web shells

ShowDoc flaw under active exploitation as users urged to update

News, Risk, Vendors, Vulnerabilities

April 15, 2026

A critical ShowDoc flaw tracked as CVE-2025-0520 is being actively exploited, with attackers using it to drop web shells on a U.S. honeypot. The bug affects older versions of the software and was fixed in 2020.
CL-UNK-1068 espionage campaign targets critical sectors across Asia

News, Research, Risk

March 10, 2026

Palo Alto Networks Unit 42 reported a years-long CL-UNK-1068 campaign that targeted critical sectors across Asia, using web server exploits, web shells and credential theft tools to steal sensitive files and maintain persistent access.
China-linked Ink Dragon group targets European government networks, Check Point says

Cybercrime, News, Research, Risk

December 17, 2025

Check Point Research says a China-linked hacking cluster known as Ink Dragon has focused on European government targets since July 2025, using web shells, ShadowPad relays and modular tooling including FINALDRAFT to maintain stealthy, long-term access across multiple regions.
Critical Sneeit WordPress plugin RCE actively exploited, security firm reports

Cybercrime, News, Risk, Vendors, Vulnerabilities

December 8, 2025

A critical remote code execution flaw (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being exploited in the wild; Wordfence said attackers have created admin accounts and uploaded web shells. The issue affects versions up to 8.3 and was fixed in 8.4. Separately, VulnCheck observed an ICTBroadcast exploit delivering a DDoS botnet called “frost.”
JPCERT/CC confirms active exploitation of command injection in Array AG gateways

Cybercrime, News, Vendors, Vulnerabilities

December 5, 2025

JPCERT/CC says a command injection vulnerability in Array Networks AG Series gateways has been exploited since August 2025 to drop web shells; Array fixed the flaw in May and users are urged to apply ArrayOS 9.4.5.9 or disable DesktopDirect and block semicolon-containing URLs if they cannot patch immediately.
Australia warns of ongoing BADCANDY attacks on unpatched Cisco IOS XE devices

Cybercrime, News, Risk, Vendors, Vulnerabilities

November 3, 2025

The Australian Signals Directorate warned of ongoing attacks using a Lua-based web shell called BADCANDY that exploits CVE-2023-20198 in unpatched Cisco IOS XE devices, estimated to have affected about 400 devices in Australia since July 2025 and urging patching and hardening measures.
ReliaQuest: Chinese-linked group converted ArcGIS server into long-term backdoor

Cloud, Cybercrime, News, Risk, Vulnerabilities

October 15, 2025

ReliaQuest reported that a state-linked group known as Flax Typhoon modified an ArcGIS Java extension into a web shell, implanted it in backups and used it to run discovery, deploy a SoftEther-based VPN bridge and maintain access for over a year.
Researchers say Chinese-speaking group UAT-8099 uses IIS servers for global SEO fraud

Cybercrime, Research, Risk, Vulnerabilities

October 6, 2025

Researchers say a Chinese-speaking group dubbed UAT-8099 has been exploiting Microsoft IIS servers to run SEO fraud and steal credentials and certificate data, using web shells, Cobalt Strike and a modified BadIIS backdoor across targets in Asia and the Americas.