Category: Vulnerability Intelligence

Taiwan’s TWCERT/CC disclosed two high-severity vulnerabilities affecting ThreatSonar Anti-Ransomware versions earlier than 4.0.0: an arbitrary file deletion issue via path traversal (CVE-2026-5966) and a privilege escalation flaw enabling OS command injection executed as root (CVE-2026-5967). Both issues require authentication and specific operational access (web or shell). TWCERT/CC recommends installing the vendor patch identified as version 20260302. Read more

Taiwan’s TWCERT/CC issued an urgent alert citing SecurityScorecard’s STRIKE team research into “Operation WrtHug,” a sustained campaign targeting ASUS small office/home office routers worldwide. The activity is reported to abuse known, publicly disclosed OS command-injection vulnerabilities—including issues referenced alongside CVE-2023-39780—focused on the AiCloud service. TWCERT/CC says compromised routers may be backdoored and incorporated into a large global infected network used for follow-on cyber threat activity and espionage, with STRIKE reporting identification of more than 50,000 infected IP devices over the past six months. The advisory urges immediate firmware updates, replacement of end-of-life (EoL) models that cannot be patched, and consultation of ASUS product security advisories for official mitigation steps. Read more

Taiwan’s TWCERT/CC is urging organizations to urgently patch a high-severity Windows Server Update Services (WSUS) vulnerability, CVE-2025-59287 (CVSS 9.8), after U.S. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog and Dutch NCSC-NL also confirmed real-world exploitation. The flaw enables unauthenticated remote code execution as SYSTEM via a deserialization trigger, but only impacts Windows Server systems where the WSUS server role is enabled. TWCERT/CC also cited Huntress reporting attacker scanning for exposed WSUS ports 8530/8531 and delivering malicious requests, with post-exploitation activity potentially involving PowerShell-based payload execution and data discovery/exfiltration. Read more

Taiwan’s TWCERT/CC warns that a high-risk MongoDB Server vulnerability, CVE-2025-14847 (CVSS v4: 8.7), is under active exploitation and can leak sensitive data from server memory. The issue—dubbed “MongoBleed” by researchers—stems from incorrect handling of the reported length of zlib-decompressed messages, which can cause uninitialized heap memory residues to be included in responses. TWCERT/CC notes that more than 87,000 internet-exposed MongoDB servers could be at risk, and that CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on 2025-12-29, signaling elevated urgency for enterprises and government agencies. Read more

A joint CISA and FBI advisory details how the CL0P ransomware group (also tracked as TA505) exploited a previously unknown SQL injection flaw (CVE-2023-34362) in Progress Software’s MOVEit Transfer managed file transfer (MFT) product to implant a web shell (“LEMURLOOT”) and exfiltrate data from underlying databases. The advisory frames MOVEit as the latest example of a broader TA505 pattern: targeting internet-facing MFT platforms with zero-day exploits (Accellion FTA in 2020–2021, GoAnywhere MFT in early 2023, and MOVEit in May 2023) to conduct large-scale theft and extortion—often emphasizing data exfiltration over encryption. Read more