Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV
Multiple critical, unauthenticated remote code execution and authentication-bypass vulnerabilities in widely deployed enterprise products were reported as actively exploited and, in several cases, added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. SmarterTools SmarterMail is being targeted in ransomware activity via CVE-2026-24423, an unauthenticated RCE caused by missing authentication on the ConnectToHub API (/api/v1/settings/sysadmin/connect-to-hub), where an attacker-controlled server can return JSON containing a CommandMount value that drives arbitrary command execution; the issue affects versions prior to v100.0.9511. Separately, SolarWinds Web Help Desk is affected by CVE-2025-40551 (CVSS 9.8), a deserialization of untrusted data flaw in the AjaxProxy component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies.
In parallel, Fortinet environments using FortiCloud SSO face authentication-bypass risk from CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, which can allow an attacker with a FortiCloud account to log into organizations’ FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb if SSO is enabled; Kaspersky published SIEM correlation rules to detect related suspicious logins and admin actions. Samsung MagicInfo 9 Server (digital signage management) was also reported with a trio of severe flaws affecting versions prior to 21.1090.1, including CVE-2026-25202 (hardcoded credentials, CVSS 9.8) and CVE-2026-25201 (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.
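The SmarterMail issue above is described as missing authentication on the ConnectToHub endpoint, so the most direct detection signal a defender has is web-server log evidence of that path being called from outside the management network. The script below is an added example, not code from the story or from SmarterTools: it parses constructed access-log lines in NCSA combined format (the real IIS/SmarterMail log layout is an assumption and may need a different regex), matches the `/api/v1/settings/sysadmin/connect-to-hub` path case-insensitively, and separates hits from trusted management ranges (assumed to be RFC 1918 space here) from external ones.

```python
"""Added example: flag requests to the SmarterMail ConnectToHub endpoint
(CVE-2026-24423) in web access logs. Log lines are constructed; the
combined-log layout and the trusted ranges are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

CONNECT_TO_HUB = "/api/v1/settings/sysadmin/connect-to-hub"

# Constructed sample log lines (NCSA combined log format).
SAMPLE_LOG = """\
203.0.113.45 - - [05/Feb/2026:10:01:22 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.20.0.7 - admin [05/Feb/2026:10:02:05 +0000] "POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Feb/2026:10:03:40 +0000] "GET /interface/root HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [05/Feb/2026:10:04:10 +0000] "POST /API/v1/Settings/SysAdmin/Connect-To-Hub?x=1 HTTP/1.1" 200 312 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed trusted management ranges; adjust to the real environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Hit:
    ip: str
    user: str
    ts: str
    method: str
    status: int
    external: bool


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip: str) -> bool:
    """True when the source address is outside every trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def find_connect_to_hub_hits(log_text: str) -> list:
    """All requests whose path is the ConnectToHub endpoint, any source."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise case and drop any query string before comparing.
        path = rec["path"].split("?", 1)[0].lower()
        if path != CONNECT_TO_HUB:
            continue
        hits.append(Hit(rec["ip"], rec["user"], rec["ts"], rec["method"],
                        int(rec["status"]), is_external(rec["ip"])))
    return hits


def external_hits(log_text: str) -> list:
    """Only the hits from outside the trusted ranges: the review queue."""
    return [h for h in find_connect_to_hub_hits(log_text) if h.external]


if __name__ == "__main__":
    for h in external_hits(SAMPLE_LOG):
        print(f"REVIEW {h.ts} {h.ip} {h.method} status={h.status} user={h.user}")
```

Because the vulnerable builds do not authenticate the endpoint, a successful status from an external source is the interesting case even when the user field is empty; internal administrative calls are expected and are kept in the full hit list for context rather than alerted on.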
Timeline
Feb 6, 2026
CISA warns SmarterMail flaw is exploited in ransomware attacks
CISA warned that ransomware actors are actively exploiting CVE-2026-24423 in SmarterMail and added the flaw to the KEV catalog. The agency ordered federal agencies to patch, mitigate, or discontinue use of affected systems by February 26, 2026.
Feb 5, 2026
Kaspersky publishes SIEM rules for FortiCloud SSO exploitation detection
Kaspersky released a downloadable SIEM correlation-rule package to help detect abuse of FortiCloud SSO authentication-bypass vulnerabilities affecting multiple Fortinet products. The guidance recommended threat hunting back to December 2025 and tuning detections for suspicious admin actions and post-login behavior.
Feb 5, 2026
Samsung releases MagicInfo 9 Server update 21.1090.1
Samsung released version 21.1090.1, which fixes three high-severity MagicInfo 9 Server vulnerabilities affecting all prior versions. The flaws included hardcoded database credentials, unauthenticated file upload leading to RCE, and unauthenticated HTML upload leading to stored XSS and possible admin takeover.
Feb 3, 2026
CISA adds SolarWinds WHD flaw to KEV catalog
CISA added CVE-2025-40551, a critical SolarWinds Web Help Desk remote code execution vulnerability, to its Known Exploited Vulnerabilities catalog, citing active exploitation in the wild. The agency also set a remediation deadline for U.S. federal civilian agencies.
Jan 30, 2026
SmarterTools releases SmarterMail Build 9526 with additional critical fixes
After addressing CVE-2026-24423, SmarterTools released SmarterMail Build 9526 with fixes for additional critical issues. The update followed reports of exploitation of a separate authentication bypass issue that could reset the administrator password without verification.
Jan 28, 2026
SolarWinds releases Web Help Desk fix for CVE-2025-40551
SolarWinds released Web Help Desk version 2026.1 to address CVE-2025-40551, a critical unauthenticated deserialization flaw in the AjaxProxy component. The bug could allow remote code execution and full control of affected servers.
Jan 15, 2026
SmarterTools patches SmarterMail RCE flaw in Build 9511
SmarterTools fixed CVE-2026-24423, a critical unauthenticated remote code execution flaw in SmarterMail, in Build 9511. The vulnerability allowed command execution through the ConnectToHub API by redirecting the instance to a malicious HTTP server.
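The timeline gives a fixed version for each product and, for SmarterMail, the KEV remediation deadline. The script below is an added example, not code from the story or any of the vendors: it compares a constructed asset inventory against the fixed versions quoted in the story and reports what is still exposed, ordering findings by known ransomware use and by days remaining to the KEV due date. The fixed-version strings and the February 26, 2026 deadline come from the story; the SolarWinds deadline is not stated on the page and is left as `None`; the inventory hosts and versions are constructed.

```python
"""Added example: exposure report for the fixed versions named in the
story's timeline. Inventory is constructed; version strings are assumed
to be dotted numerics such as '100.0.9511', '2026.1' or '21.1090.1'."""
import re
from datetime import date


def version_key(v: str) -> tuple:
    """'v100.0.9511' -> (100, 0, 9511); '2026.1' -> (2026, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_fixed(installed: str, fixed: str) -> bool:
    """True when installed >= fixed, padding shorter tuples with zeros."""
    a, b = version_key(installed), version_key(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


# Fixed versions as stated in the story. kev_due is only known for the
# SmarterMail entry; the page does not give the SolarWinds deadline and
# does not report KEV inclusion for the MagicInfo flaws.
ADVISORIES = {
    "CVE-2026-24423": {"product": "SmarterMail", "fixed": "100.0.9511",
                       "kev_due": date(2026, 2, 26), "ransomware": True},
    "CVE-2025-40551": {"product": "SolarWinds Web Help Desk", "fixed": "2026.1",
                       "kev_due": None, "ransomware": False},
    "CVE-2026-25202": {"product": "Samsung MagicInfo 9 Server", "fixed": "21.1090.1",
                       "kev_due": None, "ransomware": False},
    "CVE-2026-25201": {"product": "Samsung MagicInfo 9 Server", "fixed": "21.1090.1",
                       "kev_due": None, "ransomware": False},
}

# Constructed inventory.
INVENTORY = [
    {"host": "mail01.example.internal", "product": "SmarterMail", "version": "100.0.9480"},
    {"host": "mail02.example.internal", "product": "SmarterMail", "version": "100.0.9526"},
    {"host": "helpdesk.example.internal", "product": "SolarWinds Web Help Desk", "version": "2025.4.1"},
    {"host": "signage.example.internal", "product": "Samsung MagicInfo 9 Server", "version": "21.1090.1"},
]


def exposure_report(inventory, advisories, today: date) -> list:
    """One finding per (asset, CVE) pair whose installed build is below the fix."""
    findings = []
    for asset in inventory:
        for cve, adv in advisories.items():
            if adv["product"] != asset["product"]:
                continue
            if is_fixed(asset["version"], adv["fixed"]):
                continue
            days_left = (adv["kev_due"] - today).days if adv["kev_due"] else None
            findings.append({
                "host": asset["host"], "cve": cve,
                "installed": asset["version"], "fixed": adv["fixed"],
                "kev_due": adv["kev_due"], "days_until_kev_due": days_left,
                "ransomware_use": adv["ransomware"],
            })
    # Known ransomware use first, then nearest KEV deadline; undated last.
    findings.sort(key=lambda f: (not f["ransomware_use"],
                                 f["days_until_kev_due"] if f["days_until_kev_due"] is not None else 10**6))
    return findings


if __name__ == "__main__":
    for f in exposure_report(INVENTORY, ADVISORIES, date.today()):
        print(f"{f['host']}: {f['cve']} installed={f['installed']} fixed={f['fixed']} "
              f"kev_due={f['kev_due']} ransomware={f['ransomware_use']}")
```

The zero-padding in `is_fixed` matters for entries like `2026.1` against an installed `2026.1.0`; without it a tuple comparison would treat the longer string as newer.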
Related Stories

Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
1 month ago
CISA Expands KEV Catalog With Actively Exploited Enterprise Software Flaws
CISA added 14 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog across two updates, citing evidence of active exploitation against widely used enterprise products from Fortinet, Microsoft, Adobe, Cisco, JetBrains, PaperCut, Kentico, Quest, and Zimbra. The newly listed flaws include issues in FortiClient EMS, Adobe Acrobat Reader, Microsoft Windows Common Log File System Driver, Microsoft Exchange Server, Host Process for Windows Tasks, Microsoft Visual Basic for Applications, JetBrains TeamCity, PaperCut NG/MF, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager, including privilege escalation, credential exposure, sensitive information disclosure, and cross-site scripting weaknesses. Reporting tied several of the vulnerabilities to real-world intrusion activity and ransomware operations. Microsoft said threat actor **Storm-1175** used `CVE-2023-21529` to deliver **Medusa ransomware**, while `CVE-2023-27351` has been linked to **Lace Tempest** deployments of **Cl0p** and **LockBit**. Defused Cyber also reported exploitation attempts against `CVE-2026-21643`, and CISA said federal civilian agencies must remediate the newly added flaws on deadlines running from late April into May 2026 under Binding Operational Directive requirements, while private-sector defenders were urged to prioritize the KEV entries for patching and exposure reduction.
4 days ago
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.
1 month ago