ctipilot.ch

GIFTEDCROOK via UAC-0226 and Earth Dahu still exploiting WinRAR CVE-2025-8088 against Ukraine (Trend Micro)

campaign · campaign:uac0226-giftedcrook-winrar-cve-2025-8088

Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
Briefs: 1 (1 distinct)
Sources cited: 8 (8 hosts)
Sections touched: 1 (research)
Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10
     research · First coverage. Year-old WinRAR ADS flaw still weaponized; C2 moved off Telegram post Feb-2026 block.

Where this entity is cited

  • research (1)

Source distribution

  • cisa.gov: 1 (12%)
  • jpcert.or.jp: 1 (12%)
  • sec.cloudapps.cisco.com: 1 (12%)
  • security-hub.ncsc.admin.ch: 1 (12%)
  • success.trendmicro.com: 1 (12%)
  • thehackernews.com: 1 (12%)
  • theregister.com: 1 (12%)
  • trendmicro.com: 1 (12%)

Related entities

Items in briefs about GIFTEDCROOK via UAC-0226 and Earth Dahu still exploiting WinRAR CVE-2025-8088 against Ukraine (Trend Micro) (5)

Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Trend Micro documents two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year after the fix (Trend Micro, 2026-06-08). SHADOW-EARTH-066 (UAC-0226) delivers GIFTEDCROOK via crafted RAR archives with decoy PDFs and hidden ADS payloads that extract to the Startup folder and run in-memory PowerShell DLL loaders to steal passwords, cookies and documents from Chrome, Edge, Opera and Firefox; a separate Earth Dahu chain uses an HTA-to-VBScript dropper (The Hacker News, 2026-06-09). Both actors moved C2 off Telegram to dedicated servers after Russia's February 2026 Telegram block. The defender lesson is the persistence of an exploited entry point in unmanaged software: hunt wscript.exe/mshta.exe spawned from archive-extraction events, Startup-folder writes (Sysmon EID 11), and PowerShell script-block logging (EID 4104) for in-memory reflection. CVE-2025-8088 affects any unpatched WinRAR globally; ensure deployed versions are current (T1059.005, T1547.001, T1555.003).
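The three hunts named above, worked out as an added example (this is not Trend Micro's code or the brief's own query): rules over constructed Sysmon EID 11 / EID 1 and PowerShell EID 4104 records that flag an archiver writing into the Startup folder, a script host launched from an archiver or running a Startup item, and script blocks carrying the in-memory reflection pattern. The archiver list and every sample record are assumptions constructed for the demonstration.

```python
"""Added example, not Trend Micro's or the brief's code: hunt rules for the WinRAR
CVE-2025-8088 chain over constructed Sysmon (EID 1, 11) and PowerShell (EID 4104) records.
Field names follow those event schemas; every record below is constructed."""
import re

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}           # assumed set of extraction parents
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
REFLECTION_RE = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(|FromBase64String\(",
                           re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (rule, RecordId) pairs; each event is a dict with at least EventID and RecordId."""
    hits = []
    for ev in events:
        eid, rid = ev["EventID"], ev["RecordId"]
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        if eid == 11 and image in ARCHIVERS and STARTUP_RE.search(ev.get("TargetFilename", "")):
            hits.append(("archiver_write_to_startup", rid))        # ADS traversal landing in Startup
        elif eid == 1 and image in SCRIPT_HOSTS and parent in ARCHIVERS:
            hits.append(("script_host_from_archiver", rid))        # HTA/VBS launched from the archive
        elif eid == 1 and image in SCRIPT_HOSTS and STARTUP_RE.search(ev.get("CommandLine", "")):
            hits.append(("script_host_running_startup_item", rid))  # dropped file executing at logon
        elif eid == 4104 and REFLECTION_RE.search(ev.get("ScriptBlockText", "")):
            hits.append(("inmemory_reflection_scriptblock", rid))   # in-memory DLL loader pattern
    return hits

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 11, "RecordId": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 11, "RecordId": 2, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\u\Documents\report.pdf"},
    {"EventID": 1, "RecordId": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\x.hta"},
    {"EventID": 1, "RecordId": 4, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"'},
    {"EventID": 4104, "RecordId": 5,
     "ScriptBlockText": "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))"},
    {"EventID": 4104, "RecordId": 6, "ScriptBlockText": "Get-ChildItem -Path C:\\Temp"},
]

if __name__ == "__main__":
    for rule, rid in hunt(SAMPLE_EVENTS):
        print(f"{rule:34} record {rid}")
```

Record 4 shows why the Startup-path rule matters: the dropped script runs under explorer.exe at logon, so a parent-process rule alone would miss it.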

CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

CVE-2026-34926 (CVSS 6.7, CWE-23 Relative Path Traversal) affects Apex One On-Premise server and agent builds below 17079. An authenticated attacker who has already obtained administrative credentials to the Apex One management server traverses the directory structure to modify a key table, injecting malicious code that the management server then distributes to all enrolled agent endpoints via the product's built-in update mechanism — one compromised management console results in fleet-wide code execution on every managed endpoint. The exploitation prerequisite (admin credentials to the Apex One server) does not reduce urgency: CISA added CVE-2026-34926 to KEV on 2026-05-21 following confirmed ITW exploitation, and management server admin accounts are a high-value target for credential theft campaigns. JPCERT/CC confirmed exploitation in the wild on 2026-05-22. Fixed: server and agent build 17079 per Trend Micro KA-0023430. The Apex One as a Service (SaaS) variant is not affected. Until patched, restrict local-network access to the Apex One management console to a dedicated management VLAN; treat the console host as Tier-0 infrastructure given its fleet-wide code distribution capability. Technique: T1574 Hijack Execution Flow via trusted software update path.

CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

CVE-2025-34291 (CVSS 4.0: 9.4 / CVSS 3.1: 8.8, CWE-942 Overly Permissive CORS) affects Langflow <= 1.6.9. The platform's default CORS policy (allow_origins='*' with allow_credentials=True) combined with the refresh token cookie configured as SameSite=None allows any malicious webpage to perform cross-origin requests with the authenticated victim's credentials, reaching /api/v1/auth/refresh to obtain access tokens and subsequently calling all authenticated endpoints — including Langflow's code-execution functionality. Exploitation requires only victim browser navigation to an attacker-controlled page; no prior access needed (T1190 Exploit Public-Facing Application). First confirmed exploitation: 2026-01-23; Trend Micro documented Flodric botnet deployment through compromised Langflow instances. CISA added CVE-2025-34291 to KEV on 2026-05-21. Fixed: Langflow 1.7.0 (restrictive CORS default) and 1.9.3 (explicit fix). Block internet exposure of Langflow instances; enforce HTTPS-only with explicit CORS allowlists; hunt for anomalous subprocess execution from the Langflow process tree (Sysmon EID 1, parent langflow-backend or uvicorn).
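As an added example (not Langflow's code and not from the brief), a small Python audit that classifies a server's response to a credentialed request from an untrusted Origin together with its Set-Cookie headers: it flags the exploitable combination described above (request Origin echoed with Allow-Credentials: true plus a SameSite=None refresh cookie) and passes an allowlisted, SameSite=Lax configuration. The cookie name, the probe origin and the sample headers are constructed placeholders; the weak sample models the on-the-wire shape of a '*' plus credentials policy that echoes the request Origin, which is how such middleware commonly behaves.

```python
"""Added example, not Langflow project code: audit a server's CORS and cookie posture
for the cross-origin token theft pattern behind CVE-2025-34291. All headers below are
constructed; the cookie name 'refresh_token' is an assumed placeholder."""

def parse_set_cookie(line):
    """Split one Set-Cookie header into (cookie_name, {attribute_lower: value})."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs

def audit_cors(probe_origin, headers, set_cookies, auth_cookie="refresh_token"):
    """headers: lower-cased response headers to a credentialed request whose Origin is
    probe_origin, an origin the operator does NOT trust. Returns a list of findings."""
    findings = []
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    reflects = creds and acao == probe_origin
    if reflects:
        findings.append("untrusted Origin echoed with Access-Control-Allow-Credentials: true")
    elif creds and acao == "*":
        # Browsers refuse a literal '*' on credentialed responses, but the policy is still wrong.
        findings.append("wildcard Allow-Origin combined with Allow-Credentials: true")
    cross_site_cookie = False
    for line in set_cookies:
        name, attrs = parse_set_cookie(line)
        if name == auth_cookie and attrs.get("samesite", "").lower() == "none":
            cross_site_cookie = True
            findings.append(f"{name} is SameSite=None: attached to cross-site requests")
    if reflects and cross_site_cookie:
        findings.append("TOKEN THEFT POSSIBLE: a page on any origin can call the refresh "
                        "endpoint with the victim's cookie and read the response")
    return findings

PROBE_ORIGIN = "https://attacker.example"          # constructed probe origin
WEAK_HEADERS = {                                   # constructed: '*' + credentials as echoed on the wire
    "access-control-allow-origin": PROBE_ORIGIN,
    "access-control-allow-credentials": "true",
}
WEAK_COOKIES = ["refresh_token=abc123; Path=/; HttpOnly; Secure; SameSite=None"]
HARDENED_HEADERS = {"vary": "Origin"}              # explicit allowlist: no ACAO for an untrusted origin
HARDENED_COOKIES = ["refresh_token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for label, h, c in (("weak", WEAK_HEADERS, WEAK_COOKIES), ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_cors(PROBE_ORIGIN, h, c) or ["no findings"])
```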

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

CVE            | Product                         | CVSS                | EPSS | KEV              | Exploited                 | Patch               | Source
CVE-2026-34926 | Trend Micro Apex One On-Premise | 6.7                 | n/a  | Yes (2026-05-21) | Yes (ITW)                 | Build 17079         | Trend Micro
CVE-2025-34291 | Langflow AI Platform            | 9.4 (v4) / 8.8 (v3) | n/a  | Yes (2026-05-21) | Yes (ITW since Jan 2026)  | >= 1.7.0 / 1.9.3    | CISA KEV
CVE-2026-20223 | Cisco Secure Workload           | 10.0                | n/a  | No               | No (disclosed internally) | 3.10.8.3 / 4.0.3.17 | Cisco PSIRT

Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

If you did nothing this week: if you run Apex One On-Premise, your endpoint-management server can push attacker code to every managed agent; if you run Langflow, a cross-origin request can steal a session. CISA added both to KEV on 2026-05-21 with confirmed in-the-wild exploitation.

CVE-2026-34926 (Apex One On-Premise, CVSS 6.7) is a post-auth relative-path-traversal flaw in builds below 17079 that lets an admin-credential holder inject code which the management server then deploys fleet-wide to all managed agents — turning the security console into a malware distribution point; JPCERT/CC alert at260014 corroborates the exploitation. CVE-2025-34291 (Langflow ≤ 1.6.9, CVSS 9.4) is an overly permissive CORS configuration combined with a SameSite=None refresh token that enables cross-origin token theft, exploited by the Flodric botnet. Patch both; for Apex One, restrict management-console access and audit agent-deployment jobs for unexpected packages.