Tag
#ransomware
54 posts tagged #ransomware.
-
Analysis · May 20, 2026 · Colten Anderson
Your attack surface isn't just port 443
CVE-2023-46604 is a perfect-10 RCE in Apache ActiveMQ. The exploit isn't a web request; it's a single message to the broker on port 61616, a port most web-focused scanning and firewalling never considers. The broker then fetches a remote XML file and runs whatever's in it.
-
Analysis · May 20, 2026 · Colten Anderson
Insecure deserialization isn't a Java problem. Ask Ruby's YAML.load.
CVE-2022-47986 is a pre-auth RCE in IBM Aspera Faspex from a single call to YAML.load on data an unauthenticated user controls. It's the Ruby version of the deserialization footgun, and ransomware crews used it to move onto Linux.
-
Analysis · May 20, 2026 · Colten Anderson
BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop. Microsoft was scared enough of a WannaCry repeat that it shipped patches for end-of-life XP and Server 2003. The worm never fully came, but the lesson did: RDP doesn't belong on the internet.
-
Analysis · May 20, 2026 · Colten Anderson
A 2020 bug leaked VPN passwords. The orgs that survived had MFA.
CVE-2020-3259 lets an unauthenticated attacker read Cisco ASA memory, sometimes including VPN credentials in cleartext. Akira ransomware used it for initial access years after the patch. The control that turned a leaked password into a non-event was multi-factor authentication.
-
Analysis · May 20, 2026 · Colten Anderson
The unlocked side door on your Cisco VPN was the default group nobody configured
CVE-2023-20269 let attackers brute-force Cisco ASA VPN credentials and establish unauthorized sessions, both by abusing default connection profiles that ship enabled. Akira and LockBit used it for initial access. The fix is patching plus hardening the defaults you never touched.
-
Analysis · May 20, 2026 · Colten Anderson
22,000 servers ransomed in days: the CyberPanel control-panel wipeout
Two CVSS-10 pre-auth RCEs in CyberPanel let the PSAUX ransomware crew encrypt roughly 22,000 internet-exposed servers in late October 2024. Hosting control panels run as root and face the internet by design, which is exactly why one bug becomes a fleet-wide event.
-
Analysis · May 20, 2026 · Colten Anderson
The ransomware that brought a signed driver to switch off the rule against unsigned drivers
In 2020, RobbinHood became the first ransomware seen shipping a legitimately-signed GIGABYTE driver, exploiting it to disable Windows driver-signature enforcement, then loading its own unsigned driver to kill security software from the kernel. The four GIGABYTE CVEs are why.
-
Field Note · May 20, 2026 · Colten Anderson
Jenkins CVE-2024-23897: from 'limited file read' to your secret key
The KEV entry calls it 'limited read access to certain files.' On a Jenkins controller, the files include the cryptographic key that turns read into remote code execution. Here's how to check, patch, and what to rotate if you were exposed.
-
Analysis · May 20, 2026 · Colten Anderson
Compromise one MSP's RMM, ransom a thousand businesses: the Kaseya pattern
Kaseya VSA is remote-monitoring software MSPs use to manage thousands of client machines. That reach is why it keeps getting attacked, and why in 2021 REvil used it to push ransomware to roughly 1,500 downstream businesses in a single weekend.
-
Analysis · May 20, 2026 · Colten Anderson
The Linux firewall bug your users can reach because you gave them a private root
CVE-2024-1086 is an nf_tables use-after-free that hands a local user root. The reason an unprivileged user can touch the kernel's packet-filtering engine at all is unprivileged user namespaces, and turning those off defuses a whole class of these bugs at once.
-
Analysis · May 20, 2026 · Colten Anderson
The most dangerous server in the hospital is the one nobody can name
Mirth Connect moves patient records between systems and runs with high privileges, and a lot of installs sit on the open internet. CVE-2023-43208 is an unauthenticated RCE in it, and it's a patch bypass: the first fix used a denylist, and a researcher walked around it.
