Mallory

Active Exploitation of Critical Infrastructure Management RCE Flaws

Tags: vulnerabilities, RCE, exploitation, command-injection, DDoS, FortiSIEM, unauthenticated, Cisco, maximum-severity, botnet, Fortinet, HPE, weaponization, PoC, disclosure
Updated January 19, 2026 at 10:04 AM (3 sources)

Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being actively exploited, enabling unauthenticated remote code execution as root and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks.

Fortinet FortiSIEM is reported as under active attack via CVE-2024-23108, an unauthenticated command-injection issue in the phMonitor component (noted as listening on TCP 8014) that can yield full system compromise. Separately, Cisco Secure Email Gateway / Secure Email and Web Manager is reported as exploited via CVE-2024-20353 (CVSS 10.0), with activity attributed to China-linked UAT-9686 leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes RondoDox botnet-driven exploitation of HPE OneView CVE-2025-37164 at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.

Related Stories

Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV

Multiple **critical, unauthenticated remote code execution and authentication-bypass vulnerabilities** in widely deployed enterprise products were reported as **actively exploited** and, in several cases, added to CISA’s **Known Exploited Vulnerabilities (KEV)** catalog. SmarterTools *SmarterMail* is being targeted in **ransomware** activity via **CVE-2026-24423**, an unauthenticated RCE caused by missing authentication on the `ConnectToHub` API (`/api/v1/settings/sysadmin/connect-to-hub`), where an attacker-controlled server can return JSON containing a `CommandMount` value that drives arbitrary command execution; the issue affects versions prior to `v100.0.9511`. Separately, SolarWinds *Web Help Desk* is affected by **CVE-2025-40551** (CVSS 9.8), a **deserialization of untrusted data** flaw in the `AjaxProxy` component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies. In parallel, Fortinet environments using **FortiCloud SSO** face authentication-bypass risk from **CVE-2025-59718**, **CVE-2025-59719**, and **CVE-2026-24858**, which can allow an attacker with a FortiCloud account to log into organizations’ **FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb** if SSO is enabled; Kaspersky published **SIEM correlation rules** to detect related suspicious logins and admin actions. Samsung *MagicInfo 9 Server* (digital signage management) was also reported with a trio of severe flaws affecting versions prior to `21.1090.1`, including **CVE-2026-25202** (hardcoded credentials, CVSS 9.8) and **CVE-2026-25201** (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.

1 month ago
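
An added triage helper, not from the article or from SmarterTools, that applies two indicators stated above for the SmarterMail `ConnectToHub` issue: whether an installed build predates the fixed version `v100.0.9511`, and which accepted requests to `/api/v1/settings/sysadmin/connect-to-hub` arrived without credentials or from an unexpected source. It assumes a combined-format web access log with constructed sample lines; SmarterMail's own log format may differ, so the regex is an assumption to adapt.

```python
import re

# Endpoint and fixed build named in the advisory summary above.
CONNECT_TO_HUB_PATH = "/api/v1/settings/sysadmin/connect-to-hub"
FIXED_VERSION = (100, 0, 9511)  # builds prior to v100.0.9511 are affected

# Assumption: combined log format (src ident user [ts] "METHOD path proto" status size).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text: str) -> tuple:
    """Turn 'v100.0.9511' or '100.0.9500' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def is_affected_build(version: str) -> bool:
    """True when the build predates the fixed version stated in the advisory."""
    return parse_version(version) < FIXED_VERSION


def connect_to_hub_hits(lines, trusted_sources=frozenset()):
    """Every request to the ConnectToHub endpoint, with the fields needed for triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0].lower() != CONNECT_TO_HUB_PATH:
            continue
        hits.append({
            "src": m["src"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "authenticated": m["user"] != "-",   # heuristic: auth user field populated
            "trusted_source": m["src"] in trusted_sources,
        })
    return hits


def suspicious_hits(lines, trusted_sources=frozenset()):
    """Accepted (2xx) calls to the endpoint that were unauthenticated or from an untrusted source."""
    return [h for h in connect_to_hub_hits(lines, trusted_sources)
            if 200 <= h["status"] < 300
            and (not h["authenticated"] or not h["trusted_source"])]


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.45 - - [19/Jan/2026:09:12:07 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 312',
    '10.0.0.8 - admin [19/Jan/2026:09:15:00 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 312',
    '198.51.100.7 - - [19/Jan/2026:09:20:41 +0000] "GET /api/v1/settings/sysadmin/connect-to-hub?x=1 HTTP/1.1" 401 0',
    '203.0.113.45 - - [19/Jan/2026:09:21:03 +0000] "GET /login HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("affected build:", is_affected_build("v100.0.9500"))
    for hit in suspicious_hits(SAMPLE_LOG, trusted_sources={"10.0.0.8"}):
        print("suspicious:", hit)
```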
Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)

Technical details and public exploit code were released for a **critical Fortinet FortiSIEM** vulnerability, **CVE-2025-25256**, that enables a **remote, unauthenticated attacker** to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the `phMonitor` service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve **root** access. Fortinet has issued patches across affected FortiSIEM versions (reported as impacting **6.7 through 7.5**) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted `phMonitor` has been a recurring entry point for prior FortiSIEM flaws (including **CVE-2023-34992** and **CVE-2024-23108**) and warned that ransomware operators (e.g., **Black Basta**) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.

2 months ago
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)

Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.

1 month ago
