⚠️ Cisco Catalyst SD-WAN – Authenticated Privilege Escalation to Root (CVSS 7.8, CISA KEV)  CISA has added CVE-2026-20245 to its KEV catalogue following evidence of active exploitation. A command injection flaw in the CLI of Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond), caused by insufficient validation of user-supplied input. By uploading a crafted file, an authenticated local attacker with netadmin privileges can execute arbitrary commands and elevate to root.  Affected: Cisco Catalyst SD-WAN Controller, Manager, and Validator, regardless of device configuration.  Mitigation: Cisco recommends upgrading to the fixed software documented in the Catalyst SD-WAN Security Advisory, and verifying the configuration of edge devices. Before upgrading, run request admin-tech on each control component to preserve potential indicators of compromise, then monitor per Cisco's advisory.  Modat Magnify Query: product="Cisco Catalyst SD-WAN Manager" OR product="Cisco Catalyst SD-WAN Controller"  The platform: magnify.modat.io/  Reference: sec.cloudapps.cisco.com/secu…  #threatintel #vulnerability #CVE202620245 #Cisco #SDWAN #PrivEsc #infosec #ModatMagnify
⚠️ Oracle PeopleSoft PeopleTools – Unauthenticated RCE (CVSS 9.8)  Oracle has issued a Security Alert for CVE-2026-35273, a vulnerability in the Environment Management component of PeopleSoft Enterprise PeopleTools. The flaw is remotely exploitable without authentication and, if successfully exploited, can result in remote code execution and full compromise of the affected system.  Affected versions: PeopleSoft Enterprise PeopleTools 8.61 and 8.62  Mitigation: Apply the patches referenced in Oracle's Security Alert. Restrict network access to PeopleSoft environments and limit exposure to trusted users where possible.  Modat Magnify Query: web.html~"Please click here to PeopleSoft logon page"  The platform: magnify.modat.io/  Reference: oracle.com/security-alerts/a…  #threatintel #vulnerability #CVE202635273 #Oracle #PeopleSoft #RCE #infosec #Critical #ModatMagnify
⚠️ LiteLLM – Command Injection via MCP Preview Endpoints (CVSS 8.7, CISA KEV)  CISA has added CVE-2026-42271 to its KEV catalogue. The vulnerability affects LiteLLM, a widely deployed AI gateway proxy.  Two preview endpoints could be tricked into running attacker-supplied commands directly on the proxy host. Because they only required a valid API key with no permission check, any authenticated user could execute arbitrary commands on the server.  Affected versions: LiteLLM 1.74.2 up to (not including) 1.83.7  Mitigation: Upgrade to LiteLLM 1.83.7 or later. Federal agencies must remediate by June 22, 2026. Restrict and audit API key issuance, and limit proxy exposure to trusted users only.  Modat Magnify Query: product="LiteLLM API" OR product="LiteLLM"  The platform: magnify.modat.io/  #threatintel #vulnerability #CVE202642271 #LiteLLM #CommandInjection #RCE #infosec #KEV #ModatMagnify
Modat MCP is Here  You can query Modat Magnify directly from Claude, Cursor, or any MCP-compatible AI tool. No manual pivoting between tabs, no glue scripts, no switching context. Your agents pivot on device fingerprints, IP, DNS, certificate data and more, natively! The same signals every research team uses.  Read the documentation: magnify.modat.io/docs/model-…  Watch the full walkthrough: youtube.com/watch?v=UGoSQ0Q3…  The Platform: magnify.modat.io/  #Pivoting #MCP #Modat #ThreatHunting #CyberSecurity #ModatMagnify
PSA-2026-05-18  ⚠️ Drupal – Upcoming Highly Critical Security Release  Drupal has issued PSA-2026-05-18 warning of a highly critical core vulnerability affecting all supported Drupal 10 and 11 branches. Technical details remain undisclosed, but exploits may emerge within hours or days after release.  Emergency patching is advised for May 20, 2026 (17:00–21:00 UTC).  Affected branches include: • 11.3.x / 11.2.x • 10.6.x / 10.5.x  End-of-life Drupal 8.9 and 9.5 branches will also receive best-effort patches due to the potential severity of the issue.  Mitigation: Update to the latest supported Drupal patch release and prepare for emergency patching during the security window.  Modat Magnify Query: technology="Drupal"  The platform: magnify.modat.io/  Reference: drupal.org/psa-2026-05-18  #threatintel #vulnerability #Drupal #infosec #Critical #zeroday #ModatMagnify
CVE-2026-42945  ⚠️ NGINX – Heap Overflow / Possible RCE Actively Exploited in the Wild (CVSS 9.2)  A heap-based buffer overflow in ngx_http_rewrite_module affects NGINX Open Source and NGINX Plus ≤1.30.0. Crafted HTTP requests can trigger worker crashes and potentially lead to remote code execution on systems with ASLR disabled.  The flaw requires specific rewrite/if/set directives using unnamed PCRE captures ($1, $2) with replacement strings containing “?”. The vulnerability is actively being exploited in the wild.  Mitigation: Patch immediately to Nginx 1.31.0 or 1.30.1.  Modat Magnify Query:  technology="Nginx"  The platform:  magnify.modat.io/  #threatintel #vulnerability #CVE202642945 #NGINX #RCE #DoS #infosec #Critical #ModatMagnify
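A configuration check built from the conditions the NGINX post names (rewrite/set directives, unnamed captures, a "?" in the replacement), added here as an example and not taken from Modat or the NGINX project. The pattern is a heuristic derived only from the post's wording and the sample configuration is constructed; a hit marks a host to review and patch first, not proof that it is exploitable.

```python
import re

# Heuristic from the post's wording only: a rewrite/set directive whose
# replacement or value uses an unnamed capture ($1..$9) and contains "?".
COMMENT = re.compile(r'(^|\s)#.*$', re.M)
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[^\s;{}"']+''')
DIRECTIVE = re.compile(
    r'(?<![\w$.-])(rewrite|set)((?:\s+(?:' + TOKEN.pattern + r'))+)\s*;')
UNNAMED_CAPTURE = re.compile(r'\$[1-9]')

# Constructed sample configuration (not from any real deployment).
SAMPLE = r"""server {
    listen 80;
    # rewrite ^/old/(.*)$ /new?x=$1;
    rewrite ^/user/(\d+)$ /profile.php?id=$1 last;
    rewrite ^/docs/(.*)$ /manual/$1 permanent;
    rewrite "^/a/(?<slug>[a-z]{1,8})$" /b?s=$slug;
    location /dl {
        if ($uri ~ "^/dl/(.+)$") { set $target "/fetch?f=$1"; }
        proxy_set_header X-Orig $1;
    }
}
"""

def audit(conf_text):
    """Return (line, directive, replacement) for each directive to review."""
    text = COMMENT.sub(r'\1', conf_text)   # drop comments, keep line count
    findings = []
    for m in DIRECTIVE.finditer(text):
        args = [t.strip('"\'') for t in TOKEN.findall(m.group(2))]
        if len(args) < 2:
            continue
        target = args[1]   # rewrite: replacement string; set: assigned value
        if UNNAMED_CAPTURE.search(target) and '?' in target:
            line = text.count('\n', 0, m.start(1)) + 1
            findings.append((line, m.group(1), target))
    return findings

if __name__ == "__main__":
    for line, name, target in audit(SAMPLE):
        print(f"line {line}: {name} -> {target}  (review, patch first)")
```

Run it over the output of `nginx -T` so that included files are covered; directives using named captures or no "?" are not reported.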
CVE-2026-44578  ⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6)  A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler.  By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data.  Affected: Next.js 13.4.13, 14.x, 15.x <15.5.16, 16.0.0–16.2.4  Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.  Modat Magnify Query: technology="Next.js"  The platform: magnify.modat.io/  #threatintel #vulnerability #CVE202644578 #Nextjs #SSRF #WebSocket #CloudSecurity #infosec #Critical #ModatMagnify
CVE-2025-49113 / CVE-2025-68461  ⚠️ Roundcube Webmail – Actively Exploited RCE & XSS (CISA KEV)  CISA has added CVE-2025-49113 and CVE-2025-68461 to its KEV catalogue following confirmation of active in-the-wild exploitation targeting Roundcube Webmail.  CVE-2025-49113 (CVSS 9.9) is a deserialization vulnerability that allows authenticated attackers to achieve remote code execution via improper validation of the _from parameter.  CVE-2025-68461 is a cross-site scripting flaw exploitable through the SVG animate tag, enabling malicious script execution.  Patch immediately (1.6.12 / 1.5.12).  Modat Magnify Query: web.title~"Roundcube Webmail"  The platform: magnify.modat.io/  #threatintel #vulnerability #CVE202549113 #CVE202568461 #Roundcube #RCE #XSS #CISA #KEV #infosec #ModatMagnify
CVE-2026-25253  ⚠️ OpenClaw (Moltbot / Clawdbot) – 1-Click RCE via Token Exfiltration  A high-severity vulnerability (CVSS 8.8) has been disclosed in OpenClaw allowing remote code execution with a single click.  The flaw is a logic issue where the Control UI blindly trusts a gatewayUrl supplied via query string and auto-connects over WebSocket, leaking the stored gateway token to attacker-controlled infrastructure.  By abusing cross-site WebSocket hijacking and privileged operator scopes, attackers can disable safety approvals, escape the container, and execute arbitrary commands directly on the host even when the gateway is bound to localhost only.  Modat previously identified exposed Clawdbot/Moltbot control panels, with numbers now even higher. You can read the full blog here: modat.io/post/moltbot-unmask…  Fixed in: v2026.1.29  Action: Patch immediately and rotate gateway tokens.  Modat Magnify Query: web.title~"Clawdbot Control" OR web.title~"OpenClaw Control" OR web.title~"Moltbot Control"  The platform: magnify.modat.io/  #threatintel #vulnerability #CVE202625253 #OpenClaw #Moltbot #Clawdbot #RCE #AIsecurity #infosec #ModatMagnify
Latest Research: Moldbot Unmasked: A Global Deployment Analysis  🔗 Read the full research: modat.io/post/moldbot-unmask…  Findings:  🔓 mDNS Broadcasts Leak: Our findings indicate that Moltbot instances are routinely exposing far more information via mDNS than expected, posing a significant configuration risk for global infrastructure.  🌍 Global Exposure: Moltbot exposure spans 53 countries, with a high density in the U.S.  📊 The Numbers: • 1,487 hosts announced Moltbot services via mDNS • 635 publicly accessible Web Control Panels  📂 Credential & Identity Leakage: Moltbot-related open directory listings were found with sensitive artifacts that go far beyond basic metadata: • Encrypted Identity Files: Signal, Telegram, and WhatsApp identity data • Secrets: Registration secrets and agent runtime metadata  👇 Full article: modat.io/post/moldbot-unmask…  #cybersecurity #modatmagnify #dataleaks #moltbot #clawdbot #threatintel #visibility
CVE-2026-24858  ⚠️ Fortinet FortiOS / FortiCloud SSO – Actively Exploited Auth Bypass (CISA KEV)  CISA has added CVE-2026-24858 to its KEV catalogue following confirmation of active in-the-wild exploitation targeting Fortinet products.  The flaw is an authentication bypass (CWE-288) that allows attackers with a FortiCloud account and a registered device to access other tenants’ devices when FortiCloud SSO is enabled, leading to unauthorized admin access, configuration changes, and potential persistence.  Patch immediately.  Modat Magnify Queries: os="FortiOS"  product~"Forti"  The platform: magnify.modat.io/  #threatintel #vulnerability #CVE202624858 #Fortinet #FortiOS #AuthBypass #CISA #KEV #infosec #ModatMagnify
CVE-2024-37079  ⚠️ VMware vCenter – Actively Exploited Network-Based RCE (CISA KEV)  CISA has added CVE-2024-37079 to its KEV catalogue following confirmation of active in-the-wild exploitation targeting VMware vCenter Server.  The flaw is an out-of-bounds write in the DCE/RPC protocol implementation, allowing unauthenticated attackers with network access to vCenter Server to send specially crafted packets, potentially leading to remote code execution.  Patch immediately.  Modat Magnify Query:  product="VMware vCenter"  The platform:  magnify.modat.io/  #threatintel #vulnerability #CVE202437079 #VMware #vCenter #RCE #CISA #KEV #infosec #ModatMagnify
CVE-2026-21962  ⚠️ Oracle Fusion Middleware – Critical Unauthenticated RCE (CVSS 10.0)  CVE-2026-21962 is a maximum-severity flaw in Oracle Fusion Middleware affecting Oracle HTTP Server and WebLogic Server Proxy Plug-Ins (Apache & IIS).  Unauthenticated attackers can send crafted HTTP requests to gain full system control, create/modify/delete critical data, and leverage scope change to impact additional enterprise components. First PoCs are already out.  Apply Oracle’s January 2026 Critical Patch Update immediately.  Modat Magnify Query: product="Oracle Fusion Middleware"  The platform: magnify.modat.io/  #threatintel #vulnerability #CVE202621962 #Oracle #WebLogic #RCE #infosec #ModatMagnify
25 Apr 2025
🚨 Threat Alert: CVE-2025-31324 – Critical SAP NetWeaver RCE Vulnerability 🚨  A newly disclosed flaw in SAP NetWeaver Visual Composer’s Metadata Uploader allows unauthenticated remote code execution via file upload—CVSS score: 10.0 (Critical). This vulnerability is already under active exploitation, with multiple incidents reported. Attackers can upload and execute malicious binaries, leading to complete system compromise.  What you need to know: • Attack vector: CWE-434 – Unrestricted File Upload • MITRE tactic: T1190 – Exploit Public-Facing Application • Impact: Total loss of confidentiality, integrity, and availability • Exploitation: No auth required  SAP recommends: • Patch immediately • Disable or restrict the Visual Composer component  Exploits linked to this or a related flaw have already been observed in the wild. Don’t wait.  Try with Modat Magnify → Run this query to check for exposed assets: product="SAP NetWeaver"  Start now with upgraded platform access – free until July 1: magnify.modat.io  #CVE-2025-31324 #SAPNetWeaver #RemoteCodeExecution #RCE #CyberSecurity #ModatMagnify #VulnerabilityAlert #Infosec #ThreatIntel #CWE434

3 Apr 2025
🚨 New CVE Alert: CVE-2025-22457 @Mandiant confirms active exploitation of a critical Ivanti Connect Secure RCE vulnerability by suspected China-nexus actor UNC5221. Involves custom malware (TRAILBLAZE, BRUSHFIRE) and the SPAWN ecosystem. 📌 CVE: bit.ly/4iTpKdD 📊 136K services found on  magnify.modat.io Basic Query magnify.modat.io/search?quer… Device DNA magnify.modat.io/search?quer… #ModatMagnify #Ivanti #ThreatIntel #UNC5221 #CyberSecurity #APT #DFIR #CVE202522457
28 Mar 2025
Modat Magnify Alert: 
We’ve identified ~2,500 exposed CrushFTP instances worldwide.  According to @Shadowserver ~1,800 may be vulnerable to CVE-2025-2825 (CVSS 9.8) — an auth bypass via HTTP(S) that can be exploited. magnify.modat.io/search?quer…  #ModatMagnify #crushftp #infosec #cve
27 Mar 2025
New Device DNAs just dropped on Modat Magnify:
🖥️ KVM over IP (NanoKVM, JetKVM, PiKVM)
🛠️ BMC (e.g. Supermicro)

Available for Pro users.
→ magnify.modat.io #Cybersecurity #ThreatHunting #ModatMagnify #DFIR