ThreatPulse — April 19, 2026 | 10 threats, personalised for Demo User
ThreatPulse — April 19, 2026
Personalised for Demo User | Soc Analyst | Detection: KQL
10
Items
9
Critical
1
High
9
CISA KEV
48/100
CVSS 10.0
EPSS 94.4%
huntress.com
CISA KEVCRITICALYOUR STACKKQLCVE-2021-44228
Analysis
# SOC BRIEFING: CVE-2021-44228 (Log4j RCE)
## SUMMARY
CVE-2021-44228 is a critical remote code execution vulnerability in Apache Log4j 2 (CVSS 10.0) that allows unauthenticated attackers to execute arbitrary code via malicious log messages containing JNDI injection payloads. This vulnerability is actively exploited in the wild and affects millions of internet-facing applications globally.
## TRIAGE
**Severity: CRITICAL** | **Priority: IMMEDIATE**
CISA KEV listed. EPSS 94.4% indicates near-certain exploitation. Requires urgent inventory and patching of all Log4j-dependent systems.
---
## DETECTION
**Query 1: Detect Log4j JNDI Injection Attempts (Network)**
**Query 2: Detect Suspicious Java Process Execution with Log4j Indicators**
**Query 3: Detect Outbound LDAP/RMI Connections from Java Processes (Post-Exploitation)**
---
## MITRE ATT&CK
- **T1190**: Exploit Public-Facing Application
- **T1059.007**: Command and Scripting Interpreter (Java)
- **T1071.001**: Application Layer Protocol (HTTP/HTTPS)
- **T1105**: Ingress Tool Transfer
---
## ACTION
**Immediate:** Identify all systems running Log4j 2 versions < 2.17.0 (or 2.3.1 for legacy branches). Apply emergency patch to 2.17.1+ or implement mitigation: set `log4j2.formatMsgNoLookups=true` JVM property. Block outbound LDAP/RMI traffic (ports 389, 636, 1099) from Java processes at network boundary pending patch completion.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("${jndi:", "${java:", "ldap://", "rmi://", "nis://", " dns://", "iiop://", "corba://")
or RemoteUrl matches regex @"(?i)\$\{jndi:[a-z]+://"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("log4j", "-Dlog4j", "JNDI", "ldap://", "rmi://")
or (FileName =~ "java.exe" and ProcessCommandLine contains_cs "${")
| project Timestamp, DeviceName, ProcessId, ProcessCommandLine, AccountName, FolderPath, SHA256
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "java.exe"
and (RemotePort in (389, 636, 1099) or Protocol =~ "ldap" or RemoteUrl has_any ("ldap://", "rmi://"))
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| limit 1000
Source: huntress.com
48/100
CVSS 9.8
EPSS 91.9%
wiz.io
CISA KEVCRITICALYOUR STACKKQLCVE-2023-21554CVE-2023-28252
Analysis
# SOC BRIEFING: CVE-2023-28252 & CVE-2023-21554 (April 2023 Patch Tuesday)
## SUMMARY
Microsoft released critical patches for CVE-2023-28252 (EoP, actively exploited) and CVE-2023-21554 (RCE, CVSS 9.8) in April 2023. Both vulnerabilities are in CISA KEV and pose immediate risk to unpatched systems; CVE-2023-28252 is confirmed exploited in the wild.
## TRIAGE
**CRITICAL** — Immediate investigation required. EPSS 91.9%, active exploitation confirmed, RCE + EoP chain enables full system compromise. Prioritize all unpatched Windows systems.
