<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Beazley Security Labs Advisories</title>
  <link href="https://labs.beazley.security/advisories" rel="alternate"/>
  <id>https://labs.beazley.security/advisories</id>
  <updated>Mon, 09 Mar 2026 23:00:00 GMT</updated>

  <entry><title>Known Abuse of Ivanti EPM Authentication Bypass (CVE-2026-1603)</title><link href="https://labs.beazley.security/advisories/BSL-A1158" rel="alternate"/><updated>2026-03-09T23:00:00.000Z</updated><published>2026-03-09T23:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1158</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>On Feb 10th, Ivanti published CVE-2026-1603 to NIST, <a href="https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US">disclosing an authentication bypass</a> in Ivanti Endpoint Manager that allowed a &quot;remote unauthenticated attacker to leak specific stored credential data&quot;. Three days later, WatchTowr Labs <a href="https://x.com/watchtowrcyber/status/2022305033086235108">discovered and disclosed</a> a hard-coded <code>logintype</code> key that, if exploited, bypassed authentication mechanisms and gave an attacker privileged access on an affected device. On March 9th, the flaw was confirmed as actively exploited in the wild when the CVE was added to CISA’s Known Exploited Vulnerabilities Catalog (KEV).</p><p>
Authenticating with this <code>logintype</code> allows subsequent compromise of user sessions and access to arbitrary data on the Endpoint Manager host. Subsequently, Ivanti updated their Security Advisory to claim the vulnerability required an “authenticated user” to bypass authorization.</p><p>
Given confirmed active exploitation and public disclosure, Beazley Security believes that additional threat actors will continue to leverage this flaw to gain unauthorized access to unpatched Ivanti systems. Organizations operating Ivanti Endpoint Manager systems should review those systems for signs of compromise and patch immediately.
</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p><b>Product</b></p></th><th><p><b>Affected Versions</b></p></th><th><p><b>Fixed Versions</b></p></th><th><p><b>Availability</b></p></th></tr><tr><td><p>Ivanti Endpoint Manager (EPM)</p></td><td><p>2024 SU4 SR1 and prior</p></td><td><p>2024 SU5</p></td><td><p>Available now</p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Mitigations / Workarounds</h3><p>Affected organizations that are unable to immediately patch should ensure strict network access controls are in place. Any organization with a publicly exposed Ivanti EPM product should immediately rotate passwords and access for all EPM accounts, as well as audit authentication logs for any unexplained access.</p></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>Ivanti has released fixes for all supported versions of Ivanti Endpoint Manager in the Ivanti <a href="https://forums.ivanti.com/s/article/How-to-access-software-downloads-in-the-Ivanti-License-System">License System portal</a>, which requires login.</p></div><div class="rtf"><h3 class="rtf-title">Indicators of Compromise (IoCs)</h3><p>While Ivanti stated it was unaware of customer exploitation prior to public disclosure, CISA confirmed active exploitation of CVE-2026-1603 in the wild as of March 9, 2026, when the vulnerability was added to its KEV catalog.</p><p>Ivanti has not published specific indicators of compromise tied to active exploitation of this vulnerability; however, Beazley Security recommends organizations monitor for the following indicators:</p><ul><li><p>Unusual or unexpected access attempts against Ivanti EPM services</p></li><li><p>Unexpected or anomalous administrative actions within the EPM console, such as unauthorized user creations</p></li><li><p>Unexpected or suspicious outbound connections originating from the EPM server</p></li></ul><p>We believe that, outside of WAF logs that could
identify this specific parameter being passed to an EPM instance, little evidence is available to identify compromises of publicly accessible Ivanti EPM systems running vulnerable software versions.</p></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>WatchTowr disclosed that CVE-2026-1906’s authentication bypass consists of an undocumented <code>logintype</code> parameter with a value of <code>64</code> which, when provided in a <code>POST</code> request to the <code>/RemoteControlAuth/api/Auth</code> endpoint in Ivanti EPM, bypasses regular authentication.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.</p><p>We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.</p><p>If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.</p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US">https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US</a></p></li><li><p><a href="https://www.cve.org/CVERecord?id=CVE-2026-1603">https://www.cve.org/CVERecord?id=CVE-2026-1603</a></p></li><li><p><a href="https://x.com/watchtowrcyber/status/2022305033086235108">https://x.com/watchtowrcyber/status/2022305033086235108</a></p></li><li><p><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">https://www.cisa.gov/known-exploited-vulnerabilities-catalog</a></p></li></ul></div>]]></content><summary type="html">Known Abuse of Ivanti's Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) was reported by CISA's Known Exploited
Vulnerabilities Catalog (KEV).</summary></entry><entry><title>Critical Vulnerabilities in Cisco SD-Wan Systems Under Active Exploitation (CVE-2026-20127, CVE-2026-20128, CVE-2026-20122)</title><link href="https://labs.beazley.security/advisories/BSL-A1157" rel="alternate"/><updated>2026-02-25T23:00:00.000Z</updated><published>2026-02-25T23:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1157</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p><b>03/09/2026 Update</b>: Cisco has issued an update to their initial post identifying several more CVEs that affect Cisco Catalyst SD-WAN and Manager systems (CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133). The CVEs range from medium to critical severity, and Cisco has confirmed that there are no workarounds other than updating any affected products.  Please review the Patching guidance below for actionable information.</p><p>
On February 25<sup>th</sup>, Cisco disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager systems. The flaw allows an unauthenticated attacker with network access to the SD-WAN peering service to bypass authentication and establish unauthorized control-plane connections.</p><p>Successful exploitation enables an attacker to provision a rogue peer into the SD-WAN fabric and may allow the attacker to obtain elevated access to the affected controller. Cisco Talos has <b>confirmed active exploitation</b> of this vulnerability by a sophisticated threat actor, with evidence of malicious activity dating back to 2023. The vulnerability, now tracked as CVE-2026-20127, was confirmed as a zero-day following investigations in late 2025.</p><p>Given confirmed active exploitation and public disclosure, Beazley Security believes that additional threat actors will begin to weaponize this flaw. Organizations operating Cisco Catalyst SD-WAN systems, especially those with externally accessible peering services, should review systems for signs of compromise and patch immediately.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><p><b>03/09/2026 Update</b>: The table has been updated with asterisks identifying changes from the original publication based on additional CVE releases.</p><table><tbody><tr><th><p>Product</p></th><th><p>Affected Versions</p></th><th><p>Fixed Versions</p></th></tr><tr><td><p>Cisco Catalyst SD-WAN Release</p></td><td><p>20.9</p></td><td><p>20.9.8.2</p></td></tr><tr><td><p>*Cisco Catalyst SD-WAN Release</p></td><td><p>20.11</p></td><td><p>20.12.6.1</p></td></tr><tr><td><p>*Cisco Catalyst SD-WAN Release</p></td><td><p>20.12</p></td><td><p>20.12.5.3<br/>20.12.6.1</p></td></tr><tr><td><p>*Cisco Catalyst SD-WAN Release</p></td><td><p>20.13</p></td><td><p>20.15.4.2</p></td></tr><tr><td><p>*Cisco Catalyst SD-WAN Release</p></td><td><p>20.14</p></td><td><p>20.15.4.2</p></td></tr><tr><td><p>Cisco Catalyst SD-WAN Release</p></td><td><p>20.15</p></td><td><p>20.15.4.2</p></td></tr><tr><td><p>*Cisco Catalyst SD-WAN Release</p></td><td><p>20.16</p></td><td><p>20.18.2.1</p></td></tr><tr><td><p>Cisco Catalyst SD-WAN Release</p></td><td><p>20.18</p></td><td><p>20.18.2.1</p></td></tr></tbody></table><p>
According to <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk">Cisco’s official advisory</a>, organizations running versions earlier than 20.9, or
versions 20.11, 20.13, 20.14, and 20.16 (which have reached End of Software Maintenance)
should migrate to a supported fixed release immediately.</p></div><div class="rtf"><h3 class="rtf-title">Mitigations / Workarounds</h3><p>Cisco has released software updates addressing CVE-2026-20127, and applying the vendor-provided patches to affected Cisco SD-WAN Controller and Manager systems is the recommended course of action to reduce risk.</p><p>
