Weekly Exploit Roundup 2026-02-24

Generated 2026-02-24T08:00:13.712034+00:00 (UTC)

  1. CVE-2026-2329: Critical Unauthenticated Stack Buffer Overflow in Grandstream GXP1600 VoIP Phones (FIXED)
    Source: Rapid7 Cybersecurity Blog | Published: 2026-02-18T14:00:00+00:00 | Score: 23.393
    Overview Rapid7 Labs conducted a zero-day research project against the Grandstream GXP1600 series of Voice over Internet Protocol (VoIP) phones. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-2329. A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. A vendor-supplied firmware update, version 1.0.7.81, is available to fully remediate CVE-2026-2329. The vulnerability is present in the device's web-based API service, and is accessible in a default configuration. As all models in the GXP1600 series share a common firmware image, the vulnerability affects all six models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. CVE-2026-2329 has a CVSSv4 score of 9.3 (Critical), and a Common Weakness Enumeration (CWE) of CWE-121: Stack-based Buffer Overflow. Impact To demonstrate the impact of this vulnerability,
  2. Metasploit Wrap-Up 02/20/2026
    Source: Rapid7 Cybersecurity Blog | Published: 2026-02-20T22:00:06+00:00 | Score: 23.059
    Hacking Churches and Backdooring Emacs This release packs some solid exploit module additions! Two new unauthenticated RCE modules are a major win: the StoryChief WordPress plugin exploit (CVE-2025-7441) targets a webhook validation flaw allowing arbitrary file uploads, while the ChurchCRM exploit (CVE-2025-62521) abuses the installation wizard to inject PHP code for persistent access. Both establish Meterpreter sessions. On the persistence front, there's a creative Emacs extension module that plants malicious Lisp code for shell callbacks whenever Emacs launches; a fun take on an unconventional attack surface. Along with Emacs, a new Windows persistence module using the old, gold registry; this time the UserInit one, to get Administrator shells when any user logs in. To wrap up, now you can spread automation nightmares with the new n8n auxiliary module, allowing you to extract sessions of other logged-in users (even admins). New module content (5) n8n arbitrary file read Authors: dor attias and
  3. Critical Grandstream Phone Vulnerability Exposes Calls to Interception
    Source: SecurityWeek | Published: 2026-02-21T12:00:00+00:00 | Score: 21.476
    The flaw tracked as CVE-2026-2329 can be exploited without authentication for remote code execution with root privileges.
  4. CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog
    Source: The Hacker News | Published: 2026-02-21T07:21:00+00:00 | Score: 19.438
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
    The vulnerabilities in question are listed below –

    CVE-2025-49113 (CVSS score: 9.9) – A deserialization of untrusted data vulnerability that allows remote code

  5. From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
    Source: Threat Intelligence | Published: 2026-02-17T14:00:00+00:00 | Score: 17.178
    Written by: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., Rich Reece Introduction Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT. The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access. There are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG does not currently consider the two clusters t
  6. The Phone is Listening: A Cold War–Style Vulnerability in Modern VoIP
    Source: Rapid7 Cybersecurity Blog | Published: 2026-02-18T14:15:00+00:00 | Score: 15.9
    I don’t know about you, but when I think about “critical vulnerabilities,” I usually picture ransomware, data theft, or maybe a server falling over at 2 a.m. while someone frantically searches Slack for the last good backup. What I don’t picture is a scene straight out of a Cold War spy film. CVE-2026-2329: Setting the scene Dimly lit office. After hours. The city skyline glowing through the glass. Two executives leaning over a polished conference table, whispering about an acquisition. A red light blinking softly on the desk phone. Everything feels normal… Except it isn’t. Researchers at Rapid7 have disclosed CVE-2026-2329, a critical unauthenticated stack-based buffer overflow in the Grandstream GXP1600 series of VoIP phones. Let me take a moment to explain why that sentence, while technical and slightly dry on the surface, should make you sit up a little straighter. At its core, this is a classic memory corruption issue. The kind many of us learned from in our early exploitation
  7. Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024
    Source: The Hacker News | Published: 2026-02-18T10:32:00+00:00 | Score: 15.39
    A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024, according to a new report from Google Mandiant and Google Threat Intelligence Group (GTIG).
    The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials
  8. CISA Flags Four Security Flaws Under Active Exploitation in Latest KEV Update
    Source: The Hacker News | Published: 2026-02-18T06:52:00+00:00 | Score: 15.28
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
    The list of vulnerabilities is as follows –

    CVE-2026-2441 (CVSS score: 8.8) – A use-after-free vulnerability in Google Chrome that could allow a remote attacker to potentially exploit heap

  9. CISA: BeyondTrust RCE flaw now exploited in ransomware attacks
    Source: BleepingComputer | Published: 2026-02-20T17:02:25+00:00 | Score: 15.112
    Hackers are actively exploiting the CVE-2026-1731 vulnerability in the BeyondTrust Remote Support product, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns. […]
  10. BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration
    Source: The Hacker News | Published: 2026-02-20T15:45:00+00:00 | Score: 14.973
    Threat actors have been observed exploiting a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to conduct a wide range of malicious actions, including deploying VShell and 
    The vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the
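Items 1 and 6 both describe CVE-2026-2329 as a CWE-121 stack-based buffer overflow reachable through an unauthenticated web API parameter. The block below is an added illustration of that bug class, written for this roundup; it is not code from Rapid7, Grandstream, or any of the sources above, and nothing in it reflects the actual GXP1600 firmware. The query-string format, the `name` parameter, the 32-byte buffer and the helper `query_value` are all hypothetical. It shows the unbounded-copy pattern beside a bounded version that rejects over-long values before touching the stack buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer, as commonly found in embedded web handlers.
   Hypothetical size chosen for the example. */
#define NAME_BUF_SZ 32

/* Locate the value of `key` in a query string such as "name=alice&lang=en".
   Returns a pointer into `query` and sets *len to the value length (up to the
   next '&' or end of string), or NULL if the key is absent. Hypothetical
   helper for this example; it does no percent-decoding. */
const char *query_value(const char *query, const char *key, size_t *len) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');       /* skip to the next key=value pair */
        if (p) p++;
    }
    return NULL;
}

/* Vulnerable pattern (CWE-121): the request value is copied into a fixed
   stack buffer with no length check. A value longer than NAME_BUF_SZ-1
   bytes runs past `name` into the saved frame data and return address.
   Deliberately never called with long input below; shown for contrast. */
void vuln_set_name(const char *query) {
    char name[NAME_BUF_SZ];
    size_t vlen;
    const char *v = query_value(query, "name", &vlen);
    if (!v) return;
    memcpy(name, v, vlen);        /* no bound check against sizeof name */
    name[vlen] = '\0';
    printf("name set to %s\n", name);
}

/* Hardened form: reject an over-long value before any copy, then copy with
   an explicit bound and NUL-terminate. Returns 0 on success, -1 if the key
   is missing, -2 if the value would not fit in `out`. */
int safe_set_name(const char *query, char *out, size_t outlen) {
    size_t vlen;
    const char *v = query_value(query, "name", &vlen);
    if (!v) return -1;
    if (vlen >= outlen) return -2;  /* keep room for the terminator */
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 0;
}

int main(void) {
    char buf[NAME_BUF_SZ];
    char longq[600];

    /* Constructed request: a 500-byte "name" value, the kind of input an
       unauthenticated fuzzer would send to an API parameter. */
    memset(longq, 'A', sizeof longq);
    memcpy(longq, "name=", 5);
    longq[505] = '\0';

    printf("short value: rc=%d\n", safe_set_name("name=alice&lang=en", buf, sizeof buf));
    printf("long value:  rc=%d\n", safe_set_name(longq, buf, sizeof buf));
    return 0;
}
```

The point of the hardened version is that the length check happens on the parsed value before any write, so the buffer size is the only thing the caller has to get right; compiling with stack protectors and running under ASan would catch the vulnerable variant, but neither substitutes for the bound check in code that runs as root on an unauthenticated surface.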

End of report.