---
## DETECTION
**Query 1: Detect CVE-2023-28252 exploitation (EoP via Win32k.sys)**
**Query 2: Detect CVE-2023-21554 exploitation (RCE via remote code execution patterns)**
**Query 3: Detect unpatched systems via missing April 2023 security updates**
---
## MITRE ATT&CK
- **T1548.004** — Abuse Elevation Control Mechanism (Token Elevation)
- **T1190** — Exploit Public-Facing Application (RCE vector)
- **T1053.005
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessIntegrityLevel has_any ("Low", "Medium") and ProcessTokenElevation has "TokenElevationTypeFull"
| where InitiatingProcessFileName in~ ("explorer.exe", "svchost.exe", "lsass.exe")
| where FolderPath has_any ("\\AppData\\", "\\Temp\\", "\\ProgramData\\")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, ProcessId, ProcessIntegrityLevel
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (445, 139, 135, 3389) and ActionType has_any ("ConnectionSuccess", "ConnectionAttempt")
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("powershell", "cmd.exe", "wmic", "rundll32")
| project DeviceId, ProcessId, ProcessCommandLine, FileName
) on DeviceId
| where InitiatingProcessFileName in~ ("svchost.exe", "services.exe", "lsass.exe")
| project Timestamp, DeviceName, RemoteIP, RemotePort, ProcessCommandLine, FileName
| limit 1000
SecurityEvent
| where Timestamp > ago(7d)
| where EventID == 4688
| where NewProcessName has_any ("wuauclt.exe", "svchost.exe")
| where CommandLine has_any ("Windows Update", "KB5025221", "KB5025222")
| summarize LastUpdateCheck = max(Timestamp), UpdateStatus = make_set(CommandLine) by Computer, Account
| where LastUpdateCheck < ago(30d)
| project Computer, Account, LastUpdateCheck, UpdateStatus
| limit 1000
Source: wiz.io
46/100
CVSS 9.8
EPSS 75.7%
huntress.com
CISA KEVCRITICALYOUR STACKKQLCVE-2025-59287
Analysis
# SOC BRIEFING: CVE-2025-59287 WSUS Remote Code Execution
## SUMMARY
Threat actors are actively exploiting CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services (WSUS) with a CVSS score of 9.8 and 75.7% EPSS probability. Successful exploitation allows unauthenticated attackers to execute arbitrary code on WSUS servers, potentially compromising patch management infrastructure and enabling lateral movement across the enterprise.
## TRIAGE
**Severity: CRITICAL**
**Priority: IMMEDIATE**
Investigate all WSUS server activity within the last 7 days. This vulnerability is in CISA KEV and actively exploited in the wild.
---
## DETECTION
**Query 1: Suspicious WSUS Process Execution and Network Activity**
**Query 2: WSUS Server Unexpected Code Execution and Privilege Escalation**
**Query 3: WSUS-Related File Modifications and Suspicious Registry Changes**
---
## MITRE ATT&CK
- **T1190
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("wsus", "WsusService.exe", "WsusUtil.exe")
| where ActionType in ("ProcessCreated", "ProcessModified")
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("wsus", "WsusService.exe", "WsusUtil.exe")
| where RemoteIPType == "Public"
) on DeviceId, DeviceName
| project Timestamp, DeviceName, ProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, AccountName
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceName has_any ("wsus", "update", "patch")
| where ProcessIntegrityLevel == "System" or ProcessTokenElevation == "TokenElevationTypeFull"
| where ParentProcessFileName !in ("services.exe", "svchost.exe", "lsass.exe", "csrss.exe")
| where FileName !in ("powershell.exe", "cmd.exe", "notepad.exe", "explorer.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, ParentProcessFileName, AccountName, ProcessId
| limit 1000
union
(DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("wsus", "WsusContent", "UpdateServicesPackages")
| where ActionType in ("FileCreated", "FileModified")
| project Timestamp, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName, AccountName),
(DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("WSUS", "WindowsUpdate", "UpdateServices")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, ActionType, InitiatingProcessFileName, AccountName)
| limit 1000
Source: huntress.com
46/100
CVSS 8.8
EPSS 94.3%
huntress.com
CISA KEVHIGHYOUR STACKKQLCVE-2021-40444
Analysis
# SOC BRIEFING: CVE-2021-40444 MSHTML RCE
## SUMMARY
CVE-2021-40444 is a critical remote code execution vulnerability in the Windows MSHTML engine affecting Microsoft Office products, with 94.3% exploit probability (EPSS) and active exploitation confirmed. Successful exploitation allows unauthenticated attackers to execute arbitrary code on vulnerable systems, typically via malicious Office documents or web content.
