Early Warning
CVE-2026-31431 impacts shared-kernel Linux environments where untrusted or low-privilege users can run code. It turns any local user account into root via a reliable, tiny exploit. No races or custom offsets needed.
The vulnerability affects an estimated 82 % of modern JavaScript web applications using React 19 or frameworks built on RSC. Successful exploitation typically yields immediate access to environment variables, database credentials, cloud metadata endpoints, and the ability to establish reverse shells.
CWP (Control Web Panel), formerly known as CentOS Web Panel, versions prior to 0.9.8.1205 contain a critical vulnerability that allows unauthenticated remote attackers to execute arbitrary code on the target system.
A critical vulnerability has been identified in the default installation and configuration of Gladinet CentreStack and TrioFox. This flaw, classified as an unauthenticated Local File Inclusion (LFI) vulnerability, enables unauthorized access to system files.
The vulnerability affects specific versions of Juniper’s ScreenOS, a network operating system used in various Juniper firewall products. The flaw allows remote attackers to exploit the system by entering an unspecified password during SSH or TELNET sessions, potentially granting them administrative access. This could lead to unauthorized actions being performed on the network devices, compromising the security and integrity of the network.
CVE-2025-48384 is a vulnerability in Git, a widely used distributed version control system. When a config entry is written with a trailing CR, it is not quoted, leading to the loss of the CR when the config is read later. If a symlink exists that points to this altered path and the submodule contains an executable post-checkout hook, the script may execute unintentionally after the checkout process.
CVE-2019-9621 is a server-side request forgery (SSRF) vulnerability found in several versions of the Zimbra Collaboration Suite (ZCS), an enterprise-class email, calendar, and collaboration platform. Exploiting this SSRF flaw can expose internal resources or lead to remote code execution as shown by the researcher.
CVE-2023-0386 is a vulnerability in the Linux kernel OverlayFS subsystem. A low-privileged local user could obtain elevated capabilities, potentially exploiting the system further with root privileges.
CVE-2024-12987 is a critical OS Command Injection vulnerability in DrayTek routers. Exploitation can result in full host system take over and lateral movement on the victim’s subnet.
Armis Early Warning: CVE-2024-11120 – Critical OS Command Injection vulnerability affecting EOL GeoVision IoT devices. Learn about the risks, exploitation, and mitigation strategies for this threat.
CVE-2024-4885 is a critical unauthenticated RCE vulnerability in Progress WhatsUp Gold. Learn about the vulnerability, its impact, and how Armis Centrix™ for Early Warning provided 223 days of advance protection.
High-Severity Chrome Mojo Sandbox Bypass CVE-2025-2783 was actively exploited. Learn about the vulnerability, its impact, and how Armis Centrix™ for Early Warning provided 75 days of advance protection.
This document details CVE-2022-43939, a critical authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server, and how Armis Centrix™ for Early Warning provided 693 days early warning of its exploitation.
CVE-2020-2883 is a critical deserialization vulnerability in Oracle WebLogic Server allowing remote code execution, publicly disclosed in April 2020 but recently re-emphasized by CISA, and detected early by Armis Centrix™ for Early Warning.
The Black Basta leak exposed approximately 200,000 internal chat messages from the notorious ransomware group, revealing their operational tactics, exploited vulnerabilities, and extensive global reach across 84 countries.
On February 21, 2025, Dubai-based cryptocurrency exchange Bybit suffered a $1.5 billion theft of digital assets, attributed to North Korea’s Lazarus Group, highlighting escalating state-sponsored cyberattacks.
Threat actors are exploiting a chain of vulnerabilities (CVE-2025-0108,CVE-2024-9474 and CVE-2025-0111) in Palo Alto Networks firewalls to gain unauthorized, root-level access.
CVE-2024-21413 is a critical security vulnerability in Microsoft Outlook classified as an “Improper Input Validation Vulnerability”.
Armis Labs’ investigation into DeepSeek Coder revealed that reliance on AI-generated code without proper oversight can introduce critical vulnerabilities, such as the use of known vulnerable libraries and coding practices leading to issues like SQL injection and buffer overflows.
CVE-2023-48365 is a critical pre-authentication remote code execution (RCE) vulnerability affecting Qlik Sense Enterprise for Windows.
