On February 6, 2026, BeyondTrust released security advisory BT26-02, disclosing a critical pre-authentication Remote Code Execution (RCE) vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Assigned CVE-2026-1731 and a near-maximum CVSSv4 score of 9.9, the flaw allows unauthenticated, remote attackers to execute arbitrary operating system commands in the context of the site user by sending specially crafted requests. The vulnerability affects Remote Support (RS) versions 25.3.1 and prior, as well as Privileged Remote Access (PRA) versions 24.3.4 and prior.
While BeyondTrust automatically patched SaaS instances on February 2, 2026, self-hosted customers remain at risk until manual updates are applied. The issue was discovered by researchers at Hacktron AI using AI-enabled variant analysis; they identified approximately 8,500 on-premises instances exposed to the internet that could be susceptible to this straightforward exploitation vector.
While BeyondTrust has not reported active exploitation of CVE-2026-1731 in the wild, the platform’s immense footprint makes it a high-priority target for sophisticated adversaries. BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of the Fortune 100. This ubiquity has attracted state-sponsored actors in the past; notably, the Chinese hacking group "Silk Typhoon" weaponized previous zero-day flaws (CVE-2024-12356 and CVE-2024-12686) to breach the U.S. Treasury Department and access sensitive data related to sanctions, triggering emergency directives from CISA. Rapid7 research later revealed that the exploitation of CVE-2024-12356 actually required chaining it with a critical, then-unknown SQL injection vulnerability in an underlying PostgreSQL tool (CVE-2025-1094). Given this history of targeted attacks against such a widely used platform, these tools remain a critical attack vector that demands immediate defensive action.
Mitigation guidance
A vendor-provided patch is available to remediate CVE-2026-1731 in on-premise deployments.
BeyondTrust Remote Support (RS):
Versions 25.3.1 and prior are affected by CVE-2026-1731.
CVE-2026-1731 is fixed in 25.3.2 and later.
BeyondTrust Privileged Remote Access (PRA):
Versions 24.3.4 and prior are affected by CVE-2026-1731.
CVE-2026-1731 is fixed in 25.1.1 and later.
Please read the vendor advisory for the latest guidance.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-1731 on Remote Support and Privileged Remote Access using authenticated checks available in the Feb 9 content release.
Updates
February 11, 2026: Updated Rapid7 customers section to confirm checks were available on February 9.
When Rapid7 published its analysis of the Chrysalis backdoor linked to a compromise of Notepad++ update infrastructure, it raised understandable questions from customers and security teams. The investigation showed that attackers did not exploit a flaw in the application itself. Instead, they compromised the hosting infrastructure used to deliver updates, allowing a highly targeted group to selectively distribute a previously undocumented backdoor associated with the Lotus Blossom APT.
Subsequent reporting from outlets including BleepingComputer, The Register, SecurityWeek, and The Hacker News has helped clarify the scope of the incident. What’s clear is that this was a supply chain attack against distribution infrastructure, not source code. The attackers maintained access for months, redirected update traffic selectively, and limited delivery of the Chrysalis payload to specific targets, helping them stay hidden and focused on espionage rather than mass compromise.
What does the Notepad++ incident mean?
This incident highlights how modern supply chain attacks have evolved. Rather than targeting application code, attackers abused shared hosting infrastructure and weaknesses in update verification to quietly deliver malware. The broader takeaway is that supply chain risk now extends well beyond build systems and repositories. Update mechanisms, hosting providers, and distribution paths have become attractive targets, especially when they sit outside an organization’s direct control.
Was Notepad++ itself compromised?
Based on public statements from the Notepad++ maintainer and independent reporting, there is no evidence that the application’s source code or core development process was compromised. The risk stemmed from the update delivery infrastructure, reinforcing that even trusted software can become a delivery mechanism when upstream systems are abused.
Who was behind the Chrysalis backdoor & Notepad++ attack?
Rapid7 was the first to publish attribution linking this activity to Lotus Blossom, a Chinese state-aligned advanced persistent threat (APT) group. Based on our analysis, we assess with moderate confidence that this group is responsible for the Notepad++ infrastructure compromise and the deployment of the Chrysalis backdoor.
Lotus Blossom has been active since at least 2009 and is known for long-running espionage campaigns targeting government, telecommunications, aviation, critical infrastructure, and media organiations, primarily across Southeast Asia, and more recently, Latin America.
The tactics, tooling, and infrastructure used in this campaign - including the abuse of update infrastructure, the use of selective targeting, and the deployment of custom malware, are consistent with the group’s historical tradecraft. As with any attribution, this conclusion is based on observed behaviors and intelligence correlations, not a single, definitive indicator.
What should organizations do right now?
Based on what we know today, there are several immediate actions organizations should take:
Check and update Notepad++ installations. Ensure any instances are running the latest version, which includes improved certificate and signature verification.
Review historical telemetry. Even though attacker infrastructure has been taken down, organizations should scan logs and environments going back to October 2025 for indicators of compromise associated with this campaign.
Hunt, don’t just scan. This activity was selective and low‑volume. Absence of alerts does not guarantee absence of compromise.
Use available intelligence. Rapid7 Intelligence Hub customers have access to the Chrysalis campaign intelligence, along with follow‑up indicators provided by partners such as Kaspersky, to support targeted hunting across endpoints and network telemetry.
Why does this matter beyond Notepad++?
This incident is a case study in how trust is exploited in modern environments. The attackers didn’t rely on zero days or noisy malware. They abused update workflows, hosting relationships, and assumptions about trusted software. That same approach applies across countless tools and platforms used daily inside enterprise environments.
It also reinforces a broader trend we’ve seen over the last year: attackers are patient, selective, and focused on long‑term access rather than immediate impact. That has implications for detection strategies, incident response planning, and supply chain risk management.
What does this mean for software supply chain security?
For defenders, this incident reinforces several lessons:
Supply chain security must include distribution and hosting infrastructure, not just source code.
Update mechanisms should enforce strong signature and metadata validation by default.
Shared hosting environments represent an often overlooked risk, especially for widely deployed tools.
Trust in software must be continuously validated, not assumed.
The Chrysalis incident is not just about a single tool or a single campaign. It reflects a broader shift in how advanced threat actors think about access, persistence, and trust. Software supply chains are no longer just a development concern. They are an operational and security concern that extends into hosting providers, update mechanisms, and the assumptions organizations make about what is “safe.”
As attackers continue to favor selective targeting and long‑term access over noisy, large‑scale compromise, defenders need to adapt accordingly. That means moving beyond basic scanning, validating trust continuously, and treating update and distribution infrastructure as part of the attack surface.
Learn more: Watch the full Chrysalis debrief webinar
If you’d like to hear directly from the researchers behind this discovery, watch the full Chrysalis: Inside the Supply Chain Compromise of Notepad++ webinar, now available on BrightTALK. In this detailed session, Christian Beek (Senior Director, Threat Analytics) and Steve Edwards (Director, Threat Intel & Detection Engineering) walk through the full attack chain, from initial compromise to malware behavior, attribution to Lotus Blossom, and what organizations can do right now to assess exposure and strengthen supply chain security. [Watch Now]
On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild has already occurred prior to disclosure. This has been echoed by CISA who added CVE-2026-1281 to their Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (Due Feb 1, 2026) for organizations, such as federal agencies, to remediate the vulnerabilities before the affected devices must be removed from a network.
While CVE-2026-1281 has been confirmed as exploited in the wild as a zero day, it is unclear if CVE-2026-1340 has also, or if this vulnerability was found separately to CVE-2026-1281. The two critical vulnerabilities are summarized below.
Both CVE-2026-1281 and CVE-2026-1340 are described identically by the vendor; they are code injection issues, allowing a remote unauthenticated attacker to execute arbitrary code on an affected device. Based on the vendor's guidance, the attackers can provide Bash commands as part of a malicious HTTP GET request to the endpoints that service either the “In-House Application Distribution” feature (i.e. /mifs/c/appstore/fob/) or the “Android File Transfer Configuration” feature (i.e. /mifs/c/aftstore/fob/), resulting in arbitrary OS command execution on the target.
As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant. An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information. This is in addition to the privileged position an attacker will have on the EPMM device itself, which may allow for lateral movement within the compromised network. Given the nature of the product, EPMM is a high-profile target. It has been repeatedly targeted by zero-day vulnerabilities in the past. In 2023 the product was exploited in the wild via CVE-2023-35078, and again in 2025 via an exploit chain of CVE-2025-4427 and CVE-2025-4428. As of January 30, 2026, a public working proof-of-concept exploit for remote code execution is available. Organizations running EPMM are urged to act quickly and follow the vendor guidance to remediate these issues.
Threat hunting
The following vendor supplied regular expression can be used to search the HTTP daemon’s log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:⠀
A vendor supplied update is available to remediate both vulnerabilities.
The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.0.x patch:
Versions 12.7.0.0 and below
Versions 12.6.0.0 and below
Versions 12.5.0.0 and below
The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.1.x patch:
Versions 12.6.1.0 and below
Versions 12.5.1.0 and below
Customers are advised to update to the latest remediated version of EPMM, on an emergency basis outside of normal patching cycles, as exploitation in-the-wild is already occurring.
For the latest mitigation guidance for Ivanti EPMM, please refer to the vendor’s security advisory. In addition to remediation, the vendor has provided additional threat hunting guidance.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-1281 and CVE-2026-1340 with authenticated vulnerability checks expected to be available in today's (Jan 30) content release. Note that the "Potential" category must be enabled in the scan template to run the checks.
Updates
January 30, 2026: Added reference to the watchTowr technical analysis and proof-of-concept exploit.
On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication.
As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers.
Update #1: On February 3, 2026, the unsafe deserialization vulnerability, CVE-2025-40551, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.
Update #2: On February 12, 2026, the access control bypass vulnerability, CVE-2025-40536, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.
Technical overview
Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution. RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.
The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses that allow a remote unauthenticated attacker to execute actions or methods on a target system which are intended to be gated by authentication. Based upon the vendor supplied CVSS scores for these two authentication bypass vulnerabilities, the impact is equivalent to the two RCE deserialization vulnerabilities, likely meaning they can also be leveraged for RCE.
In addition to the four critical vulnerabilities, two high severity vulnerabilities were also disclosed. CVE-2025-40536 is an access control bypass vulnerability, allowing an attacker to access functionality on the target system that is intended to be restricted to authenticated users. Separately, CVE-2025-40537 may, under certain conditions, allow access to some administrative functionality on the target system due to the existence of hardcoded credentials.
SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below.
Customers are advised to update to the latest Web Help Desk version, 2026.1, on an urgent basis outside of normal patching cycles.
For the latest mitigation guidance for SolarWinds Web Help Desk, please refer to the vendor’s security advisory.
Rapid7 customers
Exposure Command, InsightVM and Nexpose customers can assess their exposure to CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 CVE-2025-40554 with remote vulnerability checks available in the Jan 28 content release.
Updates
January 28, 2026: Added reference to the Horizon3.ai technical analysis.
January 29, 2026: Updated coverage information
February 3, 2026: Updated Overview to add a reference to CVE-2025-40551 being added to the CISA KEV list.
February 13, 2026: Updated Overview to add a reference to CVE-2025-40536 being added to the CISA KEV list.
On November 18, 2025, a patched release was published for a critical unauthenticated file read vulnerability in n8n, a popular piece of automation software. The advisory for this vulnerability, CVE-2026-21858, was subsequently published on January 7, 2026; the vulnerability holds a CVSS score of 10.0. If a server has a custom configured web form that implements file uploads with no validation of content type, an attacker can overwrite an internal JSON object to read arbitrary files and, in some cases, establish remote code execution. This vulnerability has been dubbed “Ni8mare” by the finders.
