Weekly Exploit Roundup
Generated 2026-02-03T08:00:12.703025+00:00 (UTC)
- Patch Tuesday and the Enduring Challenge of Windows’ Backwards Compatibility
Source: Rapid7 Cybersecurity Blog | Published: 2026-01-28T17:04:41+00:00 | Score: 29.584
Introduction: If you received an email with the subject “I LOVE YOU” and an attachment called “LOVE-LETTER-FOR-YOU.TXT”, would you open it? Probably not, but back in the year 2000, plenty of people did exactly that. The internet learned a hard lesson about the disproportionate power available to a university dropout with some VBScript skills, and millions of ordinary people suffered the anguish of deleted family photos or even reputational damage as the worm propagated itself across their entire Outlook address book. In the quarter century since ILOVEYOU rampaged across global networks, cybersecurity has moved from a niche topic to an “everyone” problem, and many users are wary of all sorts of threats. In recent years, the increasing ubiquity and urgency of AI adoption across the business landscape has attracted the attention of both security researchers and threat actors. Of course, recency bias and shiny object fixation are real. Even as AI and automation continue to drive down time t
- Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild (CVE-2026-1281 & CVE-2026-1340)
Source: Rapid7 Cybersecurity Blog | Published: 2026-01-30T16:14:40+00:00 | Score: 25.888
Overview: On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild had already occurred prior to disclosure. This has been echoed by CISA, who added CVE-2026-1281 to their Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (due Feb 1, 2026) for organizations such as federal agencies to remediate the vulnerabilities before the affected devices must be removed from a network. While CVE-2026-1281 has been confirmed as exploited in the wild as a zero-day, it is unclear whether CVE-2026-1340 has also been exploited, or whether it was found separately from CVE-2026-1281. The two critical vulnerabilities are summarized below.
    CVE            CVSSv3          CWE
    CVE-2026-1281  9.8 (Critical)  Improper Control of Generation of Code (CWE-94)
    CVE-2026-1340
- Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released
Source: The Hacker News | Published: 2026-01-30T04:43:00+00:00 | Score: 23.645
Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.
The critical-severity vulnerabilities are listed below: CVE-2026-1281 (CVSS score:
- Multiple Critical SolarWinds Web Help Desk Vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554
Source: Rapid7 Cybersecurity Blog | Published: 2026-01-28T14:53:08+00:00 | Score: 23.219
Overview: On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication. As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers. The six vulnerabilities are summarized below.
    CVE             CVSSv3          CWE
    CVE-2025-40551  9.8 (Critical)  Deserialization of Untrusted Data (CWE-502)
    CVE-2025-40552  9.8 (Critical)  Weak Authentication (CWE-1390)
    CVE-2025-40553  9.8 (Critical)  Deserialization of Untr
- Metasploit Wrap-Up 01/30/2026
Source: Rapid7 Cybersecurity Blog | Published: 2026-01-30T21:11:27+00:00 | Score: 23.035
FreePBX Content Galore: This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution. New module content (7): FreePBX endpoint SQLi to RCE. Authors: Noah King and msutovsky-r7. Type: Exploit. Pull request: #20857 contributed by msutovsky-r7. Path: unix/http/freepbx_custom_extension_rce. AttackerKB reference: CVE-2025-61675. Description: This adds an exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQLi, CVE-2025-61675, which allows a cron job to be added to the cron_job table of the database to achieve remote code execution. FreePBX firmware file upload. Authors: Noah
- Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
Source: Threat Intelligence | Published: 2026-01-27T14:00:00+00:00 | Score: 21.678
Introduction: The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Although the flaw was discovered and patched in July 2025, government-backed threat actors linked to Russia and China, as well as financially motivated threat actors, continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness. In this blog post, we provide details on CVE-2025-8088 and the typical exploit chain, highlight exploitation by financially motivated and state-sponsored espionage actors, and provide IOCs to help defenders detect and hunt for the activity described in this post. To protect against this threat, we urge organizations
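The exploitation method described above is a path-traversal entry name that makes the extractor write outside the chosen output directory, in this case into a Startup folder. The check below is an added example, not GTIG's code or WinRAR's: it classifies archive entry names before extraction, resolves each one against the output directory, and reports whether it escapes and whether the resolved target is a Startup folder. The entry names, the `C:\Users\alice\Downloads\out` output directory and the Startup-folder markers are constructed assumptions; the markers cover only the default per-user and all-users locations.

```python
"""Classify archive entry names for path traversal before extraction.

Added example (not GTIG's or WinRAR's code). Entry names and paths below are
constructed; they are not indicators from any real sample.
"""
from pathlib import PureWindowsPath

# Assumption: default Startup locations only; relocated Shell Folders are not covered.
STARTUP_MARKERS = (
    r"appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"programdata\microsoft\windows\start menu\programs\startup",
)
DEFAULT_EXTRACT_DIR = r"C:\Users\alice\Downloads\out"   # constructed


def resolve_target(name: str, extract_dir: str) -> PureWindowsPath:
    """Return where a naive extractor would write `name`, honouring '..' segments."""
    stack = list(PureWindowsPath(extract_dir).parts)
    for part in PureWindowsPath(name.replace("/", "\\")).parts:
        if part == "..":
            if len(stack) > 1:          # never pop the drive anchor itself
                stack.pop()
        elif part not in (".", ""):
            stack.append(part)
    return PureWindowsPath(*stack)


def classify_entry(name: str, extract_dir: str = DEFAULT_EXTRACT_DIR) -> str:
    """Return 'ok' or a short reason the entry must not be extracted as-is."""
    p = PureWindowsPath(name.replace("/", "\\"))
    if p.drive or p.root:
        return "absolute or drive-relative path"
    if ":" in name:
        # A colon is never legitimate in a relative entry name on Windows
        # (drive letter or alternate-data-stream syntax).
        return "colon in entry name"
    base = PureWindowsPath(extract_dir)
    target = resolve_target(name, extract_dir)
    inside = target == base or base in target.parents
    if not inside:
        if any(m in str(target).lower() for m in STARTUP_MARKERS):
            return "traversal into Startup folder"
        return "traversal outside extraction directory"
    if ".." in p.parts:
        return "parent traversal inside extraction directory"
    return "ok"


def scan(entries, extract_dir: str = DEFAULT_EXTRACT_DIR) -> dict:
    """Map every entry name to its verdict so a caller can refuse the whole archive."""
    return {e: classify_entry(e, extract_dir) for e in entries}


# Constructed entry names: one benign, one Startup-folder traversal, and some near misses.
SAMPLE_ENTRIES = [
    r"docs\report.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    r"..\..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    r"..\sibling\notes.txt",
    r"C:\Windows\Temp\a.dll",
    r"image.jpg:hidden.exe",
    r"sub\..\file.txt",
]

if __name__ == "__main__":
    for entry, verdict in scan(SAMPLE_ENTRIES).items():
        print(f"{verdict:45} {entry}")
```

Refuse the archive if any verdict other than `ok` appears; a single traversal entry is enough to plant persistence, so per-entry skipping is not a safe policy.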
- Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS
Source: Threat Intelligence | Published: 2026-01-30T14:00:00+00:00 | Score: 19.921
Introduction: Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report, 'Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft', these campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions. This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions rely on the effectiveness of social engineering to bypass identity controls and pivot into cloud-based software-as-a-service (SaaS) environments. This post provides actionable hardening, logging, and detection recommendations to help organizations protect against these threats. Organizations responding to an active incident should focus on
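The intrusion pattern above has a detectable shape in identity logs: a successful SSO sign-in from an address the user has never used, followed shortly by enrollment of a new MFA factor. The correlation below is an added example and not Mandiant's detection content; the event records are constructed, and the field names (`user`, `event`, `ip`, `ts`, `factor`), the event types and the 30-minute window are assumptions rather than any IdP's schema or a recommended threshold.

```python
"""Flag MFA factor enrollments that follow a sign-in from a first-seen IP.

Added example, not Mandiant's code. Events and field names are constructed
assumptions; map them onto your own IdP's sign-in and factor-enrollment logs.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: enrollment within 30 min of a first-seen-IP login

# Constructed events. alice's first two logins establish her normal IP; the third is the
# intruder using vished credentials, who then enrolls a push factor six minutes later.
EVENTS = [
    {"ts": "2026-01-26T09:02:11Z", "user": "alice", "event": "sso.login.success", "ip": "203.0.113.10"},
    {"ts": "2026-01-27T08:58:40Z", "user": "alice", "event": "sso.login.success", "ip": "203.0.113.10"},
    {"ts": "2026-01-27T09:05:02Z", "user": "bob",   "event": "sso.login.success", "ip": "203.0.113.22"},
    {"ts": "2026-01-28T14:21:37Z", "user": "alice", "event": "sso.login.success", "ip": "198.51.100.77"},
    {"ts": "2026-01-28T14:27:50Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "198.51.100.77", "factor": "push"},
    {"ts": "2026-01-28T15:00:00Z", "user": "bob",   "event": "sso.login.success", "ip": "203.0.113.22"},
    {"ts": "2026-01-28T15:09:13Z", "user": "bob",   "event": "mfa.factor.enroll", "ip": "203.0.113.22", "factor": "totp"},
    {"ts": "2026-01-28T16:00:00Z", "user": "carol", "event": "sso.login.success", "ip": "192.0.2.5"},
    {"ts": "2026-01-28T18:30:00Z", "user": "carol", "event": "mfa.factor.enroll", "ip": "192.0.2.5", "factor": "push"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious_enrollments(events, window: timedelta = WINDOW) -> list:
    """Return one alert per MFA enrollment within `window` of a first-seen-IP login.

    known_ips is learned from the event stream itself, so the stream should start
    with enough history (or be seeded from a baseline) that a user's first login
    in the data is not mistaken for a new IP.
    """
    known_ips: dict = {}            # user -> IPs seen on earlier successful logins
    last_new_ip_login: dict = {}    # user -> (time, ip) of the latest first-seen-IP login
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, t = e["user"], parse_ts(e["ts"])
        if e["event"] == "sso.login.success":
            seen = known_ips.setdefault(user, set())
            if e["ip"] not in seen:
                last_new_ip_login[user] = (t, e["ip"])
            seen.add(e["ip"])
        elif e["event"] == "mfa.factor.enroll":
            last = last_new_ip_login.get(user)
            if last and t - last[0] <= window:
                alerts.append({
                    "user": user,
                    "factor": e.get("factor"),
                    "login_ip": last[1],
                    "minutes_after_login": round((t - last[0]).total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_enrollments(EVENTS):
        print(f"{a['user']}: {a['factor']} factor enrolled {a['minutes_after_login']} min "
              f"after first login from {a['login_ip']}")
```

bob's enrollment is not flagged because his login came from an IP already in his history; carol's is not flagged because it fell outside the window, which is the trade-off a tighter window makes against a slower attacker.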
- OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
Source: The Hacker News | Published: 2026-02-02T16:28:00+00:00 | Score: 18.638
A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link.
The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to
- SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score
Source: The Hacker News | Published: 2026-01-30T07:09:00+00:00 | Score: 18.217
SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution.
The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0.
"SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API
- SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass
Source: The Hacker News | Published: 2026-01-29T09:00:00+00:00 | Score: 17.558
SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE).
The list of vulnerabilities is as follows: CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated
End of report.
