Kali Linux A.I CyberSecurity Scoring
Kali Linux
Company Information
Website: http://www.kali.org
Number of employees: 341
Number of followers: 0
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: kali.org
Kali Linux Risk Score (AI oriented)
Industry: IT Services and IT Consulting
Score: 825/1000 (band: between 800 and 849)
Rating: Good
Grade: A
Updated: 14/04/2026
Kali Linux Global Score (TPRM)
Industry: IT Services and IT Consulting
Score locked

Current Score: 825, A (GOOD), on a scale of 0 to 1000
2 incidents
-2 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 826
MAY 2026: 825
APRIL 2026: 825
MARCH 2026: 827
Vulnerability
02 Mar 2026 • Kali Linux
Kali Forms: Hackers Exploit Kali Forms Vulnerability to Take Over WordPress Sites
825
CRITICAL-2
KAL1776155151
Critical Kali Forms WordPress Plugin Vulnerability Exploited in the Wild
A severe Remote Code Execution (RCE) vulnerability in Kali Forms, a popular WordPress plugin with over 10,000 active installations, has been actively exploited following its public disclosure. The flaw, which affects versions up to and including 2.4.9, allows unauthenticated attackers to execute arbitrary code on vulnerable websites, potentially leading to full site takeover.
### Timeline of the Vulnerability
- March 2, 2026: The RCE flaw was reported via a bug bounty program.
- March 5, 2026: Wordfence Premium, Care, and Response users received firewall protection.
- March 20, 2026: The vendor released Kali Forms 2.4.10, patching the issue. Exploitation began the same day.
- April 4, 2026: Free Wordfence users gained firewall protection.
- April 4–10, 2026: Peak exploitation activity was observed.
### Technical Root Cause
The vulnerability stems from improper input validation in the plugin’s `prepare_post_data()` function, which processes user-supplied form data. Attackers can manipulate placeholders (e.g., `{entryCounter}`) to inject malicious PHP function names, which are then executed via `call_user_func()`. A common attack vector involves forcing `wp_set_auth_cookie()` to bypass authentication and gain admin access.
### Active Exploitation & Attack Patterns
Security monitoring detected over 312,200 exploit attempts targeting the flaw, with attacks peaking between April 4 and April 10, 2026. Attackers sent automated requests to `admin-ajax.php`, using manipulated form submissions to trigger RCE. Key attacking IPs included:
- 209.146.60.26 (152,000+ blocked requests)
- 49.156.40.126 (50,000+)
- 124.248.183.139 (26,000+)
### Impact & Mitigation
The vulnerability enables unauthenticated RCE, allowing attackers to compromise websites, steal data, or deploy malware. Users were urged to update to Kali Forms 2.4.10 immediately to mitigate risk. Exploitation remains ongoing, with threat actors continuing to scan for unpatched instances.
FEBRUARY 2026: 827
JANUARY 2026: 826
Vulnerability
26 Jan 2026 • Kali Linux
GNU: Over 800K GNU InetUtils telnetd Instances Exposed to RCE Attacks as PoC Released
827
CRITICAL-1
GNU1769439621
Critical RCE Vulnerability in GNU InetUtils telnetd Exposes 800,000 Systems
A severe remote code execution (RCE) vulnerability, CVE-2026-24061, has been identified in the GNU InetUtils telnetd component, affecting approximately 800,000 exposed instances worldwide. The flaw, rated Critical (CVSS 9.8), allows unauthenticated attackers to execute arbitrary commands with root privileges on vulnerable systems.
The vulnerability stems from inadequate input validation in the telnetd service, enabling threat actors to craft malicious payloads that compromise systems. Proof-of-concept exploits have already been demonstrated, increasing the risk of widespread attacks. Since telnetd often runs with elevated privileges on legacy systems, successful exploitation grants full control over affected infrastructure.
Data from the Shadowserver Foundation’s Accessible Telnet Report reveals that exposed instances span multiple geographies and networks, with many systems running unpatched versions for extended periods. While safe vulnerability-specific scanning remains unavailable, organizations can use Shadowserver’s report to identify at-risk systems by cross-referencing their infrastructure against publicly accessible telnet services.
Immediate remediation steps include disabling telnetd on public-facing systems, implementing network segmentation, and upgrading to patched versions of GNU InetUtils. For systems where telnetd cannot be removed, restricting access via firewall rules and monitoring for exploitation attempts is recommended. The combination of widespread exposure, exploit availability, and delayed patching makes this a high-priority threat for affected organizations.
DECEMBER 2025: 826
NOVEMBER 2025: 826
OCTOBER 2025: 826
SEPTEMBER 2025: 826
AUGUST 2025: 826
JULY 2025: 826