Weekly Threat Awareness ReportFortiWeb Auth Bypass in KEV · Windows .LNK Spoofing · AI Agentic Ransomware
Perimeter and endpoint both feature this week: a critical FortiWeb path-traversal flaw that hands attackers full administrative control is already in the CISA KEV catalog, and a Windows .LNK spoofing bug is being weaponized by multiple APT groups. A SharePoint deserialization RCE rounds out the CVEs. On the campaign side, the China-linked WP-SHELLSTORM webshell brokerage is draining CMS and enterprise Java infrastructure at industrial scale, and Sysdig has documented the first confirmed case of AI-orchestrated agentic ransomware.
Vaughn Thomas
Compliance Engineer & Threat Researcher · SOClogix Cyber Group
About the Analyst
Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.
200+
Threat groups tracked
50+
Intel feeds monitored
3 yrs
Threat research tenure
Top Mentioned CVEs
Most frequently referenced vulnerabilities across this week's intelligence corpus.
CVE-2025-55182CVE-2025-8088CVE-2025-53770CVE-2026-31431CVE-2025-53771CVE-2026-21509CVE-2025-59718CVE-2025-59287CVE-2025-66478CVE-2025-59719CVEs Affecting Client Assets
Vulnerabilities identified this week with direct relevance to common enterprise environments. Two are under active exploitation, and one is already listed in CISA KEV.
CVE-2025-64446 New this week Actively exploited CISA KEVFortinet FortiWeb - Path Traversal Authentication Bypass
Relative Path Traversal (CWE-23) · Unauthenticated · Web request · In CISA KEV
A critical flaw in Fortinet FortiWeb, the vendor's web application firewall, lets attackers bypass authentication and execute administrative commands through specially crafted web requests. The root cause is a relative path traversal that tricks the appliance into accessing files and directories outside its intended scope. Successful exploitation grants complete administrative control of the device, letting an attacker steal data, disrupt operations, or turn the firewall itself into a launchpad for deeper network intrusion. It is actively exploited in the wild, already listed in the CISA Known Exploited Vulnerabilities catalog, with public exploit code on GitHub and tradecraft overlapping actors such as RomCom and Volt Typhoon. Affected releases span FortiWeb 7.0.0-7.0.11, 7.2.0-7.2.11, 7.4.0-7.4.9, 7.6.0-7.6.4, and 8.0.0-8.0.1.
Recommended Actions
- Patch immediately to a fixed FortiWeb release; treat this as an emergency change given KEV status
- Remove FortiWeb management interfaces from public internet exposure and restrict to trusted networks
- Hunt for unauthorized admin accounts, config changes, and anomalous requests to management paths
- Rotate admin credentials and API keys on any appliance that was internet-exposed before patching
CVE-2025-9491 New this week Actively exploitedMicrosoft Windows - .LNK UI-Misrepresentation Remote Code Execution
UI Misrepresentation · Requires user interaction · Public PoC on GitHub
A high-severity flaw in how Windows handles .LNK shortcut files lets remote attackers execute arbitrary code. The bug is a UI misrepresentation: an attacker embeds hazardous content inside a shortcut while the standard Windows interface still renders it as harmless, deceiving the user into launching it. On execution, the attacker's code runs with the same permissions as the user who opened the shortcut, opening the door to data theft, malware installation, full system takeover, and lateral movement. Exploitation requires a victim to open a crafted shortcut or trigger a malicious webpage, but the flaw is already actively exploited with a public proof-of-concept on GitHub and is being leveraged by sophisticated APT groups including APT3, Lazarus Group, and Mustang Panda.
Recommended Actions
- Apply the latest Windows security updates across all endpoints as a priority
- Filter and sandbox inbound .lnk shortcut files at the email and web gateway
- Alert on shortcut files spawning script interpreters (powershell, cmd, wscript, mshta) or unusual child processes
- Reinforce user awareness: shortcuts arriving by email, chat, or download should be treated as executables
CVE-2026-26114 New this weekMicrosoft Office SharePoint - Deserialization Remote Code Execution
Deserialization of Untrusted Data (CWE-502) · Requires authorized user · 10+ IOCs observed
A high-severity flaw in Microsoft Office SharePoint allows an authorized attacker to remotely execute malicious code over the network. It stems from deserialization of untrusted data: when SharePoint processes information sent from the network, it can be tricked into executing harmful instructions embedded in that data rather than treating it as inert content. An attacker who already holds legitimate network access can gain complete control of affected SharePoint servers, enabling data theft, operational disruption, and further malware deployment - a serious risk for the collaboration and document-management workloads organizations run on SharePoint. There is currently no public exploit or named APT activity, and social media mentions are low, but 10 or more Indicators of Compromise suggest researchers are already monitoring for exploitation attempts.
Recommended Actions
- Apply the latest SharePoint Server security updates across all on-prem farms
- Restrict SharePoint access to least privilege - this flaw requires an authorized account to exploit
- Monitor SharePoint worker processes (w3wp.exe) for anomalous child processes and outbound connections
- Ingest the published IOCs into your SIEM/EDR and alert on matches
Active Threats & Campaigns
Threat actor campaigns with available detection rules or indicators of compromise.
WP-SHELLSTORM - WordPress Mass Exploitation Operation
WP-SHELLSTORM is a financially motivated, China-linked webshell access brokerage operation (WABO) running two parallel campaigns from a single, fully exposed operations server. This is a professional cybercrime group: one branch drains CMS platforms at industrial scale, while a second, previously unreported branch quietly breaches enterprise Java infrastructure.
Campaign A weaponizes 27 CVEs across WordPress, Joomla, PrestaShop, Craft CMS, MetInfo, and MaxSite, queuing 1.4M+ domains via FOFA reconnaissance and confirming 5,700+ live webshells, backed by a SNOWLIGHT-stager to VShell C2 delivery chain with kworker-process masquerading. Campaign B, launched a month earlier, is a high-precision breach of enterprise Java infrastructure - Apache Nacos, XXL-Job, and Spring Boot - compromising 11 victims and exfiltrating 613 configurations.
Recommended Actions
- Patch and harden internet-facing CMS installs (WordPress, Joomla, PrestaShop, Craft CMS) and their plugins
- Audit Apache Nacos, XXL-Job, and Spring Boot deployments for exposure, default creds, and unauthorized access
- Hunt for webshells and processes masquerading as kworker; alert on VShell C2 and SNOWLIGHT-stager indicators
- Review exfiltration risk: rotate any credentials and secrets stored in exposed configuration files
Campaign Profile
Operator: China-linked WABO (financial)
Campaign A: 27 CVEs, 1.4M+ domains queued
Confirmed: 5,700+ live webshells
Campaign B: Nacos, XXL-Job, Spring Boot
Toolchain: SNOWLIGHT-stager, VShell C2
Jade Puffer - First Documented AI Agentic Ransomware
The Sysdig Threat Research Team believes it has found the first documented evidence of agentic ransomware, an attack it named "Jade Puffer" in which a large language model orchestrated a complex, targeted intrusion. The LLM swept the compromised server for logins to AI APIs, cloud credentials, cryptocurrency wallets, and database credentials, then generated the ransom note itself - producing a README_RANSOM extortion table containing the demand, a Bitcoin payment address, and a Proton Mail contact.
Jade Puffer did not rely on novel or sophisticated techniques; what makes it notable is how the model organized and executed the attack. It illustrates that the barrier to entry for future ransomware has dropped sharply - campaigns can now be scaled primarily by attacker budget rather than by human capacity to operate them, opening the door to thousands of simultaneous operations run with minimal hands-on effort.
Recommended Actions
- Vault and rotate high-value secrets: AI API keys, cloud credentials, database logins, and wallet keys
- Alert on automated, high-velocity credential discovery and enumeration across servers
- Watch for ransom artifacts such as README_RANSOM files and unexpected extortion notes
- Maintain offline, tested backups and rehearse recovery, since AI lowers the cost of scaling attacks
Vaughn Thomas
Compliance Engineer
SOClogix Cyber Group
200+
Threat groups tracked
50+
Intel feeds monitored
52×
Reports per year
Get Weekly Briefings Free
This Week at a Glance
Get Vaughn's Briefing Every Week
Free weekly threat awareness reports delivered to your inbox. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.
Prefer a conversation? Talk to our team about managed security monitoring.