Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith
Several vendors and security trackers reported high-impact vulnerabilities with exploitation risk, alongside separate social-engineering-driven breaches. Zoom disclosed a command injection issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as CVE-2026-22844 (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to Zoom version 5.2.1716.0. SmarterTools reported a critical authentication bypass in SmarterMail (CVE-2026-23760) that could allow unauthenticated attackers to reset admin passwords via the force-reset-password API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to Build 9511, resetting admin passwords, and enabling MFA.
Separately, Vite was reported as affected by an improper access control flaw (CVE-2025-31125) enabling exposure of sensitive files by bypassing server.fs.deny protections using crafted query parameters (e.g., ?inline&import or ?raw&import); the issue was noted as being exploited in the wild and added to the CISA Known Exploited Vulnerabilities catalog. SC Media also reported active exploitation of an Appsmith authentication flaw (CVE-2026-22794) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to Appsmith 1.93, which tightens Origin header validation and trusted base URL enforcement. In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (CIRO) disclosed a phishing-led breach affecting ~750,000 investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed unauthorized access via social engineering that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.
Related Entities
Vulnerabilities
Organizations
Sources
Related Stories
Zoom Windows Client Vulnerabilities Including Critical Privilege Escalation
Zoom published security advisories on March 10, 2026 addressing multiple vulnerabilities affecting Windows components, including *Zoom Workplace for Windows*, *Zoom Meeting SDK for Windows*, *Zoom Rooms for Windows*, and the *Zoom Workplace VDI Client for Windows*. The Canadian Centre for Cyber Security advisory **AV26-231** urged organizations to review Zoom’s bulletins and apply updates, noting issues spanning **external control of file name or path**, **improper privilege management**, **improper input validation**, and an **improper check** condition across the affected Windows products and versions. Reporting on the same Zoom bulletin set, one write-up highlighted four Windows-side flaws ranging from **High to Critical** severity, including a **Critical** issue in the Zoom Workplace for Windows Mail feature tracked as **CVE-2026-30903 (ZSB-26005)**, described as an *External Control of File Name or Path* weakness that could enable **unauthenticated remote privilege escalation**. The additional disclosed issues were described as **CVE-2026-30902 (ZSB-26004)** affecting Zoom Clients for Windows (*Improper Privilege Management*), **CVE-2026-30901 (ZSB-26003)** affecting Zoom Rooms for Windows (*Improper Input Validation*), and **CVE-2026-30900 (ZSB-26002)** affecting Zoom Workplace Clients for Windows (*Improper Check*), with remediation requiring upgrading to fixed releases per Zoom’s advisories.
5 days ago
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
1 weeks ago
Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV
Multiple **critical, unauthenticated remote code execution and authentication-bypass vulnerabilities** in widely deployed enterprise products were reported as **actively exploited** and, in several cases, added to CISA’s **Known Exploited Vulnerabilities (KEV)** catalog. SmarterTools *SmarterMail* is being targeted in **ransomware** activity via **CVE-2026-24423**, an unauthenticated RCE caused by missing authentication on the `ConnectToHub` API (`/api/v1/settings/sysadmin/connect-to-hub`), where an attacker-controlled server can return JSON containing a `CommandMount` value that drives arbitrary command execution; the issue affects versions prior to `v100.0.9511`. Separately, SolarWinds *Web Help Desk* is affected by **CVE-2025-40551** (CVSS 9.8), a **deserialization of untrusted data** flaw in the `AjaxProxy` component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies. In parallel, Fortinet environments using **FortiCloud SSO** face authentication-bypass risk from **CVE-2025-59718**, **CVE-2025-59719**, and **CVE-2026-24858**, which can allow an attacker with a FortiCloud account to log into organizations’ **FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb** if SSO is enabled; Kaspersky published **SIEM correlation rules** to detect related suspicious logins and admin actions. Samsung *MagicInfo 9 Server* (digital signage management) was also reported with a trio of severe flaws affecting versions prior to `21.1090.1`, including **CVE-2026-25202** (hardcoded credentials, CVSS 9.8) and **CVE-2026-25201** (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.
1 months ago