This week, we briefed our clients on how employees' use of popular AI tools may unknowingly expose their organization to new security and risk concerns.
KEY TAKEAWAYS
- Explore new areas of AI threats and risk, including AI agents, their vulnerabilities, malicious Skills, malicious extensions, and exposed infrastructure.
- Critical and high-severity vulnerabilities in SolarWinds, n8n, Ivanti, and Node.js, plus updates to CISA KEV. Patch now!
New Era of AI Security Threats
New AI models and tools are coming out on an almost daily basis. It is extremely difficult to keep up with the latest tools and trends. The threats and risks these tools pose are no exception. While many headlines and articles focus on AI threats such as more realistic phishing and vishing attacks, or AI-generated malware, there are many other factors organizations need to consider for AI security and risk assessment.
Data Privacy and Exposure
Back in the olden days of 2025, arguably the largest data privacy risk from AI was unauthorized use, or misuse, of cloud-based AI systems, such as ChatGPT. It is difficult to monitor exactly what data users are uploading to chatbots. Even when users use these chatbots for benign and productive reasons, organizations risk having sensitive information or credentials leaked to 3rd-party AI servers.
In 2026, there has been an explosion in the popularity of AI assistants. These AI agents can run locally and are often granted access to a variety of tools and platforms by the user. One of the newest AI assistants, OpenClaw (formerly Clawdbot, also known as Moltbot), has gone viral in the last few weeks. For these types of bots to fully function, they require credentialed access to every tool they interact with, which means they store API keys, bot tokens, OAuth secrets, and signing keys. These agents have access to email, calendars, and chat applications (Telegram, Slack, Discord, Signal, etc.). If a threat actor gains read access to any of these agents, they effectively get the keys to the kingdom.
Vulnerabilities
Vulnerabilities can have a devastating impact depending on the software. Ransomware actors abuse vulnerabilities in edge devices like SSL VPN to gain initial footholds in target environments. Vulnerabilities in AI agents can give threat actors a beachhead in a target environment, with the added bonus of giving the threat actor all the credentialed access they need to achieve their goals. These types of devastating vulnerabilities are already in the wild. On January 30, OpenClaw disclosed CVE-2026-25253, where if a victim clicks a specially crafted link or visits a malicious site, OpenClaw can be tricked into giving the attacker the stored gateway token, which then "allows the attacker to connect to the victim's local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE."
Malicious Skills
AI agents can be augmented with "Skills", which are effectively how-to guides for the AI. Numerous sites and marketplaces offer downloads of various Skills. Researchers at Koi Security audited every Skill on ClawHub, a marketplace for 3rd-party Skills for OpenClaw users. Of the 2,857 Skills reviewed, 341 were found to be malicious. These malicious Skills effectively download infostealer malware to the victim machine, which siphons off any stored credentials on the host. OpenClaw has since partnered with VirusTotal to improve Skill security.
Malicious VS Code Extensions
Threat actors know that some of the heaviest AI users are developers. Because of this, the VS Code Extension Marketplace is frequently targeted. Sticking with the OpenClaw theme, in late January a malicious extension named "ClawdBot Agent - AI Coding Assistant" found its way onto the official Microsoft VS Code marketplace. Researchers at Koi Security also discovered two other malicious extensions posing as AI coding assistants for other AI models. Downloading an extension from an official marketplace is no guarantee that the extension is safe.
Fake ChatGPT Browser Extensions
One of the ways threat actors are targeting ordinary ChatGPT users is through malicious Chrome browser extensions. Researchers at LayerX Security recently uncovered 16 malicious extensions masquerading as legitimate helpers for using ChatGPT more efficiently. Instead, the extensions intercept ChatGPT session authentication tokens, giving the threat actor account-level access equivalent to that of the user (which includes conversation history). Below is a PacketWatch query to detect traffic to the infrastructure hosting these extensions:
http.host:(chatgptmods.com OR imagents.top)
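As an added example (not from the report and not PacketWatch's own tooling), the following Python applies the same host match to constructed proxy log lines: subdomains of the two domains count as hits, while look-alike names that merely contain them do not. The log format is an assumption.

```python
import re
from typing import List, Tuple

# Domains from the report's PacketWatch query: http.host:(chatgptmods.com OR imagents.top)
WATCHED_DOMAINS = ("chatgptmods.com", "imagents.top")

# Constructed sample proxy log: "<timestamp> <src_ip> <method> <host> <path>"
# (the format is an assumption, not a PacketWatch log format).
SAMPLE_LOG = """\
2026-02-03T10:14:02Z 10.0.0.21 GET chatgptmods.com /update.js
2026-02-03T10:14:05Z 10.0.0.21 POST api.imagents.top /collect
2026-02-03T10:15:11Z 10.0.0.33 GET chat.openai.com /backend-api/conversations
2026-02-03T10:16:40Z 10.0.0.44 GET notchatgptmods.com /index.html
2026-02-03T10:17:02Z 10.0.0.21 GET IMAGENTS.TOP:443 /ping
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+)$")

def normalize_host(host: str) -> str:
    """Lower-case, drop a :port suffix (bracketed IPv6 left alone) and a trailing dot."""
    h = host.strip().lower()
    if not h.startswith("[") and ":" in h:
        h = h.split(":", 1)[0]
    return h.rstrip(".")

def host_matches(host: str, domains: Tuple[str, ...] = WATCHED_DOMAINS) -> bool:
    """Exact match or subdomain match only; a plain substring test would also
    flag look-alikes such as notchatgptmods.com."""
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in domains)

def find_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (src_ip, host, path) for every parsable line whose host matches."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and host_matches(m["host"]):
            hits.append((m["src"], normalize_host(m["host"]), m["path"]))
    return hits

def affected_sources(log_text: str) -> List[str]:
    """Distinct internal source IPs to triage for the malicious extension, sorted."""
    return sorted({src for src, _, _ in find_hits(log_text)})

if __name__ == "__main__":
    for src, host, path in find_hits(SAMPLE_LOG):
        print(f"{src} -> {host}{path}")
    print("triage:", affected_sources(SAMPLE_LOG))
```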
Exposed Infrastructure
Without proper care, AI models and agents can be easily misconfigured and expose themselves to the open internet. Researchers at SentinelOne SentinelLABS and Censys recently found over 175,000 publicly exposed instances of the Ollama open-source AI model. The researchers noted "nearly half of observed hosts are configured with tool-calling capabilities that enable them to execute code, access APIs, and interact with external systems." In addition to the risk of allowing threat actors an entry point into the network, these misconfigurations carry the additional risk of LLMjacking, where the victim's AI infrastructure is abused by threat actors and the victim pays the bill.
Conclusion
AI continues to evolve at a breakneck pace. Threat actors are taking advantage of the chaos. Organizations need clearly defined AI usage policies that are strongly enforced. Additionally, organizations should strongly consider testing AI models, agents, and capabilities in isolated environments with non-production accounts and credentials so they can monitor and verify the tools before they are integrated into production. Any code or tool related to AI should not be inherently trusted. Organizations need to be aware that although AI tools can increase productivity, they carry large risks that cannot be ignored.
Resources
- https://www.bleepingcomputer.com/news/security/viral-moltbot-ai-assistant-raises-concerns-over-data-security/
- https://www.linkedin.com/pulse/hacking-clawdbot-eating-lobster-souls-jamieson-o-reilly-whhlc/
- https://github.com/openclaw/openclaw
- https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
- https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html
- https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html
- https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting
- https://openclaw.ai/blog/virustotal-partnership
- https://www.koi.ai/blog/maliciouscorgi-the-cute-looking-ai-extensions-leaking-code-from-1-5-million-developers
- https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/
- https://layerxsecurity.com/blog/how-we-discovered-a-campaign-of-16-malicious-extensions-chatgpt/
- https://thehackernews.com/2026/01/researchers-find-175000-publicly.html
- https://www.sentinelone.com/labs/silent-brothers-ollama-hosts-form-anonymous-ai-network-beyond-platform-guardrails/
- https://nvd.nist.gov/vuln/detail/CVE-2026-25253
Vulnerability Roundup
Multiple Vulnerabilities in SolarWinds Web Help Desk
In a recent security advisory from SolarWinds, four critical vulnerabilities were disclosed. The vulnerabilities tracked as CVE-2025-40551, CVE-2025-40552, and CVE-2025-40553 all allow an unauthenticated attacker to run unauthorized code or commands. CVE-2025-40554 is an authentication bypass vulnerability that could allow an attacker to invoke "specific actions" within Web Help Desk. CISA has already added CVE-2025-40551 to the Known Exploited Vulnerabilities (KEV) catalog. Administrators are urged to patch to version 2026.1 as soon as possible.
- https://thehackernews.com/2026/01/solarwinds-fixes-four-critical-web-help.html
- https://thehackernews.com/2026/02/cisa-adds-actively-exploited-solarwinds.html
Multiple Vulnerabilities in n8n Allow RCE & Sandbox Escape
In late January, security researchers at JFrog published research detailing two sandbox escapes in the popular n8n workflow automation platform. The vulnerabilities are tracked as CVE-2026-1470 and CVE-2026-0863. The more critical of the two, CVE-2026-1470, allows any authenticated n8n user to achieve full remote code execution on the underlying system. Administrators are urged to upgrade to version 1.123.17, 2.4.5, or 2.5.1 or greater.
A separate fix was introduced by n8n to address a bypass of a previous patch. Tracked as CVE-2026-25049, the fix for this vulnerability addresses shortcomings in the fix for CVE-2025-68613. Per their advisory, "an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n." Administrators are urged to patch to versions 1.123.17 or 2.5.2.
- https://research.jfrog.com/post/achieving-remote-code-execution-on-n8n-via-sandbox-escape/
- https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html
- https://thehackernews.com/2026/02/critical-n8n-flaw-cve-2026-25049.html
- https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
- https://nvd.nist.gov/vuln/detail/CVE-2026-1470
- https://nvd.nist.gov/vuln/detail/CVE-2026-0863
- https://nvd.nist.gov/vuln/detail/CVE-2026-25049
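As an added example (not code from the report or from the n8n project), this Python checks a constructed inventory of n8n versions against the fixed versions listed above. It assumes each fix applies to its own release branch (2.4.x needs 2.4.5 or later, 2.5.x needs 2.5.1 or later, and for CVE-2026-25049 the only 2.x fix listed is 2.5.2), which the report does not state explicitly; the hostnames are placeholders.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions per CVE, as listed in the report.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2026-1470": ["1.123.17", "2.4.5", "2.5.1"],
    "CVE-2026-0863": ["1.123.17", "2.4.5", "2.5.1"],
    "CVE-2026-25049": ["1.123.17", "2.5.2"],
}

def parse_version(s: str) -> Version:
    """Accept "2.5.1" or "v2.5.1"; a pre-release suffix after "-" is ignored."""
    core = s.strip().lstrip("v").split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))

def is_patched(installed: str, fixed: List[str]) -> bool:
    v = parse_version(installed)
    fixes = [parse_version(f) for f in fixed]
    # Assumption: a fix applies to its own release branch. Prefer a fix on the
    # same major.minor, then any fix on the same major, then all listed fixes;
    # the installed version must be at or above the highest applicable fix.
    same_minor = [f for f in fixes if f[:2] == v[:2]]
    same_major = [f for f in fixes if f[:1] == v[:1]]
    applicable = same_minor or same_major or fixes
    return v >= max(applicable)

def outstanding_cves(installed: str) -> List[str]:
    """CVEs from the report for which this n8n version has not received a fix."""
    return [cve for cve, fixed in FIXED_VERSIONS.items() if not is_patched(installed, fixed)]

# Constructed inventory (placeholder hostnames, not real systems).
INVENTORY = {"n8n-prod-1": "1.123.16", "n8n-prod-2": "2.4.6", "n8n-lab": "2.5.2"}

def audit(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the CVEs it is still exposed to; an empty list means fully patched."""
    return {host: outstanding_cves(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, cves in audit(INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'patched'}")
```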
More Ivanti EPMM 0-Days
Ivanti disclosed two critical unauthenticated code-injection vulnerabilities leading to remote code execution in Endpoint Manager Mobile (EPMM). The vulnerabilities are tracked as CVE-2026-1281 and CVE-2026-1340 and affect the following versions:
- EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (fixed in RPM 12.x.0.x)
- EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (fixed in RPM 12.x.1.x)
Detailed upgrade instructions can be found here. Administrators are urged to apply the patch as soon as possible, as these vulnerabilities are under active exploitation.
vm2 Node.js Sandbox Escape
A popular Node.js library, vm2, which is used to run untrusted code within a secure sandboxed environment, recently disclosed a sandbox escape vulnerability that could allow attackers to run arbitrary code on the underlying operating system. The vulnerability, tracked as CVE-2026-22709, affects vm2 versions prior to 3.10.2. Users are urged to upgrade to version 3.10.2 or greater, or use an alternative library such as isolated-vm.
- https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8
- https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last two weeks:
- CVE-2026-24423 - SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
- CVE-2025-11953 - React Native Community CLI OS Command Injection Vulnerability
- CVE-2025-40551 - SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
- CVE-2019-19006 - Sangoma FreePBX Improper Authentication Vulnerability
- CVE-2025-64328 - Sangoma FreePBX OS Command Injection Vulnerability
- CVE-2021-39935 - GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
- CVE-2026-1281 - Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
- CVE-2026-24858 - Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability
- CVE-2026-21509 - Microsoft Office Security Feature Bypass Vulnerability
- CVE-2026-24061 - GNU InetUtils Argument Injection Vulnerability
- CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
- CVE-2025-52691 - SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2018-14634 - Linux Kernel Integer Overflow Vulnerability
This report is provided FREE to the cybersecurity community.
Visit our Cyber Threat Intelligence Blog for additional reports.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.
The PacketWatch Intelligence Team