Overview
Description
Statistics
- 4 Posts
- 3 Interactions
Fediverse
👀 Seeing who’s poking Ivanti Connect Secure?
GreyNoise just caught a ~100x spike in recon on CVE-2025-0282 featuring one loud AS213790 campaign and one sneaky botnet spread across 6K IPs.
We broke down the infra + what defenders should do next. 👇
https://www.labs.greynoise.io/grimoire/2026-01-29-inside-the-infrastructure-whos-scanning-for-ivanti-connect-secure/
☕ & #threatintel - Two campaigns (100x spike!) are hitting Ivanti Connect Secure; one loud (34K sessions from Romania/Moldova), one stealthy (~6K distributed IPs). Both target a pre-exploitation endpoint for CVE-2025-0282. https://www.labs.greynoise.io/grimoire/2026-01-29-inside-the-infrastructure-whos-scanning-for-ivanti-connect-secure/
Overview
- SolarWinds
- Web Help Desk
Description
Statistics
- 5 Posts
- 3 Interactions
Fediverse
‼️ SolarWinds Web Help Desk RCE Hit by Multiple Critical Security Flaws; CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554
CVSS: All 9.8
CVEs Published: January 28th, 2026
CVE-2025-40551: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
CVE-2025-40552: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
CVE-2025-40554: SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.
Advisories:
https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://nvd.nist.gov/vuln/detail/CVE-2025-40552
https://nvd.nist.gov/vuln/detail/CVE-2025-40553
https://nvd.nist.gov/vuln/detail/CVE-2025-40554
SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
SolarWinds has released security updates to patch critical authentication
bypass and remote command execution vulnerabilities in its Web Help Desk IT
help desk software.
The authentication bypass security flaws (tracked as CVE-2025-40552 and
CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr
Bazydlo and can be exploited by remote unauthenticated threat actors in
low-complexity attacks.
Bazydlo also found and reported a critical remote code execution (RCE) flaw
(CVE-2025-40553) stemming from an untrusted data deserialization weakness that
can enable attackers without privileges to run commands on vulnerable hosts.
A second RCE vulnerability (CVE-2025-40551) reported by Horizon3.ai security
researcher Jimi Sebree can also enable unauthenticated attackers to execute
commands remotely.
📦 That WinRAR "Free Trial" You Never Paid For? Hackers Are Exploiting It Right Now 🚨
A WinRAR vulnerability patched last July (CVE-2025-8088) is still being actively exploited by Russian APTs, Chinese threat actors, and cybercrime gangs six months later. The path traversal flaw lets attackers slip malicious files into your system when you extract seemingly innocent archives. If you're still using WinRAR, update immediately or switch to 7-Zip.
Sources:
- https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
- https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2025-8088
- https://www.helpnetsecurity.com/2026/01/28/winrar-vulnerability-exploited-cve-2025-8088/
---
🔓 Critical OpenSSL Flaw Could Let Hackers Take Over Your Computer Via Email 💀
CVE-2025-15467 is a critical 9.8 CVSS remote code execution vulnerability in OpenSSL's CMS and S/MIME message processing. OpenSSL powers encrypted communications across the entire internet, and this flaw allows unauthenticated attackers to execute arbitrary code remotely without any credentials. A working proof-of-concept already exists in the wild, meaning both defenders and attackers have access to it.
Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
- https://www.infosecurity-magazine.com/news/12-openssl-flaws/
- https://openssl-library.org/news/vulnerabilities/
- https://twitter.com/IntCyberDigest/status/2016288593547833778
---
🤦 SolarWinds Ships Critical Vulnerabilities In Their Own Software (Yes, THAT SolarWinds) 🤡
SolarWinds, the company that became the poster child for supply chain attacks after their 2020 breach, just disclosed four critical vulnerabilities in their Web Help Desk product. The flaws include unauthenticated remote code execution and authentication bypass that can be chained together to completely compromise systems without logging in. Five years after congressional hearings and intense security scrutiny, they still shipped this mess.
Sources:
- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- https://www.helpnetsecurity.com/2026/01/29/solarwinds-web-help-desk-rce-vulnerabilities/
- https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
- https://nvd.nist.gov/vuln/detail/CVE-2025-40552
- https://nvd.nist.gov/vuln/detail/CVE-2025-40553
- https://nvd.nist.gov/vuln/detail/CVE-2025-40554
- https://nvd.nist.gov/vuln/detail/CVE-2025-40551
Overview
- SolarWinds
- Web Help Desk
Description
Statistics
- 5 Posts
- 3 Interactions
Fediverse
🚨 2 critical authentication bypass and remote command execution vulnerabilities in SolarWinds WHD have been disclosed.
Vulnerability detection scripts can be found below:
CVE-2025-40552:
https://github.com/rxerium/rxerium-templates/blob/main/2025/CVE-2025-40552.yaml
CVE-2025-40554:
https://github.com/rxerium/rxerium-templates/blob/main/2025/CVE-2025-40554.yaml
At the time of writing, there are no signs of active exploitation in the wild, but it is strongly recommended that you patch as per SolarWinds' security advisory:
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
Overview
- gristlabs
- grist-core
Description
Statistics
- 2 Posts
Overview
- Go standard library
- net/url
Description
Statistics
- 2 Posts
Fediverse
🟠 CVE-2025-61726 - High (7.5)
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse larg...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-61726/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Overview
Description
Statistics
- 3 Posts
- 1 Interaction
Fediverse
🚨 2 new vulnerability scripts created for the n8n vulnerabilities disclosed today:
CVE-2026-1470:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-1470.yaml
CVE-2026-0863:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-0863.yaml
Happy hunting.
n8n – CVE-2026-1470 and CVE-2026-0863: two new flaws patched, how to protect yourself? https://www.it-connect.fr/n8n-cve-2026-1470-et-cve-2026-0863-patchs-de-securite/ #ActuCybersécurité #Cybersécurité #Vulnérabilité
Overview
- FreePBX
- security-reporting
Description
Statistics
- 2 Posts
Fediverse
Unveiling the Weaponized Web Shell EncystPHP
https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp
FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It
features several advanced capabilities, including remote command execution,
persistence mechanisms, and web shell deployment. Incidents were launched in
early December last year and propagated via exploitation of the FreePBX
vulnerability CVE-2025-64328.
Its malicious activity appears to be associated with the hacker group
INJ3CTOR3, first identified in 2020, which targeted CVE-2019-19006. In 2022,
the threat actor shifted its focus to the Elastix system via CVE-2021-45461.
These incidents begin with the exploitation of a FreePBX vulnerability,
followed by the deployment of a PHP web shell in the target environments. We
assess that this campaign represents recent attack activity and behavior
patterns associated with INJ3CTOR3.
Overview
- choijun
- LA-Studio Element Kit for Elementor
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
‼️ CVE-2026-0920: Explanation and payload of the recent vulnerability in the LA-Studio Element WordPress plugin.
PoC/Exploit: https://github.com/John-doe-code-a11/CVE-2026-0920
CVSS: 9.8
CVE Published: January 22nd, 2026
Advisory: https://github.com/advisories/GHSA-m3h4-65j5-6j8c
Technical Analysis: https://www.wordfence.com/blog/2026/01/20000-wordpress-sites-affected-by-backdoor-vulnerability-in-la-studio-element-kit-for-elementor-wordpress-plugin/
Overview
- inc2734
- Snow Monkey Forms
Description
Statistics
- 1 Post
Fediverse
‼️ CVE-2026-1056: Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal
PoC/Exploit: https://github.com/ch4r0nn/CVE-2026-1056-POC
CVSS: 9.8
CVE Published: January 28th, 2026
Advisory: https://github.com/advisories/GHSA-g5p3-f4cq-94v5
Details: The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).