All posts by Rapid7

Chrysalis, Notepad++, and Supply Chain Risk: What it Means, and What to Do Next

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/tr-chrysalis-notepad-supply-chain-risk-next-steps

When Rapid7 published its analysis of the Chrysalis backdoor linked to a compromise of Notepad++ update infrastructure, it raised understandable questions from customers and security teams. The investigation showed that attackers did not exploit a flaw in the application itself. Instead, they compromised the hosting infrastructure used to deliver updates, allowing a highly targeted group to selectively distribute a previously undocumented backdoor associated with the Lotus Blossom APT.

Subsequent reporting from outlets including BleepingComputer, The Register, SecurityWeek, and The Hacker News has helped clarify the scope of the incident. What’s clear is that this was a supply chain attack against distribution infrastructure, not source code. The attackers maintained access for months, redirected update traffic selectively, and limited delivery of the Chrysalis payload to specific targets, helping them stay hidden and focused on espionage rather than mass compromise.

What does the Notepad++ incident mean?

This incident highlights how modern supply chain attacks have evolved. Rather than targeting application code, attackers abused shared hosting infrastructure and weaknesses in update verification to quietly deliver malware. The broader takeaway is that supply chain risk now extends well beyond build systems and repositories. Update mechanisms, hosting providers, and distribution paths have become attractive targets, especially when they sit outside an organization’s direct control.

Was Notepad++ itself compromised?

Based on public statements from the Notepad++ maintainer and independent reporting, there is no evidence that the application’s source code or core development process was compromised. The risk stemmed from the update delivery infrastructure, reinforcing that even trusted software can become a delivery mechanism when upstream systems are abused.

Who was behind the Chrysalis backdoor & Notepad++ attack?

Rapid7 was the first to publish attribution linking this activity to Lotus Blossom, a Chinese state-aligned advanced persistent threat (APT) group. Based on our analysis, we assess with moderate confidence that this group is responsible for the Notepad++ infrastructure compromise and the deployment of the Chrysalis backdoor.

Lotus Blossom has been active since at least 2009 and is known for long-running espionage campaigns targeting government, telecommunications, aviation, critical infrastructure, and media organiations, primarily across Southeast Asia, and more recently, Latin America.

The tactics, tooling, and infrastructure used in this campaign – including the abuse of update infrastructure, the use of selective targeting, and the deployment of custom malware, are consistent with the group’s historical tradecraft. As with any attribution, this conclusion is based on observed behaviors and intelligence correlations, not a single, definitive indicator.

What should organizations do right now?

Based on what we know today, there are several immediate actions organizations should take:

  • Check and update Notepad++ installations. Ensure any instances are running the latest version, which includes improved certificate and signature verification.

  • Review historical telemetry. Even though attacker infrastructure has been taken down, organizations should scan logs and environments going back to October 2025 for indicators of compromise associated with this campaign.

  • Hunt, don’t just scan. This activity was selective and low‑volume. Absence of alerts does not guarantee absence of compromise.

  • Use available intelligence. Rapid7 Intelligence Hub customers have access to the Chrysalis campaign intelligence, along with follow‑up indicators provided by partners such as Kaspersky, to support targeted hunting across endpoints and network telemetry.

Why does this matter beyond Notepad++?

This incident is a case study in how trust is exploited in modern environments. The attackers didn’t rely on zero days or noisy malware. They abused update workflows, hosting relationships, and assumptions about trusted software. That same approach applies across countless tools and platforms used daily inside enterprise environments.

It also reinforces a broader trend we’ve seen over the last year: attackers are patient, selective, and focused on long‑term access rather than immediate impact. That has implications for detection strategies, incident response planning, and supply chain risk management.

What does this mean for software supply chain security?

For defenders, this incident reinforces several lessons:

  • Supply chain security must include distribution and hosting infrastructure, not just source code.

  • Update mechanisms should enforce strong signature and metadata validation by default.

  • Shared hosting environments represent an often overlooked risk, especially for widely deployed tools.

  • Trust in software must be continuously validated, not assumed.

The Chrysalis incident is not just about a single tool or a single campaign. It reflects a broader shift in how advanced threat actors think about access, persistence, and trust. Software supply chains are no longer just a development concern. They are an operational and security concern that extends into hosting providers, update mechanisms, and the assumptions organizations make about what is “safe.”

As attackers continue to favor selective targeting and long‑term access over noisy, large‑scale compromise, defenders need to adapt accordingly. That means moving beyond basic scanning, validating trust continuously, and treating update and distribution infrastructure as part of the attack surface.

Learn more: Watch the full Chrysalis debrief webinar

If you’d like to hear directly from the researchers behind this discovery, watch the full Chrysalis: Inside the Supply Chain Compromise of Notepad++ webinar, now available on BrightTALK. In this detailed session, Christian Beek (Senior Director, Threat Analytics) and Steve Edwards (Director, Threat Intel & Detection Engineering) walk through the full attack chain, from initial compromise to malware behavior, attribution to Lotus Blossom, and what organizations can do right now to assess exposure and strengthen supply chain security. [Watch Now]

Kelly Hiscoe Recognized Among CRN 2026 Channel Chiefs for Innovation and Impact

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/c-kelly-hiscoe-recognized-crn-2026-channel-chiefs-innovation-impact

In 2026, security teams are still grappling with the challenges posed by expanding attack surfaces and persistent resource constraints. Together with the rapid onset of AI-driven threats, security leaders are weathering this ‘perfect storm’ by seeking consolidation of their technology stacks – favoring trusted partnerships that truly understand their unique ecosystems.

To elevate security partners from mere service providers to essential, trusted security advisors, it is vital to help customers achieve a comprehensive view of their IT environments. This includes a clear understanding of their risk profiles and a cohesive approach to continuous detection, response, and compliance, says Kelly Hiscoe, Sr. Director, Global Partner Programs & Experience.

Kelly brings to Rapid7 more than 17 years of experience in cybersecurity channel ecosystems. And after being named to CRN’s Women of the Channel list in 2020, 2024, and 2025, CRN has honored her as a Channel Chief for 2026.

She has consistently led her teams to design competitive programs, drive operational excellence, and enhance the partner experience from the ground-up. Here’s what makes her tick, and how Kelly (and Rapid7) are thinking about the channel in 2026 and beyond.

A channel philosophy rooted in shared responsibility

Kelly’s approach to the channel is grounded in the simple belief that true success is built through shared ownership. Rather than being confined to a single team, channel success must be woven into a company’s DNA: reflected in its processes, tools, and most importantly, how sales teams consistently engage with partners.

For Kelly, this means a company-wide commitment to engaging and collaborating with partners, in a way that, at its heart, exists to help customers achieve their goals. That’s what “Channel-first” means, and what Rapid7 aims to reflect.

Refreshing Rapid7’s partner ecosystem

In February 2025, Rapid7 launched its reimagined PACT Partner Program, and Kelly led the global team responsible for that launch. The revamped program was designed to equip partners with the tools, training, and resources needed to address evolving global security challenges together. 

Key enhancements included a modernized Partner Portal that enables real-time collaboration and automation, as well as tailored engagement programs and specializations, plus the launch of the Rapid7 Partner Academy. Since its debut, the Academy has seen more than 2,000 partner learners earn over 3,700 certifications. Rapid7’s partners consistently highlight its clarity, relevance, and impact in deepening cybersecurity expertise.

Looking ahead: Helping partners navigate 2026

As consolidation continues and competition in the market grows, partners are facing more challenges than ever in navigating that complexity and standing out amid the noise. Kelly remains focused on helping partners align with vendors that deliver clear, customer-centric value, comprehensive coverage across the expanding attack surface, and predictable engagement models. You can read Kelly’s full CRN Channel Chief details here.

Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild (CVE-2026-1281 & CVE-2026-1340)

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-critical-ivanti-endpoint-manager-mobile-epmm-zero-day-exploited-in-the-wild-eitw-cve-2026-1281-1340

Overview

On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild has already occurred prior to disclosure. This has been echoed by CISA who added CVE-2026-1281 to their Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (Due Feb 1, 2026) for organizations, such as federal agencies, to remediate the vulnerabilities before the affected devices must be removed from a network.

While CVE-2026-1281 has been confirmed as exploited in the wild as a zero day, it is unclear if CVE-2026-1340 has also, or if this vulnerability was found separately to CVE-2026-1281. The two critical vulnerabilities are summarized below.

CVE

CVSSv3

CWE

CVE-2026-1281

9.8 (Critical)

Improper Control of Generation of Code (CWE-94)

CVE-2026-1340

9.8 (Critical)

Improper Control of Generation of Code (CWE-94)

Both CVE-2026-1281 and CVE-2026-1340 are described identically by the vendor; they are code injection issues, allowing a remote unauthenticated attacker to execute arbitrary code on an affected device. Based on the vendor’s guidance, the attackers can provide Bash commands as part of a malicious HTTP GET request to the endpoints that service either the “In-House Application Distribution” feature (i.e. /mifs/c/appstore/fob/) or the “Android File Transfer Configuration” feature (i.e. /mifs/c/aftstore/fob/), resulting in arbitrary OS command execution on the target. 