## TRIAGE
**CRITICAL** — CVSS 8.8, in CISA KEV, high exploit prevalence. Immediate investigation required for any Office document processing or MSHTML rendering activity on endpoints.
---
## DETECTION
**Query 1: Suspicious Office Process Spawning System Binaries**
**Query 2: MSHTML/Office Network Connections to Suspicious Destinations**
**Query 3: Office Document File Creation in Temp/AppData Followed by Execution**
---
## MITRE ATT&CK
- **T1203** — Exploitation for Client Execution
- **T1566.001** — Phishing: Spearphishing Attachment
- **T1059.001** — Command and Scripting Interpreter: PowerShell
- **T1047** — Windows Management Instrumentation
---
## ACTION
**Immediate:** Patch all Windows and Microsoft Office installations to the latest security update (
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, FileName
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "iexplore.exe", "msedge.exe")
| where RemoteIPType == "Public" and RemotePort in (80, 443, 8080, 8443)
| where RemoteUrl !has "microsoft.com" and RemoteUrl !has "office.com"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, AccountName
| limit 1000
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("%temp%", "AppData\\Local\\Temp", "AppData\\Roaming")
| where FileName matches regex @"(?i)\.(docx?|xlsx?|pptx?|msg)$"
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
) on DeviceName
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName
| limit 1000
Source: huntress.com
43/100
CVSS 10.0
EPSS 94.4%
thedfirreport.com
CISA KEVCRITICALKQLCVE-2023-46604
Analysis
# SOC BRIEFING: Apache ActiveMQ RCE → LockBit Ransomware
## SUMMARY
Threat actors exploited CVE-2023-46604 (CVSS 10.0) in exposed Apache ActiveMQ servers to achieve remote code execution via malicious Java Spring classes, establishing initial access for LockBit ransomware deployment. This is a critical supply-chain attack vector affecting any organization running unpatched ActiveMQ instances exposed to the internet.
## TRIAGE
**CRITICAL** — Immediate investigation required. CVE-2023-46604 has 94.4% EPSS and is actively exploited in the wild. Any successful exploitation leads directly to ransomware deployment.
---
## DETECTION
**Query 1: Detect ActiveMQ Process Execution with Suspicious Java Spring Class Loading**
**Query 2: Detect Suspicious Network Connections from ActiveMQ Process to External IPs**
**Query 3: Detect LockBit Ransomware Indicators Post-Exploitation (File Encryption & Ransom Notes)**
---
## MITRE ATT&CK
- **T1190** — Exploit Public-Facing Application (ActiveMQ RCE)
- **T1059.001** — Command and Scripting Interpreter: PowerShell / Java
- **T1486** — Data Encrypted for Impact (LockBit ransomware)
- **T1133** — External Remote Services (exposed ActiveMQ port)
---
## ACTION
**Immediate:** Identify all ActiveMQ instances in your environment via network discovery or asset inventory. Verify patch status against CVE-2023-46604 (ActiveM
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("activemq", "org.apache.activemq") or InitiatingProcessFileName =~ "activemq.exe"
| where ProcessCommandLine matches regex @"(?i)(spring|java\.lang\.runtime|exec|ProcessBuilder)" or FolderPath has "activemq"
| project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, SHA256, InitiatingProcessFileName
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "activemq.exe" or InitiatingProcessCommandLine has "activemq"
| where RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| where RemotePort !in (80, 443, 8161) or RemoteUrl !has "activemq"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine
| limit 1000
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified") and (FileName endswith ".lockbit" or FileName == "LOCKBIT_RECOVERY_INSTRUCTIONS.txt" or FolderPath has "LOCKBIT")
| join kind=inner (DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine has_any ("activemq", "java")) on DeviceId
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName
| limit 1000
Source: thedfirreport.com
43/100
CVSS 10.0
EPSS 94.4%
wiz.io
CISA KEVCRITICALKQLCVE-2024-50603
Analysis
# SOC BRIEFING: CVE-2024-50603 Aviatrix Controller RCE
## SUMMARY
Wiz Research confirms active exploitation of CVE-2024-50603, an unauthenticated remote code execution vulnerability in Aviatrix Controller that bypasses authentication entirely. Successful exploitation grants attackers code execution on the controller and potential privilege escalation into AWS control plane environments.