CVE-2021-44207 is a critical security vulnerability identified in Acclaim Systems’ USAHERDS application, specifically in versions up to 7.4.0.1.
CVE-2024-1212 is a critical security vulnerability identified in Progress Kemp LoadMaster, a widely used load balancer and application delivery controller.
CVE-2021-41277 is a Local File Inclusion (LFI) vulnerability discovered in the GeoJSON API of Metabase, a widely used open-source business intelligence and analytics platform.
Armis dives into the 15 most exploited vulnerabilities reported by CISA, providing an overview of each CVE, and offering insights into the types of attacks, exploitation patterns, and how long they’ve been active.
CVE-2024-40711 is a critical remote code execution vulnerability affecting Veeam Backup & Replication (VBR) servers, which attackers are actively exploiting in ransomware attacks.
CVE-2019-1069, also known as the Task Scheduler Elevation of Privilege Vulnerability, was identified in Microsoft Windows Task Scheduler.
CVE-2016-3714 is a critical vulnerability in ImageMagick that allows remote code execution due to insufficient input filtering. ImageMagick is a popular software suite for creating, editing, and converting bitmap images.
The exploit requires 10,000 attempts and specific conditions related to the GNU C Library (glibc), making widespread exploitation unlikely.
This is an easily exploitable unauthenticated remote code execution vulnerability affecting NextGen HealthCare’s Mirth Connect data integration platform.
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability.
Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature.
Microsoft Windows Print Spooler service contains a privilege escalation vulnerability.
CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page.
Check Point Quantum Security Gateways contains an unspecified information disclosure vulnerability.
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.
Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability.
Flash Alert
The disclosure of CVE-2026-21858 (“Ni8mare”) in the n8n workflow automation platform has been widely characterized as a critical, unauthenticated remote code execution vulnerability with a CVSS score of 10.0. While technically accurate, this framing obscures an important reality: exploitation requires network reachability to the n8n instance.
CrowdStrike is actively working with customers impacted by the defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.
All
CVE-2026-31431 impacts shared-kernel Linux environments where untrusted or low-privilege users can run code. It turns any local user account into root via a reliable, tiny exploit. No races or custom offsets needed.
The disclosure of CVE-2026-21858 (“Ni8mare”) in the n8n workflow automation platform has been widely characterized as a critical, unauthenticated remote code execution vulnerability with a CVSS score of 10.0. While technically accurate, this framing obscures an important reality: exploitation requires network reachability to the n8n instance.
The vulnerability affects an estimated 82 % of modern JavaScript web applications using React 19 or frameworks built on RSC. Successful exploitation typically yields immediate access to environment variables, database credentials, cloud metadata endpoints, and the ability to establish reverse shells.
CWP (Control Web Panel), formerly known as CentOS Web Panel, versions prior to 0.9.8.1205 contain a critical vulnerability that allows unauthenticated remote attackers to execute arbitrary code on the target system.
A critical vulnerability has been identified in the default installation and configuration of Gladinet CentreStack and TrioFox. This flaw, classified as an unauthenticated Local File Inclusion (LFI) vulnerability, enables unauthorized access to system files.
The vulnerability affects specific versions of Juniper’s ScreenOS, a network operating system used in various Juniper firewall products. The flaw allows remote attackers to exploit the system by entering an unspecified password during SSH or TELNET sessions, potentially granting them administrative access. This could lead to unauthorized actions being performed on the network devices, compromising the security and integrity of the network.
CVE-2025-48384 is a vulnerability in Git, a widely used distributed version control system. When a config entry is written with a trailing CR, it is not quoted, leading to the loss of the CR when the config is read later. If a symlink exists that points to this altered path and the submodule contains an executable post-checkout hook, the script may execute unintentionally after the checkout process.
CVE-2019-9621 is a server-side request forgery (SSRF) vulnerability found in several versions of the Zimbra Collaboration Suite (ZCS), an enterprise-class email, calendar, and collaboration platform. Exploiting this SSRF flaw can expose internal resources or lead to remote code execution as shown by the researcher.
CVE-2023-0386 is a vulnerability in the Linux kernel OverlayFS subsystem. A low-privileged local user could obtain elevated capabilities, potentially exploiting the system further with root privileges.
CVE-2024-12987 is a critical OS Command Injection vulnerability in DrayTek routers. Exploitation can result in full host system take over and lateral movement on the victim’s subnet.
Armis Early Warning: CVE-2024-11120 – Critical OS Command Injection vulnerability affecting EOL GeoVision IoT devices. Learn about the risks, exploitation, and mitigation strategies for this threat.
CVE-2024-4885 is a critical unauthenticated RCE vulnerability in Progress WhatsUp Gold. Learn about the vulnerability, its impact, and how Armis Centrix™ for Early Warning provided 223 days of advance protection.
High-Severity Chrome Mojo Sandbox Bypass CVE-2025-2783 was actively exploited. Learn about the vulnerability, its impact, and how Armis Centrix™ for Early Warning provided 75 days of advance protection.
This document details CVE-2022-43939, a critical authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server, and how Armis Centrix™ for Early Warning provided 693 days early warning of its exploitation.
CVE-2020-2883 is a critical deserialization vulnerability in Oracle WebLogic Server allowing remote code execution, publicly disclosed in April 2020 but recently re-emphasized by CISA, and detected early by Armis Centrix™ for Early Warning.
The Black Basta leak exposed approximately 200,000 internal chat messages from the notorious ransomware group, revealing their operational tactics, exploited vulnerabilities, and extensive global reach across 84 countries.
On February 21, 2025, Dubai-based cryptocurrency exchange Bybit suffered a $1.5 billion theft of digital assets, attributed to North Korea’s Lazarus Group, highlighting escalating state-sponsored cyberattacks.
Threat actors are exploiting a chain of vulnerabilities (CVE-2025-0108,CVE-2024-9474 and CVE-2025-0111) in Palo Alto Networks firewalls to gain unauthorized, root-level access.
CVE-2024-21413 is a critical security vulnerability in Microsoft Outlook classified as an “Improper Input Validation Vulnerability”.
Armis Labs’ investigation into DeepSeek Coder revealed that reliance on AI-generated code without proper oversight can introduce critical vulnerabilities, such as the use of known vulnerable libraries and coding practices leading to issues like SQL injection and buffer overflows.
CVE-2023-48365 is a critical pre-authentication remote code execution (RCE) vulnerability affecting Qlik Sense Enterprise for Windows.
CVE-2021-44207 is a critical security vulnerability identified in Acclaim Systems’ USAHERDS application, specifically in versions up to 7.4.0.1.
CVE-2024-1212 is a critical security vulnerability identified in Progress Kemp LoadMaster, a widely used load balancer and application delivery controller.
CVE-2021-41277 is a Local File Inclusion (LFI) vulnerability discovered in the GeoJSON API of Metabase, a widely used open-source business intelligence and analytics platform.
Armis dives into the 15 most exploited vulnerabilities reported by CISA, providing an overview of each CVE, and offering insights into the types of attacks, exploitation patterns, and how long they’ve been active.
CVE-2024-40711 is a critical remote code execution vulnerability affecting Veeam Backup & Replication (VBR) servers, which attackers are actively exploiting in ransomware attacks.
CVE-2019-1069, also known as the Task Scheduler Elevation of Privilege Vulnerability, was identified in Microsoft Windows Task Scheduler.
CVE-2016-3714 is a critical vulnerability in ImageMagick that allows remote code execution due to insufficient input filtering. ImageMagick is a popular software suite for creating, editing, and converting bitmap images.
CrowdStrike is actively working with customers impacted by the defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.
The exploit requires 10,000 attempts and specific conditions related to the GNU C Library (glibc), making widespread exploitation unlikely.
This is an easily exploitable unauthenticated remote code execution vulnerability affecting NextGen HealthCare’s Mirth Connect data integration platform.
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.
D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability.
Microsoft SmartScreen Prompt contains a security feature bypass vulnerability that allows an attacker to bypass the Mark of the Web (MotW) feature.
Microsoft Windows Print Spooler service contains a privilege escalation vulnerability.
CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page.
Check Point Quantum Security Gateways contains an unspecified information disclosure vulnerability.
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.
Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability.