31
Xiamen Tungsten Co. (XTC)	beast	Manufacturing	CN	2026-03-31
San Felipe Del Rio CISD School	worldleaks	Education	US	2026-03-31
delapazlaw.com	incransom	General	US	2026-03-31
submissionfinance.com	incransom	Financial Services	AU	2026-03-31
Cox Design & Metal Fabrication	akira	Manufacturing	US	2026-03-31
Dean Supply	akira	Consumer Services	US	2026-03-31
Excel Healthcare Receivable Management &Consulting CRITICAL SECTOR	akira	Healthcare	Unknown	2026-03-31
IranWire	handala	General	IR	2026-03-31
https://www.lagoonpark.com/	embargo	Hospitality and Tourism	US	2026-03-31
MerchNOW	akira	Consumer Services	US	2026-03-31
Chickasaw Holding	qilin	General	Unknown	2026-03-31
Q-Lab	qilin	General	US	2026-03-31
Parque Eólico Toabré CRITICAL SECTOR	everest	Energy	PA	2026-03-31
Hallmark Cards, Inc. & Hallmark Plus	shinyhunters	Consumer Services	US	2026-03-31
CERUMO Co., Ltd	nightspire	General	JP	2026-03-31
Beltran & Garcia Financial Investment SLU	nightspire	Financial Services	ES	2026-03-31
JT-ATFP, LLC	nightspire	General	US	2026-03-31
dn Vil sb***s	nightspire	General	Unknown	2026-03-31
PT Brantas Abipraya	everest	Construction	ID	2026-03-31
domingogarcia.com	incransom	General	US	2026-03-30
millersteelelaw.com	incransom	General	US	2026-03-30
Straight Line Logistics	everest	Transportation/Logistics	AE	2026-03-30
PC SOFT FRANCE - Leaked data	coinbasecartel	Technology	FR	2026-03-30
Net Solace	coinbasecartel	Technology	US	2026-03-30
Posiflex	coinbasecartel	Technology	TW	2026-03-30
Dronena	coinbasecartel	General	ES	2026-03-30
Siveco	coinbasecartel	Technology	RO	2026-03-30
Northcroft	coinbasecartel	General	GB	2026-03-30
Silver Peak	coinbasecartel	Technology	US	2026-03-30

Global Victim Distribution (30 days)

Targeted Sectors (30 days)

Top Targeted Countries (30 days)

Country	Incidents (30d)	Share
US	22	53.7%
AU	2	4.9%
JP	2	4.9%
GB	2	4.9%
ES	2	4.9%
FR	2	4.9%
RO	1	2.4%
CN	1	2.4%
PK	1	2.4%
TW	1	2.4%
PA	1	2.4%
ID	1	2.4%
CA	1	2.4%
SG	1	2.4%
IT	1	2.4%

51 This Week

11 Today

30 Single-Day Peak (30d)

Vulnerabilities

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to versio...

CVSS: 9.1 2026-03-31

CVE-2026-30877

Unknown / Unknown

baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in t...

Medium Severity (5.0 - 8.9)

CVSS: 6.5 2026-04-01

CVE-2026-4668

Unknown / Unknown

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL ...

CVSS: 6.4 2026-04-01

CVE-2026-35057

XenForo / XenForo

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in struct...

CVSS: 6.5 2026-04-01

CVE-2026-34889

Brainstorm Force / Ultimate Addons for WPBakery Page Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i...

CVSS: 7.8 2026-04-01

CVE-2026-3775

Foxit Software Inc. / Foxit PDF Editor

The application's update service, when checking for updates, loads certain system libraries from a s...

CVSS: 7.3 2026-04-01

CVE-2026-5257

code-projects / Simple Laundry System

A vulnerability has been found in code-projects Simple Laundry System 1.0. This issue affects some u...

CVSS: 6.4 2026-04-01

CVE-2026-25601

Metronik d.o.o. / MEPIS RM

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. Th...

CVSS: 7.3 2026-04-01

CVE-2026-22767

Dell / AppSync

Dell AppSync, version(s) 4.6.0, contain(s) an UNIX Symbolic Link (Symlink) Following vulnerability. ...

CVSS: 5.5 2026-04-01

CVE-2026-3776

Foxit Software Inc. / Foxit PDF Editor

The application does not validate the presence of required appearance (AP) data before accessing sta...

CVSS: 8.8 2026-04-01

CVE-2026-35056

XenForo / XenForo

XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but mali...

CVSS: 7.8 2026-04-01

CVE-2026-3779

Foxit Software Inc. / Foxit PDF Editor

The application's list box calculate array logic keeps stale references to page or form objects afte...

CVSS: 7.3 2026-04-01

CVE-2026-5238

itsourcecode / Payroll Management System

A weakness has been identified in itsourcecode Payroll Management System 1.0. Affected by this issue...

CVSS: 7.3 2026-04-01

CVE-2026-5261

Shandong Hoteam / InforCenter PLM

A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element ...

CVSS: 7.3 2026-04-01

CVE-2026-5258

Sanster / IOPaint

A vulnerability was found in Sanster IOPaint 1.5.3. Impacted is the function _get_file of the file i...

CVSS: 6.3 2026-04-01

CVE-2026-5251

z-9527 / admin

A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file...

CVSS: 6.3 2026-04-01

CVE-2026-1879

Harvard University / IQSS Dataverse

A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown...

CVSS: 7.3 2026-04-01

CVE-2026-22768

Dell / AppSync

Dell AppSync, version(s) 4.6.0, contain(s) an Incorrect Permission Assignment for Critical Resource ...

CVSS: 6.4 2026-04-01

CVE-2026-35054

XenForo / XenForo

XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering...

CVSS: 6.1 2026-04-01

CVE-2026-35055

XenForo / XenForo

XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightb...

CVSS: 8.2 2026-04-01

CVE-2026-35091

Red Hat / Red Hat Enterprise Linux 10

A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vul...

CVSS: 7.5 2026-04-01

CVE-2026-35092

Red Hat / Red Hat Enterprise Linux 10

A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity va...

CVSS: 5.5 2026-04-01

CVE-2026-3777

Foxit Software Inc. / Foxit PDF Editor

The application does not properly validate the lifetime and validity of internal view cache pointers...

CVSS: 6.2 2026-04-01

CVE-2026-3778

Foxit Software Inc. / Foxit PDF Editor

The application does not detect or guard against cyclic PDF object references while handling JavaScr...

CVSS: 7.3 2026-04-01

CVE-2026-3780

Foxit Software Inc. / Foxit PDF Reader

The application's installer runs with elevated privileges but resolves system executables and DLLs u...

CVSS: 7.1 2026-04-01

CVE-2026-4947

Foxit Software Inc. / na1.foxitesign.foxit.com

Addressed a potential insecure direct object reference (IDOR) vulnerability in the signing invitatio...

CVSS: 6.3 2026-04-01

CVE-2026-5248

n/a / gougucms

A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file...

CVSS: 7.3 2026-04-01

CVE-2026-5256

code-projects / Simple Laundry System

A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown...

CVSS: 6.3 2026-04-01

CVE-2026-5259

AutohomeCorp / frostmourne

A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unk...

CVSS: 6.5 2026-03-31

CVE-2026-34505

Unknown / Unknown

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowi...

CVSS: 7.5 2026-03-31

CVE-2026-32988

Unknown / Unknown

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged write...

CVSS: 7.2 2026-03-31

CVE-2026-30940

Unknown / Unknown

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability ...

CVSS: 8.3 2026-03-31

CVE-2026-34504

Unknown / Unknown

OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider i...

CVSS: 7.5 2026-03-31

CVE-2026-34453

Unknown / Unknown

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service expose...

CVSS: 7.5 2026-03-31

CVE-2026-32982

Unknown / Unknown

OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia f...

CVSS: 8.1 2026-03-31

CVE-2026-34503

Unknown / Unknown

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or ...

CVSS: 6.5 2026-03-31

CVE-2026-34508

Unknown / Unknown

OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing...

CVSS: 8.1 2026-03-31

CVE-2026-33579

Unknown / Unknown

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command...

CVSS: 6.5 2026-03-31

CVE-2026-33580

Unknown / Unknown

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webho...

CVSS: 6.5 2026-03-31

CVE-2026-33581

Unknown / Unknown

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows at...

CVSS: 5.4 2026-03-31

CVE-2026-22569

Unknown / Unknown

An incorrect startup configuration of affected versions of Zscaler Client Connector on Windows may c...

CVSS: 6.5 2026-03-31

CVE-2026-33576

Unknown / Unknown

OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating se...

CVSS: 8.1 2026-03-31

CVE-2026-33577

Unknown / Unknown

Unknown / Unknown

Unknown / Unknown

go-git is an extensible git implementation library written in pure Go. Prior to ...

CVSS: 4.3 2026-03-31

CVE-2026-33578

Unknown / Unknown

Unknown / Unknown

Discourse is an open-source discussion platform. From versions 2026.1.0-latest t...

Sort by:

AWAITING CVSS

2026-04-01

CVE-2026-23409

Linux - Linux

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified. 2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state. Move to a double mark scheme where already verified states get a different mark, than the current chain being kept. This enables us to also drop the backwards verification check that was the cause of the second error as any already verified state is already marked.

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

Joomla! Project - Joomla! CMS

Lack of output escaping for article titles leads to XSS vectors in various locations.

AWAITING CVSS

2026-04-01

CVE-2026-5285

Google - Chrome

Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

CVE-2026-5290

Google - Chrome

Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

CVE-2026-4748

FreeBSD - FreeBSD

A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected. Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant. Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

CVE-2026-23410

Linux - Linux

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.

CRITICAL VENDOR

CVSS: 4.7

2026-04-01

CVE-2026-27101

Dell - Secure Connect Gateway

Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application version(s) 5.28.00.xx to 5.32.00.xx, contain(s) an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability. A high privileged attacker within the management network could potentially exploit this vulnerability, leading to remote execution.

CVSS: 4.4

2026-04-01

CVE-2026-28265

Dell - PowerStore

PowerStore, contains a Path Traversal vulnerability in the Service user. A low privileged attacker with local access could potentially exploit this vulnerability, leading to modification of arbitrary system files.

CVSS: 7.3

2026-04-01

welovemedia - FFmate

A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. Affected by this issue is some unknown functionality of the file /ui/app/components/AppJsonTreeView.vue of the component Webhook Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AWAITING CVSS

2026-04-01

CVE-2026-5273

Google - Chrome

Use after free in CSS in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

CVE-2026-5274

Google - Chrome

Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

CVE-2026-5276

Google - Chrome

Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

CRITICAL VENDOR

CVSS: 6.5

2026-04-01

CVE-2026-34889

Brainstorm Force - Ultimate Addons for WPBakery Page Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.

CVSS: 7.3

2026-04-01

CVE-2026-3779

Foxit Software Inc. - Foxit PDF Editor

The application's list box calculate array logic keeps stale references to page or form objects after they are deleted or re-created, which allows crafted documents to trigger a use-after-free when the calculation runs and can potentially lead to arbitrary code execution.

CVSS: 7.3

2026-04-01

CVE-2026-3780

Foxit Software Inc. - Foxit PDF Reader

The application's installer runs with elevated privileges but resolves system executables and DLLs using untrusted search paths that can include user-writable directories, allowing a local attacker to place malicious binaries with the same names and have them loaded or executed instead of the legitimate system files, resulting in local privilege escalation.

CVSS: 4.3

2026-04-01

CVE-2026-3831

crmperks - Database for Contact Form 7, WPforms, Elementor forms

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.

AWAITING CVSS

2026-04-01

CVE-2026-4374

RTI - Connext Professional

Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queueing Service,Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat...

CVSS: 7.1

2026-04-01

CVE-2026-4947

Foxit Software Inc. - na1.foxitesign.foxit.com

Foxit Software Inc. - Foxit PDF Editor

The application does not properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. When a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers are still kept and later dereferenced, which under crafted JavaScript and document structures can lead to a use-after-free condition and potentially allow arbitrary code execution.

CVSS: 10

2026-04-01

CVE-2026-4370

Canonical - Juju

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.

AWAITING CVSS

2026-04-01

CVE-2026-0932

M-Files Corporation - M-Files Server

Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

CVE-2026-24096

Checkmk GmbH - Checkmk

Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information

AWAITING CVSS

2026-04-01

CVE-2026-21630

Joomla! Project - Joomla! CMS

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

AWAITING CVSS

2026-04-01

CVE-2026-21631

Joomla! Project - Joomla! CMS

Lack of output escaping leads to a XSS vector in the multilingual associations component.

AWAITING CVSS

2026-04-01

CVE-2026-23406

Linux - Linux

Linux - Linux

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE Adjust KVM's sanity check against overwriting a shadow-present SPTE with a another SPTE with a different target PFN to only apply to direct MMUs, i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM to overwrite a shadow-present SPTE in response to a guest write, writes from outside the scope of KVM, e.g. from host userspace, aren't detected by KVM's write tracking and so can break KVM's shadow paging rules. ------------[ cut here ]------------ pfn != spte_to_pfn(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm] Call Trace: <TASK> ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]---

CRITICAL VENDOR

AWAITING CVSS

2026-04-01

VertiGIS - VertiGIS FM

A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.

CVSS: 7.3

2026-03-31

CVE-2026-5238

itsourcecode - Payroll Management System

A weakness has been identified in itsourcecode Payroll Management System 1.0. Affected by this issue is some unknown functionality of the file /view_employee.php of the component Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

CVSS: 4.3

2026-03-31

CVE-2026-5240

code-projects - BloodBank Managing System

A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. This affects an unknown part of the file /admin_state.php. The manipulation of the argument statename leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

Sort by:

EPSS: 36.7%

2026-03-30

CVE-2026-3055

Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.

Product: NetScaler

EPSS: 19.9%

2026-03-27

CVE-2025-53521

F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution.

Product: BIG-IP

EPSS: 21.2%

2026-03-26

CVE-2026-33634

Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

Product: Trivy

EPSS: 5.7%

2026-03-25

CVE-2026-33017

Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.

Product: Langflow

EPSS: 48.9%

2026-03-20

CVE-2025-54068

Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.

Product: Livewire

EPSS: 0.5%

2026-03-20

CVE-2025-43510

Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.

Product: Multiple Products

EPSS: 0.5%

2026-03-20

CVE-2025-43520

Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory.

Product: Multiple Products

EPSS: 87.7%

2026-03-20

CVE-2025-32432

Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.

Product: Craft CMS

EPSS: 0.3%

2026-03-20

CVE-2025-31277

Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption.

Product: Multiple Products

EPSS: 0.6%

2026-03-19

CVE-2026-20131

Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.

Product: Secure Firewall Management Center (FMC) RANSOMWARE USE

EPSS: 10.0%

2026-03-18

CVE-2025-66376

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.

Product: Zimbra Collaboration Suite (ZCS)

EPSS: 6.2%

2026-03-18

CVE-2026-20963

Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.

Product: SharePoint

EPSS: 20.4%

2026-03-16

CVE-2025-47813

Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.

Product: Wing FTP Server

EPSS: 1.5%

2026-03-13

CVE-2026-3910

Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 1.7%

2026-03-13

CVE-2026-3909

Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.

Product: Skia

EPSS: 79.2%

2026-03-11

CVE-2025-68613

n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.

Product: n8n

EPSS: 93.8%

2026-03-09

CVE-2021-22054

Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.

