• Microsoft has published three out-of-band (OOB) updates so far in January 2026. One of these updates was released to address a vulnerability, CVE-2026-21509, affecting Microsoft Office that has been reportedly exploited in the wild. 
• Additional OOB updates have been published to resolve operational issues experienced following installation of the updates released as part of the standard Microsoft Patch Tuesday process.

CVE-2026-21509 was published to address a security feature bypass vulnerability affecting Microsoft Office. This vulnerability was rated as “Important” and received a CVSS 3.1 score of 7.8. This vulnerability is considered “local,” meaning that it must be triggered by an attacker with access to an affected system, or by convincing a victim to open a malicious Office document that triggers the vulnerability. It has also been added to the CISA Known Exploited Vulnerabilities (KEV) list. Microsoft reports that this vulnerability cannot be triggered via the Preview Pane in Microsoft Office. Microsoft has also released mitigation guidance for CVE-2026-21509 as part of this advisory.  

In response to these vulnerability disclosures, Talos is releasing a new SNORT® ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65823-65830.  

The following Snort3 rules are also available: 301384-301387. 

The following ClamAV signature has been released to detect activity associated with this vulnerability: 

• Rtf.Exploit.CVE_2026_21509-10059214-0 

Cisco Talos Blog – ​Read More

• Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services (IIS) servers across Asia with a specific focus on victims in Thailand and Vietnam. 
• Analysis confirms significant operational overlaps between this activity and the WEBJACK campaign. This includes critical indicators of compromise including malware hashes, command and control (C2), and victimology. 
• UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers. 
• New variants of BadIIS now hardcode the target region directly into the malware, offering customized features for each specific variant. These customizations include exclusive file extensions, corresponding dynamic page extensions, directory indexing configurations, and the ability to load HTML templates from local files. 
• A Linux Executable and Linkable Format (ELF) variant of BadIIS was uploaded to VirusTotal on Oct. 1, 2025. The malware includes proxy mode, injector mode, and search engine optimization (SEO) fraud mode, similar to what Talos described in the previous UAT-8099 blog.

---

UAT-8099 new activity 

Cisco Talos observed new activity from UAT-8099 spanning from August 2025 through early 2026. Analysis of Cisco’s file census and DNS traffic indicates that compromised IIS servers are located across India, Pakistan, Thailand, Vietnam, and Japan, with a distinct concentration of attacks in Thailand and Vietnam. Furthermore, this activity significantly overlaps with the WEBJACK campaign; we have identified high-confidence correlations across malware hashes, C2 infrastructure, victimology, and the promoted gambling sites.

While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly. First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence.

Infection chain 

Upon gaining initial access, the threat actor executes standard reconnaissance commands, such as whoami and tasklist, to gather system information. Following this, they deploy VPN tools and establish persistence by creating a hidden user account named “admin$”. UAT-8099 has further expanded their arsenal with the several new tools below: 

• Sharp4RemoveLog: A .NET utility designed to clear all Windows event logs, effectively erasing forensic traces 
• CnCrypt Protect: A Chinese-language file-protection utility. In this intrusion activity, it is abused to hide malicious files and facilitate dynamic-link library (DLL) redirection. This tool has been linked to previous IIS attacks since 2024, including SEO fraud campaigns targeting Vietnam and China, as well as the WEBJACK campaign. 
• OpenArk64: An open source anti-rootkit. The threat actor uses its kernel-level access to terminate security product processes that are otherwise protected from deletion. 
• GotoHTTP: An online remote control tool. The threat actor uses VBscript to deploy this tool and let them remote control the compromised server. Talos provides more detail in the following section.  

Subsequently, the threat actor deploys two archive files containing the latest version of the BadIIS malware. Notably, the file names of these archives are correlated with the specific geographic regions targeted by the BadIIS malware; for example, “VN” denotes Vietnam and “TH” denotes Thailand.

C:/Users/admin$/Desktop/TH.zip 
C:/Users/admin$/Desktop/VN.zip 

 Following the publication of our previous research, Cisco Security products have widely flagged the “admin$” account name. In response, if this name is blocked, the threat actor  creates a new user account named “mysql$” to maintain access and sustain the BadIIS SEO fraud service.

Using the newly created account, the threat actor redeploys the updated BadIIS malware to the compromised machines. Notably, this marks a strategic shift from broad, global targeting to specific regional focus. This is evidencedby the directory naming conventions for the malware and its scripts, which use identifiers such as “VN” for Vietnam and “newth” for Thailand.

C:/Users/mssql$/Desktop/VN/fasthttp.dll  
C:/Users/mssql$/Desktop/VN/cgihttp.dll  
C:/Users/mssql$/Desktop/VN/install.bat  
C:/Users/mssql$/Desktop/VN/uninstall.bat  
C:/Users/mssql$/Desktop/newth/iis32.dll  
C:/Users/mssql$/Desktop/newth/iis64.dll  
C:/Users/mssql$/Desktop/newth/install.bat  
C:/Users/mssql$/Desktop/newth/uninstall.bat  

Additionally, Talos observed the UAT-8099 threat actor attempting to create alternative hidden accounts to maintain persistence. The specific commands used to create these accounts and execute subsequent actions are detailed in Figures 3a, 3b, and 3c.

Abuse of the GotoHTTP remote control tool 

Talos has observed several instances where UAT-8099 uses a web shell to execute PowerShell commands, which subsequently download and run a malicious VBScript. This script is designed to deploy the GotoHTTP tool and exfiltrate the “gotohttp.ini” configuration file to the C2 server. This enables the threat actor to obtain the connection ID and password necessary to remotely control the infected server.

The malicious script contains multiple functions, each annotated by the threat actor using Simplified Chinese and Pinyin comments. We provide a detailed analysis of these functions below.

The code begins by initializing key parameters, including the download and upload URLs, file paths, and the expected file size of “gotohttp.exe”. Notably, this initialization section is marked with the comment “dingyichangliang” (定义常量), which translates to “Define Constants.”

The first functional block is marked with the comment “xiazaiwenjian” (下载文件), which translates to “Download File.” In this section, the code utilizes an HTTP GET request to download the GotoHTTP tool, saving it to the public folder as “xixixi.exe”.

The second and third function blocks are marked with the comments “jianchawenjian” (检查文件) and “jianchawenjian” (检查文件大小), translating to “Check File” and “Check File Size,” respectively. In these sections, the code verifies the integrity of the downloaded GotoHTTP tool by ensuring the file size exceeds the threshold defined in the previous block. If the validation fails, the script sends an error message to the C2 server, reporting either“xiazaishibai” (下载失败 – Download Failed) or “daxiaobudui” (大小不对 – Incorrect Size).

The fourth and fifth function blocks are marked with the comments “zhixingwenjian” (执行文件) and “jianchajieguo” (检查结果), translating to “Execute File” and “Check Result,” respectively. In these sections, the code executes the GotoHTTP tool in a hidden window without waiting for the process to terminate. Notably, the code uses Chr(34) to represent quotation marks, as indicated by the comments. This technique is employed to avoid syntax errors caused by improper escaping; using Chr(34) allows the insertion of the double-quote character without breaking the code structure. 

Following a five-second sleep delay, the script attempts to upload the “gotohttp.ini” file to the C2 server. If the file is missing, it sends the error message “gotohttp.ini bucunzai” (gotohttp.ini 不存在 – gotohttp.ini does not exist).

The last function blocks are marked with the comment “qingli” (清理), translating to “Clean.”. This section will clean up all the COM objects.

Two new BadIIS malware to target specific region 

Since September 2025, Talos has observed two new variants of BadIIS appearing in the wild, both utilized for SEO fraud. While other vendors have observed these malware, this section provides a deep analysis based on our reverse engineering and infection chain assessment. We have determined that UAT-8099 customizes these new cluster BadIIS to target specific regions. The first cluster, which we have named BadIIS IISHijack, derives its name from the original malware file name. The second cluster, BadIIS asdSearchEngine, is named after the PDB strings observed within the sample.

E:原生DLLSearchEngineReleaseSearchEngine.pdb
C:UsersqwesourcereposDll1dasdx64ReleaseDll1dasd.pdb 

BadIIS IISHijack primarily targets victims in Vietnam. This variant explicitly embeds the country code within its source code and creates a specific directory named when the malware drops into the victim’s machine.

BadIIS asdSearchEngine malware focuses on targets in Thailand or users with Thai language preferences. By using the CHttpModule::OnBeginRequest handler, the malware hijacks incoming HTTP traffic and analyzes headers such as “User-Agent” and “Referer” to determine its next move. A key addition to this version is the use of the “Accept-Language” header to verify the target region.

When an infected IIS server receives a request, the malware first filters the file path. If the path contains an extension on its exclusion list, it ignores the request to preserve static resources. Next, it checks the “User-Agent” to see if the visitor is a search engine crawler (e.g., Googlebot, sogu, 360spider, or Baiduspider). If confirmed, the crawler is redirected to an SEO fraud site. However, if the visitor is a standard user and the malware verifies that the “Accept-Language” field indicates Thai, it injects HTML containing a malicious JavaScript redirect into the response.  

We have identified three distinct variants within this BadIIS cluster. While they share the core workflow described above, each possesses unique features, which are detailed in the following section. Moreover, to evade detection, some specific variants employ XOR encryption (key 0x7A) to obfuscate their C2 configuration and malicious HTML content.

Exclusive multiple extensions variant 

While many variants employ extensive exclusion lists, the specific extensions targeted can differ between them. For the purpose of this analysis, we will use a representative example to illustrate the general functionality and strategy. Before executing its malicious payload, the new BadIIS variant inspects the URL path for specific file extensions. This filtering mechanism serves three strategic objectives:  

• The extensions (.png, .jpg, .css, .js, .woff, .ttf, .eot, and .otf) are critical for a website’s appearance, layout, and interactive features. If the BadIIS were to indiscriminately redirect or tamper with requests for these essential assets, the website would quickly appear broken to users and administrators. 
• The BadIIS likely uses filtering based on document type extensions (.pdf, .txt, .xml, .json, .doc, .docx, .xls, and .xlsx) and web-related files extensions (.manifest, .appcache, .webmanifest, .robots, and .sitemap) to focus its malicious injections (e.g., hidden links, keywords, malicious scripts) or redirect specifically on HTML pages or other content types that contribute to SEO rankings or user interaction, while leaving static assets untouched. 
• The archive extensions (.zip, .rar, .7z, .tar, .gz) are filtered so that the BadIIS can conserve resources.

Dynamic page extension/directory index variant 

Another variant of BadIIS adds a validation function that checks if a requested path corresponds to a dynamic page extension or a directory index. This determines whether the request is routed to the malware’s dynamic processing flow.

We assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting while maintaining stealth. Since SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most effective. Furthermore, by restricting hooks to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs. 

Load HTML templates variant 

The last variant of BadIIS contains a sophisticated HTML template generation system that dynamically creates web content. It has a content generator that can load templates from disk or use embedded fallbacks, then performs extensive placeholder replacement with random data, dates, and URL-derived content.

If there are no files found in the host, the BadIIS generates a response using an embedded HTML template, populating a date placeholder with the local system time. Notably, the variable names within this HTML template are written in Chinese Pinyin. Below, Talos provides detailed translations of these variables. Analyzing these names allows us to accurately determine how the dynamic template leverages keywords to facilitate SEO fraud.

Head section 

• <title>{biaoti}</title>: The browser tab title; substituted from {biaoti} (“标题”, title). 
• <meta name="description" content="{shoudongmiaoshu}">: SEO description; {shoudongmiaoshu} (“手动描述”, manual description). 
• <meta name="keywords" content="{guanjianci}">: SEO keywords; {guanjianci} (“关键词”, keywords).  

Body section 

• <h1>Welcome to {biaoti}</h1>: Main heading, repeats the title. 
• <p>{shoudongmiaoshu}</p>: A paragraph with the manual description. 
• <p>Current URL: {gudinglianjie}</p>: Shows the fixed/current link; {gudinglianjie} (“固定链接”, permalink). 
• <p>Date: {riqi}</p>: The date; {riqi} (“日期”, date). 
• <p>Contact: {suijirenming1}</p>: A contact name; {suijirenming1} (“随机人名”, random person name). 
• <div>{suijiduanluo1}</div>: A block of content; {suijiduanluo1} (“随机段落”, random paragraph).

The keywords that UAT-8099 intends to promote are directly embedded within the BadIIS malware. BadIIS utilizes these keywords to populate page titles and generate HTML content, thereby facilitating SEO fraud. The screenshot below captures a representative sample of these keywords; however, the complete list embedded within the malware is significantly more extensive.

Linux BadIIS variant found on VirusTotal 

Talos also identified an ELF variant of BadIIS submitted to VirusTotal that exhibits functionality identical to the samples described in Talos’ previous blog post that includes the proxy, injector, and SEO fraud modes. Furthermore, the malware’s hardcoded C2 servers share the same domain we previously documented. Based on these indicators, we assess with high confidence that this malware is attributable to UAT-8099. 

Below is the targeted URL path pattern, which is identical to the pattern in our previous UAT-8099 post.

news|cash|bet|gambling|betting|casino|fishing|deposit|bonus|sitemap|app|ios|video|games|xoso|dabong|nohu

While the behavior and URL path signature match our previous report, there is a key difference between this ELF BadIIS variant and the older BadIIS. Unlike the previous version, which targeted numerous search engines, this variant targets only three. The target search engines are shown as follows.

User-agent	Referer
Googlebot	google
Bingbot	bing
Yahoo!	yahoo

Coverage 

ClamAV detections are also available for this threat: 

• Win.Malware.Tedy-10059198-0  
• Win.Trojan.Crypter-10059205-0  
• Win.Trojan.BadIIS-10059191-0  
• Unix.Trojan.BadIIS-10059196-0  
• Win.Trojan.IISHijack-10059197-0  
• Win.Malware.Remoteadmin-10059206-0  
• Win.Packed.Zpack-10059207-0  
• Txt.Trojan.BadIIS-10059202-0 

The following Snort Rules (SIDs) detect and block this threat: 

• Snort2: 65712, 65713, 65710, 65711, 65708, 65709, 65707, 65706. 
• Snort3: 301378, 301377, 301376, 65707, 65706 

Indicators of compromise (IOCs) 

The IOCs for this threat are available at our GitHub repository here. 

Cisco Talos Blog – ​Read More

Running a SOC today means constant trade-offs: too many alerts, not enough people, strict SLAs, and attacks that keep getting smarter. Most leaders aren’t asking for “the next cool product” but a proof that something actually cuts time, risk, and workload in real environments like theirs. 

Thousands of organizations already rely on ANY.RUN to reduce analyst load, resolve phishing cases faster, cut unnecessary escalations, and speed up detection so incidents are contained before they reach the business. 

Here we are bringing that evidence together. Let’s look at the results from different industries, how teams use ANY.RUN across Tier 1/2/3, and why it became a core part of their SOC operations, so if you’re still hesitating, you can see exactly what teams like yours are achieving with it. 