## TRIAGE
**CRITICAL** — CVSS 10.0, EPSS 94.4%, confirmed in-the-wild exploitation, CISA KEV listed. Immediate investigation required for all Aviatrix Controller instances; assume compromise if unpatched and internet-facing.
## DETECTION
**Query 1: Detect HTTP requests to Aviatrix Controller endpoints (unauthenticated RCE attempt pattern)**
**Query 2: Detect suspicious process execution on Aviatrix Controller hosts (post-exploitation)**
**Query 3: Detect failed authentication followed by successful code execution on Aviatrix (lateral movement indicator)**
## MITRE
- **T1190**: Exploit Public-Facing Application (unauthenticated RCE)
- **T1548**: Abuse Elevation Control Mechanism (privilege escalation to AWS control plane)
- **T1021**: Remote Services (lateral movement via compromised controller)
## ACTION
1. **Immediate**: Identify all Aviatrix Controller instances in your environment; verify they are patched to the latest version (check Aviatrix security advisories for patch version).
2. **If unpatched and internet-facing**: Isolate from public internet immediately; restrict access to trusted IPs only via WAF/security group rules.
3. **If patched**: Review access logs for the past 30 days for suspicious HTTP requests to `/api/` endpoints from external IPs; correlate with process execution logs for shell commands.
4.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "aviatrix" or RemoteUrl matches @"(?i)controller"
| where ActionType == "ConnectionSuccess" or ActionType == "ConnectionAttempted"
| where InitiatingProcessFileName !in ("aviatrix-agent", "aviatrix-controller")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceName has "aviatrix" or DeviceName has "controller"
| where ProcessCommandLine has_any ("bash", "sh", "cmd", "powershell", "curl", "wget") and ProcessCommandLine has_any ("/api/", "unauthenticated", "rce")
| where AccountName !in ("aviatrix", "root", "system")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, ProcessId, ParentProcessFileName
| limit 1000
union
(SecurityEvent | where EventID == 4625 and Computer has "aviatrix" | project Timestamp, Computer, Account, IpAddress),
(DeviceProcessEvents | where DeviceName has "aviatrix" and ProcessCommandLine has_any ("bash", "sh", "cmd") | project Timestamp, DeviceName, ProcessCommandLine, AccountName)
| sort by Timestamp desc
| limit 1000
Source: wiz.io
43/100
CVSS 9.8
EPSS 94.4%
thedfirreport.com
CISA KEVCRITICALKQLCVE-2023-22527
Analysis
# SOC BRIEFING: CVE-2023-22527 Confluence RCE / ELPACO-team Ransomware
## SUMMARY
Unpatched Confluence servers are being exploited via CVE-2023-22527 (template injection, CVSS 9.8) to achieve remote code execution, with confirmed follow-on deployment of Metasploit payloads and ransomware by ELPACO-team. This is a critical, actively exploited vulnerability with 94.4% EPSS score and confirmed CISA KEV listing.
## TRIAGE
**CRITICAL** — Immediate investigation required. Unpatched Confluence instances are direct-to-RCE targets; ransomware deployment observed in the wild.
