CISA Warns of Active Exploitation in Apache ActiveMQ Jolokia API Vulnerability

CISA added a high-severity Apache ActiveMQ vulnerability (CVE-2026-34197) to its KEV catalog due to active exploitation that allows attackers to run arbitrary OS commands via the Jolokia API. The flaw is particularly dangerous when chained with CVE-2024-32114, which enables unauthenticated remote code execution in certain versions.

**If you're running Apache ActiveMQ, upgrade to version 5.19.4 or 6.2.3 ASAP. Attackers are actively exploiting this right now. While you're at it, make sure your ActiveMQ console is not exposed to the internet, change any default admin:admin credentials, and disable the Jolokia endpoint entirely if you don't need it.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisa-warns-of-active-exploitation-in-apache-activemq-jolokia-api-vulnerability-i-v-s-d-e/gD2P6Ple2L

Critical nginx-ui Vulnerability CVE-2026-33032 Under Active Exploitation

nginx-ui patched a critical authentication bypass (CVE-2026-33032) in its MCP integration that allows unauthenticated attackers to take over Nginx services and intercept traffic. The flaw is actively exploited in the wild and affects over 2,600 internet-exposed instances.

**Make sure your nginx-ui instances are isolated from the internet and accessible from trusted networks only. Then update nginx-ui to version 2.3.4 or later to patch CVE-2026-33032, and change the IP whitelist default from allow-all to deny-all so only trusted addresses can reach the management interface.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-nginx-ui-vulnerability-cve-2026-33032-under-active-exploitation-8-1-q-l-8/gD2P6Ple2L

ShowDoc Document Management Platform Targeted by Active RCE Exploitation

ShowDoc is facing active exploitation of a critical unauthenticated remote code execution vulnerability (CVE-2025-0520) caused by improper file upload validation. Attackers are using this flaw to deploy web shells and gain full control over unpatched servers.

**If you're running ShowDoc, update it to version 2.8.7 or higher immediately. This flaw has been patched since 2020 but attackers are actively exploiting unpatched instances. Then check your image upload folders for any suspicious PHP files that shouldn't be there, and make sure ShowDoc is not exposed to the internet.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/showdoc-document-management-platform-targeted-by-active-rce-exploitation-9-h-s-m-4/gD2P6Ple2L

CPUID Website Compromised to Distribute STX RAT Malware via CPU-Z and HWMonitor

CPUID's official website was compromised to distribute the STX RAT infostealer through poisoned download links for popular tools like CPU-Z and HWMonitor. The attack used DLL sideloading and masquerading to bypass security defenses and target organizations across multiple global sectors.

**If you downloaded CPU-Z, HWMonitor, or PerfMonitor between April 9–10, 2026, assume your system is compromised. Immediately change all your passwords (especially those saved in your browser), enable multi-factor authentication everywhere, and run a full security scan or reinstall your OS. Going forward, always verify software downloads by checking file signatures and hashes against the vendor's official published values before running any installer.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cpuid-website-compromised-to-distribute-stx-rat-malware-via-cpu-z-and-hwmonitor-y-5-e-q-i/gD2P6Ple2L

Marimo Python Notebook RCE Exploited Hours After Disclosure

Marimo patched a critical RCE vulnerability (CVE-2026-39987) that was exploited within 10 hours of disclosure to steal cloud credentials and SSH keys. The flaw allows unauthenticated attackers to gain full interactive shell access via a WebSocket authentication bypass.

**If you're running Marimo notebooks, update to version 0.23.0 immediately and rotate any credentials (AWS keys, SSH keys, database passwords, API secrets) that were stored on or accessible from that system. If you can't update right away, block access to the /terminal/ws endpoint or put the notebook behind a reverse proxy with authentication and never expose notebook platforms directly to the internet.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/marimo-python-notebook-rce-exploited-hours-after-disclosure-5-z-x-w-k/gD2P6Ple2L

Adobe Reader Zero-Day Exploited in Targeted Fingerprinting Campaign

An actively exploited zero-day vulnerability in Adobe Reader's JavaScript engine allows attackers to exfiltrate system data and potentially execute remote code via malicious PDF files.

**If you use Adobe Reader, open it right now and disable JavaScript by going to Edit > Preferences > JavaScript and unchecking "Enable Acrobat JavaScript". This blocks the exploit's main attack path. Until Adobe releases a patch, don't open any PDF files from unknown or unexpected sources, and if you must view untrusted PDFs, use a browser-based viewer like Chrome or Edge instead of Adobe Reader. Always verify the source of PDF files before opening them.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/adobe-reader-zero-day-exploited-in-targeted-fingerprinting-campaign-v-j-p-4-b/gD2P6Ple2L

Flowise AI Platform Targeted by Active Exploitation of Critical RCE Flaw

Flowise is facing active exploitation of CVE-2025-59528, a critical vulnerability that allows attackers to execute arbitrary JavaScript and take full control of AI workflow servers.

**If you're running Flowise, this is urgent. Your tool is being attacked. Make sure Flowise is isolated from the internet unless absolutely necessary, and update to version 3.0.6 ASAP. Until you can update, restrict access to trusted IPs only. After isolating or patching (whichever comes first), rotate all API tokens and credentials.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/flowise-ai-platform-targeted-by-active-exploitation-of-critical-rce-flaw-c-6-9-l-n/gD2P6Ple2L

36 Malicious npm Packages Target Guardarian Infrastructure via Strapi Plugins

A coordinated supply chain attack involving 36 malicious npm packages targeted the cryptocurrency platform Guardarian to steal database credentials and wallet keys. The campaign exploited Redis and Docker vulnerabilities to deploy persistent, fileless backdoors on production Strapi CMS servers.

**If you use Strapi, immediately audit your node_modules for any of these 36 malicious packages: legitimate Strapi plugins are always scoped under @strapi/, so any unscoped strapi-plugin-* package should be treated as suspicious and removed. If any were installed, assume full compromise: rotate all credentials, secrets, and keys, revoke database and API tokens, and investigate your environment for reverse shells or unauthorized cron jobs.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/36-malicious-npm-packages-target-guardarian-infrastructure-via-strapi-plugins-0-y-5-g-3/gD2P6Ple2L

Fortinet Issues Emergency Hotfix for Actively Exploited FortiClient EMS Zero-Day

Fortinet has released an emergency hotfix for an actively exploited critical zero-day vulnerability (CVE-2026-35616) in FortiClient EMS that allows unauthenticated attackers to bypass API security and run arbitrary commands.

**If you use FortiClient EMS versions 7.4.5 or 7.4.6, apply Fortinet's emergency hotfix ASAP. It's being actively exploited and can give attackers full control of your endpoint management server. While you're at it, check your EMS API logs for any signs of unauthorized access or unusual command execution that might indicate you've already been compromised.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/fortinet-issues-emergency-hotfix-for-actively-exploited-forticlient-ems-zero-day-p-2-q-w-2/gD2P6Ple2L

TrueConf Zero-Day Exploited in Targeted Government Attacks

China-nexus attackers exploited a zero-day vulnerability (CVE-2026-3502) in TrueConf's update mechanism to deploy the Havoc C2 framework across Southeast Asian government networks. The flaw allows attackers who compromise an on-premises server to push malicious updates to all connected clients without verification.

**If you use TrueConf for videoconferencing, update all Windows clients to version 8.5.3 immediately. Also check your systems for signs of compromise. Look for files like poweriso.exe or iscsiexe.dll in unexpected folders, and make sure any trueconf_windows_update.exe file has a valid digital signature before allowing it to run.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/trueconf-zero-day-exploited-in-targeted-government-attacks-9-4-c-x-v/gD2P6Ple2L