-
Analysis · May 20, 2026 · Colten Anderson
Lorenz ransomware's way in was the phone system
In 2022, Lorenz ransomware breached corporate networks through a Mitel MiVoice Connect appliance, the VoIP system, using CVE-2022-29499 as a zero-day. Telephony and unified-comms appliances are edge servers running web code, and almost nobody treats them that way.
-
Analysis · May 20, 2026 · Colten Anderson
Your ERP is on the internet, and it's the system that cuts the checks
Security programs treat ERP as 'internal.' Oracle E-Business Suite exposes web modules to the internet by design, and CVE-2022-21587 turned one into unauthenticated code execution on the system that runs payroll, purchase orders, and the general ledger.
-
Analysis · May 20, 2026 · Colten Anderson
A soft hyphen reopened a bug PHP closed in 2012
CVE-2024-4577 is a patch bypass of a 12-year-old PHP-CGI flaw. The 2012 fix sanitized the input. Windows then helpfully rewrote a soft hyphen back into a real one, after the check, and handed the attacker their command-line argument anyway.
-
Analysis · May 20, 2026 · Colten Anderson
DeadBolt skipped the network intrusion and just encrypted the NAS directly
Most ransomware has to break in, escalate, and spread before it encrypts anything. DeadBolt found internet-exposed QNAP NAS devices, exploited a Photo Station bug, and encrypted the files in place. On a NAS, the device is the data, and that changes the whole attack.
-
Analysis · May 20, 2026 · Colten Anderson
Why ransomware crews love a backup server twice over
CVE-2022-36537 is a ZK Framework bug that handed attackers ConnectWise R1Soft backup servers. A backup server is the perfect ransomware target for two reasons at once: it can push code to everything it protects, and destroying it removes the one thing that lets a victim refuse to pay.
-
Analysis · May 20, 2026 · Colten Anderson
The other half of the ScreenConnect chain just got a 2026 deadline
CVE-2024-1709 got the CVSS 10 and the headlines in February 2024. The path-traversal half that actually lands code execution, CVE-2024-1708, only got its own KEV deadline on April 28, 2026. Two years late, same chain.
-
Analysis · May 20, 2026 · Colten Anderson
The attacker installed a second antivirus to crash your first one
CVE-2024-38094 is a 7.2. It requires authentication. Most teams filed it below the criticals. It was still the entry point for a two-week, full-domain compromise, and the cleanup tactic was installing rogue antivirus to make the real EDR fall over.
-
Analysis · May 20, 2026 · Colten Anderson
2021 was open season on SonicWall's appliances, remote access and email alike
In 2021, SonicWall's SMA/SRA remote-access appliances and its Email Security product were both hit by zero-day exploitation, by ransomware crews and APTs. Seven of those CVEs are in the catalog, several used before patches existed.
-
Analysis · May 20, 2026 · Colten Anderson
Akira's favorite front door is a SonicWall SSL-VPN, and it's fast
Three SonicWall bugs, CVE-2024-40766, CVE-2024-53704, and CVE-2025-23006, feed the same outcome: Akira ransomware through the SSL-VPN. In one campaign, the time from SonicWall access to encrypted files was 55 minutes. Several of these bugs walk past MFA.
-
Analysis · May 20, 2026 · Colten Anderson
SysAid customers got the patch the same week they learned they were already breached
CVE-2023-47246 was a SysAid zero-day before it was a CVE. The Cl0p operator Lace Tempest, fresh off MOVEit, was writing webshells to Tomcat and deploying ransomware while the vendor was still writing the advisory. When the attacker has the bug first, detection matters as much as patching.
-
Analysis · May 20, 2026 · Colten Anderson
Ransomware crews keep hitting Veeam for the same two reasons
Four Veeam Backup & Replication CVEs feed the same playbook. Attackers target the backup server because it can destroy your recovery option and because it holds the credentials to everything it backs up. CVE-2024-40711 took Akira and Fog from access to ransomware fast.
-
Analysis · May 20, 2026 · Colten Anderson
The backup agent on every server was ALPHV's way in
Veritas Backup Exec's agent listens on every machine it backs up. Three 2021 CVEs in it, CVE-2021-27876, 27877, and 27878, let ALPHV/BlackCat affiliates get in. Backup infrastructure isn't just a destruction target; its agents are an attack surface on every host.
