Early Warning
CVE-2020-2883 is a critical deserialization vulnerability in Oracle WebLogic Server allowing remote code execution, publicly disclosed in April 2020 but recently re-emphasized by CISA, and detected early by Armis Centrix™ for Early Warning.
The Black Basta leak exposed approximately 200,000 internal chat messages from the notorious ransomware group, revealing their operational tactics, exploited vulnerabilities, and extensive global reach across 84 countries.
On February 21, 2025, Dubai-based cryptocurrency exchange Bybit suffered a $1.5 billion theft of digital assets, attributed to North Korea’s Lazarus Group, highlighting escalating state-sponsored cyberattacks.
Threat actors are exploiting a chain of vulnerabilities (CVE-2025-0108, CVE-2024-9474, and CVE-2025-0111) in Palo Alto Networks firewalls to gain unauthorized, root-level access.
CVE-2024-21413 is a critical security vulnerability in Microsoft Outlook classified as an “Improper Input Validation Vulnerability”.
Armis Labs’ investigation into DeepSeek Coder revealed that reliance on AI-generated code without proper oversight can introduce critical vulnerabilities, such as the use of known vulnerable libraries and coding practices leading to issues like SQL injection and buffer overflows.
CVE-2023-48365 is a critical pre-authentication remote code execution (RCE) vulnerability affecting Qlik Sense Enterprise for Windows.
CVE-2021-44207 is a critical security vulnerability identified in Acclaim Systems’ USAHERDS application, specifically in versions up to 7.4.0.1.
CVE-2024-1212 is a critical security vulnerability identified in Progress Kemp LoadMaster, a widely used load balancer and application delivery controller.
Armis examines Salt Typhoon, a sophisticated Chinese state-sponsored threat actor that has conducted high-profile cyberespionage campaigns targeting U.S. telecommunications providers and political communication systems. Known for its stealthy techniques and ties to the Ministry of State Security, this group exemplifies the escalating risks posed to critical infrastructure by advanced persistent threats.
CVE-2021-41277 is a Local File Inclusion (LFI) vulnerability discovered in the GeoJSON API of Metabase, a widely used open-source business intelligence and analytics platform.
Armis dives into the 15 most exploited vulnerabilities reported by CISA, providing an overview of each CVE, and offering insights into the types of attacks, exploitation patterns, and how long they’ve been active.
CVE-2024-40711 is a critical remote code execution vulnerability affecting Veeam Backup & Replication (VBR) servers, which attackers are actively exploiting in ransomware attacks.
CVE-2019-1069, also known as the Task Scheduler Elevation of Privilege Vulnerability, was identified in Microsoft Windows Task Scheduler.
CVE-2016-3714 is a critical vulnerability in ImageMagick that allows remote code execution due to insufficient input filtering. ImageMagick is a popular software suite for creating, editing, and converting bitmap images.
The exploit requires 10,000 attempts and specific conditions related to the GNU C Library (glibc), making widespread exploitation unlikely.
This is an easily exploitable unauthenticated remote code execution vulnerability affecting NextGen HealthCare’s Mirth Connect data integration platform.
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contains a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contains a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability.
Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature.
Microsoft Windows Print Spooler service contains a privilege escalation vulnerability.
CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page.
Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability.
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.
Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability.
CrowdStrike is actively working with customers impacted by the defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.