As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant. An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information. This is in addition to the privileged position an attacker will have on the EPMM device itself, which may allow for lateral movement within the compromised network.
Given the nature of the product, EPMM is a high-profile target. It has been repeatedly targeted by zero-day vulnerabilities in the past. In 2023 the product was exploited in the wild via CVE-2023-35078, and again in 2025 via an exploit chain of CVE-2025-4427 and CVE-2025-4428. As of January 30, 2026, a public working proof-of-concept exploit for remote code execution is available. Organizations running EPMM are urged to act quickly and follow the vendor guidance to remediate these issues.

Threat hunting 

The following vendor supplied regular expression can be used to search the HTTP daemon’s log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

Mitigation guidance

A vendor supplied update is available to remediate both vulnerabilities.

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.0.x patch:

  • Versions 12.7.0.0 and below

  • Versions 12.6.0.0 and below

  • Versions 12.5.0.0 and below

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.1.x patch:

  • Versions 12.6.1.0 and below

  • Versions 12.5.1.0 and below

Customers are advised to update to the latest remediated version of EPMM, on an emergency basis outside of normal patching cycles, as exploitation in-the-wild is already occurring.

For the latest mitigation guidance for Ivanti EPMM, please refer to the vendor’s security advisory. In addition to remediation, the vendor has provided additional threat hunting guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-1281 and CVE-2026-1340 with authenticated vulnerability checks expected to be available in today’s (Jan 30) content release. Note that the “Potential” category must be enabled in the scan template to run the checks.

Updates

  • January 30, 2026: Added reference to the watchTowr technical analysis and proof-of-concept exploit.

Multiple Critical SolarWinds Web Help Desk Vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554

Overview

On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication. 

As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers.

The six vulnerabilities are summarized below.

CVE

CVSSv3

CWE

CVE-2025-40551

9.8 (Critical)

Deserialization of Untrusted Data (CWE-502)

CVE-2025-40552

9.8 (Critical)

Weak Authentication (CWE-1390)

CVE-2025-40553

9.8 (Critical)

Deserialization of Untrusted Data (CWE-502)

CVE-2025-40554

9.8 (Critical)

Weak Authentication (CWE-1390)

CVE-2025-40536

8.1 (High)

Protection Mechanism Failure (CWE-693)

CVE-2025-40537

7.5 (High)

Use of Hard-coded Credentials (CWE-798)

Technical overview

Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution. RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.

The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses that allow a remote unauthenticated attacker to execute actions or methods on a target system which are intended to be gated by authentication. Based upon the vendor supplied CVSS scores for these two authentication bypass vulnerabilities, the impact is equivalent to the two RCE deserialization vulnerabilities, likely meaning they can also be leveraged for RCE.

In addition to the four critical vulnerabilities, two high severity vulnerabilities were also disclosed. CVE-2025-40536 is an access control bypass vulnerability, allowing an attacker to access functionality on the target system that is intended to be restricted to authenticated users. Separately, CVE-2025-40537 may, under certain conditions, allow access to some administrative functionality on the target system due to the existence of hardcoded credentials. 

Mitigation guidance

A vendor supplied update is available to remediate all six vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554, CVE-2025-40536, and CVE-2025-40537. The following product versions are affected:

  • SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below.

Customers are advised to update to the latest Web Help Desk version, 2026.1, on an urgent basis outside of normal patching cycles.

For the latest mitigation guidance for SolarWinds Web Help Desk, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 and CVE-2025-40554 with remote vulnerability checks expected to be available in today’s (28 Jan) content release.

From Signals to Strategy: What Security Teams Must Prepare for in 2026

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/it-signals-into-strategy-security-teams-must-prepare-in-2026

The 2026 Security Predictions webinar reinforced a simple but uncomfortable truth. The forces shaping cyber risk are not new, but they are converging faster and with greater impact than many organizations are ready for. Geopolitics, insider risk, and threat intelligence have long influenced cyber operations. What has changed is the extent to which they directly affect everyday security decisions.

Geopolitical risk is now an operational concern

Cyber operations have always reflected geopolitical realities. Nation-states have used cyber capabilities for espionage, surveillance, and disruption for decades. Historically, these activities focused on governments, critical infrastructure, or defense sectors.

That line has faded.

Today, private organizations are increasingly targeted as proxies. Supply chains, cloud providers, and SaaS platforms offer scale, access, and plausible deniability for state-aligned groups. Many of these campaigns are not designed for immediate disruption. Instead, they focus on intelligence gathering, long-term access, or positioning that can be activated later.

For security teams, this shift creates a new challenge. Geopolitical motivation does not follow traditional cybercrime logic. Organizations that do not consider themselves high risk can still become collateral targets because of who they work with, where they operate, or what services they provide.

Geopolitical awareness can no longer sit outside the SOC. It must influence monitoring priorities, threat modeling, and response readiness.

Looking ahead: Action plan for 2026

Security teams should track geopolitical developments and understand how global events influence attacker behavior. Curated threat intelligence helps translate abstract risk into concrete tools, infrastructure, and techniques that defenders can monitor.

Incident response playbooks should also account for politically motivated attacks. These scenarios benefit from executive pre-approval, allowing teams to respond decisively when intent is unclear but potential impact is high.

Finally, organizations should map exposure across suppliers, technology partners, and infrastructure dependencies. Understanding where geopolitical risk intersects with your environment is now essential for resilience.

Insider threats are becoming a primary breach driver

Insider threats are not a new problem, but their role in breaches continues to grow. Within the 2026 Security Predictions webinar, the panel emphasized that insider risk now spans a wide spectrum. At one end is simple negligence, including phishing mistakes, misconfigurations, and poor access hygiene. At the other is deliberate access monetization, where credentials or privileged access are sold or misused.

Several factors are accelerating this trend. Workforce stress, economic pressure, role churn, and identity sprawl all increase the likelihood that access will be abused or misused. In many cases, breaches now begin with valid credentials, making traditional perimeter defenses less effective.

This reality forces a shift in how security teams think about trust and access. Valid access no longer means safe access.

Looking ahead: Action plan for 2026

Security teams should establish behavior baselines across users and roles to identify anomalous activity early. Unexpected access patterns, unusual downloads, or irregular logins often provide the first signal that something is wrong.

Just as important is fostering a speak-up culture. Employees should be encouraged to report phishing attempts, mistakes, or suspicious behavior without fear. Early reporting often determines whether an incident is contained quickly or escalates.

Privilege models also require regular review. Least privilege must be continuous, not static. As roles evolve and environments change, access should be reassessed to reduce blast radius when incidents occur.

Context is becoming the decisive advantage

Threat intelligence and detection capabilities have advanced rapidly, but volume alone does not improve outcomes. Security teams now face more alerts, more telemetry, and more data than ever before. The challenge is deciding what matters.

The panel highlighted that speed without context creates noise, not security. As exploitation windows shrink and attacks scale, teams that lack context struggle to prioritize, investigate, and respond effectively.

Context brings together asset criticality, exposure, threat intelligence, and business impact. Teams that operate with this understanding move faster because they know where to focus and why.

This shift also changes how security leaders communicate value. Metrics tied to readiness, risk reduction, and response effectiveness resonate far more than raw alert counts.

Looking ahead: Action plan for 2026

Security leaders should align SecOps and executive stakeholders around shared dashboards and context-rich briefings. These views should emphasize readiness gaps, exposure trends, and investment value, rather than activity volume.

Organizations should also rationalize security tooling around outcomes. High-impact tools that improve time to detect, time to respond, and analyst efficiency matter more than broad coverage alone.

Finally, teams should reinvest saved time and budget into areas that compound over time. Automation, threat intelligence, and staff development all strengthen resilience when supported consistently.

Preparing for what comes next

The webinar made it clear that success in 2026 will depend on integration, awareness, and context. Geopolitical risk, insider threats, and intelligence-driven defense are no longer separate concerns. They intersect daily inside modern security operations.

Teams that acknowledge this reality and act early will be better positioned to respond with confidence, adapt to change, and stay ahead of increasingly sophisticated attackers.

Missed the live session? Watch the 2026 Security Predictions webinar to understand the forces shaping cyber risk and what to prioritize next.

Rapid7 MDR Integrates Microsoft Defender Signals to Create Tangible Security Outcomes

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/dr-microsoft-defender-to-tangible-security-outcomes-with-rapid7-mdr

Organizations increasingly rely on Microsoft as their foundational productivity and security technology provider. As these environments grow in scale and complexity, security leaders are responsible for operationalizing the vast signals traversing their Microsoft stack in order to anticipate and preempt threats. At the same time, those efforts must deliver measurable security outcomes and clear return on investment.

If you’re reading this, you already know what’s at stake. But I’ll say it louder for the folks in the back: As more of your environment consolidates onto Microsoft, the attack surface evolves – and without fully operationalizing that ecosystem, risk grows alongside it.
We are excited to announce the availability of Rapid7 MDR for Microsoft – a preemptive threat detection, investigation, and response service that brings together Rapid7’s global SOC, our market-leading SIEM technology, and deeper bi-directional Microsoft Defender integrations. The service helps security and IT teams maximize their investments, reduce cost and complexity, respond decisively to threats, and improve their security posture and resilience.

Extend the power of your stack

Microsoft Defender provides broad visibility across modern environments – from endpoint and identity to cloud and email. That visibility leads many organizations to a fine line, where it can either mean rich, actionable insight for some security teams, and overwhelming signal volume and missed alerts for others. Rapid7 helps organizations build a clear picture from the rich telemetry by bringing these Microsoft signals together with our native telemetry. And by incorporating exposure and asset risk directly into investigations, our SOC is empowered to anticipate likely breach paths and intervene earlier in the attack lifecycle. Combining your Microsoft security stack with our preemptive MDR ultimately helps you:

  • Maximize the return on your existing Microsoft investments

  • Reduce the cost and operational burden associated with managing a SIEM

  • Gain the confidence that threats will be contained and neutralized

  • Improve the long-term posture and resilience of your security program

Capabilities that drive real-world outcomes

Leaning into Rapid7’s proven record as a leader in managed detection and response, MDR for Microsoft combines powerful AI-SOC technology with expert human service delivery to help Microsoft-centric organizations achieve measurable security outcomes. In IDC’s recent Business Value of Rapid7 MDR study, customers achieved a 422% three-year ROI, identified threats 87% faster, and reduced the likelihood of a major security event by 54%. MDR for Microsoft delivers these same results through capabilities designed to operationalize and protect Microsoft environments at scale, including:

  • Risk-aware analysis that stops attacks earlier: By pairing enterprise vulnerability risk management with analysis of live threat activity, the service preemptively identifies the attack paths most likely to be exploited – empowering efficient analyst evaluation with a clear understanding of underlying asset context.

  • Dedicated cybersecurity advisor extends your team: Your advisor leverages their practitioner experience to provide regular threat briefings, environment-hardening advice, program governance, and health checks – helping drive long-term maturity without adding headcount.

  • Decisive response backed by deep forensics and unlimited IR: Remote containment, endpoint forensics powered by our open-source DFIR framework –  Velociraptor – and unlimited incident response ensure threats are stopped quickly, and fully investigated and neutralized before our team rests.

  • Unlimited log ingestion delivers predictable value: Remove SIEM cost constraints and ensure complete visibility so investigations are never limited by data volume or surprise overage fees.

  • Bi-Directional Defender integration that reduces friction: Endpoint alerts and analyst actions stay synchronized between Rapid7 and Microsoft consoles, keeping systems aligned while laying the foundation for broader integrations across additional Microsoft security vectors.

  • Always-on, expert-led SOC coverage: Our 24x7x365 global SOC continuously monitors and investigates activity across Microsoft and non-Microsoft environments, ensuring threats are identified and acted on as soon as they emerge.

  • Full transparency into SOC activity and outcomes: With direct access to the SIEM and investigation workflows, your team can ride sidecar on investigations, run your own queries, upskill internal teams, and clearly see the outcomes being delivered by the Rapid7 SOC over time.

Additional value-drivers included in the service are unlimited SOAR automation, standard 13-month data retention with the ability to extend, proactive threat hunting, and AI-assisted investigation workflows, delivering a comprehensive MDR experience that scales with your environment and outpaces attackers.

Make the most of Microsoft Defender with Rapid7

As Microsoft continues to serve as the backbone of modern environments, the ability to translate security signals into consistent action becomes increasingly critical. MDR for Microsoft is designed to help security leaders move confidently from visibility to outcomes – pairing the strength of Microsoft Defender with Rapid7’s proven expertise, preemptive risk-awareness, and resilience-building capabilities. The result is a security program that not only sees more, but responds faster, operates with greater confidence, and proves its value as environments continue to scale.

If you’d like to see how MDR for Microsoft can help you operationalize your Microsoft security stack, request a demo or reach out to your Rapid7 account team to continue the conversation.

Ni8mare and N8scape flaws among multiple critical vulnerabilities affecting n8n

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-ni8mare-n8scape-flaws-multiple-critical-vulnerabilities-affecting-n8n

Overview

On November 18, 2025, a patched release was published for a critical unauthenticated file read vulnerability in n8n, a popular piece of automation software. The advisory for this vulnerability, CVE-2026-21858, was subsequently published on January 7, 2026; the vulnerability holds a CVSS score of 10.0. If a server has a custom configured web form that implements file uploads with no validation of content type, an attacker can overwrite an internal JSON object to read arbitrary files and, in some cases, establish remote code execution. This vulnerability has been dubbed “Ni8mare” by the finders. 

The finders, Cyera, published a technical blog post about the vulnerability on January 7, 2026, and a separate technical analysis and proof-of-concept (PoC) exploit were published by third-party security researcher Valentin Lobstein the same day. The Cyera writeup demonstrates CVE-2026-21858, while the third-party exploit also leverages CVE-2025-68613, an authenticated expression language injection vulnerability in n8n, for remote code execution. Additional authenticated vulnerabilities, tracked as CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, and CVE-2026-21877 can be chained with the unauthenticated vulnerability CVE-2026-21858 for code execution or arbitrary file write on specific affected versions of n8n.

In total there are five CVEs that n8n users should be aware of:

CVE Number

Published Date

CVSS

Description

Leveraged in PoC?

CVE-2026-21858 (Ni8mare)

01/07/2026

10.0 (NVD score)

Certain form-based workflows are vulnerable to improper file handling that can result in arbitrary file read. When exploited, attackers can establish administrator-level access to n8n.

Yes

CVE-2026-21877

01/07/2026

9.9 (NVD score)

Under certain conditions, authenticated n8n users may be able to cause untrusted code to be executed by the n8n service.

No

CVE-2025-68613

12/19/2025

8.8 (NVD score)

A vulnerability in n8n’s expression evaluation system allows authenticated users to execute arbitrary system commands through crafted expressions in workflow parameters.

Yes

CVE-2025-68668 (N8scape)

12/26/2025

9.9 (NVD score)

A sandbox bypass vulnerability exists in the n8n Python Code node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n in the context of the service user.

No

CVE-2025-68697

12/26/2025

5.4 (NVD score)

In self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This permits reading and writing files on the host.

No

Technical overview

CVE-2026-21858: “Unauthenticated File Access via Improper Webhook Request Handling”

This is the primary access vector for the n8n exploit chain and holds a maximum CVSS score of 10.0. It is a critical unauthenticated file read vulnerability that occurs when custom web forms implement file uploads without validating the content type. By exploiting this flaw, an attacker can overwrite an internal JSON object to read arbitrary files from the server. This capability may be leveraged to forge an administrator session token and exploit subsequent authenticated vulnerabilities for code execution.

CVE-2025-68613: “Remote Code Execution via Expression Injection”

This vulnerability is characterized as an authenticated expression language injection flaw. While it requires an established session to exploit, it can be chained with CVE-2026-21858 to achieve remote code execution. It affects n8n versions starting at 0.211.0 and below 1.20.4. Attackers can leverage this flaw by injecting malicious expression language commands once they have gained a foothold as an administrator.

CVE-2025-68668: “Arbitrary Command Execution in Pyodide based Python Code node”

Affecting n8n versions between 1.0.0 and 2.0.0, this is an authenticated vulnerability used for secondary exploitation. Depending on the specific configuration of the affected version, it allows an attacker to execute arbitrary OS commands. Because it requires authentication, it is used on a case-by-case basis after an initial breach has compromised the management interface.

CVE-2025-68697: “Legacy Code node enables file read/write in self-hosted n8n”

CVE-2025-68697 is an authenticated vulnerability that facilitates arbitrary file read/write in the context of the n8n process when exploited. Per the advisory, systems are vulnerable when the Code node runs in legacy (non-task-runner) JavaScript execution mode. CVE-2025-68697 specifically impacts n8n versions ranging from 1.2.1 up to 2.0.0, though n8n version 1.2.1 and higher automatically prevents read/write access to the `.n8n` directory by default. As a result, exploitation of CVE-2025-68697 is likely to require a more bespoke strategy for each specific target, making it a less likely vulnerability to be exploited as a secondary chained bug with CVE-2026-21858.

CVE-2026-21877: “RCE via Arbitrary File Write”

This vulnerability has a CVSS score of 9.9 and affects both self-hosted and cloud versions of n8n. It allows for remote code execution within n8n versions 0.123.0 through 1.121.3. Although it is an authenticated vulnerability, its high severity stems from its ability to grant an attacker full system control once they have bypassed initial authentication using the CVE-2026-21858 file read flaw.

Mitigation guidance

Organizations running self-hosted instances of n8n should prioritize upgrading to a version at or above 1.121.0 immediately to remediate the unauthenticated initial access vulnerability CVE-2026-21858.

According to the vendor, the following versions are affected:

  • CVE-2026-21858: Versions at or above 1.65.0 and below 1.121.0.

  • CVE-2025-68613: Versions at or above 0.211.0 and below 1.20.4.

  • CVE-2025-68668: Versions at or above 1.0.0 and below 2.0.0.

  • CVE-2025-68697: Versions at or above 1.2.1 and below 2.0.0.