---
## DETECTION
**Query 1: Confluence Process Execution Anomalies (Metasploit/Payload Indicators)**
**Query 2: Confluence Web Server Exploitation Attempts (CVE-2023-22527 Template Injection)**
**Query 3: Suspicious File Writes Post-Exploitation (Ransomware Staging)**
---
## MITRE ATT&CK
- **T1190** — Exploit Public-Facing Application (CVE-2023-22527 template injection)
- **T1059** — Command and Scripting Interpreter (curl, PowerShell, bash execution)
- **T1105** — Ingress Tool Transfer (Metasploit payload download)
- **T1486** — Data Encrypted for Impact (ransomware deployment)
---
## ACTION
**Immediate:** Identify all Confluence instances in your environment via asset inventory; cross-reference against
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("java", "confluence")
| where ProcessCommandLine has_any ("curl", "wget", "powershell", "cmd.exe /c", "bash -c")
| where ProcessCommandLine matches regex @"(?i)(http|ftp|payload|meterpreter|reverse)"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessId, AccountName
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("confluence", "/rest/", "/wiki/") or RemoteUrl matches regex @"(?i)(template|velocity|freemarker|ssti)"
| where InitiatingProcessFileName has_any ("java", "tomcat", "confluence")
| where ActionType in ("ConnectionSuccess", "ConnectionAttempted")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| limit 1000
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("java", "confluence", "curl", "powershell")
| where FolderPath has_any ("temp", "appdata", "programdata", "windows\\system32")
| where FileName matches regex @"(?i)(\.exe|\.dll|\.ps1|\.bat|\.sh|ransom|crypt|encrypt)"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileSize
| limit 1000
Source: thedfirreport.com
43/100
CVSS 9.8
EPSS 94.4%
wiz.io
CISA KEVCRITICALKQLCVE-2024-4577
Analysis
# SOC BRIEFING: CVE-2024-4577 PHP CGI RCE
## SUMMARY
CVE-2024-4577 is a critical remote code execution vulnerability in PHP CGI (CVSS 9.8, EPSS 94.4%) that allows unauthenticated attackers to execute arbitrary code on vulnerable servers. This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog, requiring immediate patching across all PHP CGI deployments.
## TRIAGE
**Severity: CRITICAL**
**Investigation Priority: IMMEDIATE**
Exploitation requires no authentication and results in full system compromise. Any PHP CGI process accepting untrusted input is at risk.
---
## DETECTION
**Query 1: Detect PHP CGI Process Execution with Suspicious Command-Line Arguments**
**Query 2: Detect Suspicious HTTP Requests to PHP CGI Endpoints with Payload Indicators**
**Query 3: Detect Unexpected Child Processes Spawned from PHP CGI**
---
## MITRE ATT&CK
- **T1190**: Exploit Public-Facing Application
- **T1059**: Command and Scripting Interpreter
- **T1053**: Scheduled Task/Job (if
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has_any ("php-cgi.exe", "php-cgi") or ProcessCommandLine has "php-cgi"
| where ProcessCommandLine matches regex @"(?i)(-d\s+auto_prepend_file|allow_url_include|register_globals)" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "eval"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessId, InitiatingProcessFileName, FolderPath
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl matches regex @"(?i)(\.php\?|cgi-bin|php-cgi)" or RemoteUrl contains "auto_prepend_file" or RemoteUrl contains "allow_url_include"
| where InitiatingProcessFileName has_any ("w3wp.exe", "httpd.exe", "nginx", "apache2", "php-cgi.exe") or RemotePort in (80, 443, 8080)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine, LocalPort, RemotePort
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ParentFileName has_any ("php-cgi.exe", "php-cgi") or ParentProcessId in (
DeviceProcessEvents
| where FileName has_any ("php-cgi.exe", "php-cgi")
| project ProcessId
)
| where FileName has_any ("cmd.exe", "powershell.exe", "bash", "sh", "whoami", "net.exe", "ipconfig.exe") or ProcessCommandLine matches regex @"(?i)(cmd|powershell|bash|nc|ncat|curl|wget)"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ParentFileName, ProcessId, ParentProcessId
| limit 1000
Source: wiz.io
43/100
CVSS 10.0
EPSS 86.9%
recordedfuture.com
CISA KEVCRITICALKQLCVE-2025-55182
Analysis
# SOC BRIEFING: React2Shell (CVE-2025-55182) Exploitation Campaign
## SUMMARY
CVE-2025-55182 (React2Shell) is a CVSS 10.0 critical vulnerability in Meta's React framework with 86.9% EPSS probability and active exploitation in the wild. December 2025 saw a 120% surge in critical CVE exploitation, with this flaw dominating threat activity across web applications using vulnerable React versions.
## TRIAGE
**CRITICAL** — Immediate investigation required. CVSS 10.0 + CISA KEV listing + active exploitation = highest priority. All React-based applications must be inventoried and patched within 24 hours.
---
## DETECTION
**Query 1: Detect React Framework Process Execution with Suspicious Command Patterns**
**Query 2: Detect Outbound Network Connections from React/Node Processes to Suspicious Destinations**
**Query 3: Detect File Writes and Modifications in React Application Directories**
---
## MITRE ATT&CK
- **T1190** — Exploit Public-Facing Application (vulnerable React framework)
- **T1203** — Exploitation for Client Execution (code injection via React)
- **T1059.007** — Command and Scripting Interpreter: JavaScript/Node.js
- **T1105** — Ingress Tool Transfer (payload delivery)
---
## ACTION
**Immediate:** Identify all internal applications using React framework versions prior to the patched release. Cross-reference with DeviceProcessEvents and DeviceNetworkEvents for exploitation indicators. Patch or isolate affected systems within 24 hours
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessCommandLine has_any ("react", "node", "npm") and (ProcessCommandLine matches regex @"(?i)(eval|exec|spawn|child_process)" or ProcessCommandLine contains "--expose-gc" or ProcessCommandLine contains "--max-old-space-size")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessId, FileName, FolderPath
| limit 1000
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "npm.exe", "react.exe") or InitiatingProcessCommandLine has "react"
| where RemoteIPType == "Public" and RemotePort in (80, 443, 8080, 3000, 5000)
| where RemoteUrl !has_any ("npmjs.com", "github.com", "cdn.jsdelivr.net", "unpkg.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| limit 1000
DeviceFileEvents
| where TimeGenerated > ago(7d)
| where FolderPath has_any ("node_modules", "react", ".next", "dist", "build") and ActionType in ("FileCreated", "FileModified")
| where FileName !endswith (".json", ".lock", ".log") and FileName !has_any ("package", "tsconfig", "webpack")
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName, SHA256
| limit 1000
Source: recordedfuture.com
41/100
CVSS 9.8
EPSS 89.4%
github.com
CRITICALKQLCVE-2025-61882
Summary
CVE-2025-61882 (NetVanguard-cmd) is a critical vulnerability with a CVSS score of 9.8 affecting multiple platforms including Windows, Azure, and Docker environments. Detection should focus on identifying exploitation attempts through command execution patterns and suspicious process activity associated with vulnerable NetVanguard components.
Detection Query (KQL)DeviceProcessEvents | where ProcessCommandLine contains "netvanguard" or ProcessCommandLine contains "netguard" or ProcessCommandLine matches regex @"(?i)(netvanguard|netguard).*cmd" | where InitiatingProcessName !in ("explorer.exe", "svchost.exe") | project Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessName, InitiatingProcessId, AccountName | union (SecurityEvent | where EventID == 4688 and (CommandLine contains "netvanguard" or CommandLine contains "netguard") | project TimeGenerated, Computer, NewProcessId, CommandLine, ParentProcessName, SubjectUserName)
Detection Logic
Monitor for process creation events containing NetVanguard-cmd references in command lines, focusing on suspicious parent processes and execution contexts. Cross-reference Windows Security Event logs (EventID 4688) and Microsoft Defender for Endpoint process events to identify exploitation attempts. Alert on any execution from non-standard locations or by unexpected service accounts.
Affected ProductsWindows, Azure, Docker, VMware, Cisco, Chrome, Python, Office365
ATT&CK TechniquesT1059.001, T1190, T1203
False Positive NotesLegitimate NetVanguard administrative tools may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out expected system processes and legitimate security software. Tune based on organizational baseline of NetVanguard usage patterns. Consider excluding events from approved administrative workstations and change management systems.
Source: github.com
ThreatPulse — Automated Threat Intelligence
Unsubscribe |
Update Preferences
Don't miss what's next. Subscribe to Ethan Andrews: