Originally reported by The Hacker News, SANS ISC, CISA KEV
TL;DR
Critical zero-day in Dell RecoverPoint exploited since 2024, VoIP phones exposed to RCE, VS Code extensions vulnerable, and AI assistants weaponized as C2 proxies.
CISA added CVE-2026-22769 to KEV catalog with confirmed exploitation since mid-2024, and multiple critical RCE vulnerabilities are actively being exploited.
Google Mandiant and Google Threat Intelligence Group disclosed that Chinese threat cluster UNC6201 has been exploiting CVE-2026-22769 in Dell RecoverPoint for Virtual Machines since mid-2024. The vulnerability carries a maximum CVSS score of 10.0 and stems from hard-coded credentials that allow unauthenticated remote attackers to gain root-level access to the underlying operating system. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply mitigations by March 11, 2026.
Cybersecurity researchers identified CVE-2026-2329, a critical unauthenticated stack-based buffer overflow in Grandstream GXP1600 series VoIP phones. The vulnerability scores 9.3 on the CVSS scale and could allow attackers to seize complete control of affected devices through remote code execution. The flaw represents a significant risk to enterprise communication infrastructure, particularly given the widespread deployment of these devices in business environments.
Researchers discovered multiple vulnerabilities across four widely used Visual Studio Code extensions: Live Server, Code Runner, Markdown Preview Enhanced, and another unnamed extension. Collectively installed over 125 million times, these extensions contain flaws that could enable threat actors to steal local files and execute code remotely. The discovery highlights supply chain risks in developer tooling ecosystems where millions of users automatically trust and install third-party extensions.
The Cybersecurity and Infrastructure Security Agency added four vulnerabilities to its KEV catalog, indicating active exploitation in the wild. Beyond the Dell RecoverPoint flaw, the list includes CVE-2026-2441, a use-after-free vulnerability in Google Chrome with a CVSS score of 8.8. Federal agencies must patch these vulnerabilities according to CISA's Binding Operational Directive 22-01 timeline.
Notepad++ released version 8.9.2 to address security gaps exploited by Chinese threat actors who hijacked the software's update mechanism to deliver targeted malware. Maintainer Don Ho implemented a "double lock" design with enhanced verification processes to prevent future exploitation of the update channel. The incident demonstrates how legitimate software update mechanisms continue to be attractive targets for supply chain attacks.
Cybersecurity researchers demonstrated that AI assistants with web browsing capabilities, including Microsoft Copilot and xAI Grok, can be abused as command-and-control relays for malware operations. This technique allows attackers to blend malicious communications with legitimate enterprise AI usage, potentially evading detection systems that monitor traditional C2 channels. The research raises concerns about the security implications of AI assistants with internet access in corporate environments.
CISA also flagged CVE-2021-22175, a server-side request forgery vulnerability in GitLab that occurs when requests to internal networks for webhooks are enabled. Despite being disclosed in 2021, the vulnerability's addition to the KEV catalog indicates ongoing active exploitation, emphasizing the importance of patching older vulnerabilities that remain attractive to threat actors.
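The GitLab SSRF above is the general webhook-destination problem: the server fetches a URL a user supplied. As an added illustration (not GitLab's code or its fix), here is a Python destination check that rejects loopback, private, link-local and IPv4-mapped addresses and requires every DNS answer to be public; `check_webhook_url`, the constructed `SAMPLE_DNS` table and the use of 8.8.8.8 as a stand-in public address are assumptions of the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; use the default resolver
# for real DNS. 8.8.8.8 is only a stand-in for "some public address".
SAMPLE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "split.example.com": ["8.8.8.8", "10.0.0.5"],
}

def default_resolver(host):
    """Resolve a hostname to every A/AAAA address it currently has."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip):
    """True for any address a server-side fetch must never reach."""
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is a classic filter bypass:
    # unwrap it so the embedded IPv4 address is judged on its own.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified)

def check_webhook_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a user-supplied webhook destination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}          # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError, KeyError) as exc:
            return False, f"cannot resolve {host!r}: {exc!r}"
    # Every answer must be public: a name with one public and one internal
    # record (split-horizon DNS, attacker-controlled zone) is rejected.
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    return True, "ok"
```

The check is a point-in-time snapshot, so the code that actually sends the webhook should connect to the validated addresses (or go through an egress proxy enforcing the same policy) rather than re-resolving the name, otherwise DNS rebinding reopens the hole.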