■■□□□ CYBER INTELLIGENCE ALERT: ZERO-DAY VULNERABILITY EXPLOITATION — SERVERS IN CHINA 🇨🇳
[STATUS: UNCONFIRMED / ACTIVE EXPLOITATION / THREAT ASSESSMENT]
An active exploitation campaign targeting web servers and applications in .cn domains has been detected, using zero-day vulnerabilities to gain root access.
Affected Entities: Multiple web servers and applications hosted under the .cn domain.
Threat Actor: codeb0ss 👤
Date Recorded: June 3, 2026 📅
Reported Scope: The actor is using an automated exploit to compromise servers, gaining full access to shells, files, and configurations, with a severity classified as “Critical”.
Status of Evidence and Assessment 📊
Evidence: The activity has been documented, detailing the execution of an “Auto/Mass Exploit” against various hosts, confirming successful root access.
Methodology: The actor uses an automated script to scan for and exploit vulnerabilities in Apache/Linux servers, also offering the source code and private exploits through a VIP/Premium scheme.
Status of Compromise: The activity log shows several hosts marked as “Exploited,” with successful acquisition of root user privileges and file system access.
Mitigation Recommendations 🛡️
Server Audit: System administrators in .cn domains are advised to perform an immediate audit of their Apache/Linux environments to detect potential malicious shells or unauthorized access.
Critical Update: Prioritize security patches for web applications, especially those managing Apache/Tomcat configurations, because the actor is using a new type of private vulnerability.
Access Monitoring: Implement enhanced security measures to prevent privilege escalation to the root level and monitor for mass scanning patterns originating from this actor’s tools.
Source: 𝕏 | Vercel
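
The access-monitoring and server-audit recommendations above, sketched as detection logic over Apache access logs. This is an added example, not part of the original alert and not derived from the actor's tooling; the function names, thresholds, script extensions and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
SCRIPT_RE = re.compile(r'\.(php|jsp|jspx)(\?|$)', re.I)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_scanners(lines, window=timedelta(seconds=60), min_paths=5):
    """Flag clients that got 4xx on >= min_paths distinct paths within one
    window. Maps each flagged IP to its 2xx POSTs to script paths made after
    the burst began, for review as possible web shell access (assumed limits)."""
    probes = defaultdict(list)  # ip -> [(ts, path)] for 4xx responses
    posts = defaultdict(list)   # ip -> [(ts, path)] for 2xx script POSTs
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if 400 <= status < 500:
            probes[ip].append((ts, path))
        elif method == "POST" and 200 <= status < 300 and SCRIPT_RE.search(path):
            posts[ip].append((ts, path))
    flagged = {}
    for ip, hits in probes.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({p for _, p in hits[start:end + 1]}) >= min_paths:
                burst_start = hits[start][0]
                flagged[ip] = [p for t, p in posts[ip] if t >= burst_start]
                break
    return flagged

# Constructed sample lines: documentation IP ranges and invented paths.
def _line(ip, sec, method, path, status):
    return (f'{ip} - - [01/Jan/2025:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')
SAMPLE = [_line("203.0.113.7", i, "GET", p, 404) for i, p in enumerate(
    ["/a.php", "/b.jsp", "/c.php", "/d.php", "/e.jsp", "/f.php"])]
SAMPLE += [_line("203.0.113.7", 30, "POST", "/uploads/img.php", 200),
           _line("198.51.100.4", 5, "GET", "/missing.css", 404),
           _line("198.51.100.4", 9, "POST", "/login.php", 200)]
```

Calling `find_scanners(SAMPLE)` flags only the client that probed six missing paths in a few seconds and lists its later successful POST to a script under `/uploads/`; the second client's single 404 and normal login stay below the threshold.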
