Posts tagged ‘Threat Intelligence’

Industry Insights May 13, 2026

CVE-2026-41940: Inside the cPanel/WHM Authentication Bypass

Introduction
Hosting control panels operate with near-total authority over a server: websites, databases, DNS, email, and the account lifecycle are all driven from one place. That privilege makes them a high-value target—when a control-plane bug appears, compromise can extend far beyond a single site. CVE-2026-41940 is a pre-authentication bypass affecting WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared). In practical terms, it lets a remote, unauthenticated attacker reach administrator-level control without supplying valid credentials.
Background: What Is cPanel/WHM?
cPanel is a widely deployed, Linux-based hosting panel. WHM is the higher-privileged layer used by resellers and server administrators to…

Industry Insights May 11, 2026

The Ghost in the Leased Line: Unmasking MuddyWater, Surgical Cyber Arm

In the high-stakes theater of global geopolitics, the most effective weapons aren’t always missiles; sometimes they are just a few lines of code.

Industry Insights Apr 2, 2026

Identity Is the New Perimeter. Stryker Just Taught Us That the Hard Way.

A story on how an Iran-linked group wiped tens of thousands of Stryker’s devices
A nation-state attack that changes every assumption we had
For years, we have treated nation-state threats as a “Tier 1” problem — something reserved for defense contractors and the energy grid. The March 2026 attack on Stryker Corporation by Iran-linked group Handala officially kills that assumption. On March 11, 2026, Stryker’s corporate Microsoft environment was hit. Employees arrived to find their managed devices wiped out overnight through entirely legitimate Intune commands. Handala claimed 200,000+ systems affected; independent reporting confirms that tens of thousands were impacted. Stryker’s…

Industry Insights Mar 31, 2026

What is Workspace Security?

What Is Workspace Security? Learn how Workspace Security, operating within the broader Secure Access Service Edge (SASE) framework, unites advanced security and networking technologies to safeguard users, devices, applications, and data. From enabling Zero Trust principles to incorporating tools like SWG, CASB, ZTNA, DLP, and DEM, explore how Workspace Security helps organizations protect distributed workforces while enabling productivity and collaboration. Discover why Versa is a leader in SASE innovation for modern enterprises.

Product & Engineering Mar 26, 2026

Securing the Modern Browser: How Versa Remote Browser Isolation Protects an AI-Driven Workforce

Remote Browser Isolation (RBI) is a critical defense against zero-day threats, data loss, and unmanaged device risk. Learn how Versa RBI integrates natively with Unified SASE to secure the browser across your enterprise.

AI Thought Leadership Feb 27, 2026

AI-Generated Malware Like VoidLink: Why Architecture, Not Hype, Is the Real Defense — and How Versa SASE Delivers It

Recent reporting on VoidLink, a Linux malware framework reportedly developed almost entirely with the assistance of generative AI, marks a structural shift in the threat landscape. According to coverage in CSO Online, VoidLink’s development cycle, code organization, and modular design strongly suggest AI-assisted creation — compressing what historically required months of coordinated engineering into days of automated iteration. This is where Versa SASE, combined with GenAI usage controls, provides a grounded and enforceable defensive posture.

Research Lab Feb 5, 2026

BrickStorm Malware: Anatomy of a Stealth Linux Backdoor Targeting Modern Infrastructure

BrickStorm is a highly stealthy Linux backdoor designed for long-term, targeted cyber-espionage. BrickStorm is closely associated with the cyber-espionage group UNC5221, which is known for exploiting zero-day vulnerabilities in network edge appliances such as those from Ivanti and F5, and for the MITRE breach. Unlike commodity malware, BrickStorm is deployed post-compromise, operates largely in memory, and uses a modular architecture with custom encrypted command-and-control (C2). Its focus on Linux servers, network appliances, and embedded systems reflects a broader trend: attackers increasingly target infrastructure layers where visibility and detection are weakest.

Research Lab Dec 16, 2025

React2Shell Vulnerability

React2Shell Remote Code Execution in React Server Components Vulnerability
The bug dubbed React2Shell, comprising two CVEs, CVE-2025-55182 and CVE-2025-66478, allows remote unauthenticated users to gain code execution on servers running vulnerable versions of React RSC or the Next.js App Router via a single HTTP request.

MITRE Tactic | ID | Technique Name
Initial Access | T1109 | Exploit Public-Facing Application
Execution | T1059 | Command and Scripting Interpreter
Persistence | T1505.003 | Server Software Component: Web Shell
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion

Next.js now powers a massive share of the modern web — millions of production sites,…

Company Updates Dec 4, 2025

Achieve Zero Blind Spots with Versa’s Complete Branch Security that Protects Guest Wi-Fi and Beyond 

Branches are surging back in prominence as hubs for users, applications, and a rapidly expanding IoT ecosystem. In this new branch paradigm, Guest Wi-Fi is no longer a convenience. It’s a non-negotiable requirement across retail, healthcare, hospitality, financial services, and much more. Unfortunately, this shift introduces a new mix of unpredictable user behavior, diverse applications, and thousands of devices to the branch infrastructure. This dramatically increases bandwidth demands and expands the attack surface where guest devices can bring malicious files, launch DNS-based threats, enable data exfiltration, or open compliance and privacy gaps. Industry research shows 70% of performance degradation and…

Research Lab Nov 25, 2025

Versa Threat Research Labs Spotlight – DeskRAT: TransparentTribe’s Latest Weapon for Targeted Espionage

TransparentTribe (also known as APT36), a state-sponsored threat actor known for long-running cyber espionage against defense and government sectors, has launched a new campaign leveraging a custom Remote Access Trojan (RAT) dubbed DeskRAT. This malware is distributed through phishing emails containing malicious attachments or links that deliver the payload to targeted systems.


Versa Security Bulletin: Update on CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability

By Versa Security Research Team

August 26, 2024

A medium-severity vulnerability was discovered in Versa Director (CVE-2024-39717), and a patch has been released. Impacted customers failed to implement system hardening and firewall guidelines, leaving a management port exposed on the internet.

CrowdStrike Outage: Latest Updates and Best Practices

By Naganathan S J
Staff Security Engineer - Research
July 19, 2024

Today, CrowdStrike reported a significant outage affecting multiple services, including their Falcon platform. The CrowdStrike team is actively working to resolve the issue and restore full functionality. Users are advised to monitor CrowdStrike’s official status page for real-time updates and follow any recommended actions provided by the company.

Building Context with UEBA Relationship Graphs, Using GraphML

By Sridhar Iyer

May 2, 2024

Versa UEBA incorporates GraphML to generate insights and detect anomalies in user relationship graphs. Anomaly and behavior detections are just the first step. We then need to quickly pivot into building the forensics to inform response and remediation. This can involve determining the origination point of a malicious activity or an attack and building the scope and scale of a potential breach.

Versa Security Bulletin: Palo Alto Networks PAN-OS GlobalProtect Zero-Day Vulnerability under Active Exploitation

CVEs: CVE-2024-3400
Summary
Recently Palo Alto Networks announced a critical vulnerability in their PAN-OS software used in their GlobalProtect VPN Gateway, which is a feature in the PAN-OS Firewall. The current timeline of discovery, public disclosure and fixes is as follows: Volexity first discovered the PAN-OS attack on April 10, 2024 at one of its network security monitoring (NSM) customers, and on April 11, 2024 subsequently learnt that another NSM customer was compromised by the same threat actor. Palo Alto Networks was then notified by Volexity that a zero-day vulnerability in its GlobalProtect Gateway was under active…

Versa Security Bulletin: ConnectWise ScreenConnect Authentication Bypass and Path-Traversal Vulnerabilities

CVEs: CVE-2024-1708; CVE-2024-1709
Summary
On Feb. 13, 2024, ConnectWise was notified of two vulnerabilities in their remote access tool ScreenConnect. On Feb. 19, 2024, ConnectWise publicly disclosed two new high-severity and critical vulnerabilities patched in its remote access tool ScreenConnect Version 23.9.8, with the following CVEs: CVE-2024-1708, a path-traversal vulnerability (CWE-22), and CVE-2024-1709, an authentication bypass vulnerability (CWE-288). These vulnerabilities can be exploited to deliver Remote Access Trojans (RATs), ransomware, cryptocurrency miners, stealer malware and many others.

CVE | Description | CVSSv3 | Severity
CVE-2024-1709 (CWE-288) | Authentication Bypass Using Alternate Path or Channel | 10.0 | Critical
CVE-2024-1708 (CWE-22) | Improper Limitation of a Pathname to… | |

Versa Security Bulletin: Volt Typhoon Exploitation of N-Day and Zero-Day Vulnerabilities

By Versa Security Research Team

February 28, 2024

Summary
This security bulletin focuses on understanding the sophisticated exploitation of critical n-day and zero-day vulnerabilities in VPN and other network devices by state-sponsored threat actors, reinforcing the urgency for organizations to prioritize patching vulnerabilities in appliances known to be targeted. The recent exploitation of the critical FortiOS vulnerability followed a disclosure by CISA and other federal agencies revealing that China-linked threat group Volt Typhoon has been known to exploit network appliances from several vendors including Fortinet. Fortinet released a blog post to coincide with the U.S. agencies’ advisory, which pointed to “the need for organizations to have a robust…

Versa Security Bulletin: Multiple Vulnerabilities Affecting Ivanti Connect Secure and Ivanti Policy Secure

By Versa Security Research Team

February 7, 2024

CVEs: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893
Summary
Recently, Ivanti Connect Secure appliances have faced active exploitation through a series of linked vulnerabilities of high or critical severity. On January 10, 2024, Ivanti disclosed two new vulnerabilities in its Ivanti Connect Secure and Ivanti Policy Secure gateways: CVE-2023-46805 (high-severity authentication bypass vulnerability) and CVE-2024-21887 (critical-severity command injection vulnerability).

Versa Security Bulletin: Okta Customer Support Security Incident

By Versa Security Research Team

December 5, 2023

On October 20, 2023, Okta disclosed a security incident affecting their customer support management system. In a note following that disclosure Okta said that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers.

Modernizing Retail with Secure SD-WAN

By Leo Jiao
Sr. Systems Engineer, Versa Networks
November 2, 2023

In recent years we’ve witnessed transformative changes in both technology and the retail industry. The retail world has seen tremendous ups and downs over the past several years thanks to the impact of COVID. In addition to challenges such as store closures, reduced foot traffic, and supply chain problems, digital disruptions include an increasing shift to e-commerce and new types of cyber threats that have dramatically changed how people shop and how retail businesses should operate. In the technology world, numerous stunning innovations such as AI/ML-assisted network operations and threat detection are making people’s jaws drop because of their capabilities…

Versa Security Bulletin: Cisco IOS XE Web UI Privilege Escalation Vulnerability affecting upwards of 50k devices (patched)

By Jayesh Gangadas Patel
Principal Threat Researcher, Versa Networks
October 26, 2023

Summary
On October 16, 2023, Cisco reported two new vulnerabilities in the web UI of its Cisco IOS XE operating system, which runs many of its routers and switches: CVE-2023-20198 and CVE-2023-20273. These vulnerabilities were initially exploited by unknown attackers and had affected more than 10,000 devices when first observed. In the following days the attack was leveraged to affect more than 50,000 devices, at which point Cisco identified a free software fix to protect devices. Cisco released the updated version 17.9.4a on October 23 to fix the issue…