The finders, Cyera, published a technical blog post about the vulnerability on January 7, 2026, and a separate technical analysis and proof-of-concept (PoC) exploit were published by third-party security researcher Valentin Lobstein the same day. The Cyera writeup demonstrates CVE-2026-21858, while the third-party exploit also leverages CVE-2025-68613, an authenticated expression language injection vulnerability in n8n, for remote code execution. Additional authenticated vulnerabilities, tracked as CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, and CVE-2026-21877 can be chained with the unauthenticated vulnerability CVE-2026-21858 for code execution or arbitrary file write on specific affected versions of n8n.
In total there are five CVEs that n8n users should be aware of:
Certain form-based workflows are vulnerable to improper file handling that can result in arbitrary file read. When exploited, attackers can establish administrator-level access to n8n.
A vulnerability in n8n’s expression evaluation system allows authenticated users to execute arbitrary system commands through crafted expressions in workflow parameters.
A sandbox bypass vulnerability exists in the n8n Python Code node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n in the context of the service user.
In self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This permits reading and writing files on the host.
No
Technical overview
CVE-2026-21858: “Unauthenticated File Access via Improper Webhook Request Handling”
This is the primary access vector for the n8n exploit chain and holds a maximum CVSS score of 10.0. It is a critical unauthenticated file read vulnerability that occurs when custom web forms implement file uploads without validating the content type. By exploiting this flaw, an attacker can overwrite an internal JSON object to read arbitrary files from the server. This capability may be leveraged to forge an administrator session token and exploit subsequent authenticated vulnerabilities for code execution.
CVE-2025-68613: “Remote Code Execution via Expression Injection”
This vulnerability is characterized as an authenticated expression language injection flaw. While it requires an established session to exploit, it can be chained with CVE-2026-21858 to achieve remote code execution. It affects n8n versions starting at 0.211.0 and below 1.20.4. Attackers can leverage this flaw by injecting malicious expression language commands once they have gained a foothold as an administrator.
CVE-2025-68668: “Arbitrary Command Execution in Pyodide based Python Code node”
Affecting n8n versions between 1.0.0 and 2.0.0, this is an authenticated vulnerability used for secondary exploitation. Depending on the specific configuration of the affected version, it allows an attacker to execute arbitrary OS commands. Because it requires authentication, it is used on a case-by-case basis after an initial breach has compromised the management interface.
CVE-2025-68697: “Legacy Code node enables file read/write in self-hosted n8n”
CVE-2025-68697 is an authenticated vulnerability that facilitates arbitrary file read/write in the context of the n8n process when exploited. Per the advisory, systems are vulnerable when the Code node runs in legacy (non-task-runner) JavaScript execution mode. CVE-2025-68697 specifically impacts n8n versions ranging from 1.2.1 up to 2.0.0, though n8n version 1.2.1 and higher automatically prevents read/write access to the `.n8n` directory by default. As a result, exploitation of CVE-2025-68697 is likely to require a more bespoke strategy for each specific target, making it a less likely vulnerability to be exploited as a secondary chained bug with CVE-2026-21858.
CVE-2026-21877: “RCE via Arbitrary File Write”
This vulnerability has a CVSS score of 9.9 and affects both self-hosted and cloud versions of n8n. It allows for remote code execution within n8n versions 0.123.0 through 1.121.3. Although it is an authenticated vulnerability, its high severity stems from its ability to grant an attacker full system control once they have bypassed initial authentication using the CVE-2026-21858 file read flaw.
Mitigation guidance
Organizations running self-hosted instances of n8n should prioritize upgrading to a version at or above 1.121.0 immediately to remediate the unauthenticated initial access vulnerability CVE-2026-21858.
According to the vendor, the following versions are affected:
CVE-2026-21858: Versions at or above 1.65.0 and below 1.121.0.
CVE-2025-68613: Versions at or above 0.211.0 and below 1.20.4.
CVE-2025-68668: Versions at or above 1.0.0 and below 2.0.0.
CVE-2025-68697: Versions at or above 1.2.1 and below 2.0.0.
CVE-2026-21877: Versions at or above 0.123.0 and below 1.121.3.
For the latest mitigation guidance, please refer to the vendor’s security advisories.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-21858, CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, CVE-2026-21877 with vulnerability checks available in the January 9th content release.
Updates
January 8, 2026: Initial publication.
January 12, 2026: Updated Rapid7 customers section to confirm checks shipped on January 9, 2026.
On December 19, 2025, MongoDB Inc. disclosed a critical new vulnerability, CVE-2025-14847, which has since been dubbed MongoBleed. This vulnerability is a high-severity unauthenticated memory leak affecting MongoDB, one of the world's most popular document-oriented databases. While initially identified as a data exposure flaw, the severity is underscored by the fact that it allows attackers to bypass authentication entirely to extract sensitive information directly from server memory. On December 26, 2025, public proof-of-concept (PoC) exploit code was published and on December 29th, 2025 exploitation in-the-wild has been confirmed.
While CVE-2025-14847 is rated as a high-severity vulnerability, CVSS 8.7, its impact is critical. Successful exploitation allows a remote, unauthenticated attacker to "bleed" uninitialized heap memory from the database server by manipulating Zlib-compressed network packets. This memory often contains high-value secrets such as cleartext credentials, authentication tokens, and sensitive customer data from other concurrent sessions. Because the vulnerability returns "uninitialized heap memory," an attacker cannot target specific credentials or data records with precision; they must instead rely on repeated exploitation attempts and chance to capture sensitive information.
The vulnerability specifically affects MongoDB servers configured to use the Zlib compression algorithm for network messages, which is a common configuration in many production environments. It affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk.
As of this writing, the public PoC has been successfully verified by Rapid7 Labs. Unlike scenarios where valid exploits are initially scarce, the exploit for MongoBleed is functional and reliable.
Organizations running self-managed MongoDB instances are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles. Given the nature of the leak, simply patching is insufficient; organizations are advised to also rotate all database and application credentials that may have been exposed prior to remediation.
Mitigation guidance
CVE-2025-14847 affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk. Organizations managing their own MongoDB instances should prioritize upgrading to the fixed versions released by the vendor (e.g., 8.0.4, 7.0.16, 6.0.20, etc.) immediately. This is the only complete remediation for the vulnerability.
If an immediate upgrade is not feasible, or if the organization is running an End-of-Life (EOL) version that will not receive a patch, the risk can be effectively mitigated by disabling the Zlib network compressor in the server configuration. This prevents the specific memory allocation path used by the exploit.
In addition, because CVE-2025-14847 allows for the exfiltration of credentials and session tokens from server memory, patching alone is insufficient to ensure security. Administrators should assume that any secrets residing in the database memory prior to patching may have been compromised; therefore, all database passwords, API keys, and application secrets should be rotated immediately after the vulnerability is remediated.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-14847 with a vulnerability check expected to be available in today's (Dec 29) content release.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-14847, including a Suricata rule.
Rapid7 observations
Rapid7 Labs has become aware of a new exploitation tool that streamlines the extraction of sensitive data from vulnerable MongoDB instances. This utility introduces a graphical user interface that allows an attacker to either batch-dump 10MB of memory or monitor the extraction process via a live visual feed. Rapid7 Labs has confirmed the tool operates as described, as demonstrated in the video below.
Click to view in new tab
Detection and Hunting
Velociraptor
Velociraptor published a Linux.Detection.CVE202514847.MongoBleed hunting artifact written by Eric Capuano designed to detect indicators related to CVE-2025-14847 memory leakage activity. This artifact enables defenders to proactively identify suspicious network or process behaviors consistent with mangled Zlib protocol abuse.
Updates
December 29, 2025: Initial publication
December 29, 2025: "Rapid7 Observations" section added with video
December 29, 2025: Added exploitation confirmation
Login