  • CVE-2026-21877: Versions at or above 0.123.0 and below 1.121.3.

For the latest mitigation guidance, please refer to the vendor’s security advisories.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command and InsightVM customers can assess exposure to CVE-2026-21858, CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, and CVE-2026-21877 with vulnerability checks expected to be available in the January 9, 2026 content release.

Updates

  • January 8, 2026: Initial publication.

Key Takeaways and Top Cybersecurity Predictions for 2026

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/it-key-takeaways-top-cybersecurity-predictions-2026

As the threat landscape keeps shifting, security teams are being asked to do more than react. They are expected to look ahead, connect the dots, and make decisions in environments that change faster every year. That challenge was at the heart of Rapid7’s 2026 Security Predictions webinar, where our experts reflected on what the past year revealed about attacker behavior, defender priorities, and the realities of running a modern SOC.

The conversation looked back just long enough to spot the patterns that matter, then turned forward to the forces shaping 2026. Geopolitics, insider risk, and the need for context-driven defense all surfaced repeatedly. The takeaway was simple but important. Attackers are adapting quickly, and security teams need to adapt with the same urgency.

Below are the key takeaways from the discussion, along with the top predictions shaping the year ahead.

Key takeaways from the discussion

The threat landscape is no longer isolated

One of the strongest themes from the webinar was how interconnected today’s risks have become. Cyber activity does not exist in a vacuum. Geopolitical tensions, economic pressure, workforce challenges, and technological acceleration all feed directly into attacker behavior.

Security teams can no longer separate cyber risk from broader business and global risk. Decisions made outside the SOC, from supplier choices to workforce strategy, increasingly influence exposure and attack paths.

Identity and access remain the most reliable attack paths

Despite continued investment in perimeter defenses, attackers are still finding success through compromised credentials, misused access, and human error. The webinar panel reinforced that identity-based compromise remains one of the most consistent and scalable techniques used by threat actors.

This means defenders must treat identity, behavior, and access governance as core detection and response signals, not secondary controls.

Speed without context creates noise, not security

The rise of AI-driven attacks and automation has increased the volume and pace of activity security teams must process. However, the panel stressed that faster alerts alone do not improve outcomes.

Without understanding which assets matter, which exposures are exploitable, and which alerts represent real risk, teams risk moving quickly in the wrong direction. Context is now essential for effective prioritization and response.

The top cybersecurity predictions for 2026

1. Geopolitical fault lines will redraw the cyber battlefield

In 2026, geopolitical tensions will continue to spill into the digital domain, with private organizations increasingly caught in the middle. State-aligned and state-tolerated groups will target critical supply chains, service providers, and global enterprises as proxy targets, blending espionage with economic disruption.

For security teams, this means geopolitical risk must be factored into threat modeling, vendor assessments, and incident response planning. Even organizations far from traditional conflict zones may find themselves impacted by campaigns tied to global tensions.

2. Insider threats will dominate breach root causes

The panel highlighted that many of tomorrow’s breaches will not start with attackers breaking in, but with access already in place. Insider threats, driven by simple negligence, compromised credentials, or monetized access selling, will continue to rise.

Economic stress, workforce changes, and growing access complexity all contribute to this trend. As a result, organizations must focus more on access hygiene, behavior monitoring, and creating environments where employees can report mistakes early without fear.

3. Context will become the new currency of cyber performance

As attacks scale and exploitation windows shrink, the ability to understand what matters most will define successful security operations. The panel emphasized that visibility alone is no longer enough.

Security teams that integrate exposure management, detection, and response will outperform those relying on disconnected tools and alert-heavy workflows. Context-rich defense allows teams to triage faster, investigate smarter, and respond based on real business risk rather than alert volume.

What this means for security teams heading into 2026

The predictions shared during the webinar point to a future where success depends less on adding more tools and more on using intelligence, context, and automation effectively. Security teams that can unify visibility, prioritize risk, and act decisively will be better positioned to keep pace with increasingly adaptive attackers.

The message from the panel was clear. 2026 will reward teams that focus on understanding their environment, aligning security efforts with real-world risk, and preparing for threats shaped by forces far beyond the SOC.

Watch the 2026 Security Predictions webinar to hear directly from Rapid7’s experts on what’s shaping the threat landscape and how security teams should prepare.

MongoBleed CVE-2025-14847: Critical Memory Leak in MongoDB Allowing Attackers to Extract Sensitive Data

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-mongobleed-cve-2025-1484-critical-memory-leak-in-mongodb-allowing-attackers-to-extract-sensitive-data

Overview

On December 19, 2025, MongoDB Inc. disclosed a critical new vulnerability, CVE-2025-14847, which has since been dubbed MongoBleed. This vulnerability is a high-severity unauthenticated memory leak affecting MongoDB, one of the world’s most popular document-oriented databases. While initially identified as a data exposure flaw, the severity is underscored by the fact that it allows attackers to bypass authentication entirely to extract sensitive information directly from server memory. On December 26, 2025, public proof-of-concept (PoC) exploit code was published and on December 29th, 2025 exploitation in-the-wild has been confirmed.

While CVE-2025-14847 is rated as a high-severity vulnerability, CVSS 8.7, its impact is critical. Successful exploitation allows a remote, unauthenticated attacker to “bleed” uninitialized heap memory from the database server by manipulating Zlib-compressed network packets. This memory often contains high-value secrets such as cleartext credentials, authentication tokens, and sensitive customer data from other concurrent sessions. Because the vulnerability returns “uninitialized heap memory,” an attacker cannot target specific credentials or data records with precision; they must instead rely on repeated exploitation attempts and chance to capture sensitive information.

The vulnerability specifically affects MongoDB servers configured to use the Zlib compression algorithm for network messages, which is a common configuration in many production environments. It affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk.

As of this writing, the public PoC has been successfully verified by Rapid7 Labs. Unlike scenarios where valid exploits are initially scarce, the exploit for MongoBleed is functional and reliable.

Organizations running self-managed MongoDB instances are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles. Given the nature of the leak, simply patching is insufficient; organizations are advised to also rotate all database and application credentials that may have been exposed prior to remediation.

Mitigation guidance

CVE-2025-14847 affects a wide range of versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. Older, End-of-Life (EOL) versions are also believed to be vulnerable but will not receive official patches, leaving users of legacy systems at significant continued risk. Organizations managing their own MongoDB instances should prioritize upgrading to the fixed versions released by the vendor (e.g., 8.0.4, 7.0.16, 6.0.20, etc.) immediately. This is the only complete remediation for the vulnerability. 

If an immediate upgrade is not feasible, or if the organization is running an End-of-Life (EOL) version that will not receive a patch, the risk can be effectively mitigated by disabling the Zlib network compressor in the server configuration. This prevents the specific memory allocation path used by the exploit.

In addition, because CVE-2025-14847 allows for the exfiltration of credentials and session tokens from server memory, patching alone is insufficient to ensure security. Administrators should assume that any secrets residing in the database memory prior to patching may have been compromised; therefore, all database passwords, API keys, and application secrets should be rotated immediately after the vulnerability is remediated. 

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-14847 with a vulnerability check expected to be available in today’s (Dec 29) content release.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-14847, including a Suricata rule. 

Rapid7 observations

Rapid7 Labs has become aware of a new exploitation tool that streamlines the extraction of sensitive data from vulnerable MongoDB instances. This utility introduces a graphical user interface that allows an attacker to either batch-dump 10MB of memory or monitor the extraction process via a live visual feed. Rapid7 Labs has confirmed the tool operates as described, as demonstrated in the video below.

Click to view in new tab

Detection and Hunting

Velociraptor 

Velociraptor published a Linux.Detection.CVE202514847.MongoBleed hunting artifact written by Eric Capuano designed to detect indicators related to CVE-2025-14847 memory leakage activity. This artifact enables defenders to proactively identify suspicious network or process behaviors consistent with mangled Zlib protocol abuse.

Updates

  • December 29, 2025: Initial publication

  • December 29, 2025: “Rapid7 Observations” section added with video

  • December 29, 2025: Added exploitation confirmation

CVE-2025-37164: Critical unauthenticated RCE affecting Hewlett Packard Enterprise OneView

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-cve-2025-37164-critical-unauthenticated-rce-affecting-hewlett-packard-enterprise-oneview

Overview

On December 17, 2025, Hewlett Packard Enterprise (HPE) published an advisory for CVE-2025-37164, a CVSS 10.0 vulnerability in HPE OneView. The vulnerability, which was reported to HPE by security researcher Nguyen Quoc Khanh, facilitates unauthenticated remote code execution (RCE) on versions of HPE OneView before 11.0. Defenders are advised to prioritize upgrading to version 11.0 or applying the emergency hotfixes (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) as soon as possible.

OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just about establishing remote code execution, it’s about gaining centralized control over servers, firmware, and lifecycle management at scale. The real concern here is exposure and trust assumptions. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.

Hotfix analysis

Rapid7 Labs has begun an initial analysis of the vendor-supplied hotfix HPE_OneView_CVE_37164_Z7550-98077.bin. This hotfix applies a new HTTP rule to the appliance’s webserver to block access to a specific REST API endpoint. This endpoint is /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication. Rapid7 Labs assesses with a high degree of confidence that this is the access vector for triggering the vulnerability and achieving remote code execution.

Mitigation guidance

According to HPE, CVE-2025-37164 affects HPE OneView versions below 11.0, version 5.20 through version 10.20, unless a security hotfix (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) has been applied.

For the latest mitigation guidance for HPE OneView, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-37164 with an unauthenticated vulnerability check expected to be available in today’s (December 18) content release.

Updates

  • December 18, 2025: Initial publication.

Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wild

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-critical-vulnerabilities-in-fortinet-cve-2025-59718-cve-2025-59719-exploited-in-the-wild

Overview

A recently disclosed pair of vulnerabilities affecting Fortinet devices—CVE-2025-59718 and CVE-2025-59719—are drawing urgent attention after confirmation of their active exploitation in the wild. The vulnerabilities carry a critical CVSSv3 score and allow an unauthenticated remote attacker to bypass authentication using a crafted SAML message, ultimately gaining administrative access to the device. Current information indicates that the two CVEs have the same root cause and are differentiated by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.

While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it is automatically enabled when a device is registered to FortiCare via the GUI, unless an administrator explicitly opts out. This behavior significantly increases the likelihood of exposure across registered deployments. Arctic Wolf has confirmed active exploitation and CVE-2025-59718 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.

Observed attacks show threat actors authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials. As a result, any organization with indicators of compromise must assume credential exposure and respond accordingly. A vendor patch is available, and organizations can also take immediate defensive action by disabling FortiCloud SSO administrative login while remediation efforts are underway.

Rapid7 observations

As of December 17, 2025, Rapid7 has observed CVE-2025-59718 exploitation attempts being performed against honeypots. Furthermore, a proof-of-concept exploit that resembles the observed honeypot requests has been posted to GitHub. These exploits are in the process of being validated against confirmed vulnerable targets.

Mitigation guidance

On December 9th, 2025, Fortinet published an advisory that outlines remediation steps for CVE-2025-59718 and CVE-2025-59719. According to Fortinet, the following versions are affected, and the fixed versions for each main release branch are also listed.

Fortinet’s advisory states that CVE-2025-59718 affects the following products and versions:

  • FortiOS

    • 7.6 branch: versions 7.6.0 through 7.6.3 are affected, upgrade to 7.6.4 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.8 are affected, upgrade to 7.4.9 or above.

    • 7.2 branch: versions 7.2.0 through 7.2.11 are affected, upgrade to 7.2.12 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.17 are affected, upgrade to 7.0.18 or above.

  • FortiProxy

    • 7.6 branch: versions 7.6.0 through 7.6.3 are affected, upgrade to 7.6.4 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.10 are affected, upgrade to 7.4.11 or above.

    • 7.2 branch: versions 7.2.0 through 7.2.14 are affected, upgrade to 7.2.15 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.21 are affected, upgrade to 7.0.22 or above.

  • FortiSwitchManager

    • 7.2 branch: versions 7.2.0 through 7.2.6 are affected, upgrade to 7.2.7 or above.

    • 7.0 branch: versions 7.0.0 through 7.0.5 are affected, upgrade to 7.0.6 or above.

Fortinet’s advisory states that CVE-2025-59719 affects the following product and versions:

  • FortiWeb

    • 8.0 branch: version 8.0.0 is affected, upgrade to 8.0.1 or above.

    • 7.6 branch: versions 7.6.0 through 7.6.4 are affected, upgrade to 7.6.5 or above.

    • 7.4 branch: versions 7.4.0 through 7.4.9 are affected, upgrade to 7.4.10 or above.

For the latest mitigation guidance, please refer to the Fortinet security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-59718 and CVE-2025-59719 with vulnerability checks expected to be available in the December 17 content release.

Updates

  • December 17, 2025: Initial publication

Test for React2Shell with Application Security using New Functionality

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/pt-react2shell-testing-new-application-security-functionality-appsec-dast

Following disclosure of the React2Shell vulnerability (CVE-2025-55182), a maximum-severity Remote Code Execution (RCE) in React Server Components (RSC) a.k.a. the Flight protocol, security teams are assessing exposure and validating fixes. React and ecosystem vendors have released patches; exploitation in the wild has been reported, so rapid validation matters.

What is React2Shell? 

React2Shell is an unauthenticated RCE flaw caused by insecure Flight payload deserialization in server-side React/RSC implementations (including popular frameworks like Next.js). It carries a CVSS 10.0 rating and affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 as well as Next.js versions 15.0.0-15.1.6 and 16.0.0-16.0.6 prior to recent patches. You can read more about it in this detailed CVE overview blog post.  

In this detailed writeup, we will share how our customers can specifically test for React2Shell with Rapid7’s Application Security solution.

Testing for React2Shell with application security

With our dynamic application security testing (DAST) solution, customers can assess the risk of their applications. Rapid7 allows you to configure various attacks of your applications to identify response behaviors that make your applications more vulnerable to attacks. These attacks are run during scans that you can customize based on your needs. In this case, we’ve extended our RCE attack module to include a check for React2Shell.

What does this mean? Customers can now run an Attack Injection using the RCE, which includes an attack type for React2Shell. Our React2Shell vulnerability detection will simulate an attacker on your website. This is a benign attack which will not execute any code and only shows that RCE is possible. Rapid7 will validate the exploitability of the application and the associated risk. 

How to run a React2Shell attack in the Rapid7 DAST

You can scan for this new RCE attack using either the new Arbitrary Code Execution attack template we have created or by creating your own custom attack template and selecting the RCE module. We have added some steps for you to follow below:

Default attack template option:

Choose the Arbitrary Code Execution attack template in your scan configuration: 

Arbitrary-code-execution-attack-template.png
Default Arbitrary Code Execution attack template with RCE attack module

Custom attack template option:

custom-Attack-Template-RCE-module.png
Custom Attack Template with RCE module

Run a scan

Choosing the scan configuration you made earlier, scan against your selected app(s).

Scan results – React2Shell RCE finding

Now that you have run your scan, you can review the results to see if your app(s) have any findings. These will include remediation advice that you can follow.

3-Scan-results-React2Shell-RCE-finding.png

Manage attack templates

You can now manage your attack templates by navigating to the appropriate section and selecting the Arbitrary Code Execution attack template as below. 

manage-attack-templates-rapid7.png
Manage attack templates

What’s next?

Patch immediately, upgrade React to 19.0.1, 19.1.2, or 19.2.1 (or newer). For Next.js, the recommended action is to update to the following respective patched versions: 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, or later*. You should seek to remediate this vulnerability on an urgent basis, outside of normal patch cycles and consider temporary web application firewall (WAF) rules for Flight endpoints while patching. If you’re looking to validate any fixes you have implemented, feel free to run a validation scan with our application security tool to verify the fixes are correct.

* For Next.js, the recommendation from Nextjs is to update to the following respective patched versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, or later. However, we have identified that versions 15.0.5 and 15.1.9 have a different critical vulnerability and would recommend against using them.

Voices of the Experts: What to Expect from Our Predictions Webinar

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/it-experts-voices-2026-predictions-webinar-teaser

Every year, Rapid7 brings together some of the most experienced minds in cybersecurity to pause, zoom out, and take stock of where the threat landscape is heading. Last year’s predictions webinar sparked lively debate among practitioners, leaders, and researchers alike, and many of those early warnings were proven accurate.

We talked about expanding attack surfaces, the acceleration of zero-day exploitation, and the shifting role of SecOps teams navigating unpredictable regulatory and operational pressure. We explored how AI was beginning to shape attacker behavior and how defenders could prepare for a world where speed and context matter more than ever. Looking back, the real takeaway was not just the predictions themselves. It was how quickly the landscape shifted around them.

This year’s predictions webinar builds on that momentum. The conversation feels different now. Threat actors have adapted. Business environments have tightened. Defenders are operating with more constraints and higher expectations than at any point in recent memory. That is exactly why our experts are once again stepping up to share what they are seeing, what is keeping them curious, and what they believe security teams should be paying closer attention to as we head into 2026.

A panel shaped by diverse vantage points

One of the strengths of this session is the range of perspectives represented on the panel.

Philip Ingram, Former Senior Military Intelligence Officer at Grey Hare Media, brings a global geopolitical lens that connects cyber activity with real-world tensions and state-aligned movements. His vantage point helps translate complex geopolitical signals into practical considerations for security teams.

Raj Samani, SVP and Chief Scientist at Rapid7, offers deep insight into attacker behavior, AI-driven disruption, and the evolving threat landscape. His work tracking threat actor tradecraft and the mechanics of cybercrime economies gives him a unique perspective on how attacks scale and shift over time.

Sabeen Malik, VP of Global Government Affairs and Public Policy at Rapid7, brings a policy and regulatory perspective that is essential for understanding how global mandates and governance trends influence security operations. Her insights shed light on the intersection of cyber risk, legislative pressure, and organizational responsibility.

Together, they create a multi-dimensional picture of what is coming next. Not hype. Not speculation. Instead, grounded observations from experts who see attacker behavior unfold from very different angles.

What we learned from last year 

Last year’s session made one thing clear: the forces shaping cyber risk are not isolated. They are interconnected, and they are accelerating.

We saw that:

  • Attackers were closing the gap between vulnerability disclosure and exploitation.

  • Identity-based compromise continued to outpace traditional malware.

  • Economic and operational pressures made it harder for security teams to keep up.

  • Global events had tangible ripple effects on what attackers chose to target next.

Those insights helped set a realistic direction for 2025. Only twelve months later, the ground has shifted again. AI-assisted exploitation, insider-driven breaches, geopolitical instability, and expanding exposure surfaces are changing both attacker priorities and defender responsibilities.

This webinar is not a rehash. It is a recalibration, grounded in what is actually happening across the threat landscape right now.

Themes our experts will explore

While the predictions themselves will be revealed live during the session, we can share a few of the themes shaping this year’s discussion.

  • How global tensions are redefining cyber risk for private organizations, even those far from the front lines

  • Why identity, behavior, and access are becoming the most reliable early indicators of compromise

  • Where AI is helping and hurting defenders, and how attackers are using automation and tooling to accelerate the earliest stages of intrusion

  • Why context and prioritization are becoming essential as vulnerability volumes and exploitation speeds continue to rise

  • How security teams can get ahead of exposure, not just react to it, through more integrated and risk-aware workflows

These are not abstract conversations. They reflect the real operational and strategic challenges security teams face every day.

Why you will not want to miss it

Whether you are leading a security program or defending in the trenches, this session will help you:

  • Understand the forces shaping attacker strategy
    Identify the signals that matter most for early detection

  • Anticipate the operational pressures teams will face in 2026

  • Prioritize investments, workflows, and practices that support resilience

You will walk away with a clearer sense of where to focus, what to watch for, and how to prepare your team for what comes next, without getting lost in noise or speculation.

Join the conversation

This webinar is one of our most anticipated sessions of the year. If you have not registered yet, now is the perfect time to save your spot and hear directly from the experts shaping the conversation around what 2026 will look like for security teams everywhere.

Register here

React2Shell (CVE-2025-55182) – Critical unauthenticated RCE affecting React Server Components

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-react2shell-cve-2025-55182-critical-unauthenticated-rce-affecting-react-server-components

Overview

On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However this second CVE has since been rejected as a duplicate of CVE-2025-55182, as the root cause in all cases is the same and should be referred to with a single common CVE identifier.

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React, a very popular library for building modern web applications. This new vulnerability has a CVSS rating of 10.0, which is the maximum rating possible and indicates the highly critical nature of the issue. Successful exploitation of CVE-2025-55182 allows a remote unauthenticated attacker to execute arbitrary code on an affected server via malicious HTTP requests.

The vulnerability affects React applications that support React Server Components. While the vulnerability affects the React Server Components feature, server applications may still be vulnerable even if the application does not explicitly implement any React Server Function endpoints but does support React Server Components. Additionally many popular frameworks based on React, such as Next.js, are also affected by this vulnerability.

A separate advisory was published by Vercel, the vendor for Next.js. This advisory tracks the impact of CVE-2025-55182 as it applies to the Next.js framework, and provides information for Next.js users to remediate the issue. 

As of December 4, 2025, there is no known public exploit code available at this time. Several exploits have been published claiming to exploit CVE-2025-55182, however they have not been successfully verified as actually exploiting this vulnerability. This has been noted in the original finders website, react2shell.com. Therefore, broad exploitation has not yet begun, however once a viable public exploit becomes available we expect this to change.

Organizations who use React, or the affected downstream frameworks, are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles and before broad exploitation begins.

Mitigation guidance

CVE-2025-55182 affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React packages:

A vendor supplied update for the above packages is available in versions 19.0.1, 19.1.2, and 19.2.1. Users of affected React packages are advised to update the latest remediated version on an urgent basis.

Downstream frameworks that depend on React are also affected, this includes (but is not limited to):

For the latest mitigation guidance for React, please refer to the React security advisory. For the latest mitigation guidance specific to Next.js, please refer to the Vercel security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2025-55812 with an unauthenticated check expected to be available in today’s (December 4) content release. Note that the “Potential” check type must be enabled before running the scan to successfully assess for the vulnerability.

From Policy to Practice: Why Cyber Resilience Needs a Reboot

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/it-policy-to-practice-cyber-resilience-needs-reboot-experts

In cybersecurity today, regulation is everywhere, but resilience isn’t keeping pace.

In this episode of Experts on Experts: Commanding Perspectives, Craig Adams chats with Sabeen Malik, VP of Public Policy & Government Affairs at Rapid7, about what’s broken (and what’s promising) in today’s regulatory landscape.

Sabeen pulls from her experience across diplomacy, operations, and government relations to highlight where policy too often fails to account for how risk actually works. From insider threats to government shutdowns, it’s a sharp, timely look at how security leaders should approach strategy, structure, and compliance going into 2026.

Key themes:

  • The growing trust gap between public, private, and institutional actors

  • Why insider threats are a cultural problem, not just a controls one

  • Where UK and US guidance is falling short on resilience

  • What small and midsized businesses are still missing

  • Why AI, exposure, and threat governance need to be connected

Whether you’re thinking about AI use cases or modern regulation fatigue, this episode offers a much-needed reset.

Watch the full video.

Onboard at Cloud Speed with Rapid7 and AWS IAM Delegation

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/cds-onboard-at-cloud-speed-with-rapid7-aws-iam-delegation

Every great product experience starts with a smooth beginning. But in the world of cloud security, onboarding can sometimes feel like an obstacle course. Detailed fine-grained Identity and Access Management (IAM) configurations, lengthy deployment steps, and manual permission setups can turn what should be an exciting first impression into a tedious chore.

That’s changing. Rapid7 has enhanced the onboarding experience for Exposure Command and InsightCloudSec by integrating with AWS IAM temporary delegation – a new AWS capability that lets customers approve deployment access directly in the AWS console. The result? A faster, simpler, and more secure path to getting up and running in the cloud.

Why onboarding matters – and why it often fails  

The first minutes with a new platform matter. It’s the difference between “this is amazing” and “I’ll come back to it later.”

In cloud environments, setup usually involves multiple AWS services – compute, storage, networking, access management – all of which must be configured precisely to maintain security. Traditionally, customers have had to manually create IAM roles, adjust trust relationships, and fine-tune permissions just to let a partner solution like Rapid7 deploy resources.

It’s not just time-consuming; it’s error-prone. Misconfigured roles can cause deployment failures or unnecessary security risk. Support teams spend hours walking customers through the process, and the friction delays time-to-value. When scaling across dozens or hundreds of AWS accounts, those delays multiply fast.

Meet AWS IAM temporary delegation: What it is and why it matters

AWS IAM temporary delegation simplifies the entire setup journey. It allows trusted partners like Rapid7 to automate deployment securely – but only after the customer grants explicit, time-bound approval.

Here’s how it works: When you initiate onboarding from within Rapid7’s interface, you’re redirected to the AWS console. There, you can review the exact permissions Rapid7 is requesting and how long access will last. Once approved, AWS provides Rapid7 with temporary credentials to complete the setup. After the time window expires, that access ends automatically.

No long-term IAM keys, no manual role creation, and no guesswork. Customers stay in control, with full visibility and auditability. It’s automation with accountability built in.

How Rapid7 is putting this into action

With the latest release, Rapid7 has integrated this capability directly into Exposure Command and InsightCloudSec, creating a guided onboarding experience that happens almost entirely inside the Rapid7 interface.

Here’s the new flow:

  1. Customers configure deployment options in Rapid7’s InsightCloudSec environment.
  2. A temporary delegation request appears via an AWS console pop-up.
  3. An authorized AWS user reviews and approves the request.
  4. Rapid7 automatically deploys the necessary resources on the customer’s behalf.

This streamlined workflow eliminates dozens of manual steps and reduces onboarding time from hours to minutes. It’s faster, simpler, and still fully aligned with AWS’s strict security model. 

Speed, simplicity, and security

This integration hits the sweet spot between automation and trust:

  • Speed: Customers can start realizing value from Rapid7’s cloud security solutions in minutes instead of days.

  • Simplicity: The UI-driven process means no wrestling with IAM policies or JSON templates.

  • Security: Access is temporary and permission-scoped. Customers retain complete oversight through the AWS console and CloudTrail logs.

For organizations with compliance or security governance requirements, this is the ideal balance: operational efficiency without compromising control.

Beyond onboarding: What this says about Rapid7 and AWS alignment

This update isn’t just about faster onboarding. It’s a glimpse into Rapid7’s broader partnership with AWS. Rapid7 has long been an AWS Advanced Tier Partner, building integrations that help customers manage security across cloud-native environments. From leveraging AWS telemetry in MXDR to integrating with AWS services like CloudTrail and GuardDuty, Rapid7’s platform has been designed to meet customers where they already operate within AWS.

By adopting AWS IAM temporary delegation early, Rapid7 reinforces its commitment to cloud-first innovation and shared responsibility principles. Customers get the assurance that their onboarding, deployment, and operations all align with AWS security best practices. 

What this means for customers

If you’re deploying Rapid7 Exposure Command (Advanced or Ultimate) or InsightCloudSec on AWS, here’s what to expect:

  • A guided onboarding experience that automates AWS resource setup.
  • A faster, less error-prone workflow that still keeps you in control.
  • The ability for authorized users to approve temporary access requests directly in the AWS console.

Before onboarding, make sure someone in your organization has the permissions to approve delegation requests. After deployment, review your CloudTrail logs as part of normal governance;  you’ll see every action logged and time-bounded.

Value from day one

Onboarding shouldn’t be a hurdle. And now with AWS IAM Temporary Delegation and Rapid7’s enhanced experience, it no longer is. Together, AWS and Rapid7 have reimagined what “getting started” looks like in the cloud – faster, more intuitive, and just as secure as you need it to be.

It’s one more way Rapid7 is helping organizations unlock value from day one, while staying aligned with AWS’s best practices for identity, access, and automation.

See how easy secure onboarding can be.Explore Rapid7’s listings for Exposure Command and InsightCloudSec straight from the AWS Marketplace.

Introducing Rapid7 Curated Intelligence Rules for AWS Network Firewall

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/cds-rapid7-curated-intelligence-rules-aws-network-firewall

Outsmart attackers with smarter rules

Managing network security in a dynamic cloud environment is a constant challenge. As traffic volume grows and threat actors evolve their tactics, organizations need protection that can scale effortlessly while delivering robust, intelligent defense. That’s where a service like AWS Network Firewall becomes essential, and we’re excited to partner with AWS to make it even more powerful.

What is AWS Network Firewall?

AWS Network Firewall (AWS NWF) is a managed service that provides essential, auto-scaling network protections for Amazon Virtual Private Clouds (VPCs). While its flexible rules engine offers granular control, defining and maintaining the right rules to defend against evolving threats is a complex and resource-intensive task.

Manually creating and updating rules often leads to coverage gaps and creates significant operational overhead. To simplify this process and empower teams to act with confidence, Rapid7 is proud to announce the availability of Curated Intelligence Rules for AWS Network Firewall. As an AWS partner, we convert our curated intelligence on Indicators of Compromise (IOCs) from into high-quality rule groups, delivering expert-vetted threat intelligence directly within your native AWS experience.

Harnessing industry-leading threat intelligence

In the world of threat intelligence, more isn’t always better. Too many low-fidelity alerts generate noise, distract analysts, and leave teams chasing false positives. At Rapid7, our approach is different. We focus on delivering high-fidelity intelligence, enabling customers to zero in on the threats most relevant to their unique environments. 

Rapid7 Curated Intelligence Rules embody this same approach, and are built on three key principles:


Focus on quality over quantity – Rules emphasize meaningful, low-noise detection directly aligned with current, real-world threats, significantly reducing alert fatigue.

Curated global intelligence – Rule sets are powered by high-quality, region-specific data from unique sources, providing unparalleled visibility and context for actionable detections.

Dynamic and self-cleaning rule sets – Threat intelligence is not static. Using Rapid7’s proprietary , rules are automatically retired when an IOC passes a certain threshold, ensuring the delivered intelligence is always fresh, relevant, and current.

We’re launching with two distinct rule sets, each designed to address today’s most pressing threats:

  • Advanced Persistent Threat (APT) campaigns: Targets the subtle and persistent techniques used by state-sponsored and sophisticated threat actors.

  • Ransomware & cybercrime: Focuses on the tools, infrastructure, and indicators associated with financially motivated attacks.

These rule sets are updated daily to ensure you have the most current protections. Furthermore, our intelligence is dynamic. When an IOC passes a certain threshold in our proprietary Decay Scoring system, we remove it from the rule set. This process guarantees that the intelligence you receive is always current and actionable, significantly reducing alert fatigue.

The operational advantage

These Curated Intelligence Rules deliver immediate and tangible value, allowing your team to:

  • Automate threat protection: Reduce overhead with curated, continuously updated detections delivered natively within AWS Network Firewall.

  • Adopt protections faster: Deploy protections powered by Rapid7 Labs intelligence with just a few clicks in the console.

  • Maintain predictable operations: Rely on AWS-validated updates, clear rule group metadata, and transparent per-GB metering.

Common use cases addressed

Our rule sets provide practical defense against a wide range of attack scenarios. You can:

  • Block command and control (C2) communication from known malware families

  • Detect network reconnaissance activity associated with advanced persistent threats

  • Prevent data exfiltration to malicious domains linked to cybercrime groups

  • Identify and stop the download of malware payloads from compromised websites

  • Alert on traffic to newly registered domains used in malicious activities

Get started with Curated Intelligence Rules for AWS NFW today

Ready to enhance your cloud security with curated, actionable intelligence? Add our rule sets to your and strengthen your organization’s defenses in minutes.
››› Visit the listing in the AWS Marketplace to learn more.

The State of Security Today: Setting the Stage for 2026

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/it-security-today-setting-stage-for-2026-predictions-webinar

As we close out 2025, one thing is clear: the security landscape is evolving faster than most organizations can keep up. From surging ransomware campaigns and AI-enhanced phishing to data extortion, geopolitical fallout, and gaps in cyber readiness, the challenges facing security teams today are as varied as they are relentless. But with complexity comes clarity and insight.

This year’s most significant breaches, breakthroughs, and behavioral shifts provide a critical lens through which we can view what’s next. That’s exactly what we’ll explore in our upcoming Security Predictions for 2026 webinar, where Rapid7’s experts will break down where we are now, what to expect next, and how organizations can proactively adapt.

Before we look ahead, let’s take stock of what defined 2025 and what it tells us about the state of cybersecurity today.

Ransomware: Same playbook, more precision

Ransomware remains one of the most consistent and costly threats facing organisations today, but the approach has shifted. According to Rapid7’s Q3 2025 Threat Landscape Report, data extortion continues to dominate, with groups increasingly focused on exfiltration and disruption rather than encryption alone. Over 80% of ransomware cases handled in Q3 involved data theft, often staged and timed to maximise leverage.

Threat actors like RansomHub, BlackSuit, NoEscape, and Scattered Spider continue to refine their operations. Many campaigns are multi-stage and collaborative, with Initial Access Brokers providing footholds that are later sold to ransomware operators. One common thread is a focus on identity and infrastructure abuse – attackers are compromising vSphere environments, exploiting misconfigurations in third-party platforms, and abusing legitimate remote access tools to move laterally before launching extortion phases.

These incidents increasingly target complex organizations with sprawling digital footprints. The result? Weeks of operational downtime, lost revenue, regulatory scrutiny, and enduring brand damage. In this landscape, ransomware is no longer just a malware problem – it’s a business continuity issue, a supply chain risk, and a board-level concern.

The offense is automated: AI goes to work

This year, we saw AI break through hype and land firmly in attackers’ toolkits. Tools like WormGPT, FraudGPT, and DarkBERT gave cybercriminals an entry point to generate convincing phishing emails, polymorphic malware, and credential-harvesting scripts, all without needing advanced coding skills.

In our AI Offense blog, we detailed how these tools lower the barrier to entry and amplify the volume and sophistication of social engineering campaigns. Pair that with deepfakes, cloned voices, and LLM-powered targeting, and security teams now face threats that are faster, cheaper, and harder to detect than ever before.

The takeaway? AI is not a future threat. It is here. And defenders must embrace its potential just as aggressively as attackers have.

The human factor: Still the weakest link

Despite improved tooling, attacker playbooks still rely heavily on people. Our recent exploration of evolving social engineering trends highlighted the rise of Microsoft Teams-based impersonation, remote access tool abuse such as Quick Assist, and multi-stage credential compromise.

The fallout has been widespread. From attacks on major UK retailers to multiple airline disruptions and critical public sector breaches, social engineering is no longer just email phishing. It is phone calls, voice cloning, fake calendars, and chat-based manipulation.

Training helps. But attackers are innovating faster than awareness campaigns can keep up. Security teams need to simulate these threats internally and invest in visibility across identity platforms, because credentials remain the crown jewels.

From awareness to action: Resilience as a mandate

A growing number of incidents in 2025 underscored the readiness gap in many organizations. Our recent blog on preparedness broke down the UK’s National Cyber Security Centre guidance urging companies to revisit their offline contingency planning, including printed IR protocols and analog communications in case digital systems are taken offline.

This call followed a sharp rise in high-impact events, with over 200 nationally significant cyber incidents recorded in the UK alone this year.

The lesson? Cyber resilience is not a nice to have. It is foundational. Detection, backup, and patching are essential, but so is building response plans that assume failure, simulate outages, and bring the entire business to the table.

Join us: Predicting what’s next in 2026

We’ll explore these trends and where they’re heading in much greater depth in our Security Predictions for 2026 webinar, taking place on December 10.

Rapid7’s experts will unpack:

  • Which attacker tactics are here to stay and which are on the rise

  • Where AI, regulation, and infrastructure gaps are creating new exposures

  • How defenders can better prioritise risk and operate in resource-constrained environments

  • What CISOs, SOC leaders, and engineers need to align on in 2026 to stay ahead

This is our biggest global webinar of the year, and it is designed to help security professionals at every level get proactive and stay ahead of what’s next.

