// Articles
219 articles — sorted by date
Australia ACSC Warns of ClickFix Campaign Delivering Vidar Infostealer — Fake CAPTCHA Bypass Technique Targeting Enterprise Users
The Australian Cyber Security Centre has issued a warning about an active ClickFix social engineering campaign delivering Vidar infostealer malware. ClickFix presents victims with fake CAPTCHA or browser-fix dialogs that instruct them to run PowerShell commands, bypassing standard malware delivery defences. The campaign has been observed across multiple Australian industry sectors.
Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery
Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.
Instructure Confirms ShinyHunters Exploited Canvas LMS to Deface University Login Portals in Mass Extortion Campaign
Instructure has confirmed that the ShinyHunters threat group exploited a vulnerability in Canvas LMS to deface login portals across multiple university clients with extortion messages. The attack moved beyond the data exposure incident disclosed on May 3 into active defacement — university login pages were replaced with ransom demands visible to students and staff. Instructure is notifying affected institutions and has issued an emergency patch.
Attackers Abuse Google Ads and Claude.ai Conversations to Deliver macOS Malware to Developers
A campaign targeting macOS users — particularly developers — is abusing both Google Ads and Claude.ai chat conversations as malware delivery vectors. Malicious ads impersonating developer tools redirect to sites hosting macOS malware, while a second vector embeds download links in Claude.ai conversations shared with targets. The campaign has updated the MacSync infostealer family with new macOS Sequoia-compatible components.
TrickMo Android Banking Trojan Moves C2 to TON Blockchain — Decentralised Infrastructure Makes Takedown Near-Impossible
The TrickMo Android banking trojan has been updated to use the Telegram Open Network (TON) blockchain as its command-and-control infrastructure. TON's decentralised architecture means law enforcement cannot seize or sink-hole C2 servers — TrickMo operators gain persistent, censorship-resistant communications regardless of takedowns. The move signals a broader industry shift toward blockchain-based C2 that defenders have limited ability to disrupt at the infrastructure level.
VENOM Phishing Kit Targets Senior Microsoft 365 Executives via AiTM Session Interception
A new phishing-as-a-service platform named VENOM is specifically targeting C-suite and senior executive Microsoft 365 accounts using adversary-in-the-middle (AiTM) infrastructure to intercept authenticated sessions. Unlike generic phishing kits, VENOM's targeting logic filters for high-value accounts — CFOs, CEOs, legal counsel, and board-level contacts — and includes executive-tailored lures designed for low suspicion.
Zara Confirms Data Breach Affecting 197,000 Customers — ShinyHunters' April Extortion Claim Now Substantiated
Inditex has confirmed that a breach of Zara customer data exposed the personal information of approximately 197,000 people, substantiating the ShinyHunters extortion claim from late April 2026. Exposed data includes names, email addresses, postal addresses, phone numbers, and purchase history. European GDPR notification has been filed and affected customers are being contacted.
FreeBSD CVE-2026-42511 — NFS Stack Vulnerability Affecting Network Appliances and BSD-Based Storage
A new vulnerability in FreeBSD's NFS networking stack has been disclosed as CVE-2026-42511, distinct from the previously covered CVE-2026-4747 (the 17-year-old NFSv4 daemon RCE). CVE-2026-42511 affects the NFS client implementation and is exploitable by a malicious NFS server to achieve code execution on FreeBSD hosts connecting to untrusted NFS mounts — a relevant threat model for enterprise environments mounting network storage from potentially compromised infrastructure.
Microsoft Edge Stores Saved Passwords as Plaintext in Process Memory — No CVE, No Patch
Security researchers have documented that Microsoft Edge's built-in password manager stores user-saved passwords in cleartext within the browser's process memory — readable by any process on the same system with the ability to dump Edge process memory. Microsoft has acknowledged the behaviour and characterised it as a performance design decision, not a vulnerability warranting a security fix. Users relying on Edge's password manager for credential storage should understand what this means for their threat model.
MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration
ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets education and telecommunications sector organisations. MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets, and screenshots, and exfiltrates data exclusively via Discord webhooks — making it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.
pnpm 11 Defaults to 24-Hour Package Age Minimum — Blocking Automated Post-Publish Supply Chain Attacks
pnpm 11, released this week, introduces a package quarantine feature that by default blocks installation of any npm package published within the past 24 hours. The control targets the automated post-publish compromise pattern used by TeamPCP, CanisterSprawl, and similar supply chain threat actors who publish malicious package versions and immediately trigger mass installation before defenders can respond. It is the most substantive supply-chain-defensive default configuration added to a package manager since npm's provenance attestation.
Proton Mail Adds Post-Quantum Encryption for New Emails to Counter Harvest-Now-Decrypt-Later Attacks
Proton Mail has added optional post-quantum encryption for new emails sent between Proton Mail accounts, protecting against harvest-now-decrypt-later (HNDL) attacks in which adversaries collect encrypted communications today with the intention of decrypting them when sufficiently powerful quantum computers become available. The feature uses the CRYSTALS-Kyber (ML-KEM) algorithm standardised by NIST in 2024. Existing encrypted emails are not retroactively re-encrypted.
Calendly-Themed AiTM Phishing Kits Rise with Real-Time Socket.IO and Telegram Exfiltration
urlscan.io researchers have documented a surge in phishing kits impersonating Calendly booking pages, used as a step in multi-stage AiTM credential theft chains targeting enterprise users. The kits use real-time Socket.IO connections for live victim monitoring, fake CAPTCHA challenges for victim fingerprinting, and Telegram bot webhooks for credential exfiltration — a combination that makes the attack infrastructure highly operationally efficient while appearing to originate from legitimate Calendly sessions.
CallPhantom: 28 Fake Android Apps with 7.3M Play Store Downloads Charged for Fabricated Call Data
ESET researchers have identified 28 Android applications — collectively downloaded 7.3 million times from the Google Play Store — that charged users for access to fabricated call history, SMS logs, and WhatsApp message records that the apps could not actually retrieve. The CodedCallPhantom campaign, active primarily in India and South-East Asia, combines financial fraud (charging for non-existent data) with personal data collection used for follow-on targeting.
Fake OpenAI Repository on Hugging Face Reached #1 Trending, Delivered Rust Infostealer to 244,000 Users
A malicious repository impersonating an official OpenAI project reached the top trending position on Hugging Face before being removed — delivering a Rust-compiled infostealer to an estimated 244,000 users who executed the repository's loader script. The attack exploited Hugging Face's trending algorithm and the high trust developers place in repositories attributed to the OpenAI organisation. Affected users should rotate all credentials accessible from the compromised machine.
DOJ Indicts North Korean Developer for Leading Sales of DDoS and Cyberterrorism Tools for Regime Revenue
The US Department of Justice has indicted a North Korean software developer on charges of conspiracy to develop and sell cyberattack tools — including distributed denial-of-service infrastructure and cyberterrorism-enabling toolkits — through front companies operated by the Workers' Party of Korea. The indictment provides rare detail into how DPRK IT workers generate hard currency for the regime through offensive cyber tool sales, complementing the well-documented cryptocurrency theft and IT contractor programmes.
OpenAI Launches Advanced Account Security Programme with Mandatory Phishing-Resistant MFA
OpenAI has announced an opt-in Advanced Account Security programme for high-risk users — journalists, human rights advocates, executives, and researchers — offering phishing-resistant FIDO2 hardware key and passkey authentication, stricter account recovery controls, and session compromise mitigations. The programme, developed in partnership with Yubico, acknowledges that standard MFA is insufficient against sophisticated phishing and AiTM attacks targeting OpenAI accounts with access to sensitive workflows.
FTC Bans Kochava Subsidiary from Selling Sensitive Location Data in Landmark Enforcement Settlement
The US Federal Trade Commission has reached a settlement banning Kochava and its Collective Data Solutions subsidiary from selling sensitive location data derived from consumer mobile devices — marking the FTC's most significant enforcement action against the location data broker industry. The settlement establishes a precedent with direct implications for any organisation that monetises or purchases precise consumer location data, including advertising technology companies, retail analytics firms, and financial services using location data for fraud detection.
JDownloader Official Download Site Hijacked to Serve Python RAT in Supply Chain Attack
The official JDownloader download site was compromised during a window of approximately 18 hours between 6 and 7 May 2026, with legitimate installer downloads replaced by a trojanised package delivering a Python-based remote access trojan. JDownloader is a popular open-source download manager with millions of users. Users who installed JDownloader during the compromise window should treat their system as compromised and perform immediate credential rotation and system remediation.
PamDOORa: Linux Post-Exploitation PAM Module Backdoor Sold on Dark Web for $1,600
Flare.io researchers have identified PamDOORa, a commercially sold Linux backdoor sold for $1,600 on a Russian-language underground forum. PamDOORa installs as a malicious PAM (Pluggable Authentication Module) on compromised Linux systems, creating a persistent hidden SSH access mechanism that activates via a magic password and a TCP port — while also harvesting the credentials of all legitimate users who authenticate to the system.
QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI
Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
SonicWall CVE-2026-0204 — Authentication Bypass in SSLVPN Allows Unauthenticated Network Access
SonicWall has disclosed CVE-2026-0204, an authentication bypass vulnerability in the SonicWall SSLVPN product that allows a remote attacker to bypass VPN authentication and gain access to the protected network without valid credentials. SonicWall SSLVPN appliances are widely deployed as enterprise and SMB VPN concentrators. Patch available — update immediately.
TCLBanker Banking Trojan Spreads via WhatsApp and Outlook Worm Modules, Targets 59 Financial Platforms
Elastic Security has identified TCLBanker (tracked as REF3076 / Water Saci), an evolution of the Maverick banking trojan family, deploying worm modules that spread via WhatsApp message injection and Outlook email campaigns from infected machines. TCLBanker targets users of 59 financial platforms including online banking, cryptocurrency exchanges, and payment services. The malware uses DLL side-loading via legitimate Logitech software and employs anti-analysis watchdog processes to resist removal.
Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration
Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. Patches are available in BaSyx V2 milestone-10.
Firefox and Tor Browser CVE-2026-6770 — IndexedDB Cross-Origin Data Leak Exposes User Browsing Identity
A cross-origin data leakage vulnerability in Firefox and Tor Browser's IndexedDB implementation allows a malicious web page to read data stored by other origins in the IndexedDB API — potentially identifying users by their stored browsing data and breaking the origin isolation that Tor Browser's anonymity model depends on. CVE-2026-6770 is fixed in Firefox 130.0.1 and a Tor Browser update. Tor Browser users should update immediately given the privacy implications.
Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required
Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.
LiteLLM CVE-2026-42208 — SQL Injection in AI Gateway Proxy Added to CISA KEV
CVE-2026-42208, a SQL injection vulnerability in the LiteLLM AI gateway proxy, has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed exploitation. LiteLLM is widely deployed in enterprise environments as a unified API layer routing requests to multiple LLM providers (OpenAI, Anthropic, Azure OpenAI, Bedrock). Exploitation allows an attacker to read and modify the LiteLLM database, including API keys, user records, and model configuration. Update to LiteLLM 1.42.2 immediately.
OpenEMR: Three Critical Vulnerabilities Expose Patient Records Across 100,000 Healthcare Providers
Aisle security researchers have disclosed 38 vulnerabilities in OpenEMR — the world's most widely deployed open-source electronic medical records and practice management system, used by over 100,000 healthcare providers globally. Three of the vulnerabilities are critical, allowing unauthenticated remote code execution and patient record exfiltration. OpenEMR 7.0.2 patch 2 addresses all reported issues; unpatched instances are a direct patient data and regulatory liability.
ProFTPD CVE-2026-42167 — Authentication Bypass Leading to Remote Code Execution
A vulnerability in ProFTPD — one of the most widely deployed open-source FTP server implementations — allows a remote unauthenticated attacker to bypass authentication controls and achieve code execution on the server. CVE-2026-42167 affects ProFTPD versions prior to 1.3.9a. FTP servers are frequently forgotten in patch management programmes; administrators should verify ProFTPD version and apply the update.
Cisco CVE-2026-20188 — Unauthenticated DoS Permanently Crashes Crosswork Network Controller Until Manual Reboot
Cisco has disclosed a high-severity denial-of-service vulnerability in Crosswork Network Controller and NSO (Network Services Orchestrator) that allows an unauthenticated remote attacker to exhaust connection resources and permanently disable the device — requiring physical manual reboot to recover. CVE-2026-20188 affects the network automation and orchestration platforms used by major service providers and large enterprise networks for intent-based networking automation.
cPanel/WHM Patches Three New Vulnerabilities Including CVSS 8.8 Code Execution and Privilege Escalation
cPanel has released security updates addressing three new vulnerabilities distinct from the previously covered CVE-2026-41940 zero-day: CVE-2026-29202 (CVSS 8.8, Perl code execution), CVE-2026-29203 (CVSS 8.8, symlink-based privilege escalation), and CVE-2026-29201 (CVSS 4.3, arbitrary file read). Web hosting providers running cPanel/WHM should apply the updates urgently given the platform's current elevated threat posture following mass exploitation in May 2026.
GoDaddy ManageWP Credentials Targeted by AiTM Phishing Campaign via Malicious Google Ads
A real-time adversary-in-the-middle phishing campaign is targeting GoDaddy ManageWP administrators through malicious Google search advertisements that appear above legitimate results for ManageWP login queries. The campaign steals session tokens via a real-time proxy, bypassing MFA, and uses Telegram for credential exfiltration. Each compromised ManageWP account typically controls hundreds of WordPress sites, making this a high-leverage credential theft campaign.
Linux 'Dirty Frag' Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch
Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. No CVE ID or kernel patch has been issued at time of disclosure.
Salesforce Marketing Cloud Server-Side Template Injection Exposed Entire Customer Contact Database
SL Cyber researchers have disclosed five patched vulnerabilities in Salesforce Marketing Cloud (ExactTarget), the most critical of which — a server-side template injection flaw — allowed an authenticated marketing user to exfiltrate the complete contacts database and historical email campaign content of any Salesforce Marketing Cloud instance. The vulnerabilities were patched by Salesforce; organisations should verify which contact data and historical communications were accessible to marketing team members.
vm2 Node.js Sandbox Escape CVE-2026-26956 — 1.3 Million Weekly Downloads, PoC Published
A critical sandbox escape vulnerability in the vm2 Node.js sandboxing library allows a malicious script to break out of the sandbox and execute arbitrary code in the host Node.js process. CVE-2026-26956 affects all vm2 versions prior to 3.9.22 and is present in any application using vm2 to safely execute untrusted code — including serverless platforms, coding challenge sites, CI/CD systems, and plugin architectures. A PoC is publicly available.
Fortinet 2026 Global Threat Landscape: Ransomware Victims Up 389% Year-over-Year, AI Crime Industrialising
Fortinet's 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 — a 389% increase over 2024's approximately 1,600 — alongside the first systematic evidence of AI-enabled cybercrime tooling (WormGPT, FraudGPT, BruteForceAI) being used at scale. Manufacturing, business services, and retail are the hardest-hit sectors. The report reframes the threat environment as fundamentally changed, not merely intensified.
CISA ICS Advisory: GRASSMARLIN OT Network Visualisation Tool Vulnerability CVE-2026-6807
CISA has issued ICS advisory ICSA-26-118-01 for CVE-2026-6807, a vulnerability in GRASSMARLIN — the NSA-developed open-source network visualisation tool widely used by industrial control system operators and OT security teams to map and analyse operational technology networks. The vulnerability affects teams using GRASSMARLIN for defensive ICS visibility, creating a risk of compromise of the analyst workstations conducting that analysis.
KidsProtect Stalkerware Abuses VS Code Tunnels and Discord Webhooks as Covert C2 Infrastructure
A commercially marketed Android application called KidsProtect, presented as a parental control tool, has been analysed and found to function as stalkerware — secretly recording device location, SMS messages, call logs, and browser history without consent. The tool evades conventional network monitoring by routing command-and-control traffic through legitimate VS Code Remote Tunnels and Discord webhook endpoints. Its developer explicitly markets it as an undetectable monitoring solution on underground forums.
Microsoft Threat Intelligence: AiTM Phishing Campaign Hit 35,000 Users Across 26 Countries in Two Days
Microsoft Threat Intelligence has published analysis of a highly targeted adversary-in-the-middle phishing campaign that compromised 35,000 user accounts across healthcare and financial services organisations in 26 countries during a 48-hour window in April 2026. The campaign used polished enterprise-grade HTML templates impersonating Microsoft 365 compliance and code-of-conduct notifications, bypassing standard MFA via real-time session token interception.
OpenSSH CVE-2026-35414 — Certificate Authentication Bypass via Comma Bug Grants Root Access
A single-character defect in OpenSSH's certificate Subject Alternative Name parsing allows an attacker with a maliciously crafted certificate to bypass host-based and user certificate authentication entirely, potentially gaining unauthorised access to systems relying on certificate-based SSH for privileged access. Researchers have named the vulnerability SplitSSHell. Operators using OpenSSH certificate authentication for root or privileged user access should review their CA trust chains immediately.
PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.
108 Malicious Chrome Extensions Exfiltrating Browser Data Removed from Web Store
Google has removed 108 extensions from the Chrome Web Store after researchers identified a coordinated malicious extension campaign conducting browser credential harvesting, session cookie theft, and clipboard monitoring across millions of installations. The extensions impersonated productivity tools, ad blockers, and security tools — with some active for over 18 months before detection. Enterprise Chrome deployments should audit installed extensions against the published IOC list.
Europol Dismantles €50M Crypto Investment Fraud Network — 12 Arrested Across Six Countries
Europol has coordinated the dismantling of a €50 million cryptocurrency investment fraud network operating across six European countries, resulting in 12 arrests, 30 property searches, and the seizure of cryptocurrency holdings, luxury assets, and fraud operation infrastructure. The network ran AI-enhanced investment scam call centres and operated fraudulent crypto trading platforms that fabricated returns to sustain victim investment before executing exit scams.
Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure
A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and Four Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. Organisations should audit edge device inventories and enforce firmware update policies.
Lotus Wiper Targets Venezuelan Energy Infrastructure in ICS-Aware Sabotage Campaign
A destructive wiper malware tracked as Lotus Wiper has been deployed against Venezuelan state energy company PDVSA and associated electricity generation infrastructure. Unlike generic wipers, Lotus Wiper includes ICS-aware modules that identify and corrupt engineering workstation configurations, HMI databases, and OT historian data before wiping. The campaign represents the most targeted wiper deployment against Latin American energy infrastructure on record.
MacSync Stealer Delivered via Malicious Google Ad Targeting macOS Homebrew Users
A macOS infostealer tracked as MacSync has been distributed through a malicious Google search advertisement impersonating the Homebrew package manager — a tool used by virtually all macOS developers. The campaign harvests browser credentials, session tokens, macOS keychain data, and cryptocurrency wallet files from developer machines. macOS users who installed Homebrew via a Google search in the past 30 days should verify their installation source.
Progress MOVEit Automation — Critical Authentication Bypass Vulnerability Disclosed, Patch Immediately
Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, the workflow automation component of the MOVEit managed file transfer platform. Given MOVEit's history as the most mass-exploited enterprise application of 2023 (Cl0p ransomware, 2,700+ organisations), any new critical vulnerability requires emergency patching. Organisations should apply the patch and review automation workflow configurations before exploitation begins.
Wireshark CVE-2026-5656 — Remote Code Execution via Malicious PCAP File, Update to 4.4.6
A code execution vulnerability in Wireshark's PCAP/PCAPNG file parser allows a malicious capture file to trigger arbitrary code execution when opened by an analyst. CVE-2026-5656 affects all Wireshark versions prior to 4.4.6 across Windows, macOS, and Linux. The attack vector is especially concerning for security teams that open externally-sourced capture files during incident response or threat hunting — update Wireshark to 4.4.6 immediately.
AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts
The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet — a legitimate no-code application platform — to bypass spam filters and email security gateways. The technique exploits trusted sender reputation of Google infrastructure and demonstrates the growing difficulty of filtering phishing delivered through legitimate SaaS platforms.
Two Former Cybersecurity Professionals Sentenced to Four Years for BlackCat/ALPHV Ransomware Operations
A US federal court has sentenced two individuals with professional cybersecurity backgrounds to four-year prison terms for their roles in the BlackCat/ALPHV ransomware-as-a-service operation, marking a notable law enforcement outcome that demonstrates insider security knowledge is not a prosecution shield. The sentences follow guilty pleas and cooperation with investigators.
Cordial Spider and Snarky Spider Drive Multi-Sector SaaS Account Takeover via Vishing and SSO AiTM Attacks
Two newly-designated threat actor clusters — Cordial Spider (UNC6671) and Snarky Spider (UNC6661) — are conducting coordinated vishing and adversary-in-the-middle SSO phishing campaigns against enterprise organisations across finance, technology, and logistics sectors, bypassing MFA to harvest persistent OAuth tokens. Organisations should review SSO conditional access policies and verify help desk vishing verification procedures.
EtherRAT Uses Ethereum Blockchain Transactions as Immutable C2 Channel — Campaign Targeting Government and Finance
Researchers have disclosed EtherRAT, a remote access trojan that encodes command-and-control instructions directly into Ethereum blockchain transactions, creating a C2 channel that cannot be taken down, domain-blocked, or sinkholed. Active campaigns have targeted government and financial organisations in Eastern Europe and the Middle East.
Three Critical Buffer Overflow Vulnerabilities Disclosed in Hashcat — Penetration Testing Toolchain at Risk
Security researchers have disclosed three buffer overflow vulnerabilities (CVE-2026-42482, CVE-2026-42483, CVE-2026-42484) in Hashcat, the widely-used open-source password recovery and penetration testing tool. The flaws can be triggered via maliciously crafted hash files or wordlists and may allow code execution in environments where Hashcat processes untrusted input — including shared red team infrastructure and automated password auditing pipelines.
Instructure (Canvas LMS) Discloses Cybersecurity Incident — Scope of Student and Faculty Data Exposure Under Investigation
Instructure, the company behind Canvas Learning Management System used by thousands of universities and K-12 school districts globally, has disclosed a cybersecurity incident affecting an internal infrastructure component. The scope of student, faculty, and institutional data potentially exposed is under forensic investigation. Institutions running Canvas should activate their incident response contact with Instructure and review data sharing scope.
China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia — and one NATO member state's foreign affairs ministry — to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
ConsentFix v3 Automates Azure OAuth Abuse at Scale — MFA-Bypassing Phishing Platform Circulating on Forums
The third iteration of the ConsentFix Azure OAuth phishing toolkit has been observed circulating on cybercriminal forums, adding Pipedream-powered automation to the consent flow abuse technique that allows attackers to gain persistent access to Microsoft 365 tenants without requiring MFA. Enterprise security teams should review conditional access policies governing OAuth app registrations and user consent.
'Sorry' Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch
A ransomware group tracking as 'Sorry' has leveraged the recently-patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability's public patch release. The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.
DEEP#DOOR: Python Backdoor Abuses Cloudflare Tunnels to Bypass Network Detection and Exfiltrate Credentials
Securonix researchers have disclosed DEEP#DOOR, a Python-based backdoor framework that routes command-and-control traffic through legitimate Cloudflare Tunnel infrastructure to evade network security controls. The malware establishes persistence via multiple mechanisms, disables Windows security features at installation, and specifically targets browser-stored passwords, session tokens, and cloud provider credentials.
Linux CopyFail LPE Added to CISA KEV With Active Exploitation Confirmed — CVE-2026-31431
CISA has added CVE-2026-31431 — the Linux kernel copy-on-write race condition LPE disclosed last week as 'CopyFail' — to the Known Exploited Vulnerabilities catalogue following confirmed active exploitation. All major Linux distributions have patches available. Federal agencies face a May 20 remediation deadline and all enterprise organisations should treat kernel patching as urgent.
PyTorch Lightning PyPI Package Compromised — Credential-Stealing Payload Delivered to AI/ML Development Environments
PyTorch Lightning versions 2.6.2 and 2.6.3 on PyPI were found to contain a credential-stealing postinstall payload, extending the Mini Shai-Hulud supply chain campaign that previously compromised SAP's official npm packages. Organisations running AI/ML workloads should audit Python environments and rotate any credentials stored on affected development or CI/CD systems.
Trellix Confirms Source Code Repository Breach — Forensic Investigation Underway
Cybersecurity vendor Trellix has confirmed unauthorised access to an internal source code repository, with law enforcement notified and a forensic investigation ongoing. The breach raises concerns about potential weaponisation of security product internals against Trellix's enterprise customer base.
DPRK Scales npm Malware Campaign With AI-Generated Code, Fake Tech Firms, and Remote RAT Deployment
North Korean threat actors have launched a new wave of npm supply chain attacks using AI-generated malicious package code that bypasses static analysis tools, fake software development firms as cover identities, and a multi-stage RAT that exfiltrates source code, cryptographic keys, and credentials from developer workstations. The campaign targets blockchain, DeFi, and fintech developers — organisations in these sectors should audit npm dependencies and developer machine security.
FBI Warns of $725M Cyber-Enabled Cargo Theft Wave Targeting Transportation and Logistics
The FBI has issued a warning documenting a sharp surge in cyber-enabled cargo theft targeting the US transportation and logistics industry, with losses exceeding $725 million in 2025. Criminal organisations use phishing, broker impersonation, and freight marketplace account takeovers to divert physical shipments. Supply chain security teams and freight brokers should treat this advisory as a direct threat to physical goods in transit.
GitHub Enterprise Server CVE-2026-3854 — Critical RCE via Single Git Push, No Authentication Required
CVE-2026-3854, a critical-severity remote code execution vulnerability in GitHub Enterprise Server, allows an attacker to execute arbitrary code on the server with a single specially crafted Git push, requiring no authentication. Any internet-exposed or internally-accessible GHES instance is vulnerable. GitHub has released hotfixes across all supported branches; apply immediately.
Linux 'CopyFail' Kernel Privilege Escalation — Root Access on All Major Distributions Since 2017
A newly weaponised local privilege escalation vulnerability in the Linux kernel's copy-on-write mechanism allows unprivileged local users to gain root access on virtually all major Linux distributions running kernels from 2017 onwards. A working public exploit has been released. Kernel patches are available; organisations running Linux servers, containers, and cloud instances should patch immediately.
PhantomRPC — Unpatched Windows Privilege Escalation Technique Abuses COM Server Activation
Security researchers have disclosed PhantomRPC, an unpatched local privilege escalation technique in Windows that abuses the COM server activation mechanism to elevate from standard user to SYSTEM without triggering standard EDR alerts. Microsoft has acknowledged the report but not committed to a patch timeline. Defenders should implement mitigation controls; red teams should incorporate this technique into assessments.
VECT 2.0 Ransomware Irreversibly Corrupts Files Over 131KB on Windows, Linux, and ESXi
VECT 2.0 is a new cross-platform ransomware variant that partially corrupts files larger than 131KB rather than encrypting them — rendering files permanently unrecoverable even after ransom payment, as the overwritten data cannot be reconstructed. Active campaigns have targeted manufacturing, logistics, and healthcare. Standard backup-based recovery strategies may fail against VECT 2.0 if backups were mounted or reachable at the time of attack.
cPanel and WHM CVE-2026-41940 — CVSS 9.8 Authentication Bypass Exploited as Zero-Day Before Patch
CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel and WHM web hosting control panel software, was exploited in the wild before the vendor issued a patch. All versions from 11.40 onwards are affected. Proof-of-concept code is now public. Web hosting providers, managed service providers, and any organisation running cPanel/WHM for server management should apply the emergency patch immediately.
Jenkins GitHub Plugin CVE-2026-42523 — CVSS 9.0 Stored XSS Enables Pipeline Hijacking and Secret Extraction
CVE-2026-42523, rated CVSS 9.0, is a stored cross-site scripting vulnerability in the Jenkins GitHub Plugin 1.46.0 and earlier. Exploitation allows an attacker with job creation rights to inject malicious JavaScript that executes in the browser of any Jenkins administrator who views the affected job — enabling session hijacking, secret extraction, and full pipeline takeover. Update to GitHub Plugin 1.46.1 or later.
Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials
Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.
Scattered Spider's 'Tylerb' Pleads Guilty — Senior Member Faces 20 Years for $8M SIM Swap and Enterprise Breaches
Tyler Robert Buchanan, 24, known online as 'Tylerb', has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in Scattered Spider's 2022 SMS phishing and SIM-swapping campaign that breached Twilio, LastPass, DoorDash, Cloudflare, and at least 130 other organisations. The guilty plea represents a significant law enforcement milestone against the English-language cybercrime group responsible for the MGM and Caesars casino breaches.
Wazuh SIEM/XDR Platform CVE-2026-30893 — CVSS 9.0 Remote Code Execution in Enterprise SOC Infrastructure
CVE-2026-30893, rated CVSS 9.0, is a remote code execution vulnerability in the Wazuh open-source security platform affecting versions 4.x and later. Wazuh is widely deployed as a SIEM, XDR, and compliance platform in enterprise SOC environments. Compromising the Wazuh manager means compromising your security monitoring backbone — patch to 4.11.2 immediately.
WordPress Redirect Plugin Carried Dormant Backdoor for Three Years Before Activation
Researchers have uncovered a dormant backdoor in a widely-installed WordPress redirect management plugin that remained inactive for approximately three years before being activated by the attackers. The backdoor, present across an estimated 200,000+ active installations, highlights the long-game threat of supply chain compromise in the WordPress plugin ecosystem and the limits of periodic security scanning.
Apache Thrift 0.23.0 Patches Out-of-Bounds Read (CVE-2026-41604) and Node.js Uncontrolled Recursion DoS (CVE-2026-41636)
Apache Thrift 0.23.0 addresses two vulnerabilities: CVE-2026-41604, an out-of-bounds read in the binary protocol parser affecting all language bindings that can crash Thrift-based services and potentially leak memory contents; and CVE-2026-41636, an uncontrolled recursion flaw in the Node.js library that enables remote denial of service via deeply nested Thrift structures. Organisations operating Thrift-based microservices or inter-service RPC should upgrade to 0.23.0.
CISA KEV Additions: Windows Shell Spoofing CVE-2026-32202 and Cisco SD-WAN Sensitive File Exposure CVE-2026-20133
CISA's late-April Known Exploited Vulnerabilities additions include a Windows Shell protection mechanism failure under active exploitation and a Cisco Catalyst SD-WAN Manager flaw allowing unauthenticated access to sensitive OS files. Federal agencies face a May 12 remediation deadline for CVE-2026-32202; enterprise organisations should treat both additions as confirmation of active threat actor interest and patch accordingly.
D-Link DIR-823X Command Injection CVE-2025-29635 Added to CISA KEV — Mirai Botnet Exploiting Actively
CVE-2025-29635, an authenticated command injection in D-Link DIR-823X routers, has been added to CISA's Known Exploited Vulnerabilities catalogue following an active Mirai botnet campaign documented by Akamai. CVSS 7.2 understates the real risk: D-Link DIR-823X reached end of life, meaning no patch will be issued. Organisations with these routers must replace them. Federal deadline: May 19, 2026.
CISA ICS Advisory: Milesight AIOT Cameras Carry Five CVEs Including CVSS 9.8 Hard-Coded SSL Key Flaw
CISA advisory ICSA-26-113-03 covers five vulnerabilities across 18-plus Milesight AIOT camera model families, including a CVSS 9.8 flaw where all devices share a hard-coded factory SSL private key that cannot be changed. An attacker with the key — which is extractable from any unit — can conduct undetectable man-in-the-middle attacks against the entire deployed fleet. Organisations using Milesight cameras in operational technology or physical security environments should isolate these devices immediately.
Spring AI CVE-2026-40978 and CVE-2026-40967 — SQL Injection and Filter Expression Injection in RAG Vector Store Components
Two injection vulnerabilities in Spring AI's vector store integration layer affect AI applications using retrieval-augmented generation pipelines. CVE-2026-40978 (CVSS 8.8) allows SQL injection through the CosmosDB vector store component; CVE-2026-40967 (CVSS 8.6) enables filter expression injection in the FilterExpressionConverter used across multiple backends. Both flaws affect Spring AI 1.0.x and 1.1.x and are patched in 1.1.5.
Spring Boot 4.0 CVE-2026-40976 — Default Security Misconfiguration Exposes All Actuator Endpoints Unauthenticated
CVE-2026-40976 in Spring Boot 4.0.0 through 4.0.5 allows unauthenticated network access to all Spring Boot Actuator management endpoints when applications rely on the default Spring Security auto-configuration but omit the spring-boot-health dependency. Exposed endpoints include heapdump, env, mappings, and loggers — enough to extract secrets and manipulate application behaviour. Upgrade to Spring Boot 4.0.6 or later.
AI Agents Can Autonomously Compromise Cloud Infrastructure With Minimal Human Oversight, Research Finds
New academic research demonstrates that AI agents equipped with common cloud security tools can autonomously identify, chain, and exploit misconfigurations in production-like cloud environments — achieving lateral movement, privilege escalation, and data exfiltration in multi-step attack sequences without human guidance. The findings have direct implications for red team methodologies, cloud security posture management, and the adversarial use of AI-assisted attack tooling.
SentinelLabs Uncovers Fast16 — NSA-Linked OT Sabotage Malware Active Five Years Before Stuxnet
SentinelLabs has published research identifying Fast16, a Lua-based OT sabotage framework compiled in 2005 that predates Stuxnet and is attributed to a US intelligence-linked operation targeting Iranian high-precision calculation software. The discovery rewrites the timeline of state-sponsored ICS sabotage and provides new technical context for understanding the development of destructive OT malware.
FTC: Americans Lost $2.1 Billion to Social Media Scams in 2025 — AI-Enhanced Fraud Doubles Investment Losses
The US Federal Trade Commission's annual consumer fraud report records $2.1 billion in social media scam losses in 2025, a 47% increase from 2024 driven by AI-generated deepfake impersonations, synthetic romance fraud accounts, and AI-personalised investment scam targeting. Investment scams account for 53% of losses at $1.1 billion. The report carries compliance implications for organisations under FTC Section 5 and EU AI Act Article 50 transparency obligations.
Hugging Face LeRobot CVE-2026-25874 — Critical Unpatched RCE via Pickle Deserialization in Unauthenticated gRPC Endpoint
A critical unpatched remote code execution vulnerability in Hugging Face's LeRobot robotics AI framework allows unauthenticated attackers to execute arbitrary code on any server running the gRPC control interface. CVE-2026-25874, rated CVSS 9.3, affects the project's dataset loading and remote control pipeline via Python pickle deserialization. No patch is available; mitigations focus on network isolation.
Medtronic Confirms Data Breach — ShinyHunters Claims 9 Million Medical Device Patient Records Stolen
Medtronic, the world's largest medical device manufacturer, has confirmed a data breach after the ShinyHunters threat actor claimed to have stolen nine million patient records. The breach includes patient names, device serial numbers, implant dates, clinic details, and in some cases diagnostic data from cardiac, diabetes, and spinal device programmes across 150 countries. Regulatory notifications under HIPAA, GDPR, and MDR are expected.
Rituals Cosmetics Discloses Data Breach — Up to 40 Million My Rituals Members' PII Potentially Exposed
Amsterdam-based luxury cosmetics brand Rituals has disclosed a breach of its My Rituals membership platform affecting potentially up to 40 million registered members across its 1,170-plus retail locations in 37 countries. Exposed data includes names, contact details, date of birth, gender, and purchase history. The breach carries significant GDPR obligations as Rituals is headquartered in the EU.
Silk Typhoon Operator Xu Zewei Extradited to US — First MSS Shanghai Bureau Hacker Held Accountable
Xu Zewei, a hacker attributed to the MSS Shanghai Bureau and the Silk Typhoon (formerly Hafnium) APT group, has been extradited from Italy to face US federal charges relating to the theft of COVID-19 vaccine research, defence contractor IP, and financial sector data via Exchange Server zero-days. The extradition marks the first successful prosecution of a Silk Typhoon operator and sends a direct signal to MSS-affiliated cyber operators.
Azure Arc Windows Agent CVE-2026-26117 Lets Low-Privilege Users Escalate to SYSTEM and Seize Cloud-Managed Identity
CVE-2026-26117, a local privilege escalation flaw in the Azure Arc Connected Machine Agent for Windows, allows any domain user on a managed host to escalate to SYSTEM and inherit the host's Azure managed identity — granting access to all Azure resources the machine identity can reach. Microsoft rated the flaw CVSS 7.8; patch immediately given Arc's growing enterprise footprint.
Itron Smart Grid Giant Discloses Internal IT Breach via SEC Filing — Critical Infrastructure Supplier Affected
Itron, the world's largest smart meter and grid management vendor, has disclosed a breach of its internal IT network in an SEC 8-K filing. Attackers accessed systems supporting grid data analytics and workforce management. No operational technology networks were confirmed compromised, but the supplier-to-utility trust relationship demands immediate third-party risk assessment.
Linux Kernel nf_tables Use-After-Free CVE-2026-23231 Enables Privilege Escalation on Most Distributions
A use-after-free vulnerability in the Linux kernel's nf_tables netfilter subsystem allows a local attacker to escalate privileges to root on unpatched systems. CVE-2026-23231 affects kernels 5.14 through 6.9 and most major distributions including RHEL 9, Ubuntu 22.04/24.04, Debian 12, and SLES 15. Stable kernel patches are available and distribution security teams are issuing advisories.
Microsoft Entra Agent ID Role Misconfiguration Enabled Full Tenant Takeover via Service Principal Hijack
A flaw in Microsoft Entra's Agent ID role assignment model allowed an attacker with low-level Entra access to hijack privileged service principals and achieve full tenant administrator rights. Microsoft silently patched the issue on April 9; organisations with agentic AI workloads or automation service accounts should audit role bindings immediately.
NIST Halts NVD Enrichment for Lowest-Priority CVEs as Submission Volume Surges 263% — Vulnerability Management Impact
NIST has announced it will no longer provide full CVSS scoring, CPE matching, and CWE classification for the lowest-priority tier of CVE submissions in the NVD. The change, driven by a 263% surge in annual CVE volumes since 2024, means thousands of CVE records will remain in an unenriched 'DEFERRED' state — with no CVSS score, no affected product mapping, and no severity rating. Enterprise vulnerability management programmes that rely on NVD as their authoritative source must adapt their workflows immediately.
OpenSSH 10.3 Patches Shell Metacharacter Injection CVE-2026-35386 in Non-Default scp Configurations
OpenSSH 10.3, released April 26, addresses CVE-2026-35386, a shell metacharacter injection flaw in the scp client that can result in unintended remote command execution when transferring files from attacker-controlled servers. While exploitation requires non-default configuration, scp is still widely used in automated backup and deployment pipelines and should be updated promptly.
SAP April 2026 Patch Day: CVE-2026-34256 ABAP Code-Overwrite Lets Authenticated Attacker Sabotage Core ERP Functions
SAP's April 2026 Security Patch Day includes a fix for CVE-2026-34256, an ABAP code-overwrite vulnerability rated CVSS 7.1 that allows an authenticated attacker with low-privilege access to modify executable ABAP programme objects, potentially corrupting core business logic in SAP ERP, S/4HANA, and BW systems. The flaw requires no special administrative roles and affects all SAP NetWeaver ABAP Server releases through the current patched version.
APT28 Operation Masquerade: GRU Hijacked 18,000 Routers to Steal Microsoft 365 OAuth Tokens
Russia's GRU Unit 26165 operated an 18,000-router DNS hijacking network targeting Microsoft 365 OAuth tokens across 120 countries. The US DOJ's Operation Masquerade dismantled US-based infrastructure on April 7 2026, but the global campaign continues. Organisations should audit DNS resolver settings, revoke OAuth sessions, and enforce Conditional Access for remote users.
DPRK's Sapphire Sleet Backdoors Axios npm Package: 100 Million Weekly Downloads at Risk
North Korea's Sapphire Sleet compromised an axios npm maintainer account on March 31, publishing backdoored versions 1.14.1 and 0.30.4 that delivered a cross-platform RAT during a three-hour exposure window. Axios has approximately 100 million weekly downloads. CISA issued Advisory AA26-110A on April 20 — organisations that ran npm installs during the window should treat their CI/CD pipeline as compromised and rotate all secrets immediately.
CanisterSprawl: Self-Propagating npm Worm Steals Developer Credentials and Re-Infects Package Ecosystems
Researchers discovered CanisterSprawl, a self-propagating npm supply chain worm attributed to TeamPCP that compromised at least 16 packages including pgserve and @automagik/genie. A postinstall hook harvests npm tokens, cloud credentials, SSH keys, and AI tool configs, exfiltrating to a blockchain canister before using stolen tokens to inject the worm into every other package owned by the compromised developer. Organisations should audit postinstall scripts and rotate all credentials from affected development environments.
CVE-2026-6074: Unauthenticated Path Traversal in Intrado 911 Emergency Gateway Threatens PSAP Call Routing
CISA ICS advisory ICSA-26-113-06 discloses CVE-2026-6074, a CVSS 9.1 path traversal flaw in Intrado 911 Emergency Gateway versions 5.x–7.x that allows unauthenticated network access to read, write, and delete arbitrary files on the management interface. Exploitation could modify 911 call routing rules or disable emergency call processing. Intrado patched on March 2 2026 and is directly contacting affected PSAP operators.
France Titres (ANTS) Breach Exposes 11.7 Million Citizens' Identity Records
France's national secure-ID document agency confirmed a breach affecting 11.7 million citizens — roughly one in five residents — after threat actor 'breach3d' claimed to have exfiltrated records including names, dates of birth, addresses, email addresses, and phone numbers. CNIL, ANSSI, and the Paris Public Prosecutor have been notified. Organisations operating in France face elevated customer account fraud and social engineering risk from the compromised data.
Germany BKA Identifies REvil and GandCrab Leader 'UNKN' as Russian National Daniil Shchukin
Germany's federal criminal police (BKA) publicly attributed the REvil and GandCrab ransomware-as-a-service platforms to 31-year-old Russian national Daniil Shchukin, holding him responsible for 130+ attacks in Germany causing over €35 million in economic damage. Shchukin operates from Krasnodar and remains beyond extradition reach, but the attribution breaks the historical anonymity of top-tier RaaS operators and may precede US OFAC sanctions.
Microsoft Issues Emergency Patch KB5091157 After April Updates Crash Domain Controllers
Microsoft's April 2026 Patch Tuesday updates triggered LSASS crash-reboot loops on non-Global Catalogue domain controllers in PAM-enabled deployments and forced some Windows Server 2025 systems into BitLocker recovery mode. Emergency out-of-band updates were released April 19 for all affected Server versions. Immediate installation is required — affected DCs cause complete authentication outages across their domains.
ADT Confirms Customer Data Breach After ShinyHunters Vishing Attack on Help Desk
ADT, the US home and business security monitoring provider, has confirmed a data breach after ShinyHunters used voice phishing to social-engineer a support employee into granting access to customer management systems. Names, phone numbers, and account data were exfiltrated. The incident underlines how thoroughly attackers have made help desk social engineering a standard tool.
CISA Adds Four Exploited Flaws to KEV — SimpleHelp RMT and Samsung MagicINFO Head New Additions
CISA's Known Exploited Vulnerabilities catalogue has grown by four entries including critical flaws in SimpleHelp remote management tooling and Samsung's MagicINFO digital signage platform. Federal agencies face a May 2026 remediation deadline. Enterprise operators of RMM tools and display infrastructure should treat these as urgent.
Critical Flaw in CrowdStrike Falcon LogScale and High-Severity Nessus Bug Patched — Security Tooling Vulnerabilities Demand Rapid Response
CrowdStrike has patched a critical SSRF vulnerability in Falcon LogScale, its SIEM and log management platform, while Tenable has addressed a privilege escalation flaw in Nessus. Security tooling vulnerabilities are among the most consequential: a compromised SIEM or vulnerability scanner has privileged visibility across the entire environment it monitors.
FIRESTARTER Backdoor Persists on Cisco Firepower Devices After Patching — Federal Agency Confirmed Victim
A joint CISA and NCSC advisory reveals FIRESTARTER, a sophisticated backdoor implanted on Cisco FTD and ASA firewalls that survives firmware updates and reimaging. At least one US federal agency is a confirmed victim. Defenders must verify device integrity rather than assume patching closed the access.
LMDeploy RCE Vulnerability CVE-2026-33626 Weaponised in the Wild 13 Hours After Disclosure
A critical remote code execution flaw in LMDeploy, a widely used LLM inference serving framework, was exploited in active attacks just 13 hours after public disclosure. Organisations running self-hosted AI inference infrastructure must treat these platforms with the same urgency as any internet-exposed web application server — because attackers already do.
Microsoft Entra Passkeys Rolling Out to All Windows Devices — Phishing-Resistant MFA Now Generally Available
Microsoft has begun rolling out Entra passkey support to managed, unmanaged, and shared Windows devices, with general availability set for mid-June 2026. Passkeys close the credential-phishing gap that conventional passwords, SMS codes, and TOTP leave open, and enterprise deployment is now achievable at scale through existing Conditional Access policies.
Tropic Trooper APT Delivers AdaptixC2 via Trojanised SumatraPDF Installer and GitHub C2 Relay
The Chinese APT group Tropic Trooper has been observed deploying the AdaptixC2 post-exploitation framework through a malicious SumatraPDF installer distributed from a convincing lookalike site. Command-and-control communications are routed through GitHub's REST API, blending malicious traffic with the high-volume legitimate developer activity that most enterprises whitelist.
Azure IoT Central Privilege Escalation via Sensitive Data Exposure — CVSS 9.9
A CVSS 9.9 privilege escalation vulnerability in Azure IoT Central exposes sensitive platform data allowing authenticated low-privilege attackers to gain administrative control. April 2026 Patch Tuesday addressed the flaw — audit IoT Central role assignments and rotate provisioning credentials now.
CISA Adds Quest KACE (CVSS 10.0), Kentico Xperience, and Zimbra ZCS to Known Exploited Vulnerabilities — Federal Deadline May 4
CISA's April 2026 KEV additions include a CVSS 10.0 unauthenticated SQL injection in Quest KACE Systems Management Appliance, active exploitation of Kentico Xperience CMS, and Zimbra Collaboration Suite vulnerabilities. Federal agencies have a May 4 remediation deadline; enterprise organisations should treat confirmed KEV additions as indicators of active attacker tooling and prioritise these systems immediately.
26 Fake Crypto Wallet Apps Found on Apple App Store Harvesting Mnemonic Seed Phrases
Researchers have discovered 26 malicious applications that bypassed Apple's App Store review and actively harvest cryptocurrency wallet seed phrases from victims. Users who installed any suspect app should rotate all wallet credentials immediately — mnemonic phrase compromise results in permanent, irreversible asset loss.
KTransformers AI Inference Framework Exposes Unauthenticated RCE via Pickle Deserialization — CVSS 9.8
CVE-2026-26210 is a CVSS 9.8 pre-authentication RCE in KTransformers, a popular AI inference acceleration framework. The scheduler's ZMQ ROUTER socket binds to all interfaces with no authentication and deserialises arbitrary pickle payloads — any network-reachable host can execute code on the inference server.
Microsoft Bing Remote Code Execution via Deserialization — CVSS 10.0 Patch Now
A critical CVSS 10.0 unauthenticated RCE vulnerability in Microsoft Bing allows attackers to execute arbitrary code over the network via unsafe deserialization. Patched in April 2026 Patch Tuesday — update immediately.
Microsoft Entra ID Entitlement Management SSRF (CVE-2026-35431, CVSS 10.0) — Cloud IAM Attack Surface Disclosed Before Silent Server-Side Fix
A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management allowed unauthenticated network-accessible exploitation of Microsoft's cloud identity governance platform. Microsoft patched it server-side with no customer action required, but the disclosure surfaces a structural question enterprise security teams need to answer: how do you monitor for exploitation of a vulnerability in infrastructure you don't control?
NASA OIG: Chinese Spear-Phishing Campaign Targeted Defence Software Over Four Years
A newly released NASA OIG report details a sustained Chinese spear-phishing operation by Song Wu that targeted NASA, DoD contractors, and universities to steal defence software source code. The campaign ran from 2017 to 2021 — a defence supply chain IP theft template that remains relevant today.
SAP BPC SQL Injection (CVE-2026-27681, CVSS 9.9) Gives Low-Privilege Users Full Access to Financial ERP Data
A near-perfect CVSS 9.9 SQL injection vulnerability in SAP Business Planning and Consolidation and BW/4HANA allows any authenticated user with standard access to read, modify, and delete financial consolidation data. SAP patched the flaw in its April 2026 Security Patch Day; organisations should treat unpatched SAP financial systems as having their financial data integrity at risk from any internal user with SAP credentials.
CISA Advisory: TPM 2.0 Out-of-Bounds Read in Siemens SIMATIC Industrial PCs (CVE-2025-2884)
CISA advisory ICSA-26-111-01 covers a TPM 2.0 out-of-bounds read vulnerability in Siemens SIMATIC CN 4100, Field PG M5/M6, and IPC BX series industrial computers. The flaw enables information disclosure or denial of service against the hardware root of trust, with direct implications for Secure Boot integrity and the trusted execution environment of industrial control systems.
TeamPCP Supply Chain Campaign Expands to npm and Docker Hub — Bitwarden CLI and Checkmarx KICS Both Backdoored
The TeamPCP supply chain threat group has extended its campaign beyond GitHub Actions and PyPI to poison the @bitwarden/cli npm package and overwrite Checkmarx KICS Docker images and VS Code extensions. The campaign now spans four developer distribution channels across six weeks, deploying a self-propagating worm that exfiltrates SSH keys, cloud credentials, and MCP configuration files from compromised developer environments.
UNC6692 Abuses Microsoft Teams to Deliver SNOW Malware via IT Help Desk Vishing
Threat actor UNC6692 is impersonating IT help desk staff via Microsoft Teams to socially engineer victims into installing SNOW malware. The campaign exploits trusted internal communication channels where detection tooling is typically absent — immediate Teams external access policy review is recommended.
Wormable Windows TCP/IP Race Condition RCE (CVE-2026-33827) — IPv6-Enabled Networks Face EternalBlue-Class Propagation Risk
A race condition in the Windows TCP/IP stack allows unauthenticated remote code execution against systems with IPv6 or IPSec enabled, demonstrated at Pwn2Own 2026 and patched in April's Patch Tuesday. The vulnerability's wormable characteristics — no user interaction, no authentication, network-adjacent propagation — place it in the same risk category as EternalBlue for environments that have not applied the April update.
BeigeBurrow: New Go-Based Covert C2 Agent Deployed via Active Directory RCE CVE-2026-33826
A previously undocumented post-exploitation tool named BeigeBurrow has been observed in at least two enterprise intrusions following exploitation of the Windows Active Directory RCE CVE-2026-33826. The Go-based agent uses HashiCorp's Yamux library to multiplex covert relay channels over port 443, blending into encrypted enterprise traffic. CVE-2026-33826 was patched in April Patch Tuesday; organisations that have not yet applied the patch should treat it as urgent.
Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims — GPO Deployment Reveals Full Domain Compromise
Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. GPO-based distribution is a forensic marker that attackers achieved Domain Admin access days before encryption — defenders should treat it as an indicator of extended dwell time, not a starting point.
Sanctioned Russian Crypto Exchange Grinex Shut Down After $13.74M Hack — Blames Western Intelligence
Grinex, a cryptocurrency exchange linked to the sanctioned Garantex operation, suspended all services after attackers drained $13.74 million in a targeted April 15 incident. The exchange blamed 'hostile state intelligence agencies,' pointing to the attack's technical sophistication. Elliptic and Chainalysis analysts have traced the funds but stop short of confirming attribution. The shutdown removes a significant node in Russia's sanctions-evasion infrastructure.
Kyber Ransomware Deploys Dual Windows and VMware ESXi Variants — Claims Post-Quantum Encryption
A new ransomware operation named Kyber is targeting enterprise Windows servers and VMware ESXi infrastructure with two distinct variants analysed by Rapid7. The Windows variant written in Rust implements genuine Kyber1024 post-quantum key encapsulation; the ESXi variant falsely markets the same capability while using ChaCha8 and RSA-4096. Both variants share Tor-based ransom infrastructure and have been deployed simultaneously on the same networks.
Marimo AI Notebook RCE CVE-2026-39987 Exploited at Scale — 662 Events in Three Days, NKAbuse Malware Deployed
CVE-2026-39987 (CVSS 9.3) in the Marimo Python notebook has been weaponised at scale, with Sysdig recording 662 exploitation events over three days and attackers completing credential theft within minutes of gaining access. The unauthenticated WebSocket RCE is being used to deploy NKAbuse, a multi-platform malware using the NKN peer-to-peer network for command and control. Upgrade to Marimo 0.23.0 immediately.
Anthropic's Claude Mythos AI Discovers Thousands of Zero-Days Across Every Major OS — Project Glasswing Offers Private Access
Anthropic's specialised vulnerability-hunting AI, Claude Mythos, has systematically discovered thousands of zero-day vulnerabilities across Windows, macOS, Linux, and major browsers — including a 17-year-old NFS RCE in FreeBSD and a 27-year-old OpenBSD denial-of-service. Project Glasswing provides private early access to Microsoft, Google, Apple, and select others. The implications for enterprise risk governance are immediate.
Microsoft Issues Emergency Patch for ASP.NET Core DataProtection Key Exposure — CVE-2026-40372
A critical security regression in Microsoft.AspNetCore.DataProtection (CVSS 9.1) introduced in .NET 10.0.0 causes encryption keys to leak on Linux deployments. Applications using cookie authentication, anti-forgery tokens, or TempData are at immediate risk. Update to .NET 10.0.7 now.
Cohere Terrarium AI Sandbox Escape — CVSS 9.3 WebAssembly Flaw Allows Root Code Execution on Host
CVE-2026-5752 (CVSS 9.3) in Cohere Terrarium allows an attacker to escape the Pyodide WebAssembly sandbox via JavaScript prototype chain traversal, achieving root code execution on the host Node.js process. Organisations running AI code execution environments should patch immediately and network-isolate these workloads.
Everest Ransomware Claims Citizens Bank Breach — 380 GB Including 250,000 SSNs and 3.4 Million Records
The Everest ransomware group claims to have stolen 380 GB of Citizens Bank customer data via a third-party vendor, including 250,000 Social Security Numbers and 3.4 million banking records. Citizens attributes the breach to a vendor, not its core systems — but regulatory notification obligations apply regardless.
Google Antigravity AI Coding Assistant Had Two Chained Vulnerabilities — Prompt Injection to RCE and Reinstall-Surviving Backdoor
Mindgard researchers discovered two vulnerabilities in Google's Antigravity AI coding assistant: a prompt injection via the find_by_name tool that bypasses Strict Mode to achieve code execution, and a persistent backdoor via workspace trust that survives reinstallation of the IDE extension. Google has patched both; update immediately and audit workspace trust settings.
ShinyHunters Claims Breaches at Zara, Carnival, and 7-Eleven — Extortion Deadline Set
Prolific threat actor ShinyHunters posted simultaneous claims of data theft from Inditex/Zara, Carnival Corporation, and 7-Eleven on dark web forums on 21 April, threatening to publish stolen datasets. None of the companies has confirmed the breaches. Given ShinyHunters' track record, claims should be treated as credible pending investigation.
CISA Adds Eight CVEs to KEV: PaperCut, JetBrains TeamCity, and Cisco SD-WAN Actively Exploited
CISA's April 20 Known Exploited Vulnerabilities addition is the largest single-day batch this month, confirming active exploitation across enterprise print management, CI/CD pipelines, content management, and Cisco SD-WAN infrastructure. The batch spans CVE publication years from 2023 to 2026, demonstrating that unpatched legacy vulnerabilities continue to be weaponised alongside newly disclosed flaws. Federal agencies face a BOD 22-01 remediation deadline, and private sector organisations should treat these as immediate prioritisation signals.
Four Critical Cisco Flaws: Webex SSO User Impersonation (CVSS 9.8) and ISE Root Code Execution (CVSS 9.9)
Cisco patched four critical vulnerabilities across Webex Services and Identity Services Engine. CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user via crafted SSO tokens. Three ISE flaws at CVSS 9.9 let read-only admins execute arbitrary commands as root. Webex deployments with SSO require urgent manual action — Cisco's cloud fix is not sufficient without administrator intervention.
Public Exploit Released for Critical FortiSandbox RCE (CVE-2026-39808, CVSS 9.1) — Unauthenticated Root Access
A public proof-of-concept exploit has been released for CVE-2026-39808, a critical OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated attackers to execute arbitrary commands as root via a single HTTP request. A companion authentication bypass flaw (CVE-2026-39813) affects the same versions. Patch to FortiSandbox 4.4.9 or 5.0.6 immediately.
Two Unpatched Windows Defender Zero-Days (RedSun + UnDefend) Actively Exploited — No Fix Available
A security researcher released two additional Windows Defender zero-days — RedSun and UnDefend — after Microsoft failed to patch them. RedSun exploits Defender's cloud file rollback mechanism to achieve SYSTEM privileges on all supported Windows versions. UnDefend silently prevents Defender from updating its threat signatures. Both are confirmed exploited in the wild, and neither has a patch or assigned CVE.
Vercel Confirms Breach via Compromised AI Tool — Developer Environment Variables and Credentials Exposed
Cloud deployment platform Vercel has confirmed a breach traced to a Lumma infostealer infection at Context.ai, a third-party AI tool used by a Vercel employee. Attackers used the stolen Google Workspace OAuth access to reach Vercel's internal environments, exposing environment variables and a limited set of customer credentials. ShinyHunters is claiming responsibility and demanding $2 million for the stolen data.
McGraw Hill Confirms 13.5 Million Account Breach After ShinyHunters Exploits Salesforce Misconfiguration
Education publisher McGraw Hill has confirmed a data breach affecting 13.5 million accounts after the ShinyHunters cybercriminal group threatened to publish 45 million Salesforce records. The breach stemmed from a misconfiguration within Salesforce's environment — one McGraw Hill acknowledges is part of a broader issue affecting multiple organisations. Over 100GB of data has been publicly released.
Payouts King Ransomware Deploys Hidden QEMU VMs to Blind Endpoint Security — New EDR Evasion Technique
The Payouts King ransomware operation, linked to former BlackBasta affiliates, has introduced a novel EDR bypass: deploying a legitimate QEMU virtual machine running Alpine Linux on compromised Windows hosts. Because endpoint security agents cannot inspect inside the VM, attackers operate the full intrusion — credential theft, lateral movement, and data exfiltration — completely invisible to host-level detection.
Five-Year-Old ShowDoc RCE Flaw CVE-2025-0520 (CVSS 9.4) Now Under Active Exploitation — Over 2,000 Instances Exposed
Threat actors are actively exploiting CVE-2025-0520, a critical unauthenticated remote code execution vulnerability in ShowDoc — an IT documentation tool used by developers and operations teams. The flaw, patched in October 2020 but present in thousands of unupgraded installations, allows file upload exploitation to deploy web shells. More than 2,000 publicly accessible ShowDoc instances remain vulnerable.
April Patch Tuesday Bug Crashes LSASS on PAM-Enabled Domain Controllers — No Fix Yet
KB5082063, Microsoft's April 2026 cumulative update, is causing LSASS to crash on non-Global Catalog domain controllers in Privileged Access Management environments, triggering unrecoverable reboot loops that take down Active Directory authentication. Microsoft has confirmed the issue across all Windows Server versions from 2016 to 2025 and is developing a corrected update, but none is available yet.
CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710 — Four Public Exploits Available
A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited — CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.
NIST Ends Full NVD Enrichment — What It Means for Your Vulnerability Management Programme
NIST has announced it will no longer enrich every CVE record in the National Vulnerability Database, shifting to a risk-based model that prioritises only the most critical submissions. With CVE volumes up 263% since 2020 and the NVD backlog now officially unresolvable, security teams that rely on NVD CVSS scores and CPE data for vulnerability prioritisation must urgently adapt their tooling and workflows.
Standard Bank Breach: 1.2TB of Client Data — Including Credit Card Details — Published Online
A threat actor claiming to have spent three weeks inside Standard Bank's network has published approximately 1.2TB of stolen data online, including client names, national identity numbers, account details, and a subset of credit card numbers. One of Africa's largest banks, Standard Bank operates across more than 20 countries and holds significant international exposure. The double-extortion attack pattern and lessons for database-layer monitoring are directly relevant to financial services defenders globally.
CVE-2026-33826: Windows Active Directory RCE via Crafted RPC Calls — Patch Now
A critical remote code execution flaw in Windows Active Directory allows any authenticated domain user to execute arbitrary code on domain controllers and other AD-joined servers by sending specially crafted RPC calls. Rated CVSS 8.0 and assessed by Microsoft as 'Exploitation More Likely', CVE-2026-33826 poses a serious lateral-movement and domain-compromise risk for every Windows Server environment. The April 2026 Patch Tuesday update provides the only full remediation.
CVE-2026-33824: Critical Windows IKE Service RCE Demands Urgent Patching
A CVSS 9.8 double-free vulnerability in the Windows Internet Key Exchange service allows unauthenticated remote attackers to achieve SYSTEM-level code execution on all supported Windows versions. With no user interaction required and confirmation of pre-patch exploitation, every unpatched Windows host with IKEv2 enabled is at immediate risk. Apply the April 2026 Patch Tuesday update or block UDP ports 500 and 4500 immediately.
CVE-2026-5194: Critical wolfSSL Flaw Enables Certificate Forgery Across 5 Billion Devices
A critical cryptographic validation flaw in wolfSSL, a lightweight TLS library embedded in billions of IoT devices, routers, industrial control systems, and automotive components, allows attackers to present forged X.509 certificates that pass signature verification without a legitimate private key. The vulnerability enables man-in-the-middle attacks and authentication bypass across an enormous installed base. wolfSSL version 5.9.1, released 8 April 2026, provides the fix.
nginx-ui CVE-2026-33032 Actively Exploited — Unauthenticated Full Server Takeover
A critical authentication bypass vulnerability (CVSS 9.8) in the nginx-ui web management interface allows any network attacker to take complete control of the underlying Nginx server without credentials. Over 2,600 instances are internet-exposed and the flaw is being actively exploited. Update to version 2.3.4 immediately.
OpenSSH 10.3 Patches CVE-2026-35385 — SCP Privilege Escalation via Setuid Bit Preservation
OpenSSH 10.3 fixes CVE-2026-35385 (CVSS 7.5), a privilege escalation flaw in the legacy SCP protocol where files downloaded as root without the -p flag may retain their setuid or setgid bits. Any Linux or macOS system with OpenSSH prior to 10.3 and a workflow involving scp downloads as root is affected.
ShinyHunters Leaks 78.6M Rockstar Records — The Real Story Is Anodot's Access
ShinyHunters has released 78.6 million records stolen from Rockstar Games, following the company's refusal to pay a ransom by the April 14 deadline. The breach did not involve Rockstar's own systems: attackers compromised Anodot, a third-party SaaS analytics vendor with direct access to Rockstar's Snowflake data warehouse. No player records were exposed, but the incident illustrates the persistent enterprise risk of SaaS vendor data access.
Microsoft Closes APT29's Favourite Phishing Door With New RDP File Protections
The April 2026 Windows update introduces mandatory security warnings and redirections-blocked-by-default for RDP connection files, directly countering the technique used by APT29 and other threat actors to silently redirect local drives and harvest credentials. Organisations using Windows 10 and 11 should confirm the KB is deployed.
Google Patches Fourth Chrome Zero-Day of 2026 — CVE-2026-5281 Use-After-Free in WebGPU
Google has patched CVE-2026-5281, a use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This is the fourth Chrome zero-day exploited in attacks in 2026. CISA added it to the KEV catalogue on 1 April with a deadline of 15 April for federal agencies. Update to Chrome 146.0.7680.177/178.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Emergency Hotfix Available
A pre-authentication remote code execution zero-day in Fortinet FortiClient Enterprise Management Server (CVE-2026-35616, CVSS 9.1) has been under active exploitation since 31 March 2026, ahead of Fortinet's advisory. CISA added it to the KEV catalogue on 6 April with a federal deadline of 9 April. An emergency hotfix is available without requiring system downtime.
Microsoft April 2026 Patch Tuesday: 167 Flaws Patched Including Two Zero-Days
Microsoft's April 2026 Patch Tuesday addresses 167 vulnerabilities, including an actively exploited SharePoint spoofing zero-day (CVE-2026-32201) and a publicly disclosed Defender elevation-of-privilege flaw. Eight Critical-rated vulnerabilities include a CVSS 9.8 IKE RCE and a Critical Active Directory RCE assessed as exploitation more likely.
North Korea's UNC4736 Spent Six Months Infiltrating Drift Protocol Before Stealing $285 Million
North Korean state hackers (UNC4736/AppleJeus) executed a meticulously planned six-month social engineering operation against Drift Protocol, culminating in a $285 million theft from the Solana DeFi platform on 1 April 2026. The attack leveraged fabricated tokens and pre-signed transactions to hand attackers admin control — the largest DeFi exploit of 2026 and the second-largest in Solana's history.
Basic-Fit Breach Exposes Personal and Bank Data of One Million European Gym Members
Dutch fitness chain Basic-Fit has disclosed a data breach affecting approximately one million members across six European countries, with bank account details among the compromised data. The breach targeted the company's visit-tracking system, exposing names, contact details, dates of birth, and banking information. GDPR notifications have been filed.
Linux Kernel Netfilter Vulnerability Batch: CVE-2026-31414 and Cluster Require Prompt Patching
A cluster of Linux kernel vulnerabilities in the netfilter subsystem — led by CVE-2026-31414 — has been patched across stable kernel branches, affecting versions 6.1 through 6.10. The flaws span NULL pointer dereferences and connection tracking weaknesses that can cause privilege escalation or denial of service. Enterprise Linux distributions are releasing updates; unmanaged servers and container hosts running custom kernel builds require manual attention.
CISA Flags SharePoint Zero-Day CVE-2026-32201 as Actively Exploited — Patch Arrives Tomorrow
CISA has added CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability under active exploitation, to the KEV catalogue with a 28 April remediation deadline. The timing is unusual: Microsoft has not yet released a patch as of this alert, with the fix expected in tomorrow's Patch Tuesday release. Organisations must decide whether to implement mitigations today or accept overnight exposure until the patch lands.
Adobe Acrobat Reader Zero-Day CVE-2026-34621 Exploited for Four Months Before Patch
Adobe has released an emergency patch for CVE-2026-34621, a prototype pollution vulnerability in Acrobat Reader that has been actively exploited since at least November 2025. Opening a crafted PDF triggers JavaScript execution that fingerprints the victim's system and can deploy RCE and sandbox escape payloads. CISA added the CVE to the KEV catalogue the same day, requiring federal agencies to patch by 27 April.
CISA Adds Seven CVEs to KEV Including Decade-Old Microsoft Bugs Exploited by Storm-1175
CISA has added seven vulnerabilities to the Known Exploited Vulnerabilities catalogue, including four Microsoft flaws spanning from 2012 to 2025 being actively leveraged by the Storm-1175 ransomware group. The additions highlight a persistent patching blind spot: vulnerabilities patched years ago that never made it into legacy system maintenance cycles, now routinely weaponised for initial access and privilege escalation.
FBI and Indonesian Police Dismantle W3LL Phishing Platform Behind $20M in MFA-Bypass Fraud
The FBI Atlanta Field Office and Indonesia's National Police have dismantled the W3LL phishing-as-a-service platform, arresting its alleged developer and seizing domains used in a global credential-theft and MFA-bypass operation. W3LL targeted over 17,000 victims in Microsoft 365 environments, capturing not just passwords but session tokens that allowed attackers to bypass multi-factor authentication.
Booking.com Breach Exposes Reservation Data — Phishing Wave Follows
Booking.com has disclosed unauthorised access to customer reservation data including names, contact details, and booking information. No payment data was taken, but the exposed reservation details create a high-quality dataset for targeted travel-themed phishing campaigns. Reservation PINs have been reset across affected bookings.
Second Critical FortiClient EMS Flaw in a Month: CVE-2026-21643 Pre-Auth SQL Injection Exposed
Bishop Fox has published full technical details of CVE-2026-21643, a CVSS 9.8 pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that enables unauthenticated remote code execution. The flaw is distinct from last week's CVE-2026-35616 and affects a different version — organisations that patched for CVE-2026-35616 by upgrading to 7.4.5 or 7.4.6 may now be running a version vulnerable to the newer access control flaw.
CISA Adds Ivanti EPMM CVE-2026-1340 to KEV — Federal Patch Deadline Today
CISA has added CVE-2026-1340, a critical unauthenticated remote code execution flaw in Ivanti Endpoint Manager Mobile, to the Known Exploited Vulnerabilities catalogue with a federal agency deadline of 11 April. The vulnerability chains with CVE-2026-1281 to enable full appliance takeover and has been actively exploited since January 2026. All organisations running Ivanti EPMM on-premises must patch immediately.
NIS2 Moves From Grace Period to Enforcement — Germany's BSI Registration Deadline Is Now
Eighteen months after the NIS2 transposition deadline, EU member states are moving from legislative implementation to active supervisory enforcement. Germany's BSI has set April 2026 as the registration deadline for essential and important entities under the national NIS2 implementation (NIS2UmsuCG). Organisations still treating NIS2 as a future requirement face immediate regulatory exposure as national competent authorities begin audit and penalty activity.
Apache ActiveMQ CVE-2026-34197: 13-Year-Old Jolokia API Flaw Enables Unauthenticated RCE
A critical unauthenticated remote code execution vulnerability in Apache ActiveMQ's Jolokia management API allows attackers to execute arbitrary OS commands by invoking a management MBean. CVE-2026-34197 roots in a design flaw present since ActiveMQ 5.x and chains dangerously with CVE-2024-32114. Patches are available in ActiveMQ 6.2.3 and 5.19.4.
BlueHammer Windows LPE Zero-Day Gives Attackers SYSTEM Access — No Patch Available
A publicly disclosed zero-day local privilege escalation vulnerability in Windows Defender's signature-update mechanism allows any authenticated user to escalate to SYSTEM. Named BlueHammer by researchers at Cyderes, the flaw has a working public exploit and no Microsoft patch as of publication. Security teams should implement interim mitigations immediately.
CIRCIA Final Rule Expected May 2026: What Critical Infrastructure Operators Must Do Now
CISA is expected to publish the long-awaited CIRCIA final rule in May 2026, mandating 72-hour cyber incident reporting and 24-hour ransomware payment reporting for critical infrastructure sectors. With weeks remaining, organisations that have not started preparing face significant compliance and legal exposure when the rule takes effect.
CISA Supplemental Direction ED 26-03: How to Hunt for Compromise in Cisco Catalyst SD-WAN
CISA has issued supplemental hunt-and-hardening guidance for Cisco Catalyst SD-WAN systems under Emergency Directive 26-03, providing defenders with specific indicators to look for in environments exposed to CVE-2026-20127 — a CVSS 10.0 authentication bypass exploited since 2023. Organisations running Cisco SD-WAN infrastructure should treat this guidance as a mandatory compromise assessment checklist.
NSA's January 2027 PQC Deadline Is Nine Months Away — Enterprise Migration Is Now Mandatory
With NIST's post-quantum cryptography standards finalised and the NSA's CNSA 2.0 deadline requiring all new National Security System acquisitions to be quantum-resistant by January 2027, the migration window for enterprise and federal contractor environments is closing fast. Most organisations have yet to inventory their cryptographic assets, let alone begin migration.
AI-Powered Device Code Phishing Bypasses MFA at Hundreds of Organisations
A sophisticated phishing campaign is abusing the OAuth device authorisation flow to hijack Microsoft 365 access tokens while victims complete entirely genuine MFA challenges. Hundreds of organisations have been compromised. FIDO2 passkeys block this attack; push notifications, TOTP, and SMS codes do not. Organisations should block the device code grant in Conditional Access immediately.
DPRK's Contagious Interview Campaign Spreads 1,700+ Malicious Packages Across Five Ecosystems
North Korea's UNC1069 (BlueNoroff) threat group has expanded its Contagious Interview supply chain operation to five package registries — npm, PyPI, Go Modules, crates.io, and Packagist — publishing more than 1,700 malicious packages that deliver a cross-platform infostealer and RAT. The operation is the largest coordinated open-source supply chain attack attributed to a nation-state actor.
World Leaks Exposes 7.7TB of LAPD Records After City Attorney's Discovery Tool Breach
Extortion group World Leaks has published more than 337,000 sensitive LAPD files — including officer personnel records, Internal Affairs investigations, and witness medical information — after breaching a third-party legal discovery transfer tool used by the Los Angeles City Attorney's Office. The incident illustrates how legal and compliance workflows that touch sensitive data are increasingly targeted as a softer entry point than agency systems themselves.
Palo Alto PAN-OS CVE-2026-3197: SAML Auth Bypass Under Mass Exploitation by Nation-State Actors
A critical SAML authentication bypass in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to gain administrative firewall access. CVE-2026-3197 chains with a command injection flaw to achieve root-level OS execution and is being exploited by at least three distinct threat actor clusters including a China-nexus nation-state group. CISA has added it to the KEV catalogue.
Secure Boot Certificates Expire June 2026 — Enterprise Action Window Is Now
Microsoft's 2011 Secure Boot signing certificates expire on 26 June 2026, with the Windows bootloader certificate following in October. Organisations that fail to apply firmware and OS updates before these deadlines lose the ability to receive boot-level security fixes and risk UEFI bootkit exposure. Microsoft has begun displaying warnings in Windows Security app in April 2026, but the update process requires OEM firmware coordination that takes weeks.
ShinyHunters Breach Anodot SaaS Integrator, Steal Snowflake Customer Data via Harvested Tokens
The ShinyHunters threat group breached Anodot, an AI analytics platform used to integrate with Snowflake cloud data warehouses, and stole authentication tokens that enabled downstream data theft from over a dozen Snowflake customer environments. The attack is a textbook fourth-party risk incident: the direct target was not the victim organisations' systems but a trusted third-party integration layer.
Citrix NetScaler CVE-2026-3055 Actively Exploited — CISA Orders Patch by 2 April
A critical unauthenticated memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalogue. Appliances configured as SAML Identity Providers are leaking sensitive memory contents including session tokens via a crafted SAML request.
DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation
North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now
A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.
Iranian-Affiliated Hackers Target US Water, Energy and Government Facilities via Internet-Exposed PLCs
A joint advisory from CISA, FBI, NSA, and the Department of Energy warns that Iranian-affiliated APT actors have been compromising internet-facing programmable logic controllers at water utilities, energy facilities and local government sites since at least March 2026. Operators should treat any internet-exposed OT device as potentially compromised and implement immediate network isolation.
Progress ShareFile Pre-Auth RCE Chain Puts 30,000 Exposed Servers at Risk — Patch to 5.12.4
Researchers at watchTowr Labs have disclosed a two-vulnerability chain in Progress ShareFile Storage Zones Controller that enables unauthenticated remote code execution via webshell upload. Approximately 30,000 Storage Zone Controller instances are internet-exposed and remain at risk if not patched to version 5.12.4, which was released on 10 March 2026 before full public disclosure of the attack path.
Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Plugin Pushed to 800,000 Sites
Attackers breached Nextend's update servers and distributed a fully weaponised backdoor through the official Smart Slider 3 Pro update channel, affecting WordPress and Joomla sites that auto-updated between 7–8 April 2026. The compromised version 3.5.1.35 creates rogue admin accounts, drops persistent remote access tools, and exfiltrates credentials — all delivered through the trusted plugin update mechanism.
April Windows Update Enforces AES-Only Kerberos — RC4 Fallback Blocked Across Active Directory
Microsoft's April 2026 cumulative update moves Windows domain controllers into AES-only Kerberos enforcement mode, permanently blocking RC4-HMAC as an authentication fallback under CVE-2026-20833. Organisations with legacy service accounts or unmanaged devices that have not set the msDS-SupportedEncryptionTypes attribute will begin seeing Kerberos authentication failures when the update is deployed.
ChipSoft Ransomware Attack Takes Down Patient Records Across 80% of Dutch Hospitals
Dutch healthcare IT vendor ChipSoft, whose HiX electronic patient record system is used by approximately 80% of hospitals in the Netherlands, was struck by a ransomware attack on 7 April. Eleven hospitals have disconnected from ChipSoft systems and reverted to emergency paper procedures. ChipSoft has confirmed a 'data incident' with possible unauthorised access to patient records, and Z-CERT has advised all connected healthcare institutions to disconnect VPN links to the vendor.
Storm-1175 Deploys Medusa Ransomware Within 24 Hours Using Zero-Day Exploits
Microsoft has identified Storm-1175, a China-linked financially motivated threat group, as the affiliate behind a surge in Medusa ransomware deployments exploiting zero-day and n-day vulnerabilities in internet-facing systems. The group is exploiting vulnerabilities within days — sometimes within 24 hours — of public disclosure, with particular focus on healthcare, education, and finance sectors in the US, UK, and Australia.
CVSS 10.0 Flowise RCE Actively Exploited Across 12,000 Exposed Instances
CVE-2025-59528, a maximum-severity remote code execution vulnerability in the Flowise AI workflow platform, is being actively exploited in the wild. Over 12,000 internet-exposed instances remain unpatched, allowing attackers to execute arbitrary JavaScript on host machines and extract API keys, credentials, and configuration secrets.
Anubis Ransomware Hits Signature Healthcare, Brockton Hospital Diverts Ambulances
A ransomware attack on Signature Healthcare's Brockton Hospital in Massachusetts forced the facility to divert ambulances to neighbouring hospitals and cancel chemotherapy treatments. The Anubis ransomware group claimed responsibility on April 9, marking another significant attack on US healthcare infrastructure at a time when the sector remains one of the most targeted by ransomware operators.
Handala Ransomware Surges to 23 Victims in March — Geopolitically-Motivated Wiper Threat Expands Beyond Israel
Handala ransomware claimed 23 victims in March 2026 — the group's most active month, accounting for more than half of its total 2026 activity to date. While predominantly targeting Israeli organisations with suspected IRGC ties, Handala has begun extending its reach into European financial services, healthcare, and utilities. The group deploys wiper functionality alongside ransomware, meaning recovery from an attack is frequently impossible even without a ransom payment.
Qilin and Warlock Ransomware Deploy BYOVD Technique to Disable 300+ EDR Tools Before Encryption
Cisco Talos and Trend Micro have documented that Qilin and Warlock ransomware operations are now using the Bring Your Own Vulnerable Driver (BYOVD) technique to systematically disable endpoint detection and response software before deploying ransomware payloads. The technique exploits a legitimate but outdated signed kernel driver to terminate over 300 EDR products from virtually every security vendor — including CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black.
Linux Kernel AP VLAN Flaw CVE-2026-31394 Allows Privilege Escalation in Virtualised and Cloud Environments
CVE-2026-31394 is a privilege escalation vulnerability in the Linux kernel's AP VLAN (access point virtual LAN) network driver. Highlighted in Microsoft's Windows Update security reference guide and tracked by multiple Linux distributions, the flaw allows a local user with network namespace access to escalate privileges. Virtual machine hosts, Kubernetes nodes, and container infrastructure are the highest-risk deployment contexts.
March 2026 Patch Cycle: The Governance and Risk Metrics That CISOs Should Be Reporting
March 2026 has been an unusually demanding patch cycle — 83 Microsoft CVEs, three new CISA KEV additions across F5, Citrix, and Active Directory, and concurrent exploitable vulnerabilities across Linux, PAN-OS, and Dell hardware. CISOs face board-level questions about patching velocity and exposure windows. This analysis provides the governance framework and risk metrics to answer those questions accurately.
Windows Kerberos Security Feature Bypass CVE-2026-24297 — Race Condition Enables Unauthenticated Network Attack
CVE-2026-24297 is a security feature bypass in the Windows Kerberos implementation caused by a race condition that can be triggered remotely without credentials or user interaction. Patched in the March 2026 Patch Tuesday, the vulnerability allows an attacker with network access to a Kerberos-speaking service to bypass security validation in the authentication flow. No active exploitation has been confirmed but the attack vector requires no credentials, increasing urgency.
PAN-OS GlobalProtect Denial-of-Service CVE-2026-0227 — PoC Published, Firewalls Risk Forced Maintenance Mode
A proof-of-concept exploit has been published for CVE-2026-0227, a denial-of-service vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect gateways and portals. An unauthenticated remote attacker can crash the firewall into a mandatory maintenance mode by sending malformed requests to the GlobalProtect interface. Prisma Access deployments are also affected. Palo Alto has released patches; the PoC significantly elevates exploitation risk.
Citrix CVE-2026-3055 Confirmed Exploited — CISA KEV Addition Triggers Mandatory Patch Deadline
CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue on 30 March, confirming active exploitation of the critical Citrix NetScaler memory overread vulnerability disclosed the previous week. NetScaler appliances configured as SAML Identity Providers are leaking session tokens from memory, allowing attackers to impersonate users without credentials. Organisations must patch immediately.
Dell iDRAC Service Module CVE-2026-23856 Allows Local Privilege Escalation on PowerEdge Servers
Dell has patched CVE-2026-23856, a privilege escalation vulnerability in the iDRAC Service Module (iSM) shipped with PowerEdge servers. A local attacker with standard user privileges can exploit improper access controls in the iSM — which runs with elevated system privileges to communicate with the hardware management interface — to elevate to SYSTEM or root. Updated iSM packages are available for both Windows and Linux.
Apple macOS CoreMedia Out-of-Bounds Write RCE Disclosed — Remote Exploitation via Malicious Media Files
Zero Day Initiative researchers have disclosed ZDI-26-230, an out-of-bounds write vulnerability in the Apple macOS CoreMedia framework that could allow remote code execution when a user processes a specially crafted media file. A companion vulnerability ZDI-26-231 discloses a separate macOS information disclosure flaw. Both were disclosed on 30 March 2026 following Apple's 120-day coordinated disclosure window.
March 2026 Brought 83 Patch Tuesday CVEs and Three CISA KEV Additions — How to Prioritise
March 2026's Patch Tuesday addressed 83 vulnerabilities including three critical Office RCEs, an Active Directory privilege escalation now in CISA's KEV catalogue, and a Kerberos security feature bypass. Add three separate CISA KEV additions throughout the month — F5 BIG-IP, Citrix NetScaler, and Active Directory — and security teams are managing a substantial patching backlog entering April. This analysis cuts through the volume to identify where to focus.
Active Directory Privilege Escalation CVE-2026-25177 Added to CISA KEV — Domain Admin Risk via SPN Abuse
CVE-2026-25177, a privilege escalation vulnerability in Active Directory Domain Services patched in March's Patch Tuesday, has been added to CISA's Known Exploited Vulnerabilities catalogue. An authenticated attacker with low-privileged domain credentials can exploit improper SPN and UPN name validation to escalate to domain administrator level. The KEV addition confirms in-the-wild exploitation approximately three weeks after patching was available.
Qilin Ransomware Posts Record 131 Victims in March — Third Consecutive Month Above 100
Qilin ransomware posted 131 confirmed victims in March 2026, its highest monthly total since emerging as a major ransomware-as-a-service operation. This marks three consecutive months above 100 victims — a sustained tempo that no tracked ransomware group has previously achieved. Healthcare, manufacturing, and professional services bear the heaviest burden, with the US accounting for half of all March ransomware victims across all groups.
CISA Publishes Dual ICS Advisories Covering Critical Flaws in Rockwell and Siemens OT Products
CISA released two industrial control system advisories on 31 March — ICSA-26-090-01 and ICSA-26-090-02 — covering critical and high-severity vulnerabilities in Rockwell Automation ControlLogix and Siemens SIMATIC S7 products. The advisories follow a pattern of stepped-up CISA ICS disclosure activity in March and arrive against a backdrop of active Iranian-affiliated targeting of operational technology environments.
F5 BIG-IP APM Vulnerability Reclassified as Critical RCE — CISA Mandates Three-Day Patch Window
A vulnerability in F5 BIG-IP Access Policy Manager initially classed as denial-of-service has been reclassified as critical remote code execution with CVSS 9.8 after active exploitation was confirmed. CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalogue on 27 March and set a three-day patch deadline for federal agencies. All organisations running BIG-IP APM should treat this as an emergency.
Langflow RCE CVE-2026-33017 Exploited Within 20 Hours, Added to CISA KEV
A critical unauthenticated remote code execution vulnerability in Langflow AI pipeline builder was exploited in the wild within 20 hours of disclosure, with attackers harvesting API keys for OpenAI, Anthropic, and AWS from compromised instances. CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalogue on 26 March, making patching mandatory for US federal agencies.
TeamPCP Backdoors LiteLLM on PyPI — AI Gateway Package With 3 Million Daily Downloads Compromised
The LiteLLM Python package — a widely-deployed AI gateway library with three million daily downloads — was backdoored on PyPI on 24 March by threat actor TeamPCP. Malicious versions 1.82.7 and 1.82.8 deployed a three-stage payload stealing cloud credentials, Kubernetes secrets, and CI/CD tokens from any system that installed the package during a 40-minute window.
Ubiquiti UniFi CVSS 10 Path Traversal CVE-2026-22557 Enables Full Account Takeover
Ubiquiti disclosed a maximum-severity path traversal vulnerability in the UniFi Network Application that allows unauthenticated attackers to read arbitrary files from the underlying OS and take over controller accounts with no credentials required. Censys identified approximately 87,000 internet-exposed UniFi endpoints at time of disclosure. The vulnerability is frequently chained with a companion NoSQL injection flaw for full administrative access.
NIST Updates DNS Security Guidance SP 800-81-3 — What Changed and Why It Matters Now
NIST released an updated edition of Special Publication 800-81, its foundational guidance on securing the Domain Name System, as DNS-based attacks and abuse techniques have evolved significantly since the previous version. The new SP 800-81-3 expands coverage of DNS-over-HTTPS, DNSSEC deployment best practices, DNS-based threat detection, and resilience against cache poisoning variants. Security teams should use this revision to audit current DNS architecture against current recommendations.
Cyberattack Hits European Commission Europa Web Platform — Data Taken From Hosted Websites
The European Commission confirmed on 27 March that a cyberattack struck the cloud infrastructure hosting the Europa web platform on 24 March 2026, with early forensic findings indicating data was exfiltrated from affected websites. The Commission operates hundreds of websites across the europa.eu domain hosting EU policy documents, consultation portals, and public databases. The incident is under investigation.
MongoBleed CVE-2025-14847: 87,000 Exposed MongoDB Instances Under Active Attack, Memory Leaking Credentials
CVE-2025-14847, named MongoBleed, is an unauthenticated memory disclosure vulnerability in MongoDB Server that allows attackers to read uninitialized heap memory from any internet-exposed instance. With 87,000 potentially vulnerable deployments globally and CISA KEV inclusion confirmed, active exploitation campaigns are targeting MongoDB instances to extract credentials, API keys, and sensitive data cached in server memory. The fix has been available since December 2025.
German Police Physically Visit Companies to Warn of Critical PTC Windchill RCE — No Patch Available
A critical unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM — industrial PLM software used across manufacturing, aerospace, and defence — prompted German federal and state police to physically dispatch officers to affected companies on the weekend of 27 March. No patch was available at time of the emergency response. PTC has provided a temporary workaround via Apache/IIS rule modification while developing a permanent fix.
Qilin Claims ASB Saarland Attack — 72 GB Stolen From German Humanitarian Organisation
Qilin ransomware claimed responsibility for a cyberattack against ASB Saarland, a German humanitarian and social services organisation, alleging theft of 72 GB of data including employee records, applicant data, health-related information, and client data. The attack continues Qilin's record-breaking March 2026 activity, during which the group claimed 131 victims — their highest monthly total — driven by wide deployment of BYOVD techniques to defeat endpoint detection.
Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Patch — Root Access on Enterprise Firewalls
Cisco's Firepower Management Center (FMC) contains a CVSS 10.0 deserialization vulnerability that Interlock ransomware was exploiting as a zero-day for 36 days before Cisco disclosed or patched it. CVE-2026-20131 allows unauthenticated remote attackers to execute arbitrary Java code as root on any internet-exposed FMC appliance. Cisco patched the flaw on 4 March 2026, but unpatched appliances remain under active ransomware targeting.
UAC-0255 Impersonates CERT-UA to Target Ukrainian Government, Healthcare, and Finance
Russian-linked threat actor UAC-0255 launched a targeted phishing campaign on 26–27 March posing as CERT-UA, Ukraine's national computer emergency response team, to deliver malware to state organisations, medical centres, financial institutions, and software development companies. The campaign uses CERT-UA brand authority to lower recipient suspicion of archive attachments containing remote access implants.
ShinyHunters Claims Infinite Campus Breach — 11 Million Student Records at Risk
Infinite Campus, the K-12 student information system used by over 3,200 school districts across 46 US states, has warned customers of a security incident after ShinyHunters claimed to have stolen data via a Salesforce ticketing system compromise on 18 March. The company confirmed the attack lasted 38 minutes and primarily exposed school staff contact details, asserting no student database access occurred — but the threat actor's extortion deadline has passed without resolution.
React2Shell CVE-2025-55182: China-Nexus Groups Exploit Max-Severity Next.js Flaw Across 30+ Organisations
CVE-2025-55182 (React2Shell), a maximum-severity unauthenticated remote code execution vulnerability in React Server Components and Next.js, is being actively exploited by China-state-affiliated threat groups and financially motivated actors simultaneously. Palo Alto Networks has confirmed over 30 organisations breached and 77,000 internet-exposed vulnerable instances, with attackers systematically harvesting AWS credentials, database connection strings, and SSH keys from compromised web infrastructure.
Craft CMS CVSS 10 Code Injection CVE-2025-32432 Added to CISA KEV
CISA added CVE-2025-32432, a maximum-severity code injection vulnerability in Craft CMS, to its Known Exploited Vulnerabilities catalogue on 20 March 2026. The flaw allows unauthenticated remote attackers to execute arbitrary code on any publicly accessible Craft CMS installation. Exploitation has been ongoing since at least February 2025 and the Mimo threat actor has been actively using it to deploy cryptocurrency miners and residential proxy malware.
Trivy Security Scanner Hijacked — 75 GitHub Action Tags Redirected to Credential Stealer
The widely-used Aqua Security Trivy vulnerability scanner was compromised in a supply chain attack that replaced 75 version tags in the official trivy-action and setup-trivy GitHub Actions with credential-stealing malware. Threat actor TeamPCP leveraged non-atomic secret rotation to retain access after an initial February compromise, launching a second attack wave on 19 March. Any CI/CD pipeline that ran trivy-action or setup-trivy during the compromise window may have had cloud credentials, API tokens, and SSH keys exfiltrated.
DarkSword Apple Exploit Chain Adds Three CVEs to CISA KEV — Federal Deadline April 3
CISA has added three vulnerabilities from the DarkSword iOS/macOS exploit chain to its Known Exploited Vulnerabilities catalogue, mandating federal agencies patch all Apple devices by 3 April. DarkSword is a multi-stage attack framework linking six chained vulnerabilities to achieve full kernel compromise across iOS, iPadOS, macOS, watchOS, and tvOS — with no user interaction required beyond visiting a malicious webpage.
Ivanti EPM Authentication Bypass CVE-2026-1603 Exploited — Federal Patch Deadline Today
CISA added CVE-2026-1603, an authentication bypass in Ivanti Endpoint Manager, to the Known Exploited Vulnerabilities catalogue on 9 March with a federal agency patch deadline of 23 March. The flaw allows unauthenticated attackers to bypass authentication entirely and steal Domain Administrator password hashes and service account credentials from EPM's credential vault.
VMware Aria Operations CVE-2026-22719 — CISA KEV With Federal Deadline Tomorrow
CISA has added CVE-2026-22719, a command injection vulnerability in VMware Aria Operations, to the Known Exploited Vulnerabilities catalogue with a federal agency patch deadline of 24 March. The flaw allows unauthenticated remote attackers to execute arbitrary commands on the management infrastructure and was patched by Broadcom in February — but active exploitation has been confirmed before many organisations applied the fix.
Google Patches Two Actively Exploited Chrome Zero-Days — CISA Orders Federal Agencies to Update by 27 March
Google released an emergency Chrome update on 13 March addressing two zero-day vulnerabilities — an out-of-bounds write in Skia and a V8 sandbox escape — both confirmed as exploited in the wild. CISA added both to the Known Exploited Vulnerabilities catalogue the same day with a 27 March federal remediation deadline.
China-Nexus UNC6201 Exploits Dell RecoverPoint CVSS 10.0 Flaw to Deploy BRICKSTORM Backdoors
A hardcoded credentials vulnerability in Dell RecoverPoint data replication appliances (CVE-2026-22769, CVSS 10.0) has been exploited since mid-2024 by the China-nexus threat cluster UNC6201, who use access to deploy BRICKSTORM and GRIMBOLT backdoors via a SLAYSTYLE web shell. CISA added the vulnerability to the KEV catalogue in February. Organisations running Dell RecoverPoint should patch immediately and hunt for indicators of compromise.
Qualcomm Android Flaw CVE-2026-21385 Exploited in Targeted Attacks — Patch in March Android Security Update
A memory corruption vulnerability in Qualcomm mobile chipset firmware has been confirmed as exploited in limited, targeted attacks. The flaw is addressed in the March 2026 Android Security Bulletin, which patches 129 vulnerabilities across the Android ecosystem. CISA added CVE-2026-21385 to the Known Exploited Vulnerabilities catalogue on 3 March with a 24 March federal deadline.