On February 6, 2026, BeyondTrust released security advisory BT26-02, disclosing a critical pre-authentication Remote Code Execution (RCE) vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Assigned CVE-2026-1731 and a near-maximum CVSSv4 score of 9.9, the flaw allows unauthenticated, remote attackers to execute arbitrary operating system commands in the context of the site user by sending specially crafted requests. The vulnerability affects Remote Support (RS) versions 25.3.1 and prior, as well as Privileged Remote Access (PRA) versions 24.3.4 and prior.
While BeyondTrust automatically patched SaaS instances on February 2, 2026, self-hosted customers remain at risk until manual updates are applied. The issue was discovered by researchers at Hacktron AI using AI-enabled variant analysis; they identified approximately 8,500 on-premises instances exposed to the internet that could be susceptible to this straightforward exploitation vector.
While BeyondTrust has not reported active exploitation of CVE-2026-1731 in the wild, the platform’s immense footprint makes it a high-priority target for sophisticated adversaries. BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of the Fortune 100. This ubiquity has attracted state-sponsored actors in the past; notably, the Chinese hacking group "Silk Typhoon" weaponized previous zero-day flaws (CVE-2024-12356 and CVE-2024-12686) to breach the U.S. Treasury Department and access sensitive data related to sanctions, triggering emergency directives from CISA. Rapid7 research later revealed that the exploitation of CVE-2024-12356 actually required chaining it with a critical, then-unknown SQL injection vulnerability in an underlying PostgreSQL tool (CVE-2025-1094). Given this history of targeted attacks against such a widely used platform, these tools remain a critical attack vector that demands immediate defensive action.
Mitigation guidance
A vendor-provided patch is available to remediate CVE-2026-1731 in on-premise deployments.
BeyondTrust Remote Support (RS):
Versions 25.3.1 and prior are affected by CVE-2026-1731.
CVE-2026-1731 is fixed in 25.3.2 and later.
BeyondTrust Privileged Remote Access (PRA):
Versions 24.3.4 and prior are affected by CVE-2026-1731.
CVE-2026-1731 is fixed in 25.1.1 and later.
Please read the vendor advisory for the latest guidance.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-1731 on Remote Support and Privileged Remote Access using authenticated checks available in the Feb 9 content release.
Updates
February 11, 2026: Updated Rapid7 customers section to confirm checks were available on February 9.
We are grateful to the research team at Atredis for sharing their findings around a vulnerability (CVE-2026-1814) impacting our vulnerability management offerings (InsightVM and Nexpose). We have identified a fix that addresses this vulnerability and will be delivered via a Security Console product update with no customer action required. The update is currently being released through our normal gradual release cycle and will be rolled out to all customers by end of day Thursday, February 12.
InsightVM or Nexpose customers with automatic product updates enabled will receive and process this update when it is released. Customers who manually control their own update version can utilize the manual update process within the security console to update to version 8.36.0 when it is made available. We recommend those customers schedule this update as soon as reasonably possible.
As outlined in our policies around vulnerabilities and disclosures, Rapid7 practices and advocates for timely public disclosure of vulnerabilities across both third-party products and our own systems and solutions. This thoughtful collaboration between researchers and vendors is a critical component of a healthy cybersecurity ecosystem. Atredis exemplified how the process should work.
When Rapid7 published its analysis of the Chrysalis backdoor linked to a compromise of Notepad++ update infrastructure, it raised understandable questions from customers and security teams. The investigation showed that attackers did not exploit a flaw in the application itself. Instead, they compromised the hosting infrastructure used to deliver updates, allowing a highly targeted group to selectively distribute a previously undocumented backdoor associated with the Lotus Blossom APT.
Subsequent reporting from outlets including BleepingComputer, The Register, SecurityWeek, and The Hacker News has helped clarify the scope of the incident. What’s clear is that this was a supply chain attack against distribution infrastructure, not source code. The attackers maintained access for months, redirected update traffic selectively, and limited delivery of the Chrysalis payload to specific targets, helping them stay hidden and focused on espionage rather than mass compromise.
What does the Notepad++ incident mean?
This incident highlights how modern supply chain attacks have evolved. Rather than targeting application code, attackers abused shared hosting infrastructure and weaknesses in update verification to quietly deliver malware. The broader takeaway is that supply chain risk now extends well beyond build systems and repositories. Update mechanisms, hosting providers, and distribution paths have become attractive targets, especially when they sit outside an organization’s direct control.
Was Notepad++ itself compromised?
Based on public statements from the Notepad++ maintainer and independent reporting, there is no evidence that the application’s source code or core development process was compromised. The risk stemmed from the update delivery infrastructure, reinforcing that even trusted software can become a delivery mechanism when upstream systems are abused.
Who was behind the Chrysalis backdoor & Notepad++ attack?
Rapid7 was the first to publish attribution linking this activity to Lotus Blossom, a Chinese state-aligned advanced persistent threat (APT) group. Based on our analysis, we assess with moderate confidence that this group is responsible for the Notepad++ infrastructure compromise and the deployment of the Chrysalis backdoor.
Lotus Blossom has been active since at least 2009 and is known for long-running espionage campaigns targeting government, telecommunications, aviation, critical infrastructure, and media organiations, primarily across Southeast Asia, and more recently, Latin America.
The tactics, tooling, and infrastructure used in this campaign - including the abuse of update infrastructure, the use of selective targeting, and the deployment of custom malware, are consistent with the group’s historical tradecraft. As with any attribution, this conclusion is based on observed behaviors and intelligence correlations, not a single, definitive indicator.
What should organizations do right now?
Based on what we know today, there are several immediate actions organizations should take:
Check and update Notepad++ installations. Ensure any instances are running the latest version, which includes improved certificate and signature verification.
Review historical telemetry. Even though attacker infrastructure has been taken down, organizations should scan logs and environments going back to October 2025 for indicators of compromise associated with this campaign.
Hunt, don’t just scan. This activity was selective and low‑volume. Absence of alerts does not guarantee absence of compromise.
Use available intelligence. Rapid7 Intelligence Hub customers have access to the Chrysalis campaign intelligence, along with follow‑up indicators provided by partners such as Kaspersky, to support targeted hunting across endpoints and network telemetry.
Why does this matter beyond Notepad++?
This incident is a case study in how trust is exploited in modern environments. The attackers didn’t rely on zero days or noisy malware. They abused update workflows, hosting relationships, and assumptions about trusted software. That same approach applies across countless tools and platforms used daily inside enterprise environments.
It also reinforces a broader trend we’ve seen over the last year: attackers are patient, selective, and focused on long‑term access rather than immediate impact. That has implications for detection strategies, incident response planning, and supply chain risk management.
What does this mean for software supply chain security?
For defenders, this incident reinforces several lessons:
Supply chain security must include distribution and hosting infrastructure, not just source code.
Update mechanisms should enforce strong signature and metadata validation by default.
Shared hosting environments represent an often overlooked risk, especially for widely deployed tools.
Trust in software must be continuously validated, not assumed.
The Chrysalis incident is not just about a single tool or a single campaign. It reflects a broader shift in how advanced threat actors think about access, persistence, and trust. Software supply chains are no longer just a development concern. They are an operational and security concern that extends into hosting providers, update mechanisms, and the assumptions organizations make about what is “safe.”
As attackers continue to favor selective targeting and long‑term access over noisy, large‑scale compromise, defenders need to adapt accordingly. That means moving beyond basic scanning, validating trust continuously, and treating update and distribution infrastructure as part of the attack surface.
Learn more: Watch the full Chrysalis debrief webinar
If you’d like to hear directly from the researchers behind this discovery, watch the full Chrysalis: Inside the Supply Chain Compromise of Notepad++ webinar, now available on BrightTALK. In this detailed session, Christian Beek (Senior Director, Threat Analytics) and Steve Edwards (Director, Threat Intel & Detection Engineering) walk through the full attack chain, from initial compromise to malware behavior, attribution to Lotus Blossom, and what organizations can do right now to assess exposure and strengthen supply chain security. [Watch Now]
In 2026, security teams are still grappling with the challenges posed by expanding attack surfaces and persistent resource constraints. Together with the rapid onset of AI-driven threats, security leaders are weathering this ‘perfect storm’ by seeking consolidation of their technology stacks – favoring trusted partnerships that truly understand their unique ecosystems.
To elevate security partners from mere service providers to essential, trusted security advisors, it is vital to help customers achieve a comprehensive view of their IT environments. This includes a clear understanding of their risk profiles and a cohesive approach to continuous detection, response, and compliance, says Kelly Hiscoe, Sr. Director, Global Partner Programs & Experience.
Kelly brings to Rapid7 more than 17 years of experience in cybersecurity channel ecosystems. And after being named to CRN’s Women of the Channel list in 2020, 2024, and 2025, CRNhashonored her as a Channel Chief for 2026.
She has consistently led her teams to design competitive programs, drive operational excellence, and enhance the partner experience from the ground-up. Here’s what makes her tick, and how Kelly (and Rapid7) are thinking about the channel in 2026 and beyond.
A channel philosophy rooted in shared responsibility
Kelly’s approach to the channel is grounded in the simple belief that true success is built through shared ownership. Rather than being confined to a single team, channel success must be woven into a company’s DNA: reflected in its processes, tools, and most importantly, how sales teams consistently engage with partners.
For Kelly, this means a company-wide commitment to engaging and collaborating with partners, in a way that, at its heart, exists to help customers achieve their goals. That’s what “Channel-first” means, and what Rapid7 aims to reflect.
Refreshing Rapid7’s partner ecosystem
In February 2025, Rapid7 launched its reimagined PACT Partner Program, and Kelly led the global team responsible for that launch. The revamped program was designed to equip partners with the tools, training, and resources needed to address evolving global security challenges together.
Key enhancements included a modernized Partner Portal that enables real-time collaboration and automation, as well as tailored engagement programs and specializations, plus the launch of the Rapid7 Partner Academy. Since its debut, the Academy has seen more than 2,000 partner learners earn over 3,700 certifications. Rapid7’s partners consistently highlight its clarity, relevance, and impact in deepening cybersecurity expertise.
Looking ahead: Helping partners navigate 2026
As consolidation continues and competition in the market grows, partners are facing more challenges than ever in navigating that complexity and standing out amid the noise. Kelly remains focused on helping partners align with vendors that deliver clear, customer-centric value, comprehensive coverage across the expanding attack surface, and predictable engagement models. You can read Kelly’s full CRN Channel Chief details here.
On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild has already occurred prior to disclosure. This has been echoed by CISA who added CVE-2026-1281 to their Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (Due Feb 1, 2026) for organizations, such as federal agencies, to remediate the vulnerabilities before the affected devices must be removed from a network.
While CVE-2026-1281 has been confirmed as exploited in the wild as a zero day, it is unclear if CVE-2026-1340 has also, or if this vulnerability was found separately to CVE-2026-1281. The two critical vulnerabilities are summarized below.
Both CVE-2026-1281 and CVE-2026-1340 are described identically by the vendor; they are code injection issues, allowing a remote unauthenticated attacker to execute arbitrary code on an affected device. Based on the vendor's guidance, the attackers can provide Bash commands as part of a malicious HTTP GET request to the endpoints that service either the “In-House Application Distribution” feature (i.e. /mifs/c/appstore/fob/) or the “Android File Transfer Configuration” feature (i.e. /mifs/c/aftstore/fob/), resulting in arbitrary OS command execution on the target.
As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant. An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information. This is in addition to the privileged position an attacker will have on the EPMM device itself, which may allow for lateral movement within the compromised network. Given the nature of the product, EPMM is a high-profile target. It has been repeatedly targeted by zero-day vulnerabilities in the past. In 2023 the product was exploited in the wild via CVE-2023-35078, and again in 2025 via an exploit chain of CVE-2025-4427 and CVE-2025-4428. As of January 30, 2026, a public working proof-of-concept exploit for remote code execution is available. Organizations running EPMM are urged to act quickly and follow the vendor guidance to remediate these issues.
Threat hunting
The following vendor supplied regular expression can be used to search the HTTP daemon’s log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:⠀
A vendor supplied update is available to remediate both vulnerabilities.
The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.0.x patch:
Versions 12.7.0.0 and below
Versions 12.6.0.0 and below
Versions 12.5.0.0 and below
The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.1.x patch:
Versions 12.6.1.0 and below
Versions 12.5.1.0 and below
Customers are advised to update to the latest remediated version of EPMM, on an emergency basis outside of normal patching cycles, as exploitation in-the-wild is already occurring.
For the latest mitigation guidance for Ivanti EPMM, please refer to the vendor’s security advisory. In addition to remediation, the vendor has provided additional threat hunting guidance.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-1281 and CVE-2026-1340 with authenticated vulnerability checks expected to be available in today's (Jan 30) content release. Note that the "Potential" category must be enabled in the scan template to run the checks.
Updates
January 30, 2026: Added reference to the watchTowr technical analysis and proof-of-concept exploit.
On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication.
As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers.
Update #1: On February 3, 2026, the unsafe deserialization vulnerability, CVE-2025-40551, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.
Update #2: On February 12, 2026, the access control bypass vulnerability, CVE-2025-40536, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.
Technical overview
Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution. RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.
The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses that allow a remote unauthenticated attacker to execute actions or methods on a target system which are intended to be gated by authentication. Based upon the vendor supplied CVSS scores for these two authentication bypass vulnerabilities, the impact is equivalent to the two RCE deserialization vulnerabilities, likely meaning they can also be leveraged for RCE.
In addition to the four critical vulnerabilities, two high severity vulnerabilities were also disclosed. CVE-2025-40536 is an access control bypass vulnerability, allowing an attacker to access functionality on the target system that is intended to be restricted to authenticated users. Separately, CVE-2025-40537 may, under certain conditions, allow access to some administrative functionality on the target system due to the existence of hardcoded credentials.
SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below.
Customers are advised to update to the latest Web Help Desk version, 2026.1, on an urgent basis outside of normal patching cycles.
For the latest mitigation guidance for SolarWinds Web Help Desk, please refer to the vendor’s security advisory.
Rapid7 customers
Exposure Command, InsightVM and Nexpose customers can assess their exposure to CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 CVE-2025-40554 with remote vulnerability checks available in the Jan 28 content release.
Updates
January 28, 2026: Added reference to the Horizon3.ai technical analysis.
January 29, 2026: Updated coverage information
February 3, 2026: Updated Overview to add a reference to CVE-2025-40551 being added to the CISA KEV list.
February 13, 2026: Updated Overview to add a reference to CVE-2025-40536 being added to the CISA KEV list.
The 2026 Security Predictions webinar reinforced a simple but uncomfortable truth. The forces shaping cyber risk are not new, but they are converging faster and with greater impact than many organizations are ready for. Geopolitics, insider risk, and threat intelligence have long influenced cyber operations. What has changed is the extent to which they directly affect everyday security decisions.
Geopolitical risk is now an operational concern
Cyber operations have always reflected geopolitical realities. Nation-states have used cyber capabilities for espionage, surveillance, and disruption for decades. Historically, these activities focused on governments, critical infrastructure, or defense sectors.
That line has faded.
Today, private organizations are increasingly targeted as proxies. Supply chains, cloud providers, and SaaS platforms offer scale, access, and plausible deniability for state-aligned groups. Many of these campaigns are not designed for immediate disruption. Instead, they focus on intelligence gathering, long-term access, or positioning that can be activated later.
For security teams, this shift creates a new challenge. Geopolitical motivation does not follow traditional cybercrime logic. Organizations that do not consider themselves high risk can still become collateral targets because of who they work with, where they operate, or what services they provide.
Geopolitical awareness can no longer sit outside the SOC. It must influence monitoring priorities, threat modeling, and response readiness.
Looking ahead: Action plan for 2026
Security teams should track geopolitical developments and understand how global events influence attacker behavior. Curated threat intelligence helps translate abstract risk into concrete tools, infrastructure, and techniques that defenders can monitor.
Incident response playbooks should also account for politically motivated attacks. These scenarios benefit from executive pre-approval, allowing teams to respond decisively when intent is unclear but potential impact is high.
Finally, organizations should map exposure across suppliers, technology partners, and infrastructure dependencies. Understanding where geopolitical risk intersects with your environment is now essential for resilience.
Insider threats are becoming a primary breach driver
Insider threats are not a new problem, but their role in breaches continues to grow. Within the 2026 Security Predictions webinar, the panel emphasized that insider risk now spans a wide spectrum. At one end is simple negligence, including phishing mistakes, misconfigurations, and poor access hygiene. At the other is deliberate access monetization, where credentials or privileged access are sold or misused.
Several factors are accelerating this trend. Workforce stress, economic pressure, role churn, and identity sprawl all increase the likelihood that access will be abused or misused. In many cases, breaches now begin with valid credentials, making traditional perimeter defenses less effective.
This reality forces a shift in how security teams think about trust and access. Valid access no longer means safe access.
Looking ahead: Action plan for 2026
Security teams should establish behavior baselines across users and roles to identify anomalous activity early. Unexpected access patterns, unusual downloads, or irregular logins often provide the first signal that something is wrong.
Just as important is fostering a speak-up culture. Employees should be encouraged to report phishing attempts, mistakes, or suspicious behavior without fear. Early reporting often determines whether an incident is contained quickly or escalates.
Privilege models also require regular review. Least privilege must be continuous, not static. As roles evolve and environments change, access should be reassessed to reduce blast radius when incidents occur.
Context is becoming the decisive advantage
Threat intelligence and detection capabilities have advanced rapidly, but volume alone does not improve outcomes. Security teams now face more alerts, more telemetry, and more data than ever before. The challenge is deciding what matters.
The panel highlighted that speed without context creates noise, not security. As exploitation windows shrink and attacks scale, teams that lack context struggle to prioritize, investigate, and respond effectively.
Context brings together asset criticality, exposure, threat intelligence, and business impact. Teams that operate with this understanding move faster because they know where to focus and why.
This shift also changes how security leaders communicate value. Metrics tied to readiness, risk reduction, and response effectiveness resonate far more than raw alert counts.
Looking ahead: Action plan for 2026
Security leaders should align SecOps and executive stakeholders around shared dashboards and context-rich briefings. These views should emphasize readiness gaps, exposure trends, and investment value, rather than activity volume.
Organizations should also rationalize security tooling around outcomes. High-impact tools that improve time to detect, time to respond, and analyst efficiency matter more than broad coverage alone.
Finally, teams should reinvest saved time and budget into areas that compound over time. Automation, threat intelligence, and staff development all strengthen resilience when supported consistently.
Preparing for what comes next
The webinar made it clear that success in 2026 will depend on integration, awareness, and context. Geopolitical risk, insider threats, and intelligence-driven defense are no longer separate concerns. They intersect daily inside modern security operations.
Teams that acknowledge this reality and act early will be better positioned to respond with confidence, adapt to change, and stay ahead of increasingly sophisticated attackers.
Missed the live session? Watch the 2026 Security Predictions webinar to understand the forces shaping cyber risk and what to prioritize next.
Organizations increasingly rely on Microsoft as their foundational productivity and security technology provider. As these environments grow in scale and complexity, security leaders are responsible for operationalizing the vast signals traversing their Microsoft stack in order to anticipate and preempt threats. At the same time, those efforts must deliver measurable security outcomes and clear return on investment.
If you’re reading this, you already know what’s at stake. But I’ll say it louder for the folks in the back: As more of your environment consolidates onto Microsoft, the attack surface evolves – and without fully operationalizing that ecosystem, risk grows alongside it.
We are excited to announce the availability of Rapid7 MDR for Microsoft – a preemptive threat detection, investigation, and response service that brings together Rapid7’s global SOC, our market-leading SIEM technology, and deeper bi-directional Microsoft Defender integrations. The service helps security and IT teams maximize their investments, reduce cost and complexity, respond decisively to threats, and improve their security posture and resilience.
Extend the power of your stack
Microsoft Defender provides broad visibility across modern environments – from endpoint and identity to cloud and email. That visibility leads many organizations to a fine line, where it can either mean rich, actionable insight for some security teams, and overwhelming signal volume and missed alerts for others. Rapid7 helps organizations build a clear picture from the rich telemetry by bringing these Microsoft signals together with our native telemetry. And by incorporating exposure and asset risk directly into investigations, our SOC is empowered to anticipate likely breach paths and intervene earlier in the attack lifecycle. Combining your Microsoft security stack with our preemptive MDR ultimately helps you:
Anticipate attacks before they start
Respond with certainty across the full attack lifecycle
Strengthen resilience through partnership
Get better outcomes from Microsoft - not overhead
Capabilities that drive real-world outcomes
Leaning into Rapid7’s proven record as a leader in managed detection and response, MDR for Microsoft combines powerful AI-SOC technology with expert human service delivery to help Microsoft-centric organizations achieve measurable security outcomes. In IDC’s recent Business Value of Rapid7 MDR study, customers achieved a 422% three-year ROI, identified threats 87% faster, and reduced the likelihood of a major security event by 54%. MDR for Microsoft delivers these same results through capabilities designed to operationalize and protect Microsoft environments at scale, including:
Risk-aware analysis that stops attacks earlier: By pairing enterprise vulnerability risk management with analysis of live threat activity, the service preemptively identifies the attack paths most likely to be exploited – empowering efficient analyst evaluation with a clear understanding of underlying asset context.
Dedicated cybersecurity advisor extends your team: Your advisor leverages their practitioner experience to provide regular threat briefings, environment-hardening advice, program governance, and health checks – helping drive long-term maturity without adding headcount.
Decisive response backed by deep forensics and unlimited IR: Remote containment, endpoint forensics powered by our open-source DFIR framework – Velociraptor – and unlimited incident response ensure threats are stopped quickly, and fully investigated and neutralized before our team rests.
Unlimited log ingestion delivers predictable value: Remove SIEM cost constraints and ensure complete visibility so investigations are never limited by data volume or surprise overage fees.
Bi-Directional Defender integration that reduces friction: Endpoint alerts and analyst actions stay synchronized between Rapid7 and Microsoft consoles, keeping systems aligned while laying the foundation for broader integrations across additional Microsoft security vectors.
Always-on, expert-led SOC coverage: Our 24x7x365 global SOC continuously monitors and investigates activity across Microsoft and non-Microsoft environments, ensuring threats are identified and acted on as soon as they emerge.
Full transparency into SOC activity and outcomes: With direct access to the SIEM and investigation workflows, your team can ride sidecar on investigations, run your own queries, upskill internal teams, and clearly see the outcomes being delivered by the Rapid7 SOC over time.
Additional value-drivers included in the service are unlimited SOAR automation, standard 13-month data retention with the ability to extend, proactive threat hunting, and AI-assisted investigation workflows, delivering a comprehensive MDR experience that scales with your environment and outpaces attackers.
Make the most of Microsoft Defender with Rapid7
As Microsoft continues to serve as the backbone of modern environments, the ability to translate security signals into consistent action becomes increasingly critical. MDR for Microsoft is designed to help security leaders move confidently from visibility to outcomes – pairing the strength of Microsoft Defender with Rapid7’s proven expertise, preemptive risk-awareness, and resilience-building capabilities. The result is a security program that not only sees more, but responds faster, operates with greater confidence, and proves its value as environments continue to scale.
If you’d like to see how MDR for Microsoft can help you operationalize your Microsoft security stack, request a demo or reach out to your Rapid7 account team to continue the conversation.
On November 18, 2025, a patched release was published for a critical unauthenticated file read vulnerability in n8n, a popular piece of automation software. The advisory for this vulnerability, CVE-2026-21858, was subsequently published on January 7, 2026; the vulnerability holds a CVSS score of 10.0. If a server has a custom configured web form that implements file uploads with no validation of content type, an attacker can overwrite an internal JSON object to read arbitrary files and, in some cases, establish remote code execution. This vulnerability has been dubbed “Ni8mare” by the finders.
The finders, Cyera, published a technical blog post about the vulnerability on January 7, 2026, and a separate technical analysis and proof-of-concept (PoC) exploit were published by third-party security researcher Valentin Lobstein the same day. The Cyera writeup demonstrates CVE-2026-21858, while the third-party exploit also leverages CVE-2025-68613, an authenticated expression language injection vulnerability in n8n, for remote code execution. Additional authenticated vulnerabilities, tracked as CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, and CVE-2026-21877 can be chained with the unauthenticated vulnerability CVE-2026-21858 for code execution or arbitrary file write on specific affected versions of n8n.
In total there are five CVEs that n8n users should be aware of:
Certain form-based workflows are vulnerable to improper file handling that can result in arbitrary file read. When exploited, attackers can establish administrator-level access to n8n.
A vulnerability in n8n’s expression evaluation system allows authenticated users to execute arbitrary system commands through crafted expressions in workflow parameters.
A sandbox bypass vulnerability exists in the n8n Python Code node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n in the context of the service user.
In self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This permits reading and writing files on the host.
No
Technical overview
CVE-2026-21858: “Unauthenticated File Access via Improper Webhook Request Handling”
This is the primary access vector for the n8n exploit chain and holds a maximum CVSS score of 10.0. It is a critical unauthenticated file read vulnerability that occurs when custom web forms implement file uploads without validating the content type. By exploiting this flaw, an attacker can overwrite an internal JSON object to read arbitrary files from the server. This capability may be leveraged to forge an administrator session token and exploit subsequent authenticated vulnerabilities for code execution.
CVE-2025-68613: “Remote Code Execution via Expression Injection”
This vulnerability is characterized as an authenticated expression language injection flaw. While it requires an established session to exploit, it can be chained with CVE-2026-21858 to achieve remote code execution. It affects n8n versions starting at 0.211.0 and below 1.20.4. Attackers can leverage this flaw by injecting malicious expression language commands once they have gained a foothold as an administrator.
CVE-2025-68668: “Arbitrary Command Execution in Pyodide based Python Code node”
Affecting n8n versions between 1.0.0 and 2.0.0, this is an authenticated vulnerability used for secondary exploitation. Depending on the specific configuration of the affected version, it allows an attacker to execute arbitrary OS commands. Because it requires authentication, it is used on a case-by-case basis after an initial breach has compromised the management interface.
CVE-2025-68697: “Legacy Code node enables file read/write in self-hosted n8n”
CVE-2025-68697 is an authenticated vulnerability that facilitates arbitrary file read/write in the context of the n8n process when exploited. Per the advisory, systems are vulnerable when the Code node runs in legacy (non-task-runner) JavaScript execution mode. CVE-2025-68697 specifically impacts n8n versions ranging from 1.2.1 up to 2.0.0, though n8n version 1.2.1 and higher automatically prevents read/write access to the `.n8n` directory by default. As a result, exploitation of CVE-2025-68697 is likely to require a more bespoke strategy for each specific target, making it a less likely vulnerability to be exploited as a secondary chained bug with CVE-2026-21858.
CVE-2026-21877: “RCE via Arbitrary File Write”
This vulnerability has a CVSS score of 9.9 and affects both self-hosted and cloud versions of n8n. It allows for remote code execution within n8n versions 0.123.0 through 1.121.3. Although it is an authenticated vulnerability, its high severity stems from its ability to grant an attacker full system control once they have bypassed initial authentication using the CVE-2026-21858 file read flaw.
Mitigation guidance
Organizations running self-hosted instances of n8n should prioritize upgrading to a version at or above 1.121.0 immediately to remediate the unauthenticated initial access vulnerability CVE-2026-21858.
According to the vendor, the following versions are affected:
CVE-2026-21858: Versions at or above 1.65.0 and below 1.121.0.
CVE-2025-68613: Versions at or above 0.211.0 and below 1.20.4.
CVE-2025-68668: Versions at or above 1.0.0 and below 2.0.0.
CVE-2025-68697: Versions at or above 1.2.1 and below 2.0.0.
CVE-2026-21877: Versions at or above 0.123.0 and below 1.121.3.
For the latest mitigation guidance, please refer to the vendor’s security advisories.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-21858, CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, CVE-2026-21877 with vulnerability checks available in the January 9th content release.
Updates
January 8, 2026: Initial publication.
January 12, 2026: Updated Rapid7 customers section to confirm checks shipped on January 9, 2026.
As the threat landscape keeps shifting, security teams are being asked to do more than react. They are expected to look ahead, connect the dots, and make decisions in environments that change faster every year. That challenge was at the heart of Rapid7’s 2026 Security Predictions webinar, where our experts reflected on what the past year revealed about attacker behavior, defender priorities, and the realities of running a modern SOC.
The conversation looked back just long enough to spot the patterns that matter, then turned forward to the forces shaping 2026. Geopolitics, insider risk, and the need for context-driven defense all surfaced repeatedly. The takeaway was simple but important. Attackers are adapting quickly, and security teams need to adapt with the same urgency.
Below are the key takeaways from the discussion, along with the top predictions shaping the year ahead.
Key takeaways from the discussion
The threat landscape is no longer isolated
One of the strongest themes from the webinar was how interconnected today’s risks have become. Cyber activity does not exist in a vacuum. Geopolitical tensions, economic pressure, workforce challenges, and technological acceleration all feed directly into attacker behavior.
Security teams can no longer separate cyber risk from broader business and global risk. Decisions made outside the SOC, from supplier choices to workforce strategy, increasingly influence exposure and attack paths.
Identity and access remain the most reliable attack paths
Despite continued investment in perimeter defenses, attackers are still finding success through compromised credentials, misused access, and human error. The webinar panel reinforced that identity-based compromise remains one of the most consistent and scalable techniques used by threat actors.
This means defenders must treat identity, behavior, and access governance as core detection and response signals, not secondary controls.
Speed without context creates noise, not security
The rise of AI-driven attacks and automation has increased the volume and pace of activity security teams must process. However, the panel stressed that faster alerts alone do not improve outcomes.
Without understanding which assets matter, which exposures are exploitable, and which alerts represent real risk, teams risk moving quickly in the wrong direction. Context is now essential for effective prioritization and response.
The top cybersecurity predictions for 2026
1. Geopolitical fault lines will redraw the cyber battlefield
In 2026, geopolitical tensions will continue to spill into the digital domain, with private organizations increasingly caught in the middle. State-aligned and state-tolerated groups will target critical supply chains, service providers, and global enterprises as proxy targets, blending espionage with economic disruption.
For security teams, this means geopolitical risk must be factored into threat modeling, vendor assessments, and incident response planning. Even organizations far from traditional conflict zones may find themselves impacted by campaigns tied to global tensions.
2. Insider threats will dominate breach root causes
The panel highlighted that many of tomorrow’s breaches will not start with attackers breaking in, but with access already in place. Insider threats, driven by simple negligence, compromised credentials, or monetized access selling, will continue to rise.
Economic stress, workforce changes, and growing access complexity all contribute to this trend. As a result, organizations must focus more on access hygiene, behavior monitoring, and creating environments where employees can report mistakes early without fear.
3. Context will become the new currency of cyber performance
As attacks scale and exploitation windows shrink, the ability to understand what matters most will define successful security operations. The panel emphasized that visibility alone is no longer enough.
Security teams that integrate exposure management, detection, and response will outperform those relying on disconnected tools and alert-heavy workflows. Context-rich defense allows teams to triage faster, investigate smarter, and respond based on real business risk rather than alert volume.
What this means for security teams heading into 2026
The predictions shared during the webinar point to a future where success depends less on adding more tools and more on using intelligence, context, and automation effectively. Security teams that can unify visibility, prioritize risk, and act decisively will be better positioned to keep pace with increasingly adaptive attackers.
The message from the panel was clear. 2026 will reward teams that focus on understanding their environment, aligning security efforts with real-world risk, and preparing for threats shaped by forces far beyond the SOC.
Watch the 2026 Security Predictions webinar to hear directly from Rapid7’s experts on what’s shaping the threat landscape and how security teams should prepare.
On December 19, 2025, MongoDB Inc. disclosed a critical new vulnerability, CVE-2025-14847, which has since been dubbed MongoBleed. This vulnerability is a high-severity unauthenticated memory leak affecting MongoDB, one of the world's most popular document-oriented databases. While initially identified as a data exposure flaw, the severity is underscored by the fact that it allows attackers to bypass authentication entirely to extract sensitive information directly from server memory. On December 26, 2025, public proof-of-concept (PoC) exploit code was published and on December 29th, 2025 exploitation in-the-wild has been confirmed.
While CVE-2025-14847 is rated as a high-severity vulnerability, CVSS 8.7, its impact is critical. Successful exploitation allows a remote, unauthenticated attacker to "bleed" uninitialized heap memory from the database server by manipulating Zlib-compressed network packets. This memory often contains high-value secrets such as cleartext credentials, authentication tokens, and sensitive customer data from other concurrent sessions. Because the vulnerability returns "uninitialized heap memory," an attacker cannot target specific credentials or data records with precision; they must instead rely on repeated exploitation attempts and chance to capture sensitive information.
The vulnerability specifically affects MongoDB servers configured to use the Zlib compression algorithm for network messages, which is a common configuration in many production environments. It affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk.
As of this writing, the public PoC has been successfully verified by Rapid7 Labs. Unlike scenarios where valid exploits are initially scarce, the exploit for MongoBleed is functional and reliable.
Organizations running self-managed MongoDB instances are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles. Given the nature of the leak, simply patching is insufficient; organizations are advised to also rotate all database and application credentials that may have been exposed prior to remediation.
Mitigation guidance
CVE-2025-14847 affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk. Organizations managing their own MongoDB instances should prioritize upgrading to the fixed versions released by the vendor (e.g., 8.0.4, 7.0.16, 6.0.20, etc.) immediately. This is the only complete remediation for the vulnerability.
If an immediate upgrade is not feasible, or if the organization is running an End-of-Life (EOL) version that will not receive a patch, the risk can be effectively mitigated by disabling the Zlib network compressor in the server configuration. This prevents the specific memory allocation path used by the exploit.
In addition, because CVE-2025-14847 allows for the exfiltration of credentials and session tokens from server memory, patching alone is insufficient to ensure security. Administrators should assume that any secrets residing in the database memory prior to patching may have been compromised; therefore, all database passwords, API keys, and application secrets should be rotated immediately after the vulnerability is remediated.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-14847 with a vulnerability check expected to be available in today's (Dec 29) content release.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-14847, including a Suricata rule.
Rapid7 observations
Rapid7 Labs has become aware of a new exploitation tool that streamlines the extraction of sensitive data from vulnerable MongoDB instances. This utility introduces a graphical user interface that allows an attacker to either batch-dump 10MB of memory or monitor the extraction process via a live visual feed. Rapid7 Labs has confirmed the tool operates as described, as demonstrated in the video below.
Click to view in new tab
Detection and Hunting
Velociraptor
Velociraptor published a Linux.Detection.CVE202514847.MongoBleed hunting artifact written by Eric Capuano designed to detect indicators related to CVE-2025-14847 memory leakage activity. This artifact enables defenders to proactively identify suspicious network or process behaviors consistent with mangled Zlib protocol abuse.
Updates
December 29, 2025: Initial publication
December 29, 2025: "Rapid7 Observations" section added with video
December 29, 2025: Added exploitation confirmation
On December 17, 2025, Hewlett Packard Enterprise (HPE) published an advisory for CVE-2025-37164, a CVSS 10.0 vulnerability in HPE OneView. The vulnerability, which was reported to HPE by security researcher Nguyen Quoc Khanh, facilitates unauthenticated remote code execution (RCE) on versions of HPE OneView before 11.0. Defenders are advised to prioritize upgrading to version 11.0 or applying the emergency hotfixes (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) as soon as possible.
OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just about establishing remote code execution, it’s about gaining centralized control over servers, firmware, and lifecycle management at scale. The real concern here is exposure and trust assumptions. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.
Update #1: A Rapid7 technical analysis of CVE-2025-37164 has been published on AttackerKB, and a Metasploit module is now available.
Update #2: On January 7, 2026, CVE-2025-37164 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.
Hotfix analysis
Rapid7 Labs has begun an initial analysis of the vendor-supplied hotfix HPE_OneView_CVE_37164_Z7550-98077.bin. This hotfix applies a new HTTP rule to the appliance’s webserver to block access to a specific REST API endpoint. This endpoint is /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication. Rapid7 Labs assesses with a high degree of confidence that this is the access vector for triggering the vulnerability and achieving remote code execution.
For the latest mitigation guidance for HPE OneView, please refer to the vendor’s security advisory.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-37164 with an unauthenticated vulnerability check expected to be available in today's (December 18) content release.
Updates
December 18, 2025: Initial publication.
December 19, 2025: Updated to link to the new Rapid7 technical analysis and Metasploit module for CVE-2025-37164.
January 8, 2026: Updated Overview to add a reference to the CISA KEV list.
Update for CVE-2026-24858: On January 27, 2026, Fortinet disclosed CVE-2026-24858, a critical unauthenticated vulnerability allowing authentication bypass via Fortinet’s cloud SSO. Confirmed as a net-new vulnerability rather than a patch bypass, it has been observed under active zero-day exploitation. The issue affects FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. However, because Fortinet has deployed a fix to the cloud environment, a client-side patch is not required to prevent exploitation. Please refer to the ‘Mitigation guidance’ section for further details.
A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device. Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.
While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out. This behavior significantly increases the likelihood of exposure across registered deployments. Arctic Wolf has confirmed active exploitation and CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.
Observed attacks show threat actors authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials. As a result, any organization with indicators of compromise must assume credential exposure and respond accordingly.
Rapid7 observations
Rapid7 initially observed CVE-2025-59718 exploitation attempts against honeypots on December 17, 2025, alongside a proof-of-concept exploit on GitHub resembling those requests. Update as of January 16, 2026, Rapid7 has identified threat actors actively exploiting authentication bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 on vulnerable FortiGate devices exposed to the public internet.
Mitigation guidance
CVE-2025-59718 and CVE-2025-59719:
Fortinet has published an advisory that lists fixed versions for CVE-2025-59718 and CVE-2025-59719.
CVE-2026-24858:
According to Fortinet’s advisory, a patch deployed to their own FortiCloud SSO infrastructure on January 26, 2026 has remediated the vulnerability. However, patched software is available for customers, since the cloud-side fix introduces breaking changes to the FortiCloud SSO login protocol. Because of this, fixed versions are listed, along with IoCs from exploitation in the wild.
Per Fortinet, FortiAnalyzer, FortiManager, FortiOS, and FortiProxy are confirmed to be affected, and a vendor investigation is ongoing (as of January 27, 2026) to determine if FortiWeb and FortiSwitchManager are affected.
For the latest information, please refer to the official Fortinet advisory for CVE-2026-24858.
Rapid7 customers
Exposure Command, InsightVM and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-59718 and CVE-2025-59719 with authenticated vulnerability checks available in the December 17 content release.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-59718 and CVE-2025-59719, including indicators of compromise (IOCs).
Updates
December 17, 2025: Initial publication.
December 17, 2025: Coverage updated.
December 18, 2025: Added Intelligence Hub section.
January 16, 2026: Active exploitation observed.
January 26, 2026: Added information about the January, 2026 advisory blog post and the new recommended mitigation steps.
January 27, 2026: Added information about CVE-2026-24858.
Following disclosure of the React2Shell vulnerability (CVE-2025-55182), a maximum-severity Remote Code Execution (RCE) in React Server Components (RSC) a.k.a. the Flight protocol, security teams are assessing exposure and validating fixes. React and ecosystem vendors have released patches; exploitation in the wild has been reported, so rapid validation matters.
What is React2Shell?
React2Shell is an unauthenticated RCE flaw caused by insecure Flight payload deserialization in server-side React/RSC implementations (including popular frameworks like Next.js). It carries a CVSS 10.0 rating and affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 as well as Next.js versions 15.0.0-15.1.6 and 16.0.0-16.0.6 prior to recent patches. You can read more about it in this detailed CVE overview blog post.
In this detailed writeup, we will share how our customers can specifically test for React2Shell with Rapid7’s Application Security solution.
Testing for React2Shell with application security
With our dynamic application security testing (DAST) solution, customers can assess the risk of their applications. Rapid7 allows you to configure various attacks of your applications to identify response behaviors that make your applications more vulnerable to attacks. These attacks are run during scans that you can customize based on your needs. In this case, we’ve extended our RCE attack module to include a check for React2Shell.
What does this mean? Customers can now run an Attack Injection using the RCE, which includes an attack type for React2Shell. Our React2Shell vulnerability detection will simulate an attacker on your website. This is a benign attack which will not execute any code and only shows that RCE is possible. Rapid7 will validate the exploitability of the application and the associated risk.
How to run a React2Shell attack in the Rapid7 DAST
You can scan for this new RCE attack using either the new Arbitrary Code Execution attack template we have created or by creating your own custom attack template and selecting the RCE module. We have added some steps for you to follow below:
Default attack template option:
Choose the Arbitrary Code Execution attack template in your scan configuration:
⠀
Default Arbitrary Code Execution attack template with RCE attack module
Custom attack template option:
Custom Attack Template with RCE module
Run a scan
Choosing the scan configuration you made earlier, scan against your selected app(s).
Scan results - React2Shell RCE finding
Now that you have run your scan, you can review the results to see if your app(s) have any findings. These will include remediation advice that you can follow.
⠀
Manage attack templates
You can now manage your attack templates by navigating to the appropriate section and selecting the Arbitrary Code Execution attack template as below.
⠀
Manage attack templates
What’s next?
Patch immediately, upgrade React to 19.0.1, 19.1.2, or 19.2.1 (or newer). For Next.js, the recommended action is to update to the following respective patched versions: 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, or later*. You should seek to remediate this vulnerability on an urgent basis, outside of normal patch cycles and consider temporary web application firewall (WAF) rules for Flight endpoints while patching. If you’re looking to validate any fixes you have implemented, feel free to run a validation scan with our application security tool to verify the fixes are correct.
* For Next.js, the recommendation from Nextjs is to update to the following respective patched versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, or later. However, we have identified that versions 15.0.5 and 15.1.9 have a different critical vulnerability and would recommend against using them.
Every year, Rapid7 brings together some of the most experienced minds in cybersecurity to pause, zoom out, and take stock of where the threat landscape is heading. Last year's predictions webinar sparked lively debate among practitioners, leaders, and researchers alike, and many of those early warnings were proven accurate.
We talked about expanding attack surfaces, the acceleration of zero-day exploitation, and the shifting role of SecOps teams navigating unpredictable regulatory and operational pressure. We explored how AI was beginning to shape attacker behavior and how defenders could prepare for a world where speed and context matter more than ever. Looking back, the real takeaway was not just the predictions themselves. It was how quickly the landscape shifted around them.
This year's predictions webinar builds on that momentum. The conversation feels different now. Threat actors have adapted. Business environments have tightened. Defenders are operating with more constraints and higher expectations than at any point in recent memory. That is exactly why our experts are once again stepping up to share what they are seeing, what is keeping them curious, and what they believe security teams should be paying closer attention to as we head into 2026.
A panel shaped by diverse vantage points
One of the strengths of this session is the range of perspectives represented on the panel.
Philip Ingram, Former Senior Military Intelligence Officer at Grey Hare Media, brings a global geopolitical lens that connects cyber activity with real-world tensions and state-aligned movements. His vantage point helps translate complex geopolitical signals into practical considerations for security teams.
Raj Samani, SVP and Chief Scientist at Rapid7, offers deep insight into attacker behavior, AI-driven disruption, and the evolving threat landscape. His work tracking threat actor tradecraft and the mechanics of cybercrime economies gives him a unique perspective on how attacks scale and shift over time.
Sabeen Malik, VP of Global Government Affairs and Public Policy at Rapid7, brings a policy and regulatory perspective that is essential for understanding how global mandates and governance trends influence security operations. Her insights shed light on the intersection of cyber risk, legislative pressure, and organizational responsibility.
Together, they create a multi-dimensional picture of what is coming next. Not hype. Not speculation. Instead, grounded observations from experts who see attacker behavior unfold from very different angles.
What we learned from last year
Last year's session made one thing clear: the forces shaping cyber risk are not isolated. They are interconnected, and they are accelerating.
We saw that:
Attackers were closing the gap between vulnerability disclosure and exploitation.
Identity-based compromise continued to outpace traditional malware.
Economic and operational pressures made it harder for security teams to keep up.
Global events had tangible ripple effects on what attackers chose to target next.
Those insights helped set a realistic direction for 2025. Only twelve months later, the ground has shifted again. AI-assisted exploitation, insider-driven breaches, geopolitical instability, and expanding exposure surfaces are changing both attacker priorities and defender responsibilities.
This webinar is not a rehash. It is a recalibration, grounded in what is actually happening across the threat landscape right now.
Themes our experts will explore
While the predictions themselves will be revealed live during the session, we can share a few of the themes shaping this year's discussion.
How global tensions are redefining cyber risk for private organizations, even those far from the front lines
Why identity, behavior, and access are becoming the most reliable early indicators of compromise
Where AI is helping and hurting defenders, and how attackers are using automation and tooling to accelerate the earliest stages of intrusion
Why context and prioritization are becoming essential as vulnerability volumes and exploitation speeds continue to rise
How security teams can get ahead of exposure, not just react to it, through more integrated and risk-aware workflows
These are not abstract conversations. They reflect the real operational and strategic challenges security teams face every day.
Why you will not want to miss it
Whether you are leading a security program or defending in the trenches, this session will help you:
Understand the forces shaping attacker strategy Identify the signals that matter most for early detection
Anticipate the operational pressures teams will face in 2026
Prioritize investments, workflows, and practices that support resilience
You will walk away with a clearer sense of where to focus, what to watch for, and how to prepare your team for what comes next, without getting lost in noise or speculation.
Join the conversation
This webinar is one of our most anticipated sessions of the year. If you have not registered yet, now is the perfect time to save your spot and hear directly from the experts shaping the conversation around what 2026 will look like for security teams everywhere.
Update #1: As of 4:30 PM Eastern, December 4, 2025, Rapid7 has validated that a working weaponized proof-of-concept exploit, shared by researcher @maple3142, is now publicly available.
Update #3: At 10:00 AM Eastern, December 5, 2025, CVE-2025-55182 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), confirming exploitation in-the-wild has begun.
On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However this second CVE has since been rejected as a duplicate of CVE-2025-55182, as the root cause in all cases is the same and should be referred to with a single common CVE identifier.
CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React, a very popular library for building modern web applications. This new vulnerability has a CVSS rating of 10.0, which is the maximum rating possible and indicates the highly critical nature of the issue. Successful exploitation of CVE-2025-55182 allows a remote unauthenticated attacker to execute arbitrary code on an affected server via malicious HTTP requests.
The vulnerability affects React applications that support React Server Components. While the vulnerability affects the React Server Components feature, server applications may still be vulnerable even if the application does not explicitly implement any React Server Function endpoints but does support React Server Components. Additionally, many popular frameworks based on React, such as Next.js, are also affected by this vulnerability.
A separate advisory was published by Vercel, the vendor for Next.js. This advisory tracks the impact of CVE-2025-55182 as it applies to the Next.js framework, and provides information for Next.js users to remediate the issue.
As of this blog’s publication on December 4, 2025, there is no known public exploit code available. Several exploits have been published claiming to exploit CVE-2025-55182; however, they have not been successfully verified as actually exploiting this vulnerability. This has been noted in the original finder’s website, react2shell.com. Although broad exploitation has not yet begun, we expect this to quickly change once a viable public exploit becomes available.
Organizations who use React or the affected downstream frameworks are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles and before broad exploitation begins.
Mitigation guidance
CVE-2025-55182 affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React packages:
A vendor-supplied update for the above packages is available in versions 19.0.1, 19.1.2, and 19.2.1. Users of affected React packages are advised to update to the latest remediated version on an urgent basis.
Downstream frameworks that depend on React are also affected, this includes (but is not limited to):
For the latest mitigation guidance for React, please refer to the React security advisory. For the latest mitigation guidance specific to Next.js, please refer to the Vercel security advisory.
Rapid7 customers
Exposure Command, InsightVM and Nexpose
An unauthenticated check for CVE-2025-55182 has been available to Exposure Command, InsightVM and Nexpose customers since the December 4th content release. Note that the first iteration of the check was a "potential" type check which was later revised to a non-potential (normal remote check) one on Friday, the 5th December.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-55182, including indicators of compromise (IOCs), Yara and Sigma rules.
Observed exploitation
As of December 8, 2025, Rapid7 honeypots have observed exploitation attempts of CVE-2025-55182 using the same RCE technique from the PoC published on December 4, 2025. While the exploit attempts seen on our honeypots match the RCE technique from that original PoC, the actual payloads being delivered (i.e. what the attackers are trying to execute on a compromised server), are now different and show malicious intent.
One such example we are seeing is the deployment of MeshAgent remote control software, which if successful will allow an attacker to remotely control newly compromised systems from a centralized location. The decoded malicious payload command can be seen here:
In cybersecurity today, regulation is everywhere, but resilience isn’t keeping pace.
In this episode of Experts on Experts: Commanding Perspectives, Craig Adams chats with Sabeen Malik, VP of Public Policy & Government Affairs at Rapid7, about what’s broken (and what’s promising) in today’s regulatory landscape.
Sabeen pulls from her experience across diplomacy, operations, and government relations to highlight where policy too often fails to account for how risk actually works. From insider threats to government shutdowns, it’s a sharp, timely look at how security leaders should approach strategy, structure, and compliance going into 2026.
Key themes:
The growing trust gap between public, private, and institutional actors
Why insider threats are a cultural problem, not just a controls one
Where UK and US guidance is falling short on resilience
What small and midsized businesses are still missing
Why AI, exposure, and threat governance need to be connected
Whether you're thinking about AI use cases or modern regulation fatigue, this episode offers a much-needed reset.
AI dominates headlines, yet one cornerstone of security operations keeps evolving to meet today’s threats. Security Information and Event Management (SIEM) has come a long way from basic logging. Modern platforms unify threat detection, investigation, and response with automation, context, and AI, so analysts can act faster and with confidence. That is the focus of our new Next-gen SIEM Buyer’s Guide.
Why this guide now
Many teams are still wrestling with legacy SIEMs that were built for storage and compliance, not for today’s hybrid environments or AI-enabled adversaries. The market is crowded and the language is inconsistent, which makes evaluation tough. This guide cuts through the noise with a practical definition of next-gen SIEM and a clear set of evaluation criteria grounded in outcomes, not buzzwords. It explains how a SIEM should help you see more, decide faster, and respond with precision, by pairing analytics with automation and exposure context.
In this guide you will learn the core capabilities that define a next-gen SIEM, including high-fidelity data ingestion, curated detections, AI-assisted triage, automation, and integrated exposure context. Next, you’ll better understand how to assess platforms for usability, scalability, and total cost of ownership without sacrificing effectiveness. Finally, we will offer some questions to ask vendors so you can separate claims from proof and align the solution to your team’s workflows and maturity. The guide also highlights where SIEM sits alongside adjacent tools and why data quality, context, and integrated workflows matter more than feature lists.
Who should read it
Security leaders and practitioners who are evaluating SIEMs, planning a modernization, or looking to improve analyst efficiency and overall SOC performance will find practical guidance they can use in vendor conversations and internal planning. If your goals include reducing false positives, accelerating investigation and response, and tying detections to business risk, this guide will help you level set your needs with the right requirements.
How Rapid7 approaches next-gen SIEM
Rapid7’s approach brings detection and response together in a single, streamlined experience that helps analysts identify, investigate, and contain threats faster. Rapid7’s next-gen SIEM delivers curated detections mapped to attacker behavior, reducing false positives and surfacing high-priority alerts with clear context. Integrated investigation and response workflows guide analysts from alert to action within one interface, linking threat intelligence, identity, and asset data to drive faster, more confident decisions. Built on the Rapid7 Command Platform, this unified approach consolidates visibility across endpoints, networks, cloud, and SaaS environments, enabling coordinated detection and response without tool sprawl.
Get the guide
Download Rapid7’s Next-Gen SIEM Buyer’s Guide to learn how to evaluate platforms that deliver measurable detection and response outcomes, not just more data. If you want to see how these principles show up in the product, explore the Rapid7 Command Platform.
Every great product experience starts with a smooth beginning. But in the world of cloud security, onboarding can sometimes feel like an obstacle course. Detailed fine-grained Identity and Access Management (IAM) configurations, lengthy deployment steps, and manual permission setups can turn what should be an exciting first impression into a tedious chore.
That’s changing. Rapid7 has enhanced the onboarding experience for Exposure Command and InsightCloudSec by integrating with AWS IAM temporary delegation - a new AWS capability that lets customers approve deployment access directly in the AWS console. The result? A faster, simpler, and more secure path to getting up and running in the cloud.
Why onboarding matters - and why it often fails
The first minutes with a new platform matter. It’s the difference between “this is amazing” and “I’ll come back to it later.”
In cloud environments, setup usually involves multiple AWS services - compute, storage, networking, access management - all of which must be configured precisely to maintain security. Traditionally, customers have had to manually create IAM roles, adjust trust relationships, and fine-tune permissions just to let a partner solution like Rapid7 deploy resources.
It’s not just time-consuming; it’s error-prone. Misconfigured roles can cause deployment failures or unnecessary security risk. Support teams spend hours walking customers through the process, and the friction delays time-to-value. When scaling across dozens or hundreds of AWS accounts, those delays multiply fast.
Meet AWS IAM temporary delegation: What it is and why it matters
AWS IAM temporary delegation simplifies the entire setup journey. It allows trusted partners like Rapid7 to automate deployment securely - but only after the customer grants explicit, time-bound approval.
Here’s how it works: When you initiate onboarding from within Rapid7’s interface, you’re redirected to the AWS console. There, you can review the exact permissions Rapid7 is requesting and how long access will last. Once approved, AWS provides Rapid7 with temporary credentials to complete the setup. After the time window expires, that access ends automatically.
No long-term IAM keys, no manual role creation, and no guesswork. Customers stay in control, with full visibility and auditability. It’s automation with accountability built in.
How Rapid7 is putting this into action
With the latest release, Rapid7 has integrated this capability directly into Exposure Command and InsightCloudSec, creating a guided onboarding experience that happens almost entirely inside the Rapid7 interface.
Here’s the new flow:
Customers configure deployment options in Rapid7’s InsightCloudSec environment.
A temporary delegation request appears via an AWS console pop-up.
An authorized AWS user reviews and approves the request.
Rapid7 automatically deploys the necessary resources on the customer’s behalf.
This streamlined workflow eliminates dozens of manual steps and reduces onboarding time from hours to minutes. It’s faster, simpler, and still fully aligned with AWS’s strict security model.
Speed, simplicity, and security
This integration hits the sweet spot between automation and trust:
Speed: Customers can start realizing value from Rapid7’s cloud security solutions in minutes instead of days.
Simplicity: The UI-driven process means no wrestling with IAM policies or JSON templates.
Security: Access is temporary and permission-scoped. Customers retain complete oversight through the AWS console and CloudTrail logs.
For organizations with compliance or security governance requirements, this is the ideal balance: operational efficiency without compromising control.
Beyond onboarding: What this says about Rapid7 and AWS alignment
This update isn’t just about faster onboarding. It’s a glimpse into Rapid7’s broader partnership with AWS. Rapid7 has long been an AWS Advanced Tier Partner, building integrations that help customers manage security across cloud-native environments. From leveraging AWS telemetry in MXDR to integrating with AWS services like CloudTrail and GuardDuty, Rapid7’s platform has been designed to meet customers where they already operate within AWS.
By adopting AWS IAM temporary delegation early, Rapid7 reinforces its commitment to cloud-first innovation and shared responsibility principles. Customers get the assurance that their onboarding, deployment, and operations all align with AWS security best practices.
What this means for customers
If you’re deploying Rapid7 Exposure Command (Advanced or Ultimate) or InsightCloudSec on AWS, here’s what to expect:
A guided onboarding experience that automates AWS resource setup.
A faster, less error-prone workflow that still keeps you in control.
The ability for authorized users to approve temporary access requests directly in the AWS console.
Before onboarding, make sure someone in your organization has the permissions to approve delegation requests. After deployment, review your CloudTrail logs as part of normal governance; you’ll see every action logged and time-bounded.
Value from day one
Onboarding shouldn’t be a hurdle. And now with AWS IAM Temporary Delegation and Rapid7’s enhanced experience, it no longer is. Together, AWS and Rapid7 have reimagined what “getting started” looks like in the cloud - faster, more intuitive, and just as secure as you need it to be.
It’s one more way Rapid7 is helping organizations unlock value from day one, while staying aligned with AWS’s best practices for identity, access, and automation.
See how easy secure onboarding can be.Explore Rapid7’s listings for Exposure Command and InsightCloudSec straight from the AWS Marketplace.
Managing network security in a dynamic cloud environment is a constant challenge. As traffic volume grows and threat actors evolve their tactics, organizations need protection that can scale effortlessly while delivering robust, intelligent defense. That's where a service like AWS Network Firewall becomes essential, and we’re excited to partner with AWS to make it even more powerful.
What is AWS Network Firewall?
AWS Network Firewall (AWS NWF) is a managed service that provides essential, auto-scaling network protections for Amazon Virtual Private Clouds (VPCs). While its flexible rules engine offers granular control, defining and maintaining the right rules to defend against evolving threats is a complex and resource-intensive task.
Manually creating and updating rules often leads to coverage gaps and creates significant operational overhead. To simplify this process and empower teams to act with confidence, Rapid7 is proud to announce the availability of Curated Intelligence Rules for AWS Network Firewall. As an AWS partner, we convert our curated intelligence on Indicators of Compromise (IOCs) from into high-quality rule groups, delivering expert-vetted threat intelligence directly within your native AWS experience.
Harnessing industry-leading threat intelligence
In the world of threat intelligence, more isn’t always better. Too many low-fidelity alerts generate noise, distract analysts, and leave teams chasing false positives. At Rapid7, our approach is different. We focus on delivering high-fidelity intelligence, enabling customers to zero in on the threats most relevant to their unique environments.
Rapid7 Curated Intelligence Rules embody this same approach, and are built on three key principles:
⠀ Focus on quality over quantity - Rules emphasize meaningful, low-noise detection directly aligned with current, real-world threats, significantly reducing alert fatigue.
Curated global intelligence - Rule sets are powered by high-quality, region-specific data from unique sources, providing unparalleled visibility and context for actionable detections.
Dynamic and self-cleaning rule sets - Threat intelligence is not static. Using Rapid7’s proprietary , rules are automatically retired when an IOC passes a certain threshold, ensuring the delivered intelligence is always fresh, relevant, and current.
⠀
We’re launching with two distinct rule sets, each designed to address today’s most pressing threats:
Advanced Persistent Threat (APT) campaigns: Targets the subtle and persistent techniques used by state-sponsored and sophisticated threat actors.
Ransomware & cybercrime: Focuses on the tools, infrastructure, and indicators associated with financially motivated attacks.
⠀
These rule sets are updated daily to ensure you have the most current protections. Furthermore, our intelligence is dynamic. When an IOC passes a certain threshold in our proprietary Decay Scoring system, we remove it from the rule set. This process guarantees that the intelligence you receive is always current and actionable, significantly reducing alert fatigue.
The operational advantage
These Curated Intelligence Rules deliver immediate and tangible value, allowing your team to:
Automate threat protection: Reduce overhead with curated, continuously updated detections delivered natively within AWS Network Firewall.
Adopt protections faster: Deploy protections powered by Rapid7 Labs intelligence with just a few clicks in the console.
Maintain predictable operations: Rely on AWS-validated updates, clear rule group metadata, and transparent per-GB metering.
Common use cases addressed
Our rule sets provide practical defense against a wide range of attack scenarios. You can:
Block command and control (C2) communication from known malware families
Detect network reconnaissance activity associated with advanced persistent threats
Prevent data exfiltration to malicious domains linked to cybercrime groups
Identify and stop the download of malware payloads from compromised websites
Alert on traffic to newly registered domains used in malicious activities
Get started with Curated Intelligence Rules for AWS NFW today
As we close out 2025, one thing is clear: the security landscape is evolving faster than most organizations can keep up. From surging ransomware campaigns and AI-enhanced phishing to data extortion, geopolitical fallout, and gaps in cyber readiness, the challenges facing security teams today are as varied as they are relentless. But with complexity comes clarity and insight.
This year’s most significant breaches, breakthroughs, and behavioral shifts provide a critical lens through which we can view what’s next. That’s exactly what we’ll explore in our upcoming Security Predictions for 2026 webinar, where Rapid7’s experts will break down where we are now, what to expect next, and how organizations can proactively adapt.
Before we look ahead, let’s take stock of what defined 2025 and what it tells us about the state of cybersecurity today.
Ransomware: Same playbook, more precision
Ransomware remains one of the most consistent and costly threats facing organisations today, but the approach has shifted. According to Rapid7’s Q3 2025 Threat Landscape Report, data extortion continues to dominate, with groups increasingly focused on exfiltration and disruption rather than encryption alone. Over 80% of ransomware cases handled in Q3 involved data theft, often staged and timed to maximise leverage.
Threat actors like RansomHub, BlackSuit, NoEscape, and Scattered Spider continue to refine their operations. Many campaigns are multi-stage and collaborative, with Initial Access Brokers providing footholds that are later sold to ransomware operators. One common thread is a focus on identity and infrastructure abuse - attackers are compromising vSphere environments, exploiting misconfigurations in third-party platforms, and abusing legitimate remote access tools to move laterally before launching extortion phases.
These incidents increasingly target complex organizations with sprawling digital footprints. The result? Weeks of operational downtime, lost revenue, regulatory scrutiny, and enduring brand damage. In this landscape, ransomware is no longer just a malware problem - it’s a business continuity issue, a supply chain risk, and a board-level concern.
The offense is automated: AI goes to work
This year, we saw AI break through hype and land firmly in attackers' toolkits. Tools like WormGPT, FraudGPT, and DarkBERT gave cybercriminals an entry point to generate convincing phishing emails, polymorphic malware, and credential-harvesting scripts, all without needing advanced coding skills.
In our AI Offense blog, we detailed how these tools lower the barrier to entry and amplify the volume and sophistication of social engineering campaigns. Pair that with deepfakes, cloned voices, and LLM-powered targeting, and security teams now face threats that are faster, cheaper, and harder to detect than ever before.
The takeaway? AI is not a future threat. It is here. And defenders must embrace its potential just as aggressively as attackers have.
The human factor: Still the weakest link
Despite improved tooling, attacker playbooks still rely heavily on people. Our recent exploration of evolving social engineering trends highlighted the rise of Microsoft Teams-based impersonation, remote access tool abuse such as Quick Assist, and multi-stage credential compromise.
The fallout has been widespread. From attacks on major UK retailers to multiple airline disruptions and critical public sector breaches, social engineering is no longer just email phishing. It is phone calls, voice cloning, fake calendars, and chat-based manipulation.
Training helps. But attackers are innovating faster than awareness campaigns can keep up. Security teams need to simulate these threats internally and invest in visibility across identity platforms, because credentials remain the crown jewels.
From awareness to action: Resilience as a mandate
A growing number of incidents in 2025 underscored the readiness gap in many organizations. Our recent blog on preparedness broke down the UK’s National Cyber Security Centre guidance urging companies to revisit their offline contingency planning, including printed IR protocols and analog communications in case digital systems are taken offline.
This call followed a sharp rise in high-impact events, with over 200 nationally significant cyber incidents recorded in the UK alone this year.
The lesson? Cyber resilience is not a nice to have. It is foundational. Detection, backup, and patching are essential, but so is building response plans that assume failure, simulate outages, and bring the entire business to the table.
Join us: Predicting what’s next in 2026
We’ll explore these trends and where they’re heading in much greater depth in our Security Predictions for 2026 webinar, taking place on December 10.
Rapid7’s experts will unpack:
Which attacker tactics are here to stay and which are on the rise
Where AI, regulation, and infrastructure gaps are creating new exposures
How defenders can better prioritise risk and operate in resource-constrained environments
What CISOs, SOC leaders, and engineers need to align on in 2026 to stay ahead
This is our biggest global webinar of the year, and it is designed to help security professionals at every level get proactive and stay ahead of what’s next.
Register now and join thousands of security professionals from around the world as we set the stage for 2026. Because when the threat landscape keeps shifting, your best defense is a head start.
On October 6, 2025, the cyber deception company Defused published a proof-of-concept exploit on social media that was captured by one of their Fortinet FortiWeb Manager honeypots. FortiWeb is a Web Application Firewall (WAF) product that is designed to detect and block malicious traffic to web applications. Exploitation of this new vulnerability, now tracked as CVE-2025-64446, allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface. Rapid7 has tested the latest FortiWeb version 8.0.2 and observed that the existing public proof-of-concept exploit does not work. However, the exploit does work against earlier versions, including version 8.0.1, which was released in August, 2025.
Based on the information circulated by Defused, this new vulnerability is claimed to have been exploited in the wild in October, 2025. On November 14, 2025, Fortinet PSIRT published CVE-2025-64446 and an official advisory for the critical vulnerability, which holds a CVSS score of 9.1. Organizations running versions of Fortinet FortiWeb that are listed as affected in the advisory are advised to remediate this vulnerability on an emergency basis, given that exploitation has been occurring since October in targeted attacks, and broad exploitation will likely occur in the coming days. A Metasploit module for CVE-2025-64446 is available here, and security firm watchTowr has published a technical analysis. CISA's KEV catalog has been updated to include CVE-2025-64446.
It’s unclear whether the FortiWeb release cycle intentionally included a silent patch for this vulnerability or merely coincidentally included changes that broke the existing exploit.
On November 18, 2025, Fortinet published a new advisory for CVE-2025-58034. This new vulnerability is an authenticated command injection affecting FortiWeb. Fortinet has indicated CVE-2025-58034 has also been exploited in-the-wild, and CISA's KEV catalog has been updated to include this new vulnerability. It is not clear at this time if both CVE-2025-64446 and CVE-2025-58034 have been exploited in-the-wild together as an exploit chain.
This blog post will be updated as new developments arise.
Rapid7 observations
On November 6, 2025, Rapid7 Labs observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum. While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental.
⠀
Mitigation guidance
On November 14, 2025, Fortinet published an advisory that outlines remediation steps and workaround mitigations for CVE-2025-64446. According to Fortinet, the following versions are affected, and the fixed versions for each main release branch are also listed:
Versions 8.0.0 through 8.0.1 are vulnerable, 8.0.2 and above are fixed.
Versions 7.6.0 through 7.6.4 are vulnerable, 7.6.5 and above are fixed.
Versions 7.4.0 through 7.4.9 are vulnerable, 7.4.10 and above are fixed.
Versions 7.2.0 through 7.2.11 are vulnerable, 7.2.12 and above are fixed.
Versions 7.0.0 through 7.0.11 are vulnerable, 7.0.12 and above are fixed.
In cases where immediate upgrades are not possible, the advisory states the following: “Disable HTTP or HTTPS for internet facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced.”
Rapid7 Labs has confirmed that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034. Customers using unsupported versions of FortiWeb should update to a supported version, as described above.
Exploitation behavior
When testing the public exploit against a target FortiWeb device, the target application’s differing responses between versions 8.0.1 and 8.0.2 are included below.
Against version 8.0.1, the application returns the following response for a successful exploitation attempt, in which a new malicious local administrator account “hax0r” was created:
Exposure Command, InsightVM and Nexpose customers can assess their exposure to both vulnerabilities described in this blog post as follows:
CVE-2025-64446: an unauthenticated vulnerability check is available in the November 14 content release. Please note that the “SAFE” check mode needs to be disabled while running scans to ensure the check for CVE-2025-64446 runs successfully.
CVE-2025-58034: an authenticated vulnerability check is available in the November 26 content release. There is no need to disable the “SAFE” check mode, since the CVE-2025-58034 check will run by default.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-64446, including a Sigma rule and IOCs of IP addresses attempting to exploit this vulnerability.
Updates
November 14, 2025: The blog post has been updated to reflect the newly-published official advisory and CVE identifier, the availability of vulnerability checks and a Metasploit module for customer testing, the CISA KEV addition, and a published technical analysis.
November 17, 2025: The Rapid7 customers section has been updated to add Intelligence Hub coverage, and clarify that vulnerability checks were shipped on Nov 14, 2025.
November 19, 2025: The Overview section has been updated to reference the newly published vulnerability, CVE-2025-58034. The Rapid7 customers section has been updated to add expected coverage availability for CVE-2025-58034.
November 19, 2025: The Rapid7 customers section has been updated with CVE-2025-58034 coverage information for supported FortiWeb release branches.
December 1, 2025: The Mitigation guidance section has been updated with confirmation that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034.
We’re proud to share that Rapid7 has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this recognition underscores our commitment to redefining security operations by embedding continuous, business-aligned exposure management into the core of modern defense strategies.
Our approach: Exposure Command at the core
At the root of Rapid7’s leadership is Exposure Command, our unified exposure management solution, underpinned by complete attack surface visibility, threat-informed risk assessment and integrated automated remediation capabilities.
Key capabilities highlighted in the report include:
Unified visibility across environments: Broad attack surface visibility with native support across hybrid infrastructure including on-prem, cloud, containers, and IoT/OT, alongside extensive integrations with third-party security and ITOps tools.
Threat-validated prioritization: Prioritization enhanced with real-world exploit intelligence, plus continuous red teaming and ad-hoc penetration testing through comprehensive managed services.
Comprehensive, AI-driven remediation: Prebuilt workflows and playbooks, intelligent automation, and dynamic persona-centric reporting.
Why exposure assessment matters more than ever
The security landscape has fundamentally changed. Traditional vulnerability management largely centered around point-in-time scans and CVSS scores can no longer keep pace with the dynamic, hybrid environments that define today’s enterprise. Organizations face an ever-expanding attack surface across cloud, on-prem, SaaS, and OT environments while regulations continue to evolve.
This means a dramatic expansion in the scope of IT and security leaders from tech-centric systems management and patching to a core pillar of the business at large. As a result, exposure management is no longer about finding more; it’s about finding what matters and acting on it decisively. This aligns directly with Gartner’s CTEM model, which calls for a continuous, outcome-focused cycle of scoping, prioritization, validation, and mobilization.
Why CTEM + EAP are the future of risk reduction
CTEM isn’t just a buzzword and a new acronym, it’s the next evolution of proactive security, acknowledging a core truth: no organization can patch everything, nor should they try.
The goal is validated exposure reduction through five stages:
Business-aligned scoping (e.g., revenue-generating services, critical data systems)
Threat-informed prioritization with real-world intelligence
Validation via attack-path modeling or adversary emulation (e.g., PTaaS, BAS, AEV)
Mobilization through integrated, repeatable remediation workflows
Gartner suggests CTEM is a way to translate technical vulnerabilities into business-relevant risks and mobilize cross-functional teams in response. EAPs, which Gartner defines as platforms that continuously identify and prioritize exposures across all environments with business and threat context, provide the operational foundation for CTEM.
⠀
⠀
Rapid7’s EAP capabilities allow teams to operationalize CTEM by translating technical findings into business-relevant risk and enabling cross-functional response, bridging the gap between posture and business continuity.
Looking ahead
As exposure management evolves from a siloed security function to an operational imperative, Rapid7 will continue to lead with innovation, transparency, and a relentless focus on customer outcomes. We believe our position as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms is not just a recognition of the work we’ve done but a signal to the market of what’s next. Click here to download the full Report.
The Q3 2025 Threat Landscape Report, authored by the Rapid7 Labs team, paints a clear picture of an environment where attackers are moving faster, working smarter, and using artificial intelligence to stay ahead of defenders. The findings reveal a threat landscape defined by speed, coordination, and innovation.⠀
The quarter showed how quickly exploitation now follows disclosure: Rapid7 observed newly reported vulnerabilities weaponized within days, if not hours, leaving organizations little time to patch before attackers struck. Critical business platforms and third-party integrations were frequent targets, as adversaries sought direct paths to disruption. Ransomware remained a most visible threat, but the nature of these operations continued to evolve.
Groups such as Qilin, Akira, and INC Ransom drove much of the activity, while others went quiet, rebranded, or merged into larger collectives. The overall number of active groups increased compared to the previous quarter, signaling renewed energy across the ransomware economy. Business services, manufacturing, and healthcare organizations were the most affected, with the majority of incidents occurring in North America.
Many newer actors opted for stealth, limiting public exposure by leaking fewer victim details, opting for “information-lite” screenshots in an effort to thwart law enforcement. Some established groups built alliances and shared infrastructure to expand reach such as Qilin extending its influence through partnerships with DragonForce and LockBit. Meanwhile, SafePay gained ground by running a fully in-house, hands-on model avoiding inter-party duelling and law enforcement. These trends show how ransomware has matured into a complex, service-based ecosystem.
Nation-state operations in Q3 favored persistence and stealth over disruption. Russian, Chinese, Iranian, and North Korean-linked groups maintained long-running campaigns. Many targeted identity systems, telecom networks, and supply chains. Rapid7’s telemetry showed these actors shrinking the window between disclosure and exploitation and relying on legitimate synchronization processes to remain hidden for months. The result: attacks that are harder to spot and even harder to contain.
Threat actors are fully operationalizing AI to enhance deception, automate intrusions, and evade detection. Generative tools now power realistic phishing, deepfake vishing, influence operations, and adaptive malware like LAMEHUG. This means the theoretical risk of AI has been fully operationalized. Defenders must now assume attackers are using these tools and techniques against them and not just supposing they are.
This is but a taste of the valuable threat information the report has to offer. In addition to deeper dives on the subjects above, the threat report includes analysis of some of the most common compromise vectors, new vulnerabilities and existing ones still favored by attackers, and, of course, our recommendations to safeguard against compromises across your entire attack surface.
Across industries, Microsoft is everywhere. It powers productivity, collaboration, and security through Defender, Sentinel, Entra, and the broader Microsoft ecosystem that underpins how modern organizations operate.
⠀
As organizations deepen their Microsoft investments, there’s an even greater opportunity to strengthen and simplify threat detection and response. Microsoft delivers powerful visibility and security insights across user identities, endpoints, and cloud workloads, but security teams often need help bringing those capabilities together with the rest of their environment to ensure that data, detections, and decisions that drive their threat detection and response program align seamlessly.
⠀
That’s where Rapid7 comes in.
⠀
A shared vision for simplified, unified security
We’re excited to announce the launch of an expanded partnership between Rapid7 and Microsoft, focused on helping organizations fully realize the potential of their Microsoft security investments. Together, we’re building a unified approach to threat detection and response that combines Microsoft’s ecosystem and scale with Rapid7’s AI-native security operations platform and decades of SOC expertise.
⠀
Our shared goal: help customers protect their businesses with clarity, speed, and confidence.
⠀
For many organizations, Microsoft is the backbone of their IT and security programs. But it’s only one part of a larger, interconnected environment. Security leaders need a way to bring Microsoft Defender, Sentinel, and Entra data into context with the rest of their infrastructure, cloud, and SaaS investments. Rapid7 helps make that possible by connecting Microsoft’s advanced telemetry and analytics with broader visibility and context into all security data, automation, and 24/7 expert-led managed operations.
⠀
We’ve long incorporated deep Microsoft visibility across the Command Platform, integrating with tools across different use cases, such as attack surface management, exposure management, cloud security, and application security. This foundation already allows us to correlate insights across on-premises and cloud environments, including Active Directory, Azure, and Microsoft 365 – providing outcomes across endpoints, workloads, and applications. These capabilities unify context from more than a dozen different Microsoft and Azure tools, giving customers a complete picture of risk across their environment.
⠀
This partnership combines Microsoft Defender’s signal depth with Rapid7’s threat intelligence, automation, and human-led operations to deliver complete visibility and coordinated response across your environment – from Microsoft to everything it touches.
⠀
This means:
Unified security operations managed for you: Rapid7 delivers 24x7 monitoring, investigation, and response across Microsoft and non-Microsoft environments, combining Defender insights with our own detection and response workflows to act quickly on what matters most.
Faster, smarter response: AI-driven correlation and human-led expertise reduce alert noise and accelerate containment when threats arise.
Simplified, predictable operations: Our managed detection and response (MDR) service removes ingestion complexity so you can focus on security outcomes.
Transparency and trust: Built in through seamless integration with the Microsoft consoles security teams already use.
⠀
A foundation for what’s next
Over the coming months, we'll introduce new capabilities that make it easier for customers to operationalize Microsoft security within the Rapid7 ecosystem, including unified MDR coverage across the Defender products that protect the key vectors of endpoint, identity, cloud, and email.
⠀
These enhancements will enable organizations to not only respond to Microsoft-based threats faster but also proactively reduce risk across their entire environment through unified detection, investigation, and response.
⠀
We’re excited for this next step in advancing our MDR services to meet Microsoft customers where they are and maximize their investments with comprehensive visibility, faster response, and measurable security outcomes.
⠀
We’ll be releasing more information soon. In the meantime, learn more about Rapid7’s leading MDR service here.
A new meeting on your calendar or a new attack vector?
It starts innocently enough. A new meeting appears in your Google calendar and the subject seems ordinary, perhaps even urgent: “Security Update Briefing,”“Your Account Verification Meeting,” or “Important Notice Regarding Benefits.” You assume you missed this invitation in your overloaded email inbox, and click “Yes” to accept.
Unfortunately, calendar invites have become an overlooked delivery mechanism for social engineering and phishing campaigns. Attackers are increasingly abusing the .ics file format, a universally trusted, text-based standard to embed malicious links, redirect victims to fake meeting pages, or seed events directly into users’ calendars without interaction.
Because calendar files often bypass traditional email and attachment defenses, they offer a low-friction attack path into corporate environments.
Defenders should treat .ics files as active content, tighten client defaults, and raise awareness that even legitimate-looking calendar invites can carry hidden risk.
The underestimated threat of .ics files
The iCalendar (.ics) format is one of those technologies we all rely on without thinking. It’s text-based, universally supported, and designed for interoperability between Outlook, Google Calendar, Apple, and countless other clients.
Each invite contains a structured list of fields like SUMMARY, LOCATION, DESCRIPTION, and ATTACH. Within these, attackers have found an opportunity: they can embed URLs, malicious redirects, or even base64-encoded content. The result is a file that appears completely legitimate to a calendar client, yet quietly delivers the attacker’s message, link, or payload.
Because calendar files are plain text, they easily slip through traditional security controls. Most email gateways and endpoint filters don’t treat .ics files with the same scrutiny as executables or macros. And since users expect to receive meeting invites, often from outside their organization, it’s an ideal format for social engineering.
How threat actors abuse the invite
Over the past year, researchers have observed a rise in campaigns abusing calendar invites to phish credentials, deliver malware, or trick users into joining fake meetings. These attacks often look mundane but rely on subtle manipulation:
The lure: A professional-looking meeting name and sender, sometimes spoofed from a legitimate organization.
The link: A URL hidden in the DESCRIPTION or LOCATION field, often pointing to a fake login page or document-sharing site.
The timing: Invites scheduled within minutes, creating urgency (“Your access expires in 15 minutes — join now”).
The automation: Calendar clients that automatically add external invites, ensuring the trap appears directly in the user’s daily schedule.
⠀
Example of where some of the malicious components would reside in the .ics file
⠀
It’s clever, low-effort social engineering leveraging trust in a system built for collaboration.
The “invisible click” problem
The real danger of malicious calendar invites isn’t just the link inside, it’s the automatic delivery mechanism. In certain configurations, Outlook and Google Calendar will automatically process .ics attachments and create tentative events, even if the user never opens or even receives the email. That means the malicious link is now part of the user’s trusted interface with their calendar.
This bypasses the usual cognitive warning signs. The email might look suspicious, but the event reminder popping up later? That feels like part of your day. It’s phishing that moves in quietly and waits.
Why traditional defenses miss it
Security tooling has historically focused on attachments that execute code or scripts. By contrast, .ics files are plain text and standards-based, so they don’t inherently appear dangerous. Many detection engines ignore or minimally parse them.
Attackers exploit that gap. They rely on the fact that few organizations monitor for BEGIN:VCALENDAR content or inspect calendar metadata for embedded URLs. Once delivered, the file can bypass filters, land in the user’s calendar, and lead to a high-confidence click.
What defenders can do now
Defending against calendar-based attacks begins with recognizing that these are not edge cases anymore. They’re a natural evolution of phishing where user convenience becomes the delivery mechanism.
Here are a few pragmatic steps every organization should consider:
Treat .ics files like active content. Configure email filters and attachment scanners to inspect calendar files for URLs, base64-encoded data, or ATTACH fields.
Review calendar client defaults. Disable automatic addition of external events when possible, or flag external organizers with clear warnings.
Sanitize incoming invites. Content disarm and reconstruction (CDR) tools can strip out or neutralize dangerous links embedded in calendar fields.
Raise awareness among users. Train employees to verify unexpected invites — especially those urging immediate action or containing meeting links they didn’t anticipate. Employees can also follow the helpful advice in this Google Support article.
Use strong identity protection. Multi-factor authentication and conditional access policies mitigate the impact if a phishing link successfully steals credentials.
These steps don’t eliminate the threat, but they significantly increase friction for attackers and their malware.
A quiet evolution in social engineering campaigns
Malicious calendar invites represent a subtle yet telling shift in attacker behavior: blending into legitimate business processes rather than breaking them. In the same way that invoice-themed phishing emails once exploited trust in accounting workflows, .ics abuse leverages the quiet reliability of collaboration tools.
As organizations continue to integrate calendars with chat, cloud storage, and video platforms, the attack surface will only expand. Links inside invites will lead to files in shared drives, authentication requests, and embedded meeting credentials. These are all opportunities for exploitation.
Rethinking trust in everyday workflows
Defenders often focus on the extraordinary like zero days, ransomware binaries, and new exploits. Yet the most effective attacks remain the simplest: exploiting human trust in ordinary digital habits. A calendar invite feels harmless and that’s exactly why it works.
The next time an unexpected meeting appears in your calendar, it might be more than just a double-booking. It could be a reminder that security isn’t only about blocking malware, but about questioning what we assume to be safe.
Cybersecurity ROI is notoriously difficult to define, but not impossible.
In this Experts on Experts: Commanding Perspectivesepisode, Craig Adams chats with Steve Edwards, Director of Threat Intelligence & Detection Engineering, about what customers really get from Rapid7 MDR and how to think more clearly about value.
They cut through buzzwords and talk real-world outcomes: visibility, consolidation, faster response, and trust.
What ROI really looks like
As Steve explains, the ROI conversation starts with confidence. Once customers know they can trust the MDR team to cut through noise and take action, the benefits snowball from reduced false positives, to better visibility and smarter spend.
The IDC study highlighted a 422% ROI over three years. But the real signal is what teams can do with the time and clarity they gain.
To bring these numbers into your own context, you can use the Rapid7 MDR ROI Calculator - simply plug in your own parameters and apply IDC’s methodology to estimate your unique return. Try the ROI Calculator!
Telemetry without tradeoffs
Craig and Steve also dig into one of the biggest detection challenges today: partial visibility. Many orgs still pay by the log, creating disincentives for full data ingestion. MDR’s all-in access model helps customers detect threats earlier and act faster, without needing to triage upstream data decisions.
MITRE mapping makes it click
One of the most actionable insights? MITRE mapping. Steve talks about how customers are using visual coverage data to pinpoint gaps and prioritize onboarding new tech, or building compensating controls.
No-cap incident response
They also walk through what happens during the first 24 - 48 hours of an incident, and why having no cap on IR hours means Rapid7 can stay involved from containment to eradication.
Missed our earlier episodes? Catch up on Episode 1 with Laura Ellis on agentic AI and system governance [here], Episode 2 with Jon Hencinski on MDR strategy and SOC readiness [here] and Episode 3 with Raj Samani on cybercrime-as-a-service [here]
Every industry has their it’s-that-time-of-year-again rituals, and the cybersecurity industry is no different. The spring ushers in RSA, August is Hacker Summer Camp, October brings with it Cybersecurity Awareness Month — and, before we know it, it’s the end of the year and we’re once again making our “predictions” of what lies ahead.
A wise young man once said, “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” In our space, a whole lot is moving fast. To see clearly, it's certainly important to take a moment to step away from the noise and look outward.
Many experts offer their predictions for the coming year, but how many stop to look back at how their vision for the current year fared? With that in mind, let’s take a look at the predictions Rapid7 experts made for 2025.
A look back
Prediction: "Greater visibility will act as a life preserver for security teams treading water across an increasingly complex attack surface."
The importance of unified visibility, attack surface management, and exposure insight has become a leading theme in industry trends reports in 2025. The exposure management market is growing strongly, projected to hit ~$10.9 billion by 2030, which is up from ~$3.3 billion in 2024. Managed Detection and Response (MDR) adoption is also surging; the MDR market reached USD 4.19 billion in 2025 and is forecasted to keep growing fast.
Rapid7 customer New Zealand Automobile Association (NZAA) offers a real-world example of this trend. Before working with Rapid7, NZAA’s cybersecurity tools were fragmented and disjointed. This lack of a unified approach reduced visibility and slowed down threat responses. Now, with Rapid7’s MDR service, NZAA has a partner that can provide 24/7 support, centralized visibility, and predictable data usage — all with transparency and scalability.
This is just one example of the evidence we’ve seen that security teams are acting to consolidate disparate tooling and connect proactive exposure risk management with reactive detection and response capabilities. As a result, these teams and their organizations are shifting holistically into a confident, resilient security posture.
Prediction: "To thrive in a world where regulatory change is an ongoing concern, SecOps should prepare for both the predictable and the unpredictable."
Regulatory change is indeed accelerating. For example, the EU's Cyber Resilience Act was passed in 2024, with application phases extending toward 2027.
The UK announced the Cyber Security and Resilience Bill in 2024 to extend cyber obligations on organizations. Security operations teams have had to deal with both "expected" regulatory shifts (like NIS2, SEC rules) and unexpected mandates or cross-jurisdictional tensions.
Many organizations are now incorporating compliance readiness, threat modelling for future rules, and flexible architectures. Moving forward, SecOps should expect even more scrutiny over how operations are designed and architected, as well as how insights are shared and with whom.
Prediction: "Cybercriminals will increasingly exploit zero-day vulnerabilities, expanding potential entry points and bypassing traditional security measures to deliver more ransomware attacks."
Attackers are investing in zero-day toolchains, and zero-day brokers are emerging in dark markets (i.e., "exploit-as-a-service" trends). See our Initial Access Brokers Report for more detail.
Rapid7 Q2 2025 Ransomware Trends Analysis research highlights that threat actors are using zero days more often, especially in critical or targeted operations within sectors likeservices (21.2%), manufacturing (16.8%), retail (14.1%), healthcare (10.3%), and communications, and media (10%).
In Q3 there were several instances of cybercriminals continuing to leverage zero-day exploits as initial access vectors during their ransomware campaigns. For example, CVE-2025-61882 affecting Oracle E-Business Suite was exploited in the wild by CL0p. The trend of cybercriminals exploiting zero-day vulnerabilities continues, as does the recurrence of not only the same cybercriminal groups, but also the same products being targeted over time (e.g., the file transfer product GoAnywhere MFT).
A look ahead
2025 has certainly pushed security teams to their limits with an increasingly complex attack surface, accelerating regulatory changes, and a persistent rise in zero-day exploits and ransomware attacks. The ongoing talent gap and the struggle to bridge the divide between technical and business leadership have further compounded these challenges, making it crucial for organizations to prioritize visibility, proactive exposure management, and actionable threat intelligence.
What will 2026 bring? Take a look ahead with our experts: Register now for Rapid7’s Top Cybersecurity Predictions webinar.
Security teams have long depended on SIEM tools as the backbone of threat detection and response. But the threat landscape, and the technology required to defend against it, has changed dramatically.
Rapid7’s new whitepaper, The End of Legacy SIEM and the Rise of Incident Command, examines why legacy SIEM models can no longer keep up with the scale and complexity of modern attacks, and why next-gen SIEMs (like that offered by Rapid7) combined with exposure management capabilities is the better choice in combatting modern enemies.
A turning point for the SOC
When SIEM first emerged, it was a breakthrough. For the first time, organizations could centralize log data, generate compliance reports, and detect threats from a single pane of glass. But two decades later, that approach is showing its age.
Today, data is distributed across cloud, on-prem, and hybrid environments. Adversaries are using artificial intelligence to automate and accelerate increasingly complex attacks that are escaping detection. Analysts are overwhelmed by alert fatigue and unpredictable costs that hamper visibility.
Legacy SIEM tools were built to collect data. They rely on rigid pricing models, static correlation rules, and constant manual upkeep. These systems slow down investigations and prevent analysts from focusing on the alerts that truly matter. Modern attackers exploit exposures faster than human teams can respond. Without automation, context, and clear prioritization, organizations remain in a reactive state.
What comes after SIEM?
The whitepaper outlines how the security industry is shifting toward a unified approach that combines SIEM, Security Orchestration and Automation (SOAR), Attack Surface Management (ASM), and threat intelligence in one platform, augmented by artificial intelligence.
This new model emphasizes automation, machine learning, and contextual awareness while collecting data from a wider variety of sources than SIEMs were originally designed for. It gives security teams the ability to identify and act on high-impact threats quickly. It also changes how organizations think about risk, focusing less on collecting alerts and more on understanding exposure across assets, identities, and vulnerabilities.
Introducing Rapid7 Incident Command
At the center of this shift is Rapid7 Incident Command, a unified platform that redefines modern detection and response. Trained on trillions of real-world alerts from Rapid7’s 24/7 Managed Detection and Response (MDR) service, Incident Command can accurately classify benign activity 99.93 percent of the time. This precision saves hundreds of analyst hours each week and drastically reduces noise.
Incident Command connects exposure data directly to detection logic, helping analysts see which threats are most likely to impact their organization. Built-in automation enables teams to isolate hosts, revoke credentials, or run response playbooks, while keeping humans in control of every action.
With asset-based pricing and a fast, cloud-based deployment model, organizations can scale visibility and response without the fear of surprise costs or drawn-out implementations.
A new chapter for defenders
Legacy SIEM served its purpose, but it was built for a different era. The modern SOC requires a platform that is unified, intelligent, and focused on outcomes.
The End of Legacy SIEM and the Rise of Incident Command explores how this transformation is reshaping detection and response for security teams everywhere.
Read the full whitepaper to learn why the future of SIEM is already here and how you can take command of what comes next.
Login