What Real Teams Achieve with ANY.RUN: Proven Results Across Industries 

When you look across banks, MSSPs, transport companies, and healthcare providers, the pattern is the same: once ANY.RUN becomes part of daily SOC operations, teams move faster, reduce noise, and prevent incidents earlier. 

Here are the outcomes customers report consistently: 

• 94% of users report faster phishing and malware triage in real SOC workflows. 

• 76% faster phishing triage for a healthcare MSSP (from 30–40 minutes down to 4–7 minutes). 

• 50%+ reduction in malware investigation and IOC extraction time. 

• Tier-1 closure rates rising from ~20% to around 70% after giving Tier 1 full behavioral evidence. 

• 30–55% fewer false escalations thanks to richer context and verdict confidence. 

• 21 minutes average MTTR reduction in SOCs that integrated ANY.RUN into their workflows. 

• 15 seconds MTTD for phishing and malware threats which allows analysts to accelerate their SIEM/SOAR investigations. 

• Insights from ANY.RUN’s solutions helped SOC and MSSP teams stop hundreds of ransomware attempts before they ever touched production systems. 

MSSP Success Case: Faster Threat Analysis Without Expanding the Team 

Expertware is a European MSSP with over 18 years of experience, providing SOC services to organizations across banking, insurance, retail, telecom, and other industries. Their cyber intelligence operations team supports multiple customers at once, where speed and depth of analysis directly impact SLAs. 

Challenge 

Before adopting ANY.RUN’s Interactive Sandbox, malware investigations required manually building and maintaining reverse-engineering environments. This slowed response times, limited visibility into full attack chains, and made it harder to scale analysis across multiple customers without adding workload. 

Outcome 

Expertware standardized a single analysis cycle centered on interactive execution and fast intelligence sharing: 

• Execute and observe: Suspicious files and phishing samples are detonated to expose full behavior and multi-stage chains. 

• Analyze in depth: Analysts interact with malware in real time to uncover obfuscation, memory-only stages, and C2 infrastructure. 

• Extract and share: Indicators and findings are mapped, documented, and shared across SOC and IR teams to speed decisions. 

This approach removed the need for custom VMs and reduced friction across investigations. 

Results 

• Over 50% reduction in malware investigation and IOC extraction time 

• Faster turnaround on customer incidents without increasing staff 

• Clear visibility into full kill chains, including fileless and memory-based stages 

• Easier collaboration through shared, interactive analysis reports 

• Improved SLA performance by resolving cases earlier in the workflow 

Healthcare MSSP Success Case: Faster Phishing Triage Without SLA Risk 

A mid-sized MSSP specializing in healthcare supports hospitals, clinics, and labs across thousands of endpoints. Operating in a highly regulated environment, the SOC had to balance strict SLAs, audit requirements, and a growing volume of phishing and malware alerts. 

Challenge 

As the customer base expanded, Tier 1 and Tier 2 teams were overwhelmed. Multi-stage phishing emails with redirects, QR codes, and CAPTCHA checks often took 30–40 minutes per case, driving escalations, slowing response, and putting SLA commitments at risk. 

Outcome 

The MSSP standardized a single operational triage cycle combining sandbox execution, threat intelligence, and detection feeds: 

• Early execution with the Interactive Sandbox cuts phishing triage by 76%, reducing analysis from 30–40 minutes to 4–7 minutes, while giving Tier 1 full visibility into real malware behavior. 

• Richer context through Threat Intelligence Lookup improves decision confidence, driving 34% fewer false escalations and enabling Tier 1 closure rates to rise from 20% to 70%. 

• Live intelligence via Threat Intelligence Feeds keeps detections current as attacker infrastructure rotates, resulting in faster MTTR and fewer false positives across automated workflows. 

• Continuous monitoring of active attacks affecting 15,000+ organizations enables early detection of the latest threats. 

Results 

Since we implemented new solutions, every investigation now comes with evidence and threat data, from MITRE tags to screenshots. This made reporting faster and extra work fell off our shoulders.

• 76% reduction in phishing triage time (from 30–40 minutes down to 4–7 minutes) 

• Higher Tier-1 closure rates with fewer escalations to Tier 2 

• Stronger SLA stability across multiple healthcare customers 

• Audit-ready investigations with clear execution evidence and context 

• A shift from reactive response to proactive, repeatable defense  

Banking Success Case: Faster Analysis, Stronger Security Outcomes 

A Brussels-based investment bank (750 employees) runs cybersecurity with a lean team of 12, where people often switch between threat analysis and incident response depending on what’s happening. 

Challenge 

When the Head of Cybersecurity joined, the security setup was “messier” than expected, and the team was getting swamped with alerts daily. Improving efficiency meant fixing the workflow, and a malware sandbox quickly became a top priority. 

Outcome 

The number of ransomware and credential stealing attempts we have prevented thanks to the sandbox is already in the hundreds.

After integrating ANY.RUN as part of a broader workflow overhaul, results showed up almost immediately. In the first week, the team was able to process alerts and threat analysis at least twice as fast, helping avoid incident response and recovery costs through timely actions. 

Results  

• 2× faster alert processing and threat analysis (visible in the first week) 

• Better understanding of malware behavior through VM control (browsing websites, downloading, executing files) 

• A faster, more practical approach than running custom-built VMs on isolated machines that take significant preparation 

• Prevented hundreds of ransomware and credential-stealing attempts over time 

• Stopped a supplier email attack by detonating the email, opening a password-protected ZIP, identifying a loader, and seeing it download and initiate ransomware in the VM, then blocking the email across the organization and warning other departments 

Transport Company Success Case: Real-Time Visibility into Active Cyber Attacks 

A multinational transport company operating across North America, Latin America, and Europe relies heavily on email to communicate with clients, contractors, and suppliers. With a 30-person security team, staying ahead of active attacks required a threat hunting approach that scaled without adding manual work. 

Challenge 

Attacker infrastructure changes rapidly, making static indicators and public reports outdated within days. Manually tracking phishing campaigns, malware activity, and CVEs relevant to the transport industry consumed time and made prioritization difficult. 

Outcome 

The team standardized a continuous threat hunting cycle that turns fresh execution data into detections: 

• Confirm reality with an interactive sandbox: Detonate suspicious samples to capture behavior and extract high-confidence artifacts. 

• Expand to campaign scope: Subscribe to TI Lookup’s Search Updates, pivot across related IOCs/IOAs/IOBs, domains, hosts, and historical activity. 

• Operationalize fast: Use TI Feeds to push validated indicators into existing security workflows so detections stay current. 

Results 

• Near real-time visibility → faster decisions while attacks are still active. 

• Quicker IOC/IOA/IOB discovery → shorter time to contain relevant threats. 

• Less manual research → more capacity without extra headcount. 

• Clear active vs. expired prioritization → steadier SLAs, fewer wasted cycles. 

• Fresher detection updates → fewer repeat incidents as infrastructure rotates. 

Trusted by Security Teams Worldwide 

ANY.RUN is a part of daily security operations across industries where mistakes are expensive and downtime isn’t an option. 

Today, organizations rely on ANY.RUN in real production environments across: 

• 3,102 IT & technology companies 

• 1,778 financial institutions 

• 1,354 manufacturing organizations 

• 919 healthcare providers 

• 1,059 government entities 

• 460 energy companies 

• 347 transportation & logistics businesses 

This trust shows up consistently in independent reviews: 

• 4.7 / 5 on G2 — praised for speed, visibility, and day-to-day usability 

• 4.8 / 5 on Gartner Peer Insights — recognized for real-world impact on SOC performance 

This broad adoption across regulated, high-risk industries reinforces one thing: 
ANY.RUN scales not just technically, but operationally; across teams, regions, and security maturity levels. 

If teams in finance, healthcare, government, and critical infrastructure rely on it daily, it’s because it delivers results where stakes are highest. 

Why These Results Repeat Across Teams and Industries 

These outcomes show up in very different environments for one reason: high-performing teams don’t treat investigations as one-off incidents. They run a consistent, repeatable way of working that turns uncertainty into clarity fast and keeps that clarity flowing across the whole operation. 

What makes the difference: 

• Decisions are based on evidence, not assumptions 
  Teams don’t wait for “maybe” signals to become obvious. They confirm what’s happening early, so risk doesn’t quietly grow in the background. 

• Context reaches the right people at the right moment 
  Frontline triage gets enough clarity to close routine cases confidently, while deeper work is reserved for what truly needs it. 

• Response stays steady even when attackers change tactics 
  As infrastructure rotates and methods evolve; teams don’t fall back into manual chase mode. They keep coverage current and avoid repeating the same work. 

• Workflows are built for scale, not heroics 
  The process holds up under load, across shifts, and across customers, which is why SLAs stabilize and burnout drops. 

That’s why the same gains keep showing up: faster decisions, less noise, and fewer business-impacting incidents. 

Ready to See What Results Like These Look Like in Your Environment? 

Every SOC operates under different constraints; tools, team size, industry pressure, compliance rules. What doesn’t change is the cost of slow decisions, unnecessary escalations, and incidents that reach the business before they’re contained. 

The teams featured here didn’t rebuild everything from scratch. They focused on shortening time-to-verdict, giving frontline staff better clarity, and keeping detection current as attacks evolved. The result was less noise, steadier SLAs, and fewer incidents turning into business problems. 

If you’re weighing whether a change will actually move the needle, not in theory, but in daily operations, these results show what’s possible when security work becomes faster, clearer, and easier to scale. 

See what faster decisions look like in practice, run your SOC with ANY.RUN. 

About ANY.RUN 

ANY.RUN is a core part of modern security operations, helping teams make faster, more confident decisions across Tier 1, Tier 2, and Tier 3. It fits into existing workflows without friction and strengthens the entire investigation lifecycle; from early validation to deeper analysis and ongoing threat awareness. 

By revealing real attacker behavior, adding context where it’s missing, and keeping detections aligned with how threats actually evolve, ANY.RUN helps SOCs reduce noise, shorten response times, and limit business impact. 

Today, more than 600,000 security specialists and 15,000 organizations worldwide rely on ANY.RUN to accelerate triage, cut unnecessary escalations, and stay ahead of phishing and malware campaigns that don’t stand still. 

FAQ

The post SOC & Business Success with ANY.RUN: Real-World Results & Cases  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Cyble Vulnerability Intelligence researchers tracked 1,031 vulnerabilities in the last week, and nearly 200 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 72 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 33 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Below are some of the vulnerabilities flagged by Cyble threat intelligence researchers for prioritization by security teams in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2026-21969 is a 9.8-severity vulnerability in Oracle Agile Product Lifecycle Management for Process, specifically in the Supplier Portal component of Oracle Supply Chain. The flaw could enable unauthenticated remote attackers to achieve full system takeover via HTTP without needing credentials or user interaction. 

CVE-2026-22797 is a 9.9-rated authentication bypass vulnerability in the OpenStack keystonemiddleware’s external_oauth2_token component. An authenticated attacker could escalate privileges or impersonate other users by sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id. 

CVE-2026-0501 is a 9.9-severity SQL injection vulnerability in SAP S/4HANA Private Cloud and On-Premise, specifically the Financials General Ledger module, that could allow an authenticated attacker with low privileges to craft SQL queries, potentially enabling them to read sensitive financial data, modify records, or delete backend database content. 

CVE-2026-22584 is an 8.5-rated code injection vulnerability in Salesforce’s Uni2TS library, affecting MacOS, Windows, and Linux systems, that could allow attackers to leverage executable code in non-executable files. 

CVE-2025-69258 is a 9.8-rated unauthenticated remote code execution (RCE) vulnerability in Trend Micro Apex Central. The flaw could allow an unauthenticated, remote attacker to load an attacker-controlled DLL into a key executable, resulting in the execution of attacker-supplied code under the SYSTEM context on affected installations. 

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were CVE-2024-37079, a 9.8-severity Broadcom VMware vCenter Server out-of-bounds write vulnerability, CVE-2026-21509, a 7.8-rated Microsoft Office Security Feature Bypass vulnerability, and CVE-2025-34026, a 9.2-rated Versa Concerto improper authentication vulnerability in the Traefik reverse proxy configuration that could potentially allow an attacker to access administrative endpoints. 

Notable vulnerabilities discussed in open-source communities included CVE-2025-64155, a critical OS command injection vulnerability in Fortinet FortiSIEM, affecting Super and Worker nodes. An unauthenticated remote attacker could exploit the phMonitor service via crafted requests to execute arbitrary commands, potentially enabling full system compromise, including root access through file overwrites and privilege escalation. Cyble has also observed the vulnerability discussed by threat actors on dark web cybercrime forums. 

Another vulnerability getting attention in open-source communities is CVE-2025-12420, dubbed ‘BodySnatcher’, a critical privilege escalation vulnerability in ServiceNow’s AI Platform, specifically involving the Virtual Agent API and Now Assist AI Agents. It could allow unauthenticated remote attackers to impersonate any ServiceNow user, including administrators, by leveraging a hardcoded authentication secret and email-based identity linking, leading to arbitrary actions, such as creating backdoor admin accounts. 

Vulnerabilities Under Discussion on the Dark Web

In addition to CVE-2025-64155, Cyble dark web researchers observed threat actors discussing several other vulnerabilities on dark web and cybercrime forums. They include: 

CVE-2026-23745, a high-severity directory traversal vulnerability in the node-tar library (versions ≤ 7.5.2) for Node.js. The vulnerability stems from improper sanitization of the linkpath in hardlink and symbolic link entries when preservePaths is set to false, which is the default secure behavior. An attacker could exploit this flaw by crafting malicious tar archives to bypass extraction root restrictions, achieving arbitrary file overwrite via hardlinks and symlink poisoning attacks. In CI/CD environments or automated pipelines, successful exploitation could result in remote code execution by overwriting configuration files, scripts, or binaries, though npm remains unaffected because it filters out Link and SymbolicLink tar entries. 

CVE-2026-22812, a high-severity vulnerability in OpenCode, an open-source AI coding agent, affecting versions prior to 1.0.216. The flaw involves multiple weaknesses, including missing authentication for critical functions, exposed dangerous methods, and permissive cross-domain security policies. OpenCode automatically starts an unauthenticated HTTP server that allows any local process or any website via permissive CORS to execute arbitrary shell commands with the user’s privileges. After successful exploitation requiring user interaction, such as visiting a malicious website, attackers could gain complete compromise of confidentiality, integrity, and availability, with high impact across all three security dimensions. 

A threat actor shared a high-severity exploit chain targeting Apple’s WebKit engine on iOS versions before iOS 26. The chain links CVE-2025-43529, a use-after-free flaw, with CVE-2025-14174, a memory corruption issue in the ANGLE Metal renderer. By delivering malicious web content, attackers first achieve code execution within the browser sandbox and then leverage the memory corruption to bypass platform security. Upon successful exploitation via a malicious webpage, attackers can install sophisticated spyware to monitor location, intercept messages, and access the device’s camera and microphone. 

Conclusion 

The number of vulnerabilities affecting high-profile enterprise environments highlights the constant pressure facing security teams, who must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

The post The Week in Vulnerabilities: Cyble Urges Oracle, OpenStack Fixes appeared first on Cyble.

Cyble – ​Read More