Product: Workspace One UEM

EPSS: 28.2%

2026-03-09

CVE-2025-26399

SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.

Product: Web Help Desk

EPSS: 65.4%

2026-03-09

CVE-2026-1603

Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.

Product: Endpoint Manager (EPM)

EPSS: 1.3%

2026-03-05

CVE-2021-30952

Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution.

Product: Multiple Products

EPSS: 94.2%

2026-03-05

CVE-2017-7921

Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.

Product: Multiple Products

EPSS: 0.2%

2026-03-05

CVE-2023-41974

Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.

Product: iOS and iPadOS

EPSS: 0.1%

2026-03-05

CVE-2023-43000

Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption.

Product: Multiple Products

EPSS: 12.9%

2026-03-05

CVE-2021-22681

Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.

Product: Multiple Products

EPSS: 2.1%

2026-03-03

CVE-2026-22719

Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.

Product: VMware Aria Operations

EPSS: 0.2%

2026-03-03

CVE-2026-21385

Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation.

Product: Multiple Chipsets

EPSS: 1.0%

2026-02-25

CVE-2026-20127

Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Product: Catalyst SD-WAN Controller and Manager

EPSS: 0.4%

2026-02-25

CVE-2022-20775

Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.

Product: SD-WAN

EPSS: 8.9%

2026-02-24

CVE-2026-25108

Soliton Systems K.K FileZen contains an OS command injection vulnerability when an user logs-in to the affected product and sends a specially crafted HTTP request.

Product: FileZen

EPSS: 6.4%

2026-02-20

CVE-2025-68461

RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.

Product: Webmail

EPSS: 91.6%

2026-02-20

CVE-2025-49113

RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

Product: Webmail

EPSS: 76.9%

2026-02-18

CVE-2021-22175

GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.

Product: GitLab

EPSS: 17.7%

2026-02-18

CVE-2026-22769

Dell RecoverPoint for Virtual Machines (RP4VMs) contains an use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence.

Product: RecoverPoint for Virtual Machines (RP4VMs)

EPSS: 80.6%

2026-02-17

CVE-2008-0015

Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Product: Windows

EPSS: 2.2%

2026-02-17

CVE-2024-7694

TeamT5 ThreatSonar Anti-Ransomware contains an unrestricted upload of file with dangerous type vulnerability. ThreatSonar Anti-Ransomware does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system commands on the server.

Product: ThreatSonar Anti-Ransomware

EPSS: 92.9%

2026-02-17

CVE-2020-7796

Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.

Product: Zimbra Collaboration Suite

EPSS: 0.2%

2026-02-17

CVE-2026-2441

Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium

EPSS: 75.6%

2026-02-13

CVE-2026-1731

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.

Product: Remote Support (RS) and Privileged Remote Access (PRA) RANSOMWARE USE

EPSS: 85.1%

2026-02-12

CVE-2024-43468

Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.

Product: Configuration Manager

EPSS: 5.3%

2026-02-12

CVE-2025-15556

Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.

Product: Notepad++

EPSS: 0.3%

2026-02-12

CVE-2026-20700

Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capability to execute arbitrary code.

Product: Multiple Products

EPSS: 67.6%

2026-02-12

CVE-2025-40536

SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.

Product: Web Help Desk

EPSS: 19.6%

2026-02-10

CVE-2026-21533

Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 12.2%

2026-02-10

CVE-2026-21525

Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally.

Product: Windows

EPSS: 2.9%

2026-02-10

CVE-2026-21510

Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.

Product: Windows

EPSS: 28.0%

2026-02-10

CVE-2026-21513

Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.

Product: Windows

EPSS: 4.7%

2026-02-10

CVE-2026-21519

Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 6.3%

2026-02-10

CVE-2026-21514

Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally.

Product: Office

EPSS: 3.4%

2026-02-05

CVE-2025-11953

React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.

Product: CLI

EPSS: 60.7%

2026-02-05

CVE-2026-24423

SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution.

Product: SmarterMail RANSOMWARE USE

EPSS: 47.9%

2026-02-03

CVE-2021-39935

GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API.

Product: Community and Enterprise Editions

EPSS: 88.8%

2026-02-03

CVE-2025-40551

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

Product: Web Help Desk

EPSS: 21.6%

2026-02-03

CVE-2019-19006

Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.

Product: FreePBX

EPSS: 85.3%

2026-02-03

CVE-2025-64328

Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user.

Product: FreePBX

EPSS: 73.4%

2026-01-29

CVE-2026-1281

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Product: Endpoint Manager Mobile (EPMM)

EPSS: 1.8%

2026-01-27

CVE-2026-24858

Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Product: Multiple Products

EPSS: 87.0%

2026-01-26

CVE-2026-24061

GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable.

Product: InetUtils

EPSS: 21.5%

2026-01-26

CVE-2018-14634

Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.

Product: Kernel

EPSS: 77.9%

2026-01-26

CVE-2026-23760

SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.

Product: SmarterMail RANSOMWARE USE

EPSS: 87.3%

2026-01-26

CVE-2025-52691

SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.

Product: SmarterMail

EPSS: 6.6%

2026-01-26

CVE-2026-21509

Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version.

Product: Office

EPSS: 82.3%

2026-01-23

CVE-2024-37079

Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution.

Product: VMware vCenter Server

EPSS: 83.3%

2026-01-22

CVE-2025-31125

Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Product: Vitejs

EPSS: 7.0%

2026-01-22

CVE-2025-54313

Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

Product: eslint-config-prettier

EPSS: 75.1%

2026-01-22

CVE-2025-34026

Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.

Product: Concerto

EPSS: 44.6%

2026-01-22

CVE-2025-68645

Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Product: Zimbra Collaboration Suite (ZCS)

EPSS: 1.3%

2026-01-21

CVE-2026-20045

Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.

Product: Unified Communications Manager

EPSS: 3.2%

2026-01-13

CVE-2026-20805

Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.

Product: Windows

EPSS: 21.1%

2026-01-12

CVE-2025-8110

Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.

Product: Gogs

EPSS: 76.4%

2026-01-07

CVE-2009-0556

Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.

Product: Office

EPSS: 85.1%

2026-01-07

CVE-2025-37164

Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.

Product: OneView

EPSS: 74.6%

2025-12-29

CVE-2025-14847

MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.

Product: MongoDB and MongoDB Server

EPSS: 73.5%

2025-12-22

CVE-2023-52163

Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi.

Product: DS-2105 Pro

EPSS: 34.5%

2025-12-19

CVE-2025-14733

WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.

Product: Firebox

EPSS: 31.8%

2025-12-17

CVE-2025-59374

ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Live Update

EPSS: 0.3%

2025-12-17

CVE-2025-40602

SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices.

Product: SMA1000 appliance

EPSS: 6.3%

2025-12-17

CVE-2025-20393

Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

Product: Multiple Products

EPSS: 6.3%

2025-12-16

CVE-2025-59718

Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.

Product: Multiple Products

EPSS: 0.1%

2025-12-15

CVE-2025-43529

Apple iOS, iPadOS, macOS, and other Apple products contain a use-after-free vulnerability in WebKit. Processing maliciously crafted web content may lead to memory corruption. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

Product: Multiple Products

EPSS: 59.1%

2025-12-15

CVE-2025-14611

Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.

Product: CentreStack and Triofox

EPSS: 0.9%

2025-12-12

CVE-2025-14174

Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium

EPSS: 0.8%

2025-12-12

CVE-2018-4063

Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: AirLink ALEOS

EPSS: 86.0%

2025-12-11

CVE-2025-58360

OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.

Product: GeoServer

EPSS: 4.8%

2025-12-09

CVE-2025-6218

RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.

Product: WinRAR

EPSS: 3.0%

2025-12-09

CVE-2025-62221

Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 3.1%

2025-12-08

CVE-2025-66644

Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.

Product: ArrayOS AG

EPSS: 69.8%

2025-12-08

CVE-2022-37055

D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Routers

EPSS: 65.1%

2025-12-05

CVE-2025-55182

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.

Product: React Server Components RANSOMWARE USE

EPSS: 80.0%

2025-12-03

CVE-2021-26828

OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

Product: ScadaBR

EPSS: 0.2%

2025-12-02

CVE-2025-48572

Android Framework contains an unspecified vulnerability that allows for privilege escalation.

Product: Framework

EPSS: 0.1%

2025-12-02

CVE-2025-48633

Android Framework contains an unspecified vulnerability that allows for information disclosure.

Product: Framework

EPSS: 6.9%

2025-11-28

CVE-2021-26829

OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.

Product: ScadaBR

EPSS: 87.8%

2025-11-21

CVE-2025-61757

Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.

Product: Fusion Middleware

EPSS: 2.5%

2025-11-19

CVE-2025-13223

Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.

Product: Chromium V8

EPSS: 50.7%

2025-11-18

CVE-2025-58034

Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Product: FortiWeb

EPSS: 88.2%

2025-11-14

CVE-2025-64446

Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Product: FortiWeb

EPSS: 75.9%

2025-11-12

CVE-2025-12480

Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.

Product: Triofox

EPSS: 69.0%

2025-11-12

CVE-2025-9242

WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.

Product: Firebox

EPSS: 0.6%

2025-11-12

CVE-2025-62215

Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.

Product: Windows

EPSS: 1.8%

2025-11-10

CVE-2025-21042

Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.

Product: Mobile Devices

EPSS: 59.1%

2025-11-04

CVE-2025-48703

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

Product: Control Web Panel

EPSS: 72.3%

2025-11-04

CVE-2025-11371

Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.

Product: CentreStack and Triofox

EPSS: 94.0%

2025-10-30

CVE-2025-24893

XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.

Product: Platform

EPSS: 0.4%

2025-10-30

CVE-2025-41244

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

Product: VMware Aria Operations and VMware Tools

EPSS: 70.2%

2025-10-28

CVE-2025-6205

Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.

Product: DELMIA Apriso

EPSS: 8.9%

2025-10-28

CVE-2025-6204

Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.

Product: DELMIA Apriso

EPSS: 71.6%

2025-10-24

CVE-2025-59287

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Product: Windows

EPSS: 59.4%

2025-10-24

CVE-2025-54236

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

Product: Commerce and Magento

EPSS: 1.6%

2025-10-22

CVE-2025-61932

Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets.

Product: LANSCOPE Endpoint Manager

EPSS: 89.4%

2025-10-20

CVE-2025-2747

Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.

Product: Xperience CMS

EPSS: 84.3%

2025-10-20

CVE-2025-2746

Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.

Product: Xperience CMS

EPSS: 0.2%

2025-10-20

CVE-2022-48503

Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Multiple Products

EPSS: 55.9%

2025-10-20

CVE-2025-61884

Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.

Product: E-Business Suite RANSOMWARE USE

EPSS: 44.1%

2025-10-20

CVE-2025-33073

Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.

Product: Windows

EPSS: 15.5%

2025-10-15

CVE-2025-54253

Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.

Product: Experience Manager (AEM) Forms

EPSS: 53.2%

2025-10-14

CVE-2016-7836

SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.

Product: Client View

EPSS: 2.5%

2025-10-14

CVE-2025-47827

IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.

Product: IGEL OS

EPSS: 3.7%

2025-10-14

CVE-2025-59230

Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 3.9%

2025-10-14

CVE-2025-24990

Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.

Product: Windows

EPSS: 94.4%

2025-10-09

CVE-2021-43798

Grafana contains a path traversal vulnerability that could allow access to local files.

Product: Grafana

EPSS: 22.9%

2025-10-07

CVE-2025-27915

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

Product: Zimbra Collaboration Suite (ZCS)

EPSS: 90.3%

2025-10-06

CVE-2011-3402

Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.

Product: Windows

EPSS: 86.9%

2025-10-06

CVE-2010-3765

Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.

Product: Multiple Products

EPSS: 87.0%

2025-10-06

CVE-2013-3918

Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Windows

EPSS: 85.2%

2025-10-06

CVE-2021-22555

Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.

Product: Kernel

EPSS: 7.3%

2025-10-06

CVE-2021-43226

Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.

Product: Windows

EPSS: 88.3%

2025-10-06

CVE-2010-3962

Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Internet Explorer

EPSS: 88.8%

2025-10-06

CVE-2025-61882

Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing.

Product: E-Business Suite RANSOMWARE USE

EPSS: 45.9%

2025-10-02

CVE-2025-4008

Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices.

Product: Meteobridge

EPSS: 90.1%

2025-10-02

CVE-2014-6278

GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.

Product: GNU Bash

EPSS: 4.9%

2025-10-02

CVE-2025-21043

Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.

Product: Mobile Devices

EPSS: 94.5%

2025-10-02

CVE-2017-1000353

Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.

Product: Jenkins

EPSS: 85.0%

2025-10-02

CVE-2015-7755

Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device.

Product: ScreenOS

EPSS: 94.2%

2025-09-29

CVE-2021-21311

Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information.

Product: Adminer

EPSS: 6.9%

2025-09-29

CVE-2025-59689

Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.

Product: Email Security Gateway

EPSS: 2.0%

2025-09-29

CVE-2025-20352

Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system.

Product: IOS and IOS XE

EPSS: 38.5%

2025-09-29

CVE-2025-32463

Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.

Product: Sudo

EPSS: 58.8%

2025-09-29

CVE-2025-10035

Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

Product: GoAnywhere MFT RANSOMWARE USE

EPSS: 18.8%

2025-09-25

CVE-2025-20333

Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.

Product: Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense

EPSS: 43.6%

2025-09-25

CVE-2025-20362

Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.

Product: Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense

EPSS: 0.7%

2025-09-23

CVE-2025-10585

Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine.

Product: Chromium V8

EPSS: 44.1%

2025-09-11

CVE-2025-5086

Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution.

Product: DELMIA Apriso

EPSS: 8.9%

2025-09-04

CVE-2025-53690

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.

Product: Multiple Products

EPSS: 0.1%

2025-09-04

CVE-2025-38352

Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability.

Product: Kernel

EPSS: 0.3%

2025-09-04

CVE-2025-48543

Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation.

Product: Runtime

EPSS: 15.6%

2025-09-03

CVE-2025-9377

TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Multiple Routers

EPSS: 1.7%

2025-09-03

CVE-2023-50224

TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: TL-WR841N

EPSS: 11.8%

2025-09-02

CVE-2020-24363

TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: TL-WA855RE

EPSS: 0.8%

2025-09-02

CVE-2025-55177

Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

Product: WhatsApp

EPSS: 68.5%

2025-08-29

CVE-2025-57819

Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.

Product: FreePBX

EPSS: 6.6%

2025-08-26

CVE-2025-7775

Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service.

Product: NetScaler

EPSS: 0.5%

2025-08-25

CVE-2025-48384

Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.

Product: Git

EPSS: 8.1%

2025-08-25

CVE-2024-8068

Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.

Product: Session Recording

EPSS: 48.3%

2025-08-25

CVE-2024-8069

Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server.

Product: Session Recording

EPSS: 0.5%

2025-08-21

CVE-2025-43300

Apple iOS, iPadOS, and macOS contain an out-of-bounds write vulnerability in the Image I/O framework.

Product: iOS, iPadOS, and macOS

EPSS: 6.9%

2025-08-18

CVE-2025-54948

Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

Product: Apex One

EPSS: 7.8%

2025-08-13

CVE-2025-8876

N-able N-Central contains a command injection vulnerability via improper sanitization of user input.

Product: N-Central

EPSS: 2.6%

2025-08-13

CVE-2025-8875

N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution.

Product: N-Central

EPSS: 81.2%

2025-08-12

CVE-2013-3893

Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Internet Explorer

EPSS: 66.8%

2025-08-12

CVE-2007-0671

Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system.

Product: Office

EPSS: 6.8%

2025-08-12

CVE-2025-8088

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.

Product: WinRAR

EPSS: 48.3%

2025-08-05

CVE-2020-25079

D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: DCS-2530L and DCS-2670L Devices

EPSS: 94.1%

2025-08-05

CVE-2020-25078

D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: DCS-2530L and DCS-2670L Devices

EPSS: 37.1%

2025-08-05

CVE-2022-40799

D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: DNR-322L

EPSS: 28.2%

2025-07-28

CVE-2025-20281

Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.

Product: Identity Services Engine

EPSS: 0.7%

2025-07-28

CVE-2025-20337

Product: Identity Services Engine

EPSS: 36.3%

2025-07-28

CVE-2023-2533

PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code.

Product: NG/MF

EPSS: 59.6%

2025-07-22

CVE-2025-49704

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.

Product: SharePoint RANSOMWARE USE

EPSS: 0.2%

2025-07-22

CVE-2025-6558

Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium

EPSS: 71.6%

2025-07-22

CVE-2025-49706

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. CVE-2025-53771 is a patch bypass for CVE-2025-49706, and the updates for CVE-2025-53771 include more robust protection than those for CVE-2025-49706.

Product: SharePoint RANSOMWARE USE

EPSS: 69.8%

2025-07-22

CVE-2025-2775

SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

Product: SysAid On-Prem

EPSS: 62.6%

2025-07-22

CVE-2025-2776

SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.

Product: SysAid On-Prem

EPSS: 74.0%

2025-07-22

CVE-2025-54309

CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.

Product: CrushFTP

EPSS: 89.9%

2025-07-20

CVE-2025-53770

Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.

Product: SharePoint RANSOMWARE USE

EPSS: 25.3%

2025-07-18

CVE-2025-25257

Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Product: FortiWeb

EPSS: 92.3%

2025-07-14

CVE-2025-47812

Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).

Product: Wing FTP Server

EPSS: 69.8%

2025-07-10

CVE-2025-5777

Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Product: NetScaler ADC and Gateway RANSOMWARE USE

EPSS: 94.1%

2025-07-07

CVE-2019-9621

Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.

Product: Zimbra Collaboration Suite (ZCS)

EPSS: 94.5%

2025-07-07

CVE-2016-10033

PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.

Product: PHPMailer

EPSS: 35.6%

2025-07-07

CVE-2014-3931

Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption.

Product: Multi-Router Looking Glass (MRLG)

EPSS: 94.3%

2025-07-07

CVE-2019-5418

Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.

Product: Ruby on Rails

EPSS: 0.9%

2025-07-02

CVE-2025-6554

Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 7.6%

2025-07-01

CVE-2025-48927

TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.

Product: TM SGNL

EPSS: 8.3%

2025-07-01

CVE-2025-48928

TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump.

Product: TM SGNL

EPSS: 2.0%

2025-06-30

CVE-2025-6543

Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Product: NetScaler ADC and Gateway

EPSS: 72.6%

2025-06-25

CVE-2019-6693

Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key.

Product: FortiOS RANSOMWARE USE

EPSS: 75.6%

2025-06-25

CVE-2024-0769

D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Product: DIR-859 Router

EPSS: 8.2%

2025-06-25

CVE-2024-54085

AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

Product: MegaRAC SPx

EPSS: 52.4%

2025-06-17

CVE-2023-0386

Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

Product: Kernel

EPSS: 91.5%

2025-06-16

CVE-2023-33538

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Multiple Routers

EPSS: 0.5%

2025-06-16

CVE-2025-43200

Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link.

Product: Multiple Products

EPSS: 93.9%

2025-06-10

CVE-2025-24016

Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.

Product: Wazuh Server

EPSS: 51.8%

2025-06-10

CVE-2025-33053

Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files.

Product: Windows

EPSS: 91.4%

2025-06-09

CVE-2024-42009

RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

Product: Webmail

EPSS: 50.3%

2025-06-09

CVE-2025-32433

Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.

Product: Erlang/OTP

EPSS: 3.3%

2025-06-05

CVE-2025-5419

Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 2.0%

2025-06-03

CVE-2025-21480

Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.

Product: Multiple Chipsets

EPSS: 0.1%

2025-06-03

CVE-2025-21479

Product: Multiple Chipsets

EPSS: 1.4%

2025-06-03

CVE-2025-27038

Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

Product: Multiple Chipsets

EPSS: 93.8%

2025-06-02

CVE-2024-56145

Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.

Product: Craft CMS

EPSS: 33.1%

2025-06-02

CVE-2025-35939

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.

Product: Craft CMS

EPSS: 42.7%

2025-06-02

CVE-2023-39780

ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.

Product: RT-AX55 Routers

EPSS: 94.2%

2025-06-02

CVE-2021-32030

ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Routers

EPSS: 15.5%

2025-06-02

CVE-2025-3935

ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.

Product: ScreenConnect

EPSS: 49.2%

2025-05-22

CVE-2025-4632

Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority.

Product: MagicINFO 9 Server

EPSS: 91.6%

2025-05-19

CVE-2025-4427

Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library.

Product: Endpoint Manager Mobile (EPMM)

EPSS: 52.0%

2025-05-19

CVE-2025-27920

Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

Product: Output Messenger

EPSS: 15.3%

2025-05-19

CVE-2024-11182

MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.

Product: Email Server

EPSS: 45.3%

2025-05-19

CVE-2025-4428

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036.

Product: Endpoint Manager Mobile (EPMM)

EPSS: 80.8%

2025-05-19

CVE-2023-38950

ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.

Product: BioTime

EPSS: 30.1%

2025-05-19

CVE-2024-27443

Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.

Product: Zimbra Collaboration Suite (ZCS)

EPSS: 79.5%

2025-05-15

CVE-2024-12987

DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.

Product: Vigor Routers

EPSS: 67.8%

2025-05-15

CVE-2025-42999

SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.

Product: NetWeaver

EPSS: 41.6%

2025-05-14

CVE-2025-32756

Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.

Product: Multiple Products

EPSS: 1.0%

2025-05-13

CVE-2025-30400

Microsoft Windows DWM Core Library contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 1.0%

2025-05-13

CVE-2025-32709

Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator.

Product: Windows

EPSS: 1.3%

2025-05-13

CVE-2025-32706

Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 2.1%

2025-05-13

CVE-2025-32701

Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 21.3%

2025-05-13

CVE-2025-30397

Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL.

Product: Windows

EPSS: 4.1%

2025-05-12

CVE-2025-47729

TeleMessage TM SGNL contains a hidden functionality vulnerability in which the archiving backend holds cleartext copies of messages from TM SGNL application users.

Product: TM SGNL

EPSS: 73.0%

2025-05-07

CVE-2024-6047

Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: Multiple Devices

EPSS: 66.1%

2025-05-07

CVE-2024-11120

Product: Multiple Devices

EPSS: 65.0%

2025-05-06

CVE-2025-27363

FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.

Product: FreeType

EPSS: 92.1%

2025-05-05

CVE-2025-3248

Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.

Product: Langflow

EPSS: 57.5%

2025-05-02

CVE-2024-58136

Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.

Product: Yii

EPSS: 63.2%

2025-05-02

CVE-2025-34028

Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.

Product: Command Center

EPSS: 93.9%

2025-05-01

CVE-2024-38475

Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

Product: HTTP Server

EPSS: 21.7%

2025-05-01

CVE-2023-44221

SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user.

Product: SMA100 Appliances

EPSS: 32.2%

2025-04-29

CVE-2025-31324

SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.

Product: NetWeaver RANSOMWARE USE

EPSS: 2.8%

2025-04-28

CVE-2025-42599

Qualitia Active! Mail contains a stack-based buffer overflow vulnerability that allows a remote, unauthenticated attacker to execute arbitrary or trigger a denial-of-service via a specially crafted request.

Product: Active! Mail

EPSS: 16.6%

2025-04-28

CVE-2025-3928

Commvault Web Server contains an unspecified vulnerability that allows a remote, authenticated attacker to create and execute webshells.

Product: Web Server

EPSS: 0.9%

2025-04-28

CVE-2025-1976

Broadcom Brocade Fabric OS contains a code injection vulnerability that allows a local user with administrative privileges to execute arbitrary code with full root privileges.

Product: Brocade Fabric OS

EPSS: 11.9%

2025-04-17

CVE-2025-24054

Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network.

Product: Windows

EPSS: 2.3%

2025-04-17

CVE-2025-31201

Apple iOS, iPadOS, macOS, and other Apple products contain an arbitrary read and write vulnerability that allows an attacker to bypass Pointer Authentication.

Product: Multiple Products

EPSS: 2.1%

2025-04-17

CVE-2025-31200

Apple iOS, iPadOS, macOS, and other Apple products contain a memory corruption vulnerability that allows for code execution when processing an audio stream in a maliciously crafted media file.

Product: Multiple Products

EPSS: 4.0%

2025-04-16

CVE-2021-20035

SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution.

Product: SMA100 Appliances

EPSS: 1.1%

2025-04-09

CVE-2024-53150

Linux Kernel contains an out-of-bounds read vulnerability in the USB-audio driver that allows a local, privileged attacker to obtain potentially sensitive information.

Product: Kernel

EPSS: 1.8%

2025-04-09

CVE-2024-53197

Linux Kernel contains an out-of-bounds access vulnerability in the USB-audio driver that allows an attacker with physical access to the system to use a malicious USB device to potentially manipulate system memory, escalate privileges, or execute arbitrary code.

Product: Kernel

EPSS: 83.4%

2025-04-08

CVE-2025-30406

Gladinet CentreStack and Triofox contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution.

Product: CentreStack

EPSS: 0.4%

2025-04-08

CVE-2025-29824

Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Product: Windows RANSOMWARE USE

EPSS: 86.2%

2025-04-07

CVE-2025-31161

CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.

Product: CrushFTP RANSOMWARE USE

EPSS: 53.7%

2025-04-04

CVE-2025-22457

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.

Product: Connect Secure, Policy Secure, and ZTA Gateways RANSOMWARE USE

EPSS: 94.2%

2025-04-01

CVE-2025-24813

Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.

Product: Tomcat

EPSS: 86.3%

2025-03-31

CVE-2024-20439

Cisco Smart Licensing Utility contains a static credential vulnerability that allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials.

Product: Smart Licensing Utility

EPSS: 39.5%

2025-03-27

CVE-2025-2783

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium Mojo

EPSS: 24.4%

2025-03-26

CVE-2019-9875

Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

Product: CMS and Experience Platform (XP)

EPSS: 79.7%

2025-03-26

CVE-2019-9874

Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

Product: CMS and Experience Platform (XP)

EPSS: 15.4%

2025-03-24

CVE-2025-30154

reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to Github Actions Workflow Logs.

Product: action-setup GitHub Action

EPSS: 85.3%

2025-03-19

CVE-2025-1316

Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Product: IC-7100 IP Camera

EPSS: 93.2%

2025-03-19

CVE-2017-12637

SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.

Product: NetWeaver

EPSS: 94.0%

2025-03-19

CVE-2024-48248

NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files.

Product: Backup and Replication

EPSS: 10.1%

2025-03-18

CVE-2025-24472

Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.

Product: FortiOS and FortiProxy RANSOMWARE USE

EPSS: 91.0%

2025-03-18

CVE-2025-30066

tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading Github Actions Workflow Logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.

Product: changed-files GitHub Action

EPSS: 0.1%

2025-03-13

CVE-2025-24201

Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

Product: Multiple Products

EPSS: 0.8%

2025-03-13

CVE-2025-21590

Juniper Junos OS contains an improper isolation or compartmentalization vulnerability. This vulnerability could allows a local attacker with high privileges to inject arbitrary code.

Product: Junos OS

EPSS: 1.5%

2025-03-11

CVE-2025-24993

Microsoft Windows New Technology File System (NTFS) contains a heap-based buffer overflow vulnerability that allows an unauthorized attacker to execute code locally.

Product: Windows

EPSS: 0.7%

2025-03-11

CVE-2025-24991

Microsoft Windows New Technology File System (NTFS) contains an out-of-bounds read vulnerability that allows an authorized attacker to disclose information locally.

Product: Windows

EPSS: 1.1%

2025-03-11

CVE-2025-24985

Microsoft Windows Fast FAT File System Driver contains an integer overflow or wraparound vulnerability that allows an unauthorized attacker to execute code locally.

Product: Windows

EPSS: 6.4%

2025-03-11

CVE-2025-26633

Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally.

Product: Windows RANSOMWARE USE

EPSS: 0.7%

2025-03-11

CVE-2025-24983

Microsoft Windows Win32 Kernel Subsystem contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Product: Windows

EPSS: 4.4%

2025-03-11

CVE-2025-24984

Microsoft Windows New Technology File System (NTFS) contains an insertion of sensitive Information into log file vulnerability that allows an unauthorized attacker to disclose information with a physical attack. An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.

Product: Windows

EPSS: 44.2%

2025-03-10

CVE-2024-57968

Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx.

Product: VeraCore

EPSS: 72.1%

2025-03-10

CVE-2025-25181

Advantive VeraCore contains a SQL injection vulnerability in timeoutWarning.asp that allows a remote attacker to execute arbitrary SQL commands via the PmSess1 parameter.

Product: VeraCore

EPSS: 94.2%

2025-03-10

CVE-2024-13159

Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

Product: Endpoint Manager (EPM)

EPSS: 93.5%

2025-03-10

CVE-2024-13160

Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

Product: Endpoint Manager (EPM)

EPSS: 92.5%

2025-03-10

CVE-2024-13161

Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

Product: Endpoint Manager (EPM)

EPSS: 52.7%

2025-03-04

CVE-2025-22224

VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

Product: ESXi and Workstation

EPSS: 1.3%

2025-03-04

CVE-2024-50302

The Linux kernel contains a use of uninitialized resource vulnerability that allows an attacker to leak kernel memory via a specially crafted HID report.

Product: Kernel

EPSS: 7.9%

2025-03-04

CVE-2025-22225

VMware ESXi contains an arbitrary write vulnerability. Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.

Product: ESXi RANSOMWARE USE

EPSS: 6.8%

2025-03-04

CVE-2025-22226

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process.

Product: ESXi, Workstation, and Fusion

EPSS: 3.9%

2025-03-03

CVE-2023-20118

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data.

Product: Small Business RV Series Routers

EPSS: 29.9%

2025-03-03

CVE-2018-8639

Microsoft Windows Win32k contains an improper resource shutdown or release vulnerability that allows for local, authenticated privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Product: Windows RANSOMWARE USE

EPSS: 94.2%

2025-03-03

CVE-2024-4885

Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.

Product: WhatsUp Gold

EPSS: 93.4%

2025-03-03

CVE-2022-43939

Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization.

Product: Pentaho Business Analytics (BA) Server

EPSS: 94.0%

2025-03-03

CVE-2022-43769

Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution.

Product: Pentaho Business Analytics (BA) Server

EPSS: 89.0%

2025-02-25

CVE-2023-34192

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Product: Zimbra Collaboration Suite (ZCS)

EPSS: 6.2%

2025-02-25

CVE-2024-49035

Microsoft Partner Center contains an improper access control vulnerability that allows an attacker to escalate privileges.

Product: Partner Center

EPSS: 93.4%

2025-02-24

CVE-2017-3066

Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution.

Product: ColdFusion

EPSS: 69.0%

2025-02-24

CVE-2024-20953

Oracle Agile Product Lifecycle Management (PLM) contains a deserialization vulnerability that allows a low-privileged attacker with network access via HTTP to compromise the system.

Product: Agile Product Lifecycle Management (PLM)

EPSS: 24.6%

2025-02-21

CVE-2025-24989

Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.

Product: Power Pages

EPSS: 19.1%

2025-02-20

CVE-2025-23209

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Product: Craft CMS

EPSS: 3.7%

2025-02-20

CVE-2025-0111

Palo Alto Networks PAN-OS contains an external control of file name or path vulnerability. Successful exploitation enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.

Product: PAN-OS

EPSS: 94.1%

2025-02-18

CVE-2025-0108

Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.

Product: PAN-OS

EPSS: 93.9%

2025-02-18

CVE-2024-53704

SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.

Product: SonicOS RANSOMWARE USE

EPSS: 94.0%

2025-02-13

CVE-2024-57727

SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may include server configuration files and hashed user passwords.

Product: SimpleHelp RANSOMWARE USE

EPSS: 19.7%

2025-02-12

CVE-2024-41710

Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot process. Successful exploitation may allow an attacker to execute arbitrary commands within the context of the system.

Product: SIP Phones

EPSS: 44.2%

2025-02-12

CVE-2025-24200

Apple iOS and iPadOS contains an incorrect authorization vulnerability that allows a physical attacker to disable USB Restricted Mode on a locked device.

Product: iOS and iPadOS

EPSS: 45.9%

2025-02-11

CVE-2024-40890

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.

Product: DSL CPE Devices

EPSS: 55.4%

2025-02-11

CVE-2024-40891

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet.

Product: DSL CPE Devices

EPSS: 5.6%

2025-02-11

CVE-2025-21391

Microsoft Windows Storage contains a link following vulnerability that could allow for privilege escalation. This vulnerability could allow an attacker to delete data including data that results in the service being unavailable.

Product: Windows

EPSS: 13.6%

2025-02-11

CVE-2025-21418

Microsoft Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Product: Windows

EPSS: 76.0%

2025-02-07

CVE-2025-0994

Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.

Product: Cityworks

EPSS: 82.6%

2025-02-06

CVE-2020-15069

Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.

Product: XG Firewall

EPSS: 11.7%

2025-02-06

CVE-2022-23748

Dante Discovery contains a process control vulnerability in mDNSResponder.exe that all allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application Library to execute arbitrary code.

Product: Dante Discovery

EPSS: 52.4%

2025-02-06

CVE-2025-0411

7-Zip contains a protection mechanism failure vulnerability that allows remote attackers to bypass the Mark-of-the-Web security feature to execute arbitrary code in the context of the current user.

Product: 7-Zip

EPSS: 8.7%

2025-02-06

CVE-2020-29574

CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely.

Product: CyberoamOS

EPSS: 93.0%

2025-02-06

CVE-2024-21413

Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.

Product: Office Outlook

EPSS: 13.9%

2025-02-05

CVE-2024-53104

Linux kernel contains an out-of-bounds write vulnerability in the uvc_parse_streaming component of the USB Video Class (UVC) driver that could allow for physical escalation of privilege.

Product: Kernel

EPSS: 84.8%

2025-02-04

CVE-2018-9276

Paessler PRTG Network Monitor contains an OS command injection vulnerability that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console.

Product: PRTG Network Monitor

EPSS: 93.0%

2025-02-04

CVE-2018-19410

Paessler PRTG Network Monitor contains a local file inclusion vulnerability that allows a remote, unauthenticated attacker to create users with read-write privileges (including administrator).

Product: PRTG Network Monitor

EPSS: 94.1%

2025-02-04

CVE-2024-45195

Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access.

Product: OFBiz

EPSS: 93.7%

2025-02-04

CVE-2024-29059

Microsoft .NET Framework contains an information disclosure vulnerability that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution.

Product: .NET Framework

EPSS: 25.2%

2025-01-29

CVE-2025-24085

Apple iOS, macOS, and other Apple products contain a user-after-free vulnerability that could allow a malicious application to elevate privileges.

Product: Multiple Products

EPSS: 61.3%

2025-01-24

CVE-2025-23006

SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) contain a deserialization of untrusted data vulnerability, which can enable a remote, unauthenticated attacker to execute arbitrary OS commands.

Product: SMA1000 Appliances RANSOMWARE USE

EPSS: 36.9%

2025-01-23

CVE-2020-11023

JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.

Product: JQuery

EPSS: 94.4%

2025-01-16

CVE-2024-50603

Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.

Product: Controllers

EPSS: 8.7%

2025-01-14

CVE-2025-21335

Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges.

Product: Windows

EPSS: 94.2%

2025-01-14

CVE-2024-55591

Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Product: FortiOS and FortiProxy RANSOMWARE USE

EPSS: 6.6%

2025-01-14

CVE-2025-21334

Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges.

Product: Windows

EPSS: 81.8%

2025-01-14

CVE-2025-21333

Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges.

Product: Windows

EPSS: 33.4%

2025-01-13

CVE-2024-12686

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.

Product: Privileged Remote Access (PRA) and Remote Support (RS)

EPSS: 62.0%

2025-01-13

CVE-2023-48365

Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

Product: Sense RANSOMWARE USE

EPSS: 94.1%

2025-01-08

CVE-2025-0282

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.

Product: Connect Secure, Policy Secure, and ZTA Gateways RANSOMWARE USE

EPSS: 13.0%

2025-01-07

CVE-2024-55550

Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated, remote attacker to read arbitrary files on the server.

Product: MiCollab RANSOMWARE USE

EPSS: 94.1%

2025-01-07

CVE-2024-41713

Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.

Product: MiCollab RANSOMWARE USE

EPSS: 94.4%

2025-01-07

CVE-2020-2883

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3.

Product: WebLogic Server

EPSS: 77.7%

2024-12-30

CVE-2024-3393

Palo Alto Networks PAN-OS contains a vulnerability in parsing and logging malicious DNS packets in the DNS Security feature that, when exploited, allows an unauthenticated attacker to remotely reboot the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

Product: PAN-OS

EPSS: 8.9%

2024-12-23

CVE-2021-44207

Acclaim Systems USAHERDS contains a hard-coded credentials vulnerability that could allow an attacker to achieve remote code execution on the system that runs the application. The MachineKey must be obtained via a separate vulnerability or other channel.

Product: USAHERDS

EPSS: 93.8%

2024-12-19

CVE-2024-12356

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user.

Product: Privileged Remote Access (PRA) and Remote Support (RS)

EPSS: 53.5%

2024-12-18

CVE-2022-23227

NUUO NVRmini2 devices contain a missing authentication vulnerability that allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users.

Product: NVRmini2 Devices

EPSS: 32.6%

2024-12-18

CVE-2021-40407

Reolink RLC-410W IP cameras contain an authenticated OS command injection vulnerability in the device network settings functionality.

Product: RLC-410W IP Camera

EPSS: 93.9%

2024-12-18

CVE-2018-14933

NUUO NVRmini devices contain an OS command injection vulnerability. This vulnerability allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

Product: NVRmini Devices

EPSS: 38.4%

2024-12-18

CVE-2019-11001

Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root.

Product: Multiple IP Cameras

EPSS: 89.1%

2024-12-17

CVE-2024-55956

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

Product: Multiple Products RANSOMWARE USE

EPSS: 56.8%

2024-12-16

CVE-2024-35250

Microsoft Windows Kernel-Mode Driver contains an untrusted pointer dereference vulnerability that allows a local attacker to escalate privileges.

Product: Windows

EPSS: 94.0%

2024-12-16

CVE-2024-20767

Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel.

Product: ColdFusion

EPSS: 94.0%

2024-12-13

CVE-2024-50623

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges.

Product: Multiple Products RANSOMWARE USE

EPSS: 85.8%

2024-12-10

CVE-2024-49138

Microsoft Windows Common Log File System (CLFS) driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges.

Product: Windows

EPSS: 93.9%

2024-12-04

CVE-2024-51378

CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.

Product: CyberPanel RANSOMWARE USE

EPSS: 21.0%

2024-12-03

CVE-2023-45727

North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity (XXE) reference vulnerability, which could allow a remote, unauthenticated attacker to conduct an XXE attack.

Product: Proself

EPSS: 93.5%

2024-12-03

CVE-2024-11680

ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Product: ProjectSend

EPSS: 35.9%

2024-12-03

CVE-2024-11667

Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL.

Product: Multiple Firewalls RANSOMWARE USE

EPSS: 89.3%

2024-11-25

CVE-2023-28461

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.

Product: AG/vxAG ArrayOS RANSOMWARE USE

EPSS: 1.2%

2024-11-21

CVE-2024-44309

Apple iOS, macOS, and other Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to a cross-site scripting (XSS) attack.

Product: Multiple Products

EPSS: 69.8%

2024-11-21

CVE-2024-21287

Oracle Agile Product Lifecycle Management (PLM) contains an incorrect authorization vulnerability in the Process Extension component of the Software Development Kit. Successful exploitation of this vulnerability may result in unauthenticated file disclosure.

Product: Agile Product Lifecycle Management (PLM)

EPSS: 1.5%

2024-11-21

CVE-2024-44308

Apple iOS, macOS, and other Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to arbitrary code execution.

Product: Multiple Products

EPSS: 77.9%

2024-11-20

CVE-2024-38812

VMware vCenter Server contains a heap-based buffer overflow vulnerability in the implementation of the DCERPC protocol. This vulnerability could allow an attacker with network access to the vCenter Server to execute remote code by sending a specially crafted packet.

Product: vCenter Server

EPSS: 29.5%

2024-11-20

CVE-2024-38813

VMware vCenter contains an improper check for dropped privileges vulnerability. This vulnerability could allow an attacker with network access to the vCenter Server to escalate privileges to root by sending a specially crafted packet.

Product: vCenter Server

EPSS: 94.3%

2024-11-18

CVE-2024-1212

Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Product: Kemp LoadMaster

EPSS: 94.3%

2024-11-18

CVE-2024-0012

Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators.

Product: PAN-OS RANSOMWARE USE

EPSS: 94.2%

2024-11-18

CVE-2024-9474

Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.

Product: PAN-OS RANSOMWARE USE

EPSS: 94.2%

2024-11-14

CVE-2024-9465

Palo Alto Networks Expedition contains a SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Product: Expedition

EPSS: 94.2%

2024-11-14

CVE-2024-9463

Palo Alto Networks Expedition contains an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Product: Expedition

EPSS: 94.4%

2024-11-12

CVE-2021-41277

Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

Product: Metabase

EPSS: 90.3%

2024-11-12

CVE-2024-43451

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a file open operation. The attacker could then leverage this hash to impersonate that user.

Product: Windows

EPSS: 63.9%

2024-11-12

CVE-2014-2120

Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.

Product: Adaptive Security Appliance (ASA)

EPSS: 94.2%

2024-11-12

CVE-2021-26086

Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.

Product: Jira Server and Data Center

EPSS: 66.4%

2024-11-12

CVE-2024-49039

Microsoft Windows Task Scheduler contains a privilege escalation vulnerability that can allow an attacker-provided, local application to escalate privileges outside of its AppContainer, and access privileged RPC functions.

Product: Windows RANSOMWARE USE

EPSS: 94.4%

2024-11-07

CVE-2019-16278

Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution.

Product: nhttpd

EPSS: 94.3%

2024-11-07

CVE-2024-51567

CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root.

Product: CyberPanel RANSOMWARE USE

EPSS: 0.2%

2024-11-07

CVE-2024-43093

Android Framework contains an unspecified vulnerability that allows for privilege escalation.

Product: Framework

EPSS: 91.0%

2024-11-07

CVE-2024-5910

Palo Alto Networks Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data.

Product: Expedition

EPSS: 83.6%

2024-11-04

CVE-2024-8956

PTZOptics PT30X-SDI/NDI cameras contain an insecure direct object reference (IDOR) vulnerability that allows a remote, attacker to bypass authentication for the /cgi-bin/param.cgi CGI script. If combined with CVE-2024-8957, this can lead to remote code execution as root.

Product: PT30X-SDI/NDI Cameras

EPSS: 55.5%

2024-11-04

CVE-2024-8957

PTZOptics PT30X-SDI/NDI cameras contain an OS command injection vulnerability that allows a remote, authenticated attacker to escalate privileges to root via a crafted payload with the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.

Product: PT30X-SDI/NDI Cameras

EPSS: 11.1%

2024-10-24

CVE-2024-20481

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service.

Product: Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

EPSS: 64.5%

2024-10-24

CVE-2024-37383

RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

Product: Webmail

EPSS: 93.8%

2024-10-23

CVE-2024-47575

Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Product: FortiManager

EPSS: 64.8%

2024-10-22

CVE-2024-38094

Microsoft SharePoint contains a deserialization vulnerability that allows for remote code execution.

Product: SharePoint RANSOMWARE USE

EPSS: 63.9%

2024-10-21

CVE-2024-9537

ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component.

Product: SL1

EPSS: 64.1%

2024-10-17

CVE-2024-40711

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Product: Backup & Replication RANSOMWARE USE

EPSS: 84.5%

2024-10-15

CVE-2024-30088

Microsoft Windows Kernel contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that could allow for privilege escalation.

Product: Windows RANSOMWARE USE

EPSS: 31.3%

2024-10-15

CVE-2024-9680

Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process.

Product: Firefox RANSOMWARE USE

EPSS: 94.3%

2024-10-15

CVE-2024-28987

SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data.

Product: Web Help Desk

EPSS: 81.7%

2024-10-09

CVE-2024-9379

Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.

Product: Cloud Services Appliance (CSA)

EPSS: 88.1%

2024-10-09

CVE-2024-9380

Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.

Product: Cloud Services Appliance (CSA)

EPSS: 58.0%

2024-10-09

CVE-2024-23113

Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Product: Multiple Products

EPSS: 17.7%

2024-10-08

CVE-2024-43573

Microsoft Windows MSHTML Platform contains an unspecified spoofing vulnerability which can lead to a loss of confidentiality.

Product: Windows

EPSS: 1.7%

2024-10-08

CVE-2024-43047

Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.

Product: Multiple Chipsets

EPSS: 42.7%

2024-10-08

CVE-2024-43572

Microsoft Windows Management Console contains unspecified vulnerability that allows for remote code execution.

Product: Windows

EPSS: 94.1%

2024-10-03

CVE-2024-45519

Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands.

Product: Zimbra Collaboration Suite (ZCS)

EPSS: 94.0%

2024-10-02

CVE-2024-29824

Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code.

Product: Endpoint Manager (EPM)

EPSS: 40.6%

2024-09-30

CVE-2019-0344

SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.

Product: Commerce Cloud

EPSS: 93.0%

2024-09-30

CVE-2020-15415

DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

Product: Multiple Vigor Routers

EPSS: 93.1%

2024-09-30

CVE-2023-25280

D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.

Product: DIR-820 Router

EPSS: 94.4%

2024-09-24

CVE-2024-7593

Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.

Product: Virtual Traffic Manager

EPSS: 94.2%

2024-09-19

CVE-2024-8963

Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.

Product: Cloud Services Appliance (CSA)

EPSS: 93.6%

2024-09-18

CVE-2020-14644

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerability to achieve remote code execution.

Product: WebLogic Server

EPSS: 92.0%

2024-09-18

CVE-2022-21445

Oracle ADF Faces library, included with Oracle JDeveloper Distribution, contains a deserialization of untrusted data vulnerability leading to unauthenticated remote code execution.

Product: ADF Faces

EPSS: 94.3%

2024-09-18

CVE-2024-27348

Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.

Product: HugeGraph-Server

EPSS: 94.3%

2024-09-18

CVE-2020-0618

Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.

Product: SQL Server

EPSS: 57.9%

2024-09-17

CVE-2013-0643

Adobe Flash Player contains an incorrect default permissions vulnerability in the Firefox sandbox that allows a remote attacker to execute arbitrary code via crafted SWF content.

Product: Flash Player

EPSS: 89.0%

2024-09-17

CVE-2014-0502

Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code.

Product: Flash Player

EPSS: 92.9%

2024-09-17

CVE-2014-0497

Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code.

Product: Flash Player

EPSS: 54.7%

2024-09-17

CVE-2013-0648

Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content.

Product: Flash Player

EPSS: 10.8%

2024-09-16

CVE-2024-43461

Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page. This vulnerability was exploited in conjunction with CVE-2024-38112.

Product: Windows

EPSS: 94.5%

2024-09-16

CVE-2024-6670

Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.

Product: WhatsUp Gold RANSOMWARE USE

EPSS: 91.9%

2024-09-13

CVE-2024-8190

Product: Cloud Services Appliance

EPSS: 1.4%

2024-09-10

CVE-2024-38226

Microsoft Publisher contains a protection mechanism failure vulnerability that allows attacker to bypass Office macro policies used to block untrusted or malicious files.

Product: Publisher

EPSS: 12.8%

2024-09-10

CVE-2024-38014

Microsoft Windows Installer contains an improper privilege management vulnerability that could allow an attacker to gain SYSTEM privileges.

Product: Windows

EPSS: 13.2%

2024-09-10

CVE-2024-38217

Microsoft Windows Mark of the Web (MOTW) contains a protection mechanism failure vulnerability that allows an attacker to bypass MOTW-based defenses. This can result in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

Product: Windows

EPSS: 3.5%

2024-09-09

CVE-2024-40766

SonicWall SonicOS contains an improper access control vulnerability that could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash.

Product: SonicOS RANSOMWARE USE

EPSS: 93.8%

2024-09-09

CVE-2016-3714

ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. This allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.

Product: ImageMagick

EPSS: 54.2%

2024-09-09

CVE-2017-1000253

Linux kernel contains a position-independent executable (PIE) stack buffer corruption vulnerability in load_elf_ binary() that allows a local attacker to escalate privileges.

Product: Kernel RANSOMWARE USE

EPSS: 12.4%

2024-09-03

CVE-2024-7262

Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.

Product: WPS Office

EPSS: 94.0%

2024-09-03

CVE-2021-20123

Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Product: VigorConnect

EPSS: 94.1%

2024-09-03

CVE-2021-20124

Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Product: VigorConnect

EPSS: 26.8%

2024-08-28

CVE-2024-7965

Google Chromium V8 contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 94.3%

2024-08-27

CVE-2024-38856

Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.

Product: OFBiz

EPSS: 1.0%

2024-08-26

CVE-2024-7971

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 4.6%

2024-08-23

CVE-2024-39717

The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.

Product: Director

EPSS: 3.3%

2024-08-21

CVE-2021-31196

Microsoft Exchange Server contains an information disclosure vulnerability that allows for remote code execution.

Product: Exchange Server

EPSS: 94.2%

2024-08-21

CVE-2021-33044

Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.

Product: IP Camera Firmware

EPSS: 94.1%

2024-08-21

CVE-2021-33045

Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.

Product: IP Camera Firmware

EPSS: 1.8%

2024-08-21

CVE-2022-0185

Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.

Product: Kernel

EPSS: 94.5%

2024-08-19

CVE-2024-23897

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.

Product: Jenkins Command Line Interface (CLI) RANSOMWARE USE

EPSS: 71.2%

2024-08-15

CVE-2024-28986

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.

Product: Web Help Desk

EPSS: 3.4%

2024-08-13

CVE-2024-38107

Microsoft Windows Power Dependency Coordinator contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to obtain SYSTEM privileges.

Product: Windows

EPSS: 43.7%

2024-08-13

CVE-2024-38189

Microsoft Project contains an unspecified vulnerability that allows for remote code execution via a malicious file.

Product: Project

EPSS: 59.3%

2024-08-13

CVE-2024-38213

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience via a malicious file.

Product: Windows

EPSS: 26.3%

2024-08-13

CVE-2024-38178

Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows unauthenticated attacker to initiate remote code execution via a specially crafted URL.

Product: Windows

EPSS: 0.8%

2024-08-13

CVE-2024-38106

Microsoft Windows Kernel contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

Product: Windows

EPSS: 75.2%

2024-08-13

CVE-2024-38193

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Product: Windows

EPSS: 94.0%

2024-08-07

CVE-2024-32113

Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.

Product: OFBiz

EPSS: 0.5%

2024-08-07

CVE-2024-36971

Android contains an unspecified vulnerability in the kernel that allows for remote code execution. This vulnerability resides in Linux Kernel and could impact other products, including but not limited to Android OS.

Product: Kernel

EPSS: 91.5%

2024-08-05

CVE-2018-0824

Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution via a specially crafted file or script.

Product: Windows

EPSS: 74.2%

2024-07-30

CVE-2024-37085

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Product: ESXi RANSOMWARE USE

EPSS: 93.3%

2024-07-29

CVE-2023-45249

Acronis Cyber Infrastructure (ACI) allows an unauthenticated user to execute commands remotely due to the use of default passwords.

Product: Cyber Infrastructure (ACI)

EPSS: 94.3%

2024-07-29

CVE-2024-4879

ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.

Product: Utah, Vancouver, and Washington DC Now Platform

EPSS: 94.1%

2024-07-29

CVE-2024-5217

ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.

Product: Utah, Vancouver, and Washington DC Now Platform

EPSS: 91.4%

2024-07-23

CVE-2012-4792

Microsoft Internet Explorer contains a use-after-free vulnerability that allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.

Product: Internet Explorer

EPSS: 29.6%

2024-07-23

CVE-2024-39891

Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.

Product: Authy

EPSS: 28.8%

2024-07-17

CVE-2022-22948

VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information.

Product: vCenter Server

EPSS: 94.4%

2024-07-17

CVE-2024-28995

SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine.

Product: Serv-U

EPSS: 94.1%

2024-07-17

CVE-2024-34102

Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution.

Product: Commerce and Magento Open Source

EPSS: 94.4%

2024-07-15

CVE-2024-36401

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.

Product: GeoServer

EPSS: 22.0%

2024-07-09

CVE-2024-38080

Microsoft Windows Hyper-V contains a privilege escalation vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges.

Product: Windows

EPSS: 94.3%

2024-07-09

CVE-2024-23692

Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.

Product: HTTP File Server

EPSS: 92.6%

2024-07-09

CVE-2024-38112

Microsoft Windows MSHTML Platform contains a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability.

Product: Windows

EPSS: 0.8%

2024-07-02

CVE-2024-20399

Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute commands as root on the underlying operating system of an affected device.

Product: NX-OS

EPSS: 71.8%

2024-06-26

CVE-2020-13965

Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.

Product: Webmail

EPSS: 93.7%

2024-06-26

CVE-2022-24816

OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.

Product: JAI-EXT

EPSS: 2.2%

2024-06-26

CVE-2022-2586

Linux Kernel contains a use-after-free vulnerability in the nft_object, allowing local attackers to escalate privileges.

Product: Kernel

EPSS: 0.2%

2024-06-13

CVE-2024-32896

Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation.

Product: Pixel

EPSS: 94.4%

2024-06-13

CVE-2024-4358

Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.

Product: Telerik Report Server

EPSS: 35.1%

2024-06-13

CVE-2024-26169

Microsoft Windows Error Reporting Service contains an improper privilege management vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges.

Product: Windows RANSOMWARE USE

EPSS: 94.4%

2024-06-12

CVE-2024-4577

PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.

Product: PHP RANSOMWARE USE

EPSS: 0.8%

2024-06-12

CVE-2024-4610

Arm Bifrost and Valhall GPU kernel drivers contain a use-after-free vulnerability that allows a local, non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

Product: Mali GPU Kernel Driver

EPSS: 94.4%

2024-06-03

CVE-2017-3506

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.

Product: WebLogic Server

EPSS: 94.3%

2024-05-30

CVE-2024-24919

Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled. This issue affects several product lines from Check Point, including CloudGuard Network, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances.

Product: Quantum Security Gateways RANSOMWARE USE

EPSS: 85.2%

2024-05-30

CVE-2024-1086

Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation.

Product: Kernel RANSOMWARE USE

EPSS: 14.1%

2024-05-29

CVE-2024-4978

Justice AV Solutions (JAVS) Viewer installer contains a malicious version of ffmpeg.exe, named fffmpeg.exe (SHA256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4). When run, this creates a backdoor connection to a malicious C2 server.

Product: Viewer

EPSS: 5.7%

2024-05-28

CVE-2024-5274

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 94.4%

2024-05-23

CVE-2020-17519

Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.

Product: Flink

EPSS: 0.4%

2024-05-20

CVE-2024-4947

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page.

Product: Chromium V8

EPSS: 94.4%

2024-05-20

CVE-2023-43208

NextGen Healthcare Mirth Connect contains a deserialization of untrusted data vulnerability that allows for unauthenticated remote code execution via a specially crafted request.

Product: Mirth Connect RANSOMWARE USE

EPSS: 92.6%

2024-05-16

CVE-2021-40655

D-Link DIR-605 routers contain an information disclosure vulnerability that allows attackers to obtain a username and password by forging a post request to the /getcfg.php page.

Product: DIR-605 Router

EPSS: 5.2%

2024-05-16

CVE-2024-4761

Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 40.8%

2024-05-16

CVE-2014-100005

D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session.

Product: DIR-600 Router

EPSS: 23.5%

2024-05-14

CVE-2024-30040

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for a security feature bypass.

Product: Windows

EPSS: 50.2%

2024-05-14

CVE-2024-30051

Microsoft DWM Core Library contains a privilege escalation vulnerability that allows an attacker to gain SYSTEM privileges.

Product: DWM Core Library RANSOMWARE USE

EPSS: 0.5%

2024-05-13

CVE-2024-4671

Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium

EPSS: 93.5%

2024-05-01

CVE-2023-7028

GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.

Product: GitLab CE/EE

EPSS: 62.8%

2024-04-30

CVE-2024-29988

Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature. This vulnerability can be chained with CVE-2023-38831 and CVE-2024-21412 to execute a malicious file.

Product: SmartScreen Prompt

EPSS: 0.2%

2024-04-24

CVE-2024-20359

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root.

Product: Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

EPSS: 94.4%

2024-04-24

CVE-2024-4040

CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).

Product: CrushFTP

EPSS: 24.4%

2024-04-24

CVE-2024-20353

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to remote denial of service condition.

Product: Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

EPSS: 5.0%

2024-04-23

CVE-2022-38028

Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions.

Product: Windows

EPSS: 94.3%

2024-04-12

CVE-2024-3400

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall.

Product: PAN-OS RANSOMWARE USE

EPSS: 94.2%

2024-04-11

CVE-2024-3272

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contains a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution.

Product: Multiple NAS Devices

EPSS: 94.4%

2024-04-11

CVE-2024-3273

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.

Product: Multiple NAS Devices

EPSS: 0.2%

2024-04-04

CVE-2024-29745

Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices.

Product: Pixel

EPSS: 0.4%

2024-04-04

CVE-2024-29748

Android Pixel contains a privilege escalation vulnerability that allows an attacker to interrupt a factory reset triggered by a device admin app.

Product: Pixel

EPSS: 91.6%

2024-03-26

CVE-2023-24955

Microsoft SharePoint Server contains a code injection vulnerability that allows an authenticated attacker with Site Owner privileges to execute code remotely.

Product: SharePoint Server RANSOMWARE USE

EPSS: 94.5%

2024-03-25

CVE-2021-44529

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).

Product: Endpoint Manager Cloud Service Appliance (EPM CSA) RANSOMWARE USE

EPSS: 94.4%

2024-03-25

CVE-2019-7256

Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution.

Product: Linear eMerge E3-Series

EPSS: 94.1%

2024-03-25

CVE-2023-48788

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Product: FortiClient EMS RANSOMWARE USE

EPSS: 93.0%

2024-03-07

CVE-2024-27198

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Product: TeamCity RANSOMWARE USE

EPSS: 0.2%

2024-03-06

CVE-2024-23296

Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

Product: Multiple Products

EPSS: 0.2%

2024-03-06

CVE-2024-23225

Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

Product: Multiple Products

EPSS: 0.7%

2024-03-05

CVE-2023-21237

Android Pixel contains a vulnerability in the Framework component, where the UI may be misleading or insufficient, providing a means to hide a foreground service notification. This could enable a local attacker to disclose sensitive information.

Product: Pixel

EPSS: 93.6%

2024-03-05

CVE-2021-36380

Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.

Product: SureLine

EPSS: 78.6%

2024-03-04

CVE-2024-21338

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys that allows a local attacker to achieve privilege escalation.

Product: Windows RANSOMWARE USE

EPSS: 30.8%

2024-02-29

CVE-2023-29360

Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Product: Streaming Service

EPSS: 94.3%

2024-02-22

CVE-2024-1709

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.

Product: ScreenConnect RANSOMWARE USE

EPSS: 6.1%

2024-02-15

CVE-2024-21410

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Product: Exchange Server

EPSS: 69.7%

2024-02-15

CVE-2020-3259

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

Product: Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) RANSOMWARE USE

EPSS: 13.2%

2024-02-13

CVE-2024-21351

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

Product: Windows

EPSS: 93.8%

2024-02-13

CVE-2024-21412

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Product: Windows RANSOMWARE USE

EPSS: 77.5%

2024-02-12

CVE-2023-43770

Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.

Product: Webmail

EPSS: 93.0%

2024-02-09

CVE-2024-21762

Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.

Product: FortiOS RANSOMWARE USE

EPSS: 63.6%

2024-02-06

CVE-2023-4762

Product: Chromium V8

EPSS: 94.3%

2024-01-31

CVE-2024-21893

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.

Product: Connect Secure, Policy Secure, and Neurons RANSOMWARE USE

EPSS: 0.2%

2024-01-31

CVE-2022-48618

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a time-of-check/time-of-use (TOCTOU) memory corruption vulnerability that allows an attacker with read and write capabilities to bypass Pointer Authentication.

Product: Multiple Products

EPSS: 94.4%

2024-01-24

CVE-2023-22527

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Product: Confluence Data Center and Server RANSOMWARE USE

EPSS: 0.6%

2024-01-23

CVE-2024-23222

Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

Product: Multiple Products

EPSS: 93.2%

2024-01-22

CVE-2023-34048

VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution.

Product: vCenter Server

EPSS: 94.4%

2024-01-18

CVE-2023-35082

Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.

Product: Endpoint Manager Mobile (EPMM) and MobileIron Core RANSOMWARE USE

EPSS: 76.5%

2024-01-17

CVE-2023-6549

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for a denial-of-service when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Product: NetScaler ADC and NetScaler Gateway

EPSS: 0.1%

2024-01-17

CVE-2024-0519

Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Product: Chromium V8

EPSS: 8.3%

2024-01-17

CVE-2023-6548

Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.

Product: NetScaler ADC and NetScaler Gateway

EPSS: 83.3%

2024-01-16

CVE-2018-15133

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).

Product: Laravel Framework

EPSS: 94.4%

2024-01-10

CVE-2023-29357

Microsoft SharePoint Server contains an unspecified vulnerability that allows an unauthenticated attacker, who has gained access to spoofed JWT authentication tokens, to use them for executing a network attack. This attack bypasses authentication, enabling the attacker to gain administrator privileges.

Product: SharePoint Server RANSOMWARE USE

EPSS: 94.4%

2024-01-10

CVE-2024-21887

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.

Product: Connect Secure and Policy Secure RANSOMWARE USE

EPSS: 94.4%

2024-01-10

CVE-2023-46805

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.

Product: Connect Secure and Policy Secure RANSOMWARE USE

EPSS: 92.6%

2024-01-08

CVE-2016-20017

D-Link DSL-2750B devices contain a command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter.

Product: DSL-2750B Devices

EPSS: 84.0%

2024-01-08

CVE-2023-27524

Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

Product: Superset

EPSS: 94.2%

2024-01-08

CVE-2023-38203

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.

Product: ColdFusion RANSOMWARE USE

EPSS: 94.5%

2024-01-08

CVE-2023-23752

Joomla! contains an improper access control vulnerability that allows unauthorized access to webservice endpoints.

Product: Joomla!

EPSS: 2.7%

2024-01-08

CVE-2023-41990

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.

Product: Multiple Products

EPSS: 93.7%

2024-01-08

CVE-2023-29300

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.

Product: ColdFusion RANSOMWARE USE

Advanced Persistent Threats (APT)

200 Tracked Actors

2 Active (OTX Matched)

43 Live OTX Pulses

2 New Today

CN Most Tracked Region

MEDIUM OTX PULSE

4/1/2026

A laughing RAT: CrystalX combines spyware; stealer; and prankware features

In March 2026, a new MaaS active campaign was discovered promoting previously unknown malware in private Telegram chats. The Trojan features an extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, a stealer, keylogger, clipper, and spyware are also available.

IOCs: 9 malware-as-a-service crystalx

MEDIUM OTX PULSE

4/1/2026

Weaponizing the Protectors: TeamPCPs Multi-Stage Supply Chain Attack on Security Infrastructure

Between late February and March 2026, threat group TeamPCP conducted a highly calculated, escalating sequence of supply chain threats. It systematically compromised widely trusted open-source security tools, including the vulnerability scanners Trivy and KICS and the popular AI gateway LiteLLM. The affected software also includes the official Python SDK of Telnyx.

IOCs: 63 teampcp canisterworm

CRITICAL OTX PULSE

3/31/2026

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

A zero-day vulnerability in the TrueConf client application, CVE-2026-3502, was exploited in a targeted campaign against government entities in Southeast Asia. The flaw allows attackers controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints. The campaign, dubbed 'TrueChaos', abused the trusted update channel to deliver malware to multiple government agencies. The attack likely involved a Chinese-nexus threat actor and utilized the Havoc post-exploitation framework. The vulnerability stems from inadequate validation in the update process, enabling malicious updates to be distributed through a centrally managed server. TrueConf has since released a fix in version 8.5.3 of their Windows client.

IOCs: 3 southeast asia havoc

LOW OTX PULSE

3/31/2026

WhatsApp malware campaign delivers VBScript and MSI backdoors

A sophisticated malware campaign targeting WhatsApp users has been observed since February 2026. The attack chain begins with malicious Visual Basic Script files sent via WhatsApp messages, which, when executed, initiate a multi-stage infection process. The malware uses renamed Windows utilities, retrieves payloads from trusted cloud services, and installs malicious MSI packages. The campaign employs social engineering, stealth techniques, and cloud-based payload hosting to establish persistence and escalate privileges on victim systems. The attackers utilize legitimate tools and trusted platforms to reduce visibility and increase the likelihood of successful execution. The final stage involves the delivery of unsigned MSI installers that enable remote access to compromised systems.

IOCs: 22 cloud-based social-engineering

HIGH OTX PULSE

3/31/2026

Supply-Chain Compromise of axios npm Package

A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's npm account, bypassing normal publishing workflows. The malicious payload performed system reconnaissance, established persistence on Windows, and provided remote access capabilities. The attack affected numerous organizations and potentially exposed sensitive credentials. Immediate mitigation steps include pinning to safe versions, removing malicious dependencies, rotating credentials, and blocking the command and control server.

IOCs: 12 remote-access-trojan credential-theft

MEDIUM OTX PULSE

3/31/2026

New widespread EvilTokens kit: device code phishing as-a-service

EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.

IOCs: 33 device code phishing token harvesting

HIGH OTX PULSE

3/31/2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat that turns compromised devices into residential proxy nodes, enabling attackers to evade detection. Originally marketed on Russian underground forums as Malware-as-a-Service, it has gained popularity due to its partnership with Lumma Stealer. Written in GoLang, GhostSocks uses SOCKS5 proxy protocol and TLS encryption to blend malicious traffic into normal network activity. It also incorporates backdoor functionality for running arbitrary commands and deploying additional payloads. Darktrace observed an increase in GhostSocks activity, detecting it alongside Lumma Stealer in customer networks. The malware's versatility in converting devices into proxy nodes while enabling covert network access illustrates how threat actors maximize the value of compromised infrastructure.

IOCs: 10 c2 infrastructure ghostsocks

LOW OTX PULSE

3/31/2026

CrySome RAT : An Advanced Persistent .NET Remote Access Trojan

CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an aggressive defense evasion module, disabling security products and blocking updates. Key capabilities include command execution, file operations, surveillance, credential theft, and hidden virtual desktop control. CrySome's modular architecture and structured packet-based protocol enable a wide range of remote operations. Its emphasis on stealth, resilience, and comprehensive system control makes it a significant threat for long-term covert access to compromised environments.

IOCs: 8 rat .net

MEDIUM OTX PULSE

3/31/2026

One Click Away: Inside a LinkedIn Phishing Attack

A sophisticated phishing campaign targeting LinkedIn users has been identified. The attack uses fake LinkedIn message notifications to lure victims into clicking on malicious links. The emails closely mimic legitimate LinkedIn communications, including spoofed display names and formatting. Upon clicking, users are redirected to a convincing but fraudulent LinkedIn login page designed to steal credentials. The phishing page uses a deceptive domain name similar to 'LinkedIn' to further trick users. This campaign demonstrates the evolving tactics of cybercriminals in exploiting human trust and curiosity. The analysis emphasizes the importance of vigilance, source verification, and caution when interacting with seemingly routine notifications.

IOCs: 3 credential theft social engineering

HIGH OTX PULSE

3/31/2026

Axios NPM Distribution Compromised in Supply Chain Attack

An unknown threat actor compromised the npm account of an axios maintainer, publishing two malicious versions of the package. These versions introduced a dependency on plain-crypto-js, a newly created malicious package. Despite quick removal, axios's widespread usage led to rapid exposure. The malicious package includes a dropper that downloads and executes platform-specific second-stage payloads, functioning as remote access trojans. These payloads can execute remote shells, inject binaries, browse directories, list processes, and perform system reconnaissance. Organizations are advised to audit their environments, remove malicious artifacts, rotate exposed credentials, investigate potential compromise paths, and monitor for suspicious activity.

IOCs: 7 npm remote access trojan

LOW OTX PULSE

3/31/2026

Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto

Operation DualScript is a sophisticated multi-stage malware campaign targeting cryptocurrency and financial activities. It utilizes Windows Scheduled Tasks, VBScript launchers, and PowerShell execution to maintain persistence while minimizing disk artifacts. The attack operates through two parallel chains: a web-based PowerShell loader deploying a cryptocurrency clipboard hijacker, and a secondary chain executing the RetroRAT implant in memory. RetroRAT monitors user activity, captures keystrokes, and tracks interactions with financial services to harvest sensitive information. The malware employs various anti-analysis techniques and establishes a command-and-control channel for remote access and data exfiltration. This campaign highlights the growing abuse of trusted system utilities and in-memory execution techniques to evade traditional detection mechanisms.

IOCs: 12 cryptocurrency retrorat

LOW OTX PULSE

3/30/2026

TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM

TeamPCP launched a sophisticated attack on the Telnyx Python SDK, publishing malicious versions 4.87.1 and 4.87.2 to PyPI. The attack represents an evolution from their previous LiteLLM campaign, incorporating WAV-based steganography, split-file code injection, and expanded platform support. The payload, activated on import, uses stealthy techniques to download and execute credential-stealing malware across Linux, macOS, and Windows systems. Key changes include the use of audio steganography to hide malicious code, improved evasion through split-file injection, and the addition of Windows support with Startup folder persistence. The attackers shifted from HTTPS to plaintext HTTP infrastructure, potentially exposing their activities to network monitoring. Organizations are advised to downgrade to the last clean version and treat affected systems as compromised.

IOCs: 7 base64 encoding pypi

MEDIUM OTX PULSE

3/30/2026

Security brief: tax scams aim to steal funds from taxpayers

Threat actors are exploiting tax season with numerous campaigns leveraging tax themes to deliver malware, remote monitoring tools, fraud attempts, and credential phishing. Over a hundred campaigns have been observed in 2026, with a notable increase in remote monitoring and management (RMM) payloads. Tactics include impersonating tax agencies, claiming expired documents, and requesting tax filing support. While primarily targeting the United States, campaigns have also been observed in Canada, Australia, Switzerland, and Japan. Notable actors include TA4922, a newly designated threat group delivering malware from the Winos4.0 ecosystem, and TA2730, focusing on credential phishing for financial institutions. Business email compromise actors are also using tax form lures to steal financial and personal data. These campaigns demonstrate the ongoing exploitation of timely and topical themes by cybercriminals to deceive users.

IOCs: 19 tax scams bec

HIGH OTX PULSE

3/28/2026

A cunning predator: How Silver Fox preys on Japanese firms this tax season

Silver Fox, a threat actor, is exploiting Japan's tax filing and organizational change season with a targeted spearphishing campaign against Japanese businesses. The group sends convincing phishing emails related to tax compliance, salary adjustments, and HR matters, tricking recipients into opening malicious links or attachments. The campaign capitalizes on the high volume of legitimate financial and HR communications during this period, increasing the risk of compromise. Silver Fox has expanded its targets from Chinese-speaking entities to Southeast Asia, Japan, and potentially North America. The group uses ValleyRAT, a remote access trojan, to gain control of compromised machines and steal sensitive information. To protect against this threat, organizations should increase vigilance, reinforce awareness about phishing attempts, and verify the authenticity of tax- and HR-themed requests.

IOCs: 79 targeted attacks valleyrat

LOW OTX PULSE

3/28/2026

Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware

A supply chain attack affecting the telnyx Python package on PyPI has been identified. Malicious versions 4.87.1 and 4.87.2 contained embedded credential-harvesting malware. The attack employs a three-stage runtime chain on Linux/macOS using audio steganography for delivery, in-memory execution of a data harvester, and encrypted exfiltration. On Windows, it drops a persistent binary in the Startup folder. The malware uses sophisticated techniques including fileless execution, hybrid encryption, and anti-forensics measures. The threat actor, TeamPCP, demonstrates high operational security and cryptographic awareness. Developers are advised to audit environments, rotate credentials, and check for indicators of compromise.

IOCs: 3 telnyx supply-chain-attack

LOW OTX PULSE

3/28/2026

BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022–2026)

This analysis examines multiple data leaks attributed to BreachForums between 2022 and 2026, focusing on distinguishing between leak publication dates and actual data timelines. The study covers four datasets associated with different domain names (.vc, .co, .hn, .bf) used by the platform. Each dataset is analyzed based on publication date, format, database structure, and the 'lastactive' field in the user table. The analysis reveals that the domain associated with a leak does not necessarily indicate the timing of the compromise, but rather the context of data collection. The article emphasizes the importance of differentiating between publication date and actual data timeline to avoid misattribution in cyber threat intelligence activities.

IOCs: 13 timeline attribution data leaks

MEDIUM OTX PULSE

3/27/2026

AI Infrastructure Supply Chain Poisoning Alert

A supply chain poisoning attack on LiteLLM, a popular AI model gateway, was detected by NSFOCUS Technology CERT. The TeamPCP group compromised the Trivy security scanning tool used in LiteLLM's release process, allowing them to publish malicious versions 1.82.7 and 1.82.8 on PyPI. These versions contained credential-stealing programs that collected sensitive data and, if a Kubernetes cluster was detected, deployed privileged Pods and implanted persistent backdoors. The attack impacted numerous dependent packages and potentially affected millions of users. The incident highlights the growing risks in AI infrastructure and the need for robust supply chain security measures.

IOCs: 6 software security supply chain attack

MEDIUM OTX PULSE

3/27/2026

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

A new phishing campaign is targeting TikTok for Business accounts using adversary-in-the-middle (AitM) techniques. The attackers employ Cloudflare Turnstile to evade detection and create convincing lookalike pages impersonating TikTok for Business or Google Careers. Victims are tricked into clicking malicious links, leading to credential theft. The campaign aims to seize control of business accounts, which can be used for malvertising and malware distribution. Multiple domains are involved in hosting the phishing pages. Additionally, a separate campaign using SVG file attachments to deliver malware has been observed in Venezuela, with potential links to BianLian ransomware activity.

IOCs: 10 aura stealer tiktok

LOW OTX PULSE

3/27/2026

Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka

A new macOS infostealer called Infiniti Stealer has been discovered, utilizing ClickFix delivery and Python/Nuitka compilation. The malware spreads through a fake CAPTCHA page, tricking users into running a command themselves. The final payload is a Python-based stealer compiled with Nuitka, making it harder to analyze and detect. The malware targets sensitive data including browser credentials, macOS Keychain entries, cryptocurrency wallets, and developer files. It employs anti-analysis techniques and exfiltrates data via HTTP POST requests. This campaign demonstrates the adaptation of Windows-based techniques to target Mac users and showcases the increasing sophistication of macOS malware.

IOCs: 4 infostealer infiniti stealer

MEDIUM OTX PULSE

3/27/2026

Inside Keitaro Abuse Part 2: One Platform, Many Threats

This analysis examines how threat actors abuse Keitaro, an advertising performance tracker, for various malicious purposes. The report covers a wide range of threats, including malware delivery, phishing, scams, and illegal content distribution. Key findings include the use of Keitaro for cloaking and traffic distribution in malvertising campaigns, spam operations leveraging Keitaro for cryptocurrency wallet draining, and the abuse of Keitaro in investment scams. The report also highlights specific threat actors and their tactics, such as domain hijacking for adult content delivery and the use of fake arrests as clickbait for investment scams. Overall, the analysis demonstrates how Keitaro's features make it attractive to cybercriminals seeking to maximize their reach with minimal effort.

IOCs: 103 rustystealer screenconnect

HIGH OTX PULSE

3/27/2026

BRUSHWORM and BRUSHLOGGER uncovered

A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER uses DLL side-loading to capture system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple testing versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.

IOCs: 7 keylogger brushworm

LOW OTX PULSE

3/27/2026

The Certificate Decoding Illusion: How Blank Grabber Stealer Hides Its Loader

BlankGrabber, a Python-based information stealer, employs sophisticated techniques to evade detection and exfiltrate sensitive data. It uses a multi-stage infection chain, starting with a batch file loader that disguises the payload as certificate data. The malware implements anti-analysis measures, including sandbox and virtualization checks. It harvests a wide range of data, including browser information, system details, and credentials from various applications. BlankGrabber utilizes Windows Management Instrumentation for system discovery, captures screenshots and webcam images, and attempts to disable Windows Defender. The malware achieves persistence through startup folder manipulation and exfiltrates data using Telegram bots and public web services.

IOCs: 5 xworm information stealer

HIGH OTX PULSE

3/27/2026

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit including EggStremeFuel backdoor, Masol RAT, and other tools. CL-STA-1049 utilized a novel Hypnosis loader to deploy FluffyGh0st RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access and exfiltrate sensitive data from government networks. The convergence of multiple threat actors indicates a complex, well-resourced operation with a common strategic objective.

IOCs: 50 cl-sta-1048 eggstremefuel

HIGH OTX PULSE

3/26/2026

EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons

EtherRAT, a Node.js-based backdoor linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses 'EtherHiding' to store C2 addresses in Ethereum smart contracts, making infrastructure resilient to takedowns. It communicates using CDN-like beaconing to blend with normal traffic. Initial access varied, including ClickFix and IT Support scams via Microsoft Teams. A SYS_INFO module performs comprehensive host fingerprinting for target selection. The malware checks for CIS languages and self-destructs if found. It collects detailed system information, including hardware, software, and network details.

IOCs: 22 sys_info module backdoor

CRITICAL OTX PULSE

3/26/2026

Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities

The Russian-aligned cyber espionage group Pawn Storm has launched a new campaign using the PRISMEX malware suite to target Ukrainian defense and Western military aid infrastructure. The campaign exploits vulnerabilities CVE-2026-21509 and CVE-2026-21513, using advanced steganography, COM hijacking, and cloud service abuse for command and control. PRISMEX components include a dropper, steganography loader, and Covenant Grunt implant. The attacks focus on compromising the Ukrainian defense supply chain, including military allies, meteorological data providers, and transport hubs. The campaign demonstrates Pawn Storm's continued aggression and ability to rapidly weaponize vulnerabilities, posing a significant threat to government and critical infrastructure entities in Central and Eastern Europe.

APT2 APT28

IOCs: 175 prismex prismexstager

HIGH OTX PULSE

3/26/2026

GlassWorm attack installs fake browser extension for surveillance

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, including cryptocurrency wallets and development credentials, installs a Remote Access Trojan (RAT), and deploys a fake Chrome extension for extensive surveillance. It uses distributed hash tables and blockchain for resilient command and control. While initially focused on developers with potential cryptocurrency assets, the stolen information could enable wider supply chain attacks. Prevention strategies include careful package management, regular extension audits, and up-to-date anti-malware solutions.

IOCs: 1 developers supply chain attack

LOW OTX PULSE

3/26/2026

The Return of the Kinsing

A Canary Intelligence team analysis revealed the resurgence of the Kinsing malware, exploiting three CVEs: CVE-2023-46604 (ActiveMQ), CVE-2023-38646 (Metabase), and CVE-2025-55182 (React2Shell). The attacks, originating from IP 212.113.98.30, converged on a shared staging host at 78.153.140.16. The malware's tactics include downloading and installing a Go-based Linux binary and a stealthy libsystem.so component. The exploitation methods involve retrieving and executing malicious scripts, leading to the installation of Kinsing's core components. This cluster of activity demonstrates how older malware families can remain relevant by exploiting new vulnerabilities without significantly changing their core binaries.

IOCs: 14 metabase activemq

LOW OTX PULSE

3/26/2026

Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework

Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework combining Loadable Kernel Modules (LKMs) and eBPF for persistence. The rootkit, developed by a Chinese-speaking threat actor, evolved through four generations, targeting kernels from CentOS 7 to Ubuntu 22.04. VoidLink employs advanced techniques like delayed initialization, runtime key rotation, and a hybrid LKM-eBPF architecture for comprehensive stealth. Notable features include an ICMP-based covert channel, process protection, and memfd-aware boot loading. Evidence suggests AI-assisted development, lowering the barrier for kernel-level rootkit creation. Detection strategies and defensive recommendations are provided to counter this emerging threat.

IOCs: 2 rootkit stealth

LOW OTX PULSE

3/25/2026

ClickFix Campaigns Targeting Windows and macOS

Insikt Group identified five distinct clusters using the ClickFix social engineering technique for initial access. These clusters impersonate various services like Intuit QuickBooks and Booking.com, demonstrating operational variance but similar core techniques. ClickFix manipulates victims into executing malicious commands within native system tools, bypassing traditional security controls. The methodology has become a standardized template for cybercriminals and APT groups. Campaigns target diverse sectors and use sophisticated obfuscation and living-off-the-land tactics. Defenders are advised to implement aggressive behavioral hardening and user awareness training to mitigate these threats.

IOCs: 141 living-off-the-land vidar

MEDIUM OTX PULSE

3/25/2026

Supply Chain Attack: Malicious PyPI Packages

TeamPCP has launched a supply chain attack targeting LiteLLM, an open-source Python library used in 36% of cloud environments. Malicious versions 1.82.7 and 1.82.8 were published on PyPI, employing sophisticated techniques for payload delivery and persistence. The compromised packages exploit Python's .pth mechanism for stealthy execution across any Python process. The malware collects sensitive data including API keys, cloud credentials, and CI/CD secrets, encrypting and exfiltrating them to attacker-controlled domains. This attack follows TeamPCP's previous compromises of Aqua Security's Trivy and Checkmarx tools, highlighting an ongoing campaign against the open-source ecosystem. The incident underscores the potential for widespread impact and the need for vigilance in software supply chain security.

IOCs: 3 cloud security supply chain attack

MEDIUM OTX PULSE

3/25/2026

Malicious PyPI Package - LiteLLM Supply Chain Compromise

A malicious supply chain attack has been discovered in the Python Package Index package litellm version 1.82.8. The compromised package contains a malicious .pth file that executes automatically when the Python interpreter starts, without requiring explicit import. This file, located in site-packages/, exfiltrates sensitive information including environment variables, SSH keys, and cloud credentials to an attacker-controlled server. The payload is double base64-encoded to evade basic static analysis. PyPI administrators have quarantined the project to limit its spread. Users are advised to check for the malicious file, rotate all potentially exposed credentials, and audit their PyPI publishing process. The attack is attributed to TeamPCP and is actively exploited in the wild.

IOCs: 3 litellm cloud credentials

MEDIUM OTX PULSE

3/25/2026

Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

On March 19, 2026, Trivy, an open-source vulnerability scanner, was compromised in a sophisticated CI/CD supply chain attack. Threat actors, identified as TeamPCP, injected credential-stealing malware into official Trivy releases, affecting the core binary and GitHub Actions. The attack exploited mutable tags and commit identity spoofing on GitHub. The malware performed extensive credential harvesting, targeting cloud providers, Kubernetes secrets, and various application credentials. Microsoft Defender provides detection and investigation capabilities for this threat. Recommended mitigations include updating to safe versions, hardening CI/CD pipelines, enforcing least privilege, protecting secrets, and leveraging attack path analysis to reduce lateral movement risks.

IOCs: 7 trivy supply chain attack

MEDIUM OTX PULSE

3/24/2026

Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions

A threat actor known as TeamPCP expanded its supply chain attack from Aqua Security's Trivy to Checkmarx's AST GitHub Action. The attack, which began on March 19, 2026, involved injecting a credential-stealing payload into CI/CD pipelines across thousands of repositories. The malicious code harvested secrets from runner memory, queried cloud metadata, and exfiltrated encrypted data to typosquat domains. The Checkmarx compromise occurred approximately four days after the initial Trivy incident, using identical techniques but targeting a different action. This cascading effect demonstrates how compromised actions can be used to harvest credentials and compromise additional dependencies. Runtime detection proved effective in identifying the attack pattern across both waves, as the underlying behavior remained consistent despite changes in the delivery mechanism.

IOCs: 3 teampcp cloud stealer ci/cd compromise

HIGH OTX PULSE

2/27/2026

Malicious Go 'crypto' Module Steals Passwords and Deploys Rekoobe Backdoor

A malicious Go module impersonating the legitimate golang.org/x/crypto has been discovered, containing a backdoor in ssh/terminal/terminal.go. This module captures passwords, exfiltrates them, and executes remote commands. The attack chain includes a Linux stager that installs an SSH key for persistence, weakens firewall settings, and deploys a Rekoobe backdoor. The campaign targets high-trust cryptography libraries and likely aims at cloud environments. The threat actor uses GitHub for staging and disguises payloads as media files. This sophisticated supply chain attack highlights the need for careful scrutiny of Go module changes and implementation of robust security measures in development workflows.

IOCs: 15 cryptography-impersonation rekoobe

HIGH OTX PULSE

2/26/2026

Disrupting the GRIDTIDE Global Cyber Espionage Campaign

A global espionage campaign targeting telecommunications and government organizations across four continents has been disrupted. The threat actor, UNC2814, is suspected to be linked to China and has been active since 2017. The campaign utilized a sophisticated backdoor called GRIDTIDE, which leveraged Google Sheets API for command and control. The attackers compromised 53 victims in 42 countries, with suspected infections in 20 more. GRIDTIDE's capabilities include executing shell commands, file transfers, and evading detection by disguising traffic as legitimate cloud API requests. The disruption involved terminating attacker-controlled cloud projects, disabling infrastructure, and revoking API access.

IOCs: 181 cyber espionage google sheets

CRITICAL OTX PULSE

2/25/2026

The Latest PlugX Variant Executed by STATICPLUGIN

In January 2026, a new variant of the PlugX malware was observed being used in targeted attacks. Analysis suggests involvement of the UNC6384 APT group, linked to Mustang Panda, targeting government agencies in Southeast Asia. The malware uses a browser updater disguise to download and execute a malicious MSI file, leading to PlugX infection. The STATICPLUGIN downloader uses a revoked code-signing certificate from a Chinese company. The PlugX variant employs DLL sideloading and shellcode execution techniques. Its configuration is encrypted using RC4 and custom encoding. C2 servers were identified as fruitbrat[.]com and 108.165.255[.]97:443. The ongoing improvements to PlugX indicate its continued use in targeted attacks by APT groups.

IOCs: 14 rc4-encryption apt

LOW OTX PULSE

2/24/2026

Developer-targeting campaign using malicious Next.js repositories

A coordinated campaign is targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack uses multiple entry points that lead to runtime retrieval and local execution of attacker-controlled JavaScript, transitioning into staged command-and-control. The campaign employs three main execution paths: Visual Studio Code workspace automation, build-time execution during application development, and server startup execution via environment variable exfiltration and dynamic remote code execution. The attack chain includes a Stage 1 C2 beacon for registration and a Stage 2 C2 controller for persistent tasking. This sophisticated approach allows attackers to blend into routine developer workflows, increasing the likelihood of code execution and potentially compromising high-value assets such as source code, environment secrets, and access to build or cloud resources.

IOCs: 0 next.js command-and-control

HIGH OTX PULSE

2/24/2026

Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences

A new Go-based remote access trojan named Moonrise has been discovered, operating without early static detection and establishing active C2 communication before vendor alerts. The RAT supports credential theft, remote command execution, persistence, and user monitoring, enabling full remote control of infected endpoints. Its capabilities include stealing passwords, executing remote commands, uploading files, capturing screens, and accessing webcams and microphones. The malware's silent operation increases business exposure, extending dwell time and raising risks of data loss and operational disruption. The attack chain involves session registration, host environment visibility, direct system interaction, credential access, active user monitoring, and privilege manipulation. Early detection strategies involve monitoring for weak signals, rapid triage with behavior confirmation, and threat hunting to prevent repeat incidents.

IOCs: 6 credential theft remote access trojan

CRITICAL OTX PULSE

2/24/2026

North Korean Lazarus Group Now Working With Medusa Ransomware

North Korean state-backed attackers are utilizing Medusa ransomware in their ongoing extortion attacks against the U.S. healthcare sector. The Symantec and Carbon Black Threat Hunter Team discovered evidence of North Korean actors employing Medusa in an attack on a Middle Eastern target and an unsuccessful attempt on a U.S. healthcare organization. Medusa, launched in 2023, operates as a ransomware-as-a-service. The Lazarus sub-group Stonefly has been a key player in North Korean ransomware attacks, using proceeds to fund espionage activities. Despite indictments and rewards, the attacks continue unabated. The current campaign employs various tools, including Comebacker, Blindingcan, ChromeStealer, and RP_Proxy. While the attacks bear similarities to previous Stonefly operations, the exact sub-group responsible remains unclear.

IOCs: 58 stonefly blindingcan

MEDIUM OTX PULSE

2/23/2026

Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer

A new campaign exploits OpenClaw skills to distribute the Atomic MacOS Stealer (AMOS). This evolution in supply chain attacks manipulates AI agentic workflows to install malware. The campaign spans multiple repositories with hundreds of malicious skills uploaded to ClawHub and SkillsMP. The infection chain begins with a seemingly harmless SKILL.md file that installs a prerequisite, leading to the download of a Mach-O universal binary. This AMOS variant steals extensive data, including credentials, browser data, cryptocurrency wallets, and various user documents. It lacks system persistence but expands its reach by exfiltrating Apple and KeePass keychains. The malware uses sophisticated encryption schemes and targets multiple browsers and cryptocurrency wallets.

IOCs: 50 amos skillsmp

CRITICAL OTX PULSE

2/23/2026

Fake Huorong security site infects users with ValleyRAT

A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website with a typosquatted domain to trick users into downloading a malicious installer. The malware uses DLL sideloading techniques to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT provides attackers with extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems but may be spreading to other threat actors due to the public leak of the ValleyRAT builder.

IOCs: 23 dll sideloading huorong security

CRITICAL OTX PULSE

2/23/2026

Operation Olalampo: Inside MuddyWater's Latest Campaign

MuddyWater APT has launched Operation Olalampo, targeting organizations in the MENA region. The campaign involves new malware variants, including a Rust backdoor called CHAR, downloaders GhostFetch and HTTP_VIP, and an advanced backdoor GhostBackDoor. Notably, the group is using Telegram bots for command-and-control, revealing insights into their post-exploitation tactics. The operation, first observed on January 26, 2026, shows tactical and technical overlaps with previous MuddyWater activities. Key discoveries include potential AI-assisted malware development and infrastructure reuse dating back to October 2025. The campaign aligns with ongoing geopolitical tensions and provides valuable information on the threat actor's evolving techniques.

IOCs: 65 ghostbackdoor ai-assisted

CRITICAL OTX PULSE

2/23/2026

Chronology of MuddyWater APT Attacks Targeting the Middle East

This report analyzes the recent activities of the MuddyWater APT group, which primarily targets organizations in the Middle East. The group employs sophisticated spear-phishing techniques, often impersonating legitimate entities and using malicious documents to gain initial access. Their attacks focus on long-term infiltration and intelligence gathering rather than immediate disruption. The report details several attack cases from 2019 to 2026, highlighting the group's evolving tactics, including the abuse of legitimate remote management tools and the use of Rust-based malware. The analysis emphasizes the importance of endpoint detection and response (EDR) solutions in identifying and mitigating these threats, as traditional perimeter-based security measures prove insufficient against such advanced persistent threats.

IOCs: 58 anydesk edr

PK DORMANT

Stealth Mango and Tangelo

This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense secto…

CN DORMANT

1937CN

1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizati…

IQ DORMANT

313 Team

313 Team is an Iraq-based threat actor that has conducted coordinated DDoS campaigns targeting multiple government servers in the …

SY DORMANT

APT-C-27

A threat actor which is ac tive since at least November 2014. This group launched long-term at tacks against organizations in the …

AKA: GoldMouse Golden RAT ATK80

PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and mili…

AKA: ANCHOR PANDA QAZTeam ALUMINUM

Targets: Other Aerospace Defense

CN DORMANT

APT15

This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage pu…

AKA: VIXEN PANDA Ke3Chang Playful Dragon Metushy

Targets: Government Administration

CN DORMANT

APT16

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attack…

AKA: SVCMONDR G0023

CN DORMANT

APT17

FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intellige…

AKA: Group 8 AURORA PANDA Hidden Lynx Tailgater Team

Targets: Defense Intelligence Technology

CN DORMANT

APT18

Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targe…

AKA: DYNAMITE PANDA TG-0416 SCANDIUM PLA Navy

Targets: Aerospace Defense Health

CN DORMANT

APT19

Adversary group targeting financial, technology, non-profit organisations.

AKA: DEEP PANDA Codoso WebMasters KungFu Kittens

Targets: Technology Finance Non-profit organisation

CN ACTIVE

APT2

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tra…

AKA: PLA Unit 61486 PUTTER PANDA MSUpdater 4HCrew

CN DORMANT

APT20

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering ho…

AKA: VIOLIN PANDA TH3Bug Crawling Taurus

CN DORMANT

APT21

AKA: HAMMER PANDA TEMP.Zhenbao NetTraveler

CN DORMANT

APT22

Suckfly is a China-based threat group that has been active since at least 2014

AKA: G0039 Suckfly BRONZE OLIVE Group 46

CN DORMANT

APT23

TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaig…

AKA: PIRATE PANDA KeyBoy Tropic Trooper BRONZE HOBART

Targets: Military Government Administration

CN DORMANT

APT24

The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly…

AKA: PITTY PANDA G0011 Temp.Pittytiger

CN DORMANT

APT26

AKA: JerseyMikes TURBINE PANDA BRONZE EXPRESS TECHNETIUM

CN DORMANT

APT27

A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.

AKA: GreedyTaotie TG-3390 EMISSARY PANDA TEMP.Hippo

Targets: Technology Government Administration

RU ACTIVE

APT28

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the …

AKA: Pawn Storm FANCY BEAR Sednit SNAKEMACKEREL

Targets: Military Government Administration

RU DORMANT

APT29

A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group …

AKA: Group 100 COZY BEAR The Dukes Minidionis

Targets: Think Tanks Government Administration

CN DORMANT

APT3

Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage …

AKA: GOTHIC PANDA TG-0110 Group 6 UPS

Targets: Political party

CN DORMANT

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT3…

AKA: G0013

CN DORMANT

APT31

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a part…

AKA: ZIRCONIUM JUDGMENT PANDA BRONZE VINEWOOD Red keres

VN DORMANT

APT32

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector com…

AKA: OceanLotus Group Ocean Lotus OceanLotus Cobalt Kitty

Targets: Dissidents Government Administration

IR DORMANT

APT33

Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess …

AKA: APT 33 Elfin MAGNALLIUM Refined Kitten

IR DORMANT

APT35

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored…

AKA: Newscaster Team Magic Hound G0059 Phosphorus

KP DORMANT

APT37

APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea.…

AKA: APT 37 Group 123 Group123 InkySquid

IR DORMANT

APT39

APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a gr…

AKA: Chafer REMIX KITTEN COBALT HICKMAN G0087

CN DORMANT

APT4

AKA: PLA Navy MAVERICK PANDA BRONZE EDISON SODIUM

CN DORMANT

Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a …

CN DORMANT

Amaranth-Dragon

Amaranth-Dragon is a previously untracked threat actor assessed to be closely linked to the China-affiliated APT 41 ecosystem, exh…

RU DORMANT

Angry Likho

Angry Likho is an APT group that has been active since 2023, primarily targeting large organizations and government agencies in Ru…

AKA: Sticky Werewolf

TW DORMANT

Anonymous64

Anonymous 64 is a group accused by China's national security ministry of attempting to gain control of web portals, outdoor electr…

AKA: Anonymous 64

CN DORMANT

Antlion

Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan.…

CN DORMANT

Aoqin Dragon

SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primari…

AKA: UNC94

IR DORMANT

AppMilad

AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is…

PS DORMANT

AridViper

AridViper is a state-sponsored APT primarily targeting military personnel, journalists, and dissidents in the Middle East, with a …

AKA: Desert Falcon Arid Viper APT-C-23 Bearded Barbie

TR DORMANT

Aslan Neferler Tim

Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has bee…

AKA: Lion Soldiers Team Phantom Turk

Targets: Government Administration News - Media

CN DORMANT

Avivore

The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that c…

TR DORMANT

Ayyıldız Tim

Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against …

AKA: Crescent and Star

Targets: Government Administration

IT DORMANT

AzzaSec

AzzaSec is a hacktivist group that originated in Italy. Known for their pro-Palestine stance, they have been involved in various c…

IR DORMANT

BANISHED KITTEN

BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. While the adversary’s most prominent activity is t…

AKA: DUNE Storm-0842 Red Sandstorm

In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulne…

CN DORMANT

BRONZE SPRING

BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intel…

AKA: UNC302

CN DORMANT

BRONZE STARLIGHT

BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group…

AKA: SLIME34 DEV-0401 Cinnamon Tempest Emperor Dragonfly

CN DORMANT

BRONZE VAPOR

BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated…

VN DORMANT

BatShadow

BatShadow is a Vietnamese threat actor that targets job seekers and digital marketing professionals through social engineering cam…

CN DORMANT

Beijing Group

AKA: SNEAKY PANDA Elderwood Elderwood Gang SIG22

PS DORMANT

BiBiGun

A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impers…

KE DORMANT

Bignosa

Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails wi…

UA DORMANT

BlackJack

Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, …

CN DORMANT

BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong…

AKA: CIRCUIT PANDA Temp.Overboard HUAPI Palmerworm

PS DORMANT

Blackatom

Recent campaigns suggest Hamas-linked actors may be advancing their TTPs to include intricate social engineering lures specially c…

CN DORMANT

Blackgear

BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released…

AKA: Topgear Comnie BLACKGEAR

PS DORMANT

Blackmeta

BLACKMETA is a pro-Palestinian hacktivist group that has claimed responsibility for a series of DDoS attacks and data breaches tar…

AKA: SN Blackmeta

CN DORMANT

Blackwood

Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operation…

IR DORMANT

BladedFeline

BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officia…

CN DORMANT

Blue Termite

Blue Termite is a group of suspected Chinese origin active in Japan.

AKA: Cloudy Omega Emdivi

IL DORMANT

Blue Tsunami

Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They …

AKA: Black Cube

IR DORMANT

Bohrium

Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle E…

AKA: Smoke Sandstorm BOHRIUM IMPERIAL KITTEN

RU DORMANT

Boulder Bear

First observed activity in December 2013.

CN DORMANT

BrazenBamboo

BrazenBamboo is a Chinese state-affiliated threat actor known for developing the LIGHTSPY, DEEPDATA, and DEEPPOST malware families…

CN DORMANT

Budminer

Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced thr…

AKA: Budminer cyberespionage group

RU DORMANT

BuhTrap

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. …

Targets: Bank Payment Finance

RU DORMANT

CIRCUS SPIDER

According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIR…

CN DORMANT

CL-STA-0048

CL-STA-0048 is a Chinese state-backed APT that targets strategic sectors in South Asia, particularly government and telecommunicat…

AKA: CL STA 0048

CN DORMANT

TN DORMANT

Corsair Jackal

AKA: TunisianCyberArmy

IR DORMANT

Cotton Sandstorm

Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, includ…

AKA: Emennet Pasargad Holy Souls MARNANBRIDGE NEPTUNIUM

IR DORMANT

Cuboid Sandstorm

Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the compa…

AKA: DEV-0228

CN DORMANT

Curious Gorge

Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in…

AKA: UNC3742

RU DORMANT

Curly COMrades

Curly COMrades is a threat actor identified by Amazon Threat Intelligence and Bitdefender, believed to operate in support of Russi…

IR DORMANT

Cutting Kitten

One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with…

AKA: ITsecTeam

UA DORMANT

Cyber Alliance

The Ukrainian Cyber Alliance is a pro-Ukraine hacktivist group formed in 2016, primarily targeting Russian entities since the inva…

IR DORMANT

Cyber Av3ngers

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching…

RU DORMANT

Cyber Berkut

IR DORMANT

Cyber Islamic Resistance

Cyber Islamic Resistance is a hacktivist collective ideologically aligned with Iran, engaging in operations such as website deface…

BY DORMANT

Cyber Partisans

The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and i…

IR DORMANT

Cyber Toufan

Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's …

IR DORMANT

Cyber fighters of Izz Ad-Din Al Qassam

AKA: Fraternal Jackal

UA DORMANT

Cyber.Anarchy.Squad

Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russian companies and infrastructure. They have carrie…

AKA: Cyber Anarchy Squad

CN DORMANT

DAGGER PANDA

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion D…

AKA: IceFog Trident RedFoxtrot Red Wendigo

Targets: Other Maritime Military

CN DORMANT

DEV-0147

DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion…

IR DORMANT

DEV-0270

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also…

AKA: Nemesis Kitten Storm-0270

RU DORMANT

DEV-0586

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups.…

AKA: Ruinous Ursa Cadet Blizzard

CN DORMANT

Dalbit

The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and de…

LB DORMANT

Dark Caracal

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of…

AKA: G0070

KR DORMANT

DarkHotel

Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advan…

AKA: DUBNIUM Fallout Team Karba Luder

SY DORMANT

Deadeye Jackal

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of S…

AKA: SyrianElectronicArmy SEA

CN DORMANT

ELOQUENT PANDA

KP DORMANT

ELUSIVE COMET

ELUSIVE COMET is a threat actor responsible for significant cryptocurrency theft through sophisticated social engineering attacks,…

RU DORMANT

ENERGETIC BEAR

A Russian group that collects intelligence on the energy industry.

AKA: BERSERK BEAR ALLANITE CASTLE DYMALLOY

Targets: Energy

CN DORMANT

Earth Alux

Earth Alux is a China-linked APT group known for conducting cyberespionage attacks across various sectors, including government, t…

CN DORMANT

Earth Baxia

Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC…

CN DORMANT

Earth Berberoka

According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websit…

AKA: GamblingPuppet

CN DORMANT

Earth Freybug

Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and finan…

CN DORMANT

Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, res…

IR DORMANT

Edalat-e Ali

Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, su…

IR DORMANT

Educated Manticore

Educated Manticore is an Iranian APT group aligned with the Islamic Revolutionary Guard Corps, primarily engaged in espionage targ…

US DORMANT

Equation Group

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophis…

AKA: Tilded Team EQGRP G0020

CN DORMANT

Evasive Panda

Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, governmen…

AKA: BRONZE HIGHLAND

RU DORMANT

EvilWeb

EvilWeb is a pro-Russian hacktivist group created in March 2024 that targets American and European entities using a hack-and-leak …

RU DORMANT

FIN1

FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified…

RU DORMANT

FIN13

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term…

AKA: TG2003 Elephant Beetle

RU DORMANT

FIN7

Groups targeting financial organizations or people with significant financial assets.

AKA: CARBON SPIDER GOLD NIAGARA Calcium ATK32

CN DORMANT

FOXY PANDA

Adversary group targeting telecommunication and technology organizations.

Targets: Technology Telecoms

RU DORMANT

Femwar02

Femwar02 is a previously unknown pro-Russian ransomware threat actor that emerged in early 2026, linked to a major cyberattack on …

IR DORMANT

Ferocious Kitten

Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in I…

CN DORMANT

Flax Typhoon

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage camp…

AKA: Ethereal Panda Storm-0919

IR DORMANT

Flying Kitten

GTG-1002

GTG-1002 is a Chinese state-sponsored APT that conducted a large-scale autonomous cyber espionage campaign targeting approximately…

RU DORMANT

Gamaredon Group

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this…

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-l…

RU DORMANT

GreedyBear

GreedyBear is a sophisticated threat actor responsible for over $1 million in cryptocurrency theft through a campaign involving 15…

TW DORMANT

GreenSpot

GreenSpot is an APT group believed to operate from Taiwan, active since at least 2007, primarily targeting government, academic, a…

AKA: PoisonVine APT-Q-20

IR DORMANT

Greenbug

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, governm…

Targets: Education Energy Investment

UA DORMANT

Groundbait

Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.

Targets: Separatists

CN DORMANT

HAFNIUM

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease research…

AKA: ATK233 G0125 Operation Exchange Marauder Red Dev 13

IN DORMANT

HAZY TIGER

The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released i…

AKA: Bitter T-APT-17 APT-C-08 Orange Yali

CN DORMANT

HURRICANE PANDA

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommu…

Targets: Technology Telecoms

PS DORMANT

Handala

Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, …

CN DORMANT

Hellsing

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States.…

ID DORMANT

INDOHAXSEC TEAM

INDOHAXSEC TEAM is an Indonesian group that claims to have developed a web-based version of WannaCry, asserting the ability to enc…

RU DORMANT

INDRIK SPIDER

INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of …

AKA: Manatee Tempest

IR DORMANT

IRIDIUM

IronHusky

IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as av…

DZ DORMANT

Jabaroot

JabaRoot is an Algerian hacker group that has targeted Moroccan government systems, successfully exfiltrating sensitive data from …

AKA: Jabaroot DZ

MA DORMANT

Kasablanka

The Kasablanka group is a cyber-criminal organization that has specifically targeted Russia between September and December 2022, u…

ES DORMANT

KelvinSecurity

KelvinSecurity is a hacker group that has been active since at least 2015. They are known for their hacktivist and black hat activ…

KP DORMANT

Kimsuky

This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espiona…

AKA: Velvet Chollima Black Banshee Thallium Operation Stolen Pencil

Targets: Research - Innovation Energy Defense

CN DORMANT

LIMINAL PANDA

LIMINAL PANDA is a China-nexus APT that targets telecommunications entities, employing custom malware and publicly available tools…

Priority Threats

Live Feed Last 24 hours

Active IOC Feed

Analyst Tools

Threat Intelligence News

Ransomware activity

nightspire

genesis

coinbasecartel

qilin

akira

everest

incransom

shinyhunters

anubis

beast

embargo

handala

worldleaks

0apt

0mega

8base

abrahams_ax

abyss

adminlocker

againstthewest

agl0bgvycg

ailock

ako

alp-001

alphalocker

alphv

apos

apt73

arcusmedia

argonauts

arkana

arvinclub

atomsilo

avaddon

avos

avoslocker

aware

aztroteam

babuk

babuk2

babyduck

benzona

bert

bianlian

blackbasta

blackbyte

blacklock

blackmatter

blacknevas

blackout

blackshadow

blackshrantac

blacksuit

blacktor

bluebox

bluelocker

bluesky

bonacigroup

bqtlock

braincipher

bravox

brotherhood

cactus

cephalus

chaos

cheers

chilelocker

chort

cicada3301

ciphbit

cipherforce

cloak

clop

contfr