Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV
Multiple critical, unauthenticated remote code execution and authentication-bypass vulnerabilities in widely deployed enterprise products were reported as actively exploited and, in several cases, added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. SmarterTools SmarterMail is being targeted in ransomware activity via CVE-2026-24423, an unauthenticated RCE caused by missing authentication on the ConnectToHub API (/api/v1/settings/sysadmin/connect-to-hub), where an attacker-controlled server can return JSON containing a CommandMount value that drives arbitrary command execution; the issue affects versions prior to v100.0.9511. Separately, SolarWinds Web Help Desk is affected by CVE-2025-40551 (CVSS 9.8), a deserialization of untrusted data flaw in the AjaxProxy component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies.
In parallel, Fortinet environments using FortiCloud SSO face authentication-bypass risk from CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, which can allow an attacker with a FortiCloud account to log into organizations’ FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb if SSO is enabled; Kaspersky published SIEM correlation rules to detect related suspicious logins and admin actions. Samsung MagicInfo 9 Server (digital signage management) was also reported with a trio of severe flaws affecting versions prior to 21.1090.1, including CVE-2026-25202 (hardcoded credentials, CVSS 9.8) and CVE-2026-25201 (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.
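For the SmarterMail issue (CVE-2026-24423), one way to hunt access logs for requests to the ConnectToHub endpoint named above. This is an added example, not code from the article or from SmarterTools; it assumes W3C extended-format logs with a `#Fields:` header (as IIS or a reverse proxy would write), and the sample lines, IP addresses and the `admin_networks` allowlist are constructed.

```python
import ipaddress
from urllib.parse import unquote

# Endpoint named in the CVE-2026-24423 description above.
HUB_PATH = "/api/v1/settings/sysadmin/connect-to-hub"

# Constructed sample log (documentation-range IPs), not from a real incident.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-01-20 03:11:02 198.51.100.23 GET /index.html 200
2026-01-20 03:11:07 198.51.100.23 POST /api/v1/settings/sysadmin/connect-to-hub 200
2026-01-20 08:30:15 192.0.2.10 POST /api/v1/settings/sysadmin/connect-to-hub 200
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2026-01-21 02:02:40 POST /API/v1/Settings/SysAdmin/Connect-To-Hub/ 203.0.113.9 200
2026-01-21 02:03:00 GET /api/v1/other 203.0.113.9 404
"""

def normalize(path):
    """Percent-decode, lowercase and drop a trailing slash before comparing."""
    return unquote(path).lower().rstrip("/")

def is_trusted(ip, networks):
    """True if ip parses and falls inside one of the allowlisted CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in networks)

def find_hub_requests(log_text, admin_networks=()):
    """Return each request to HUB_PATH; 'review' is True when the source is not allowlisted."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if normalize(row.get("cs-uri-stem", "")) != HUB_PATH:
            continue
        row["review"] = not is_trusted(row.get("c-ip", ""), admin_networks)
        hits.append(row)
    return hits

if __name__ == "__main__":
    for hit in find_hub_requests(SAMPLE_LOG, admin_networks=["192.0.2.0/24"]):
        tag = "REVIEW" if hit["review"] else "ok"
        print(tag, hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["sc-status"])
```

Hits tagged REVIEW on a server that ran a build earlier than 9511 are the ones to follow up first.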

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
CISA warns SmarterMail flaw is exploited in ransomware attacks
CISA warned that ransomware actors are actively exploiting CVE-2026-24423 in SmarterMail and added the flaw to the KEV catalog. The agency ordered federal agencies to patch, mitigate, or discontinue use of affected systems by February 26, 2026.
Kaspersky publishes SIEM rules for FortiCloud SSO exploitation detection
Kaspersky released a downloadable SIEM correlation-rule package to help detect abuse of FortiCloud SSO authentication-bypass vulnerabilities affecting multiple Fortinet products. The guidance recommended threat hunting back to December 2025 and tuning detections for suspicious admin actions and post-login behavior.
Samsung releases MagicInfo9 Server update 21.1090.1
Samsung released version 21.1090.1 to fix three high-severity MagicInfo9 Server vulnerabilities affecting all prior versions; the fixes are present in 21.1090.1 or later. The flaws included hardcoded database credentials, unauthenticated file upload leading to RCE, and unauthenticated HTML upload leading to stored XSS and possible admin takeover.
CISA adds SolarWinds WHD flaw to KEV catalog
CISA added CVE-2025-40551, a critical SolarWinds Web Help Desk remote code execution vulnerability, to its Known Exploited Vulnerabilities catalog, citing active exploitation in the wild. The agency also set a remediation deadline for U.S. federal civilian agencies.
SmarterTools releases SmarterMail Build 9526 with additional critical fixes
After addressing CVE-2026-24423, SmarterTools released SmarterMail Build 9526 with fixes for additional critical issues. The update followed reports of exploitation of a separate authentication bypass issue that could reset the administrator password without verification.
SolarWinds releases Web Help Desk fix for CVE-2025-40551
SolarWinds released Web Help Desk version 2026.1 to address CVE-2025-40551, a critical unauthenticated deserialization flaw in the AjaxProxy component. The bug could allow remote code execution and full control of affected servers.
SmarterTools patches SmarterMail RCE flaw in Build 9511
SmarterTools fixed CVE-2026-24423, a critical unauthenticated remote code execution flaw in SmarterMail, in Build 9511. The vulnerability allowed command execution through the ConnectToHub API by redirecting the instance to a malicious HTTP server.
Sources
Ransomware attackers are exploiting critical SmarterMail vulnerability (CVE-2026-24423) - Help Net Security
helpnetsecurity.com
CISA warns of SmarterMail RCE flaw used in ransomware attacks
bleepingcomputer.com
SIEM Rules for detecting exploitation of vulnerabilities in FortiCloud SSO
kaspersky.com
Vulnerability Overview: SolarWinds CVE-2025-40551 | UpGuard
upguard.com
Signage Hijack: Samsung MagicInfo9 Flaws (CVSS 9.8) Expose Servers
securityonline.info