Beyond patching, organizations should consider reviewing Cisco’s SD-WAN <a href="https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide">hardening guide</a>, including steps to:</p><ul><li><p>Inventory and audit expected peer networks within SD-WAN infrastructure.</p></li><li><p>Reduce internet exposure by locking SD-WAN controller peering services down to known and authorized peer networks.</p></li><li><p>Restrict access to SD-WAN controller and management planes to a dedicated administrative network.</p></li></ul><p>Affected organizations that are unable to immediately patch should ensure strict network access controls are in place around SD-WAN controllers and related peering services, and check audit logs for any signs of compromise.</p></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p><b>03/09/2026 Update</b>: Cisco has provided an <a href="https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst-sdwan-upgrade-matrix/index.html">upgrade path tool</a> for upgrading Cisco Catalyst SD-WAN instances. The initial links below to the <a href="https://software.cisco.com/download/home">software download center</a> are accurate and provide updated patches.</p><p>At the time of writing, Cisco has released fixes for all supported versions of their Catalyst SD-WAN solution except for 20.9, for which a fix is estimated to be released February 27, 2026. Please see the Affected Systems or Products section above in this report for additional information.</p><p>
Cisco’s original advisory provides this <a href="https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes">guidance document</a> for obtaining software fixes and the
vendor also hosts a <a href="https://software.cisco.com/download/home">software download center</a> requiring login.</p><p>
Alternatively, customers can contact Cisco’s Technical Assistance Center (TAC) to request
additional software upgrade support.</p></div><div class="rtf"><h3 class="rtf-title">Indicators of Compromise (IoCs)</h3><p>A detailed Cisco SD-WAN threat hunting guide has been compiled by multiple agencies
which includes post-exploitation activity and can be found <a href="https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf">here</a>.</p><p>
Cisco Talos has also provided <a href="https://blog.talosintelligence.com/uat-8616-sd-wan/">validation checks</a> that can be performed within SD-WAN logging:</p><ul><li><p>Peer type mismatches for your environment, especially vManage peer types where they are not expected, as shown in the log below:</p></li></ul><p><code>Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:&lt;unexpected IP&gt; public-port:12345 domain-id:1 site-id:1005</code></p><ul><li><p>Peering connections from unexpected or unrecognized IP addresses</p></li><li><p>Peering connections established outside of the expected windows for your environment</p></li><li><p>Logs showing indicators of CVE-2022-20775 exploitation: username path traversal strings (e.g. <code>/../../</code> or <code>/\n&amp;../\n&amp;../</code>).</p></li><li><p>Unexpected reboots, and upgraded systems reverting to previous software versions</p></li><li><p>Evidence of log and history clearing</p></li></ul><p>On March 1st, Cisco published additional <a href="https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/225525-internal-remediate-catalyst-sd-wan.html">remediation and collection guidance</a> to help identify affected and potentially compromised devices.</p></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p><b>03/09/2026 Update</b>: The newly disclosed CVEs are listed below with their associated CVSS scores and details:</p><ul><li><p>CVE-2026-20122 - (7.1):
An API vulnerability in Cisco Catalyst SD-WAN Manager allows authenticated remote attackers with read-only credentials to overwrite arbitrary files on the host system.</p></li><li><p>CVE-2026-20126 - (7.8):
A REST API authentication vulnerability in Cisco Catalyst SD-WAN Manager allows unauthenticated local attackers to gain root privileges on the host system.</p></li><li><p>CVE-2026-20128 - (5.5):
The Cisco SD-WAN Manager's Data Collection Agent (DCA) has a vulnerability that allows an unauthenticated local attacker to obtain user privileges on SD-WAN Manager instances, provided the attacker holds <code>vmanage</code> credentials on the system.</p></li><li><p>CVE-2026-20129 - (9.8):
An API authentication vulnerability in Cisco SD-WAN Manager allows an unauthenticated remote attacker to gain access to the <code>netadmin</code> role.</p></li><li><p>CVE-2026-20133 - (7.5):
The Cisco Catalyst SD-WAN Manager allows an unauthenticated remote attacker to read &quot;sensitive information&quot; on the host system due to insufficient file system access restrictions.</p></li></ul><hr/><p>
CVE-2026-20127 is reported as a critical vulnerability within the peering authentication flow of
Cisco Catalyst SD-WAN components, affecting the control connection peering mechanism that
establishes trust relationships between SD-WAN components.</p><p>
The flaw allows an unauthenticated attacker to establish rogue peer connections originating from attacker-controlled infrastructure. If successfully exploited, the rogue peer is given an IP address within the SD-WAN network, allowing a threat actor access to the SD-WAN management and control plane. With adequate privileges on the SD-WAN controller, an attacker can further leverage NETCONF to manipulate and alter configurations within the SD-WAN network.</p><p>
Cisco Talos has <a href="https://blog.talosintelligence.com/uat-8616-sd-wan/">reported</a> that CVE-2026-20127 was observed being abused in combination with <a href="https://nvd.nist.gov/vuln/detail/cve-2022-20775">CVE-2022-20775</a>, an older local privilege escalation vulnerability affecting Cisco SD-WAN software. The threat actor, tracked as UAT-8616, reportedly performed a software downgrade to a vulnerable version, exploited CVE-2022-20775 via the CLI to obtain root access, and then restored the original software version to persist root access.</p><p>
In response to active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued <a href="https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems">Emergency Directive 26-03</a>, requiring impacted agencies to apply Cisco-provided updates by February 27th, 2026.</p><p>
Beazley Security recommends that affected organizations check for signs of compromise, and
upgrade to fixed versions of SD-WAN Controller or SD-WAN Manager software immediately.</p><p>
This Cisco SD-WAN <a href="https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide">hardening guide</a> can also be referenced for configuring SD-WAN fabrics and implementations according to best practices.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management
Platform to identify impacted devices and support organizations in remediation of any issues
found.</p><p>
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.</p><p>
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.</p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"><u>https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk</u></a></p></li><li><p><a href="https://software.cisco.com/download/home"><u>https://software.cisco.com/download/home</u></a></p></li><li><p><a href="https://nvd.nist.gov/vuln/detail/cve-2022-20775"><u>https://nvd.nist.gov/vuln/detail/cve-2022-20775</u></a></p></li><li><p><a href="https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf"><u>https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf</u></a></p></li><li><p><a href="https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide"><u>https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide</u></a></p></li><li><p><a href="https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems"><u>https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems</u></a></p></li><li><p><a href="https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/225525-internal-remediate-catalyst-sd-wan.html">https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/225525-internal-remediate-catalyst-sd-wan.html</a></p></li><li><p><a href="https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst-sdwan-upgrade-matrix/index.html">https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst-sdwan-upgrade-matrix/index.html</a></p></li></ul></div>]]></content><summary type="html">Updated 03/09/2026 to include additional CVEs disclosed by Cisco affecting the same product line.

On February 25th, Cisco disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager systems. The flaw allows an unauthenticated attacker with network access to the SD-WAN peering service to bypass authentication and establish unauthorized control-plane connections. This vulnerability has been exploited in the wild according to Cisco by a sophisticated threat actor with evidence of exploitation reaching back to 2023.</summary></entry><entry><title>Critical Vulnerabilities in Microsoft Windows and Office Under Active Widespread Exploitation (CVE-2026-21510)</title><link href="https://labs.beazley.security/advisories/BSL-A1156" rel="alternate"/><updated>2026-02-11T08:00:00.000Z</updated><published>2026-02-11T08:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1156</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>Microsoft's February 2026 Patch Tuesday addresses several critical security vulnerabilities, with six zero-day flaws reported as actively exploited in the wild before patches were made available to the public. 
