This week's report covers five active threats. A critical flaw in Ghost CMS is being used to hijack hundreds of websites and deliver malware to unsuspecting visitors. NGINX, the web server used across much of the UK's digital infrastructure, has a serious vulnerability that is already being exploited in the wild. Researchers at Fox-IT, part of NCC Group, have uncovered a sophisticated North Korean hacking tool that runs only in memory and evades security software, now being used against financial firms. The FBI has issued a warning about a new phishing kit called Kali365 that bypasses Microsoft 365 multi-factor authentication at scale, compromising hundreds of organisations every day. And Cisco has disclosed yet another maximum-severity vulnerability, this time in its Secure Workload platform, allowing unauthenticated attackers to access data across customer boundaries. Full details and recommended actions for each are below.
A serious flaw in Ghost CMS, a popular open-source blogging and publishing platform used by many organisations, is being exploited on a large scale. The vulnerability is tracked as CVE-2026-26980 and has a CVSS severity score of 9.4 out of 10. It is a SQL injection flaw: an attacker can send a request whose contents the site passes unsafely into a database query, and use that to read the site's admin API key straight out of the database, with no username or password required.
Once attackers have the admin key, they have the same control over the site as an administrator. Researchers at QiAnXin XLab found that more than 700 websites have already been compromised, including those belonging to universities, blockchain projects, and AI companies. The attackers inject malicious JavaScript into the bottom of published articles, so the payload lives in the stored post content and is served to every reader until the post is cleaned up. When real visitors open those articles, the code first checks that the visitor looks like a genuine user (typically to avoid scanners and sandboxes) and, if so, shows them a fake CAPTCHA verification page. That page tricks them into running a malicious Windows PowerShell command on their own computer, which installs malware. Cleaning the injected posts is not enough on its own: because the attacker holds a valid admin API key, any exposed keys need to be revoked and reissued before the site can be trusted again.
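A quick way to check your own site for this pattern is to scan the rendered HTML of every published post for script tags that should not be there. The following is an added example written for this report, not code from Ghost or from the researchers; it works on the `html` field that the Ghost Content API returns for each post. The allow-list of script hosts, the "suspicious inline script" patterns and the 500-character threshold are assumptions you would tune to your own site, and the three sample posts are constructed.

```python
"""Scan Ghost post HTML for injected <script> blocks.

Added example, not part of the original report or the Ghost project.
Feed it the `html` field of each post from your Ghost Content API; the
sample posts at the bottom are constructed for illustration.
"""
import re
from html.parser import HTMLParser

# Hosts you legitimately load scripts from inside post content.
# Assumed allow-list; replace with your own.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.org"}

# Hallmarks of fake-CAPTCHA loaders: obfuscated inline JS, clipboard writes,
# PowerShell strings. Assumed heuristics, not an official signature set.
SUSPICIOUS_INLINE = re.compile(
    r"(eval\(|atob\(|fromCharCode|clipboard|powershell|document\.write)",
    re.IGNORECASE,
)
MAX_INLINE_LENGTH = 500  # assumed: long inline scripts in posts are unusual


class _ScriptCollector(HTMLParser):
    """Collect every <script> element with its src (if any) and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of {"src": str | None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_injected_scripts(post_html: str) -> list[str]:
    """Return human-readable findings for scripts that should not be in a post."""
    collector = _ScriptCollector()
    collector.feed(post_html)
    findings = []
    for script in collector.scripts:
        src = script["src"]
        if src:
            host = re.sub(r"^https?://", "", src).split("/")[0]
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"external script from unexpected host: {host}")
        else:
            body = script["body"].strip()
            if SUSPICIOUS_INLINE.search(body) or len(body) > MAX_INLINE_LENGTH:
                findings.append(f"suspicious inline script: {body[:60]!r}")
    return findings


def scan_posts(posts: list[dict]) -> dict[str, list[str]]:
    """Map post slug -> findings, for posts with at least one finding."""
    results = {}
    for post in posts:
        findings = find_injected_scripts(post["html"])
        if findings:
            results[post["slug"]] = findings
    return results


# Constructed sample posts: one clean, one with an obfuscated inline loader,
# one pulling a script from a host not on the allow-list.
SAMPLE_POSTS = [
    {"slug": "welcome",
     "html": '<p>Hello</p><script src="https://cdn.example.org/embed.js"></script>'},
    {"slug": "pricing",
     "html": "<p>Plans</p><script>var x=atob('aGk=');eval(x);</script>"},
    {"slug": "team",
     "html": '<p>Team</p><script src="https://static.attacker-host.invalid/c.js"></script>'},
]

if __name__ == "__main__":
    for slug, findings in scan_posts(SAMPLE_POSTS).items():
        print(slug, findings)
```

Run it against every post, not just recent ones: the injection targets articles that already draw traffic, so the oldest, most-linked posts are the ones most worth checking.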
Ghost CMS is used by many UK organisations, charities, and digital health teams to run their public-facing websites, blogs, and knowledge bases. A compromised Ghost site can be used to deliver malware to every visitor — including patients, customers, and staff — without any warning. Universities are already among the confirmed victims, and educational and healthcare websites are trusted by visitors, which makes them especially effective as a delivery point for social engineering attacks. For any UK organisation running Ghost CMS, this is an active risk right now.
A serious vulnerability in NGINX, one of the most widely used web server and reverse proxy platforms in the world, is being actively exploited. The flaw is tracked as CVE-2026-42945 and has a severity score of 9.2 out of 10. It was nicknamed "NGINX Rift" by researchers.
The bug is a heap buffer overflow in the part of NGINX that handles URL rewrite rules. An attacker who can send crafted requests to an affected server can crash NGINX worker processes. The master process restarts a dead worker, but each crash drops the connections that worker was serving, and a steady stream of crafted requests keeps the site or application behind it effectively offline. Security researchers at AlmaLinux and VulnCheck confirmed that turning this crash into full remote code execution is hard but not impossible; if achieved, it would let an attacker run code of their choosing on the server. Exploitation activity began within days of public disclosure, with VulnCheck confirming that threat actors had started probing and attacking exposed servers.
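Because the observable symptom of this bug is workers dying on a memory fault, the NGINX error log is a useful first place to look for attempts against a server you have not yet patched. The following is an added example, not code from the report, NGINX or VulnCheck: it parses the line the NGINX master process writes when a worker exits on a signal and flags bursts of SIGSEGV/SIGABRT/SIGBUS exits. The five-minute window and the threshold of three crashes are assumed tuning values, and the log lines are constructed.

```python
"""Flag bursts of NGINX worker crashes in an error log.

Added example, not part of the original report or the NGINX project.
The line format is what the NGINX master process writes on a worker exit;
the sample log below is constructed.
"""
import re
from datetime import datetime, timedelta

# Master-process line for a worker exit. 11 = SIGSEGV, 6 = SIGABRT, 7 = SIGBUS
# are the signals a memory-corruption crash produces; 9 (SIGKILL) is usually
# the OOM killer or an administrator, so it is deliberately excluded.
CRASH_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
MEMORY_FAULT_SIGNALS = {6, 7, 11}


def parse_crashes(lines):
    """Yield (timestamp, pid, signal) for every memory-fault worker exit."""
    for line in lines:
        m = CRASH_LINE.match(line)
        if m and int(m["sig"]) in MEMORY_FAULT_SIGNALS:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            yield ts, int(m["pid"]), int(m["sig"])


def crash_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Return (window_start, crash_count) for each run of at least
    `threshold` crashes that fall within `window` of the first one.
    Runs are non-overlapping: once a burst is reported, scanning resumes
    after its last crash. Both parameters are assumed tuning values."""
    crashes = sorted(parse_crashes(lines))
    bursts = []
    i = 0
    while i < len(crashes):
        j = i
        while j + 1 < len(crashes) and crashes[j + 1][0] - crashes[i][0] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((crashes[i][0], count))
            i = j + 1
        else:
            i += 1
    return bursts


# Constructed sample error log: a normal start-up line, an unrelated 404,
# three workers segfaulting within nine seconds, and one SIGKILL later on.
SAMPLE_ERROR_LOG = """\
2026/04/10 09:00:01 [notice] 1#1: start worker process 20
2026/04/10 09:12:44 [error] 20#20: *15 open() "/var/www/x" failed (2: No such file or directory)
2026/04/10 14:03:22 [alert] 1#1: worker process 20 exited on signal 11 (core dumped)
2026/04/10 14:03:22 [notice] 1#1: start worker process 31
2026/04/10 14:03:25 [alert] 1#1: worker process 31 exited on signal 11 (core dumped)
2026/04/10 14:03:25 [notice] 1#1: start worker process 32
2026/04/10 14:03:31 [alert] 1#1: worker process 32 exited on signal 11 (core dumped)
2026/04/10 18:40:00 [alert] 1#1: worker process 40 exited on signal 9
""".splitlines()

if __name__ == "__main__":
    for start, count in crash_bursts(SAMPLE_ERROR_LOG):
        print(f"{count} worker crashes starting {start:%Y-%m-%d %H:%M:%S}")
```

When a burst shows up, pull the access log for the seconds before each crash timestamp: the request that killed the worker is usually never logged (the worker dies before writing it), but the requests immediately before it from the same client often are, which gives you a source address to block and a sample to share with your incident response team.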
NGINX is used on a huge proportion of UK web infrastructure — from NHS patient portals and GP booking systems to digital health apps and NHS supplier websites. It is also widely used as a reverse proxy in front of other applications, meaning a single NGINX server can sit in front of many services at once. A crashed NGINX server means none of the services behind it are reachable. For NHS-connected organisations, an outage affecting patient access, appointment booking, or clinical tools could have a direct impact on care. If code execution becomes possible, an attacker could access everything the server touches.
Researchers at Fox-IT, the Netherlands-based subsidiary of the UK firm NCC Group, have published detailed findings on a new malware tool used by the North Korean state-sponsored hacking group known as Lazarus. The malware is called RemotePE, and it is a remote access trojan, a tool that gives attackers full control of a victim's computer. What makes RemotePE unusual is that it never writes itself to the victim's hard drive. It runs entirely in memory, so file-based antivirus scanning has nothing to inspect, and defenders have to rely on memory scanning and behavioural detection instead.
The attack starts with social engineering, for example a convincing fake job offer or message sent to an employee. Once the attacker has a foothold on a device, they load a series of stages that decrypt and launch RemotePE entirely in memory. RemotePE then connects back to an attacker-controlled server and can read, move, or delete files, run programs, kill processes, and carry out other commands. It also uses advanced techniques to disable Windows event logging and avoid detection by endpoint security tools; an unexplained gap in a machine's Windows event logs, or the event log service stopping on its own, is therefore worth investigating in its own right. Fox-IT confirmed that neither the loader nor the malware was detected by any engine on VirusTotal at the time of publication. Note that VirusTotal results reflect static, file-based scanning and say nothing about whether an EDR would flag the behaviour at runtime.
The Lazarus Group is linked to North Korea's intelligence services and is known for targeting banks, financial institutions, healthcare organisations, and cryptocurrency platforms worldwide.
UK financial institutions, NHS-connected payment processors, and digital health companies that handle financial data or valuable intellectual property are all plausible targets for Lazarus. The fact that this malware was not flagged by any VirusTotal engine at the time of discovery is a significant concern, because many organisations rely heavily on endpoint security products as a primary defence. If an attacker gets in via social engineering (a convincing message, a fake job offer, or a spoofed contact) and then deploys RemotePE, the organisation may have no immediate indication that anything is wrong. This is a reminder that technical defences alone are not enough when attacks begin with human deception.
The FBI has issued a public warning about a phishing-as-a-service platform called Kali365, which is being sold on Telegram and used to steal Microsoft OAuth tokens — effectively bypassing multi-factor authentication (MFA) on Microsoft 365 accounts. Hundreds of organisations are being compromised every day.
Kali365 works in two main ways. In the first, attackers send a phishing email pretending to come from a trusted service such as Adobe Acrobat Sign, DocuSign, or SharePoint. The email contains a code and instructions to enter it on Microsoft's genuine device-login page. This abuses the OAuth 2.0 device authorisation flow, which exists so that devices without a usable browser (smart TVs, command-line tools) can be signed in from another device. The code was requested by the attacker's own client; when the victim enters it and completes a normal login, including MFA, Microsoft hands the resulting access and refresh tokens to that attacker's client. The attacker then has the victim's access to email, Teams, SharePoint, and other services without ever seeing the password or MFA code, because the victim supplied them to the real Microsoft page.
In the second method, the phishing page is a reverse proxy sitting silently between the victim and the real Microsoft login. The victim's password and MFA response are forwarded to Microsoft, the login genuinely succeeds, and the session cookie Microsoft issues passes back through the attacker's server, which keeps a copy. Those cookies let the attacker replay the session later as if they were the legitimate user. Kali365 is sold for $250 per month per target organisation and supports 14 languages. Security firm Arctic Wolf and Microsoft both confirmed the scale of the activity.
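Both techniques leave traces in Microsoft Entra sign-in logs. The following is an added example, not code from the report, the FBI notice or Microsoft: it runs two checks over sign-in records in the shape the Microsoft Graph `signIn` resource returns (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`). The first lists sign-ins completed through the device code grant, which the device-code phishing method produces; the second looks for the same user appearing from two countries within a short window, which a replayed session cookie from a proxy in another country produces. The 60-minute window is an assumed heuristic, not a Microsoft threshold, and the records are constructed.

```python
"""Two checks over Microsoft Entra sign-in log records.

Added example, not part of the original report, the FBI notice or any
Microsoft tooling. Field names follow the Microsoft Graph `signIn`
resource; the sample records below are constructed.
"""
from datetime import datetime, timedelta


def _ts(record):
    """Parse the ISO-8601 createdDateTime Graph returns (trailing 'Z')."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def device_code_signins(records):
    """Sign-ins completed via the OAuth device authorisation grant.

    Legitimate use is rare outside CLI tools and headless devices, so each
    one deserves a look: which app, which IP, did the user expect it?
    Returns (user, app, ip) tuples."""
    return [
        (r["userPrincipalName"], r["appDisplayName"], r["ipAddress"])
        for r in records
        if r.get("authenticationProtocol") == "deviceCode"
    ]


def cross_country_sessions(records, window=timedelta(minutes=60)):
    """Same user seen from two countries within `window` (assumed heuristic).

    This is the pattern a replayed session cookie produces when the
    attacker's proxy and the victim are in different places. Returns
    (user, first_country, second_country, gap) tuples."""
    by_user = {}
    for r in sorted(records, key=_ts):
        by_user.setdefault(r["userPrincipalName"], []).append(r)
    hits = []
    for user, recs in by_user.items():
        for a, b in zip(recs, recs[1:]):
            country_a = a["location"]["countryOrRegion"]
            country_b = b["location"]["countryOrRegion"]
            gap = _ts(b) - _ts(a)
            if country_a != country_b and gap <= window:
                hits.append((user, country_a, country_b, gap))
    return hits


def _rec(user, when, ip, app, protocol, country):
    """Build a constructed sign-in record in Graph's field layout."""
    return {
        "userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
        "appDisplayName": app, "authenticationProtocol": protocol,
        "location": {"countryOrRegion": country},
    }


# Constructed sample: alice's session continues from another country twenty
# minutes later (cookie replay pattern); bob signed in via device code;
# carol's two countries are six hours apart, so she is not flagged.
SAMPLE_SIGNINS = [
    _rec("alice@example.org", "2026-04-10T08:00:00Z", "203.0.113.10",
         "Microsoft Office", "oAuth2", "GB"),
    _rec("alice@example.org", "2026-04-10T08:20:00Z", "198.51.100.7",
         "Microsoft Office", "oAuth2", "NL"),
    _rec("bob@example.org", "2026-04-10T09:05:00Z", "198.51.100.9",
         "Microsoft Azure CLI", "deviceCode", "US"),
    _rec("carol@example.org", "2026-04-10T09:00:00Z", "203.0.113.22",
         "Microsoft Teams", "oAuth2", "GB"),
    _rec("carol@example.org", "2026-04-10T15:00:00Z", "203.0.113.23",
         "Microsoft Teams", "oAuth2", "IE"),
]

if __name__ == "__main__":
    print("device code sign-ins:", device_code_signins(SAMPLE_SIGNINS))
    print("cross-country sessions:", cross_country_sessions(SAMPLE_SIGNINS))
```

Treat the output as a triage list rather than an alert: VPN users and travellers will appear in the second check, and a handful of administrators will legitimately use device code sign-ins from command-line tools. What you are looking for is a device code sign-in from a user who does not use such tools, or a location change that coincides with a phishing email in that user's mailbox.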
The NHS and its suppliers are among the UK's largest users of Microsoft 365. MFA is widely promoted as one of the most effective ways to stop account takeover, and many organisations have invested heavily in rolling it out. Kali365 shows that standard MFA, including SMS codes and authenticator apps, can be bypassed if users are tricked into completing a device code flow or logging in through the attacker's proxy. The two techniques need different defences. Phishing-resistant methods such as FIDO2 security keys and passkeys defeat the proxy method, because the credential is bound to the real Microsoft origin and will not complete on a look-alike site; they do not stop the device code method, since the victim genuinely is signing in at Microsoft. For that, restrict or block the device code flow for ordinary users with a Microsoft Entra Conditional Access policy (the authentication flows condition), and review sign-in logs for device code authentications and for sessions continuing from unexpected locations. A compromised M365 account gives an attacker access to emails, documents, and shared drives, which could include patient data, contracts, clinical information, or supplier credentials. For NHS suppliers required to meet DSPT obligations, an account compromise of this kind may trigger a reportable breach if personal data is accessed.
Cisco has disclosed a maximum-severity vulnerability in its Secure Workload platform, a product used by large enterprises to manage and secure workloads in data centres and cloud environments. The vulnerability is tracked as CVE-2026-20223 and has a score of 10.0 out of 10.
The flaw is in a REST API that Secure Workload uses internally. An attacker who can reach these endpoints does not need a username or password; sending crafted requests is enough to obtain Site Admin privileges, the highest level of access in the product. With that access, an attacker can read sensitive information and make configuration changes across tenant boundaries, meaning a compromise of one customer's environment could expose data belonging to other customers on the same platform. This is especially serious for cloud or multi-tenant deployments where different organisations share the same underlying infrastructure. Until the patch is applied, the practical question for an on-premises deployment is who can reach that API at all: limiting management-plane access to the networks that need it is not a fix, since Cisco lists no workaround, but it narrows the set of hosts that could send those requests.
Cisco has confirmed there are no workarounds. The only fix is to install the patched release. Cisco said it discovered the flaw during internal security testing, and has not confirmed active exploitation at the time of publication. However, Cisco has suffered a run of maximum-severity vulnerabilities across multiple products in recent months, and unpatched critical bugs rarely stay quiet for long. Cloud-hosted SaaS deployments of Secure Workload have already been patched by Cisco automatically.
Large NHS trusts, NHS-connected data centres, and enterprise-scale NHS suppliers that use Cisco Secure Workload to protect their data centre environments will want to check their version and patch status immediately. A 10.0-score flaw with no workaround and cross-tenant implications is one of the most urgent patch obligations a team can face. Even for organisations not directly using Secure Workload, this is a further signal that Cisco infrastructure across the board needs careful attention to version control and patch management, given the volume of high-severity Cisco advisories in recent weeks.
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.
https://www.periculo.co.uk/contact-us