-
Analysis · May 20, 2026 · Colten Anderson
ESXi handed out admin to a group named 'ESX Admins' and never checked who made it
CVE-2024-37085 is an auth bypass where domain-joined ESXi grants full control to any member of a group called 'ESX Admins,' without verifying the group is legitimate. At least four ransomware crews used it to encrypt hypervisors. ESXi 7.0 isn't getting a patch.
-
Analysis · May 20, 2026 · Colten Anderson
The virtualization control plane keeps getting RCE'd, and ESXiArgs showed why that matters
vCenter and ESXi run your entire virtual estate. A run of pre-auth RCEs in vCenter (CVE-2021-21972, 21975, 21985, 22005) and the ESXi OpenSLP bugs (CVE-2019-5544, CVE-2020-3992) that fed the ESXiArgs ransomware wave show why the management layer is a crown-jewel target.
-
Analysis · May 20, 2026 · Colten Anderson
Five hours from public PoC to live exploitation on your monitoring server
CVE-2024-6670 is an unauthenticated SQL injection in WhatsUp Gold. The exploit went public at 5pm UTC; Trend Micro saw the first real attack by 10pm. The tool that watches your whole network became the way in.
-
Analysis · May 20, 2026 · Colten Anderson
Microsoft said 'no known exploitation.' The exploit may have been three months old.
When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks. Symantec later found a Black Basta exploit tool built weeks earlier. The technique it used, an IFEO Debugger key, is one you can detect even when you can't patch in time.
-
Analysis · May 10, 2026 · Colten Anderson
Zyxel patched CVE-2024-11667 in September. They named it in November
The fix shipped on September 3, 2024. The CVE assignment came eleven weeks later, after Helldown was already in production networks. The customers who patched on time still got compromised.
-
Analysis · May 10, 2026 · Colten Anderson
SimpleHelp CVE-2024-57727: a seven-day patch and a sixteen-month leak
SimpleHelp shipped a fix in seven days from full disclosure. Then they posted it to a forum. Ransomware affiliates have been pulling hashed admin credentials out of unpatched servers ever since.
-
Analysis · May 8, 2026 · Colten Anderson
Cleo shipped a fix in October. Cl0p was bypassing it by December.
CVE-2024-50623 was patched in 5.8.0.21 on October 27. By December 3, Huntress had a working PoC against fully patched hosts and Cl0p was running it in production. This is the fifth MFT vendor in five years to hand Cl0p the same playbook.
-
Analysis · May 8, 2026 · Colten Anderson
Five critical Fortinet CVEs in 28 months is not a streak of bad luck
Three heap overflows, two auth bypasses, all pre-auth, all ransomware-linked. The pattern in FortiOS and FortiProxy is structural, and patching alone has not been enough to remove attacker access.
-
Analysis · May 8, 2026 · Colten Anderson
Three root shells in seven months. All from the same firewall.
CVE-2024-3400, CVE-2024-0012, and CVE-2024-9474 gave attackers unauthenticated root on Palo Alto firewalls twice in 2024. The pattern isn't bad luck. It's the architecture.
-
Analysis · May 8, 2026 · Colten Anderson
The researcher who reported two Windows bugs to Microsoft was exploiting a third
CVE-2025-26633 turns MMC's localization feature into a code execution vector. EncryptHub exploited it as a zero-day while simultaneously disclosing other vulnerabilities to Microsoft for credit.
-
Analysis · May 8, 2026 · Colten Anderson
Broadcom turned an ESXi zero-day into a patch-access crisis
CVE-2025-22225 was exploited for over a year before Broadcom patched it. Then perpetual license holders couldn't download the fix.
-
Analysis · May 8, 2026 · Colten Anderson
Ivanti Connect Secure: the perimeter that keeps breaking
Five KEV-listed Ivanti Connect Secure bugs in fifteen months, all ransomware-tagged, all on the unauthenticated path. The pledge bought goodwill. The code did not change.
