End-of-Day report
Timeframe: Monday 02-02-2026 18:00 - Tuesday 03-02-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
News
Active exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281, CVE-2026-1340)
Two recently patched vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340; see our warning of 31.01.2026 as well as a technical analysis by the security researchers at Watchtowr) are already being exploited by threat actors. According to Ivanti itself, the investigation of the incidents known so far is still ongoing, and reliable technical indicators are not yet available.
https://www.cert.at/de/aktuelles/2026/2/aktive-ausnutzung-von-sicherheitslucken-in-ivanti-endpoint-manager-mobile-cve-2026-1281-cve-2026-1340
Hackers exploit critical React Native Metro bug to breach dev systems
Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.
https://www.bleepingcomputer.com/news/security/hackers-use-critical-react-native-metro-bug-to-breach-dev-systems/
Iron Mountain: Data breach mostly limited to marketing materials
Iron Mountain, a leading data storage and recovery services company, says that a recent breach claimed by the Everest extortion gang is limited to mostly marketing materials.
https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mostly-limited-to-marketing-materials/
Attackers Harvest Dropbox Logins Via Fake PDF Lures
A malware-free phishing campaign targets corporate inboxes and asks employees to view "request orders," ultimately leading to Dropbox credential theft.
https://www.darkreading.com/cloud-security/attackers-harvest-dropbox-logins-fake-pdf-lures
Detecting and Monitoring OpenClaw (clawdbot, moltbot)
Last week, a new AI agent framework was introduced to automate "live". It targets office work in particular, focusing on messaging and interacting with systems. The tool has gone viral not so much because of its features, which are similar to those of other agent frameworks, but because of a stream of security oversights in its design.
https://isc.sans.edu/diary/rss/32678
Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users
A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks. ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills.
https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html
APT28 Leverages CVE-2026-21509 in Operation Neusploit
In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain.
https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit
A new round for the perennial scam: phishing SMS in the name of FinanzOnline
The scam never really came to a halt anyway, but a wave of particular scale is currently being observed. It concerns the almost classic phishing SMS messages in the name of FinanzOnline that warn of an expiring registration. In reality, criminals are after their victims' contact and banking details.
https://www.watchlist-internet.at/news/phishing-sms-finanzonline/
WhatsApp Encryption, a Lawsuit, and a Lot of Noise
It's not every day that we see mainstream media get excited about encryption apps! For that reason, the past several days have been fascinating, since we've been given not one but several unusual stories about the encryption used in WhatsApp.
https://blog.cryptographyengineering.com/2026/02/02/whatsapp-encryption-a-lawsuit-and-a-lot-of-noise/
The art of the invisible key: Passkey global breakthrough
Passkeys now protect billions of accounts, redefining how the world signs in through stronger, more secure authentication without a password. Yet this global movement runs deeper.
https://www.cyberark.com/resources/threat-research-blog/the-art-of-the-invisible-key-passkey-global-breakthrough
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors.
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Vulnerabilities
Security update: unauthorized access to WatchGuard Firebox conceivable
Attackers can gain access to WatchGuard Firebox firewalls. Patched Fireware OS versions are available for download.
https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-WatchGuard-Firebox-vorstellbar-11163128.html
Critical vLLM Flaw Exposes Millions of AI Servers to Remote Code Execution
A newly disclosed security flaw has placed millions of AI servers at risk after researchers identified a critical vulnerability in vLLM, a widely deployed Python package for serving large language models. The issue, tracked as CVE-2026-22778 (GHSA-4r2x-xpjr-7cvv), enables remote code execution (RCE) by submitting a malicious video URL to a vulnerable vLLM API endpoint. The vulnerability affects vLLM versions 0.8.3 through 0.14.0 and was patched in version 0.14.1.
https://thecyberexpress.com/cve-2026-22778-vllm-rce-malicious-video-link/
ZDI-26-043: (0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-0775.
http://www.zerodayinitiative.com/advisories/ZDI-26-043/
Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203)
November 2025 Windows Updates brought a patch for CVE-2025-62203, a remote code execution vulnerability in Microsoft Excel that could allow a remote attacker to have their malicious code executed on a user's computer upon opening an Excel file. The vulnerability was discovered and reported to Microsoft by Quan Jin with DBAPPSecurity.
https://blog.0patch.com/2026/02/micropatches-released-for-microsoft.html
Security updates for Tuesday
Security updates have been issued by AlmaLinux (fence-agents, gcc-toolset-15-binutils, golang-github-openprinting-ipp-usb, iperf3, kernel, kernel-rt, openssl, osbuild-composer, php:8.2, python3, util-linux, and wireshark), Debian (clamav and xrdp), Fedora (gimp and openttd), Mageia (docker-containerd), Oracle (gimp:2.8, golang-github-openprinting-ipp-usb, grafana-pcp, image-builder, iperf3, kernel, openssl, osbuild-composer, php, php:8.2, php:8.3, python3.9, util-linux, and wireshark), SUSE (cockpit-subscriptions, elemental-register, elemental-toolkit, glibc, gpg2, logback, openssl-1_1, python-urllib3, ucode-amd, and unbound), and Ubuntu (inetutils, libpng1.6, mysql-8.0, mysql-8.4, openjdk-17, openjdk-17-crac, openjdk-21, openjdk-21-crac, openjdk-25, openjdk-25-crac, openjdk-8, openjdk-lts, and thunderbird).
https://lwn.net/Articles/1057047/
Update now! Attackers take over SmarterMail instances as admin
All three vulnerabilities now closed in SmarterMail 100.0.9511 (CVE-2026-23760, CVE-2026-24423, CVE-2025-52691) are rated with a threat level of "critical". All previous releases are said to be vulnerable. According to the US security agency CISA, attackers are already exploiting the first two vulnerabilities.
https://heise.de/-11163471
Improper file access permission settings in Mitsubishi Small-Capacity UPS Shutdown Software FREQSHIP-mini for Windows
https://jvn.jp/en/jp/JVN64883963/
Kubernetes CVE-2026-24514: ingress-nginx Admission Controller denial of service
https://github.com/kubernetes/kubernetes/issues/136680
Kubernetes CVE-2026-24513: ingress-nginx auth-url protection bypass
https://github.com/kubernetes/kubernetes/issues/136679
Kubernetes CVE-2026-24512: ingress-nginx rules.http.paths.path nginx configuration injection
https://github.com/kubernetes/kubernetes/issues/136678
Kubernetes CVE-2026-1580: ingress-nginx auth-method nginx configuration injection
https://github.com/kubernetes/kubernetes/issues/136677