The disclosed vulnerabilities affect built-in Windows components including Windows Shell, MSHTML, Microsoft Word, Windows Notepad, Desktop Window Manager, Remote Desktop Services, and Remote Access Connection Manager.</p><p>These zero-day flaws enable attackers to bypass security features, with the potential to trick users into executing malicious code with minimal user interaction through phishing attacks and other social engineering methods.</p><p>With exploitation campaigns widespread and public proof-of-concept code circulating, Beazley Security strongly recommends organizations patch these vulnerabilities immediately.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p><b>Affected Product</b></p></th><th><p><b>MS CVE Advisory</b></p></th><th><p><b>CVSS Score</b></p></th></tr><tr><td><p>Windows Shell</p></td><td><p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21510">CVE-2026-21510</a></p></td><td><p>8.8</p></td></tr><tr><td><p>MSHTML Platform</p></td><td><p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21513">CVE-2026-21513</a></p></td><td><p>8.8</p></td></tr><tr><td><p>Microsoft Word</p></td><td><p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21514">CVE-2026-21514</a></p></td><td><p>7.8</p></td></tr><tr><td><p>Desktop Window Manager</p></td><td><p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21519">CVE-2026-21519</a></p></td><td><p>7.8</p></td></tr><tr><td><p>Remote Desktop Services</p></td><td><p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21533">CVE-2026-21533</a></p></td><td><p>7.8</p></td></tr><tr><td><p>Remote Access Connection Manager</p></td><td><p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21525">CVE-2026-21525</a></p></td><td><p>6.2</p></td></tr></tbody></table><p>*This table does not include all
vulnerabilities from Microsoft’s February Patch Tuesday disclosure but highlights critical flaws either under active or imminent exploitation.</p><p>A comprehensive list of vulnerability disclosures can be found via <a href="https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb">Microsoft’s Security Update Guide</a>.</p></div><div class="rtf"><h3 class="rtf-title">Mitigations / Workarounds</h3><p>Beazley Security strongly recommends applying the February 2026 updates as soon as possible to help protect affected systems. Additionally, the following steps can be taken to help reduce risk:</p><ul><li><p>Restrict user privileges on endpoints to limit the impact of privilege escalation</p></li><li><p>Monitor for suspicious activity across endpoints and ensure endpoint protection defenses are up to date</p></li><li><p>Screen email attachments with secure email gateways and other file-sharing systems for malicious files and links</p></li></ul></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>Affected organizations should accelerate deployment of the February 2026 security updates to their environments, prioritizing CVEs known to be under active exploitation as listed in the “Affected Systems or Products” section above.</p><p>A comprehensive list of fixes can be found by reviewing Microsoft’s Patch Tuesday <a href="https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb">release notes</a>.</p></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>Of the six zero-days reported to be under active exploitation, the three with the highest CVSS scores are:</p><ul><li><p>CVE-2026-21510 (8.8) – Affects the Windows Shell; threat actors who successfully lure targeted users into clicking on a malicious link could bypass Microsoft SmartScreen to install malware</p></li><li><p>CVE-2026-21513 (8.8) – Affects the MSHTML framework; threat actors who successfully lure targeted users into clicking on a malicious HTML or LNK file could bypass Microsoft security
features to install malware</p></li><li><p>CVE-2026-21514 (7.8) – Affects Microsoft 365 and Microsoft Office; threat actors who successfully lure targeted users into opening a malicious Office file could bypass security mitigations to install malware</p></li></ul><p>Of those three, CVE-2026-21510 is reported by Google Threat Intelligence to be “under widespread, active exploitation”. All three require user interaction, and the nature of each vulnerability is a strong indication that the current exploitation waves are phishing or malicious-email campaigns.</p><p>These vulnerabilities are particularly dangerous as they are likely to be weaponized by threat actors to conduct phishing and social engineering attacks. Their “one click” exploitability through malicious links or attachments makes them ideal for large-scale phishing and malware delivery campaigns that target users within enterprise environments.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring and conducting threat hunts across MDR environments to detect potential exploitation attempts against our clients.</p><p>If you believe your organization may have been impacted by these attacks and need support, please <a href="https://beazley.security/report-security-breach">contact our Incident Response team.</a></p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb">Microsoft: February 2026 Security Updates</a></p></li><li><p><a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21510">Microsoft: Windows Shell Security Feature Bypass Vulnerability CVE-2026-21510</a></p></li><li><p><a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21513">Microsoft: MSHTML Framework Security Feature Bypass Vulnerability (CVE-2026-21513)</a></p></li><li><p><a
href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21514">Microsoft: Microsoft Word Security Feature Bypass Vulnerability (CVE-2026-21514)</a></p></li><li><p><a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21519">Microsoft: Desktop Window Manager Elevation of Privilege Vulnerability (CVE-2026-21519)</a></p></li><li><p><a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21533">Microsoft: Windows Remote Desktop Services Elevation of Privilege Vulnerability (CVE-2026-21533)</a></p></li><li><p><a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21525">Microsoft: Windows Remote Access Connection Manager Denial of Service Vulnerability (CVE-2026-21525)</a></p></li><li><p><a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-20841">Microsoft: Windows Notepad App Remote Code Execution Vulnerability (CVE-2026-20841)</a></p></li></ul></div>]]></content><summary type="html">Microsoft's February 2026 Patch Tuesday addresses several critical security vulnerabilities, with six zero-day flaws reported as actively exploited in the wild before patches were made available to the public. 
The disclosed vulnerabilities affect built-in Windows components including Windows Shell, MSHTML, Microsoft Word, Windows Notepad, Desktop Window Manager, Remote Desktop Services, and Remote Access Connection Manager.</summary></entry><entry><title>Critical Vulnerability (CVE-2026-1731) in Beyond Trust Under Active Exploitation</title><link href="https://labs.beazley.security/advisories/BSL-A1154" rel="alternate"/><updated>2026-02-04T08:00:00.000Z</updated><published>2026-02-04T08:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1154</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p><b>Update: 2/13/2026:</b> <b>Active exploitation of this vulnerability has been reported in the wild following public disclosure of proof-of-concept code. Threat actors have been observed deploying remote management tools for persistence after exploitation, and conducting further lateral movement into victim environments.</b></p><p>A critical pre-authentication remote code execution vulnerability within BeyondTrust Remote Support and certain versions of Privileged Remote Access products has <b>now been assigned CVE-2026-1731</b> with a critical CVSS score of 9.9.</p><p>Given the internet-facing nature of these systems, confirmed active exploitation in the wild, and the public availability of proof-of-concept exploit code, Beazley Security strongly recommends that affected organizations running self-hosted versions immediately apply patches to vulnerable systems.</p><p>On February 4, 2025, BeyondTrust reported in their Customer Portal that a critical vulnerability was discovered affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. At the time of writing, there was no CVE assigned and no public information on the vulnerability, but it is being tracked by the vendor as BT26-02.
BeyondTrust published more information for customers in a non-public <a href="https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&amp;sysparm_article=KB0023293">Knowledge Article</a>.
</p><p>The Remote Support and Privileged Remote Access products facilitate remote access to a wide range of endpoint types, and these products are typically deployed internet-facing by design. As such, a breach of these products can give threat actors not only initial access into an organization's network, but immediate control of internal hosts. Given the urgency communicated by the vendor and the high risk of this type of product being compromised, organizations are urged to update their affected systems as soon as possible.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p>Product</p></th><th><p>Affected Version</p></th><th><p>Fixed Version</p></th></tr><tr><td><p>Remote Support (RS)</p></td><td><p>25.3.1 and prior</p></td><td><p>25.3.2</p></td></tr><tr><td><p>Privileged Remote Access (PRA)</p></td><td><p>24.3.4 and prior</p></td><td><p>24.3.5</p></td></tr></tbody></table><p>Note: Customers running SaaS versions of the software were automatically patched February 2, 2026</p></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>For SaaS deployments of Remote Support and Privileged Remote Access, patch BT26-02-RS or BT26-02-PRA has automatically been applied. Customers using hosted or managed versions of these products should already be covered but should also check their servers to verify.</p><p>For on-premises solutions, patches BT26-02-RS and BT26-02-PRA have been released to mitigate this vulnerability. Further details can be found within the <a href="https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&amp;sysparm_article=KB0023293">Knowledge Article Portal.</a></p></div><div class="rtf"><h3 class="rtf-title">Indicators of Compromise (IoCs)</h3><p>Active exploitation of CVE-2026-1731 has been observed in the wild following the availability of proof-of-concept exploit code.
According to <a href="https://arcticwolf.com/resources/blog/update-arctic-wolf-observes-threat-campaign-targeting-beyondtrust-remote-support-following-cve-2026-1731-poc-availability/">Arctic Wolf</a>, threat actors have been observed:</p><ul><li><p>Deploying renamed SimpleHelp remote management tool binaries with names including &quot;remote access.exe&quot; </p></li><li><p>Adding domain accounts via net commands:</p></li></ul><p><code>net user REDACTED_USERNAME REDACTED_PASSWORD /add /domain
net group "enterprise admins" REDACTED_USERNAME /add /domain
net group "domain admins" REDACTED_USERNAME /add /domain</code></p><ul><li><p>Pushing SimpleHelp installations to move laterally across the network with PsExec</p></li></ul></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>CVE-2026-1731 is a command injection flaw within BeyondTrust Remote Support and Privileged Remote Access systems allowing a remote attacker to run commands on the software without requiring any authentication. </p><p>According to an analysis by <a href="https://attackerkb.com/topics/jNMBccstay/cve-2026-1731/rapid7-analysis">Rapid7</a>, the flaw appears to exist in how the application processes requests to its web services, which can be maliciously crafted to embed commands that will be run in the context of the application by attackers. </p><p>Specifically, the analysis calls out a flaw in Bash-based validation checks within thin-scc-wrapper, a script on the server that checks remote software version numbers and is used when communicating to the application. 
A malicious 'version number', or command, can be injected within a crafted WebSocket request, resulting in execution of arbitrary OS commands.</p><p>Given the critical nature of this pre-authentication remote code execution vulnerability, confirmed active exploitation in the wild, and demonstrated proof-of-concept code, self-hosted customers should patch immediately.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.</p><p>We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.</p><p>If you believe your organization may have been impacted by this attack campaign and need support, please <a href="https://beazley.security/report-security-breach">contact our Incident Response team.</a></p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://arcticwolf.com/resources/blog/update-arctic-wolf-observes-threat-campaign-targeting-beyondtrust-remote-support-following-cve-2026-1731-poc-availability/">https://arcticwolf.com/resources/blog/update-arctic-wolf-observes-threat-campaign-targeting-beyondtrust-remote-support-following-cve-2026-1731-poc-availability/</a></p></li><li><p><a href="https://attackerkb.com/topics/jNMBccstay/cve-2026-1731/rapid7-analysis">https://attackerkb.com/topics/jNMBccstay/cve-2026-1731/rapid7-analysis</a></p></li><li><p><a href="https://www.beyondtrust.com/trust-center/security-advisories/bt26-02">https://www.beyondtrust.com/trust-center/security-advisories/bt26-02</a></p></li></ul></div>]]></content><summary type="html">On February 4, 2025, BeyondTrust reported in their Customer Portal that a critical vulnerability was discovered affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. 
CVE-2026-1731 and a CVSS score of 9.9 have now been assigned to this vulnerability, which is under active exploitation. </summary></entry><entry><title>Notepad++ Update Process Hijacked by Sophisticated Adversary</title><link href="https://labs.beazley.security/advisories/BSL-A1155" rel="alternate"/><updated>2026-02-04T08:00:00.000Z</updated><published>2026-02-04T08:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1155</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>On December 9<sup>th</sup>, text editor application Notepad++ reported an incident where some of their software update infrastructure had been hijacked to deliver sophisticated backdoor malware to specific targets. Rapid7 published some <a href="https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/">additional analysis</a> on one of the payloads delivered and attributed the campaign to Chinese state-sponsored APT group Lotus Blossom.</p><p>The attack appears to be highly targeted, as reporting indicates only specific traffic results in malicious packages being delivered. <a href="https://securelist.com/notepad-supply-chain-attack/118708/">Reporting from Kaspersky</a> added that attacker infrastructure was constantly rotated and tailored to attack specific intended targets.</p><p>The incident was a man-in-the-middle attack against the update infrastructure, not against Notepad++ code itself. 
Because the attack compromised the update process, Beazley Security, out of an abundance of caution, recommends affected users delete existing versions of Notepad++ and install fixed versions from scratch as soon as possible.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p>Product</p></th><th><p>Affected Version</p></th><th><p>Fixed Version</p></th></tr><tr><td><p>Notepad++</p></td><td><p>&lt; v.8.8.9</p></td><td><p>>= v8.8.9</p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>Security fixes were made available at the time of reporting and are available via normal update channels. Because the attack compromised the update process, Beazley Security, out of an abundance of caution, recommends users delete current installs of Notepad++ and install patched versions from scratch as soon as possible.</p></div><div class="rtf"><h3 class="rtf-title">Indicators of Compromise (IoCs)</h3><p>IOCs have been provided by both <a href="https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/">Rapid7</a> and <a href="https://securelist.com/notepad-supply-chain-attack/118708/">Kaspersky</a>, though their usefulness may be limited as the threat actor has been observed rotating out almost all pieces of infrastructure from C2 servers to malware families and payload hashes.</p><p>That said, we will include a limited summary of them here to assist with threat hunts.</p><table><tbody><tr><th><p>IoC</p></th><th><p>Type</p></th><th><p>Notes</p></th></tr><tr><td><p>8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e</p></td><td><p>sha256</p></td><td><p>NSIS script</p></td></tr><tr><td><p>77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e</p></td><td><p>sha256</p></td><td><p>Encrypted shellcode</p></td></tr><tr><td><p>3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad</p></td><td><p>sha256</p></td><td><p>Malicious sideloaded 
