the threat gazette
Morning Edition
Vulnerabilities

Adobe Acrobat Reader Zero-Day Exploited for 5+ Months — No Patch, No CVE, No Attribution

An unpatched Adobe Acrobat Reader zero-day has been exploited in the wild since at least November 2025, with no CVE assigned, no CVSS score, and no vendor remediation available. Delivery is via malicious PDF files consistent with spear-phishing or watering hole deployment. The extended exploitation window — over five months — without detection by commercial EDR or sandbox products suggests the exploit chain incorporates deliberate anti-analysis techniques, likely sandbox fingerprinting or context-aware payload detonation. The vulnerability was identified on March 26 by researcher Haifei Li via EXPMON's public sandbox interface (see companion story below), not through Adobe's own telemetry or any commercial threat intelligence feed. The prolonged operational security and absence of public attribution argue against commodity criminal use and are more consistent with a nation-state or sophisticated espionage actor deploying selectively against high-value targets. For a financial institution, the risk is straightforward: PDF is a ubiquitous business document format, and Acrobat Reader is installed on effectively every corporate endpoint. Until Adobe ships a patch, defensive posture should focus on Reader isolation controls (Protected Mode enforcement, application sandboxing) and, where workflow permits, routing external PDFs through cloud-based preview or rendering services that don't execute native Reader code.

Five months of undetected exploitation on one of the most widely deployed desktop applications on earth, caught by a researcher's public sandbox project. That's a sobering data point about the gap between detection architecture assumptions and reality. Watch for Adobe's advisory timeline — the absence of a CVE this late is unusual and may indicate a complex disclosure process.
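As an added example (not from the article or from Adobe) of checking the Reader isolation controls the story recommends, the script below evaluates the machine-policy FeatureLockDown values for Protected Mode, Protected View, Enhanced Security and JavaScript; the value names and their meanings are assumed from Adobe's preference reference, and the registry read is Windows-only while the evaluation runs anywhere on a captured dict.

```python
"""Audit Acrobat Reader isolation settings enforced by machine policy.

Added example, not from the article or from Adobe. Assumption: the value
names below live under the Reader DC FeatureLockDown policy key as documented
in Adobe's preference reference; the registry read is Windows-only and kept
separate so the evaluation can run anywhere on a captured dict.
"""
from typing import Dict, List, Optional

POLICY_KEY = r"SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"

# Hardened values: Protected Mode locked on, Protected View for all files,
# Enhanced Security on, JavaScript off (assumed Adobe names and semantics).
EXPECTED: Dict[str, int] = {
    "bProtectedMode": 1,
    "iProtectedView": 2,
    "bEnhancedSecurityStandalone": 1,
    "bDisableJavaScript": 1,
}

def evaluate_lockdown(values: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per setting that is absent (user-changeable) or weaker
    than the expected policy value; an empty list means fully enforced."""
    findings = []
    for name, want in EXPECTED.items():
        got = values.get(name)
        if got is None:
            findings.append(f"{name}: not set by policy, user can change it")
        elif got != want:
            findings.append(f"{name}: is {got}, expected {want}")
    return findings

def read_lockdown_from_registry() -> Dict[str, Optional[int]]:
    """Windows-only: read the HKLM policy values; missing key/value -> None."""
    import winreg  # only importable on Windows
    out: Dict[str, Optional[int]] = {name: None for name in EXPECTED}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in EXPECTED:
                try:
                    out[name] = int(winreg.QueryValueEx(key, name)[0])
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass  # no policy key at all: nothing is enforced
    return out

# Constructed sample of a common state: Protected Mode on but nothing else locked.
SAMPLE_WEAK: Dict[str, Optional[int]] = {"bProtectedMode": 1, "iProtectedView": 0}
```

On a Windows endpoint, `evaluate_lockdown(read_lockdown_from_registry())` returns the list of settings a user could still weaken; on any other host, run it against a dict exported from the fleet's registry collection.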

2026-04-09
1 source

Editorial

the adobe acrobat reader zero-day is today's headline, but the real story is the detection model that found it: a public research sandbox, not adobe's own telemetry, not a commercial EDR vendor, not a threat intel firm. five months of active exploitation with no CVE, no patch, and no attribution — that's not a vulnerability disclosure timeline, that's a systemic detection gap. for any organization that treats vendor advisories as the starting gun for response, this is a reminder that the gun may never fire. leadership should be asking: what's our exposure to threats that exist below the vendor visibility waterline, and how are we instrumenting for that?

UNC6783 deserves disproportionate attention relative to its news cycle footprint. google GTIG formally tracking a scattered spider-adjacent group that targets BPOs and helpdesks via live chat is a direct threat model for any financial institution with outsourced customer-facing operations — which is all of them. live chat is a trust channel, not a hardened one, and the attack surface here isn't technical so much as organizational: your third-party BPO's SOC maturity is now your perimeter. meanwhile, the marimo notebook RCE (10 hours from disclosure to weaponized exploit) and the react server components public exploit (six months post-KEV, EPSS 0.86) continue to compress the window between "known" and "owned" — the former for exposed dev tooling, the latter for production web infrastructure that probably hasn't been patched because nobody read the KEV listing in october.

Critical

Malware

EXPMON Public Sandbox Discovery Exposes Limits of Commercial Detection on Adobe Zero-Day

This is companion coverage to the Adobe Acrobat Reader zero-day above, focused on the discovery mechanism. EXPMON — a research-oriented public sandbox optimized for advanced file-based exploit detection — caught the zero-day via a suspicious PDF submission after it had evaded commercial detection infrastructure for approximately five months. The analytical takeaway is that the exploit specifically defeated the sandbox and EDR products that most enterprises rely on as their primary file-based threat detection layer. The fact that a crowd-sourced research platform outperformed commercial telemetry at scale is not unprecedented but is worth internalizing: detection coverage for sophisticated file-format exploits remains structurally weaker than the vendor marketing suggests, particularly when threat actors invest in environment-aware payload logic.

2026-04-09
1 source
Vulnerabilities

React Server Components RCE Gets Public Exploit Six Months After KEV Listing

CVE-2025-55182

CVE-2025-55182 affects React Server Components versions 19.0.0 through 19.2.0, carrying an EPSS of 0.863 — roughly the top 14% of all scored CVEs by exploitation probability. A public exploit (EDB-52506) is now available via Exploit-DB, but the CISA KEV remediation deadline was December 2025, meaning active exploitation was confirmed at least four months before this PoC surfaced publicly. The timeline strongly implies the exploit was circulating privately and CISA's listing was based on observed in-the-wild activity, not a published proof of concept. The NVD record is conspicuously incomplete — no CVSS, no CWE, no attack vector metadata — which is atypical for a KEV-listed vulnerability and likely reflects delayed NVD processing rather than low severity. Any Next.js App Router or RSC-based application running React 19.x in an internet-facing or cloud deployment should be verified as patched. The deployment footprint here is substantial given how aggressively the Next.js ecosystem has adopted the App Router and server components paradigm since React 19's release.

2026-04-08
1 source

Notable

Malware

UNC6783: Financially Motivated BPO-Targeting Group Formally Tracked by Google GTIG

LAPSUS$, Scattered Spider, UNC6783, Proton

Google Threat Intelligence Group has designated UNC6783 as a distinct financially motivated threat cluster targeting business process outsourcers and large enterprises via live chat channels, potentially linked to the 'Raccoon' persona. The group's TTPs parallel LAPSUS$ and Scattered Spider — social engineering of helpdesk and customer-facing staff to gain initial access or trigger unauthorized actions — but the live chat vector is a meaningful evolution that bypasses voice-based vishing detection controls. For financial institutions, BPO exposure is a critical supply chain risk. The sector extensively outsources fraud operations, KYC, customer support, and identity verification — all functions where a socially engineered helpdesk agent can authorize credential resets or MFA bypasses with devastating downstream impact. The formalization of UNC6783 as a separate cluster from Scattered Spider suggests Google is seeing enough differentiated infrastructure or personnel to justify a split, though the groups likely share the broader English-speaking, social-engineering-first operational playbook.

Review BPO vendor security requirements now — specifically whether MFA bypass via helpdesk is possible without out-of-band verification against authoritative HR systems. The live chat vector exploits the customer service incentive structure directly and is harder to detect than voice-based vishing. This cluster appears to be part of a loose confederation sharing TTPs if not tooling.

Vulnerabilities

Marimo Python Notebook Pre-Auth RCE Exploited Within Ten Hours of Disclosure

CVE-2026-33017

A pre-authentication RCE in the marimo open-source Python notebook platform (GHSA-2679-6mx9-h9xc) was weaponized within ten hours of disclosure on April 8. The vulnerability is an unauthenticated terminal WebSocket endpoint that yields a full interactive shell on any exposed instance — no credentials required. The ten-hour exploitation timeline confirms automated scanning is already targeting this endpoint class. Risk is gated entirely on exposure: internal-only deployments behind network controls are not meaningfully affected, but any internet-facing or cloud-hosted marimo instance should be treated as compromised until patched. The broader concern is notebook platforms as an attack surface class — Jupyter, JupyterHub, marimo, Zeppelin — which are persistently undervalued from a security posture perspective because they're perceived as internal research tooling, while in practice they frequently run in cloud environments with liberal ingress rules and embedded production credentials.

Flag this to data science and quant infrastructure owners. The real question isn't whether anyone runs marimo specifically — it's whether any notebook platform is reachable without authentication from outside the corporate network. Surprisingly common in 'temporary' cloud research environments that never got decommissioned.
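As an added example (not from the article or the marimo project) of the exposure check the note above asks for, the detection below runs over reverse-proxy access logs and flags completed WebSocket upgrades to terminal-style endpoints from addresses outside the corporate ranges; the log layout, the terminal route pattern and the "internal" address ranges are all assumptions, and the log lines are constructed.

```python
"""Flag completed WebSocket upgrades to terminal-style notebook endpoints.

Added example, not from the article or the marimo project. Assumes a reverse
proxy logs combined-format lines with the request's Upgrade header appended as
a final quoted field; the terminal route pattern is a placeholder, not marimo's
real route; "internal" means RFC 1918 plus loopback/link-local.
"""
import ipaddress
import re
from typing import Dict, List

# Assumed layout: ip - - [ts] "METHOD path PROTO" status bytes "referer" "ua" "upgrade"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<upgrade>[^"]*)"$'
)
TERMINAL_PATH = re.compile(r"/(terminal|terminals|pty)(/|$)", re.IGNORECASE)  # placeholder
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

def is_external(ip: str) -> bool:
    """True when the client address is outside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_terminal_upgrades(lines: List[str]) -> List[Dict[str, str]]:
    """Return requests where an external client received 101 Switching Protocols
    on a terminal-like path, i.e. the server handed out a shell with no auth
    challenge (a 401 on the same path means authentication held)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        if m["upgrade"].lower() != "websocket" or m["status"] != "101":
            continue  # not a completed WebSocket handshake
        if not TERMINAL_PATH.search(m["path"]) or not is_external(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "path": m["path"], "ts": m["ts"], "ua": m["ua"]})
    return hits

# Constructed sample; 203.0.113.0/24 (a documentation range) stands in for the internet.
SAMPLE_LOG = [
    '10.20.30.40 - - [08/Apr/2026:14:01:58 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"',
    '203.0.113.5 - - [08/Apr/2026:14:02:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "websocket"',
    '203.0.113.9 - - [08/Apr/2026:14:02:40 +0000] "GET /api/kernel/status HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.9 - - [08/Apr/2026:14:03:02 +0000] "GET /terminal/ws HTTP/1.1" 401 0 "-" "Mozilla/5.0" "websocket"',
]
```

Only the second sample line is reported: the first is an internal client, the third never upgrades, and the fourth was refused with a 401, which is the behaviour a patched or properly fronted instance should show.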

Briefs