CybersecurityVulnerability Management

Vulnerabilities Surge as Exploit Kits Expand in Q1 2026

Analyst 207||Source: SecureList
Windows laptop on a clean surface with a notebook and pen nearby.
"The total volume of vulnerabilities continues rising," the Q1 2026 report warns, a line that frames this quarter’s steady uptick in both new flaws and the exploits weaponizing them. The report — drawing on cve.org data, open sources and vendor telemetry — outlines where attackers focused, which vulnerabilities dominated detections, and how exploit chains and C2 toolsets shifted in the first three months of the year.

New Microsoft Office and Windows logic‑flaw exploits

Q1 2026 saw exploit authors add several Microsoft Office and Windows logic‑flaw vulnerabilities to toolsets. The report highlights CVE-2026-21509 and CVE-2026-21514 as security‑feature bypasses that defeat Protected View, allowing specially crafted files to execute commands with the privileges of the user who opens the file. CVE-2026-21513, an MSHTML engine issue, bypasses restrictions on executing files from untrusted network sources; the data provider for that vulnerability was an LNK file.

These three appeared together in at least one single attack chain against Windows systems. The report notes the combination’s instability and predicts attackers will likely adopt the flaws individually as initial vectors in phishing campaigns rather than rely on the full chain.

Veteran Windows and Linux vulnerabilities still driving detections

Longstanding vulnerabilities remain central to exploit detections. For Windows, the report lists CVE-2018-0802 and CVE-2017-11882 (both Equation Editor RCEs), CVE-2017-0199 (Office/WordPad RCE), CVE-2023-38831 (improper handling of archive objects), CVE-2025-6218 (relative path extraction to arbitrary directories), and CVE-2025-8088 (NTFS Streams directory traversal bypass) as the veteran set that account for the largest share of detections.

On Linux, the most frequently detected exploits targeted CVE-2022-0847 (Dirty Pipe privilege escalation), CVE-2019-13272 (privilege inheritance mishandling), CVE-2021-22555 (Netfilter heap out‑of‑bounds write), and CVE-2023-32233 (Netfilter Use‑After‑Free). The report records a drop in the absolute number of detected exploits in Q1 2026, but an increase in detection rates compared with the same quarter last year — maintaining patching as a central mitigation priority.

C2 frameworks: Metasploit climbs while Sliver and Havoc hold ground

Command‑and‑control tooling usage shifted in Q1. According to open sources analyzed in the report, Metasploit returned to the top position for C2 frameworks used by APTs; Sliver and Havoc share second place, followed by Covenant and Mythic. The report links a set of exploited server‑side vulnerabilities observed interacting with C2 agents, including:

  • CVE-2023-46604 — insecure deserialization in Apache ActiveMQ allowing arbitrary code execution in the server process;
  • CVE-2024-12356 and CVE-2026-1731 — command injection in BeyondTrust software enabling execution without system authentication;
  • CVE-2023-36884 — Windows Search flaw enabling command execution while bypassing Office security mechanisms;
  • CVE-2025-53770 — insecure deserialization in Microsoft SharePoint permitting unauthenticated command execution;
  • CVE-2025-8088 and CVE-2025-6218 — directory traversal issues that allow archive extraction to predefined paths without alerting the user.

The report stresses that many of these server‑side flaws are exploited to bypass authentication and gain initial access because C2 agents themselves are being detected more effectively.

AI‑era flaws: Clawdbot, LangChain and OpenCode

Q1 2026 also surfaced several vulnerabilities tied to AI tooling and frameworks. Clawdbot (CVE-2026-25253) leaks credentials via WebSocket queries, enabling access to local data and elevated command execution; exploitation scenarios include prompt injection and ClickFix techniques to install stealers. CVE-2026-34070 concerns directory traversal in the LangChain framework where insecure handling of configuration in langchain_core/prompts/loading.py exposes arbitrary files and may lead to command execution. CVE-2026-22812 affects OpenCode: an HTTP server allowed local launches of authorized applications without authentication, permitting attackers to execute commands as the current user.

What this means for technologists, procurement teams, and AI developers

  • Technologists and security teams: prioritize timely patching and targeted vulnerability management. The report links continued detections to both old, well‑exploited CVEs and a wave of newly discovered logic flaws that are difficult to isolate to single libraries.
  • Enterprise procurement and patch managers: expect a continued influx of CVEs driven by AI‑assisted discovery and prioritize vendor patches for web frameworks, Microsoft Office, edge/networking devices and remote access systems — the report specifically recommends applying vendor patches.
  • AI developers and maintainers: audit WebSocket interfaces, configuration file handling and any unauthenticated local servers. The report’s examples — Clawdbot, LangChain and OpenCode vulnerabilities — show how AI components can expose credentials, arbitrary files, and command execution vectors.

Q1 2026 tells a consistent story: exploit authors are balancing tried‑and‑true CVEs with newly discovered logic and AI‑related flaws, and C2 operators are favoring authentication‑bypass attacks to reduce discovery risk. The practical takeaway in the report is unambiguous — maintain rigorous patch cadence, prioritize vulnerabilities tied to real‑world exploitation, and deploy continuous monitoring and proactive protection; the report notes these are features integrated into Kaspersky Next.

Original report

Emerging ThreatsThreat IntelligenceVulnerabilitiesWindowsZero-DayExploit KitsMicrosoft OfficeCVE-2026-21509CVE-2026-21514Logic-Flaw Exploits
Related Intelligence

Continue Reading

Blurred laptop screen on a minimalist desk shows a Microsoft Teams meeting, with a subtle gatekeeper figure in the…

Microsoft Fortifies Teams Against Bot Intrusions

Microsoft is stepping up its game to protect Teams meetings from unwanted bot intrusions by introducing a virtual bouncer that keeps automated accounts at bay. This new defensive measure is a significant boost to Microsoft Teams security.

Analyst 207
Dimly lit server room with rows of computer servers, cables, and softly glowing screens displaying code amidst shadows.

Weak RSA Keys Exposed in Widespread Use

Meet the badkeys project, an open-source service that scans public keys for vulnerabilities, which recently uncovered a surprising pattern of weak RSA keys in widespread use. By analyzing a massive dataset of real-world public keys, the team discovered a substantial number of keys with a suspicious structure, featuring regularly spaced blocks of zero bits and random data.

Analyst 207
Researchers working on a laptop in a clean-room setting surrounded by diagrams and notes.

Researchers Expose Lethal Flaw in AI Model Security

Researchers have uncovered a shocking vulnerability in AI model security, revealing that a simple formatting trick used to separate system instructions from user requests has become a critical weakness. This flaw, known as role confusion, threatens the very foundation of modern AI systems.

Analyst 207
Dimly lit computer laboratory with scattered technology equipment.

Anonymous Researcher Exploits 15 Software Products with Zero-Day Code Dump

A security bombshell has been dropped: an anonymous researcher has publicly shared exploit code for zero-day vulnerabilities in 15 software products, and hackers are already taking advantage of at least two of them. The alarming revelation has sent shockwaves through the cybersecurity community.

Analyst 207