DLL</p></td></tr><tr><td><p>0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd</p></td><td><p>sha256</p></td><td><p>Loader Variant</p></td></tr><tr><td><p>e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda</p></td><td><p>sha256</p></td><td><p>Loader Variant</p></td></tr><tr><td><p>b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3</p></td><td><p>sha256</p></td><td><p>Loader Variant</p></td></tr><tr><td><p>fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a</p></td><td><p>sha256</p></td><td><p>Loader Variant</p></td></tr><tr><td><p>8e6e505438c21f3d281e1cc257abdbf7223b7f5a</p></td><td><p>sha1</p></td><td><p>NSIS installer</p></td></tr><tr><td><p>573549869e84544e3ef253bdba79851dcde4963a</p></td><td><p>sha1</p></td><td><p>NSIS installer</p></td></tr><tr><td><p>d7ffd7b588880cf61b603346a3557e7cce648c93</p></td><td><p>sha1</p></td><td><p>NSIS installer</p></td></tr><tr><td><p>6444dab57d93ce987c22da66b3706d5d7fc226da</p></td><td><p>sha1</p></td><td><p>DLL</p></td></tr><tr><td><p>2ab0758dda4e71aee6f4c8e4c0265a796518f07d</p></td><td><p>sha1</p></td><td><p>DLL</p></td></tr><tr><td><p>f7910d943a013eede24ac89d6388c1b98f8b3717</p></td><td><p>sha1</p></td><td><p>DLL</p></td></tr><tr><td><p>defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c</p></td><td><p>sha1</p></td><td><p>ProShow.exe</p></td></tr><tr><td><p>06a6a5a39193075734a32e0235bde0e979c27228</p></td><td><p>sha1</p></td><td><p>load</p></td></tr><tr><td><p>bf996a709835c0c16cce1015e6d44fc95e08a38a</p></td><td><p>sha1</p></td><td><p>script.exe</p></td></tr><tr><td><p>ca4b6fe0c69472cd3d63b212eb805b7f65710d33</p></td><td><p>sha1</p></td><td><p>alien.ini</p></td></tr><tr><td><p>821c0cafb2aab0f063ef7e313f64313fc81d46cd</p></td><td><p>sha1</p></td><td><p></p></td></tr><tr><td><p>4c9aac447bf732acc97992290aa7a187b967ee2c</p></td><td><p>sha1</p></td><td><p></p></td></tr><tr><td><p>90e677d7ff5844407b9c073e3b7e896e078e11cd</p></td><td><p>sha1</p></td><td><p></p></td></tr><tr><td><p>api.skyclo
udcenter[.]com</p></td><td><p>hostname</p></td><td><p>C2</p></td></tr><tr><td><p>api.wiresguard[.]com</p></td><td><p>hostname</p></td><td><p>C2</p></td></tr><tr><td><p>cdncheck.it[.]com</p></td><td><p>hostname</p></td><td><p>C2</p></td></tr><tr><td><p>self-dns.it[.]com</p></td><td><p>hostname</p></td><td><p>C2</p></td></tr><tr><td><p>safe-dns.it[.]com</p></td><td><p>hostname</p></td><td><p>C2</p></td></tr><tr><td><p>59.110.7[.]32</p></td><td><p>IP</p></td><td><p>C2</p></td></tr><tr><td><p>124.222.137[.]114</p></td><td><p>IP</p></td><td><p>C2</p></td></tr><tr><td><p>45.76.155[.]202</p></td><td><p>IP</p></td><td><p>Malware Host</p></td></tr><tr><td><p>45.77.31[.]210</p></td><td><p>IP</p></td><td><p>C2</p></td></tr><tr><td><p>45.32.144[.]255</p></td><td><p>IP</p></td><td><p>C2</p></td></tr><tr><td><p>95.179.213[.]0</p></td><td><p>IP</p></td><td><p>C2</p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>The attack itself was limited in scope; a former hosting provider for Notepad++ had a server compromised sometime in June 2025, and the threat actors persisted access until December 2025. In that time the threat actor was selectively redirecting specific targeted users to trojaned, malicious update packages. The attack was narrow to a degree that analysis from Kaspersky indicates as few as a dozen individual machines were specifically targeted. 
Changes referenced in Notepad++’s patch notes indicate that this man-in-the-middle supply chain attack was possible because of a lack of signature verification in the updater programs and on update server XMLs returned to the client.</p><p>Notepad++ has changed hosting providers for their update infrastructure and fixed their update process to include more strict signing certificate checks.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security has conducted threat hunts across our MDR environment to detect potential attempts to hijack client Notepad++ installations leveraging the Indicators of Compromise (IOCs) listed in this advisory. Beazley Security MDR will reach out to any impacted organizations and work to contain potential threat actors. </p><p>If you believe your organization may have been impacted by this attack campaign and need support, please <a href="https://beazley.security/report-security-breach">contact our Incident Response team.</a></p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://notepad-plus-plus.org/news/v889-released/">Notepad++: v8.8.9 release: Vulnerability-fix</a></p></li><li><p><a href="https://notepad-plus-plus.org/news/hijacked-incident-info-update/">Notepad++: Hijacked by State-Sponsored Hackers</a></p></li><li><p><a href="https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/">Rapid7: The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit</a></p></li><li><p><a href="https://securelist.com/notepad-supply-chain-attack/118708/">Securelist: The Notepad++ supply chain attack — unnoticed execution chains and new IoCs</a></p></li></ul></div>]]></content><summary type="html">On December 9th, text editor application Notepad++ reported an incident where some of their software update infrastructure had been hijacked to deliver sophisticated backdoor malware to specific targets. 
Rapid7 published some additional analysis on one of the payloads delivered and attributed the campaign to Chinese state-sponsored APT group Lotus Blossom.</summary></entry><entry><title>Critical Vulnerabilities in Ivanti EPMM Under Active Exploitation (CVE-2026-1281, CVE-2026-1340)</title><link href="https://labs.beazley.security/advisories/BSL-A1153" rel="alternate"/><updated>2026-01-29T08:00:00.000Z</updated><published>2026-01-29T08:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1153</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>On January 29<sup>th</sup>, Ivanti published an advisory concerning two vulnerabilities (tracked as CVE-2026-1281 and CVE-2026-1340) in their Endpoint Manager Mobile (EPMM) product. Both vulnerabilities were listed as remote command injection bugs that allow successful attackers to perform unauthenticated remote code execution (RCE) on an affected device. EPMM is often deployed directly connected to the internet, and as such can provide threat actors with initial access to an organization’s network. Ivanti confirmed in their advisory that a “very limited number of customers” had been exploited at time of disclosure. Additionally, CISA added both vulnerabilities to their Known Exploited Vulnerabilities list the same day.</p><p>No deep technical details of the bug or public proof-of-concept (PoC) exploits have been published at time of writing; however, Ivanti released patches at the time of disclosure. Beazley Security expects threat actors who are not already in possession of private weaponized exploits to study the patches and deploy their own exploits in the coming days. 
Beazley Security strongly recommends affected organizations apply the vendor supplied security fixes as soon as possible.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p>Product</p></th><th><p>Affected Version</p></th><th><p>Fixed Version</p></th></tr><tr><td><p>Ivanti Endpoint Manager Mobile (EPMM)</p></td><td><p>12.5.0.0 and prior</p><p>12.6.0.0 and prior</p><p>12.7.0.0 and prior</p></td><td><p>RPM 12.x.0.x</p></td></tr><tr><td><p>Ivanti Endpoint Manager Mobile (EPMM)</p></td><td><p>12.5.1.0 and prior</p><p>12.6.1.0 and prior</p></td><td><p>RPM 12.x.1.x</p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Mitigations / Workarounds</h3><p>No mitigations or workarounds aside from the available security patches have been provided from Ivanti.</p></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>Ivanti provided software patches at the time of disclosure for the affected versions listed above. The patches are in RPM package format, and short instructions for where to get the patches and how to install the patch packages can be found in the advisory <a href="https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US">here</a>. Additionally, Ivanti encourages customers to upgrade to 12.8.0.0 which is to be released in Q1 2026.</p></div><div class="rtf"><h3 class="rtf-title">Indicators of Compromise (IoCs)</h3><p>Ivanti provided good guidance on searching logs for indicators of attack and successful exploitation. Their recommendations are generic (rather than specific indicators like IPs or injected commands) and were informed by the few verified breaches that happened as a result of these vulnerabilities. 
Their guidance documentation with generalized indicators can be found <a href="https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US">here</a>. We will provide a summarized version below.</p><p>The vulnerabilities affect two specific features:</p><ul><li><p>In-House Application Distribution, and</p></li><li><p>Android File Transfer Configuration</p></li></ul><p>Traffic to those endpoints can be reviewed in the Apache Access Log at:</p><p><code>/var/log/httpd/https-access_log</code></p><p>Normal traffic will result in HTTP response codes of 200, while exploit attempts will cause HTTP response codes of 404. More importantly, <b>exploit attempts will show bash commands in the HTTP parameters</b>.</p><p>The following regular expression was suggested to assist with log file triage:</p><p><code>^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 </code></p><p>Ivanti has also noted that in previous vulnerabilities targeting these systems, it was common for threat actors to attempt persistence post-compromise via:</p><ul><li><p>webshells disguised as HTTP error pages, like 401.jsp</p></li><li><p>unexpected WAR or JAR files imported to the device</p></li></ul></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>At the time of the disclosure no in-depth technical details were provided by Ivanti; however, their analysis guidance documentation provided enough information to understand the nature of the vulnerabilities. Specifically, the two targeted EPMM systems were: In-House Application Distribution, and Android File Transfer Configuration.</p><p>Additionally, it was noted that exploit attempts against those system endpoints will result in 404 error messages in the logs, and to look for bash commands in the HTTP parameters. 
This hints at a classic case of incoming, attacker-controlled HTTP traffic being passed unfiltered to code that executes injected system commands.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.</p><p>We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.</p><p>If you believe your organization may have been impacted by this attack campaign and need support, please <a href="https://beazley.security/report-security-breach">contact our Incident Response team.</a></p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US">Ivanti: Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 &amp; CVE-2026-1340)</a></p></li><li><p><a href="https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US&amp;_gl=1*11h511z*_gcl_au*MTA3OTkxMjYzMC4xNzY5Njk5MTgw">Ivanti: Analysis Guidance Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1281 &amp; CVE-2026-1340</a></p></li><li><p><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281">CISA KEV: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability</a></p></li></ul></div>]]></content><summary type="html">On January 29th, Ivanti published an advisory concerning two vulnerabilities (tracked as CVE-2026-1281 and CVE-2026-1340) in their Endpoint Manager Mobile (EPMM) product. Both vulnerabilities were listed as remote command injection bugs that allow successful attackers to perform unauthenticated remote code execution (RCE) on an affected device. 
EPMM is often deployed directly connected to the internet, and as such can provide threat actors with initial access to an organization’s network. Ivanti confirmed in their advisory that a “very limited number of customers” had been exploited at time of disclosure. Additionally, CISA added both vulnerabilities to their Known Exploited Vulnerabilities list the same day.</summary></entry><entry><title>Critical Auth Bypass Vulnerabilities in Fortinet Products Under Active Exploitation (CVE-2026-24858)</title><link href="https://labs.beazley.security/advisories/BSL-A1152" rel="alternate"/><updated>2026-01-27T23:00:00.000Z</updated><published>2026-01-27T23:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1152</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>On January 27th, Fortinet published an advisory detailing an authentication bypass via an alternate path or channel vulnerability (CVE-2026-24858) affecting FortiOS, FortiManager, and FortiAnalyzer. A threat actor with a valid FortiCloud account and a registered device can abuse this vulnerability to authenticate to other devices registered under different FortiCloud accounts, provided FortiCloud SSO is enabled on those target devices. This vulnerability was reported to already be in use by threat actors in the wild at the time of discovery. In December 2025, Fortinet had issued a similar advisory related to two FortiCloud single sign-on (SSO) bypass vulnerabilities <a href="https://labs.beazley.security/advisories/BSL-A1147">(CVE-2025-59718 and CVE-2025-59719) [BSL-A1147]</a> that the Fortinet product security team had internally discovered during a code audit. </p><p>The vulnerabilities described in that advisory allowed for unauthenticated bypass of SSO login authentication via crafted SAML sent to FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices when the FortiCloud SSO feature was enabled. 
</p><p>FortiCloud SSO is not enabled by default in factory configurations. However, when an administrator registers a device with FortiCare through the GUI, FortiCloud SSO is automatically enabled unless the “Allow administrative login using FortiCloud SSO” option is explicitly disabled during registration. </p><p>As mentioned, Fortinet observed this vulnerability being actively exploited in the wild by two malicious FortiCloud accounts, which were disabled on 2026-01-22. As an immediate mitigation, Fortinet temporarily disabled FortiCloud SSO at the FortiCloud service level on 2026-01-26. The feature was re-enabled on 2026-01-27 with additional restrictions, preventing authentication from devices running vulnerable versions. </p><p>Due to this, Beazley Security believes many Fortinet devices may be vulnerable without the administrator’s knowledge. Given the reports of active exploitation of these vulnerabilities in the wild and the significant risk of further compromise once initial access has been gained by a compromised Fortinet device, Beazley Security strongly recommends that affected organizations disable FortiCloud SSO until patches are available and can be applied. 
</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p>Product </p></th><th><p>Affected Version </p></th><th><p>Fixed Version </p></th></tr><tr><td><p>FortiAnalyzer 7.6 </p></td><td><p>7.6.0 through 7.6.5 </p></td><td><p>Upgrade to upcoming 7.6.6 or above </p></td></tr><tr><td><p>FortiAnalyzer 7.4 </p></td><td><p>7.4.0 through 7.4.9 </p></td><td><p>Upgrade to upcoming 7.4.10 or above </p></td></tr><tr><td><p>FortiAnalyzer 7.2 </p></td><td><p>7.2.0 through 7.2.11 </p></td><td><p>Upgrade to upcoming 7.2.12 or above </p></td></tr><tr><td><p>FortiAnalyzer 7.0 </p></td><td><p>7.0.0 through 7.0.15 </p></td><td><p>Upgrade to upcoming 7.0.16 or above </p></td></tr><tr><td><p>FortiManager 7.6 </p></td><td><p>7.6.0 through 7.6.5 </p></td><td><p>Upgrade to upcoming 7.6.6 or above </p></td></tr><tr><td><p>FortiManager 7.4 </p></td><td><p>7.4.0 through 7.4.9 </p></td><td><p>Upgrade to upcoming 7.4.10 or above </p></td></tr><tr><td><p>FortiManager 7.2 </p></td><td><p>7.2.0 through 7.2.11 </p></td><td><p>Upgrade to upcoming 7.2.13 or above </p></td></tr><tr><td><p>FortiManager 7.0 </p></td><td><p>7.0.0 through 7.0.15 </p></td><td><p>Upgrade to upcoming 7.0.16 or above </p></td></tr><tr><td><p>FortiOS 7.6 </p></td><td><p>7.6.0 through 7.6.5 </p></td><td><p>Upgrade to upcoming 7.6.6 or above </p></td></tr><tr><td><p>FortiOS 7.4 </p></td><td><p>7.4.0 through 7.4.10 </p></td><td><p>Upgrade to upcoming 7.4.11 or above </p></td></tr><tr><td><p>FortiOS 7.2 </p></td><td><p>7.2.0 through 7.2.12 </p></td><td><p>Upgrade to upcoming 7.2.13 or above </p></td></tr><tr><td><p>FortiOS 7.0 </p></td><td><p>7.0.0 through 7.0.18 </p></td><td><p>Upgrade to upcoming 7.0.19 or above </p></td></tr><tr><td><p>FortiProxy 7.6 </p></td><td><p>7.6.0 through 7.6.4 </p></td><td><p>Upgrade to upcoming 7.6.6 or above </p></td></tr><tr><td><p>FortiProxy 7.4 </p></td><td><p>7.4.0 through 7.4.12 </p></td><td><p>Upgrade to upcoming 7.4.13 or above 
</p></td></tr><tr><td><p>FortiProxy 7.2 </p></td><td><p>7.2 all versions </p></td><td><p>Migrate to a fixed release </p></td></tr><tr><td><p>FortiProxy 7.0 </p></td><td><p>7.0 all versions </p></td><td><p>Migrate to a fixed release </p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Mitigations / Workarounds</h3><p>Patches have not been released at time of writing, and Beazley Security strongly recommends that patches be applied as soon as they are available for any impacted appliances.</p><p>Additionally, Beazley Security Labs recommends disabling the FortiCloud SSO feature until patches are released and applied. To disable FortiCloud SSO admin logins:</p><ol><li><p>Go to System -> Settings -> Switch. </p></li><li><p>Change &quot;Allow administrative login using FortiCloud SSO&quot; to Off. </p></li></ol><p>Or type the following commands in the CLI:</p><p><code>config system global</code></p><p><code>set admin-forticloud-sso-login disable</code></p><p><code>end </code></p></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>Fortinet has disabled FortiCloud SSO support for vulnerable device versions as of January 26, 2026. Customers must upgrade to the latest versions for FortiCloud SSO authentication to function. The FortiGuard advisory recommends using their <a href="https://docs.fortinet.com/upgrade-tool/fortigate"><u>provided upgrade tool</u></a> to update software on the affected products when the patches become available.</p></div><div class="rtf"><h3 class="rtf-title">Indicators of Compromise (IoCs)</h3><p>At the time of this writing, <a href="https://www.fortiguard.com/psirt/FG-IR-26-060"><u>FortiGuard Labs</u></a> has officially released indicators of compromise; in addition, there are public reports of exploitation in the wild.</p><h3>Emails</h3><p>The actor has been observed to have logged in with the following user accounts. 
</p><ul><li><p>cloud-noc@mail[.]io </p></li><li><p>cloud-init@mail[.]io</p></li></ul><h3>IP Addresses</h3><p>According to FortiGuard Labs the actor has been observed to log in via multiple IP addresses and appears to have switched to use Cloudflare protected IPs.</p><ul><li><p>104.28.244[.]115 </p></li><li><p>104.28.212[.]114 </p></li><li><p>104.28.212[.]115 </p></li><li><p>104.28.195[.]105 </p></li><li><p>104.28.195[.]106 </p></li><li><p>104.28.227[.]106 </p></li><li><p>104.28.227[.]105 </p></li><li><p>104.28.244[.]114 </p></li><li><p>37.1.209[.]19 </p></li><li><p>217.119.139[.]50</p></li></ul><h3>Malicious Local Account Creation</h3><p>Following authentication via SSO, it has been observed that the actor creates a local admin account with one of the following names. We recommend reviewing all admin accounts to look for any unexpected entries.</p><ul><li><p>audit </p></li><li><p>backup </p></li><li><p>itadmin </p></li><li><p>secadmin </p></li><li><p>support </p></li><li><p>backupadmin </p></li><li><p>deploy </p></li><li><p>itadmin </p></li><li><p>remoteadmin </p></li><li><p>security </p></li><li><p>svcadmin </p></li><li><p>system</p></li></ul></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.</p><p>We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.</p><p>If you believe your organization may have been impacted by this attack campaign and need support, please <a href="https://beazley.security/report-security-breach"><u>contact our Incident Response team.</u></a> </p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://www.fortiguard.com/psirt/FG-IR-26-060"><u>https://www.fortiguard.com/psirt/FG-IR-26-060</u></a> </p></li><li><p><a 
href="https://docs.fortinet.com/upgrade-tool/fortigate"><u>https://docs.fortinet.com/upgrade-tool/fortigate</u></a> </p></li><li><p><a href="https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios"><u>https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios</u></a> </p></li><li><p><a href="https://labs.beazley.security/advisories/BSL-A1147"><u>https://labs.beazley.security/advisories/BSL-A1147</u></a></p></li></ul></div>]]></content><summary type="html">On January 27th, Fortinet published an advisory alerting users to an authentication bypass actively being used in the wild against FortiCloud SSO. This vulnerability, separate from but closely related to CVE-2025-59718 and CVE-2025-59719 from December 2025, warrants immediate action.</summary></entry><entry><title>Critical Vulnerability in Zimbra under active exploitation (CVE-2025-68645)</title><link href="https://labs.beazley.security/advisories/BSL-A1151" rel="alternate"/><updated>2026-01-23T08:00:00.000Z</updated><published>2026-01-23T08:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1151</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>On January 23, CISA updated their Known Exploited Vulnerability (KEV) catalog with a critical Local File Inclusion (LFI) vulnerability in Zimbra Collaboration (ZCS). This vulnerability, tracked as CVE-2025-68645 and originally reported on December 22<sup>nd</sup>, allows unauthenticated remote attackers to include arbitrary files from the WebRoot directory by crafting malicious requests to an endpoint in the RestFilter servlet. This can potentially leak enough information to breach the targeted server and provide threat actors initial access into an organization’s network.</p><p>A public proof-of-concept (PoC) exploit is available on GitHub, and the inclusion in CISA’s KEV confirms active exploitation in real-world cyberattacks. 
Beazley Security Labs highly recommends users adopt the patch immediately.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p>Product</p></th><th><p>Affected Version</p></th><th><p>Fixed Version</p></th></tr><tr><td><p>Zimbra Collaboration (ZCS)</p></td><td><p>10.0–10.0.17 &amp; 10.1.0–10.1.12</p></td><td><p>10.0.18 &amp; 10.1.13</p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>Patches are available through Zimbra’s Patch Document, which provides step-by-step installation instructions tailored to each supported version. </p><p>For 10.0.x instructions follow - <a href="https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.0/patch_installation">10.0.x Patch Installation</a></p><p>For 10.1.x instructions follow - <a href="https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.0/patch_installation">10.1.x Patch Installation</a></p></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>There is a public proof-of-concept exploit available on GitHub. That, combined with the advisories from Zimbra and NIST, describes a Local File Inclusion (LFI) vulnerability in the /h/rest endpoint of the RestFilter servlet in the Webmail Classic UI.</p><p>LFI vulnerabilities are a common bug class and in general allow remote attackers to include, and thereby read, local files on a target machine. CVE-2025-68645 appears to leak files from the WebRoot directory, which often contains sensitive configuration information. 
This information could then be leveraged by an attacker to further compromise the system or exfiltrate additional sensitive data.</p><p>The POC is straightforward:</p><p><code>https://&lt;target>/h/rest?javax.servlet.include.servlet_path=&lt;any WebRoot URI></code></p><p>And the contents of the sensitive WebRoot directory for a typical Zimbra install can be seen here: <a href="https://github.com/Zimbra/zm-web-client/tree/develop/WebRoot">https://github.com/Zimbra/zm-web-client/tree/develop/WebRoot</a></p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.</p><p>We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.</p><p>If you believe your organization may have been impacted by this attack campaign and need support, please <a href="https://beazley.security/report-security-breach">contact our Incident Response team</a>.</p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes">Zimbra: Zimbra Daffodil 10.0.18 Patch Release</a></p></li><li><p><a href="https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes">Zimbra: Zimbra Daffodil (v10.1.13) Patch Release</a></p></li><li><p><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645">CISA KEV: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability</a></p></li><li><p><a href="https://github.com/MaxMnMl/zimbramail-CVE-2025-68645-poc/blob/main/README.md">GitHub: zimbramail-CVE-2025-68645-poc</a></p></li></ul></div>]]></content><summary type="html">On January 23, CISA updated their Known Exploited Vulnerability (KEV) catalog with a critical Local File Inclusion (LFI) 
vulnerability in Zimbra Collaboration (ZCS). This vulnerability, tracked as CVE-2025-68645 and originally reported on December 22nd, allows unauthenticated remote attackers to include arbitrary files from the WebRoot directory by crafting malicious requests to an endpoint in the RestFilter servlet. This can potentially leak enough information to breach the targeted server and provide threat actors initial access into an organization's network.</summary></entry><entry><title>Critical Vulnerability in n8n (CVE-2026-21858)</title><link href="https://labs.beazley.security/advisories/BSL-A1150" rel="alternate"/><updated>2026-01-08T08:00:00.000Z</updated><published>2026-01-08T08:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1150</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>On January 6th, 2026, CVE-2026-21858 was published by n8n, followed shortly by articles by Dor Attias and Cyera documenting critical flaws in n8n's request parsing. The vulnerability allows an unauthenticated attacker to exfiltrate sensitive data, which can lead to full compromise of the n8n system. If a vulnerable n8n system is directly connected to the internet, this could provide threat actors with initial access to an organization's internal network.</p><p>At the time of writing, multiple proof-of-concept samples (PoCs) had already been published, meaning widespread exploitation is already underway.
