// #active-exploitation
4 articles
Oracle WebLogic CVE-2024-21182 Added to CISA KEV — Federal Deadline June 4 as Ransomware Payloads Observed
CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.
Windows Netlogon CVE-2026-41089 (CVSS 9.8): Unauthenticated Domain Controller RCE Now Actively Exploited
Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation of CVE-2026-41089 on 29 May — a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows unauthenticated remote code execution on domain controllers. CVSS 9.8. A public PoC is available. Patch domain controllers as an emergency priority.
Citrix NetScaler CVE-2026-3055 Exploitation Escalates — Fortinet Confirms Large-Scale Attacks on Internet-Facing ADC
Fortinet's threat intelligence team has confirmed large-scale active exploitation of CVE-2026-3055, the Citrix NetScaler SAML IDP memory overread vulnerability (CVSSv4 9.3) patched in March. More than 65 days after the patch was available, thousands of internet-facing NetScaler ADC appliances remain unpatched and are being targeted by automated exploitation frameworks.
Marimo AI Notebook RCE CVE-2026-39987 Exploited at Scale — 662 Events in Three Days, NKAbuse Malware Deployed
CVE-2026-39987 (CVSS 9.3) in the Marimo Python notebook has been weaponised at scale, with Sysdig recording 662 exploitation events over three days and attackers completing credential theft within minutes of gaining access. The unauthenticated WebSocket RCE is being used to deploy NKAbuse, a multi-platform malware using the NKN peer-to-peer network for command and control. Upgrade to Marimo 0.23.0 immediately.