Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith
Several vendors and security trackers reported high-impact vulnerabilities with exploitation risk, alongside separate social-engineering-driven breaches. Zoom disclosed a command injection issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as CVE-2026-22844 (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to Zoom version 5.2.1716.0. SmarterTools reported a critical authentication bypass in SmarterMail (CVE-2026-23760) that could allow unauthenticated attackers to reset admin passwords via the force-reset-password API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to Build 9511, resetting admin passwords, and enabling MFA.
Separately, Vite was reported as affected by an improper access control flaw (CVE-2025-31125) enabling exposure of sensitive files by bypassing server.fs.deny protections using crafted query parameters (e.g., ?inline&import or ?raw&import); the issue was noted as being exploited in the wild and added to the CISA Known Exploited Vulnerabilities catalog. SC Media also reported active exploitation of an Appsmith authentication flaw (CVE-2026-22794) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to Appsmith 1.93, which tightens Origin header validation and trusted base URL enforcement. In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (CIRO) disclosed a phishing-led breach affecting ~750,000 investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed unauthorized access via social engineering that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Appsmith vulnerability reported as actively exploited
Reporting said threat actors were actively exploiting CVE-2026-22794, a critical Appsmith authentication flaw in the password reset process that can enable silent account takeover. Organizations were urged to upgrade to Appsmith 1.93, which adds stricter Origin header validation and trusted base URL enforcement.
Vite discloses exploited file exposure vulnerability
Vite disclosed a security incident tied to CVE-2025-31125, an improper access control flaw that can expose sensitive files by bypassing server.fs.deny restrictions with crafted query parameters. The issue was described as exploited in the wild and capable of leaking source code, configuration files, and credentials from exposed development servers.
SmarterMail authentication bypass is publicly disclosed
CVE-2026-23760 was publicly disclosed as a critical SmarterMail vulnerability affecting versions before Build 9511. Reporting noted that the flaw was already being actively exploited and was later added to CISA's Known Exploited Vulnerabilities catalog.
Zoom discloses critical Node MMR command injection issue
Zoom disclosed a security incident involving CVE-2026-22844, a command injection vulnerability in certain hybrid meeting environments affecting Node Multimedia Routers. Zoom said the issue was identified by its internal Offensive Security team and advised administrators to update to version 5.2.1716.0 and review logs for unauthorized access.
Active exploitation of SmarterMail flaw begins
Security researchers observed active exploitation of CVE-2026-23760 beginning around this date, suggesting attackers may have reverse-engineered the recent SmarterMail patch. Successful exploitation could lead to administrator compromise and remote code execution.
SmarterTools releases SmarterMail Build 9511 patch
SmarterTools released SmarterMail Build 9511 to fix CVE-2026-23760, a critical authentication bypass that could let unauthenticated attackers reset administrator passwords and gain full administrative control. The patch preceded public disclosure of the flaw by a week.
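An added example, not from the vendors or the cited sources: a small access-log triage script for two request patterns named in this story, the ?raw&import / ?inline&import parameters from the Vite entry and the force-reset-password endpoint from the SmarterMail entries. The combined log format, sample lines, IP addresses and URL paths are constructed; the page does not give the endpoint's full path, so the script matches on the name only.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target):
    """Label a request target with the pattern it matches, else None."""
    parts = urlsplit(target)
    # Normalise parameter names: lower-case, drop stray punctuation.
    keys = {re.sub(r"[^a-z0-9]", "", k.lower())
            for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if "import" in keys and keys & {"raw", "inline"}:
        return "vite-raw-or-inline-import"
    if "force-reset-password" in parts.path.lower():
        return "smartermail-force-reset-password"
    return None

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def scan(lines):
    """Return findings for matching requests; 'served' marks a 2xx response."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        # A developer's own browser can send the Vite parameters legitimately.
        if label is None or (label.startswith("vite") and is_loopback(m["ip"])):
            continue
        findings.append({"ip": m["ip"], "label": label, "target": m["target"],
                         "served": m["status"].startswith("2")})
    return findings

# Constructed sample lines (documentation IP ranges, invented paths).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /constructed/secret.txt?raw&import HTTP/1.1" 200 412',
    '127.0.0.1 - - [01/Jan/2026:10:00:01 +0000] "GET /src/logo.svg?import&inline HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2026:10:00:02 +0000] "POST /example-prefix/force-reset-password HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "GET /src/main.ts?t=17 HTTP/1.1" 200 1500',
]
print(scan(SAMPLE))
```

A match with served set to true means the server answered the request successfully; for the Vite pattern, any hit from a non-loopback client also shows the development server is reachable from outside the developer's machine.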
Sources
Critical Zoom Vulnerability (CVE-2026-22844) | UpGuard (upguard.com)
Overview of Critical SmarterMail Vulnerability (CVE-2026-23760) | UpGuard (upguard.com)
Actively Exploited Vite Vitejs Vulnerability (CVE-2025-31125) | UpGuard (upguard.com)
Account hijacking likely with actively exploited critical Appsmith vulnerability | SC Media (scworld.com)


