← Back to Security Blog
Security Briefing 8 min read

VMware Exploit Goes Wild, OAuth Phishing Surge & LexisNexis Breached

Published: 2026-03-04

CISA flags VMware Aria Operations RCE as actively exploited. Microsoft exposes a sophisticated OAuth redirect attack bypassing MFA. LexisNexis confirms hackers stole 2GB of data including government employee records. Plus: AkzoNobel hit by Anubis ransomware and fake IT support campaigns deploy Havoc C2.


🔴 Critical: VMware Aria Operations Under Active Attack

CVE-2026-22719 — PATCH IMMEDIATELY

CISA has added a VMware Aria Operations command injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows unauthenticated attackers to execute arbitrary commands, leading to full remote code execution.

CVSS Score: 8.1 (High)  |  Deadline: March 24, 2026 for federal agencies

The vulnerability exists in the migration service component of VMware Aria Operations. During support-assisted product migration, an unauthenticated actor can inject commands that run as root via a sudoers misconfiguration in vmware-casa-workflow.sh.

Broadcom released patches on February 24 along with a temporary workaround script (aria-ops-rce-workaround.sh) that disables the vulnerable migration components. The company acknowledged reports of active exploitation but stated it "cannot independently confirm their validity."

Also patched in VMSA-2026-0001:

CVETypeImpact
CVE-2026-22719Command InjectionUnauthenticated RCE
CVE-2026-22720Stored XSSSession hijacking
CVE-2026-22721Privilege EscalationAdmin access

🟠 OAuth Redirect Abuse: Bypassing MFA at Scale

Microsoft Defender researchers have uncovered a sophisticated campaign where threat actors abuse the legitimate OAuth 2.0 redirect mechanism to bypass email and browser phishing protections. The attacks primarily target government and public-sector organizations.

How the attack works:

  1. Lure delivery: Phishing emails disguised as e-signature requests, SSA notices, or meeting invites contain OAuth redirect URLs
  2. Silent auth failure: Attackers register malicious OAuth apps with invalid scopes and prompt=none, forcing authentication errors
  3. Redirect hijack: The identity provider redirects victims to the attacker-controlled redirect URI
  4. Credential theft: EvilProxy attacker-in-the-middle frameworks intercept session cookies, bypassing MFA

In some variants, victims are redirected to a /download path that auto-delivers ZIP files containing malicious .LNK files. These launch PowerShell for reconnaissance before DLL side-loading deploys the final payload.

Key takeaway: This attack abuses intended behavior in the OAuth framework. The error handling mechanism works exactly as the standard specifies — attackers simply weaponize the redirect flow.


🔴 LexisNexis Breach: Government Data Exposed

Legal data giant LexisNexis Legal & Professional has confirmed hackers breached its AWS infrastructure on February 24 by exploiting the React2Shell vulnerability in an unpatched React frontend application.

Threat actor "FulcrumSec" leaked 2GB of structured data from the breach, claiming access to:

LexisNexis stated the compromised data was "mostly legacy, deprecated data from prior to 2020" and did not include SSNs, financial information, or active passwords. The company says the intrusion has been contained.


🟠 Anubis Ransomware Hits AkzoNobel

Dutch paint and coatings giant AkzoNobel ($12B+ revenue, 35,000 employees, 150+ countries) confirmed a network breach at one of its U.S. sites. The Anubis ransomware gang claims to have exfiltrated 170GB of data including:

Anubis, a RaaS operation active since December 2024, offers affiliates 80% of ransom payments and added a destructive data wiper capability in mid-2025.


🟡 Fake IT Support Deploys Havoc C2 Framework

Huntress researchers identified a campaign across five organizations where attackers masquerade as IT support staff to deploy the Havoc command-and-control framework. The playbook closely mirrors tactics used by former Black Basta ransomware affiliates:

  1. Email bomb the target's inbox with spam
  2. Call pretending to be IT support offering help
  3. Deploy Havoc Demon payloads and legitimate RMM tools
  4. Move laterally — in one case, 9 endpoints compromised in 11 hours

The speed of lateral movement suggests end goals of data exfiltration or ransomware deployment.


📊 More Headlines at a Glance

StoryImpact
Iranian strikes on AWS data centers in UAEPhysical infrastructure vulnerability exposed; two facilities directly struck
University of Hawaii Cancer Center breach1.2M individuals affected; SSNs, health data, voter records stolen
Quantum RSA breakthroughNew algorithm suggests RSA decryption feasible sooner than expected
Android Qualcomm zero-day patchedInteger overflow in graphics component leads to memory corruption
SloppyLemming targets Pakistan & BangladeshDual malware chains targeting government infrastructure
Facebook worldwide outageAccounts unavailable globally on March 3

How Kensai Protects You

Real-time CVE Monitoring — CVE-2026-22719 indexed and flagged within hours of KEV addition

OAuth Attack Detection — Monitor suspicious OAuth app registrations and redirect patterns

Cloud Infrastructure Scanning — Detect React2Shell and similar web app vulnerabilities before attackers do

Ransomware Readiness — Continuous exposure management against threats like Anubis RaaS


Recommended Actions

  1. Immediate: Patch VMware Aria Operations or apply the workaround script for CVE-2026-22719
  2. Immediate: Audit OAuth application registrations in your Entra ID tenant
  3. Today: Check React/Node.js frontends for React2Shell vulnerability
  4. This week: Review Conditional Access policies and restrict OAuth app consent
  5. Ongoing: Train staff on fake IT support social engineering tactics

Protect Your Organization with Kensai

AI-powered vulnerability management with 335,000+ CVEs indexed.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles