Reading view

10 February 2026 at 20:58

Microsoft is publishing 55 vulnerabilities this February 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for six of today’s vulnerabilities, and notes public disclosure for three of those. Earlier in the month, Microsoft provided patches to address three browser vulnerabilities, which are not included in the Patch Tuesday count above.

Windows/Office triple trouble: zero-day security feature bypass vulns

All three of the publicly disclosed zero-day vulnerabilities published today are security feature bypasses, and Microsoft acknowledges the same cast of reporters in each case.

CVE-2026-21510 describes a zero-day Windows Shell security feature bypass vulnerability which is already exploited in the wild. Not to be confused with PowerShell, most people will use the Windows Shell without ever learning its name or even really contemplating its existence. The Windows Shell is Microsoft’s term for the GUI interaction logic for the entire OS provided by explorer.exe and associated libraries and APIs.

CVE-2026-21510 provides an attacker with a way to dodge those pesky Smart Screen or other “are you sure?” prompts. The advisory sets out that “an attacker must convince a user to open a malicious link or shortcut file”. We could parse this wording more than one way, and while shortcut files with a .lnk extension are certainly a prime suspect here, it’s possible that .url files might also be a vector.

The venerable MSHTML/Trident web rendering engine is still present in Windows as a daily driver for Office and Explorer, many years after most people stopped using Internet Explorer. Accordingly, every so often Microsoft has to patch another zero-day vulnerability in the browser it can’t quite bring itself to rip out of its flagship operating system. Today’s example is CVE-2026-21513, a security feature bypass which starts with the attacker convincing a user to open a malicious HTML file or shortcut file.

If good things come in threes, then perhaps CVE-2026-21514 makes security bypass zero-day vulnerabilities a good thing. Exploitation involves bypassing Object Linking & Embedding (OLE) mitigations by convincing the user to open a malicious Word document. The advisory only lists remediations for LTSC versions of Office and on-prem Microsoft 365 Apps for Enterprise, without mentioning the standard Microsoft 365 suite.

It’s curious that Microsoft has evaluated the attack vector for CVE-2026-21514 as local, because MSRC typically assesses any vulnerability which boils down to “remote attacker tricks user into opening malicious payload” as a remote attack, based on the location of the attacker. However, the advisory specifically calls out that “reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.” It’s not clear whether this is a deviation from prior practice by MSRC, an inadvertent mis-assessment, or an unusual-but-correct assessment of an attack vector that relies on details which Microsoft has not made public. Happily, the Preview Pane is not a vector, which raises the bar slightly for an attacker, since the user must explicitly open the malicious file or web page.

Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it’s likely that exploitation in each case involves tricking Windows into participating in another Mark-of the Web laundering scheme using flaws in old components.

Windows DWM: zero-day elevation of privilege

For the second month in a row, the Windows Desktop Windows Manager (DWM) is the site of an exploited-in-the-wild zero-day vulnerability. Last month’s CVE-2026-20805 was an information disclosure vulnerability, effectively a treasure map for threat actors seeking the otherwise obfuscated in-memory address of the kernel-space DWM process. The publication of zero-day elevation of privilege (EoP) vulnerability CVE-2026-21519 today very likely reflects MSTIC and MSRC working to thwart the same threat actor in both cases. As Rapid7 has noted in the past, initial access coupled with local elevation of privilege vulnerabilities is the staple diet of many successful attackers, so the lower CVSS v3 base score of 7.8 seen here versus a broadly equivalent remote code execution is not a sign to delay patching.

Remote Desktop Services: zero-day elevation of privilege

Remote Desktop Services (RDP) are designed to allow a duly authorized remote user to interact with the server, but CVE-2026-21533 allows an unauthorized local user to elevate privileges to SYSTEM. Every Windows Server product back as far as Server 2012 receives patches, so this one has been present for a while. It’s possible that today’s patches close off a long-running exploitation story for at least one threat actor.

RasMan: zero-day denial of service

Exploited in the wild, but perhaps of less concern is CVE-2026-21525, a local denial of service vulnerability in the Windows Remote Access Connection Manager (RasMan). Somewhat unusually for a local vulnerability, the advisory sets out that no privileges are required at all, so even a guest account can exploit this one. You have disabled those guest accounts, right?

Microsoft lifecycle update

There are no significant Microsoft product lifecycle changes this month.

Summary Charts

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday 2026-Feb

A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday 2026-Feb

A bar chart showing distribution of impact type by component for Microsoft Patch Tuesday 2026-Feb

Summary Tables

Apps vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-20841	Windows Notepad App Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.8

Azure vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21512	Azure DevOps Server Cross-Site Scripting Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-21529	Azure HDInsight Spoofing Vulnerability	Exploitation Unlikely	No	5.7
CVE-2026-21528	Azure IoT Explorer Information Disclosure Vulnerability	Exploitation Unlikely	No	6.5
CVE-2026-21228	Azure Local Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.1
CVE-2026-21531	Azure SDK for Python Remote Code Execution Vulnerability	Exploitation Less Likely	No	9.8
CVE-2026-21522	Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability	Exploitation Less Likely	No	6.7
CVE-2026-23655	Microsoft ACI Confidential Containers Information Disclosure Vulnerability	Exploitation Less Likely	No	6.5

Developer Tools vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21218	.NET Spoofing Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-21523	GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.0
CVE-2026-21518	GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-21257	GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability	Exploitation Less Likely	No	8.0
CVE-2026-21256	GitHub Copilot and Visual Studio Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.8

ESU vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21519	Desktop Window Manager Elevation of Privilege Vulnerability	Exploitation Detected	No	7.8
CVE-2026-20846	GDI+ Denial of Service Vulnerability	Exploitation Less Likely	No	7.5
CVE-2026-21253	Mailslot File System Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.0
CVE-2026-21527	Microsoft Exchange Server Spoofing Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-21513	MSHTML Framework Security Feature Bypass Vulnerability	Exploitation Detected	Yes	8.8
CVE-2026-21236	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-21238	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-21234	Windows Connected Devices Platform Service Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.0
CVE-2026-21246	Windows Graphics Component Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-21235	Windows Graphics Component Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21240	Windows HTTP.sys Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21248	Windows Hyper-V Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21247	Windows Hyper-V Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21244	Windows Hyper-V Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21255	Windows Hyper-V Security Feature Bypass Vulnerability	Exploitation Less Likely	No	8.8
CVE-2026-21239	Windows Kernel Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21231	Windows Kernel Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-21222	Windows Kernel Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-21249	Windows NTLM Spoofing Vulnerability	Exploitation Less Likely	No	3.3
CVE-2026-21525	Windows Remote Access Connection Manager Denial of Service Vulnerability	Exploitation Detected	No	6.2
CVE-2026-21533	Windows Remote Desktop Services Elevation of Privilege Vulnerability	Exploitation Detected	No	7.8
CVE-2026-21510	Windows Shell Security Feature Bypass Vulnerability	Exploitation Detected	Yes	8.8
CVE-2026-21508	Windows Storage Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-21242	Windows Subsystem for Linux Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-21237	Windows Subsystem for Linux Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0

Microsoft Office vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21259	Microsoft Excel Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21258	Microsoft Excel Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-21261	Microsoft Excel Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-21260	Microsoft Outlook Spoofing Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-21511	Microsoft Outlook Spoofing Vulnerability	Exploitation More Likely	No	7.5
CVE-2026-21514	Microsoft Word Security Feature Bypass Vulnerability	Exploitation Detected	Yes	7.8

Other vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21516	GitHub Copilot for Jetbrains Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.8

Server Software vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21527	Microsoft Exchange Server Spoofing Vulnerability	Exploitation Less Likely	No	6.5

SQL Server vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21229	Power BI Remote Code Execution Vulnerability	Exploitation Unlikely	No	8.0

System Center vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21537	Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.8

Windows vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21251	Cluster Client Failover (CCF) Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-21519	Desktop Window Manager Elevation of Privilege Vulnerability	Exploitation Detected	No	7.8
CVE-2026-20846	GDI+ Denial of Service Vulnerability	Exploitation Less Likely	No	7.5
CVE-2026-21253	Mailslot File System Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.0
CVE-2026-21513	MSHTML Framework Security Feature Bypass Vulnerability	Exploitation Detected	Yes	8.8
CVE-2023-2804	Red Hat, Inc. CVE-2023-2804: Heap Based Overflow libjpeg-turbo	Exploitation Less Likely	No	6.5
CVE-2026-21236	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-21241	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.0
CVE-2026-21238	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-21517	Windows App for Mac Installer Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-21234	Windows Connected Devices Platform Service Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.0
CVE-2026-21246	Windows Graphics Component Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-21235	Windows Graphics Component Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21250	Windows HTTP.sys Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-21240	Windows HTTP.sys Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21232	Windows HTTP.sys Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21248	Windows Hyper-V Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21247	Windows Hyper-V Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21244	Windows Hyper-V Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.3
CVE-2026-21255	Windows Hyper-V Security Feature Bypass Vulnerability	Exploitation Less Likely	No	8.8
CVE-2026-21245	Windows Kernel Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21239	Windows Kernel Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21231	Windows Kernel Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-21222	Windows Kernel Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-21243	Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-21249	Windows NTLM Spoofing Vulnerability	Exploitation Less Likely	No	3.3
CVE-2026-21525	Windows Remote Access Connection Manager Denial of Service Vulnerability	Exploitation Detected	No	6.2
CVE-2026-21533	Windows Remote Desktop Services Elevation of Privilege Vulnerability	Exploitation Detected	No	7.8
CVE-2026-21510	Windows Shell Security Feature Bypass Vulnerability	Exploitation Detected	Yes	8.8
CVE-2026-21508	Windows Storage Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-21242	Windows Subsystem for Linux Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-21237	Windows Subsystem for Linux Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0

Zero-Day Vulnerabilities: Known Exploited

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21519	Desktop Window Manager Elevation of Privilege Vulnerability	Exploitation Detected	No	7.8
CVE-2026-21514	Microsoft Word Security Feature Bypass Vulnerability	Exploitation Detected	Yes	7.8
CVE-2026-21513	MSHTML Framework Security Feature Bypass Vulnerability	Exploitation Detected	Yes	8.8
CVE-2026-21525	Windows Remote Access Connection Manager Denial of Service Vulnerability	Exploitation Detected	No	6.2
CVE-2026-21533	Windows Remote Desktop Services Elevation of Privilege Vulnerability	Exploitation Detected	No	7.8
CVE-2026-21510	Windows Shell Security Feature Bypass Vulnerability	Exploitation Detected	Yes	8.8

Critical Remote Code Execution/Elevation of Privilege

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21531	Azure SDK for Python Remote Code Execution Vulnerability	Exploitation Less Likely	No	9.8

Measuring AI Security: Separating Signal from Panic

Rapid7 Blog

By:Christiaan Beek

10 February 2026 at 13:00

The conversation around AI security is full of anxiety. Every week, new headlines warn of jailbreaks, prompt injection, agents gone rogue, and the rise of LLM-enabled cybercrime. It’s easy to come away with the impression that AI is fundamentally uncontrollable and dangerous, and therefore something we need to lock down before it gets out of hand.

But as a security practitioner, I wasn’t convinced. Most of these warnings are based on hypothetical examples or carefully engineered demos. They raise important questions, but rarely answer the most basic one: What does the real attack surface of today’s AI systems actually look like?

So instead of offering another opinion, I ran the numbers.

The method: Focused, real-world measurement

To ground the conversation in reality, I focused on MCP, the Model Context Protocol. This framework is widely used to help language models interact with tools, APIs, and external systems. It’s open source, replicated across many environments, and built for practical integration. That makes it an ideal test case for understanding actual exposure.

No adversarial prompting. No artificial exploits. Just a measurement of what real MCP servers expose. We used SDK import analysis to locate active repositories, filtered out those that wouldn’t run, and examined the tool schemas to understand what each was capable of.

What the data tells us

The MCP servers that met our criteria showed a familiar pattern. They exposed well-understood primitives used throughout modern software systems.

Observed capability classes:

Filesystem access
HTTP requests
Database queries
Local script or process execution
Orchestration and tool chaining
Read-only API search

These are not exotic capabilities unique to AI. They’re already embedded in cloud automation, infrastructure-as-code, and modern DevOps stacks. MCP simply gives them structure.

The frequency of high-severity risk is low

One of the most unexpected findings was the rarity of arbitrary code execution. Despite warnings in the media, this turned out to be the least common capability among all operational MCP servers analyzed.

This matters. It suggests that real-world deployments of AI tooling are not as reckless as some narratives claim. The most common issues are the ones we’ve known for years: weak defaults, excessive permissions, and poor input handling. There’s no mystery there (and that’s encouraging).

Where the real risk builds: Composition

The problem arises when those primitives are combined. Individually, most of the MCP servers we studied were low risk. But when orchestration enters the picture, the attack surface expands.

Some real-world examples we observed:

HTTP fetch + filesystem write = persistence or content injection
Database query + orchestration = stealthy exfiltration
Filesystem write + planning = poisoned output or config hijacking
HTTP + planning + execution = multi-stage agent attacks

These combinations reflect what adversaries already do in non-AI environments. MCP just reduces friction in putting the pieces together.

A critical counterpoint: The 'best effort' reality

The focus on constraining the model via schema and architecture is essential for 'secure by design,' yet a critical counterpoint must be considered as the industry evolves: We may not be able to stop many insecure AI applications (e.g., those built on architectures like OpenClaw or Claude Code) from shipping with insecure design choices. Similarly, the insecure design path for AI could force security teams to rely on non-deterministic, 'best effort' prompt injection defenses to prevent data exfiltration and remote code execution, rather than influencing developers toward inherently secure application design.

While the secure boundary is the schema, and we must influence application developers to adopt secure-by-design principles, the future suggests there will be many cases where this influence fails. This means security leaders must also prepare for a hybrid reality of championing architectural security while also building and operating robust, best effort runtime defenses to manage the fallout from the inevitable wave of insecure AI applications.

A shift in where security happens

As we embed AI deeper into operational systems, the control points change. Historically, we validated inputs at the UI layer, enforced roles through IAM, and wrapped logic in application code.

With AI agents, those controls now live in:

The orchestration layer
Tool composition workflows
Schema contracts
Execution sandboxes

Security needs to follow the shift. That means auditing tool chains, setting strict schema policies, isolating execution contexts, and applying existing practices like least privilege and defense in depth to this new architecture.

What security teams should do now

Security and architecture leaders can start applying pressure in the right places today:

Map AI tooling to known primitives
Don’t treat these systems as unknowns. Most expose capabilities like file handling, HTTP fetches, or basic shell commands - all of which are familiar territory for teams leveraging threat intelligence effectively.
Assess schema design before worrying about prompts
The schema defines what tools the AI can call and how. Poorly scoped parameters, such as unbounded URLs or file paths, are far more dangerous than clever prompts.
Limit orchestration where possible
Composability increases risk. If orchestration is required, monitor it like critical automation infrastructure.
Audit your environment for capability sprawl
Look for AI-connected services that may expose multiple sensitive capabilities together. Risk scales when these tools are combined.
Apply existing enterprise controls
Network segmentation, credential scoping, logging, and behavioral detections still work. Least privilege access is especially relevant in AI-integrated environments where tool chaining can escalate access unintentionally. AI requires adaptation, not reinvention.

Understanding the risk of AI without the hype

This blog condenses findings from my recent research, where I set out to answer a straightforward question: what are AI systems actually exposing in the real world today? Instead of relying on hypotheticals or fear-driven narratives, I looked at real, runnable Model Context Protocol (MCP) servers and measured their exposed capabilities and architectural design.

If you're looking for the technical deep dive, including methodology, data sets, and schema-level breakdowns, you can read the original research published on HackerNoon. You can also explore more of our ongoing threat analysis and security research on the Rapid7 Research Hub.

The bottom line: AI introduces complexity and scale, but the fundamental security principles remain the same. The real challenge is whether security teams can adapt traditional controls to new environments and influence developers toward inherently secure application design, rather than being forced to rely on non-deterministic, 'best effort' defenses like prompt injection mitigation.

CVE-2026-1731: Critical Unauthenticated Remote Code Execution in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)

Rapid7 Blog

By:Rapid7

9 February 2026 at 14:15

Overview

On February 6, 2026, BeyondTrust released security advisory BT26-02, disclosing a critical pre-authentication Remote Code Execution (RCE) vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Assigned CVE-2026-1731 and a near-maximum CVSSv4 score of 9.9, the flaw allows unauthenticated, remote attackers to execute arbitrary operating system commands in the context of the site user by sending specially crafted requests. The vulnerability affects Remote Support (RS) versions 25.3.1 and prior, as well as Privileged Remote Access (PRA) versions 24.3.4 and prior.

While BeyondTrust automatically patched SaaS instances on February 2, 2026, self-hosted customers remain at risk until manual updates are applied. The issue was discovered by researchers at Hacktron AI using AI-enabled variant analysis; they identified approximately 8,500 on-premises instances exposed to the internet that could be susceptible to this straightforward exploitation vector.

While BeyondTrust has not reported active exploitation of CVE-2026-1731 in the wild, the platform’s immense footprint makes it a high-priority target for sophisticated adversaries. BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of the Fortune 100. This ubiquity has attracted state-sponsored actors in the past; notably, the Chinese hacking group "Silk Typhoon" weaponized previous zero-day flaws (CVE-2024-12356 and CVE-2024-12686) to breach the U.S. Treasury Department and access sensitive data related to sanctions, triggering emergency directives from CISA. Rapid7 research later revealed that the exploitation of CVE-2024-12356 actually required chaining it with a critical, then-unknown SQL injection vulnerability in an underlying PostgreSQL tool (CVE-2025-1094). Given this history of targeted attacks against such a widely used platform, these tools remain a critical attack vector that demands immediate defensive action.

Mitigation guidance

A vendor-provided patch is available to remediate CVE-2026-1731 in on-premise deployments.

BeyondTrust Remote Support (RS):

Versions 25.3.1 and prior are affected by CVE-2026-1731.
CVE-2026-1731 is fixed in 25.3.2 and later.

BeyondTrust Privileged Remote Access (PRA):

Versions 24.3.4 and prior are affected by CVE-2026-1731.
CVE-2026-1731 is fixed in 25.1.1 and later.

Please read the vendor advisory for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-1731 on Remote Support and Privileged Remote Access using authenticated checks available in the Feb 9 content release.

Updates

February 11, 2026: Updated Rapid7 customers section to confirm checks were available on February 9.

Vulnerability Found in InsightVM & Nexpose: CVE-2026-1814 (FIXED)

Rapid7 Blog

By:Rapid7

9 February 2026 at 14:00

We are grateful to the research team at Atredis for sharing their findings around a vulnerability (CVE-2026-1814) impacting our vulnerability management offerings (InsightVM and Nexpose). We have identified a fix that addresses this vulnerability and will be delivered via a Security Console product update with no customer action required. The update is currently being released through our normal gradual release cycle and will be rolled out to all customers by end of day Thursday, February 12.

InsightVM or Nexpose customers with automatic product updates enabled will receive and process this update when it is released. Customers who manually control their own update version can utilize the manual update process within the security console to update to version 8.36.0 when it is made available. We recommend those customers schedule this update as soon as reasonably possible.

As outlined in our policies around vulnerabilities and disclosures, Rapid7 practices and advocates for timely public disclosure of vulnerabilities across both third-party products and our own systems and solutions. This thoughtful collaboration between researchers and vendors is a critical component of a healthy cybersecurity ecosystem. Atredis exemplified how the process should work.

Metasploit Wrap-Up 02/06/2026

Rapid7 Blog

By:Christopher Granleese

6 February 2026 at 13:52

Google Summer of Code 2026

Our very own Jack Heysel has added some documentation which outlines the Metasploit Framework project ideas for GSoC 2026. For anyone interested in applying please see GSoC-How-To-Apply documentation, or reach out on slack to any of the following GSoC mentors on Slack via the Metasploit Slack:

@jheysel
@zeroSteiner
@h00die

Gladinet

This week Chocapikk has added some Gladinet CentreStack/Triofox exploitation capabilities. Adding two auxiliary modules and updating an existing exploit. The updated exploit module now accepts a custom MACHINEKEY option to leverage newly discovered vulnerabilities that allow the extraction of machineKeys from Web.config files. The gladinet_storage_path_traversal_cve_2025_11371 module exploits path traversal to read arbitrary files and extract machineKeys, while gladinet_storage_access_ticket_forge forges access tickets using hardcoded cryptographic keys.

New module content (1)

Gladinet CentreStack/Triofox Access Ticket Forge

Authors: Huntress Team, Julien Voisin, and Valentin Lobstein chocapikk@leakix.net

Type: Auxiliary

Pull request: #20768 contributed by Chocapikk

Path: gather/gladinet_storage_access_ticket_forge

Description: This adds two auxiliary modules for Gladinet CentreStack/Triofox. Both modules can read arbitrary files and extract the machineKey, which is used to secure ASP.NET ViewState data. Furthermore, this change also includes a new mixin for Gladinet.

Enhancements and features (3)

#20739 from cdelafuente-r7 - This adds MITRE ATT&CK metadata tags to modules relating to Kerberos and unconstrained delegation. This enables users to search for the content based on the ATT&CK technique ID.
#20882 from karanabe - Adds the RSAKeySize advanced option and uses it when generating the CSR key pair, allowing users to increase key size to meet certificate template minimums and avoid CERTSRV_E_KEY_LENGTH errors when 2048-bit keys are rejected.
#20883 from jheysel-r7 - Updates Kerberos modules to present a user friendly message when the user specifies the IMPERSONATE option when running a module but also forgets to specify IMPERSONATION_TYPE.

Bugs fixed (5)

#20368 from isaac-app-dev - Fixes an issue that caused msfvenom to break if it were run from alternative directories.
#20680 from cdelafuente-r7 - Improves the RPC API with multiple fixes and enhancements.
#20834 from kuklycs - This fixes the NoMethodError in the team_viewer post module, caused by misuse of the each_key method. The keys array has been updated to a 1-D array to simplify the logic.
#20916 from Chepycou - Fixes a crash when running the SAP modules sap_soap_rfc_system_info or sap_icf_public_info.
#20920 from rudraditya21 - This fixes a bug in password cracking modules where the auto action would crash even when the path to a compatible executable was specified in CRACKER_PATH.

Documentation added (1)

#20910 from jheysel-r7 - This adds documentation regarding the projects for which we are soliciting submissions for as part of the Google Summer of Code program.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Chrysalis, Notepad++, and Supply Chain Risk: What it Means, and What to Do Next

Rapid7 Blog

By:Rapid7

5 February 2026 at 10:00

When Rapid7 published its analysis of the Chrysalis backdoor linked to a compromise of Notepad++ update infrastructure, it raised understandable questions from customers and security teams. The investigation showed that attackers did not exploit a flaw in the application itself. Instead, they compromised the hosting infrastructure used to deliver updates, allowing a highly targeted group to selectively distribute a previously undocumented backdoor associated with the Lotus Blossom APT.

Subsequent reporting from outlets including BleepingComputer, The Register, SecurityWeek, and The Hacker News has helped clarify the scope of the incident. What’s clear is that this was a supply chain attack against distribution infrastructure, not source code. The attackers maintained access for months, redirected update traffic selectively, and limited delivery of the Chrysalis payload to specific targets, helping them stay hidden and focused on espionage rather than mass compromise.

What does the Notepad++ incident mean?

This incident highlights how modern supply chain attacks have evolved. Rather than targeting application code, attackers abused shared hosting infrastructure and weaknesses in update verification to quietly deliver malware. The broader takeaway is that supply chain risk now extends well beyond build systems and repositories. Update mechanisms, hosting providers, and distribution paths have become attractive targets, especially when they sit outside an organization’s direct control.

Was Notepad++ itself compromised?

Based on public statements from the Notepad++ maintainer and independent reporting, there is no evidence that the application’s source code or core development process was compromised. The risk stemmed from the update delivery infrastructure, reinforcing that even trusted software can become a delivery mechanism when upstream systems are abused.

Who was behind the Chrysalis backdoor & Notepad++ attack?

Rapid7 was the first to publish attribution linking this activity to Lotus Blossom, a Chinese state-aligned advanced persistent threat (APT) group. Based on our analysis, we assess with moderate confidence that this group is responsible for the Notepad++ infrastructure compromise and the deployment of the Chrysalis backdoor.

Lotus Blossom has been active since at least 2009 and is known for long-running espionage campaigns targeting government, telecommunications, aviation, critical infrastructure, and media organiations, primarily across Southeast Asia, and more recently, Latin America.

The tactics, tooling, and infrastructure used in this campaign - including the abuse of update infrastructure, the use of selective targeting, and the deployment of custom malware, are consistent with the group’s historical tradecraft. As with any attribution, this conclusion is based on observed behaviors and intelligence correlations, not a single, definitive indicator.

What should organizations do right now?

Based on what we know today, there are several immediate actions organizations should take:

Check and update Notepad++ installations. Ensure any instances are running the latest version, which includes improved certificate and signature verification.
Review historical telemetry. Even though attacker infrastructure has been taken down, organizations should scan logs and environments going back to October 2025 for indicators of compromise associated with this campaign.
Hunt, don’t just scan. This activity was selective and low‑volume. Absence of alerts does not guarantee absence of compromise.
Use available intelligence. Rapid7 Intelligence Hub customers have access to the Chrysalis campaign intelligence, along with follow‑up indicators provided by partners such as Kaspersky, to support targeted hunting across endpoints and network telemetry.

Why does this matter beyond Notepad++?

This incident is a case study in how trust is exploited in modern environments. The attackers didn’t rely on zero days or noisy malware. They abused update workflows, hosting relationships, and assumptions about trusted software. That same approach applies across countless tools and platforms used daily inside enterprise environments.

It also reinforces a broader trend we’ve seen over the last year: attackers are patient, selective, and focused on long‑term access rather than immediate impact. That has implications for detection strategies, incident response planning, and supply chain risk management.

What does this mean for software supply chain security?

For defenders, this incident reinforces several lessons:

Supply chain security must include distribution and hosting infrastructure, not just source code.
Update mechanisms should enforce strong signature and metadata validation by default.
Shared hosting environments represent an often overlooked risk, especially for widely deployed tools.
Trust in software must be continuously validated, not assumed.

The Chrysalis incident is not just about a single tool or a single campaign. It reflects a broader shift in how advanced threat actors think about access, persistence, and trust. Software supply chains are no longer just a development concern. They are an operational and security concern that extends into hosting providers, update mechanisms, and the assumptions organizations make about what is “safe.”

As attackers continue to favor selective targeting and long‑term access over noisy, large‑scale compromise, defenders need to adapt accordingly. That means moving beyond basic scanning, validating trust continuously, and treating update and distribution infrastructure as part of the attack surface.

Learn more: Watch the full Chrysalis debrief webinar

If you’d like to hear directly from the researchers behind this discovery, watch the full Chrysalis: Inside the Supply Chain Compromise of Notepad++ webinar, now available on BrightTALK. In this detailed session, Christian Beek (Senior Director, Threat Analytics) and Steve Edwards (Director, Threat Intel & Detection Engineering) walk through the full attack chain, from initial compromise to malware behavior, attribution to Lotus Blossom, and what organizations can do right now to assess exposure and strengthen supply chain security. [Watch Now]

Kelly Hiscoe Recognized Among CRN 2026 Channel Chiefs for Innovation and Impact

Rapid7 Blog

By:Rapid7

4 February 2026 at 09:00

In 2026, security teams are still grappling with the challenges posed by expanding attack surfaces and persistent resource constraints. Together with the rapid onset of AI-driven threats, security leaders are weathering this ‘perfect storm’ by seeking consolidation of their technology stacks – favoring trusted partnerships that truly understand their unique ecosystems.

To elevate security partners from mere service providers to essential, trusted security advisors, it is vital to help customers achieve a comprehensive view of their IT environments. This includes a clear understanding of their risk profiles and a cohesive approach to continuous detection, response, and compliance, says Kelly Hiscoe, Sr. Director, Global Partner Programs & Experience.

Kelly brings to Rapid7 more than 17 years of experience in cybersecurity channel ecosystems. And after being named to CRN’s Women of the Channel list in 2020, 2024, and 2025, CRN has honored her as a Channel Chief for 2026.

She has consistently led her teams to design competitive programs, drive operational excellence, and enhance the partner experience from the ground-up. Here’s what makes her tick, and how Kelly (and Rapid7) are thinking about the channel in 2026 and beyond.

A channel philosophy rooted in shared responsibility

Kelly’s approach to the channel is grounded in the simple belief that true success is built through shared ownership. Rather than being confined to a single team, channel success must be woven into a company’s DNA: reflected in its processes, tools, and most importantly, how sales teams consistently engage with partners.

For Kelly, this means a company-wide commitment to engaging and collaborating with partners, in a way that, at its heart, exists to help customers achieve their goals. That’s what “Channel-first” means, and what Rapid7 aims to reflect.

Refreshing Rapid7’s partner ecosystem

In February 2025, Rapid7 launched its reimagined PACT Partner Program, and Kelly led the global team responsible for that launch. The revamped program was designed to equip partners with the tools, training, and resources needed to address evolving global security challenges together.

Key enhancements included a modernized Partner Portal that enables real-time collaboration and automation, as well as tailored engagement programs and specializations, plus the launch of the Rapid7 Partner Academy. Since its debut, the Academy has seen more than 2,000 partner learners earn over 3,700 certifications. Rapid7’s partners consistently highlight its clarity, relevance, and impact in deepening cybersecurity expertise.

Looking ahead: Helping partners navigate 2026

As consolidation continues and competition in the market grows, partners are facing more challenges than ever in navigating that complexity and standing out amid the noise. Kelly remains focused on helping partners align with vendors that deliver clear, customer-centric value, comprehensive coverage across the expanding attack surface, and predictable engagement models. You can read Kelly’s full CRN Channel Chief details here.

ICYMI: Experts on Experts – Season One Roundup

Rapid7 Blog

By:Emma Burdett

3 February 2026 at 09:23

In 2025, we launched Experts on Experts: Commanding Perspectives as a pilot video series designed to spotlight the ideas shaping cybersecurity, directly from the people driving them. Over five episodes, Rapid7 leaders shared short, candid conversations on topics like agentic AI, MDR ROI, cybercrime-as-a-service, and policy in practice. With Season Two launching soon, now is the perfect time to revisit the first run of expert conversations that started it all.

Each episode is now embedded in its supporting blog on rapid7.com, making it even easier to watch, read, and share. Here's your full recap of Season One.

Ep 1: What Happens When Agentic AIs Talk to Each Other?

Guest: Laura Ellis, VP of Data & AI

Agentic AI was one of the most talked-about themes of the year, but few tackled it with the clarity and urgency Laura Ellis brought to this episode. From governance models to inter-agent deception, the conversation explores how AI systems can interact in unpredictable ways. Laura shares her perspective on keeping humans at the helm, how to contain agent behavior in real-world infrastructure, and what’s realistic for security teams today. The episode came from a LinkedIn conversation about autonomy, oversight, and the potential for agent-to-agent manipulation, and answered a lot of questions. If you’re curious about how AI moves from experiment to ecosystem, this is a great place to start.

Ep 2: What MDR ROI Really Looks Like

Guest: Jon Hencinski, VP of Detection & Response

In this open and honest conversation, Jon Hencinski takes us inside the modern SOC to show what strong managed detection and response really looks like. From coverage and telemetry to analyst training and noise reduction, the episode walks through the building blocks of a high-performing MDR program. Jon speaks directly to security leaders and decision-makers, breaking down which metrics matter most, how to measure confidence in your provider, and why speed is still the differentiator. If you’re evaluating MDR partners or trying to articulate the value of your program internally, this episode offers a practical benchmark. It also pairs well with Rapid7’s IDC report on MDR business value, which (Spoiler Alert) found a 422% three-year ROI and payback in under six months.

Ep 3: The Business of Cybercrime

Guest: Raj Samani, SVP and Chief Scientist

Cybercrime is no longer just a threat, it’s an economy. In this episode, Raj Samani unpacks the business model behind ransomware, initial access brokers, and affiliate operations. He shares his view on how cybercriminals are scaling operations like startups, what security teams can do to map that behavior, and why understanding the economy of access is key to disruption. It’s an insightful look at how attacker innovation is outpacing the traditional response, and what needs to change. Raj also reflects on the blurred lines between opportunistic access and long-tail ransomware campaigns, and how buyers on the dark web shape the threat landscape. This conversation is especially useful for defenders who want to think more strategically about adversaries and the systems that support them.

Ep 4: What SOC Teams Are Doing Differently in 2025

Guest: Steve Edwards, Director of Threat Intelligence and Detection Engineering

This episode walks through the key findings of Rapid7’s IDC study on the business value of MDR and brings them to life through real-world SOC operations. Steve Edwards shares how telemetry access changes the game, what true coverage looks like in practice, and why teams are shifting away from reactive models to faster, context-rich detection. You’ll hear what happens in the first 24 to 48 hours of incident response and how Rapid7’s no-cap IR model improves confidence during high-pressure moments. Steve also breaks down how teams are using MITRE ATT&CK mapping to prioritize security investments and measure response maturity over time. For security leaders and buyers evaluating managed services, this conversation offers a clear, practical lens on what a successful MDR program looks like from a security and business perspective.

Ep 5: Policy to Practice - What Cyber Resilience Really Takes

Guest: Sabeen Malik, VP of Global Government Affairs and Public Policy

With new regulations emerging across the globe, it’s easy to confuse compliance with resilience. In this episode, Sabeen Malik unpacks what it takes to bridge that gap. She talks through disclosure laws, geopolitical tension, and the difficulty of turning policy into something operators can act on. Sabeen brings both policy expertise and operational realism, making the case that cybersecurity regulation needs to be built for the real world, not for a checklist. She also explores the cultural side of risk, including how insider threats and trust-based frameworks play into resilience planning. If your organization is tracking regulatory changes or working toward a more mature security posture, this episode offers a smart lens on where policy can help, and how to overcome it's shortfalls.

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

Rapid7 Blog

By:Ivan Feigl

2 February 2026 at 10:49

Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors.

Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis.

⠀

Figure 1: Telemetry on the custom backdoor samples

⠀

Beyond the discovery of the new implant, forensic evidence led us to uncover several custom loaders in the wild. One sample, “ConsoleApplication2.exe”, stands out for its use of Microsoft Warbird, a complex code protection framework, to hide shellcode execution. This blog provides a deep technical analysis of Chrysalis, the Warbird loader, and the broader tactic of mixing straightforward loaders with obscure, undocumented system calls.

Initial access vector: Notepad++ and update.exe

Forensic analysis conducted by the MDR team suggests that the initial access vector aligns with publicly disclosed abuse of the Notepad++ distribution infrastructure. While reporting references both plugin replacement and updater-related mechanisms, no definitive artifacts were identified to confirm exploitation of either. The only confirmed behavior is that execution of “notepad++.exe” and subsequently “GUP.exe” preceded the execution of a suspicious process “update.exe” which was downloaded from 95.179.213.0.

Analysis of update.exe

Figure 2: Execution diagram of update.exe

⠀

Analysis of “update.exe” shows the file is actually an NSIS installer, a tool commonly used by Chinese APT to deliver initial payload.

The following are the extracted NSIS installer files:

[NSIS].nsi

Description: NSIS Installation script
SHA-256: 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e

BluetoothService.exe

Description: renamed Bitdefender Submission Wizard used for DLL sideloading
SHA-256: 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924

BluetoothService

Description: Encrypted shellcode
SHA-256: 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e

log.dll

Description: Malicious DLL sideloaded by BluetoothService.exe
SHA-256: 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad

⠀

Installation script is instructed to create a new directory “Bluetooth” in “%AppData%” folder, copy the remaining files there, change the attribute of the directory to HIDDEN and execute BluetoothService.exe.

DLL sideloading

Shortly after the execution of BluetoothService.exe, which is actually a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading, a malicious log.dll was placed alongside the executable, causing it to be loaded instead of the legitimate library. Two exported functions from log.dll are called by Bitdefender Submission Wizard: LogInit and LogWrite.

LogInit and LogWrite - Shellcode load, decrypt, execute

LogInit loads BluetoothService into the memory of the running process.

LogWrite has a more sophisticated goal – to decrypt and execute the shellcode.

The decryption routine implements a custom runtime decryption mechanism used to unpack encrypted data in memory. It derives key material from previously calculated hash value and applies a stream‑cipher–like algorithm rather than standard cryptographic APIs. At a high level, the decryption routine relies on a linear congruential generator, with the standard constants 0x19660D and 0x3C6EF35F, combined with several basic data transformation steps to recover the plaintext payload.

Once decrypted, the payload replaces the original buffer and all temporary memory is released. Execution is then transferred to this newly decrypted stage, which is treated as executable code and invoked with a predefined set of arguments, including runtime context and resolved API information.

IAT resolution

Log.dll implements an API hashing subroutine to resolve required APIs during execution, reducing the likelihood of detection by antivirus and other security solutions.

API hashing subroutine

The hashing algorithm will hash export names using FNV‑1a (fnv-1a hash 0x811C9DC5, fnv-1a prime 0x1000193 observed), then apply a MurmurHash‑style avalanche finalizer (murmur constant 0x85EBCA6B observed), and compare the result to a salted target hash.

Analysis of the Chrysalis backdoor

The shellcode, once decrypted by log.dll, is a custom, feature-rich backdoor we've named “Chrysalis”. Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility. It uses legitimate binaries to sideload a crafted DLL with a generic name, which makes simple filename-based detection unreliable. It relies on custom API hashing in both the loader and the main module, each with its own resolution logic. This is paired with layered obfuscation and a fairly structured approach to C2 communication. Overall, the sample looks like something that has been actively developed over time, and we’ll be keeping an eye on this family and any future variants that show up.

Decryption of the main module

Once the execution is passed to decrypted shellcode from log.dll, malware starts with decryption of the main module via a simple combination of XOR, addition and subtraction operations, with a hardcoded key gQ2JR&9;. See below the pseudocode of decryption routine:

⠀

char XORKey[8] = "gQ2JR&9;";
DWORD counter = 0;
DWORD pos = BufferPosition;

while (counter < size) {
    BYTE k = XORKey[counter & 7];
    BYTE x = encrypted[pos];

    x = x + k;
    x = x ^ k;
    x = x - k;

    decrypted[pos] = x;

    pos++;
    counter++;
}

⠀

XOR operation is performed 5 times in total, suggesting a section layout similar to PE format. Following the decryption, malware will proceed to yet another dynamic IAT resolution using LoadLibraryA to acquire a handle to Kernel32.dll and GetProcAddress. Once exports are resolved, the jump is taken to the main module.

Main module

The decrypted module is a reflective PE-like module that executes the MSVC CRT initialization sequence before transferring control to the program’s main entry point. Once in the Main function, the malware will dynamically load DLLs in the following order: oleaut32.dll, advapi32.dll, shlwapi.dll, user32.dll, wininet.dll, ole32.dll and shell32.dll.

Names of targeted DLLs are constructed on the run, using two separate subroutines. These two subroutines implement a custom, position-dependent character obfuscation scheme. Each character is transformed using a combination of bit rotations, conditional XOR operations, and index-based arithmetic, ensuring that identical characters encrypt differently depending on their position. The second routine reverses this process at runtime, reconstructing the original plaintext string just before it is used. The purpose of these two functions is not only to conceal strings, but also to intentionally complicate static analysis and hinder signature-based detection.

After the DLL name is reconstructed, the Main module implements another, more sophisticated API hashing routine.

API hashing subroutine

⠀

The first difference between this and the API hashing routine used by the loader is that this subroutine accepts only a single argument: the hash of the target API. To obtain the DLL handle, the malware walks the PEB to reach the InMemoryOrderModuleList, then parses each module’s export table, skipping the main executable, until it resolves the desired API. Instead of relying on common hashing algorithms, the routine employs multi-stage arithmetic mixing with constants of MurmurHash-style finalization. API names are processed in 4-byte blocks using multiple rotation and multiplication steps, followed by a final diffusion phase before comparison with the supplied hash. This design significantly complicates static recovery of resolved APIs and reduces the effectiveness of traditional signature-based detection. As a fallback, the resolver supports direct resolution via GetProcAddress if the target hash is not found through the hashing method. The pointer to GetProcAddress is obtained earlier during the “main module preparation” stage.

⠀

Config decryption

The next step in the malware’s execution is to decrypt the configuration. Encrypted configuration is stored in the BluetoothService file at offset 0x30808 with the size of 0x980. Algorithm for the decryption is RC4 with the key qwhvb^435h&*7. This revealed the following information:

Command and Control (C2) url: https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821
Name of the module: BluetoothService
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36

The URL structure of the C2 is interesting, especially the section /a/chat/s/{GUID}), which appears to be the identical format used by Deepseek API chat endpoints. It looks like the actor is mimicking the traffic to stay below the radar.

Decrypted configuration doesn’t give much useful information besides the C2. The name of the module is too generic and the user agent belongs to Google Chrome browser. The URL resolves to 61.4.102.97, IP address based in Malaysia. At the time of the writing of this blog, no other file has been seen to communicate with this IP and URL.

Persistence and command-line arguments

To determine the next course of action, malware checks command-line arguments highlighted in Table 1 and chooses one of four potential paths. If the amount of the command-line arguments is greater than two, the process will exit. If there is no additional argument, persistence is set up primarily via service creation or registry as a fall back mechanism.

See Table 2 below:

Argument	Mode	Action
(None)	Installation	Installs persistence (Service or Registry) pointing to binary with -i flag, then terminates.
-i	Launcher	Spawns a new instance of itself with the -k flag via ShellExecuteA, then terminates.
-k	Payload	Skips installation checks and executes the main malicious logic (C2 & Shellcode).

⠀

With the expected arguments present, the malware proceeds to its primary functionality - to gather information about the infected asset and initiate the communication with C2.

Information gathering and C2 communication

A mutex Global\\Jdhfv_1.0.1 is registered to enforce single instance execution on the host. If it already exists, malware is terminated. If the check is clear, information gathering begins by querying for the following: current time, installed AVs, OS version, user name and computer name. Next, computer name, user name, OS version and string 1.01 are concatenated and the data are hashed using FNV-1A. This value is later turned into its decimal ascii representation and used most likely as a unique identifier of the infected host.

Final buffer uses a dot as delimiter and follows this pattern:

⠀

<UniqueID>.<ComputerName>.<UserName>.<OSVersion>.<127.0.0.1>.<AVs>.<DateAndTime>

⠀

The last piece of information added to the beginning of the buffer is a string 4Q. The buffer is then RC4 encrypted with the key vAuig34%^325hGV.

Following data encryption, the malware establishes an internet connection using previously mentioned user agent and C2 api.skycloudcenter.com over port 443. Data is then transferred via HttpSendRequestA using the POST method. Response from the server is then read to a temporary buffer which is later decrypted using the same key vAuig34%^325hGV.

Response and command processing

Note: C2 server was already offline during the initial analysis, preventing recovery of any network data. As a result, and due to the complexity of the malware, parts of the following analysis may contain minor inaccuracies.

The response from the C2 undergoes multiple checks before further processing. First, the HTTP response code is compared against the hardcoded value 200 (0xC8), indicating a successful request, followed by a validation of the associated WinInet handle to ensure no error occurred. The malware then verifies the integrity of the received payload and execution proceeds only if at least one valid structure is detected. Next, malware looks into the response data for a small tag to determine what to do next. Tag is used as a condition for a switch statement with 16 possible cases. The default case will simply set up a flag to TRUE. Setting up this flag will result in completely jumping out of the switch. Other switch cases includes following options:

⠀

Char representation	Hex representation	Purpose
4T	0x3454	Spawn interactive shell
4U	0x3455	Send ‘OK’ to C2
4V	0x3456	Create process
4W	0x3457	Write file to disk
4X	0x3458	Write chunk to open file
4Y	0x3459	Read & send data
4Z	0x345A	Break from switch
4\\	0x345C	Uninstall / Clean up
4]	0x345D	Sleep
4_	0x345F	Get info about logical drives
4`	0x3460	Enumerate files information
4a	0x3661	Delete file
4b	0x3662	Create directory
4c	0x3463	Get file from C2
4d	0x3464	Send file to C2

⠀

4T - The malware implements a fully interactive cmd.exe reverse shell using redirected pipes. Incoming commands from the C2 are converted from UTF‑8 to the system OEM code page before being written to the shell’s standard input, while a dedicated thread continuously reads shell output, converts it from OEM encoding to UTF‑8 using GetOEMCP API, and forwards the result back to the C2.

4V - This option allows remote process execution by invoking CreateProcessW on a C2-supplied command line and relaying execution status back to the C2.

4W - This option implements a remote file write capability, parsing a structured response containing a destination path and file contents, converting encodings as necessary, writing the data to disk, and returning a formatted status message to the command-and-control server.

4X - Similar to the previous switch, it supports a remote file-write capability, allowing the C2 to drop arbitrary files on the victim system by supplying a UTF-8 filename and associated data blob.

4Y - Switch implements a remote file-read capability. It opens a specified file with, retrieves its size, reads the entire contents into memory, and transmits the data back to the C2.

4\\ - The option implements a full self-removal mechanism. It deletes auxiliary payload files, removes persistence artifacts from both the Windows Service registry hive and the Run key, generates and executes a temporary batch file u.bat to delete the running executable after termination, and finally removes the batch script itself.

4_ - Here malware enumerates information about logical drivers using GetLogicalDriveStringsA and GetDriveTypeA APIs and sends the information back to the C2.

4` - This switch option shares similarities with previously analyzed data exfiltration function - 4Y. However, its primary purpose differs. Instead of transmitting preexisting data, it enumerates files within a specified directory, collects per-file metadata (timestamps, size, and filename), serializes the results into a custom buffer format, and sends the aggregated listing to the C2.

4a - 4b - 4c - 4d - In the last 4 cases, malware implements a custom file transfer protocol over its C2 channel. Commands 4a and 4b act as control messages used to initialize file download and upload operations respectively, including file paths, offsets, and size validation. Once initialized, the actual data transfer occurs in a chunked fashion using commands 4c (download) and 4d (upload). Each chunk is wrapped in a fixed-size 40-byte response structure, validated for successful HTTP status and correct structure count before processing. Transfers continue until the C2 signals completion via a non-zero termination flag, at which point file handles and buffers are released.

Additional artifacts discovered on the infected host

During the initial forensics analysis of the affected asset, Rapid7’s MDR team observed execution of following command:

⠀

C:\ProgramData\USOShared\svchost.exe-nostdlib -run
C:\ProgramData\USOShared\conf.c

⠀

The retrieved folder “USOShared” from the infected asset didn’t contain svchost.exe but it contained “libtcc.dll” and “conf.c”. The hash of the binary didn’t match any known legitimate version but the command line arguments and associated “libtcc.dll” suggested that svchost.exe is in fact renamed Tiny-C-Compiler. To confirm this, we replicated the steps of the attacker successfully loaded shellcode from “conf.c” into the memory of “tcc.exe”, confirming our previous hypothesis.

Analysis of conf.c

The C source file contains a fixed size (836) char buffer containing shellcode bytes which is later casted to a function pointer and invoked. The shellcode is consistent with 32-bit version of Metasploit’s block API.

The shellcode loads Wininet.dll using LoadLibraryA, resolves Internet-related APIs such as InternetConnectA and HttpSendRequestA, and downloads a file from api.wiresguard.com/users/admin. The file is read into a newly allocated buffer, and execution is then transferred to the start of the 2000-byte second-stage shellcode.

⠀

⠀

This stub is responsible for decrypting the next payload layer and transferring execution to it. It uses a rolling XOR-based decryption loop before jumping directly to the decrypted code.

A quick look into the decrypted buffer revealed an interesting blob with a repeated string CRAZY, hinting at an additional XORed layer, later confirmed by a quick test.

⠀

⠀

⠀

Parsing of the decrypted configuration data confirms that retrieved shellcode is Cobalt Strike (CS) HTTPS beacon with http-get api.wiresguard.com/update/v1 and http-post api.wiresguard.com/api/FileUpload/submit urls.

Analysis of the initial evidence revealed a consistent execution chain: a loader embedding Metasploit block_api shellcode that downloads a Cobalt Strike beacon. The unique decryption stub and configuration XOR key CRAZY allowed us to pivot into an external hunt, uncovering additional loader variants.

⠀

Figure 9: Execution flow followed by conf.c and other loaders

Variation of loaders and shellcode

In the last year, four similar files were uploaded to public repositories.

Loader 1:

SHA-256: 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd

Shellcode SHA-256: 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36

URL hosting CS beacon: http://59[.]110.7.32:8880/uffhxpSy

CS http-get URL: http://59[.]110.7.32:8880/api/getBasicInfo/v1

CS http-post URL: http://59[.]110.7.32:8880/api/Metadata/submit

Loader 2:

SHA-256: e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda

Shellcode SHA-256: 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36

URL hosting CS beacon: http://124[.]222.137.114:9999/3yZR31VK

CS http-get URL: http://124[.]222.137.114:9999/api/updateStatus/v1

CS http-post URL: http://124[.]222.137.114:9999/api/Info/submit

Loader 3:

SHA-256: b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3

Shellcode SHA-256: 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

URL hosting CS beacon: https://api[.]wiresguard[.]com/users/system

CS http-get URL: https://api[.]wiresguard[.]com/api/getInfo/v1

CS http-post URL: https://api[.]wiresguard[.]com/api/Info/submit

Loader 4:

SHA-256: fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a

Shellcode SHA-256: 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

URL hosting CS beacon: https://api[.]wiresguard[.]com/users/system

CS http-get URL: https://api[.]wiresguard[.]com/api/getInfo/v1

CS http-post URL: https://api[.]wiresguard[.]com/api/Info/submit

⠀

From all the loaders we analyzed, Loader 3 piqued our interest for three reasons - shellcode encryption technique, execution , and almost identical C2 to beacon that was found on the infected asset. All the previous samples used a pretty common technique to execute the shellcode - decrypt embedded shellcode in user space, change the protection of memory region to executable state, and invoke decrypted code via CreateThread / CreateRemoteThread; Loader 3 (original name “ConsoleApplication2.exe”) violates this approach.

Analysis of Loader 3 - ConsoleApplication2.exe

At the first glance, the logic of the sample is straightforward: Load the DLL clipc.dll, overwrite first 0x490 bytes, change the protection to PAGE_EXECUTE_READ (0x20), and then invoke NtQuerySystemInformation. Two interesting notes to highlight here - bytes copied into the memory region of clipc.dll are not valid shellcode and NtquerySystemInformation is used to “Retrieve the specified system information”, not to execute code.

⠀

Figure 10: Snippet from ConsoleApplication2.exe

⠀

Looking into the copied data reveals two “magic numbers” DEADBEEF and CAFEAFE, but nothing else. However, the execution of shellcode is somehow successful, so what’s going on?

⠀

⠀

According to the official documentation, the first parameter of NtQuerySystemInformation is of type SYSTEM_INFORMATION_CLASS which specifies the category of system information to be queried. During static analysis in IDA Pro, this parameter was initially identified as SystemExtendedProcessInformation|0x80 but looking for this value in MSDN and other public references didn’t provide any explanation on how the execution was achieved. But, searching for the original value passed to the function (0xB9) uncovered something interesting. The following blog by DownWithUp covers Microsoft Warbird, which could be described as an internal code protection and obfuscation framework. These resources confirm IDA misinterpretation of the argument which should be SystemCodeFlowTransition, a necessary argument to invoke Warbird functionality. Additionally, DownWithUp’s blog post mentioned the possible operations:

⠀

lotus-blossom-Warbird-operations-documented-by-DownWithUp.png — Figure 12: Warbird operations documented by DownWithUp

⠀

Referring to the snippet we saw from “ConsoleApplication2.exe”, the operation is equal to WbHeapExecuteCall which gives us the answer on how the shellcode gained execution. Thanks to work of other researchers, we also know that this technique only works if the code resides inside of memory of Microsoft signed binary, thus revealing why clipc.dll has been used. The blog post from cirosec also contains a link for their POC of this technique which is almost the same replica of “ConsoleApplication2.exe”, hinting that author of “ConsoleApplication2.exe” simply copied it and modified to execute Metasploit block_api shellcode instead of the benign calc from POC. The comparison of the Cobalt Strike beacon configuration delivered via “conf.c” and “ConsoleApplication2.exe” revealed shared trades between these two, most notably domain, public key, and process injection technique.

Attribution to Lotus Blossom

Attribution is primarily based on strong similarities between the initial loader observed in this intrusion and previously published Symantec research. Particularly the use of a renamed “Bitdefender Submission Wizard” to side-load “log.dll” for decrypting and executing an additional payload.
In addition, similarities of the execution chain of “conf.c” retrieved from the infected asset and other loaders that we found, supported by the same public key extracted from CS beacons delivered through “conf.c” and “ConsoleApplication2.exe” suggests with moderate confidence, that the threat actor behind this campaign is likely Lotus Blossom.

Conclusion

The discovery of the Chrysalis backdoor and the Warbird loader highlights an evolution in Lotus Blossom's capabilities. While the group continues to rely on proven techniques like DLL sideloading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft.

What stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird). This demonstrates that Lotus Blossom is actively updating their playbook to stay ahead of modern detection.

Rapid7 customers

InsightIDR and MDR

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Suspicious Process - Child of Notepad++ Updater (gup.exe) and Suspicious Process - Chrysalis Backdoor are two examples of deployed detections that will alert on behavior related to Chrysalis. Rapid7 will also continue to iterate detections as new variants emerge, giving customers continuous protection without manual tuning.

Intelligence Hub

Customers using Rapid7’s Intelligence Hub gain direct access to Chrysalis backdoor, Metasploit loaders and Cobalt Strike IOCs, including any future indicators as they are identified.

Indicators of compromise (IoCs)

File indicators

Note: data may appear cut-off or hidden due to the string lengths in column 2. You can copy the full string by highlighting what is visible.

update.exe	a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
[NSIS.nsi]	8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
BluetoothService.exe	2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
BluetoothService	77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
log.dll	3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
u.bat	9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
conf.c	f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
libtcc.dll	4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
admin	831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
loader1	0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
uffhxpSy	4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
loader2	e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
3yzr31vk	078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
ConsoleApplication2.exe	b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
system	7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
s047t5g.exe	fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a

Network indicators

95.179.213.0

api[.]skycloudcenter[.]com

api[.]wiresguard[.]com

61.4.102.97

59.110.7.32

124.222.137.114

MITRE TTPs

ATT&CK ID	Name
T1204.002	User Execution: Malicious File
T1036	Masquerading
T1027	Obfuscated Files or Information
T1027.007	Obfuscated Files or Information: Dynamic API Resolution
T1140	Deobfuscate/Decode Files or Information
T1574.002	DLL Side-Loading
T1106	Native API
T1055	Process Injection
T1620	Reflective Code Loading
T1059.003	Command and Scripting Interpreter: Windows Command Shell
T1083	File and Directory Discovery
T1005	Data from Local System
T1105	Ingress Tool Transfer
T1041	Exfiltration Over C2 Channel
T1071.001	Application Layer Protocol: Web Protocols (HTTP/HTTPS)
T1573	Encrypted Channel
T1547.001	Boot or Logon Autostart Execution: Registry Run Keys
T1543.003	Create or Modify System Process: Windows Service
T1480.002	Execution Guardrails: Mutual Exclusion
T1070.004	Indicator Removal on Host: File Deletion

*IOCs contributed by @AIexGP on X.

Mitigation guidance

Rapid7 recommends updating to the latest version of Notepad++. In addition, the IoCs provided above and within Rapid7 Intelligence Hub can be used to hunt within your logs during the timeframe of June through November, 2025, as this is the timeframe when the backdoor activity is known to have been taking place.

Interested in learning more?

Catch Inside Chrysalis, Rapid7's webinar led by Christiaan Beek, on-demand via BrightTALK.

Metasploit Wrap-Up 01/30/2026

Rapid7 Blog

30 January 2026 at 16:11

FreeBPX Content Galore

This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.

New module content (7)

FreePBX endpoint SQLi to RCE

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20857 contributed by msutovsky-r7 Path: unix/http/freepbx_custom_extension_rce AttackerKB reference: CVE-2025-61675

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQLi, CVE-2025-61675, which allows for a cron job to be added to the cron_job table of the database to allow for Remote Code Execution.

FreePBX firmware file upload

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20858 contributed by msutovsky-r7 Path: unix/http/freepbx_firmware_file_upload AttackerKB reference: CVE-2025-61678

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload (via firmware upload), CVE-2025-61678, which allows for a webshell to be uploaded to the webserver resulting in remote code execution.

FreePBX Custom Extension SQL Injection

Authors: Noah King and msutovsky-r7 Type: Auxiliary Pull request: #20846 contributed by msutovsky-r7 Path: gather/freepbx_custom_extension_injection AttackerKB reference: CVE-2025-61675

Description: This adds an exploit module for FreePBX which chains an authentication bypass, (CVE-2025-66039) with an SQLi (CVE-2025-61675) to create an admin user in the database.

Cacti Graph Template authenticated RCE versions prior to 1.2.29

Authors: Jack Heysel and chutchut Type: Exploit Pull request: #20799 contributed by jheysel-r7 Path: multi/http/cacti_graph_template_rce AttackerKB reference: CVE-2025-24367

Description: This adds an exploit for CVE-2025-24367 which is an unauthenticated RCE in Cacti.

SmarterTools SmarterMail GUID File Upload Vulnerability

Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7 Type: Exploit Pull request: #20866 contributed by jheysel-r7 Path: multi/http/smartermail_guid_file_upload AttackerKB reference: CVE-2025-52691

Description: This adds a module for unauthenticated file upload in SmarterTools SmaterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system using path traversal using the guid variable. The module will either drop a webshell in the webroot directory (if the target is Windows) or create a cron job by dropping a file in /etc/cron.d (if the target is Linux).

Burp Extension Persistence

Author: h00die Type: Exploit Pull request: #19821 contributed by h00die Path: multi/persistence/burp_extension

Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.

SSH Key Persistence

Authors: Dean Welch dean_welch@rapid7.com and h00die mike@shorebreaksecurity.com Type: Exploit Pull request: #20778 contributed by h00die Path: multi/persistence/ssh_key

Description: Combines the Windows and Linux ssh key persistence modules.

Enhancements and features (1)

#20778 from h00die - Combines the Windows and Linux ssh key persistence modules.

Bugs fixed (3)

#20897 from h00die - This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
#20902 from rudraditya21 - This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.
#20909 from adfoster-r7 - Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild (CVE-2026-1281 & CVE-2026-1340)

Rapid7 Blog

By:Rapid7

30 January 2026 at 11:14

Overview

On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild has already occurred prior to disclosure. This has been echoed by CISA who added CVE-2026-1281 to their Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (Due Feb 1, 2026) for organizations, such as federal agencies, to remediate the vulnerabilities before the affected devices must be removed from a network.

While CVE-2026-1281 has been confirmed as exploited in the wild as a zero day, it is unclear if CVE-2026-1340 has also, or if this vulnerability was found separately to CVE-2026-1281. The two critical vulnerabilities are summarized below.

⠀

CVE	CVSSv3	CWE
CVE-2026-1281	9.8 (Critical)	Improper Control of Generation of Code (CWE-94)
CVE-2026-1340	9.8 (Critical)	Improper Control of Generation of Code (CWE-94)

⠀

Both CVE-2026-1281 and CVE-2026-1340 are described identically by the vendor; they are code injection issues, allowing a remote unauthenticated attacker to execute arbitrary code on an affected device. Based on the vendor's guidance, the attackers can provide Bash commands as part of a malicious HTTP GET request to the endpoints that service either the “In-House Application Distribution” feature (i.e. /mifs/c/appstore/fob/) or the “Android File Transfer Configuration” feature (i.e. /mifs/c/aftstore/fob/), resulting in arbitrary OS command execution on the target.

As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant. An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information. This is in addition to the privileged position an attacker will have on the EPMM device itself, which may allow for lateral movement within the compromised network.
Given the nature of the product, EPMM is a high-profile target. It has been repeatedly targeted by zero-day vulnerabilities in the past. In 2023 the product was exploited in the wild via CVE-2023-35078, and again in 2025 via an exploit chain of CVE-2025-4427 and CVE-2025-4428. As of January 30, 2026, a public working proof-of-concept exploit for remote code execution is available. Organizations running EPMM are urged to act quickly and follow the vendor guidance to remediate these issues.

Threat hunting

The following vendor supplied regular expression can be used to search the HTTP daemon’s log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:⠀

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

Mitigation guidance

A vendor supplied update is available to remediate both vulnerabilities.

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.0.x patch:

Versions 12.7.0.0 and below
Versions 12.6.0.0 and below
Versions 12.5.0.0 and below

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.1.x patch:

Versions 12.6.1.0 and below
Versions 12.5.1.0 and below

Customers are advised to update to the latest remediated version of EPMM, on an emergency basis outside of normal patching cycles, as exploitation in-the-wild is already occurring.

For the latest mitigation guidance for Ivanti EPMM, please refer to the vendor’s security advisory. In addition to remediation, the vendor has provided additional threat hunting guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-1281 and CVE-2026-1340 with authenticated vulnerability checks expected to be available in today's (Jan 30) content release. Note that the "Potential" category must be enabled in the scan template to run the checks.

Updates

January 30, 2026: Added reference to the watchTowr technical analysis and proof-of-concept exploit.

Patch Tuesday and the Enduring Challenge of Windows’ Backwards Compatibility

Rapid7 Blog

Explore a confident path forward.

28 January 2026 at 12:04

Introduction

If you received an email with the subject “I LOVE YOU” and an attachment called “LOVE-LETTER-FOR-YOU.TXT”, would you open it? Probably not, but back in the year 2000, plenty of people did exactly that. The internet learned a hard lesson about the disproportionate power available to a university dropout with some VBScript skills, and millions of ordinary people suffered the anguish of deleted family photos or even reputational damage as the worm propagated itself across their entire Outlook address book.

In the quarter century since ILOVEYOU rampaged across global networks, cybersecurity has moved from a niche topic to an “everyone” problem, and many users are wary of all sorts of threats. In recent years, the increasing ubiquity and urgency of AI adoption across the business landscape has attracted the attention of both security researchers and threat actors.

Of course, recency bias and shiny object fixation are real. Even as AI and automation continue to drive down time to known exploitation (TTKE), an attacker who abuses a traditional exploit chain to achieve SYSTEM privileges on a sensitive server still has the keys to the kingdom.

Wormable remote code execution (RCE) vulnerabilities remain rare, but well over half of the 25 exploited-in-the-wild zero-day vulnerabilities published by Microsoft during 2025 provided attackers with elevation of privilege opportunities on Windows assets. Some of those flaws are older than the iPhone, let alone ChatGPT.

Microsoft's decades-long commitment to backwards compatibility creates a conveyor belt supply of déjà vu vulnerabilities. Ultimately, the most pressing threats faced by defenders managing Microsoft estates remain essentially unchanged. Rather than a new wave of AI-related flaws, the chief danger stems from the towering tech debt within core Windows components.

A whirlwind tour of exploited-in-the-wild Microsoft vulnerabilities (2025 edition)

If we really want to know which Microsoft vulnerabilities will provide the most value to attackers in 2026, we should ask a threat actor. Since that might prove difficult to arrange, we’ll do the next best thing: review vulnerabilities exploited in the wild during 2025.

⠀

Chart-exploited-in-the-wild-eitw-microsoft-by-vulnerable-component-rapid7.png — Chart 1: Exploited-in-the-wild Microsoft vulnerabilities, by vulnerable component

January: The great escape

The vast Microsoft ecosystem has something for everyone, whether customer or threat actor. Patch Tuesday January 2025 brought us a trio of exploited-in-the-wild Hyper-V kernel vulnerabilities. By September 2025, at least one plausible public proof-of-concept (PoC) for CVE-2025-21333 was published by a vulnerability researcher who apparently shares a name with a Kazakhstani Olympic gymnast. The only safe assumption is that a well-resourced threat actor could develop a private exploit far in advance of that.

Starting from a child VM or Windows Sandbox, exploitation first requires setting out a banquet of benign requests for the hypervisor, delivered via the Hyper-V Virtualization Service Provider (VSP). The goal: mass-allocating objects to arrange large swathes of hypervisor memory in a predictable pattern (aka “heap feng shui”). Next, the attacker sends a malicious request with an oversized buffer, which an unpatched VSP merrily copies into kernel memory, overwriting the header of the adjacent object, whose relative position is now easily surmised. Once the kernel subsequently references the artfully corrupted sibling object, execution as SYSTEM jumps to a portion of memory where the attacker has planted shellcode to exfiltrate a token. The compromised hypervisor could be anything from a developer laptop running a malicious container all the way up to enterprise private cloud infrastructure.

So far, January 2025 is the only time that Microsoft has ever published vulnerabilities in the Hyper-V VSP. Generally speaking, a significant degree of sophistication is required to develop successful exploits of this nature. This goes double if the name of the game is stealth and stability, since a wave of unexplained BSOD events on critical production infrastructure tends to attract blue team attention. Still, once a viable proof of concept hits the public internet, ransomware crews will fold it into their toolkits, and someone, somewhere, is either sitting on an unknown Hyper-V VSP exploit, or hard at work creating the next one.

February: Socket to me

It’s hard to imagine a modern computer without storage or networking capabilities. In fact, it’s hard to imagine a computer from several decades ago without storage or networking. Microsoft is now middle-aged, and that means that buried deep within your shiny new PC are a variety of architectural decisions and logic paths born in the 1980s. If this sounds far-fetched, take a minute to find yourself a fully-patched Windows 11 25H2 machine, and then try to rename any file or directory CON, NUL or PRN. I’ll wait.

Generally speaking, user-mode applications are prevented from wreaking havoc on the kernel through a careful separation of concerns. On Windows, when a user mode application wants to communicate over the network, it talks to WinSock, which in turn talks to the ancillary function driver (AFD), which sits on the kernel side, and coordinates with the kernel network drivers which handle the actual traffic. The AFD is a security boundary between user space and kernel space, and it must be universally accessible to local processes, because even a browser tab in a sandbox needs to make network calls. Any defect in the way AFD parses input from user space can thus provide a way to influence the kernel in unexpected ways. A number of advanced exploit development courses, including offerings from SANS and OffSec, cover AFD in detail.

⠀

Chart 2: Windows AFD vulnerabilities timeline, 2021-2025

⠀

Patch Tuesday February 2025 brought us CVE-2025-21418, which Microsoft credited to Anonymous. We don’t know whether the unnamed tipster provided evidence of exploitation in the wild, or whether Microsoft threat hunters subsequently tracked down their own trail of suspicious bread crumbs, but notorious threat actors such as North Korea’s Lazarus are known to be enthusiastic students of AFD exploits. With several high-profile zero-day vulnerabilities emerging from AFD from late 2024 onwards, it tracks that Microsoft subsequently published and patched a cluster of AFD vulnerabilities in the latter half of 2025.

March: File system shenanigans

Any defenders who had enjoyed a quieter start to the year were rudely awakened by Patch Tuesday March 2025, when six exploited-in-the-wild vulnerabilities all dropped at once. Exploitation of most of the zero-day vulnerabilities published in March starts with the user mounting a malicious Virtual Hard Disk (VHD) image or plugging in a malicious USB stick so that the attacker can exploit a weakness in a filesystem driver, including NTFS and FastFAT.

Remember that information security training which asked you to imagine finding a USB stick with an “IMPORTANT (CONFIDENTIAL)” label on the floor outside the office? The one which asked if you would A) plug the mystery stick into your work PC B) use your boss’ personal laptop in case the files are business critical C) try it in all the PCs in the office until someone asks you to stop or D) report it immediately to the security officer? This is why.

Meanwhile, the true villain of the month was almost certainly CVE-2025-24983, a no-user-interaction-required elevation of privilege vulnerability in the Win32 kernel subsystem. At the time, we pondered why Windows 11 and Server 2019 onwards didn’t receive patches for what looks like a fairly severe vulnerability, but since Microsoft is gradually reimplementing portions of the kernel in memory-safe Rust, we can hope that the vulnerability simply doesn’t exist in modern Windows.

April: Common Log File System driver vulns are quite common

If anyone ever corners you at a party and talks at length about the Ancillary Function Driver as a bounteous source of elevation of privilege vulnerabilities, you will probably have to concede that they are technically correct. While your options include “doing a lap” and then climbing out of the bathroom window, the power move here is to hold your ground, and point to the Common Log File System driver as a far richer vein of exploitable goodness.

As of Patch Tuesday April 2025, CLFS boasts almost twice the number of total vulnerabilities over the past five years vs. AFD, and more than double the number of known-exploited zero-day vulnerabilities. It really is the gift which keeps on giving.

⠀

Windows CLFS vulnerabilities timeline, 2021-2025

⠀

It makes sense that something like the Ancillary Function Driver lives in kernel space. After all, something has to sit inside the perimeter to marshall all those network requests from dozens of Chrome tabs. What about the Common Log File System driver though?

It would be tempting to imagine that anything which simply handles log files shouldn’t need direct kernel access at all. When exploring this concept, it’s useful to understand that not only was CLFS designed a long time ago, when high performance in user mode was harder to achieve than it is today, but also that CLFS is much more than simply a means to interact with log files. CLFS is the home of still-essential building blocks like Transactional NTFS (TxF), first introduced almost 25 years ago in Windows Vista, which provides a means for applications to guarantee the integrity of data on disk.

For the past several years, Microsoft has strongly recommended that developers avoid the use of TxF, and while Microsoft is gradually providing modern alternatives to TxF functionality, essential Windows functions such as Windows Update still rely on it to manage critical file integrity. Moreover, CLFS is more than just TxF, and is so tightly integrated into Windows that it’s here to stay for the foreseeable future.

May: The month of expectation, wishes, hope, and classic Windows zero-days [1]

A few days after Patch Tuesday May 2025, Satya Nadella took to the stage at Microsoft Build 2025 to pitch his vision of the open agentic web, although exactly who this version of the future would be open to remains an open question, like: What if a cloud email service was vulnerable to a zero-click prompt injection attack, but could also now buy things with your credit card?

While critical reception for the open agentic web has been mixed, threat actors will be glad of the new attack surface. Meanwhile, defenders worried about in-the-wild exploitation were hard at work patching some more frequent fliers, including another pair of CLFS vulnerabilities and an MSHTML/Trident arbitrary code execution bug. That last one will be familiar to regular Patch Tuesday watchers, but it might come as a surprise to anyone who thought Internet Explorer had gone to live on a nice farm upstate years ago.

The Ancillary Function Driver made another appearance, although it couldn’t quite summon the same main character energy this time around. The May 2025 episode of “AFD vulns exploited in the wild” offered elevation to Administrator, rather than SYSTEM, and a lower exploit code maturity rating. We can always be grateful for small mercies.

[1]: With apologies to Emily Brontë.

June: I’m afraid I can’t let you do that, WebDAV

Windows archeologists and internet users of a certain age may remember WebDAV, a standard originally dreamed up to support interactivity on the web. It was employed by versions of Microsoft Exchange up to and including 2010 to handle interactions with mailboxes and public folders.

Surprising no-one, Windows still more or less supports WebDAV, and it was only a matter of time before that turned out to be a bit of a problem, in the form of CVE-2025-33053 published as part of Patch Tuesday June 2025. Microsoft acknowledged Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation to an APT (Advanced Persistent Threat), which they track as the objectively cool-sounding Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and beyond.

June 2025 also saw the publication of CVE-2025-32711, a critical information disclosure vulnerability in Microsoft 365 Copilot. Microsoft is not aware of exploitation in the wild. The researchers named it EchoLeak, describing it as “the first real-world zero-click prompt injection exploit in a production LLM system,” although other researchers arguably got there first.

EchoLeak relies on hidden white-text-on-white-background instructions in an email, which are then ingested into the LLM via RAG (Retrieval-Augmented Generation) when the user asks an entirely pedestrian question (e.g. “Summarize my emails from the past two days”) which requires Copilot to scan the inbox. The malicious instructions have two parts: First, dig up some juicy info, and then retrieve an image from an attacker-controlled server with the sensitive data exfiltrated as a URL parameter.

EchoLeak circumvented Copilot’s Content Security Policy by making the request via a trusted Microsoft service: a now-patched Teams image preview proxy. History suggests that attackers will find other ways out of the walled garden. The Microsoft advisory makes a virtue of minimalism by providing almost no information about the nature of the vulnerability, although Microsoft is surely to be commended for assigning CVEs for cloud service vulnerabilities.

July: The call is coming from inside the intranet

When Patch Tuesday July 2025 came and went without a single exploited-in-the-wild vulnerability published, many people may have breathed a sigh of relief. Possibly this was a valid move, at least for anyone not responsible for a SharePoint instance.

SharePoint defenders will remember July as the month of ToolShell, an actively-exploited vulnerability chain in SharePoint which Microsoft published out of band ten days after Patch Tuesday. Out of band patches for Microsoft flagship products are rare, since they inevitably cause downstream disruption. Once MSTIC publicly attributes exploitation to two Chinese nation-state actors, that line has been crossed.

The vulnerability described by the out-of-band CVE-2025-53770 turned out to be a bypass for the patch introduced by CVE-2025-49704 earlier in the month, which was itself a response to a successful Pwn2Own Berlin entry from May.

August: It’s almost too quiet

Microsoft was not aware of exploitation in the wild for any of the vulnerabilities published as part of Patch Tuesday August 2025. SharePoint admins may have been dealing with the fallout from last month’s ToolShell and bracing for a possible repeat, but August might otherwise have made for an eerily quiet month. Still, the Windows implementation of Kerberos managed to cough up a publicly-disclosed elevate-to-domain-admin vulnerability.

Separately, we learned that simply saving a JPEG could be enough to hand an attacker RCE capabilities, because the internet never sleeps. If the vulnerable codepath had been within JPEG decoding, rather than encoding, this one could have been the biggest vuln of the year.

September: Almost too quiet, part 2

Patch Tuesday September 2025 was the second month in a row with no known-exploited vulnerabilities, but vuln spotters will appreciate that this month saw the publication of a fairly rare beast: a Microsoft vulnerability with a perfect(?) CVSS v3 base score of 10.0, albeit a cloud service vulnerability discovered by Microsoft and patched prior to publication. No customer action required, but also no customer verification possible, and since the impacted cloud service was Azure Networking, the blast radius could have been stupendous.

October: Dial M for exploitation

These days, there are plenty of seasoned IT professionals who don’t even know what a dialup modem negotiation song sounds like, simply because broadband has been around for that long. For younger readers, “broadband” is what we used to call “internet fast enough that you don’t have to wait to download a single email attachment”.

By this point, we all know where this is going: Windows still ships with modem capabilities well beyond their sell-by date, and someone found a good old elevation of privilege vulnerability. The vulnerable fax modem driver was developed almost 30 years ago by a long-defunct third party, and Microsoft has now taken uncharacteristically bold action by removing it from Windows altogether, perhaps recognizing that traditional landlines are no longer available at all in many places. Are there other fax modem drivers still lurking in Windows? You betcha.

Patch Tuesday October 2025 also marked the end of Windows 10, unless you count the cash-for-patches Extended Security Updates (ESU) program.

November: Kernel vuln? Popcorn time

Patch Tuesday November 2025 included an exploited-in-the-wild vulnerability in the Windows kernel itself. While the advisory was light with details, exploitation of CVE-2025-62215 led to elevation to SYSTEM, presumably via a complex bit of memory management three card monte. Those kernel Rust rewrites can’t come soon enough.

December: A cloud of suspicion

After a year filled with variations of the same old exploitable vulns, it might almost be refreshing to consider the altogether more modern-sounding exploited-in-the-wild vulnerability published on Patch Tuesday December 2025. CVE-2025-62221 describes an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.

On Windows, a file or directory can contain a reparse point, a collection of user-controlled metadata designed to be interpreted by a file filter driver. An example would be a file which appears present in a local folder, but where the actual contents of the file are stored remotely on OneDrive. The user double-clicks on the file, the file filter driver intercepts the request, reads the metadata, and calls out to OneDrive, while the user gets the experience of opening the file as though it had been stored locally. Of course, the file filter driver needs kernel access to perform its duties. Find an exploitable flaw in the way a file filter driver parses the metadata, and you can trick it into doing things like overwriting protected system files.

What’s next?

Everything gets faster, including bad things

As Rapid7 has observed repeatedly, time to known exploitation for widely-exploited vulnerabilities has been shrinking year-on-year. By 2022, the time to exploitation after public disclosure for some of the most notable security vulnerabilities was as low as 24 hours. With exploit development now widely augmented by automation and AI, there is every reason to suppose that the window will continue to shrink further.

Threat actors will stay best friends with elevation of privilege vulns

A wormable unauthenticated RCE vulnerability remains the scariest scenario, but mercifully these are historically rare. The one-two combo of minimally-privileged initial access and local privilege escalation presents a much more clear and present danger in most modern threat models. Sure, you could parachute in from a helicopter, abseil down from the roof, and crawl through an air vent to steal the diamond, but why bother when you could simply tailgate a delivery driver, and then distract a maintenance worker while you swipe their all-access keycard?

AI is here to stay, but tech debt is the real killer

In 2026, Microsoft will regularly publish AI-related vulnerabilities, and AI-wielding threat actors will hammer Microsoft’s cloud services. Blue teams managing significant Windows estates will still spend more time worrying about on-prem vulnerabilities where the root cause is a classic software engineering snafu.

Final thoughts

Arguably the biggest takeaway from 2025 is that the more things change, the more they stay the same. The scariest Microsoft vulnerabilities tend to emerge from the same few familiar places: core Windows components with codebases older than many of the humans who rely on them.

Microsoft’s wildly successful business model is founded on a decades-long insistence on ironclad backwards compatibility. Why? Enterprise customers with deep pockets and deeper catalogues of ancient business applications. These retro capabilities come at a high price: a supervolcano of tech debt potentially unmatched in all of human history, and a seemingly endless supply of sort-of-new but depressingly familiar vulnerabilities.

For anyone responsible for defending a significant Microsoft footprint in 2026, tomorrow’s biggest problem remains today’s secrets exposed by yesterday’s software design choices.

Multiple Critical SolarWinds Web Help Desk Vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

Rapid7 Blog

By:Rapid7

28 January 2026 at 09:53

Overview

On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication.

As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers.

The six vulnerabilities are summarized below.

CVE	CVSSv3	CWE
CVE-2025-40551	9.8 (Critical)	Deserialization of Untrusted Data (CWE-502)
CVE-2025-40552	9.8 (Critical)	Weak Authentication (CWE-1390)
CVE-2025-40553	9.8 (Critical)	Deserialization of Untrusted Data (CWE-502)
CVE-2025-40554	9.8 (Critical)	Weak Authentication (CWE-1390)
CVE-2025-40536	8.1 (High)	Protection Mechanism Failure (CWE-693)
CVE-2025-40537	7.5 (High)	Use of Hard-coded Credentials (CWE-798)

Update #1: On February 3, 2026, the unsafe deserialization vulnerability, CVE-2025-40551, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Update #2: On February 12, 2026, the access control bypass vulnerability, CVE-2025-40536, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Technical overview

Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution. RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.

The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses that allow a remote unauthenticated attacker to execute actions or methods on a target system which are intended to be gated by authentication. Based upon the vendor supplied CVSS scores for these two authentication bypass vulnerabilities, the impact is equivalent to the two RCE deserialization vulnerabilities, likely meaning they can also be leveraged for RCE.

In addition to the four critical vulnerabilities, two high severity vulnerabilities were also disclosed. CVE-2025-40536 is an access control bypass vulnerability, allowing an attacker to access functionality on the target system that is intended to be restricted to authenticated users. Separately, CVE-2025-40537 may, under certain conditions, allow access to some administrative functionality on the target system due to the existence of hardcoded credentials.

A full technical analysis of CVE-2025-40551, CVE-2025-40536, and CVE-2025-40537 has been published by the original finders, Horizon3.ai.

Mitigation guidance

A vendor supplied update is available to remediate all six vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554, CVE-2025-40536, and CVE-2025-40537. The following product versions are affected:

SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below.

Customers are advised to update to the latest Web Help Desk version, 2026.1, on an urgent basis outside of normal patching cycles.

For the latest mitigation guidance for SolarWinds Web Help Desk, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose customers can assess their exposure to CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 CVE-2025-40554 with remote vulnerability checks available in the Jan 28 content release.

Updates

January 28, 2026: Added reference to the Horizon3.ai technical analysis.
January 29, 2026: Updated coverage information
February 3, 2026: Updated Overview to add a reference to CVE-2025-40551 being added to the CISA KEV list.
February 13, 2026: Updated Overview to add a reference to CVE-2025-40536 being added to the CISA KEV list.

Threat Actors Using AWS WorkMail in Phishing Campaigns

Rapid7 Blog

By:Jan Blažek

27 January 2026 at 12:31

Introduction

At Rapid7, we track a wide range of threats targeting cloud environments, where a frequent objective is hijacking victim infrastructure to host phishing or spam campaigns. Beyond the obvious security risks, this approach allows threat actors to offload their operational costs onto the target company, often resulting in significant, unwanted bills for services the victim never intended to use.

Rapid7 recently investigated a cloud abuse incident in which threat actors leveraged compromised AWS credentials to deploy phishing and spam infrastructure using AWS WorkMail, bypassing the anti-abuse controls normally enforced by AWS Simple Email Service (SES). AWS SES is a general-purpose, API-driven email platform intended for application-generated email such as transactional notifications and marketing messages. This allows the threat actor to leverage Amazon’s high sender reputation to masquerade as a valid business entity, with the ability to send email directly from victim-owned AWS infrastructure. Generating minimal service-attributed telemetry also makes threat actor activity difficult to distinguish from routine activity. Any organization with exposed AWS credentials and permissive Identity and Access Management (IAM) policies are potentially at risk, particularly those without guardrails or monitoring around WorkMail and SES configuration.

In this post, we analyzed a real-world incident observed by our MDR team in which threat actors abused native AWS email services to build phishing and spam infrastructure inside a compromised cloud environment. We will reconstruct the attacker’s progression from credential validation and IAM reconnaissance to bypassing Amazon SES safeguards by pivoting to AWS WorkMail. Along the way, we highlight how legitimate service abstractions can be leveraged to evade detection, examine the resulting logging and attribution gaps, and outline practical detection and prevention strategies defenders can use to identify and disrupt similar cloud-native abuse.

Background: AWS WorkMail and its key components

AWS WorkMail is a fully managed business email and calendaring service that allows organizations to operate corporate mailboxes without deploying or maintaining their own mail servers. It supports standard email protocols such as IMAP and SMTP, as well as common desktop and mobile clients, making it a lightweight, pay-as-you-go alternative for teams already operating within AWS.

To understand the activities performed by threat actors in the incident, it’s important to first introduce several core concepts within AWS WorkMail.

Organization

An Organization is the top-level container in WorkMail. It represents an isolated email environment that holds all users, groups, and domains. Each WorkMail organization is region-specific and operates independently, which allows attackers to create disposable, self-contained email infrastructures with minimal setup.

Users

Users represent individual mail-enabled identities within a WorkMail organization. After a user is created using the “workmail:CreateUser” API call, a mailbox can be assigned via a “workmail:RegisterToWorkMail”API call. Once registered, the user can authenticate to the AWS WorkMail web client or connect via standard email protocols and immediately begin sending and receiving email.

Groups

Groups are collections of users that can receive email on behalf of multiple members. They are typically used for distribution lists or shared inboxes and can simplify bulk message delivery or internal coordination within a WorkMail organization.

Domains

Domains define the email address namespace used by a WorkMail organization (e.g.@example.com). Before a domain can be used, ownership must be verified. This verification process leverages the standard domain verification mechanism of Amazon Simple Email Service, typically via DNS records. Once verified, the domain can be actively used for sending and receiving email, enabling threat actors to operate from attacker-controlled, but seemingly legitimate, domains.

Attack analysis

The diagram below contains a graphical representation of the key events carried out by the attackers throughout the attack, starting with initial access actions, continuing through privilege escalation, and ending with the achievement of objectives.

Graphical-visualization-of-AWS-workmail-phishing-attack.png — Figure 1: Graphical visualization of the attack

Initial access

The compromise began with the exposure of long-term AWS access keys. The first indication of malicious activity was an “sts:GetCallerIdentity” API call with the User-Agent set to “TruffleHog Firefox.” This strongly suggests the use of TruffleHog, a tool commonly leveraged by adversaries to discover and validate leaked credentials from sources such as GitHub, GitLab, and public S3 buckets. Rapid7 has frequently observed TruffleHog usage in active campaigns, including activity attributed to groups such as the Crimson Collective.

Several days after this initial credential validation, we observed suspicious activity involving a second IAM user authenticated via long-term access keys. While we cannot conclusively prove that both users were accessed by the same operator, multiple factors suggest they were part of the same intrusion activity. Notably, both authentications originated from the same geographic region, which was anomalous for the victim’s normal operating patterns. Throughout the incident window, access to both accounts was conducted through a rotating set of IP addresses associated primarily with cloud service providers such as Amazon and DigitalOcean. This infrastructure choice is consistent with common adversary tradecraft used to obfuscate true origin and blend into legitimate cloud-to-cloud traffic.

⠀

TruffleHog-output-discovered-credentials-for-Google-Cloud-Platform.png — Figure 2: Example TruffleHog output showing discovered credentials for Google Cloud Platform (GCP)

Discovery phase and privilege escalation

Following initial access, the first compromised user was used to perform basic environment discovery via native AWS APIs. These attempts repeatedly resulted in AccessDenied errors, indicating that the exposed credentials were constrained by limited permissions. The activity was conducted using the AWS command-line interface (CLI), suggesting hands-on, interactive exploration by the threat actor rather than automated tooling.

After encountering these limitations, the adversary shifted activity to the second set of compromised credentials, which possessed significantly broader permissions. With this user, enumeration became more deliberate and structured. The actor began with iam:ListUsers API calls to understand the identity landscape and then used a technique of intentionally triggering API errors to confirm specific permissions without making persistent changes.

As part of this broader discovery effort, the actor also queried Amazon SES to assess its current configuration and readiness for abuse. Specifically, they executed ses:GetAccount and ses:ListIdentities. These calls allowed the adversary to quickly map the operational status of SES within the account. The ses:ListIdentities API call was used to determine whether any verified identities (domains or email addresses) already existed that could be immediately leveraged for sending mail; none were present at the time. In parallel, ses:GetAccount was used to identify whether the account was operating in the SES sandbox, which would impose strict sending limits and require additional steps before large-scale email campaigns could be launched.

This SES-focused reconnaissance indicates early intent to abuse email-sending capabilities and demonstrates how attackers can efficiently evaluate service readiness using only a small number of low-noise management API calls.

For example, the actor attempted to create an IAM user that already existed. The resulting error response confirmed possession of iam:CreateUser permissions without successfully creating a new entity:

⠀

{
"userAgent": "aws-cli/1.22.34 Python/3.10.12 Linux/5.15.0-113-generic botocore/1.23.34",
"errorCode": "EntityAlreadyExistsException",
"errorMessage": "User with name xxxx already exists."
}

Listing 1: Part of the iam:CreateUser CloudTrail log

⠀

A similar validation was performed using iam:CreateLoginProfile. By supplying a password that violated the account’s password policy, the actor received a PasswordPolicyViolationException, confirming their ability to create console login profiles:

⠀

{
"userAgent": "aws-cli/1.22.34 Python/3.10.12 Linux/5.15.0-113-generic botocore/1.23.34",
"errorCode": "PasswordPolicyViolationException",
"errorMessage": "Password should have at least one uppercase letter"
}

Listing 2: Part of the iam:CreateLoginProfile CloudTrail log

⠀

After validating the scope of their privileges, the adversary created a new IAM user, attached the AWS managed policy “AdministratorAccess”, and established a login profile to enable AWS Management Console access. This marked a transition from CLI-based reconnaissance to full GUI-based control, providing unrestricted access and setting the stage for subsequent operational activity.

Action on objectives: Preparing email infrastructure for abuse

By the end of the discovery phase, the threat actor had established two critical facts:

No verified identities existed in Amazon Simple Email Service (SES).
The account remained restricted by the SES sandbox.

The SES sandbox is explicitly designed to limit fraud and abuse, and its restrictions effectively prevent meaningful phishing or spam campaigns. While an account remains in the sandbox, the following controls apply:

Emails can only be sent to verified identities (email addresses or domains) or the SES mailbox simulator.
A maximum of 200 messages per 24-hour period.
A maximum sending rate of 1 message per second.

These constraints made SES unsuitable for immediate abuse at scale. Rather than abandoning the service, the attacker initiated a process to legitimize higher-volume email sending.

First, they opened a support case with AWS requesting removal from the SES sandbox. In parallel, they requested a substantial increase to the daily sending quota— setting it to 100,000 emails per day —using the servicequotas:RequestServiceQuotaIncrease API call.

⠀

{
    "requestParameters": {
"serviceCode": "ses",
"quotaCode": "L-XXXXXX",
"desiredValue": 100000
	
}

Listing 3: Request parameters from RequestServiceQuotaIncrease API call

⠀

During this waiting period, the actor focused on persistence and stealth. Multiple IAM users were created.. These usernames were deliberately chosen to resemble region- or service-scoped automation accounts rather than human operators. To further reduce suspicion during IAM audits, the attacker attached narrowly scoped, SES-only policies to these users instead of broad administrative permissions. This approach allowed them to preserve operational access while minimizing obvious indicators of compromise such as over-privileged identities.

At this stage, the attacker had effectively prepared the account for large-scale email abuse-but they did not wait for AWS approval to proceed.

Bypassing SES controls by abusing AWS WorkMail

Rather than remaining idle while SES sandbox removal and quota increases were pending, the attacker pivoted to AWS WorkMail, which offers an alternative email-sending pathway with significantly fewer upfront restrictions.

Using the workmail:CreateOrganization API, the threat actor created multiple WorkMail organizations. They then initiated domain verification workflows for domains designed to appear legitimate and business-like, including:

cloth-prelove[.]me
ipad-service-london[.]com

Domain verification was performed through ses:VerifyDomainIdentity and ses:VerifyDomainDkim, with the calls originating from workmail.amazonaws.com. This highlights an important nuance for defenders: although SES APIs are involved, the activity is driven by WorkMail provisioning rather than traditional SES email campaigns.

Once domain verification was completed, the actor created multiple mailbox users directly within WorkMail, such as:

service@ipad-service-london[.]com
marketing@ipad-service-london[.]com

These accounts served two purposes. First, they established persistence at the application layer, independent of IAM. Second, they provided credible sender identities for phishing and spam operations, closely resembling legitimate corporate email addresses.

There were also AWS directory service events logged by CloudTrail that show new aliases created for the new sender domains, using the victim’s directory tenant:

CreateAlias

AuthorizeAppication

This pivot is particularly impactful because AWS WorkMail does not implement a sandbox model comparable to SES. Emails can be sent immediately to external, unverified recipients. Additionally, WorkMail supports significantly higher sending volumes than SES sandbox limits. While Rapid7 has not empirically validated the maximum throughput, AWS documentation cites a default upper limit of 100,000 external recipients per day per organization, aggregated across all users.

Email sending methods and logging gaps

The attacker had two viable options for sending email through WorkMail:

1. Web interface
Emails sent through the AWS WorkMail web client may surface indirectly in CloudTrail as “ses:SendRawEmail” events. These events are generated because WorkMail uses Amazon Simple Email Service (SES) as its underlying mail transport, even though the messages are composed and sent entirely through the WorkMail application.

While these events are not attributed to an IAM principal, they do expose several pieces of valuable metadata within the “requestParameters” field — most notably the sender’s email address and associated SES identity. This allows defenders to link outbound email activity to specific WorkMail users and recently verified domains, even in the absence of traditional application or message-level logs.

One notable limitation of these “ses:SendRawEmail” events is the absence of a true client source IP address. Because emails sent via the WorkMail web interface are executed by an AWS-managed service on behalf of the mailbox user, CloudTrail records the “sourceIPAddress” as “workmail.<region>.amazonaws.com” rather than the originating IP address of the actor’s browser session. This effectively obscures the attacker’s true network origin and prevents defenders from correlating email-sending activity with suspicious IP ranges, TOR exit nodes, or previously observed intrusion infrastructure.

⠀

{
"eventVersion": "1.11",
"userIdentity": {
"type": "AWSService",
"invokedBy": "workmail.us-east-1.amazonaws.com"
    },
"eventTime": "2025-12-20T11:26:59Z",
"eventSource": "ses.amazonaws.com",
"eventName": "SendRawEmail",
"awsRegion": "us-east-1",
"sourceIPAddress": "workmail.us-east-1.amazonaws.com",
"userAgent": "workmail.us-east-1.amazonaws.com",
"requestParameters": {
"sourceArn": "arn:aws:ses:us-east-1:123456789012:identity/malicious-organiation[.]com",
"destinations": [
"HIDDEN_DUE_TO_SECURITY_REASONS"
        ],
"source": "=?UTF-8?Q?Malicious_User?= <marketing@malicious-organiation[.]com>",
"fromArn": "arn:aws:ses:us-east-1:123456789012:identity/malicious-organiation[.]com",
"configurationSetName": "gcp-iad-prod-workmail-default-configuration-set",
"rawMessage": {
"data": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
    },
"responseElements": null,
"additionalEventData": {
"SignatureVersion": "4",
"sesMessageId": "0100019b3c4a8bb7-50af951c-fbd4-4610-bc94-c7fc35733699-000000"
    },
"requestID": "aff61405-04bd-4969-802a-7ce4d5946949",
"eventID": "c34ed12d-5bec-3fdd-aef9-57ae4313ca88",
"readOnly": true,
"resources": [
        {
"accountId": "123456789012",
"type": "AWS::SES::ConfigurationSet",
"ARN": "arn:aws:ses:us-east-1:123456789012:configuration-set/gcp-iad-prod-workmail-default-configuration-set"
        },
        {
"accountId": "123456789012",
"type": "AWS::SES::EmailIdentity",
"ARN": "arn:aws:ses:us-east-1:123456789012:identity/malicious-organiation[.]com"
        }
    ],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"sharedEventID": "xxx",
"eventCategory": "xxx"}

Listing 4: SendRawEmail event logged after an email is sent via AWS WorkMail web interface⠀

⠀

While limited, this telemetry can still be valuable for correlating suspicious sending behavior with recently created WorkMail users or newly verified domains.

2. SMTP access
Alternatively, the attacker can authenticate directly to WorkMail’s SMTP endpoint and send messages programmatically. Emails sent via SMTP do not generate CloudTrail events, even when SES data events are enabled, creating a significant blind spot for defenders.

An example Python script used to send email through WorkMail SMTP is shown below:

⠀

import smtplib
from email.message import EmailMessage

# Configuration
SMTP_SERVER = "smtp.mail.us-east-1.awsapps.com"
SMTP_PORT = 465
EMAIL_ADDRESS = "email@example.com"
EMAIL_PASSWORD = "****"

# Create the message
msg = EmailMessage()
msg["Subject"] = "WorkMail SMTP"
msg["From"] = EMAIL_ADDRESS
msg["To"] = "<unverified_email>"
msg.set_content("Email Delivered to an Unverified Email via AWS WorkMail")

# Send the email
try:
with smtplib.SMTP_SSL(SMTP_SERVER, SMTP_PORT) as smtp:
smtp.login(EMAIL_ADDRESS, EMAIL_PASSWORD)
smtp.send_message(msg)
print("Email sent successfully!")
except Exception as e:
print(f"Error: {e}")

Listing 5: Example script sending messages via AWS WorkMail via SMTP

⠀

From an attacker’s perspective, this method is ideal: higher volume, immediate external reach, and minimal centralized logging. From a defender’s perspective, it underscores the importance of monitoring WorkMail organization creation, domain verification events, and mailbox provisioning, as these actions often precede phishing activity that will never be visible in CloudTrail.

Conclusion

This incident illustrates how threat actors can abuse higher-level AWS services to deploy phishing and spam infrastructure closely resembling legitimate enterprise usage. While AWS WorkMail is not designed to support bulk email operations, attackers can still leverage it as an interim capability alongside Amazon SES. By abusing WorkMail’s authenticated mailboxes and relaxed upfront controls, adversaries can begin sending lower volumes of email immediately — well before SES is moved out of the sandbox and higher sending quotas are approved. This staged approach allows attackers to establish sender reputation, validate infrastructure, and maintain operational momentum while bypassing many of the friction points intentionally built into SES.

To mitigate this class of abuse, organizations should combine preventive guardrails with focused detection. Where AWS WorkMail is not required, its use should be explicitly blocked using AWS Organizations Service Control Policies (SCPs) to prevent organization creation and mailbox provisioning. In environments where WorkMail is needed, IAM policies should enforce strict least-privilege access and treat WorkMail and SES administration as privileged operations subject to monitoring and approval. Finally, organizations should reduce the likelihood of initial access by implementing secure development and operational practices — such as secret scanning in code repositories, regular key rotation, and minimizing long-term access keys — to limit the impact of credential leakage and prevent attackers from converting compromised credentials into scalable email abuse.

MITRE ATT&CK techniques

Tactic	Technique	Details
Initial Access	Valid Accounts: Cloud Accounts (T1078.004)	The attacker authenticated to AWS using exposed long-term access keys validated with sts:GetCallerIdentity
Persistence	Create Account: Cloud Account (T1136.003)	The attacker created multiple IAM users and AWS WorkMail mailbox users to maintain persistent access
Privilege Escalation	Account Manipulation: Additional Cloud Roles (T1098.003)	The attacker attached the AdministratorAccess managed policy to a newly created IAM user
Discovery	Cloud Infrastructure Discovery (T1580)	The attacker enumerated IAM users and assessed Amazon SES configuration and sandbox status via API calls
Impact	Resource Hijacking: Cloud Service Hijacking (T1496.004)	The attacker abused AWS WorkMail and SES to send high-volume phishing and spam emails from the victim account

Indicators of compromise (IOCs)

139.59.117[.]125

3.0.205[.]202

54.151.176[.]0

Note: IP addresses 3.0.205[.]202 and 54.151.176[.]0 are Amazon owned IP addresses so care should be taken when applying IP blocks.

Rapid7 customers

InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7’s expansive library of detection rules. These detections are deployed and will alert on the behaviors described in this technical analysis.

The End of the Road for Cisco Kenna: Take a Measured Path into Exposure Management

Rapid7 Blog

By:Michael Chroney

27 January 2026 at 09:09

Cisco’s announcement that it will sunset Cisco Vulnerability Management (Kenna) marks a clear inflection point for many security teams. With end-of-sale and end-of-life timelines now defined, and no replacement offering on the roadmap, Kenna customers face an unavoidable decision window.

Beyond the practical need to replace a tool, Kenna’s exit raises a bigger question for security leaders: what should vulnerability management look like moving forward?

Not just a tool change

For many organizations, Kenna wasn’t “just another scanner”. Before their acquisition by Cisco in 2021, Kenna Security helped pioneer a shift away from chasing raw CVSS scores and toward prioritization based on real-world risk, influencing how many teams approach risk-based vulnerability management. Security teams invested years building workflows, reporting, and executive trust around that model.

That’s why this moment feels different. Replacing Kenna isn’t about checking a feature box, it’s about protecting the integrity of the progress teams have already made while using this moment to elevate programs past traditional vulnerability management.

Security leaders are rightly cautious. No one wants to:

Rush into a short-term replacement vs. a platform that suits current and future needs
Trade proven prioritization for untested promises
Disrupt remediation workflows that engineering teams finally trust

At the same time, few teams believe traditional vulnerability management – isolated scanners, static scoring, endless ticket queues – is sufficient on its own anymore.

So where does that leave you?

“Risk-based vulnerability management is dead” doesn’t tell the full story

In response to Kenna’s end-of-life, much of the market has rushed to frame this as the end of risk-based vulnerability management (RBVM) altogether. The message is often loud and binary: RBVM is outdated, jump straight to exposure management.

In practice, that framing doesn’t match how security programs actually evolve.

Most organizations are not abandoning vulnerability management. They are expanding it:

From on-prem to hybrid and cloud
From isolated findings to broader attack surface context
From vulnerability lists to exposure-driven decisions
From static to continuous

The mistake is assuming this evolution requires a hard reset, or that exposure management is completely separate and not part of that evolution.

For CISOs and hands-on leaders alike, the smarter question is: how do we preserve what works today, while building toward what we know we’ll need tomorrow?

What Kenna customers should prioritize next

As you evaluate what comes after Kenna, the right decision comes down to which platform can consistently deliver security outcomes and measurable risk reduction:

Continuity without disruption

Your team already understands risk-based prioritization. The next platform should strengthen that muscle, not force you back to severity-only thinking or one-dimensional scoring models that ignore business context and threat intelligence.

See risk clearly across on-prem, cloud, and external environments

Risk doesn’t live exclusively on-prem or in the cloud. Vulnerability data needs to reflect the reality of modern environments – endpoints, cloud workloads, external-facing assets – without fragmenting visibility. It needs to build on what teams already have by supporting findings from a broad range of existing tools and services, so risk can be understood in one place instead of scattered across platforms.

Customizable remediation workflows

Prioritization only matters if it leads to action. Look for platforms that help security and IT teams collaborate, track ownership, and measure progress without creating more friction.

A credible path forward

Exposure management is valuable only when it’s grounded in accurate data, operational context, and day-to-day usability. Security teams are already drowning in findings across tools, and without context that explains what matters and why, exposure management adds more noise instead of helping teams make decisions and reduce risk. That noise shows up in familiar ways: duplicate findings aren’t reconciled, conflicting risk scores between tools, unclear ownership for remediation, and long lists of issues with no clear path to action.

Why this moment favors steady platforms, not big bets

Kenna’s exit creates pressure, but pressure shouldn’t drive risky or forced decisions. Security leaders are accountable not just for vision, but for outcomes, such as:

Are we reducing real risk this quarter?
Can we explain prioritization decisions to the board?
Will this platform still support us two or three years from now?

This is where vendor stability, roadmap clarity, and operational proof start to matter more than bold claims.

The strongest next steps are coming from platforms that already deliver visibility across hybrid environments, mature, threat-informed vulnerability prioritization, and integrated remediation workflows that teams actually use. From there, exposure management becomes an evolution, not a leap of faith.

A measured path forward

Kenna’s EOL doesn’t signal the end of risk-based vulnerability management. It signals that security programs are ready to expect more from it. For security leaders this is an opportunity to reaffirm what has worked in your program, close real visibility and workflow gaps, and choose a platform that supports both near-term continuity and long-term growth.

The goal isn’t to chase the next trend. It’s to make a confident, practical decision – one that protects today’s outcomes while positioning your team for what’s next.

Looking ahead

If you’re navigating what comes after Cisco Kenna, the most important step is understanding your options early, before timelines force rushed decisions. Explore what a confident transition can look like and how teams are approaching continuity today while preparing for exposure management tomorrow.

Metasploit Wrap-Up 01/23/2026

Rapid7 Blog

By:Jack Heysel

23 January 2026 at 16:00

Oracle E-Business Suite Unauth RCE

This week, we are pleased to announce the addition of a module that exploits CVE-2025-61882, a pre-authentication remote code execution vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14. The exploit chains multiple flaws—including SSRF, path traversal, HTTP request smuggling, and XSLT injection—to coerce the target into fetching and executing a malicious XSL file hosted by the attacker. Successful exploitation results in arbitrary command execution and an interactive shell on both Linux/Unix and Windows targets. The module is reliable, repeatable, and we here at Metasploit hope you enjoy it, happy hacking!

New module content (3)

Authenticated RCE in Splunk (splunk_archiver app)

Authors: Alex Hordijk, Maksim Rogov, and psytester Type: Exploit Pull request: #20770 contributed by vognik Path: linux/http/splunk_auth_rce_cve_2024_36985 AttackerKB reference: CVE-2024-36985

Description: This adds two separate Metasploit exploit modules targeting Remote Code Execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the "copybuckets" lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: All releases prior to 9.0.10, 9.1.2 through 9.1.5, 9.2.0 through 9.2.2 CVE-2022-43571, exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. Malicious code is executed when a user exports the dashboard to PDF. Affected versions: All releases prior to 8.1.12, 8.2.0 through 8.2.9, 9.0.0 through 9.0.2.

Oracle E-Business Suite CVE-2025-61882 RCE

Authors: Mathieu Dupas and watchTowr (Sonny, Sina Kheirkhah, Jake Knott) Type: Exploit Pull request: #20750 contributed by MatDupas Path: multi/http/oracle_ebs_cve_2025_61882_exploit_rce AttackerKB reference: CVE-2025-61882

Description: This adds an exploit for CVE-2025-61882, a critical Remote Code Execution (RCE) vulnerability in Oracle E-Business Suite (EBS). The flaw allows unauthenticated attackers to execute arbitrary code by leveraging a combination of SSRF, HTTP request smuggling and XSLT injection. Affected Versions: Oracle E-Business Suite, 12.2.3-12.2.14.

Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)

Authors: Danylo Dmytriiev, Maksim Rogov, and psytester Type: Exploit Pull request: #20770 contributed by vognik Path: multi/http/splunk_auth_rce_cve_2022_43571 AttackerKB reference: CVE-2022-43571

Enhancements and features (3)

#20755 from rudraditya21 - This adds an advanced datastore option, KrbClockSkew, to modules that use Kerberos authentication, allowing operators to adjust the Kerberos clock from the Metasploit side to fix clock skew errors.
#20840 from xaitax - This updates the MongoBleed auxiliary module and adds new options. The module can now use Wiz Magic Packet to detect the vulnerability quickly; it can detect compression libraries used by MongoDB (and warns or stops the user if zlib is not enabled). The module can also reuse the MongoDB socket connection during memory scanning, which significantly improves performance. Finally, it can better leak secrets, either by pattern matching or by storing the extracted information in raw or JSON format.
#20861 from bcoles - Adds multiple improvements to get_hostname resolution logic for post exploitation modules.

Bugs fixed (1)

#20888 from jheysel-r7 - Fixes an issue that caused dMSA kerberos authentication to fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

From Signals to Strategy: What Security Teams Must Prepare for in 2026

Rapid7 Blog

By:Rapid7

22 January 2026 at 10:29

The 2026 Security Predictions webinar reinforced a simple but uncomfortable truth. The forces shaping cyber risk are not new, but they are converging faster and with greater impact than many organizations are ready for. Geopolitics, insider risk, and threat intelligence have long influenced cyber operations. What has changed is the extent to which they directly affect everyday security decisions.

Geopolitical risk is now an operational concern

Cyber operations have always reflected geopolitical realities. Nation-states have used cyber capabilities for espionage, surveillance, and disruption for decades. Historically, these activities focused on governments, critical infrastructure, or defense sectors.

That line has faded.

Today, private organizations are increasingly targeted as proxies. Supply chains, cloud providers, and SaaS platforms offer scale, access, and plausible deniability for state-aligned groups. Many of these campaigns are not designed for immediate disruption. Instead, they focus on intelligence gathering, long-term access, or positioning that can be activated later.

For security teams, this shift creates a new challenge. Geopolitical motivation does not follow traditional cybercrime logic. Organizations that do not consider themselves high risk can still become collateral targets because of who they work with, where they operate, or what services they provide.

Geopolitical awareness can no longer sit outside the SOC. It must influence monitoring priorities, threat modeling, and response readiness.

Looking ahead: Action plan for 2026

Security teams should track geopolitical developments and understand how global events influence attacker behavior. Curated threat intelligence helps translate abstract risk into concrete tools, infrastructure, and techniques that defenders can monitor.

Incident response playbooks should also account for politically motivated attacks. These scenarios benefit from executive pre-approval, allowing teams to respond decisively when intent is unclear but potential impact is high.

Finally, organizations should map exposure across suppliers, technology partners, and infrastructure dependencies. Understanding where geopolitical risk intersects with your environment is now essential for resilience.

Insider threats are becoming a primary breach driver

Insider threats are not a new problem, but their role in breaches continues to grow. Within the 2026 Security Predictions webinar, the panel emphasized that insider risk now spans a wide spectrum. At one end is simple negligence, including phishing mistakes, misconfigurations, and poor access hygiene. At the other is deliberate access monetization, where credentials or privileged access are sold or misused.

Several factors are accelerating this trend. Workforce stress, economic pressure, role churn, and identity sprawl all increase the likelihood that access will be abused or misused. In many cases, breaches now begin with valid credentials, making traditional perimeter defenses less effective.

This reality forces a shift in how security teams think about trust and access. Valid access no longer means safe access.

Looking ahead: Action plan for 2026

Security teams should establish behavior baselines across users and roles to identify anomalous activity early. Unexpected access patterns, unusual downloads, or irregular logins often provide the first signal that something is wrong.

Just as important is fostering a speak-up culture. Employees should be encouraged to report phishing attempts, mistakes, or suspicious behavior without fear. Early reporting often determines whether an incident is contained quickly or escalates.

Privilege models also require regular review. Least privilege must be continuous, not static. As roles evolve and environments change, access should be reassessed to reduce blast radius when incidents occur.

Context is becoming the decisive advantage

Threat intelligence and detection capabilities have advanced rapidly, but volume alone does not improve outcomes. Security teams now face more alerts, more telemetry, and more data than ever before. The challenge is deciding what matters.

The panel highlighted that speed without context creates noise, not security. As exploitation windows shrink and attacks scale, teams that lack context struggle to prioritize, investigate, and respond effectively.

Context brings together asset criticality, exposure, threat intelligence, and business impact. Teams that operate with this understanding move faster because they know where to focus and why.

This shift also changes how security leaders communicate value. Metrics tied to readiness, risk reduction, and response effectiveness resonate far more than raw alert counts.

Looking ahead: Action plan for 2026

Security leaders should align SecOps and executive stakeholders around shared dashboards and context-rich briefings. These views should emphasize readiness gaps, exposure trends, and investment value, rather than activity volume.

Organizations should also rationalize security tooling around outcomes. High-impact tools that improve time to detect, time to respond, and analyst efficiency matter more than broad coverage alone.

Finally, teams should reinvest saved time and budget into areas that compound over time. Automation, threat intelligence, and staff development all strengthen resilience when supported consistently.

Preparing for what comes next

The webinar made it clear that success in 2026 will depend on integration, awareness, and context. Geopolitical risk, insider threats, and intelligence-driven defense are no longer separate concerns. They intersect daily inside modern security operations.

Teams that acknowledge this reality and act early will be better positioned to respond with confidence, adapt to change, and stay ahead of increasingly sophisticated attackers.

Missed the live session? Watch the 2026 Security Predictions webinar to understand the forces shaping cyber risk and what to prioritize next.

Rapid7 MDR Integrates Microsoft Defender Signals to Create Tangible Security Outcomes

Rapid7 Blog

By:Rapid7

21 January 2026 at 09:00

Organizations increasingly rely on Microsoft as their foundational productivity and security technology provider. As these environments grow in scale and complexity, security leaders are responsible for operationalizing the vast signals traversing their Microsoft stack in order to anticipate and preempt threats. At the same time, those efforts must deliver measurable security outcomes and clear return on investment.

If you’re reading this, you already know what’s at stake. But I’ll say it louder for the folks in the back: As more of your environment consolidates onto Microsoft, the attack surface evolves – and without fully operationalizing that ecosystem, risk grows alongside it.

We are excited to announce the availability of Rapid7 MDR for Microsoft – a preemptive threat detection, investigation, and response service that brings together Rapid7’s global SOC, our market-leading SIEM technology, and deeper bi-directional Microsoft Defender integrations. The service helps security and IT teams maximize their investments, reduce cost and complexity, respond decisively to threats, and improve their security posture and resilience.

Extend the power of your stack

Microsoft Defender provides broad visibility across modern environments – from endpoint and identity to cloud and email. That visibility leads many organizations to a fine line, where it can either mean rich, actionable insight for some security teams, and overwhelming signal volume and missed alerts for others. Rapid7 helps organizations build a clear picture from the rich telemetry by bringing these Microsoft signals together with our native telemetry. And by incorporating exposure and asset risk directly into investigations, our SOC is empowered to anticipate likely breach paths and intervene earlier in the attack lifecycle. Combining your Microsoft security stack with our preemptive MDR ultimately helps you:

Anticipate attacks before they start
Respond with certainty across the full attack lifecycle
Strengthen resilience through partnership
Get better outcomes from Microsoft - not overhead

Capabilities that drive real-world outcomes

Leaning into Rapid7’s proven record as a leader in managed detection and response, MDR for Microsoft combines powerful AI-SOC technology with expert human service delivery to help Microsoft-centric organizations achieve measurable security outcomes. In IDC’s recent Business Value of Rapid7 MDR study, customers achieved a 422% three-year ROI, identified threats 87% faster, and reduced the likelihood of a major security event by 54%. MDR for Microsoft delivers these same results through capabilities designed to operationalize and protect Microsoft environments at scale, including:

Risk-aware analysis that stops attacks earlier: By pairing enterprise vulnerability risk management with analysis of live threat activity, the service preemptively identifies the attack paths most likely to be exploited – empowering efficient analyst evaluation with a clear understanding of underlying asset context.

Dedicated cybersecurity advisor extends your team: Your advisor leverages their practitioner experience to provide regular threat briefings, environment-hardening advice, program governance, and health checks – helping drive long-term maturity without adding headcount.
Decisive response backed by deep forensics and unlimited IR: Remote containment, endpoint forensics powered by our open-source DFIR framework – Velociraptor – and unlimited incident response ensure threats are stopped quickly, and fully investigated and neutralized before our team rests.

Unlimited log ingestion delivers predictable value: Remove SIEM cost constraints and ensure complete visibility so investigations are never limited by data volume or surprise overage fees.
Bi-Directional Defender integration that reduces friction: Endpoint alerts and analyst actions stay synchronized between Rapid7 and Microsoft consoles, keeping systems aligned while laying the foundation for broader integrations across additional Microsoft security vectors.
Always-on, expert-led SOC coverage: Our 24x7x365 global SOC continuously monitors and investigates activity across Microsoft and non-Microsoft environments, ensuring threats are identified and acted on as soon as they emerge.
Full transparency into SOC activity and outcomes: With direct access to the SIEM and investigation workflows, your team can ride sidecar on investigations, run your own queries, upskill internal teams, and clearly see the outcomes being delivered by the Rapid7 SOC over time.

Additional value-drivers included in the service are unlimited SOAR automation, standard 13-month data retention with the ability to extend, proactive threat hunting, and AI-assisted investigation workflows, delivering a comprehensive MDR experience that scales with your environment and outpaces attackers.

Make the most of Microsoft Defender with Rapid7

As Microsoft continues to serve as the backbone of modern environments, the ability to translate security signals into consistent action becomes increasingly critical. MDR for Microsoft is designed to help security leaders move confidently from visibility to outcomes – pairing the strength of Microsoft Defender with Rapid7’s proven expertise, preemptive risk-awareness, and resilience-building capabilities. The result is a security program that not only sees more, but responds faster, operates with greater confidence, and proves its value as environments continue to scale.

If you’d like to see how MDR for Microsoft can help you operationalize your Microsoft security stack, request a demo or reach out to your Rapid7 account team to continue the conversation.

Metasploit Wrap-Up 01/16/2026

Rapid7 Blog

By:Simon Janusz

16 January 2026 at 13:49

Persistence, dMSA Abuse & RCE Goodies

This week, we have received a lot of contributions from the community, such as h00die, Chocapikk and countless others, which is greatly appreciated. This week’s modules and improvements in Metasploit Framework range from new modules, such as dMSA Abuse (resulting in escalation of privilege in Windows Active Directory environments), authenticated and unauthenticated RCE modules, as well as many improvements and additions to the persistence modules and techniques.

New module content (13)

BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory

Authors: AngelBoy, Spencer McIntyre, and jheysel-r7

Type: Auxiliary

Pull request: #20472 contributed by jheysel-r7

Path: admin/ldap/bad_successor

Description: This adds an exploit for "BadSuccessor" which is a vulnerability whereby a user with permissions to an Organizational Unit (OU) in Active Directory can create a Delegated Managed Service Account (dMSA) account in such a way that it can lead to the issuance of a Kerberos ticket for an arbitrary user.

Control Web Panel /admin/index.php Unauthenticated RCE

Authors: Egidio Romano and Lukas Johannes Möller

Type: Exploit

Pull request: #20806 contributed by JohannesLks

Path: linux/http/control_web_panel_api_cmd_exec

AttackerKB reference: CVE-2025-67888

Description: This adds a new module for Control Web Panel (CVE-2025-67888). The vulnerability is unauthenticated OS command injection through an exposed API. The modules require Softaculous to be installed.

Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload

Author: Alexandru Ionut Raducu

Type: Exploit

Pull request: #20811 contributed by Xorriath

Path: linux/http/prison_management_rce

AttackerKB reference: CVE-2024-48594

Description: This adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are subsequently used to exploit unrestricted file upload to upload a webshell.

udev Persistence

Author: Julien Voisin

Type: Exploit

Pull request: #20796 contributed by h00die

Path: linux/persistence/udev

Description: This moves the udev persistence module into the persistence category and adds the persistence mixin.

n8n Workflow Expression Remote Code Execution

Author: Lukas Johannes Möller

Type: Exploit

Pull request: #20810 contributed by JohannesLks

Path: multi/http/n8n_workflow_expression_rce

AttackerKB reference: CVE-2025-68613

Description: This adds a new module for n8n (CVE-2025-68613). The vulnerability is authenticated remote code execution in the workflow expression evaluation engine. The module requires credentials to create a malicious workflow that executes system commands via a JavaScript payload.

Web-Check Screenshot API Command Injection RCE

Author: Valentin Lobstein chocapikk@leakix.net

Type: Exploit

Pull request: #20791 contributed by Chocapikk

Path: multi/http/web_check_screenshot_rce

AttackerKB reference: CVE-2025-32778

Description: Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check's screenshot API endpoint which allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.

Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key

Authors: OJ Reeves and h00die

Type: Exploit

Pull request: #20751 contributed by h00die

Path: windows/persistence/accessibility_features_debugger

Description: This updates the Windows sticky keys post persistence module to use the new persistence mixin.

WMI Event Subscription Event Log Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die

Path: windows/persistence/wmi/wmi_event_subscription_event_log

Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.

WMI Event Subscription Interval Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die

Path: windows/persistence/wmi/wmi_event_subscription_interval

WMI Event Subscription Process Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die

Path: windows/persistence/wmi/wmi_event_subscription_process

WMI Event Subscription Logon Timer Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die

Path: windows/persistence/wmi/wmi_event_subscription_uptime

Linux Chmod

Author: bcoles bcoles@gmail.com

Type: Payload (Single)

Pull request: #20845 contributed by bcoles

Path: linux/armle/chmod and linux/aarch64/chmod

Description: Adds Linux ARM 32-bit / 64-bit Little Endian chmod payloads.

Enhancements and features (7)

#20706 from h00die - Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.
#20751 from h00die - This updates the Windows sticky keys post persistence module to use the new persistence mixin.
#20785 from Chocapikk - This adds Waku framework support to the existing react2shell module. Waku is a minimal React framework which differs slightly compared to Node.js. The module maintains backward compatibility with existing Next.js targets while adding Waku support through a modular framework configuration system.
#20786 from zeroSteiner - This updates the module code to merge the target Arch and Platform entries into the module's top level data. Prior to this change module developers had to define Arch and Platform entries twice, once at the module level and again per individual target. This updates over 500 modules and removes that duplication.
#20796 from h00die - This moves the udev persistence into the persistence category and adds the persistence mixin.
#20853 from zeroSteiner - Bumps metapsloit-payloads to 2.0.239.
#20855 from h00die - Adds additional ATT&CK references to persistence modules.

Bugs fixed (2)

#20738 from Shubham0699 - This fixes an issue in the bailiwicked DNS modules that was causing the module to fail with a stack trace due to a programming error.
#20847 from dwelch-r7 - This updates the auxiliary/scanner/ssh/ssh_login module to remove stale documentation, remove unnecessary characters that were printed in the output and update the correct documentation with the new information about key usage.

Documentation added (1)

#20665 from basicallyabidoof - Adds documentation for the ipv6_neighbor_router_advertisement module.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Reducing Cloud Chaos: Rapid7 Partners with ARMO to Deliver Cloud Runtime Security

Rapid7 Blog

By:Joel Alcon

14 January 2026 at 09:00

Rapid7 has partnered with ARMO, a leader in cloud infrastructure and application security based on runtime data, to offer Cloud Runtime Security. The new offering, currently in beta, extends our vulnerability and exposure management solution, Exposure Command, into the moment where cloud risk becomes real: while applications and workloads are running. The solution does this with several differentiators that map directly to what security leaders need most: signal accuracy and response speed.

Introducing Rapid7 Cloud Runtime Security

Rapid7 Cloud Runtime Security combines kernel-level observability with AI-powered behavioral analysis to create a continuous, threat-aware defense layer within all cloud environments.

The solution provides:

AI-driven behavioral baselines for container activity. Because services, teams, and software releases create constant change, static policies can quickly become irrelevant and overly noisy. Cloud runtime security augmented by AI helps establish a behavioral baseline of what “normal” looks like for workload activity. This baseline becomes the standard for identifying deviations that indicate active exploits. This becomes even more critical for AI workloads in which runtime is the only place to understand behavior.
Root-cause in every risk finding. When a threat is detected, the platform does not just create noise by firing an alert. Instead, it reconstructs the entire event with root-cause insights by linking application-layer activity (like a SQL injection) to infrastructure-level changes (like a container escape). It also provides a natural-language narrative of the attack, showing exactly what happened, which credentials were used, and which resources were accessed.
Connected dots across the entire cloud ecosystem. Rapid7 Cloud Runtime displays the entire attack story, from cloud and Kubernetes events and clusters APIs, to container and workload processes and individual lines of code. Instead of sifting through siloed, disparate security tools that each present different alerts, teams gain a single source of objective truth for faster forensic analysis.
Deep application-layer visibility. Instantly detect and respond to common attacks, including SQL injections, command injections, local file inclusion (LFIs), and server-side request forgery (SSRF) that regular endpoint detection and response (EDR) tools overlook because their visibility is limited to the host and process level.
Orchestrated automated response to detected anomalies. Detection is only part of the full battle. Speed is the difference between a contained event and a disruptive, expensive data breach. The solution automatically terminates malicious processes, pauses compromised containers, isolates namespaces, or blocks egress to prevent an attacker’s lateral movement.

Rapid7 Cloud Runtime Security enables orchestrated automated response when anomalies are detected, enabling teams to quickly mobilize and contain threats.

Security amidst the chaos

Chaos is the natural state of cloud environments, where instances frequently shut down and containers constantly change. In these environments, chaos isn't a deficiency, but an inherent characteristic of distributed systems. Containers spin up and down constantly, deployments change multiple times per day, images get rebuilt and redeployed, identities and permissions drift, and workloads inherit misconfigurations at scale

Traditional vulnerability management (VM) was designed to protect static, on-prem technology architectures. Periodic scans, CVSS scores, and reactive patching have been effective here, but point-in-time snapshots and reactive remediation strategies collapse in dynamic, highly-distributed cloud environments for the following reasons:

Blind spots. Ephemeral cloud resources can spin up, perform a task, and disappear in minutes. If a vulnerable container exists for only 10 minutes between a scheduled scan, traditional VM tools will miss it and an automated attacker script will find and exploit it in seconds.
Missing context. Network scanners find CVEs, but they often lack contextual awareness. For instance, a ‘critical’ vulnerability may represent a low risk in a library that exists on an isolated container with no internet access. Conversely, a ‘medium’ vulnerability on a public-facing server with an over-privileged IAM role can be a catastrophic exploit.
Misconfigurations. In the cloud, vulnerabilities can live on unpatched software, but also arise from misconfigured systems. Consider a fully patched server that is compromised because of an open S3 bucket or a broad IAM policy. According to Gartner, “through 2026, nonpatchable attack surfaces will grow from less than 10% to more than half of the enterprise’s total exposure, reducing the impact of automated remediation practices¹.”
AI-driven complexity. AI is accelerating innovation cycles, and as organizations push out more code, AI has introduced several new dimensions to the attack surface. These can include vulnerabilities that trick LLM models into revealing sensitive data or bypassing security controls.

The new baseline for modern cloud security

As modern cloud environments are constantly changing, security teams need to know in real time when exposures become active threats. Rather than toiling over a ‘high’ or ‘critical’ vulnerability, they prioritize remediation actions based on the paths that lead to compromise. This is because a vulnerability can become a critical exposure when the conditions around it make it reachable, exploitable, and high impact. Savvy security teams use exposure management solutions to assess whether they are likely to get compromised, then lean on cloud runtime platforms to identify, in real-time, whether they are actively compromised. As a result, the best security programs now run on a “two-engine” model:

Predictive and preemptive with exposure management. This risk-forecasting layer discovers, prioritizes, and guides action on the exposures most likely to lead to material impact. Organizations utilize exposure management solutions to identify which exposures should be addressed first, the shortest paths to breach, and the remediation activities that most reduce risk.
Real-time and proactive with runtime security. This threat-reality layer detects anomalous behavior as it happens and supports immediate containment actions. Organizations use runtime security solutions to assess whether an exposure is actively being exploited, the configuration changes that may have led to the exposure, and the actions that need to be taken to contain the threat.

On their own, each part of the engine is valuable, but exposure management without runtime can cause teams to overlook active threats; runtime without exposure context can drown teams in noisy alerts. Together, these solutions enable teams to prioritize what matters most and respond instantly when it becomes active.

Visit our cloud security pages to learn more about how Rapid7 empowers teams to proactively manage risk, accelerate DevSecOps, and enforce compliance across multi-cloud environments.

¹ Gartner, Predicts 2023: Enterprises Must Expand From Threat to Exposure Management, Jeremy D'Hoinne, Pete Shoard, Mitchell Schneider, John Watts, December 2022

Patch Tuesday - January 2026

Rapid7 Blog

14 January 2026 at 00:13

Microsoft is publishing 114 vulnerabilities this January 2026 Patch Tuesday. Today’s menu includes just one vulnerability marked as exploited in the wild, as well as two vulnerabilities where Microsoft is aware of public disclosure. There are no critical remote code execution or elevation of privilege vulnerabilities. So far this month, Microsoft has already provided patches to address one browser vulnerability and around a dozen vulnerabilities in open source products, which are not included in the Patch Tuesday count above.

Windows DWM: exploited-in-the-wild information disclosure

The Windows Desktop Windows Manager (DWM) is a high value target for vulnerability researchers and threat actors, and CVE-2026-20805 is the latest in an occasional series of exploited-in-the-wild zero-day vulnerabilities to have emerged from it. DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal availability, since just about any process might need to display something. In this case, exploitation leads to improper disclosure of an ALPC port section address, which is a section of user mode memory where Windows components coordinate various actions between themselves.

The CVSS v3 score of 5.5 evaluates to medium severity, which wouldn’t typically scream “patch me first”, but Microsoft evaluates CVE-2026-20805 as important on their proprietary severity scale, and information disclosure vulnerabilities by their very nature tend to end up with lower CVSS scores, since there’s no direct impact on integrity or availability. Also, Microsoft information disclosure vulnerabilities very rarely end up marked as exploited in the wild; any that do are very likely to be part of a longer exploit chain. In this case, it’s likely that the improperly disclosed memory address gives an attacker a starting point in the hunt for the in-memory address of the DWM process, sidestepping Address Space Layout Randomization (ASLR), and greatly increasing the chance of developing a stable elevation of privilege exploit for DWM rather than a flakey blue screen of death generator.

Windows Agere modem driver: publicly disclosed elevation of privilege

Back in October 2025, Microsoft removed a specific modem driver ltmdm64.sys from all versions of Windows, after it was implicated in CVE-2025-24052, an exploited-in-the-wild elevation of privilege vulnerability. Today sees another couple of modem drivers removed from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096. That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher. Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.

Two questions remain: how many more legacy modem drivers are still present on a fully-patched Windows asset, and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying living off the land[line] by exploiting an entire class of dusty old device drivers? Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime. In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.

Secure Boot: critical security feature bypass

Today sees the publication of CVE-2026-21265, which is a critical security feature bypass vulnerability affecting Windows Secure Boot. Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet. Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.

Once the ancient 2011 certificates expire later this year, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes. When updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.

Microsoft lifecycle update

Visual Studio 2022 LTSC 17.10 reaches end of support today, so now is a good time to upgrade to a newer minor version. Dynamics CRM 2016 (also known as Dynamics 365) also reaches end of life. There are no other significant Microsoft product lifecycle changes this month.

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday 2026-Jan

A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday 2026-Jan

A bar chart showing distribution of impact type by component for Microsoft Patch Tuesday 2026-Jan

Vulnerabilities by Product Family

Azure vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21224	Azure Connected Machine Agent Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-21226	Azure Core shared client library for Python Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.5
CVE-2026-20965	Windows Admin Center Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.5

Developer Tools vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-21219	Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability	Exploitation Unlikely	No	7.0

ESU vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-20805	Desktop Window Manager Information Disclosure Vulnerability	Exploitation Detected	No	5.5
CVE-2026-20847	Microsoft Windows File Explorer Spoofing Vulnerability	Exploitation Unlikely	No	6.5
CVE-2023-31096	MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability	Exploitation More Likely	Yes	7.8
CVE-2026-20925	NTLM Hash Disclosure Spoofing Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-20872	NTLM Hash Disclosure Spoofing Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-20821	Remote Procedure Call Information Disclosure Vulnerability	Exploitation Unlikely	No	6.2
CVE-2026-21265	Secure Boot Certificate Expiration Security Feature Bypass Vulnerability	Exploitation Less Likely	Yes	6.4
CVE-2026-20831	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20860	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20839	Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20940	Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20820	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-0386	Windows Deployment Services Remote Code Execution Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20929	Windows HTTP.sys Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20816	Windows Installer Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20849	Windows Kerberos Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20833	Windows Kerberos Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20809	Windows Kernel Memory Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20875	Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability	Exploitation Less Likely	No	7.5
CVE-2026-20869	Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2024-55414	Windows Motorola Soft Modem Driver Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20936	Windows NDIS Information Disclosure Vulnerability	Exploitation Unlikely	No	4.3
CVE-2026-20840	Windows NTFS Remote Code Execution Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20922	Windows NTFS Remote Code Execution Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20824	Windows Remote Assistance Security Feature Bypass Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20828	Windows rndismp6.sys Information Disclosure Vulnerability	Exploitation Less Likely	No	4.6
CVE-2026-20843	Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20868	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.8
CVE-2026-20856	Windows Server Update Service (WSUS) Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.1
CVE-2026-20927	Windows SMB Server Denial of Service Vulnerability	Exploitation Unlikely	No	5.3
CVE-2026-20919	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20921	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20926	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20934	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20848	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20834	Windows Spoofing Vulnerability	Exploitation Less Likely	No	4.6
CVE-2026-20931	Windows Telephony Service Elevation of Privilege Vulnerability	Exploitation Unlikely	No	8.0

Microsoft Office vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-20946	Microsoft Excel Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20955	Microsoft Excel Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20956	Microsoft Excel Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20950	Microsoft Excel Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20957	Microsoft Excel Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20949	Microsoft Excel Security Feature Bypass Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20943	Microsoft Office Click-To-Run Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20953	Microsoft Office Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.4
CVE-2026-20952	Microsoft Office Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.4
CVE-2026-20958	Microsoft SharePoint Information Disclosure Vulnerability	Exploitation Less Likely	No	5.4
CVE-2026-20963	Microsoft SharePoint Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.8
CVE-2026-20951	Microsoft SharePoint Server Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20947	Microsoft SharePoint Server Remote Code Execution Vulnerability	Exploitation Unlikely	No	8.8
CVE-2026-20959	Microsoft SharePoint Server Spoofing Vulnerability	Exploitation Less Likely	No	4.6
CVE-2026-20944	Microsoft Word Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.4
CVE-2026-20948	Microsoft Word Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8

SQL Server vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-20803	Microsoft SQL Server Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.2

Windows vulnerabilities

CVE	Title	Exploitation status	Publicly disclosed?	CVSS v3 base score
CVE-2026-20815	Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20830	Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.0
CVE-2026-21221	Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.0
CVE-2026-20835	Capability Access Management Service (camsvc) Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20851	Capability Access Management Service (camsvc) Information Disclosure Vulnerability	Exploitation Less Likely	No	6.2
CVE-2026-20805	Desktop Window Manager Information Disclosure Vulnerability	Exploitation Detected	No	5.5
CVE-2026-20871	Desktop Windows Manager Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20814	DirectX Graphics Kernel Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20836	DirectX Graphics Kernel Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20962	Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability	Exploitation Less Likely	No	4.4
CVE-2026-20941	Host Process for Windows Tasks Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20812	LDAP Tampering Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-20842	Microsoft DWM Core Library Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20847	Microsoft Windows File Explorer Spoofing Vulnerability	Exploitation Unlikely	No	6.5
CVE-2023-31096	MITRE: CVE-2023-31096 Windows Agere Soft Modem Driver Elevation of Privilege Vulnerability	Exploitation More Likely	Yes	7.8
CVE-2026-20925	NTLM Hash Disclosure Spoofing Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-20872	NTLM Hash Disclosure Spoofing Vulnerability	Exploitation Less Likely	No	6.5
CVE-2026-20821	Remote Procedure Call Information Disclosure Vulnerability	Exploitation Unlikely	No	6.2
CVE-2026-21265	Secure Boot Certificate Expiration Security Feature Bypass Vulnerability	Exploitation Less Likely	Yes	6.4
CVE-2026-20826	Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20827	Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20829	TPM Trustlet Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20811	Win32k Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20920	Win32k Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20863	Win32k Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20810	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20831	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20860	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20839	Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20844	Windows Clipboard Server Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.4
CVE-2026-20857	Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20940	Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20820	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20864	Windows Connected Devices Platform Service Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-0386	Windows Deployment Services Remote Code Execution Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20817	Windows Error Reporting Service Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20808	Windows File Explorer Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20823	Windows File Explorer Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20932	Windows File Explorer Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20937	Windows File Explorer Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20939	Windows File Explorer Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20822	Windows Graphics Component Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20804	Windows Hello Tampering Vulnerability	Exploitation Unlikely	No	7.7
CVE-2026-20852	Windows Hello Tampering Vulnerability	Exploitation Less Likely	No	7.7
CVE-2026-20929	Windows HTTP.sys Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20825	Windows Hyper-V Information Disclosure Vulnerability	Exploitation Less Likely	No	4.4
CVE-2026-20816	Windows Installer Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20849	Windows Kerberos Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20833	Windows Kerberos Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20818	Windows Kernel Information Disclosure Vulnerability	Exploitation Unlikely	No	6.2
CVE-2026-20838	Windows Kernel Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20809	Windows Kernel Memory Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20859	Windows Kernel-Mode Driver Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20875	Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability	Exploitation Less Likely	No	7.5
CVE-2026-20854	Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.5
CVE-2026-20869	Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.0
CVE-2026-20858	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20865	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20877	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20918	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20923	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20924	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20861	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20866	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20867	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20873	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20874	Windows Management Services Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20862	Windows Management Services Information Disclosure Vulnerability	Exploitation Unlikely	No	5.5
CVE-2026-20837	Windows Media Remote Code Execution Vulnerability	Exploitation Less Likely	No	7.8
CVE-2024-55414	Windows Motorola Soft Modem Driver Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.8
CVE-2026-20936	Windows NDIS Information Disclosure Vulnerability	Exploitation Unlikely	No	4.3
CVE-2026-20840	Windows NTFS Remote Code Execution Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20922	Windows NTFS Remote Code Execution Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20824	Windows Remote Assistance Security Feature Bypass Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20832	Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20828	Windows rndismp6.sys Information Disclosure Vulnerability	Exploitation Less Likely	No	4.6
CVE-2026-20843	Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability	Exploitation More Likely	No	7.8
CVE-2026-20868	Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.8
CVE-2026-20856	Windows Server Update Service (WSUS) Remote Code Execution Vulnerability	Exploitation Less Likely	No	8.1
CVE-2026-20927	Windows SMB Server Denial of Service Vulnerability	Exploitation Unlikely	No	5.3
CVE-2026-20919	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20921	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20926	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20934	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20848	Windows SMB Server Elevation of Privilege Vulnerability	Exploitation Unlikely	No	7.5
CVE-2026-20834	Windows Spoofing Vulnerability	Exploitation Less Likely	No	4.6
CVE-2026-20931	Windows Telephony Service Elevation of Privilege Vulnerability	Exploitation Unlikely	No	8.0
CVE-2026-20876	Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability	Exploitation Less Likely	No	6.7
CVE-2026-20938	Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8
CVE-2026-20819	Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability	Exploitation Less Likely	No	5.5
CVE-2026-20935	Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability	Exploitation Less Likely	No	6.2
CVE-2026-20853	Windows WalletService Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.4
CVE-2026-20870	Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability	Exploitation Less Likely	No	7.8

Metasploit Wrap-Up 01/09/2026

Rapid7 Blog

9 January 2026 at 18:07

RISC-V Payloads

This week brings more RISC-V payloads from community member bcoles. One provides a new adapter which allows RISC-V payloads to be converted to commands and delivered as a Metasploit fetch-payload. The second is a classic bind shell, offering the user interactive connectivity to the target host. Both of these go a long way in improving Metasploit’s support for RISC-V systems.

Annual Wrap Up

With a new year comes a new annual wrap up. Earlier this week, the Metasploit project posted the annual wrap up covering notable changes from 2025.

New module content (4)

Taiga tribe_gig authenticated unserialize remote code execution

Authors: rootjog and whotwagner

Type: Exploit

Pull request: #20700 contributed by whotwagner

Path: multi/http/taiga_tribe_gig_unserial

AttackerKB reference: CVE-2025-62368

Description: This adds a new module for authenticated deserialization vulnerability in Taiga.io (CVE-2025-62368). The module sends malicious data to exposed API, which performs unsafe deserialization, leading to remote code execution.

Python Site-Specific Hook Persistence

Author: msutovsky-r7

Type: Exploit

Pull request: #20692 contributed by msutovsky-r7

Path: multi/persistence/python_site_specific_hook

Description: This adds a persistence module which leverages Python's startup mechanism, where some files can be automatically processed during the initialization of the Python interpreter. Someof those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism if an attacker has established access to the target machine with sufficient permissions.

Add Linux RISC-V command payload adapters

Authors: bcoles bcoles@gmail.com

Type: Payload (Adapter)

Pull request: #20734 contributed by bcoles

Description: This extends fetch payloads for RISC-V targets.

Linux Command Shell, Bind TCP Inline

Authors: bcoles bcoles@gmail.com and modexp

Type: Payload (Single)

Pull request: #20733 contributed by bcoles

Path: linux/riscv32le/shell_bind_tcp

Description: This adds a new payload: a bind shell for Linux RISC-V targets.

Bugs fixed (2)

#20370 from msutovsky-r7 - Fixes an issue that occurred when negotiating the SMB version and the server uses an unknown dialect. Now, the login function will throw an exception and exit gracefully.
#20744 from ptrstr - This fixes a bug in unix/webapp/wp_reflexgallery_file_upload where the current year and month were being hardcoded in the request. This caused the server to reject the exploit if there was no folder in wp-content/uploads for that specific year and month. Now the year and month are configurable datastore options.

Documentation added (1)

#20831 from DataExplorerX - This adds link to issues in Metasploit Framework Github repository.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Beyond the Device: Exploring the New Security Risks of Interconnected IoT at CES 2026

Rapid7 Blog

By:Deral Heiland

9 January 2026 at 10:11

Attending CES over the last several years has provided me with a valuable opportunity to observe how rapidly IoT technology continues to evolve across consumer and enterprise domains. This was my fourth year attending CES and I have seen a continued growth and advancement across multiple technology categories, from mobile devices and wearables, to AI-driven automation and robotics, to connected infrastructure.

This year’s show floor highlighted how deeply embedded “smart” technology has become within our everyday systems. As an IoT security researcher, what stood out to me most was not just the pace of innovation, but how increasingly interconnected these technologies have become, often relying on shared backend services, cloud platforms, and automated decision-making. These trends highlight the importance of examining not only individual devices, but the broader trust relationships and infrastructure architectures that support them.

AI-driven automation is no longer experimental

It was clear at CES 2026 that AI-driven automation is no longer experimental, it has become operational. Throughout automation, robotics, and transportation technology, decision-making processes are increasingly being delegated to backend AI systems that consume device telemetry and trigger real-world actions. From a security perspective, this marks a primary shift where trust relationships that were once local are now centralized, automated, and capable of impacting all devices within a larger ecosystem. The challenge moving forward doesn’t just involve securing devices; we will have to secure the data these devices produce, plus ensure that data is not altered or corrupted in a way that would impact all devices under the control of the backend AI systems.

Robotics innovation demands urgent security action

One of the more striking areas of progress has been in robotics, particularly in dexterity and fine motor control. Seeing robots play the piano or fold cloth highlighted how far robotic manipulation has come. Moving beyond their old rigid, pre-programmed motion toward a more adaptive interaction with our physical world. While we are still years away from anything resembling The Jetsons, these demonstrations show clear forward momentum. Before increasingly capable and autonomous robots become more deeply integrated into our world, we need to seriously address how to build security into the underlying technology. It’s also critical to maintain and secure the vast amount of data they will gather.

Mobile and wearable technologies are “always on”

During CES this year, I also observed advances in mobile technology and wearables. While these devices have long been a staple of the show and continue to evolve incrementally each year, the growing integration of AI has noticeably expanded their capabilities. Features such as continuous sensing and adaptive behavior introduce new questions around security and privacy that go beyond traditional mobile threat models. As these technologies increasingly find their way into the hands of employees, they also raise important considerations for organizational security posture. This shift prompts a larger question CISOs should ask themselves: have our organization’s mobile device policies evolved alongside these technologies, or are they still grounded in smartphone-only assumptions from a decade ago?

For example, one of the most concerning mobile device technologies I observed was a device designed for use in corporate meetings that could automatically take notes, transcribe discussions, and translate conversations in real time. While such capabilities can clearly improve productivity and collaboration, especially in global organizations, they also introduce new security and privacy considerations. A device that is continuously listening, processing speech, and potentially transmitting data to backend cloud systems raises questions about where sensitive conversations are stored, how long that data is retained, and who ultimately has access to it. When such technologies are introduced into meeting rooms or business workflows, they essentially become an always-on sensor within the organization, and its presence may not be fully accounted for in most organizations with existing acceptable use policies. This highlights the need for organizations to reassess how emerging mobile and wearable technologies could impact their data protection, confidentiality, and overall security posture.

Conclusion: Building a new infrastructure of trust

My observations from CES 2026 clearly illustrate that the evolution of IoT has moved us beyond securing individual devices. The true security challenge now lies within the highly interconnected ecosystems, centralized AI-driven automation, and "always-on" data collection that underpin our increasingly "smart" world. The operationalization of AI and the rapid progress in robotics introduce centralized trust relationships and vast new data streams that are not yet matched by adequate security considerations.

This shift presents an urgent call to action for organizations. It’s time to aggressively reassess acceptable use and data protection policies to account for continuously sensing wearables, autonomous machinery, and the security of the backend services that control them all. The future of security is no longer just about protecting the perimeter; it is about securing the entire infrastructure of trust, data integrity, and automated decision-making that powers the next generation of technology.

Ni8mare and N8scape flaws among multiple critical vulnerabilities affecting n8n

Rapid7 Blog

By:Rapid7

8 January 2026 at 16:25

Overview

On November 18, 2025, a patched release was published for a critical unauthenticated file read vulnerability in n8n, a popular piece of automation software. The advisory for this vulnerability, CVE-2026-21858, was subsequently published on January 7, 2026; the vulnerability holds a CVSS score of 10.0. If a server has a custom configured web form that implements file uploads with no validation of content type, an attacker can overwrite an internal JSON object to read arbitrary files and, in some cases, establish remote code execution. This vulnerability has been dubbed “Ni8mare” by the finders.

The finders, Cyera, published a technical blog post about the vulnerability on January 7, 2026, and a separate technical analysis and proof-of-concept (PoC) exploit were published by third-party security researcher Valentin Lobstein the same day. The Cyera writeup demonstrates CVE-2026-21858, while the third-party exploit also leverages CVE-2025-68613, an authenticated expression language injection vulnerability in n8n, for remote code execution. Additional authenticated vulnerabilities, tracked as CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, and CVE-2026-21877 can be chained with the unauthenticated vulnerability CVE-2026-21858 for code execution or arbitrary file write on specific affected versions of n8n.

In total there are five CVEs that n8n users should be aware of:

CVE Number	Published Date	CVSS	Description	Leveraged in PoC?
CVE-2026-21858 (Ni8mare)	01/07/2026	10.0 (NVD score)	Certain form-based workflows are vulnerable to improper file handling that can result in arbitrary file read. When exploited, attackers can establish administrator-level access to n8n.	Yes
CVE-2026-21877	01/07/2026	9.9 (NVD score)	Under certain conditions, authenticated n8n users may be able to cause untrusted code to be executed by the n8n service.	No
CVE-2025-68613	12/19/2025	8.8 (NVD score)	A vulnerability in n8n’s expression evaluation system allows authenticated users to execute arbitrary system commands through crafted expressions in workflow parameters.	Yes
CVE-2025-68668 (N8scape)	12/26/2025	9.9 (NVD score)	A sandbox bypass vulnerability exists in the n8n Python Code node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n in the context of the service user.	No
CVE-2025-68697	12/26/2025	5.4 (NVD score)	In self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This permits reading and writing files on the host.	No

Technical overview

CVE-2026-21858: “Unauthenticated File Access via Improper Webhook Request Handling”

This is the primary access vector for the n8n exploit chain and holds a maximum CVSS score of 10.0. It is a critical unauthenticated file read vulnerability that occurs when custom web forms implement file uploads without validating the content type. By exploiting this flaw, an attacker can overwrite an internal JSON object to read arbitrary files from the server. This capability may be leveraged to forge an administrator session token and exploit subsequent authenticated vulnerabilities for code execution.

CVE-2025-68613: “Remote Code Execution via Expression Injection”

This vulnerability is characterized as an authenticated expression language injection flaw. While it requires an established session to exploit, it can be chained with CVE-2026-21858 to achieve remote code execution. It affects n8n versions starting at 0.211.0 and below 1.20.4. Attackers can leverage this flaw by injecting malicious expression language commands once they have gained a foothold as an administrator.

CVE-2025-68668: “Arbitrary Command Execution in Pyodide based Python Code node”

Affecting n8n versions between 1.0.0 and 2.0.0, this is an authenticated vulnerability used for secondary exploitation. Depending on the specific configuration of the affected version, it allows an attacker to execute arbitrary OS commands. Because it requires authentication, it is used on a case-by-case basis after an initial breach has compromised the management interface.

CVE-2025-68697: “Legacy Code node enables file read/write in self-hosted n8n”

CVE-2025-68697 is an authenticated vulnerability that facilitates arbitrary file read/write in the context of the n8n process when exploited. Per the advisory, systems are vulnerable when the Code node runs in legacy (non-task-runner) JavaScript execution mode. CVE-2025-68697 specifically impacts n8n versions ranging from 1.2.1 up to 2.0.0, though n8n version 1.2.1 and higher automatically prevents read/write access to the `.n8n` directory by default. As a result, exploitation of CVE-2025-68697 is likely to require a more bespoke strategy for each specific target, making it a less likely vulnerability to be exploited as a secondary chained bug with CVE-2026-21858.

CVE-2026-21877: “RCE via Arbitrary File Write”

This vulnerability has a CVSS score of 9.9 and affects both self-hosted and cloud versions of n8n. It allows for remote code execution within n8n versions 0.123.0 through 1.121.3. Although it is an authenticated vulnerability, its high severity stems from its ability to grant an attacker full system control once they have bypassed initial authentication using the CVE-2026-21858 file read flaw.

Mitigation guidance

Organizations running self-hosted instances of n8n should prioritize upgrading to a version at or above 1.121.0 immediately to remediate the unauthenticated initial access vulnerability CVE-2026-21858.

According to the vendor, the following versions are affected:

CVE-2026-21858: Versions at or above 1.65.0 and below 1.121.0.
CVE-2025-68613: Versions at or above 0.211.0 and below 1.20.4.
CVE-2025-68668: Versions at or above 1.0.0 and below 2.0.0.
CVE-2025-68697: Versions at or above 1.2.1 and below 2.0.0.
CVE-2026-21877: Versions at or above 0.123.0 and below 1.121.3.

For the latest mitigation guidance, please refer to the vendor’s security advisories.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-21858, CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, CVE-2026-21877 with vulnerability checks available in the January 9th content release.

Updates

January 8, 2026: Initial publication.
January 12, 2026: Updated Rapid7 customers section to confirm checks shipped on January 9, 2026.

Key Takeaways and Top Cybersecurity Predictions for 2026

Rapid7 Blog

By:Rapid7

7 January 2026 at 09:24

As the threat landscape keeps shifting, security teams are being asked to do more than react. They are expected to look ahead, connect the dots, and make decisions in environments that change faster every year. That challenge was at the heart of Rapid7’s 2026 Security Predictions webinar, where our experts reflected on what the past year revealed about attacker behavior, defender priorities, and the realities of running a modern SOC.

The conversation looked back just long enough to spot the patterns that matter, then turned forward to the forces shaping 2026. Geopolitics, insider risk, and the need for context-driven defense all surfaced repeatedly. The takeaway was simple but important. Attackers are adapting quickly, and security teams need to adapt with the same urgency.

Below are the key takeaways from the discussion, along with the top predictions shaping the year ahead.

Key takeaways from the discussion

The threat landscape is no longer isolated

One of the strongest themes from the webinar was how interconnected today’s risks have become. Cyber activity does not exist in a vacuum. Geopolitical tensions, economic pressure, workforce challenges, and technological acceleration all feed directly into attacker behavior.

Security teams can no longer separate cyber risk from broader business and global risk. Decisions made outside the SOC, from supplier choices to workforce strategy, increasingly influence exposure and attack paths.

Identity and access remain the most reliable attack paths

Despite continued investment in perimeter defenses, attackers are still finding success through compromised credentials, misused access, and human error. The webinar panel reinforced that identity-based compromise remains one of the most consistent and scalable techniques used by threat actors.

This means defenders must treat identity, behavior, and access governance as core detection and response signals, not secondary controls.

Speed without context creates noise, not security

The rise of AI-driven attacks and automation has increased the volume and pace of activity security teams must process. However, the panel stressed that faster alerts alone do not improve outcomes.

Without understanding which assets matter, which exposures are exploitable, and which alerts represent real risk, teams risk moving quickly in the wrong direction. Context is now essential for effective prioritization and response.

The top cybersecurity predictions for 2026

1. Geopolitical fault lines will redraw the cyber battlefield

In 2026, geopolitical tensions will continue to spill into the digital domain, with private organizations increasingly caught in the middle. State-aligned and state-tolerated groups will target critical supply chains, service providers, and global enterprises as proxy targets, blending espionage with economic disruption.

For security teams, this means geopolitical risk must be factored into threat modeling, vendor assessments, and incident response planning. Even organizations far from traditional conflict zones may find themselves impacted by campaigns tied to global tensions.

2. Insider threats will dominate breach root causes

The panel highlighted that many of tomorrow’s breaches will not start with attackers breaking in, but with access already in place. Insider threats, driven by simple negligence, compromised credentials, or monetized access selling, will continue to rise.

Economic stress, workforce changes, and growing access complexity all contribute to this trend. As a result, organizations must focus more on access hygiene, behavior monitoring, and creating environments where employees can report mistakes early without fear.

3. Context will become the new currency of cyber performance

As attacks scale and exploitation windows shrink, the ability to understand what matters most will define successful security operations. The panel emphasized that visibility alone is no longer enough.

Security teams that integrate exposure management, detection, and response will outperform those relying on disconnected tools and alert-heavy workflows. Context-rich defense allows teams to triage faster, investigate smarter, and respond based on real business risk rather than alert volume.

What this means for security teams heading into 2026

The predictions shared during the webinar point to a future where success depends less on adding more tools and more on using intelligence, context, and automation effectively. Security teams that can unify visibility, prioritize risk, and act decisively will be better positioned to keep pace with increasingly adaptive attackers.

The message from the panel was clear. 2026 will reward teams that focus on understanding their environment, aligning security efforts with real-world risk, and preparing for threats shaped by forces far beyond the SOC.

Watch the 2026 Security Predictions webinar to hear directly from Rapid7’s experts on what’s shaping the threat landscape and how security teams should prepare.

Metasploit 2025 Annual Wrap-Up

Rapid7 Blog

5 January 2026 at 15:31

Hard to believe it's that time again, and that Metasploit Framework will see the dawn of another Annual Wrap-Up (and a New Year). All of the metrics and modules you see here would in large part not be possible without the dedicated community members who care about the Framework and its mission on all the days of the year. It is their hard work and dedication that makes it look like magic, and sometimes, it feels like it too. A heartfelt thank you to all of our researchers and contributors, you're what makes Metasploit Framework so resilient.

This year brought its share of notable vulnerabilities, substantial framework improvements, and continued evolution of the project. Whether you submitted a module, filed an issue, or helped triage a bug, your contributions have kept Metasploit relevant and powerful. So without further ado, let's dive into the highlights from 2025.

Persistence Overhaul

One of the year's significant infrastructure improvements came from community contributor h00die, who spearheaded a massive refactor of Metasploit's persistence modules. The project, tracked in issue #20374, involved reorganizing dozens of persistence modules from their scattered locations across the framework into a dedicated persistence directory under exploits. This wasn't just housekeeping—h00die created a standardized persistence mixin that brought consistency to how modules handle installation, cleanup, and option handling. The refactor touched over 30 modules spanning Linux, Windows, OSX, and multi-platform techniques, modernizing each one with proper check methods, MITRE ATT&CK references, and standardized options like WritableDir. The work also laid the groundwork for a persistence suggester module that can automatically recommend viable persistence techniques based on session characteristics.

The sheer scope of this effort can't be overstated. Breaking the work into manageable chunks, h00die systematically converted modules from the old post-exploitation style to proper exploit modules with the new persistence mixin, handling everything from cron jobs and SSH keys to Windows registry modifications and service installations. The standardization means that all persistence modules now share common behaviors, produce cleanup scripts in a consistent format, and integrate cleanly with the rest of the framework. It's the kind of unglamorous but essential work that improves the entire framework's usability and maintainability, and we're grateful to h00die for taking on such an ambitious project and seeing it through.

AD CS Vulnerable Certificate Template Detection and Exploitation Additions

This year, Metasploit expanded its Active Directory Certificate Services (AD CS) coverage by adding detection and exploitation support for certificate templates vulnerable to ESC9, ESC10, and ESC16. Checks for these misconfigured certificate templates were integrated into the existing ldap_esc_vulnerable_template module, allowing users to easily identify misconfigured templates during assessments.

To complement this detection capability, we introduced the new esc_update_ldap_object module, which enables reliable exploitation of these vulnerable templates to escalate privileges. ESC9, ESC10, and ESC16 share a common pattern: each requires control of a user account with write privileges over another user that is permitted to enroll in the vulnerable template. While exploiting these techniques with other tools typically involves multiple manual and error-prone steps, the new module streamlines the entire workflow. Users configure the required datastore options, run the module, and receive a certificate that can be used to escalate privileges within the domain.

As part of this effort, we also introduced the ldap_object_attribute module, which provides standard CRUD operations for manipulating LDAP objects in Active Directory. This module — along with existing functionality such as shadow_credentials and get_ticket — is used internally by esc_update_ldap_object to abstract away low-level LDAP interactions and simplify exploitation.

This work included comprehensive documentation covering the configuration of templates vulnerable to ESC9, ESC10, and ESC16, as well as detailed instructions for exploiting each technique using the new module.

Active Directory Improvements

Related to our AD CS improvements, came new low-level functionality for interacting with Active Directory (AD) Domain Controllers over LDAP. Over the past couple of years, Metasploit has seen multiple modules added that facilitate AD attack workflows including Shadow Credentials, RBCD, Unconstrained Delegation, etc. Like the AD CS attacks, many of these techniques are reliant on access control to some degree. Over the summer, Metasploit introduced new functionality to facilitate checking for these types of attacks. This new library provides Active Directory specific functionality, most notably, the ability to remotely evaluate security descriptors to determine whether a particular user or group has a specific access right. This has already been incorporated into the following modules to either enable or improve the existing detection capabilities.

auxiliary/admin/ldap/shadow_credentials
auxiliary/admin/ldap/rbcd
auxiliary/admin/ldap/ad_cs_cert_template
auxiliary/gather/ldap_esc_vulnerable_cert_finder

For module authors, the library provides a composable API for determining if an object grants a particular permission to an optional SID. The SID can be either a user or group, and when omitted is automatically set to the authenticating user, i.e. to check if the current connection has the permissions.

For example, check if the object grants the read and write property permissions with:

adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.all(%i[RP WP]))

Code Cleanup At Scale

Beyond new features and modules, 2025 also saw substantial code quality improvements thanks to community contributor bcoles, who took on the often-thankless task of resolving RuboCop violations across the codebase. Throughout the year, bcoles systematically worked through older modules, cleaning up style inconsistencies, fixing syntax violations, and converting outdated property types to proper boolean values in auxiliary scanners and exploit modules. This kind of incremental maintenance work—fixing redundant parentheses here, resolving style violations there—doesn't make for flashy headlines, but it keeps the codebase maintainable and makes life easier for everyone working in the framework. Code quality matters, and we're grateful to bcoles for putting in the work to keep Metasploit's technical debt in check.

Payload Improvements

It may be a fun fact, or perhaps tribal knowledge that an “exploit” to Metasploit is a module that delivers a payload. All the great exploit content this year would be nothing without corresponding payloads to deliver and we make sure that those get plenty of our time as well. The following changes in particular are highly impactful and may have gone unnoticed while the flashier exploits received all the attention.

Windows Meterpreter Improvements

The biggest updates for the Windows Meterpreter revolve around two major improvements: the first is the upgrade to ReflectiveDLLInjection, made by Alex (xaitax) Hagenah, for which we express our gratitude for improving this area of the Metasploit Framework that requires a high level of attention to detail. This update introduces full, production-ready ARM64 support and a comprehensive architectural modernization of the whole library. These changes open the door to future support for a native ARM64 Meterpreter on Windows. Additionally, Metasploit split the standard API extension for Windows this year. This was actually the design used in the original Meterpreter implementation and we’ve reconsidered the monolithic approach. This improvement is one of the multiple steps we have in the pipeline to improve the evasion capabilities for our Windows Meterpreter. The standard API library now allows the user to load only specific subcomponents of the extension (for example, the component for network or file-system interaction), reducing the memory footprint for memory scanners. To leverage this new functionality, set AutoLoadStdapi to False, and then load one or more extensions manually, e.g. load stdapi_fs. To maintain backwards compatibility, a single stdapi extension is also still available and can be loaded with load stdapi.

Fetch Payload Improvements

The first milestone was the introduction of fileless execution for Linux fetch payloads, enabling payloads to run directly from memory using anonymous files. This advancement greatly enhances operational stealth by minimizing forensic traces and avoiding file-based detection, with careful attention to safe, opt-in behavior and collaborative code refinement. Following this, the FETCH_PIPE option streamlined payload deployment into a single, compact command. This improvement enhanced both usability and evasion, while also supporting larger, more complex command payloads (such as fileless execution) to be executed even with reduced command size. Additionally, fetch payload support has expanded to seven additional CPU architectures: aarch64, armbe, armle, mipsbe, mipsle, ppc, and ppc64le. This significantly broadens Metasploit's reach across embedded and legacy systems. Both features are thoroughly tested and future-proof, making the framework more versatile and powerful.

New Architectures Basic Support

This year, we have also updated the framework to support new basic payloads. We have introduced the exec payload for Windows ARM64 (provided by Alex (xaitax) Hagenah), reverse shell for RISC-V 32 and 64 bit, and Loongarch64 (both provided by bcoles).

COMING SOON

As much as we try, everything doesn’t always fit into one year. With that in mind, we wanted to highlight some upcoming features that we’re particularly excited to complete in the coming months.

Malleable C2

The malleable c2 will allow the user to specify with a .profile scribing how the HTTP requests between meterpreter and metasploit-framework should look like, allowing metasploit to hide the distinctive traffic generated by the session communication.

Direct Syscall in Metsrv

We have updated the Meterpreter core (metsrv) to remove common static signatures, such as specific strings and function imports, making it harder to detect.

PoolParty for 32-bit systems

Additional work to port the poolparty injection on native 32 bit system, Huge thanks to xHector1337 for taking over the research and extension of the code injection for the new architecture.

SCCM Modules

This year, Metasploit added two modules for targeting SCCM instances and recovering the Network Access Account credentials. These modules differ in how they perform the authentication. The first, auxiliary/admin/sccm/get_naa_credentials accepts credentials from the operator and will use them to authenticate and run the attack on demand. This pairs nicely with the auxiliary/admin/dcerpc/samr_account module when the operator can create a new machine account. However, when that’s not an option, Metasploit still has you covered with the auxiliary/server/relay/relay_get_naa_credentials variant that enables relaying NTLM authentication from an SMB server. These attack workflows were demonstrated at Black Hat and DEF CON over the summer and we anticipate they’ll remain useful in the future.

Module Highlights

CVE-2025-9316, CVE-2025-11700 N-able N-Central XXE – N-able N-Central is a popular Remote Monitoring and Management (RMM) platform. These two vulnerabilities, when combined, enable Metasploit to read local files without authenticating. This can be used to obtain a number of sensitive backup files from the application itself, or anything else on the host system. XXE attacks are a less common vulnerability, at least in Metasploit-land but this is a fantastic example of how impactful they can be.
CVE-2025-22457 Ivanti Connect Secure Unauthenticated RCE – Ivanti RCEs are always valuable and this module shows that memory corruption lives on in 2025. Not only is this exploit unauthenticated and reliable, it is a great example of how ROP chains can be used.
CVE-2024-55555 Invoice Ninja RCE – This particular module leverages a PHP deserialization vulnerability within the application. While this vulnerability requires knowledge of the APP_KEY, successful exploitation could have significant financial implications. As an added bonus, this module came with a new library adding support for Laravel Framework-specific cryptography methods.
CVE-2024-55556 InvoiceShelf RCE – Everyone loves a good pairing, and this module continues h00die-gr3y’s work on invoicing software, showing that they’re useful for receiving more than just payments.
LDAP Password Disclosure – This module has been around for a while, but received some new features in 2025 for targeting Active Directory Domain Controllers. The first added support for LAPSv1 and v2, enabling the module to recover the local admin account on systems. Later in the year, a second improvement added support for gMSA accounts. This module also pairs nicely with the new SMB to LDAP NTLM Relay module we added this year as well.
Microsoft SharePoint ToolPane Unauthenticated RCE (CVE-2025-53770 and CVE-2025-53771)
Exploit module for CVE-2025-32433 (Erlang/OTP)

SMB Relay Expansion

This year, Metasploit significantly leveled up its relaying capabilities, transforming the framework’s only SMB to SMB relay capability into a powerful engine for lateral movement. Traditionally, SMB relaying was often the domain of standalone external tools, but through the dedicated work of the Metasploit team, these workflows are now seamlessly integrated into the framework

Community Stats Recap

A huge thank you from the entire Metasploit team to all 66 contributors in 2025. Your contributions and ideas are what continue to improve this tool every year. Notably, 41 of these were first-time contributors who added new code.

Here are some stats for 2025:

Number of new modules: 139
Number of new bug fixes: 133
Number of new enhancements: 115
Number of new documentations: 19
Number of new payload enhancements: 18

Contributors in 2025 (ordered by count)

bcoles
h00die
Chocapikk
h00die-gr3y
Takahiro-Yoko
h4x-x0r
smashery
vognik (new in 2025)
jvoisin
xHector1337 (new in 2025)
jmartin-tech
mariomontecatine (new in 2025)
blue0x1 (new in 2025)
nakkouchtarek (new in 2025)
molecula2788
xaitax
happybear-21 (new in 2025)
e2002e
fabpiaf (new in 2025)
mekhalleh
JohannesLks (new in 2025)
BitTheByte (new in 2025)
todb
00nx (new in 2025)
DevBuiHieu (new in 2025)
SweilemCodes (new in 2025)
arpitjain099 (new in 2025)
L-codes
Zeecka (new in 2025)
aaryan-11-x
whotwagner
lafried (new in 2025)
sebaspf (new in 2025)
hantwister (new in 2025)
tastyrce (new in 2025)
easymoney322 (new in 2025)
gardnerapp
TheBigStonk (new in 2025)
0xAryan (new in 2025)
sempervictus
szymonj99
Mathiou04
vultza (new in 2025)
enty8080 (new in 2025)
SaiSakthidar (new in 2025)
Zedeldi (new in 2025)
stfnw (new in 2025)
mmacfadden (new in 2025)
daffainfo (new in 2025)
HamzaSahin61 (new in 2025)
survivant (new in 2025)
uhei
EchoSl0w (new in 2025)
jeffmcjunkin
BenoitDePaoli (new in 2025)
randomstr1ng
2tunnels (new in 2025)
rodolphopivetta (new in 2025)
RakRakGaming (new in 2025)
Desiree05 (new in 2025)
Wopseeion (new in 2025)
jphamgithub (new in 2025)
H4k1l (new in 2025)
fishBone000 (new in 2025)
xl4635 (new in 2025)

What’s New in Rapid7 Products & Services: H2 2025 in Review

Rapid7 Blog

By:Margaret Wei

29 December 2025 at 09:57

Over the last six months we’ve delivered significant advancements across the Command Platform, as well as received recognition as a Leader in Exposure Management and Managed Detection and Response (MDR) analyst reports. From launching new AI-driven capabilities - including our new next-gen SIEM Incident Command - to introducing real-time visibility into organizational risk with enhanced dashboarding, we continued to innovate in ways that support faster, more confident decision making. Explore the highlights of what we’ve been up to below.

Exposure Management: Prioritize risk across your attack surface

Rapid7 named a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms

Rapid7 was recognized as a Leader in the inaugural 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this reflects our ability to help customers continuously understand, prioritize, and reduce risk across their hybrid environments. Exposure Command brings unified visibility, attacker-aware prioritization, and guided remediation together in one platform, enabling teams to make faster, more confident decisions with validated, business-aligned risk insights. Check out our recent blog post to learn more.

Remediate vulnerabilities faster with AI-generated Risk Intelligence

Prioritizing remediation is difficult when teams are flooded with CVEs and lack actionable context about real-world risk. We introduced AI-generated risk intelligence within Remediation Hub to help teams focus on the vulnerabilities that matter most and drive faster, more consistent risk reduction by distilling exploitability, business impact, toxic combinations, and patchability into clear summaries and guided actions. Check out our recent blog post to learn more.

⠀

Rapid7-AI-Generated-Remediation-Summary-Remediation-Hub.png — AI-generated Remediation Summary in Remediation Hub

Gain real-time visibility and communicate progress with the Exposure Management Dashboard

To effectively plan, track, and communicate exposure reduction, teams need a clear, real-time view of their security posture. The new Exposure Management Dashboard provides this view with an at-a-glance snapshot of asset coverage, exposure trends, and remediation progress — ideal for quarterly planning cycles and board-level reporting. Exportable views make it easy to justify investment decisions, demonstrate measurable improvements, and show how tool consolidation is strengthening your security program. Learn more in our recent blog.

⠀

Exposure Management Dashboard, built to give you a real-time view of organizational risk

Validate real cloud exposures with Public Exposure Validation

When cloud configurations drift or controls degrade, it’s critical to know which assets are actually exposed to the public internet. Public Exposure Validation confirms externally reachable cloud resources using real external scans, reducing noise and eliminating theoretical findings.

Teams gain clearer visibility into true attack paths, shorten investigation cycles, and validate that remediation efforts are closing real gaps. This strengthens their posture with evidence, not assumptions. Learn more in our recent blog.

Keep external visibility accurate with Dynamic EASM Discovery

Accurate external discovery depends on seeds that reflect what’s truly exposed. But static seed lists can quickly become outdated. Dynamic EASM Discovery continuously pulls domains and public IP ranges from authoritative sources such as MarkMonitor, NetBox, and Rapid7 AppSec, ensuring your discovery scope stays current without manual upkeep.

This eliminates blind spots, keeps external inventories aligned with real-world change, and strengthens CTEM outcomes by grounding scope, discovery, and prioritization in real-time data rather than spreadsheets. See our recent blog on Dynamic EASM Discovery to learn more.

Detection and Response: Transform your SOC operations

Rapid7 named a Leader in the 2025 Frost Radar™ for Managed Detection and Response

In addition to being named a Leader in Exposure Assessment, we’re proud to share that we have also received this recognition for Managed Detection and Response with Frost & Sullivan recognizing Rapid7 as a Leader in the 2025 Frost Radar™ for MDR, based on innovation and growth in a field of 120 evaluated vendors. The report highlights:

Rapid7’s AI-driven triage accuracy of 99.93%, which helps security teams close benign alerts and reclaim 200+ SOC hours per week
Our unified platform combining MDR with exposure management, threat hunting, and active remediation
180+ third-party integrations across endpoint, network, cloud, and identity

This recognition reinforces Rapid7’s commitment to proactive, outcome-driven security and delivering continuous innovation, transparent AI, and measurable value to customers. Learn more.

IDC publishes its Business Value of Rapid7 MDR Study

IDC recently published its Business Value of Rapid7 MDR study, highlighting how customers can achieve a 422% three-year ROI, a 5-month payback period, and an impressive range of additional security outcomes delivered through Rapid7 Managed Detection and Response. The study found that Rapid7 MDR significantly reduced the chances of major security incidents and improved the speed to identify threats for customers – translating to both risk reduction and cost savings. Learn more about the study in our blog or download the full report.

New third party event sources available for Rapid7 SOC management

For organizations to stay secure, they need visibility across their entire attack surface. With recent third party event source expansions, our Rapid7 SOC can now manage PAN Cortex XDR, Okta Identity, and Google Security Command Center alerts as a part of our MDR and Managed Threat Complete offerings. This reinforces our defense-in-depth approach, in which Rapid7 collects, correlates, and maps native and third party telemetry to the MITRE ATT&CK framework, providing expanded visibility and greater protection across your entire attack surface. Learn more about SOC-supported third-party event sources here.

Introducing Incident Command

In July we announced our new AI-powered, next-gen SIEM, Incident Command. Designed to transform how security teams manage investigations and response, Incident Command automates manual tasks and guides analysts through complex workflows — accelerating triage, providing real-time recommended actions, and unifying critical context across alerts and incidents.

Backed with generative AI, our next-gen SIEM helps teams reduce mean time to respond (MTTR), improve consistency, and scale security operations without adding headcount. Learn more about what Incident Command can do for your team here.

⠀

The Incident Command Home Page brings critical SOC analyst tools together into a singular, actionable view

Rapid7 recognized for the 7th consecutive year in Gartner® Magic Quadrant™ for SIEM

Rapid7 has been recognized in the 2025 Gartner^® Magic Quadrant™ for Security Information and Event Management (SIEM), proof of our continued focus on helping security teams work smarter, respond faster, and stay ahead of evolving threats. This year’s report explores how SIEMs are transforming to meet the demands of modern, hybrid environments with greater automation, stronger analytics, and improved efficiency across security operations. We believe our inclusion underscores our commitment to delivering speed, transparency, and extensibility with our next-gen SIEM. Read the report for more insights.

InsightGovCloud: Trusted security for federal agencies

Rapid7 achieves FedRAMP authorization for InsightGovCloud platform

Our achievement of FedRAMP Authorization to Operate (ATO) underscores our commitment to delivering secure, trusted cloud security solutions for federal agencies. The InsightGovCloud Platform provides government customers with vetted capabilities for vulnerability management, cloud security posture, and threat detection, meeting the rigorous standards required to protect sensitive federal environments, while enabling faster, more efficient security operations. Learn more.

Rapid7 Labs: Uplevel your defenses with our latest cybersecurity intelligence and research findings

New research: Q3 2025 Threat Landscape Report

Our Threat Landscape Report provides an analysis of global adversary behavior drawn from Rapid7’s MDR operations, vulnerability intelligence, and threat research. Our latest Q3 2025 report outlines key trends that are shaping today’s threat environment - including AI-assisted attacks and the rapid operationalization of new vulnerabilities - offering clear guidance to help security teams anticipate emerging risks and strengthen defenses in an increasingly fast-evolving landscape. Read the report here.

Emergent threat response: Real-time guidance for critical threats

Rapid7’s Emergent Threat Response (ETR) program from Rapid7 Labs delivers fast, expert analysis and first-rate security content for the highest-priority security threats. In H2 2025, Rapid7’s ETR team provided expert analysis, content, and mitigation guidance for a variety of notable vulnerabilities, including:

CVE-2025-37164: Critical unauthenticated RCE affecting Hewlett Packard Enterprise OneView
CVE-2025-59718 and CVE-2025-59719: Critical vulnerabilities in Fortinet exploited in the wild
CVE-2025-55182 (React2Shell): Critical unauthenticated RCE affecting React Server Components
CVE-2025-64446: Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild
CVE-2025-20333, CVE-2025-20362, CVE-2025-20363: Multiple critical vulnerabilities affecting Cisco products
CVE-2025-10035: Critical unauthenticated RCE in GoAnywhere MFT
CVE-2025-53770: Zero-day exploitation in the wild of Microsoft SharePoint servers

Follow along here to see the latest emergent threat guidance from our team.

Technical assessments of CVEs in AttackerKB

Rapid7 researchers also publish additional vulnerability assessments in AttackerKB to help customers and the community understand and prioritize notable CVEs. Notable contributions from the back-half of 2025 include:

CVE-2025-20362 and CVE-2025-20333 - Cisco ASA unauthenticated RCE chain
CVE-2025-10035 - Fortra GoAnywhere MFT unauthenticated RCE
CVE-2025-58034 - Fortinet FortiWeb command injection
CVE-2025-12480 - Gladinet CentreStack RCE via access control bypass

Stay tuned for more!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

MongoBleed CVE-2025-14847: Critical Memory Leak in MongoDB Allowing Attackers to Extract Sensitive Data

Rapid7 Blog

By:Rapid7

29 December 2025 at 09:16

Overview

On December 19, 2025, MongoDB Inc. disclosed a critical new vulnerability, CVE-2025-14847, which has since been dubbed MongoBleed. This vulnerability is a high-severity unauthenticated memory leak affecting MongoDB, one of the world's most popular document-oriented databases. While initially identified as a data exposure flaw, the severity is underscored by the fact that it allows attackers to bypass authentication entirely to extract sensitive information directly from server memory. On December 26, 2025, public proof-of-concept (PoC) exploit code was published and on December 29th, 2025 exploitation in-the-wild has been confirmed.

While CVE-2025-14847 is rated as a high-severity vulnerability, CVSS 8.7, its impact is critical. Successful exploitation allows a remote, unauthenticated attacker to "bleed" uninitialized heap memory from the database server by manipulating Zlib-compressed network packets. This memory often contains high-value secrets such as cleartext credentials, authentication tokens, and sensitive customer data from other concurrent sessions. Because the vulnerability returns "uninitialized heap memory," an attacker cannot target specific credentials or data records with precision; they must instead rely on repeated exploitation attempts and chance to capture sensitive information.

The vulnerability specifically affects MongoDB servers configured to use the Zlib compression algorithm for network messages, which is a common configuration in many production environments. It affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk.

As of this writing, the public PoC has been successfully verified by Rapid7 Labs. Unlike scenarios where valid exploits are initially scarce, the exploit for MongoBleed is functional and reliable.

Organizations running self-managed MongoDB instances are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles. Given the nature of the leak, simply patching is insufficient; organizations are advised to also rotate all database and application credentials that may have been exposed prior to remediation.

Mitigation guidance

CVE-2025-14847 affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk. Organizations managing their own MongoDB instances should prioritize upgrading to the fixed versions released by the vendor (e.g., 8.0.4, 7.0.16, 6.0.20, etc.) immediately. This is the only complete remediation for the vulnerability.

If an immediate upgrade is not feasible, or if the organization is running an End-of-Life (EOL) version that will not receive a patch, the risk can be effectively mitigated by disabling the Zlib network compressor in the server configuration. This prevents the specific memory allocation path used by the exploit.

In addition, because CVE-2025-14847 allows for the exfiltration of credentials and session tokens from server memory, patching alone is insufficient to ensure security. Administrators should assume that any secrets residing in the database memory prior to patching may have been compromised; therefore, all database passwords, API keys, and application secrets should be rotated immediately after the vulnerability is remediated.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-14847 with a vulnerability check expected to be available in today's (Dec 29) content release.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-14847, including a Suricata rule.

Rapid7 observations

Rapid7 Labs has become aware of a new exploitation tool that streamlines the extraction of sensitive data from vulnerable MongoDB instances. This utility introduces a graphical user interface that allows an attacker to either batch-dump 10MB of memory or monitor the extraction process via a live visual feed. Rapid7 Labs has confirmed the tool operates as described, as demonstrated in the video below.

Detection and Hunting

Velociraptor

Velociraptor published a Linux.Detection.CVE202514847.MongoBleed hunting artifact written by Eric Capuano designed to detect indicators related to CVE-2025-14847 memory leakage activity. This artifact enables defenders to proactively identify suspicious network or process behaviors consistent with mangled Zlib protocol abuse.

Updates

December 29, 2025: Initial publication
December 29, 2025: "Rapid7 Observations" section added with video
December 29, 2025: Added exploitation confirmation

Metasploit Wrap-Up 12/19/2025

Rapid7 Blog

19 December 2025 at 16:02

React2Shell Payload Improvements

Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is selected using some basic logic that effectively would make a selection from the first available in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64.

Another improvement that only affects this exploit was the change of the default payload to one leveraging Node.js which is more likely to be present than the wget binary that was required. These defaults should hopefully help users get started with this high-impact exploit with more ease, but of course any compatible payload can still be selected.

Stay tuned for the Metasploit annual wrap-up and roadmap announcement coming up!

New module content (2)

N-able N-Central Authentication Bypass and XXE Scanner

Authors: Valentin Lobstein chocapikk@leakix.net and Zach Hanley (Horizon3.ai)

Type: Auxiliary

Pull request: #20713 contributed by Chocapikk

Path: scanner/http/nable_ncentral_auth_bypass_xxe

AttackerKB reference: CVE-2025-11700

Description: This adds an auxiliary module that exploits two CVEs affecting N-able N-Central. CVE-2025-9316, an Unauthenticated Session Bypass and CVE-2025-11700 a XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions < 2025.4.0.9).

Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE

Author: Tarek Nakkouch

Type: Exploit

Pull request: #20749 contributed by nakkouchtarek

Path: multi/http/grav_twig_ssti_sandbox_bypass_rce

AttackerKB reference: CVE-2025-66301

Description: This adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS, versions prior to 1.8.0-beta.27 , that allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form's process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.

Enhancements and features (2)

#20424 from cdelafuente-r7 - Updates how vulnerabilities and services are reported by adding a resource field to both models. It also add a parents field to make layered services possible. An optional resource field can now be provided and the existing service field has been updated to also accept an option hash.
#20771 from zeroSteiner - Updates Metasploit's default payload selection logic to preference x86 payloads over AARCH64 payloads.
#20773 from jheysel-r7 - This updates the exploit for React2Shell with a better default payload.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

CVE-2025-37164: Critical unauthenticated RCE affecting Hewlett Packard Enterprise OneView

Rapid7 Blog

By:Rapid7

18 December 2025 at 12:45

Overview

On December 17, 2025, Hewlett Packard Enterprise (HPE) published an advisory for CVE-2025-37164, a CVSS 10.0 vulnerability in HPE OneView. The vulnerability, which was reported to HPE by security researcher Nguyen Quoc Khanh, facilitates unauthenticated remote code execution (RCE) on versions of HPE OneView before 11.0. Defenders are advised to prioritize upgrading to version 11.0 or applying the emergency hotfixes (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) as soon as possible.

OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just about establishing remote code execution, it’s about gaining centralized control over servers, firmware, and lifecycle management at scale. The real concern here is exposure and trust assumptions. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.

Update #1: A Rapid7 technical analysis of CVE-2025-37164 has been published on AttackerKB, and a Metasploit module is now available.

Update #2: On January 7, 2026, CVE-2025-37164 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Hotfix analysis

Rapid7 Labs has begun an initial analysis of the vendor-supplied hotfix HPE_OneView_CVE_37164_Z7550-98077.bin. This hotfix applies a new HTTP rule to the appliance’s webserver to block access to a specific REST API endpoint. This endpoint is /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication. Rapid7 Labs assesses with a high degree of confidence that this is the access vector for triggering the vulnerability and achieving remote code execution.

Mitigation guidance

According to HPE, CVE-2025-37164 affects HPE OneView versions below 11.0, version 5.20 through version 10.20, unless a security hotfix (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) has been applied.

For the latest mitigation guidance for HPE OneView, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-37164 with an unauthenticated vulnerability check expected to be available in today's (December 18) content release.

Updates

December 18, 2025: Initial publication.
December 19, 2025: Updated to link to the new Rapid7 technical analysis and Metasploit module for CVE-2025-37164.
January 8, 2026: Updated Overview to add a reference to the CISA KEV list.

Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719, CVE-2026-24858 exploited in the wild

Rapid7 Blog

By:Rapid7

17 December 2025 at 16:00

Overview

Update for CVE-2026-24858: On January 27, 2026, Fortinet disclosed CVE-2026-24858, a critical unauthenticated vulnerability allowing authentication bypass via Fortinet’s cloud SSO. Confirmed as a net-new vulnerability rather than a patch bypass, it has been observed under active zero-day exploitation. The issue affects FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. However, because Fortinet has deployed a fix to the cloud environment, a client-side patch is not required to prevent exploitation. Please refer to the ‘Mitigation guidance’ section for further details.

A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device. Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.

While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out. This behavior significantly increases the likelihood of exposure across registered deployments. Arctic Wolf has confirmed active exploitation and CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.

Observed attacks show threat actors authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials. As a result, any organization with indicators of compromise must assume credential exposure and respond accordingly.

Rapid7 observations

Rapid7 initially observed CVE-2025-59718 exploitation attempts against honeypots on December 17, 2025, alongside a proof-of-concept exploit on GitHub resembling those requests. Update as of January 16, 2026, Rapid7 has identified threat actors actively exploiting authentication bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 on vulnerable FortiGate devices exposed to the public internet.

Mitigation guidance

CVE-2025-59718 and CVE-2025-59719:

Fortinet has published an advisory that lists fixed versions for CVE-2025-59718 and CVE-2025-59719.

CVE-2026-24858:

According to Fortinet’s advisory, a patch deployed to their own FortiCloud SSO infrastructure on January 26, 2026 has remediated the vulnerability. However, patched software is available for customers, since the cloud-side fix introduces breaking changes to the FortiCloud SSO login protocol. Because of this, fixed versions are listed, along with IoCs from exploitation in the wild.
Per Fortinet, FortiAnalyzer, FortiManager, FortiOS, and FortiProxy are confirmed to be affected, and a vendor investigation is ongoing (as of January 27, 2026) to determine if FortiWeb and FortiSwitchManager are affected.
For the latest information, please refer to the official Fortinet advisory for CVE-2026-24858.

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-59718 and CVE-2025-59719 with authenticated vulnerability checks available in the December 17 content release.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-59718 and CVE-2025-59719, including indicators of compromise (IOCs).

Updates

December 17, 2025: Initial publication.
December 17, 2025: Coverage updated.
December 18, 2025: Added Intelligence Hub section.
January 16, 2026: Active exploitation observed.

January 26, 2026: Added information about the January, 2026 advisory blog post and the new recommended mitigation steps.
January 27, 2026: Added information about CVE-2026-24858.

Test for React2Shell with Application Security using New Functionality

Rapid7 Blog

By:Rapid7

17 December 2025 at 14:06

Following disclosure of the React2Shell vulnerability (CVE-2025-55182), a maximum-severity Remote Code Execution (RCE) in React Server Components (RSC) a.k.a. the Flight protocol, security teams are assessing exposure and validating fixes. React and ecosystem vendors have released patches; exploitation in the wild has been reported, so rapid validation matters.

What is React2Shell?

React2Shell is an unauthenticated RCE flaw caused by insecure Flight payload deserialization in server-side React/RSC implementations (including popular frameworks like Next.js). It carries a CVSS 10.0 rating and affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 as well as Next.js versions 15.0.0-15.1.6 and 16.0.0-16.0.6 prior to recent patches. You can read more about it in this detailed CVE overview blog post.

In this detailed writeup, we will share how our customers can specifically test for React2Shell with Rapid7’s Application Security solution.

Testing for React2Shell with application security

With our dynamic application security testing (DAST) solution, customers can assess the risk of their applications. Rapid7 allows you to configure various attacks of your applications to identify response behaviors that make your applications more vulnerable to attacks. These attacks are run during scans that you can customize based on your needs. In this case, we’ve extended our RCE attack module to include a check for React2Shell.

What does this mean? Customers can now run an Attack Injection using the RCE, which includes an attack type for React2Shell. Our React2Shell vulnerability detection will simulate an attacker on your website. This is a benign attack which will not execute any code and only shows that RCE is possible. Rapid7 will validate the exploitability of the application and the associated risk.

How to run a React2Shell attack in the Rapid7 DAST

You can scan for this new RCE attack using either the new Arbitrary Code Execution attack template we have created or by creating your own custom attack template and selecting the RCE module. We have added some steps for you to follow below:

Default attack template option:

Choose the Arbitrary Code Execution attack template in your scan configuration:

⠀

Default Arbitrary Code Execution attack template with RCE attack module

Custom attack template option:

Run a scan

Choosing the scan configuration you made earlier, scan against your selected app(s).

Scan results - React2Shell RCE finding

Now that you have run your scan, you can review the results to see if your app(s) have any findings. These will include remediation advice that you can follow.

⠀

Manage attack templates

You can now manage your attack templates by navigating to the appropriate section and selecting the Arbitrary Code Execution attack template as below.

⠀

What’s next?

Patch immediately, upgrade React to 19.0.1, 19.1.2, or 19.2.1 (or newer). For Next.js, the recommended action is to update to the following respective patched versions: 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, or later*. You should seek to remediate this vulnerability on an urgent basis, outside of normal patch cycles and consider temporary web application firewall (WAF) rules for Flight endpoints while patching. If you’re looking to validate any fixes you have implemented, feel free to run a validation scan with our application security tool to verify the fixes are correct.

* For Next.js, the recommendation from Nextjs is to update to the following respective patched versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, or later. However, we have identified that versions 15.0.5 and 15.1.9 have a different critical vulnerability and would recommend against using them.

Dynamic EASM Discovery: Continuous Discovery for a Changing Attack Surface

Rapid7 Blog

By:Ed Montgomery

17 December 2025 at 09:06

Staying ahead of what’s exposed, automatically.

The modern enterprise doesn’t stand still. New domains are registered, acquisitions bring inherited infrastructure, cloud workloads spin up and down daily, and somewhere in the middle of it all, your visible footprint on the internet external attack surface keeps expanding.

For CISOs, this constant motion makes one CTEM step particularly difficult: discovery. You can’t validate what you can’t see and manual inventory updates can’t keep up with the pace of digital change.

That’s why Rapid7 is introducing dynamic EASM discovery for Surface Command, a new capability that automatically identifies and tracks every part of your external attack surface. By continuously ingesting known domain and IP information from your environment and related management tools, Surface Command ensures your visibility is always accurate, always current, and always ready for validation.

Figure 1: Dynamic Seeds feature in the Rapid7 Command Platform

From static inventories to continuous confidence

Traditional External Attack Surface Management (EASM) tools rely on static “seed lists”, known IPs, domains, or networks used to start discovery scans. But as organizations evolve, those seeds quickly become stale, leaving blind spots that attackers can exploit.

Dynamic EASM discovery replaces static inputs with live intelligence. Surface Command, Rapid7’s attack surface management (ASM) solution, now automatically gathers seed data from across your ecosystem, including DNS records, network services, and asset repositories and feeds it directly into the Rapid7 Command Platform. Asset, vulnerability, automation, control, threat, and enrichment data are ingested into our Command Platform through Connectors.

The result: a continuously updated, validated view of your internet-facing footprint.

No spreadsheets. No manual uploads. No surprises.

Why this matters for CTEM step 2: Discovery

Continuous threat exposure management (CTEM) is the discipline of constantly discovering, prioritizing, validating, and mobilizing against risk. Most organizations excel at discovery and prioritization but validation often lags behind.

Discovery is where confidence becomes measurable:

Did the exposure we fixed actually disappear?
Is our attack surface shrinking or just shifting?
Are we making progress we can prove?

Dynamic EASM discovery strengthens step 2, discovery by ensuring your exposure data reflects the real, live environment. Every time a cloud resource changes or a new asset appears, Surface Command automatically revalidates what’s known versus what’s newly exposed.

That means your CTEM cycle is never out of sync with reality, and your reports to leadership reflect verified reductions in risk, not assumptions.

Connecting visibility to outcomes

Dynamic EASM discovery doesn’t just simplify inventory management, it accelerates progress across the CTEM lifecycle:

Discovery: Continuously ingesting data expands your external visibility.
Prioritization: Integrated context links assets to business impact and threat intelligence.
Validation: Continuous seed refresh confirms exposures are resolved and risk is reducing.
Mobilization: Validated insights flow into ITSM and automation workflows for closure.

For security leaders, this translates to clear, measurable progress: a smaller attack surface, shorter exposure windows, and data that executives can trust.

An attacker’s view you can trust

External visibility is only useful if it’s reliable. With dynamic EASM discovery, Surface Command provides a real-time, attacker’s-eye view of your organization’s public-facing assets, domains, subdomains, IPs, and network services; all validated against live data.

This level of automation gives CISOs three distinct advantages:

Fewer blind spots - Automatically capture new and transient assets the moment they appear.
Proven accuracy - Validate that remediation efforts have actually closed exposures.
Faster decisions - Operate on verified intelligence instead of lagging asset data.

Validation becomes continuous, evidence-based, and defensible.

Executive clarity through proof

Boards don’t want more alerts, they want proof that investments in security are paying off. Dynamic EASM Discovery helps CISOs demonstrate that progress with concrete, validated metrics:

Total external assets tracked over time
Exposure reduction percentages by business unit
Remediation velocity measured in real, verified outcomes

When the question comes, “are we actually reducing risk?”

Surface Command gives you evidence, not estimates.

Simplified operations, stronger security

Dynamic EASM discovery is built into Rapid7’s Command Platform, eliminating the manual effort that once slowed exposure management. Security and IT teams can focus on reducing risk instead of reconciling data sources, while automation keeps inventories and dashboards perpetually up to date.

In practice, that means:

Reduced administrative overhead
Elimination of stale or duplicate records
Seamless integration with other Command Platform services for unified CTEM execution

What used to take hours of manual input now happens automatically, at the speed your business evolves.

Continuous validation made simple

Attack surface expansion doesn't stop, and neither should your visibility. With dynamic EASM discovery, Rapid7 ensures that the foundation of your CTEM program, discovery, is always grounded in current, accurate data.

It’s continuous assurance for a world that doesn’t stand still. This is in early access now, and generally available in January, 2026.

Explore Surface Command

See how Dynamic EASM Discovery keeps your external visibility live, validated, and ready for action.

Contact your Rapid7 account team or click here to initiate a no commitment trial today.

Try the new dynamic EASM discovery self-guided product tour

SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums

Rapid7 Blog

By:Milan Spinka

15 December 2025 at 05:02

Update from December 16, 2025: Shortly after publishing this blog post, we have observed a message from the official SantaStealer telegram channel announcing the release of the stealer. This means the stealer is now deemed production-ready by the developers and can be expected in the wild. Below is a screenshot of the original message in Russian as well as our translation to English.

Figure 0: A message announcing the release of SantaStealer in Russian (left) and our translation to English (right)

Summary

Rapid7 Labs has identified a new malware-as-a-service information stealer being actively promoted through Telegram channels and on underground hacker forums. The stealer is advertised under the name “SantaStealer” and is planned to be released before the end of 2025. Open source intelligence suggests that it recently underwent a rebranding from the name “BluelineStealer.”

The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection. Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP.

While the stealer is advertised as “fully written in C”, featuring a “custom C polymorphic engine” and being “fully undetected,” Rapid7 has found unobfuscated and unstripped SantaStealer samples that allow for an in-depth analysis. These samples can shed more light on this malware’s true level of sophistication.

Discovery

In early December 2025, Rapid7 identified a Windows executable triggering a generic infostealer detection rule, which we usually see triggered by samples from the Raccoon stealer family. Initial inspection of the sample (SHA-256 beginning with 1a27…) revealed a 64-bit DLL with over 500 exported symbols (all bearing highly descriptive names such as “payload_main”, “check_antivm” or “browser_names”) and a plethora of unencrypted strings that clearly hinted at credential-stealing capabilities.

While it is not clear why the malware authors chose to build a DLL, or how the stealer payload was to be invoked by a potential stager, this choice had the (presumably unintended) effect of including the name of every single function and global variable not declared as static in the executable’s export directory. Even better, this includes symbols from statically linked libraries, which we can thus identify with minimal effort.

The statically linked libraries in this particular DLL include:

cJSON, an “ultralightweight JSON parser”
miniz, a “single C source file zlib-replacement library”
sqlite3, the C library for interfacing with SQLite v3

Another pair of exported symbols in the DLL are named notes_config_size and notes_config_data. These point to a string containing the JSON-encoded stealer configuration, which contains, among other things, a banner (“watermark”) with Unicode art spelling “SANTA STEALER” and a link to the stealer Telegram channel, t[.]me/SantaStealer.

Figure 1: A preview of the stealer’s configuration

Figure 2: A Telegram message from November 25th advertising the rebranded SantaStealer

Figure 3: A Telegram message announcing the rebranding and expected release schedule

Visiting SantaStealer’s Telegram channel, we observed the affiliate web panel, where we were able to register an account and access more information provided by the operators, such as a list of features, the pricing model, or the various build configuration options. This allowed us to cross-correlate information from the panel with the configuration observed in samples, and get a basic idea of the ongoing evolution of the stealer.

Apart from Telegram, the stealer can be found advertised also on the Lolz hacker forum at lolz[.]live/santa/. The use of this Russian-speaking forum, the top-level domain name of the web panel bearing the country code of the Soviet Union (su), and the ability to configure the stealer not to target Russian-speaking victims (described later) hints at Russian citizenship of the operators — not at all unusual on the infostealer market.

Figure 4: A list of features advertised in the web panel

As the above screenshot illustrates, the stealer operators have ambitious plans, boasting anti-analysis techniques, antivirus software bypasses, and deployment in government agencies or complex corporate networks. This is reflected in the pricing model, where a basic variant is advertised for $175 per month, and a premium variant is valued at $300 per month, as captured in the following screenshot.

Figure 5: Pricing model for SantaStealer (web panel)

In contrast to these claims, the samples we have seen until now are far from undetectable, or in any way difficult to analyze. While it is possible that the threat actor behind SantaStealer is still developing some of the mentioned anti-analysis or anti-AV techniques, having samples leaked before the malware is ready for production use — complete with symbol names and unencrypted strings — is a clumsy mistake likely thwarting much of the effort put into its development and hinting at poor operational security of the threat actor(s).

Interestingly, the web panel includes functionality to “scan files for malware” (i.e. check whether a file is being detected or not). While the panel assures the affiliate user that no files are shared and full anonymity is guaranteed, one may have doubts about whether this is truly the case.

Figure 6: Web panel allows to scan files for malware.

Some of the build configuration options within the web panel are shown in Figures 7 through 9.

Figure 7: SantaStealer build configuration

Figure 8: More SantaStealer build configuration options

Figure 9: SantaStealer build configuration options, including CIS countries detection

One final aspect worth pointing out is that, rather unusually, the decision whether to target countries in the Commonwealth of Independent States (CIS) is seemingly left up to the buyer and is not hardcoded, as is often the case with commercial infostealers.

Technical analysis of SantaStealer

Having read the advertisement of SantaStealer’s capabilities by the developers, one might be interested in seeing how they are implemented on a technical level. Here, we will explore one of the EXE samples (SHA-256 beginning with 926a…), as attempts at executing the DLL builds with rundll32.exe ran into issues with the C runtime initialization. However, the DLL builds (such as SHA-256 beginning with 1a27…) are still useful for static analysis and cross-referencing with the EXE.

At the moment, detecting and tracking these payloads is straightforward, due to the fact that both the malware configuration and the C2 server IP address are embedded in the executable in plain text. However, if SantaStealer indeed does turn out to be competitive and implements some form of encryption, obfuscation, or anti-analysis techniques (as seen with Lumma or Vidar) these tasks may become less trivial for the analyst. A deeper understanding of the patterns and methods utilized by SantaStealer may be beneficial.

Figure 10: Code in the send_upload_chunk exported function references plaintext strings

The user-defined entry point in the executable corresponds to the payload_main DLL export. Within this function, the stealer first checks the anti_cis and exec_delay_seconds values from the embedded config and behaves accordingly. If the CIS check is enabled and a Russian keyboard layout is detected using the GetKeyboardLayoutList API, the stealer drops an empty file named “CIS” and ends its execution. Otherwise, SantaStealer waits for the configured number of seconds before calling functions named check_antivm, payload_credentials, create_memory_based_log and creating a thread running the routine named ThreadPayload1 in the DLL exports.

The anti-VM function is self-explanatory, but its implementation differs across samples, hinting at the ongoing development of the stealer. One sample checks for blacklisted processes (by hashing the names of running process executables using a custom rolling checksum and searching for them in a blacklist), suspicious computer names (using the same method) and an “analysis environment,” which is just a hard-coded blacklist of working directories, like “C:\analysis” and similar. Another sample checks the number of running processes, the system uptime, the presence of a VirtualBox service (by means of a call to OpenServiceA with "VBoxGuest") and finally performs a time-based debugger check. In either case, if a VM or debugger is detected, the stealer ends its execution.

Next, payload_credentials attempts to steal browser credentials, including passwords, cookies, and saved credit cards. For Chromium-based browsers, this involves bypassing a mechanism known as AppBound Encryption (ABE). For this purpose, SantaStealer embeds an additional executable, either as a resource or directly in section data, which is either dropped to disk and executed (screenshot below), or loaded and executed in-memory, depending on the sample.

Figure 11: Execution of an embedded executable specialized in browser hijacking

The extracted executable, in turn, contains an encrypted DLL in its resources, which is decrypted using two consecutive invocations of ChaCha20 with two distinct pairs of 32-byte key and 12-byte nonce. This DLL exports functions called ChromeElevator_Initialize, ChromeElevator_ProcessAllBrowsers and ChromeElevator_Cleanup, which are called by the executable in that order. Based on the symbol naming, as well as usage of ChaCha20 encryption for obfuscation and presence of many recognizable strings, we assess with moderate confidence that this executable and DLL are heavily based on code from the "ChromElevator" project (https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption), which employs direct syscall-based reflective process hollowing to inject code into the target browser. Hijacking the security context of a legitimate browser process this way allows the attacker to decrypt AppBound encryption keys and thereby decrypt stored credentials.

Figure 12: The embedded EXE decrypts and loads a DLL in-memory and calls its exports.

The next function called from main, create_memory_based_log, demonstrates the modular design of the stealer. For each included module, it creates a thread running the module_thread routine with an incremented numerical ID for that module, starting at 0. It then waits for 45 seconds before joining all thread handles and writing all files collected in-memory into a ZIP file named “Log.zip” in the TEMP directory.

The module_thread routine simply takes the index it was passed as parameter and calls a handler function at that index in a global table, for some reason called memory_generators in the DLL. The module function takes only a single output parameter, which is the number of files it collected. In the so helpfully annotated DLL build, we can see 14 different modules. Besides generic modules for reading environment variables, taking screenshots, or grabbing documents and notes, there are specialized modules for stealing data from the Telegram desktop application, Discord, Steam, as well as browser extensions, histories and passwords.

Figure 13: A list of named module functions in a SantaStealer sample

Finally, after all the files have been collected, ThreadPayload1 is run in a thread. It sleeps for 15 seconds and then calls payload_send, which in turn calls send_zip_from_memory_0, which splits the ZIP into 10 MB chunks that are uploaded using send_upload_chunk.

The file chunks are exfiltrated over plain HTTP to an /upload endpoint on a hard-coded C2 IP address on port 6767, with only a couple special headers:

User-Agent: upload
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary[...]
auth: [...]
w: [...]
complete: true (only on final request)

The auth header appears to be a unique build ID, and w is likely the optional “tag” used to distinguish between campaigns or “traffic sources”, as is mentioned in the features.

Conclusion

The SantaStealer malware is in active development, set to release sometime in the remainder of this month or in early 2026. Our analysis of the leaked builds reveals a modular, multi-threaded design fitting the developers’ description. Some, but not all, of the improvements described in SantaStealer’s Telegram channel are reflected in the samples we were able to analyze. For one, the malware can be seen shifting to a completely fileless collection approach, with modules and the Chrome decryptor DLL being loaded and executed in-memory. On the other hand, the anti-analysis and stealth capabilities of the stealer advertised in the web panel remain very basic and amateurish, with only the third-party Chrome decryptor payload being somewhat hidden.

To avoid getting infected with SantaStealer, it is recommended to pay attention to unrecognized links and e-mail attachments. Watch out for fake human verification, or technical support instructions, asking you to run commands on your computer. Finally, avoid running any kind of unverified code from sources such as pirated software, videogame cheats, unverified plugins, and extensions.

Stay safe and off the naughty list!

Rapid7 Customers

Intelligence Hub

Customers using Rapid7’s Intelligence Hub gain direct access to SantaStealer IOCs, along with ongoing intelligence on new activity and related campaigns. The platform also has detections for a wide range of other infostealers, including Lumma, StealC, RedLine, and more, giving security teams broader visibility into emerging threats.

Indicators of compromise (IoCs)

SantaStealer DLLs with exported symbols (SHA-256)

1a277cba1676478bf3d47bec97edaa14f83f50bdd11e2a15d9e0936ed243fd64
abbb76a7000de1df7f95eef806356030b6a8576526e0e938e36f71b238580704
5db376a328476e670aeefb93af8969206ca6ba8cf0877fd99319fa5d5db175ca
a8daf444c78f17b4a8e42896d6cb085e4faad12d1c1ae7d0e79757e6772bddb9
5c51de7c7a1ec4126344c66c70b71434f6c6710ce1e6d160a668154d461275ac
48540f12275f1ed277e768058907eb70cc88e3f98d055d9d73bf30aa15310ef3
99fd0c8746d5cce65650328219783c6c6e68e212bf1af6ea5975f4a99d885e59
ad8777161d4794281c2cc652ecb805d3e6a9887798877c6aa4babfd0ecb631d2
73e02706ba90357aeeb4fdcbdb3f1c616801ca1affed0a059728119bd11121a4
e04936b97ed30e4045d67917b331eb56a4b2111534648adcabc4475f98456727
66fef499efea41ac31ea93265c04f3b87041a6ae3cd14cd502b02da8cc77cca8
4edc178549442dae3ad95f1379b7433945e5499859fdbfd571820d7e5cf5033c

SantaStealer EXEs (SHA-256)

926a6a4ba8402c3dd9c33ceff50ac957910775b2969505d36ee1a6db7a9e0c87
9b017fb1446cdc76f040406803e639b97658b987601970125826960e94e9a1a6
f81f710f5968fea399551a1fb7a13fad48b005f3c9ba2ea419d14b597401838c

SantaStealer C2s

31[.]57[.]38[.]244:6767 (AS 399486)
80[.]76[.]49[.]114:6767 (AS 399486)

MITRE ATT&CK

Account Discovery (T1087)
Automated Exfiltration (T1020)
Data Compressed (T1002)
Browser Information Discovery (T1217)
Archive Collected Data (T1560)
Data Transfer Size Limits (T1030)
Archive via Library (T1560.002)
Automated Collection (T1119)
Exfiltration Over C2 Channel (T1041)
Clipboard Data (T1115)
Debugger Evasion (T1622)
Email Account (T1087.003)
File and Directory Discovery (T1083)
Credentials In Files (T1552.001)
Credentials from Password Stores (T1555)
Data from Local System (T1005)

Credentials from Web Browsers (T1503)
Financial Theft (T1657)
Credentials from Web Browsers (T1555.003)
Credentials in Files (T1081)
Malware (T1587.001)
Process Discovery (T1057)
Local Email Collection (T1114.001)
Messaging Applications (T1213.005)
Screen Capture (T1113)
Server (T1583.004)
Software Discovery (T1518)
System Checks (T1497.001)
DLL (T1574.001)
System Information Discovery (T1082)
System Language Discovery (T1614.001)
Time Based Evasion (T1497.003)
Virtualization/Sandbox Evasion (T1497)
Deobfuscate/Decode Files or Information (T1140)
Web Protocols (T1071.001)
Private Keys (T1145)
Private Keys (T1552.004)
Dynamic API Resolution (T1027.007)
Steal Application Access Token (T1528)
Steal Web Session Cookie (T1539)
Embedded Payloads (T1027.009)
Encrypted/Encoded File (T1027.013)
File Deletion (T1070.004)
File Deletion (T1107)
Portable Executable Injection (T1055.002)
Process Hollowing (T1055.012)
Process Hollowing (T1093)
Reflective Code Loading (T1620)

Metasploit Wrap-Up 12/12/2025

Rapid7 Blog

12 December 2025 at 15:38

React2shell Module

As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto", "constructor", or "prototype" as module names. We're happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in this week's release.

MSSQL Improvements

Over the past couple of weeks Metasploit has made a couple of key improvements to the framework’s MSSQL attack capabilities. The first (PR 20637) is a new NTLM relay module, auxiliary/server/relay/smb_to_mssql, which enables users to start a malicious SMB server that will relay authentication attempts to one or more target MSSQL servers. When successful, the Metasploit operator will have an interactive session to the MSSQL server that can be used to run interactive queries, or MSSQL auxiliary modules.

Building on this work, it became clear that users would need to interact with MSSQL servers that required encryption as many do in hardened environments. To achieve that objective, issue 18745 was closed by updating Metasploits MSSQL protocol library to offer better encryption support. Now, Metasploit users can open interactive sessions to servers that offer and even require encrypted connections. This functionality is available automatically in the auxiliary/scanner/mssql/mssql_login and new auxiliary/server/relay/smb_to_mssql modules.

New module content (5)

Magento SessionReaper

Authors: Blaklis, Tomais Williamson, and Valentin Lobstein chocapikk@leakix.net

Type: Exploit

Pull request: #20725 contributed by Chocapikk

Path:multi/http/magento_sessionreaper

AttackerKB reference: CVE-2025-54236

Description: This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.

Unauthenticated RCE in React and Next.js

Authors: Lachlan Davidson, Maksim Rogov, and maple3142

Type: Exploit

Pull request: #20760 contributed by sfewer-r7

Path: multi/http/react2shell_unauth_rce_cve_2025_55182

AttackerKB reference: CVE-2025-66478

Description: This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.

WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE

Authors: Peter Thaleikis and Valentin Lobstein chocapikk@leakix.net

Type: Exploit

Pull request: #20746 contributed by Chocapikk

Path: multi/http/wp_king_addons_privilege_escalation

AttackerKB reference: CVE-2025-8489

Description: This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.

Linux Reboot

Author: bcoles bcoles@gmail.com

Type: Payload (Single)

Pull request: #20682 contributed by bcoles

Path:linux/loongarch64/reboot

Description: This extends our payloads support to a new architecture, LoongArch64. The first payload introduced for this new architecture is the reboot payload, which will cause the target system to restart once triggered.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

#20736 from sfewer-r7 - This pull requests updates the exploit/linux/http/fortinet_fortiweb_rce module (added in https://github.com/rapid7/metasploit-framework/pull/20717) to add in support for older version of FortiWeb, versions 6.*, which are no longer under support from the vendor.
#20747 from vognik - This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.

Enhancements and features (1)

#20704 from dwelch-r7 - The module auxiliary/scanner/ssh/ssh_login_pubkey has been removed. Its functionality has been moved into auxiliary/scanner/ssh/ssh_login.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

New Research: Multifunction Printer (MFP) Security Concerns within the Enterprise Business Environment

Rapid7 Blog

By:Deral Heiland

11 December 2025 at 05:57

Multifunction printers (MFPs) do far more than print. They scan, email, fax, store, and authenticate. That convenience comes with risk. Our latest report, Understanding Multifunction Printer (MFP) Security within the Enterprise Business Environment, from Rapid7’s Deral Heiland, Principal Security Researcher (IoT), and Sam Moses, Security Consultant, takes a clear look at where MFPs expand your attack surface and how to reduce that risk.

Why this research matters

MFPs are everywhere, often overlooked, and frequently underprotected. Many organizations deploy them without password changes, patch cycles, or network segmentation. Attackers notice. Because MFPs are attached to networks and can carry sensitive data, compromise can enable credential theft, data leakage, and lateral movement within the network.

The report tracks how long-standing and emerging weaknesses continue to affect MFP security. It highlights common risk areas such as weak authentication and limited patching practices, among others, that leave devices open to misuse or compromise. As these printers have grown more connected and feature-rich, the potential impact of a single vulnerable device has increased, especially when linked to core business systems or identity services.

The study also examines broader exposure trends across the enterprise landscape. Thousands of MFPs remain directly accessible from the internet, and vulnerability data shows that many models have faced serious flaws in recent years. Beyond technical issues, organizational processes like inconsistent patch management and poor decommissioning practices often allow sensitive data and credentials to linger on devices long after their use.

Penetration testing data collected by Rapid7 and Raxis confirms that these risks are not theoretical. Many organizations still deploy MFPs with default settings, leaving them open to credential theft and data access that can help attackers move deeper into the network.

The report introduces Praeda-II, a community tool designed for pentesters, auditors, and IT teams who need fast visibility into vulnerable printers, to identify risks in MFPs across modern models.

See the research

If your organization relies on networked printers, this research offers the insights you need. Read Understanding Multifunction Printer (MFP) Security within the Enterprise Business Environment to learn about key risks and practical steps to strengthen your printer security program.

Geopolitics and Cyber Risk: How Global Tensions Shape the Attack Surface

Rapid7 Blog

By:Jeremy Makowski

11 December 2025 at 05:01

Geopolitics has become a significant risk factor for today’s organizations, transforming cybersecurity into a technical and strategic challenge heavily influenced by state behavior. International tensions and the strategic calculations of major cyber powers, including Russia, China, Iran, and North Korea, significantly shape the current threat landscape. Businesses can no longer operate as isolated entities; they now function as interconnected global ecosystems where employees, suppliers, cloud workloads, supply chains, and data flows intersect across multiple jurisdictions, each with its own unique set of political risks.

A region considered low-risk last month could become a high-risk zone overnight if a diplomatic dispute escalates. An overseas development team could suddenly become vulnerable if that region experiences sanctions, stricter regulations, or state pressure on the workforce.

Many organizations still underestimate this dynamic reality, relying on static risk models that assume relatively stable attack patterns. However, geopolitical decisions and internal vulnerabilities are often the drivers of the most sudden and consequential changes in exposure. For example, the announcement of sanctions can trigger retaliatory cyberattacks, a military buildup can unleash destructive campaigns, and a trade or intellectual property dispute can lead to large-scale espionage.

Cybersecurity leaders must therefore integrate geopolitical intelligence directly into their operational decision-making and risk assessment processes, recognizing that political forces, rather than technical errors, are often the primary trigger for increased vulnerability.

Geopolitics as a core driver of cyber risk

Geopolitics plays a decisive role in shaping the scale, direction, and sophistication of cybercriminal and state-sponsored activity, fundamentally altering the threat landscape for organizations worldwide. Geopolitical tensions and sanctions often create conditions in which state-aligned hackers operate with greater freedom, using cyber operations as tools for espionage, economic survival, political retaliation, or strategic influence. Isolated or sanctioned states often turn to cybercrime as an alternative source of revenue.

North Korea, for instance, intensifies financially motivated campaigns, including cryptocurrency theft and extortion, when economic pressure mounts. Iran, facing recurring sanctions and political isolation, tends to respond with retaliatory or disruptive cyber operations targeting sectors and institutions associated with adversarial nations.

China’s cyber activity often peaks during moments of heightened competition over technology and strategic resources, driving expansive espionage campaigns aimed at industries like aerospace, telecommunications, AI, and energy. Russia, meanwhile, escalates disruptive or destructive cyber actions during geopolitical confrontations or military conflicts, leveraging malware, industrial system interference, and coordinated information operations.

These patterns demonstrate how cyber risk extends far beyond technical vulnerabilities: organizations become targets because of their nationality, sector, technology assets, or global partnerships.

How geopolitical tensions influence threat actor behavior

Geopolitical tensions influence the behavior of threat actors by altering their objectives, aggression levels, and operational trade-offs in ways that directly impact global organizations. Russian groups, for example, will shift from covert intelligence collection to overt disruption, employing destructive malware, DDoS attacks, and infrastructure sabotage to exert pressure. Chinese actors are known to intensify long-term espionage and supply-chain infiltration, targeting IP, cloud providers, security firms, and development environments.

Iran responds to sanctions or regional tensions with opportunistic retaliation through data wiping, defacements, and financially motivated attacks. And when facing economic strain, North Korea expands cybercrime, including cryptocurrency theft, extortion, software supply-chain poisoning, and high-level financial fraud.

For organizations, these shifts manifest internally as newly observed attack patterns, such as targeted phishing aimed at political or strategic sectors, the exploitation of vulnerabilities relevant to conflicts, or supply-chain attacks aligned with espionage objectives. The unifying pattern is that geopolitical tensions cause attackers to reprioritize, whereby espionage becomes a means of destruction, revenue generation becomes a national strategy, and symbolic retaliation becomes an operational necessity. Security teams that do not account for these geopolitical triggers risk misjudging the scale, intent, and urgency of incoming threat campaigns.

Indicators that cyber escalation is coming

A cyber escalation is rarely an isolated phenomenon; it is usually accompanied by political and technical warning signs that can herald a wave of attacks. On the political front, organizations should monitor events such as sanctions announcements, diplomatic expulsions, military mobilizations, sudden breakdowns in negotiations, strategic military strikes, or public accusations of espionage. For example, tensions with Russia are often followed by cyber influence campaigns. Retaliatory cyberattacks are also common following the imposition of sanctions on the Islamic Republic of Iran. Increased cyber espionage campaigns coincide with periods of strategic competition with China, and financially motivated attacks intensify after economic pressure is exerted on North Korea.

On a technical level, the first warning signs manifest in one or more of the following ways:

An increase in sector-specific phishing attacks linked to political events
The reactivation of known command and control infrastructures
The formation of new politically-motivated hacktivist collectives
Access intermediaries launching campaigns to sell access points in sectors linked to ongoing conflicts

Internally, organizations may sometimes observe unusual activity from cybersecurity teams, such as unexpected code updates from maintenance managers located in politically sensitive regions, vendor outages correlated with geopolitical developments, or authentication anomalies linked to regions near ongoing crises. The most important pattern to recognize is convergence: when political escalation, external surveillance, and internal anomalies appear within the same time frame, organizations must assume that threat conditions have shifted from background noise to active risk and immediately adopt a strengthened defensive posture.

Adjusting defensive posture during geopolitical instability

Harden identity infrastructure against state-grade threats.

Identity has become a frontline asset in geopolitical conflict. In today’s environment, the boundaries between hacktivism, cybercrime, and state-sponsored activities are increasingly blurred, with governments at times guiding or amplifying these operations. Credential compromise is often the entry point that enables these broader campaigns. To mitigate this risk, organizations should enforce universal, phishing-resistant MFA, regularly review and tightly govern privileged roles, particularly in sensitive geographies, and adopt just-in-time access to minimize standing privileges. These measures materially reduce exposure and strengthen resilience against sophisticated, geopolitically motivated threat actors.

Conduct targeted threat hunts

Russia — Russian threat actors place a strong emphasis on disruption and destruction, particularly during periods of geopolitical conflict. They commonly deploy wiper malware that deletes or corrupts files and often pretend it’s ransomware. Threat hunters should watch for sudden mass file changes, system reboots, or the use of admin-level command-line tools immediately preceding damage. Russia also has advanced capabilities for ICS/OT manipulation, meaning unusual access to industrial controllers or configuration changes can be a strong indicator of potential compromise. Additionally, their operations often support information warfare, so defenders should look for compromised media or government accounts, unauthorized website changes, and targeted spear-phishing attacks tied to political events.

China — China focuses on long-term, stealthy access rather than quick disruption. They are known for supply-chain compromises, so unusual activity from vendor accounts or anomalies in software updates should be investigated. They frequently abuse cloud identity platforms, making it essential to monitor for impossible travel logins, token theft, MFA fatigue, or suspicious OAuth applications. Chinese groups also invest heavily in credential harvesting, often trying to quietly collect usernames, passwords, and tokens over long periods. Threat hunters should look for password spraying, attempts to dump credentials, or lateral movement linked to service or personal accounts that generally don’t access sensitive systems.

Iran — Iranian threat actors tend to be opportunistic and politically reactive, relying heavily on broad phishing campaigns. Organizations should monitor for spikes in failed logins, newly created email forwarding rules, and look-alike phishing domains. Iran also frequently conducts website defacements, so signs such as unexpected CMS admin logins, unauthorized web content changes, or DNS tampering are essential to hunt for. While generally less sophisticated than Russia or China, they can still deploy destructive malware, meaning defenders should watch for scripts or tools that mass-delete or encrypt files, suspicious scheduled tasks, and activity involving commodity RATs or .NET tools.

North Korea — North Korea’s cyber operations are primarily financially motivated, with a strong focus on cryptocurrency theft. Threat hunters should monitor for unauthorized access to wallet systems, unusual outbound connections to cryptocurrency platforms, or abnormal API calls associated with blockchain activity. They also excel at social engineering, especially targeting finance, HR, and engineering staff by posing as recruiters or job candidates. Indicators include suspicious attachments, communication from personal email accounts, or new “contractor” accounts accessing code or financial systems. Once inside a network, their activity is typically driven by exfiltration, so large or stealthy data transfers, especially to cloud storage or foreign VPNs, are significant warning signs.

Reprioritize assets exposed to geopolitical pressure.

Identify systems and identities that become high-value targets during periods of geopolitical tension, especially those associated with sensitive regions or government-linked operations. Immediately harden them with faster patching, tighter segmentation, stricter east–west controls, and increased telemetry to concentrate defenses where state-aligned actors are most likely to strike.

Reduce external exposure on high-value frontiers.

Reduce the attack surface by removing access paths favored by advanced adversaries. Disable legacy VPNs, retire unmonitored jump servers, tighten SSO/IdP trust paths, and eliminate unnecessary remote-admin or broad cloud access routes. Reducing weak entry points raises the cost of initial access for foreign intelligence units.

Harden response capabilities

Incident response teams must prepare for an increased likelihood of destructive or politically motivated attacks. Organizations should test their data destruction and destructive attack plans, validate their disaster recovery timelines, and ensure the restoration of offline or immutable backups. Management must be kept informed of evolving geopolitical risks, and cross-functional teams, including cybersecurity, legal, communications, and operations, must conduct crisis simulation exercises. Rapid response structures, such as crisis management teams, should be ready to be activated to facilitate fast decision-making under pressure. These measures are intended to help ensure that the organization can respond effectively even in the face of significant stress or disruption.

Building a geopolitical cyber attack surface map

Building a geopolitical map of the attack surface enables organizations to anticipate how political conditions may impact cyber risk. This involves understanding how people, technology, and third-party relationships are geographically distributed, and how those distributions intersect with jurisdictions that may impose legal, operational, or conflict-related risks. A robust map also integrates geopolitical assessments with business impact and criticality, enabling organizations to see where instability or state control could affect privileged access, essential services, or sensitive data.

The following steps describe how to perform an attack surface mapping based on geopolitical events. These steps are not derived from any single framework or source; they are a practical blend of best practices for mapping infrastructure, assessing geopolitical exposure, identifying weak points, and prioritizing remediation.

Map Internal Workforce: Create an authoritative inventory of the physical locations of all employees with technical or elevated privileges. Include full-time staff, contractors, and outsourced teams. Use HR, IAM, and staffing records to ensure accuracy and maintain updates as personnel relocate or roles change.
Map Infrastructure: Create a comprehensive list of regions that host your cloud services, data centers, disaster recovery sites, and replication routes. Document which workloads reside where, how traffic moves between regions, and what operational responsibilities each location carries. Capture both primary and failover arrangements.

Map Vendor & Subcontractor: This step requires suppliers to disclose the actual countries where engineering, customer support, managed services, and subcontracted tasks are performed. Validate this information through audits, questionnaires, or contractual obligations. Record each operational footprint, not just corporate registration locations.

Geopolitical Risk Scores: Apply a standardized scoring model to each region (e.g., Matteo Iacoviello Geopolitical Risk (GPR) index, BlackRock Geopolitical Risk Indicator (BGRI), or Bloomberg’s geopolitical risk scores). Inputs may include government stability indicators, international sanctions status, regulatory pressures, history of state intervention, and exposure to espionage or cyber operations. Use a consistent scoring range.

Overlay Business Criticality: Cross-reference each region’s risk score with the operational value of what that region supports. Identify where highly sensitive systems, privileged roles, or essential processes are located in areas with higher risk. Highlight areas where disruption would impact business continuity or security posture.

Identify Regional Strategic Points: Look for dependencies where a single region hosts an excessive number of critical people, systems, or vendors. This includes cloud regions serving multiple core workloads, a subcontractor with a heavily centralized team, or a country where several key staff reside. Flag these for targeted risk discussions.

Prioritize Remediation Measures: Develop a ranked set of actions based on the combined geopolitical and business impact. Potential responses include redistributing workloads across safer regions, shifting privileged roles, tightening access controls, enhancing monitoring for at-risk locations, or preparing contingency plans for rapid relocation or provider transition.

Conclusion

Geopolitics is now a key driver of cyber risk, redefining attacker profiles, motivations, and the organizations targeted and/or affected by collateral damage. Many vulnerabilities in modern businesses stem not from technical misconfigurations, but from the geopolitical interconnectedness of global supply chains, cloud architectures, distributed teams, and open-source ecosystems.

Traditional cybersecurity controls remain essential, but are insufficient on their own as they fail to account for laws, political incentives, national strategies, and human vulnerabilities influenced by the world's most active cyber powers. To manage this reality, organizations must integrate geopolitical analysis into every layer of their security decision-making process, consider geography as a key security variable, and develop the agility to proactively adapt their posture to the evolving global context.

Patch Tuesday - December 2025

Rapid7 Blog