-
Analysis · May 6, 2026 · Colten Anderson
Citrix shipped CitrixBleed again
Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023. Same binary, same attack surface, same session token leakage. Its own post-patch guidance still doesn't invalidate the tokens attackers actually steal.
-
Analysis · May 6, 2026 · Colten Anderson
CrushFTP chose the narrative over its customers
CrushFTP tried to keep a CVSS 9.8 auth bypass quiet. The disclosure mess that followed, two CVEs, public PoC code, and CEO threats, helped attackers move faster.
-
Analysis · May 6, 2026 · Colten Anderson
Fortinet encrypted your config backups with 'Mary had a littl' for six years
Every FortiGate encrypted config backups with the same AES key for years. Akira ransomware automated the decryption. Fortinet keeps shipping this class of bug.
-
Analysis · May 6, 2026 · Colten Anderson
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped. One confirmed victim reported multi-billion dollar profit impact. SAP's initial workaround guidance was later marked 'Do Not Use.'
-
Analysis · May 6, 2026 · Colten Anderson
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks. Two unrelated ransomware groups were already using it. It was the sixth CLFS zero-day since 2022.
-
Analysis · May 5, 2026 · Colten Anderson
Oracle blamed its customers for a zero-day it hadn't patched
Oracle's first public statement during active Cl0p exploitation told customers the breach was their fault for not applying a patch that didn't exist. The correction came Saturday night, behind a paywall.
-
Analysis · May 5, 2026 · Colten Anderson
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere? It did. Third critical BeyondTrust RCE in 15 months, confirmed ransomware, CISA gave you 3 days.
-
Analysis · May 5, 2026 · Colten Anderson
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.
-
Analysis · May 5, 2026 · Colten Anderson
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers. The bug isn't the story. The patching economics are.
-
Analysis · May 5, 2026 · Colten Anderson
GoAnywhere MFT gets its third critical RCE in three years
Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers. Under 24 hours from initial access to ransomware. GoAnywhere's third year in a row.
-
Analysis · May 5, 2026 · Colten Anderson
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations. Here's what patching EBS actually looks like under a KEV deadline.
-
Analysis · May 5, 2026 · Colten Anderson
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back. Storm-1175 is deploying Medusa ransomware through it with sub-24-hour exploitation tempo. CISA added it to KEV in April 2026. If you patched the RCE in 2023 and moved on, check whether the auth bypass actually closed.
-
Analysis · May 5, 2026 · Colten Anderson
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday. By the following Thursday, ransomware groups were deploying payloads within one minute of initial access. A 200-byte POST, CVSS 10, 137,000 exposed instances, and most developers never knew their frontend had server-side attack surface.
-
Analysis · May 5, 2026 · Colten Anderson
SharePoint's two-week window: patched servers were still exploitable
Organizations that patched SharePoint on July 9 did everything right and were still vulnerable. Microsoft's first fix was incomplete, and ransomware operators had the gap memorized.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API. SmarterTools patched it silently in October 2025 with no CVE, no advisory, and release notes that said 'critical security fixes.' watchTowr found the silent fix two months later. Here's why that matters.
-
Analysis · May 5, 2026 · Colten Anderson
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15. Attackers decompiled the .NET assemblies, found the fix, built a working exploit, and were inside production systems by January 17. Then they breached SmarterTools itself.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API. No credentials, no interaction, CVSS 9.8, confirmed ransomware. One of three critical SmarterMail CVEs in ten days. Here's what happened and what to do about it.
-
Analysis · May 5, 2026 · Colten Anderson
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days. CISA added it to KEV in April 2026 with a May 4 federal deadline. If you're still below 2023.11.4, this is two years overdue.
-
Analysis · Apr 30, 2026 · Colten Anderson
CVE-2026-41940 isn't just a cPanel bug. It's a design assumption that shipped for a decade.
A CRLF injection in cPanel's session writer gave attackers unauthenticated root in four requests. The fix landed. The architecture question hasn't. Updated May 4 with exploitation scale: 44,000+ hosts compromised, ransomware, botnet, and state-sponsored campaigns confirmed.