Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being actively exploited, enabling unauthenticated remote code execution as root and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks.
Fortinet FortiSIEM is reported as under active attack via CVE-2024-23108, an unauthenticated command-injection issue in the phMonitor component (noted as listening on TCP 8014) that can yield full system compromise. Separately, Cisco Secure Email Gateway / Secure Email and Web Manager is reported as exploited via CVE-2024-20353 (CVSS 10.0), with activity attributed to China-linked UAT-9686 leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes RondoDox botnet-driven exploitation of HPE OneView CVE-2025-37164 at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Check Point reports global targeting of HPE OneView systems
By mid-January, Check Point said the RondoDox-driven exploitation campaign was global, with the highest volume in the United States and notable activity in Australia, France, Germany, and Austria. The attacks were concentrated mainly against government organizations, financial services firms, and industrial manufacturers, with much activity traced to a single Dutch IP address.
RondoDox botnet exploitation of HPE OneView spikes globally
Check Point observed tens of thousands of automated exploit attempts against HPE OneView CVE-2025-37164, with a sharp spike on January 7. The activity was attributed to the RondoDox botnet based on a distinctive user-agent string and commands used to download malware from remote hosts.
CISA adds HPE OneView flaw to KEV catalog
CISA added CVE-2025-37164 to its catalog of known exploited vulnerabilities. Check Point later noted that a major spike in exploitation activity coincided with this listing.
HPE discloses and patches OneView CVE-2025-37164
HPE disclosed and patched CVE-2025-37164, a critical remote code execution flaw in OneView with a CVSS score of 10.0, in mid-December. The company emphasized urgency because OneView is a high-privilege enterprise management platform for servers, storage, and networking.
FortiSIEM CVE-2024-23108 comes under active exploitation
Multiple researchers and telemetry sources reported active exploitation of CVE-2024-23108 in the wild, including mass scanning, automated exploitation, and use of simple tools such as curl and netcat. Observed follow-on activity included reverse shells and deployment of cryptominers, RATs, and scripts.
Fortinet releases patches for FortiSIEM CVE-2024-23108
Fortinet released fixed versions for the critical FortiSIEM command-injection flaw CVE-2024-23108, including 6.7.8, 7.0.4, 7.1.2 and later. The vulnerability affects the phMonitor component and can allow unauthenticated command execution as root.
Exploitation of Cisco email flaw intensifies
Reporting indicates exploitation of CVE-2024-20353 increased in early 2024, with victims observing unusual outbound connections and SSH tunneling behavior. Post-compromise activity included custom malware, tunneling tools, and log tampering to support persistence, lateral movement, and data theft.
Cisco Secure Email zero-day exploitation begins
Open-source reporting says CVE-2024-20353, a critical unauthenticated RCE in Cisco Secure Email Gateway and Secure Email and Web Manager, was first observed being exploited in the wild in late 2023. The activity was later linked to a China-nexus espionage actor tracked as UAT-9686.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Critical Fortinet FortiSIEM Vulnerability CVE-2024-23108 Actively Exploited: Risks, Attack Analysis, and Mitigation Steps
rescana.com
Open sourceCritical CVE-2024-20353 Zero-Day Exploited by China-Linked APT Hits Cisco Secure Email Gateway and Secure Email and Web Manager
rescana.com
Open sourceRondoDox botnet exploits critical HPE OneView bug • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV
Multiple **critical, unauthenticated remote code execution and authentication-bypass vulnerabilities** in widely deployed enterprise products were reported as **actively exploited** and, in several cases, added to CISA’s **Known Exploited Vulnerabilities (KEV)** catalog. SmarterTools *SmarterMail* is being targeted in **ransomware** activity via **CVE-2026-24423**, an unauthenticated RCE caused by missing authentication on the `ConnectToHub` API (`/api/v1/settings/sysadmin/connect-to-hub`), where an attacker-controlled server can return JSON containing a `CommandMount` value that drives arbitrary command execution; the issue affects versions prior to `v100.0.9511`. Separately, SolarWinds *Web Help Desk* is affected by **CVE-2025-40551** (CVSS 9.8), a **deserialization of untrusted data** flaw in the `AjaxProxy` component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies. In parallel, Fortinet environments using **FortiCloud SSO** face authentication-bypass risk from **CVE-2025-59718**, **CVE-2025-59719**, and **CVE-2026-24858**, which can allow an attacker with a FortiCloud account to log into organizations’ **FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb** if SSO is enabled; Kaspersky published **SIEM correlation rules** to detect related suspicious logins and admin actions. Samsung *MagicInfo 9 Server* (digital signage management) was also reported with a trio of severe flaws affecting versions prior to `21.1090.1`, including **CVE-2026-25202** (hardcoded credentials, CVSS 9.8) and **CVE-2026-25201** (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.
Mar 21, 2026
Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)
Technical details and public exploit code were released for a **critical Fortinet FortiSIEM** vulnerability, **CVE-2025-25256**, that enables a **remote, unauthenticated attacker** to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the `phMonitor` service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve **root** access. Fortinet has issued patches across affected FortiSIEM versions (reported as impacting **6.7 through 7.5**) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted `phMonitor` has been a recurring entry point for prior FortiSIEM flaws (including **CVE-2023-34992** and **CVE-2024-23108**) and warned that ransomware operators (e.g., **Black Basta**) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.
Mar 21, 2026
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
Mar 21, 2026