n8n released an update to its software in November, and Beazley Security Labs highly recommends users adopt and deploy it immediately.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p>Product</p></th><th><p>Affected Versions</p></th><th><p>Fixed Versions</p></th></tr><tr><td><p>n8n</p></td><td><p>>= 1.65.0</p></td><td><p>1.121.0</p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Mitigations / Workarounds</h3><p>n8n has not provided any mitigation recommendations aside from applying available software updates. If possible, n8n systems should be deployed internally with no inbound connectivity allowed from the internet.</p></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>n8n released 1.121.0 on November 18, 2025, which addresses this vulnerability. Given the proliferation of PoCs and news reporting of this vulnerability, it is strongly advised that any deployments of n8n are updated immediately.</p></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>The vulnerability is due to a bug in the way n8n parses user input from workflows, specifically how the parseRequestBody() function handles Content-Type values. Some of the input control parameters can be maliciously modified by a threat actor, and researchers at Cyera found that the Content-Type header, in conjunction with the req.body.files object, can be used to confuse n8n into reading an arbitrary file on the underlying operating system and reporting its contents back to the attacker.</p><p>Cyera also demonstrated that this arbitrary file read can be leveraged to exfiltrate:</p><ul><li><p>the n8n database (a plain text SQLite file), and</p></li><li><p>the local n8n encryption key (often stored in the same way for containerized deployments)</p></li></ul><p>These two files provide enough data to create valid authentication tokens, enabling an attacker to access n8n as an administrator.
n8n administrators can then create workflows to execute commands on the host system.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.</p><p>If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.</p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://github.com/advisories/GHSA-v4pr-fm98-w9pg">n8n GitHub: n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling</a></p></li><li><p><a href="https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858">Cyera: Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858)</a></p></li></ul></div>]]></content><summary type="html">On January 6th, 2026, CVE-2026-21858 was published by n8n, followed shortly by articles by Dor Attias and Cyera documenting critical flaws in n8n's request parsing. The vulnerability allows an unauthenticated attacker to exfiltrate sensitive data, which can lead to full compromise of the n8n system. If a vulnerable n8n system is directly connected to the internet, this could provide threat actors with initial access to an organization's internal network.</summary></entry><entry><title>Critical Vulnerability in SmarterMail (CVE-2025-52691)</title><link href="https://labs.beazley.security/advisories/BSL-A1149" rel="alternate"/><updated>2025-12-29T06:00:00.000Z</updated><published>2025-12-29T06:00:00.000Z</published><id>https://labs.beazley.security/advisories/BSL-A1149</id><content type="html"><![CDATA[<div class="rtf"><h3 class="rtf-title">Executive Summary</h3><p>On December 28, 2025, NIST published a critical file upload vulnerability affecting SmarterTools SmarterMail server.
The flaw, documented as CVE-2025-52691, carries a maximum CVSS score of 10 and gives remote unauthenticated attackers the ability to upload malicious files to the mail server, potentially leading to remote code execution.</p><p>This vulnerability could enable sensitive data exfiltration and compromise of the system to facilitate further attacks against affected organizations. Shortly after the vulnerability was published, proof-of-concept exploit code was also publicly released.</p><p>Because mail servers are typically exposed directly to the internet to handle email traffic, Beazley Security recommends organizations patch immediately.</p></div><div class="rtf"><h3 class="rtf-title">Affected Systems or Products</h3><table><tbody><tr><th><p>Product</p></th><th><p>Affected Versions</p></th><th><p>Fixed Versions</p></th></tr><tr><td><p>SmarterTools SmarterMail</p></td><td><p>Build 9406 and earlier</p></td><td><p>Build 9413 or later</p></td></tr></tbody></table></div><div class="rtf"><h3 class="rtf-title">Mitigations / Workarounds</h3><p>SmarterTools has not made any mitigations available at the time of this advisory; however, security updates have been released to address this vulnerability.</p><p>Given the internet-facing nature of these appliances and the criticality of the vulnerability, updating to SmarterMail Build 9413 or later is strongly recommended.</p></div><div class="rtf"><h3 class="rtf-title">Patches</h3><p>Patches addressing CVE-2025-52691 are available in Build 9413 or later. Organizations should install security updates as soon as possible.
<a href="https://www.smartertools.com/smartermail/release-notes/current">Release notes</a> have been made available on the SmarterTools website, and new software downloads are available <a href="https://www.smartertools.com/smartermail/downloads">here</a>.</p></div><div class="rtf"><h3 class="rtf-title">Indicators of Compromise (IoCs)</h3><p>At the time of this writing, SmarterTools has not officially released any indicators of compromise and there are no public reports of exploitation in the wild. However, as the vulnerability allows malicious file uploads, BSL recommends checking for signs of compromise by reviewing the directories hosting the SmarterMail server for unexpected or malicious files, and by reviewing for suspicious POST requests to SmarterMail-hosted web portals, especially to the following endpoints:</p><ul><li><p>/api/upload</p></li><li><p>/api/v1/upload</p></li><li><p>/Interface/Frmx/UploadFile.aspx</p></li><li><p>/MRS/Upload.ashx</p></li><li><p>/Services/Upload.ashx</p></li></ul></div><div class="rtf"><h3 class="rtf-title">Technical Details</h3><p>At the time of this writing, SmarterTools has not yet publicly provided technical details regarding this vulnerability; however, vulnerability disclosures from <a href="https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/">CSA Singapore</a> classify CVE-2025-52691 as a critical arbitrary file upload vulnerability within SmarterMail server builds 9406 and earlier.</p><p>The vulnerability can be exploited by a remote, unauthenticated attacker to upload files to any location on an affected mail server.
As the vulnerability permits uploading files to the server's upload directories, attackers could place malicious executables or webshells that execute with the privileges of the SmarterMail service and can then be accessed remotely.</p><p>Shortly after release of this vulnerability, proof-of-concept exploit code <a href="https://github.com/yt2w/CVE-2025-52691">surfaced</a> on GitHub which appears to attack web components of the SmarterMail server by attempting to place a proof-of-concept ASPX webshell at these endpoints:</p><p><code><i>&quot;/api/upload&quot;,</i></code></p><p><code><i>&quot;/api/v1/upload&quot;,</i></code></p><p><code><i>&quot;/Interface/Frmx/UploadFile.aspx&quot;,</i></code></p><p><code><i>&quot;/MRS/Upload.ashx&quot;,</i></code></p><p><code><i>&quot;/Services/Upload.ashx&quot;</i></code></p><p>suggesting the vulnerability might allow files to be uploaded to the system at those locations and then accessed to run commands to further compromise a server.</p></div><div class="rtf"><h3 class="rtf-title">Our Organizational Response</h3><p>Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.</p><p>We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.</p><p>If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.</p></div><div class="rtf"><h3 class="rtf-title">Sources</h3><ul><li><p><a href="https://www.smartertools.com/smartermail/release-notes/current">https://www.smartertools.com/smartermail/release-notes/current</a></p></li><li><p><a href="https://www.smartertools.com/smartermail/downloads">https://www.smartertools.com/smartermail/downloads</a></p></li><li><p><a 
href="https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/">https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/</a></p></li><li><p><a href="https://github.com/yt2w/CVE-2025-52691">https://github.com/yt2w/CVE-2025-52691</a></p></li></ul></div>]]></content><summary type="html">On December 28, 2025, NIST published a critical file upload vulnerability affecting SmarterTools SmarterMail server. The flaw, documented as CVE-2025-52691, carries a maximum CVSS score of 10 and gives remote unauthenticated attackers the ability to upload malicious files to the mail server, potentially leading to remote code execution.</summary></entry>
</feed>