Register now and join thousands of security professionals from around the world as we set the stage for 2026. Because when the threat landscape keeps shifting, your best defense is a head start.

CVE-2025-64446: Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild

Overview

On October 6, 2025, the cyber deception company Defused published a proof-of-concept exploit on social media that was captured by one of their Fortinet FortiWeb Manager honeypots. FortiWeb is a Web Application Firewall (WAF) product that is designed to detect and block malicious traffic to web applications. Exploitation of this new vulnerability, now tracked as CVE-2025-64446, allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface. Rapid7 has tested the latest FortiWeb version 8.0.2 and observed that the existing public proof-of-concept exploit does not work. However, the exploit does work against earlier versions, including version 8.0.1, which was released in August, 2025. 

Based on the information circulated by Defused, this new vulnerability is claimed to have been exploited in the wild in October, 2025. On November 14, 2025, Fortinet PSIRT published CVE-2025-64446 and an official advisory for the critical vulnerability, which holds a CVSS score of 9.1. Organizations running versions of Fortinet FortiWeb that are listed as affected in the advisory are advised to remediate this vulnerability on an emergency basis, given that exploitation has been occurring since October in targeted attacks, and broad exploitation will likely occur in the coming days. A Metasploit module for CVE-2025-64446 is available here, and security firm watchTowr has published a technical analysis. CISA’s KEV catalog has been updated to include CVE-2025-64446.

It’s unclear whether the FortiWeb release cycle intentionally included a silent patch for this vulnerability or merely coincidentally included changes that broke the existing exploit.

On November 18, 2025, Fortinet published a new advisory for CVE-2025-58034. This new vulnerability is an authenticated command injection affecting FortiWeb. Fortinet has indicated CVE-2025-58034 has also been exploited in-the-wild, and CISA’s KEV catalog has been updated to include this new vulnerability. It is not clear at this time if both CVE-2025-64446 and CVE-2025-58034 have been exploited in-the-wild together as an exploit chain.

This blog post will be updated as new developments arise.

Rapid7 observations

On November 6, 2025, Rapid7 Labs observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum. While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental.

CVF1.png

Mitigation guidance

On November 14, 2025, Fortinet published an advisory that outlines remediation steps and workaround mitigations for CVE-2025-64446. According to Fortinet, the following versions are affected, and the fixed versions for each main release branch are also listed:

  • Versions 8.0.0 through 8.0.1 are vulnerable, 8.0.2 and above are fixed.
  • Versions 7.6.0 through 7.6.4 are vulnerable, 7.6.5 and above are fixed.
  • Versions 7.4.0 through 7.4.9 are vulnerable, 7.4.10 and above are fixed.
  • Versions 7.2.0 through 7.2.11 are vulnerable, 7.2.12 and above are fixed.
  • Versions 7.0.0 through 7.0.11 are vulnerable, 7.0.12 and above are fixed.

In cases where immediate upgrades are not possible, the advisory states the following: “Disable HTTP or HTTPS for internet facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced.”

Exploitation behavior

When testing the public exploit against a target FortiWeb device, the target application’s differing responses between versions 8.0.1 and 8.0.2 are included below.

Against version 8.0.1, the application returns the following response for a successful exploitation attempt, in which a new malicious local administrator account “hax0r” was created:

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2025 17:57:28 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1202

{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "hax0r", "access-profile": "prof_admin", "access-profile_val": "1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "domains": "root ", "gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "", "sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val": "0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX", "wildcard": "disable", "wildcard_val": "0", "accprofile-override": "disable", "accprofile-override_val": "0", "fortiai": "disable", "fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763056648, "history-password-pos": 1, "history-password0": "ENC XXXX", "history-password1": "ENC XXXX", "history-password2": "ENC XXXX", "history-password3": "ENC XXXX", "history-password4": "ENC XXXX", "history-password5": "ENC XXXX", "history-password6": "ENC XXXX", "history-password7": "ENC XXXX", "history-password8": "ENC XXXX", "history-password9": "ENC XXXX", "force-password-change": "disable", "force-password-change_val": "0", "feature-info-ver": "" } }

However, against version 8.0.2, the application returns the following “403 Forbidden” response for an unsuccessful exploitation attempt:

HTTP/1.1 403 Forbidden
Date: Thu, 13 Nov 2025 17:28:42 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Content-Length: 199
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Rapid7 customers

Exposure Command, InsightVM and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess their exposure to CVE-2025-64446 with an unauthenticated vulnerability check available in the November 14 content release. Please note that the “SAFE” check mode needs to be disabled while running scans to ensure the check runs successfully.

Customers running FortiWeb release branches 8.0, 7.2, or 7.0 can leverage the existing CVE-2025-64446 check to establish exposure to the medium-severity authenticated vulnerability CVE-2025-58034. Those running FortiWeb release branches 7.6 or 7.4 should manually verify that the 7.6.6 and 7.4.11 patches, respectively, are in place for CVE-2025-58034.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-64446, including a Sigma rule and IOCs of IP addresses attempting to exploit this vulnerability.

Updates

  • November 14, 2025: The blog post has been updated to reflect the newly-published official advisory and CVE identifier, the availability of vulnerability checks and a Metasploit module for customer testing, the CISA KEV addition, and a published technical analysis.

  • November 17, 2025: The Rapid7 customers section has been updated to add Intelligence Hub coverage, and clarify that vulnerability checks were shipped on Nov 14, 2025.

  • November 19, 2025: The Overview section has been updated to reference the newly published vulnerability, CVE-2025-58034. The Rapid7 customers section has been updated to add expected coverage availability for CVE-2025-58034.

  • November 19, 2025: The Rapid7 customers section has been updated with CVE-2025-58034 coverage information for supported FortiWeb release branches.

Rapid7 Named a Leader in the 2025 Gartner Exposure Assessment Platform Magic Quadrant

Post Syndicated from Rapid7 original https://www.rapid7.com/blog/post/em-rapid7-leader-2025-gartner-exposure-assessment-platform-magic-quadrant-mq-eap

We’re proud to share that Rapid7 has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms (EAP). We believe this recognition underscores our commitment to redefining security operations by embedding continuous, business-aligned exposure management into the core of modern defense strategies.

Our approach: Exposure Command at the core

At the root of Rapid7’s leadership is Exposure Command, our unified exposure management solution, underpinned by complete attack surface visibility, threat-informed risk assessment and integrated automated remediation capabilities.

Key capabilities highlighted in the report include:

  • Unified visibility across environments: Broad attack surface visibility with native support across hybrid infrastructure including on-prem, cloud, containers, and IoT/OT, alongside extensive integrations with third-party security and ITOps tools.

  • Threat-validated prioritization: Prioritization enhanced with real-world exploit intelligence, plus continuous red teaming and ad-hoc penetration testing through comprehensive managed services.

  • Comprehensive, AI-driven remediation: Prebuilt workflows and playbooks, intelligent automation, and dynamic persona-centric reporting.

Why exposure assessment matters more than ever

The security landscape has fundamentally changed. Traditional vulnerability management largely centered around point-in-time scans and CVSS scores can no longer keep pace with the dynamic, hybrid environments that define today’s enterprise. Organizations face an ever-expanding attack surface across cloud, on-prem, SaaS, and OT environments while regulations continue to evolve. 

This means a dramatic expansion in the scope of IT and security leaders from tech-centric systems management and patching to a core pillar of the business at large. As a result, exposure management is no longer about finding more; it’s about finding what matters and acting on it decisively. This aligns directly with Gartner’s CTEM model, which calls for a continuous, outcome-focused cycle of scoping, prioritization, validation, and mobilization.

Why CTEM + EAP are the future of risk reduction

CTEM isn’t just a buzzword and a new acronym, it’s the next evolution of proactive security, acknowledging a core truth: no organization can patch everything, nor should they try.

The goal is validated exposure reduction through five stages:

  1. Business-aligned scoping (e.g., revenue-generating services, critical data systems)

  2. Cross-domain discovery (cloud, identity, SaaS, on-prem, OT)

  3. Threat-informed prioritization with real-world intelligence

  4. Validation via attack-path modeling or adversary emulation (e.g., PTaaS, BAS, AEV)

  5. Mobilization through integrated, repeatable remediation workflows

Gartner suggests CTEM is a way to translate technical vulnerabilities into business-relevant risks and mobilize cross-functional teams in response. EAPs, which Gartner defines as platforms that continuously identify and prioritize exposures across all environments with business and threat context, provide the operational foundation for CTEM.

CTEM 5-Step Cycle

Rapid7’s EAP capabilities allow teams to operationalize CTEM by translating technical findings into business-relevant risk and enabling cross-functional response, bridging the gap between posture and business continuity.

Looking ahead

As exposure management evolves from a siloed security function to an operational imperative, Rapid7 will continue to lead with innovation, transparency, and a relentless focus on customer outcomes. We believe our position as a Leader in the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms is not just a recognition of the work we’ve done but a signal to the market of what’s next. Click here to download the full Report.