Live Cyber Security Threat Dashboard
Hawkra Threat Dashboard
Your daily cyber security threat intelligence hub. Track the latest CVEs, active exploits, data breaches, and cyber attacks, all enriched with CISA KEV data, EPSS exploit predictions, and MITRE ATT&CK mapping. Free AI-generated threat briefings updated every 24 hours.
Today's Cyber Security Threats
AI Daily Threat Briefing
Tuesday, March 3, 2026
Active Exploits & Threat Groups
The Cybersecurity and Infrastructure Security Agency (CISA) has added two significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors. The first, CVE-2026-22719, is a command injection vulnerability in Broadcom's VMware Aria Operations, a platform used for managing complex cloud and virtualized environments. Successful exploitation allows an attacker to execute arbitrary commands on the server, posing a severe risk to enterprise infrastructure. The second, CVE-2026-21385, is a memory corruption flaw affecting multiple Qualcomm chipsets. Given the ubiquitous nature of Qualcomm hardware in mobile devices and IoT, this vulnerability provides a widespread attack surface for compromising endpoints at a fundamental level.
A broad coalition of sophisticated threat actors, primarily state-sponsored, is linked to the active exploitation of these vulnerabilities. These groups leverage the flaws for Execution tactics, enabling them to run malicious code on compromised systems as a foothold for further operations. Notable actors include APT29 (Cozy Bear), Lazarus Group, Dragonfly, Mustang Panda, and OilRig. The large number of distinct advanced persistent threat (APT) groups utilizing these exploits underscores their high value and effectiveness in current campaigns, necessitating immediate patching by affected organizations.
New Vulnerabilities
A significant number of critical vulnerabilities have been disclosed, nearly all with a CVSS score of 9.8. Multiple flaws impact widely used WordPress plugins, including an authentication bypass in the All-in-One Microsoft 365 & Entra ID SSO Login plugin (CVE-2026-2628) and an improper privilege management issue in the User Registration & Membership plugin (CVE-2026-1492). These vulnerabilities place a vast number of websites at risk of complete takeover. Additionally, several critical SQL injection vulnerabilities were identified in smaller web applications, such as the Simple Food Order System and Personnel Property Equipment System, which could lead to database compromise. For enterprise environments, remote code execution vulnerabilities in the IDExpert Windows Logon Agent (CVE-2026-2999, CVE-2026-3000) present a direct threat to network security.
Analysis of Exploit Prediction Scoring System (EPSS) data reveals a sharp increase in the likelihood of exploitation for several vulnerabilities. CVE-2026-27180 and CVE-2026-27174 have both seen their EPSS scores jump to over 60%, indicating a high probability of active exploitation in the near future. These significant movements serve as a critical early warning for defenders, highlighting the need to prioritize patching for these specific vulnerabilities to preemptively mitigate risk.
In the News
- A hacktivist collective known as the Department of Peace has reportedly leaked sensitive contract data belonging to the U.S. Department of Homeland Security and Immigration and Customs Enforcement.
- The Iranian-affiliated threat group Handala Hack claimed responsibility for a cyber attack targeting an airport in the United Arab Emirates.
- Cloudflare's latest threat report detailed a record-breaking 31.4 Tbps Distributed Denial-of-Service (DDoS) attack, signaling a shift toward industrialized cyber threats.