TL;DR
WordPress core RCE flaws (wp2shell) now have public exploits; 7-Zip patches critical RCE; NadMesh botnet targets exposed AI services and steals AWS keys. Microsoft warns of ACR Stealer surge against enterprise customers. Abbott probes two separate breaches.
Executive Summary
- WordPress core “wp2shell” remote code execution flaws are under active exploitation with public proof-of-concept code released.
- 7-Zip released version 26.02 to patch a critical remote code execution vulnerability triggered by malicious archive files.
- NadMesh, a Go-based botnet, is actively harvesting exposed AI services (ComfyUI, Ollama, n8n, Open WebUI, Langflow, Gradio) to steal AWS keys and Kubernetes tokens; the operator’s dashboard claims 3,811 unique AWS keys.
- Microsoft reports a surge in ACR Stealer attacks targeting enterprise customers to steal browser-stored passwords, authentication tokens, and sensitive documents.
- Abbott Laboratories is investigating two separate cybersecurity incidents: unauthorized access to legacy Exact Sciences systems and a separate breach of its LabCentral portal.
Top Threats Today
1. WordPress Core “wp2shell” RCE Exploitation
Severity: HIGH Affected: Technology
An unauthenticated HTTP request can execute arbitrary code on WordPress installations. The vulnerability, dubbed “wp2shell,” resides in WordPress Core and now carries CVE identifiers [1]. Public exploits have been released and a working proof-of-concept is publicly available [1][2]. A persistent-object-cache condition has also surfaced as part of the attack surface [1]. This development makes immediate patching essential for all WordPress administrators.
Sources:[1] The Hacker News[2] BleepingComputer
Recommended Action
- Immediately apply WordPress security updates to patch the wp2shell vulnerabilities.
- Review access logs for unauthorized activity and signs of code execution.
- Consider temporarily disabling WordPress REST API endpoints if not actively required.
- Enable Web Application Firewall (WAF) rules blocking suspicious HTTP patterns targeting WordPress core files.
2. NadMesh Botnet Harvesting Cloud Credentials
Severity: HIGH Affected: Technology
A Go-based botnet called NadMesh emerged in early July, actively scanning for exposed AI services including ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio [1]. The operator’s dashboard reports 3,811 unique AWS keys harvested from compromised systems [1]. The botnet uses a Shodan-based harvester to maintain a continuous queue of exposed services, creating a persistent threat to organizations running unprotected AI ⚠ infrastructure.
Sources:[1] The Hacker News
Recommended Action
- Audit all exposed AI service instances (ComfyUI, Ollama, n8n, etc.) and move them behind authentication and network segmentation.
- Rotate all AWS API keys and access tokens immediately; audit CloudTrail logs for unauthorized API calls.
- Implement strict firewall rules to restrict access to AI services from public internet; require VPN or private network connectivity.
- Monitor AWS GuardDuty and similar tools for anomalous credential usage patterns.
3. ACR Stealer Surge Targeting Microsoft Customers
Severity: HIGH Affected: Technology
Microsoft has observed a significant surge in attacks using ACR Stealer malware against its enterprise customers [1]. The malware targets browser-stored passwords, authentication tokens, and sensitive documents [1]. This indicates a coordinated or opportunistic campaign exploiting common credential storage patterns across multiple enterprises.
Sources:[1] BleepingComputer
Recommended Action
- Deploy endpoint detection and response (EDR) tools configured to flag suspicious browser process behavior and credential access.
- Enforce browser isolation or containerization for high-risk users and sensitive browsing activities.
- Require hardware-backed authentication (FIDO2 keys) or certificate-based auth where possible to reduce reliance on stored passwords and tokens.
- Audit and revoke any tokens or credentials that may have been exposed; implement token expiration and rotation policies.
4. 7-Zip Critical RCE via Malicious Archives
Severity: HIGH Affected: Technology
7-Zip version 26.02 was released to fix a remote code execution vulnerability that allows attackers to execute arbitrary code by convincing users to open specially crafted compressed files [1]. This is a classic client-side attack vector that requires user interaction but can spread rapidly through email attachments or file-sharing platforms.
Sources:[1] BleepingComputer
Recommended Action
- Update 7-Zip to version 26.02 or later across all user devices and servers.
- Configure email gateway rules to block suspicious archive file attachments or alert on .7z, .zip, and .rar files from untrusted senders.
- Educate users not to open archive files from unknown or unexpected sources.
- Monitor for unusual process spawning from archive extraction operations.
5. Abbott Laboratories Dual Breach Investigation
Severity: HIGH Affected: Healthcare
Abbott Laboratories is investigating two separate cybersecurity incidents: unauthorized access to internal legacy Exact Sciences systems within its Cancer Diagnostics business, and a separate breach of its LabCentral portal in which attackers reportedly stole company data [1]. The scope and identity of affected parties remain under investigation.
Sources:[1] BleepingComputer
Recommended Action
- If you are an Abbott customer or partner, monitor official communications for breach notifications and credential reset requirements.
- Review access logs and network traffic for any suspicious activity linked to Abbott systems or data transfers.
- Consider credential reset for any accounts or APIs connected to Abbott platforms or legacy systems.
Today’s Action Checklist
- ☐ URGENT: Patch WordPress installations to address wp2shell RCE; verify patching completion within 24 hours.
- ☐ URGENT: Audit and rotate AWS credentials; check CloudTrail for unauthorized activity related to NadMesh compromise indicators.
- ☐ Update 7-Zip to version 26.02 on all systems; configure email filtering for suspicious archive attachments.
- ☐ Deploy or enhance EDR coverage to detect ACR Stealer and similar credential-theft malware behavior.
- ☐ Review published guidance from Abbott regarding the dual breaches and implement any recommended remediation steps for dependent systems.