Netizen: Monday Security Brief (1/26/2026)

Today’s Topics:

  • LastPass Warns Users of Active Phishing Campaign Mimicking Maintenance Alerts
  • CISA Flags Actively Exploited VMware vCenter Server Flaw in KEV Catalog
  • How can Netizen help?

LastPass Warns Users of Active Phishing Campaign Mimicking Maintenance Alerts

LastPass is warning customers about an active phishing campaign that impersonates the service and attempts to steal users’ master passwords by posing as routine maintenance notifications. The activity appears to have started around January 19, 2026, and relies on urgency and familiar branding to pressure recipients into acting quickly.

The phishing emails claim that infrastructure maintenance is imminent and instruct users to create a local backup of their password vault within a 24-hour window. Several subject lines have been observed, including “LastPass Infrastructure Update: Secure Your Vault Now,” “Protect Your Passwords: Backup Your Vault (24-Hour Window),” and “Important: LastPass Maintenance & Your Vault Security.” The messages are crafted to look legitimate and direct recipients to a fake page hosted on cloud infrastructure, which then redirects to a spoofed domain designed to capture credentials.

According to LastPass, the emails route victims through URLs hosted on Amazon S3 buckets before landing on domains that visually resemble official LastPass web properties. The company stressed that it will never request a user’s master password under any circumstance and does not require immediate action through email prompts. LastPass stated that it is working with external partners to dismantle the malicious infrastructure behind the campaign.

The phishing messages were sent from several suspicious sender addresses, including support@sr22vegas[.]com and multiple variants using “lastpass[.]server” domains. These addresses are not associated with legitimate LastPass operations. A spokesperson from the company’s Threat Intelligence, Mitigation, and Escalation team told The Hacker News that the campaign relies on a manufactured sense of urgency, a tactic frequently seen in credential-harvesting attacks aimed at end users.

At the time of disclosure, LastPass said it did not know how many customers had been targeted and reported no evidence suggesting successful account compromise. Attribution has proven difficult due to the use of commonly available hosting services, though the activity pattern and wide targeting are consistent with financially motivated cybercriminal groups rather than a focused intrusion set.

An updated advisory issued on January 22, 2026, noted a new wave of phishing emails that reuse the same maintenance narrative but rotate infrastructure after earlier domains were taken offline. Newly observed phishing sites include systems-resources.s3.eu-west-3.amazonaws[.]com/sSvLaIvIEm5iMal and security-lastpass[.]com, paired with revised subject lines such as “Critical: Please Backup Your LastPass Vault Before Maintenance” and “LastPass Server Maintenance: Backup Recommended.”

This campaign follows earlier warnings from LastPass about unrelated malware activity that targeted macOS users through fake GitHub repositories distributing trojanized software posing as the password manager. The company continues to encourage users to report suspicious emails and reiterates a single rule that remains constant: any message requesting a master password is malicious by definition.
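A small mail-triage routine, added here as an example and not code from LastPass or from the Netizen brief, that scores a message against the indicators reported above: the sender domains, the observed subject lines, the S3-hosted redirector pattern and the lookalike domains. The sample messages at the bottom are constructed, not real captures.

```python
import re
from email.utils import parseaddr

# Indicators quoted in the LastPass advisories above, with defanging brackets removed.
CAMPAIGN_SENDER_DOMAINS = {"sr22vegas.com"}
CAMPAIGN_SENDER_PATTERN = re.compile(r"lastpass\.server", re.I)  # "lastpass[.]server" variants
CAMPAIGN_HOSTS = {"security-lastpass.com", "systems-resources.s3.eu-west-3.amazonaws.com"}
CAMPAIGN_SUBJECTS = {
    "LastPass Infrastructure Update: Secure Your Vault Now",
    "Protect Your Passwords: Backup Your Vault (24-Hour Window)",
    "Important: LastPass Maintenance & Your Vault Security",
    "Critical: Please Backup Your LastPass Vault Before Maintenance",
    "LastPass Server Maintenance: Backup Recommended",
}
# Generic form of the lure: "vault" together with "backup"/"back up" or "maintenance".
LURE_RE = re.compile(r"vault.*(back\s?up|maintenance)|(back\s?up|maintenance).*vault", re.I)
URL_HOST_RE = re.compile(r"https?://([^\s/<>\"']+)", re.I)

def triage(sender, subject, body):
    """Return the reasons a message matches this campaign; an empty list means no match."""
    reasons = []
    domain = parseaddr(sender)[1].rsplit("@", 1)[-1].lower()
    if domain in CAMPAIGN_SENDER_DOMAINS or CAMPAIGN_SENDER_PATTERN.search(domain):
        reasons.append(f"sender domain {domain} matches a reported campaign sender")
    if subject.strip() in CAMPAIGN_SUBJECTS:
        reasons.append("subject line is one of the reported campaign subjects")
    elif LURE_RE.search(subject):
        reasons.append("subject uses the vault backup / maintenance lure")
    for host in URL_HOST_RE.findall(body):
        host = host.lower().split(":")[0]  # drop any port
        if host in CAMPAIGN_HOSTS:
            reasons.append(f"link to reported campaign host {host}")
        elif host.endswith(".amazonaws.com"):
            reasons.append(f"link to bucket-hosted page {host} (the campaign staged pages on S3)")
        elif "lastpass" in host and host != "lastpass.com" and not host.endswith(".lastpass.com"):
            reasons.append(f"link to lookalike domain {host}")
    return reasons

# Constructed sample messages (not real captures) to exercise the rules.
PHISH = ("LastPass Support <support@sr22vegas.com>",
         "LastPass Server Maintenance: Backup Recommended",
         "Export your vault within 24 hours: https://security-lastpass.com/backup")
BENIGN = ("LastPass <no-reply@lastpass.com>",
          "Your monthly security score",
          "See your report at https://lastpass.com/security")

if __name__ == "__main__":
    for msg in (PHISH, BENIGN):
        print(msg[1], "->", triage(*msg) or ["no campaign indicators"])
```

The exact-match sets catch the reported wave; the lure regex and the S3/lookalike checks are there so a rotated subject line or a fresh bucket still surfaces for review.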


CISA Flags Actively Exploited VMware vCenter Server Flaw in KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The issue, tracked as CVE-2024-37079 and rated 9.8 on the CVSS scale, impacts Broadcom-managed VMware environments and was originally patched in June 2024.

The vulnerability stems from a heap overflow in the implementation of the DCE/RPC protocol. An attacker with network access to a vCenter Server instance could trigger remote code execution by sending a specially crafted packet, creating a direct path to full system compromise. The flaw was addressed by Broadcom alongside CVE-2024-37080, a related heap overflow in the same protocol handler that also allows remote code execution.

The issues were discovered and reported by researchers Hao Zheng and Zibo Li from QiAnXin LegendSec. During a security conference presentation in April 2025, the researchers explained that these bugs were part of a broader cluster of four vulnerabilities within the DCE/RPC service, consisting of three heap overflows and one privilege escalation flaw. The remaining two vulnerabilities, CVE-2024-38812 and CVE-2024-38813, were patched by Broadcom in September 2024.

The researchers demonstrated that one of the heap overflow vulnerabilities could be chained with the privilege escalation flaw, CVE-2024-38813, to obtain unauthorized remote root access. That chain ultimately allows full control of underlying ESXi hosts, escalating the impact from management-plane compromise to hypervisor-level takeover.

Details on real-world exploitation remain limited. The method of abuse, the actors involved, and the scope of observed attacks have not been publicly disclosed. Broadcom has since updated its advisory to confirm in-the-wild exploitation, stating that it has information indicating CVE-2024-37079 has already been abused outside of controlled research settings.

Following its inclusion in the KEV catalog, Federal Civilian Executive Branch agencies are now required to remediate the flaw by updating to a fixed version no later than February 13, 2026. The directive reinforces ongoing concerns around delayed patching in virtualization infrastructure, where vCenter often holds broad administrative reach across enterprise environments.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

