Weekly Threat Landscape Digest – Week 13

1. Apple Releases Security Updates Addressing Multiple High-Risk Vulnerabilities

Apple has released comprehensive security updates across its ecosystem, including iOS, iPadOS, macOS, Safari, and other platforms. The updates address multiple vulnerabilities ranging from information disclosure and denial-of-service (DoS) to critical issues such as kernel memory corruption, sandbox escape, and WebKit-based attacks. Successful exploitation could allow attackers to compromise devices via malicious apps, crafted web content, or privileged network access.

Technical Details / Key Points:

• Critical WebKit flaws: 
  • CSP bypass, Same-Origin Policy bypass, XSS, sandbox escape 
  • Exploitable via malicious websites 
• Kernel vulnerabilities (High Risk): 
  • Memory corruption, use-after-free, kernel state leakage 
  • Potential for privilege escalation and full device compromise 
• Network & Telephony: 
  • 802.1X interception (privileged network position required) 
  • Baseband and telephony-related DoS and memory corruption issues 
• Privacy & Data Exposure: 
  • Clipboard, iCloud, Siri, Mail vulnerabilities leaking sensitive data 
  • App enumeration and user fingerprinting risks 
• Authentication & Access: 
  • Biometric bypass via passcode (physical access required) 
  • Unauthorized Keychain access 
• Third-party components affected: 
  • curl and ImageIO vulnerabilities leading to data leakage and crashes 

Impact:

• Remote exploitation via malicious websites or apps 
• Privilege escalation and sandbox escape 
• Exposure of sensitive user and system data 
• Device crashes and denial-of-service conditions 

Recommendations:

• Immediately update all Apple devices to the latest OS versions 
• Prioritize patching corporate and internet-facing devices 
• Avoid accessing untrusted websites or installing unknown apps 
• Enforce patch compliance via MDM solutions 

Reference:
• https://support.apple.com/en-us/100100

2. GitLab Releases Security Updates Addressing Multiple Vulnerabilities

GitLab has released security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing multiple vulnerabilities including high-severity issues. Successful exploitation could lead to authentication bypass, unauthorized actions, sensitive data exposure, execution of malicious scripts, or denial-of-service (DoS) conditions.

Technical Details / Key Points:

• High Severity Vulnerabilities: 
  • CVE-2026-2370 – Improper parameter handling in Jira Connect installations (CVSS 8.1) 
  • CVE-2026-3857 – CSRF in GraphQL API (CVSS 8.1) 
  • CVE-2026-2995 – HTML Injection in vulnerability reports (EE only) (CVSS 7.7) 
  • CVE-2026-3988 – DoS in GraphQL API (CVSS 7.5) 
• Medium Severity Vulnerabilities: 
  • Access control issues in WebAuthn 2FA and GraphQL queries 
  • DoS in CI configuration and webhook processing 
  • XSS in Mermaid renderer 
  • Access control flaws in Merge Requests and GraphQL API 
• Low Severity: 
  • Authorization caching issue (EE only) 
• Affected Components: 
  • GraphQL API heavily targeted (CSRF, DoS, access control issues) 
  • CI/CD pipelines and webhook configurations 
  • Authentication mechanisms (2FA, access controls) 
• Fixed Versions: 
  • GitLab CE/EE: 18.10.1, 18.9.3, 18.8.7 

Impact:

• Authentication bypass and unauthorized access 
• Execution of malicious scripts (XSS/HTML injection) 
• Exposure of sensitive data 
• Service disruption via DoS attacks 
• Risk to CI/CD pipelines and DevOps environments 

Recommendations:

• Immediately update GitLab instances to the latest patched versions 
• Restrict access to GraphQL API and monitor suspicious queries 
• Review access controls, especially for 2FA and Merge Requests 
• Monitor CI/CD pipelines and webhook configurations for anomalies 
• Apply security best practices for DevOps environments 

Reference:
• https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/

3. Actively Exploited RCE Vulnerability in Langflow

Langflow is affected by a critical unauthenticated remote code execution (RCE) vulnerability (CVE-2026-33017) that is actively being exploited. The flaw allows attackers to execute arbitrary code remotely without authentication, leading to full system compromise.

Technical Details / Key Points:

• CVE-2026-33017 (Critical – CVSS 9.3) 
• Vulnerable endpoint: /api/v1/build_public_tmp/{flow_id}/flow 
• Root cause: Execution of attacker-controlled input via Python exec() without authentication or sandboxing 
• Attack Characteristics: 
  • Remote exploitation over network 
  • No authentication required 
  • No user interaction required 
• CWE Mapping: 
  • CWE-94: Code Injection 
  • CWE-95: Improper Neutralization in Dynamically Evaluated Code 
  • CWE-306: Missing Authentication 
• Affected Versions: ≤ 1.8.1 
• Patched Version: ≥ 1.9.0 
• Distinct from previous CVE-2025-3248 (different endpoint, previously patched) 

Impact:

• Full remote code execution on affected systems 
• Complete system compromise 
• Data exfiltration and unauthorized access 
• Lateral movement within internal networks 
• High risk for exposed or internet-facing deployments 

Recommendations:

• Immediately upgrade Langflow to version 1.9.0 or later 
• Restrict public access to Langflow instances 
• Implement network-level controls (WAF, firewall rules) 
• Monitor for suspicious requests targeting vulnerable endpoints 
• If patching is not possible, isolate affected systems immediately 

Reference:
• https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx

4. Critical Vulnerability in NVIDIA Apex Enables Remote Code Execution

NVIDIA Apex for Linux is affected by a critical vulnerability (CVE-2025-33244) that could allow attackers to execute arbitrary code and compromise affected systems, particularly in environments using vulnerable PyTorch versions.

Technical Details / Key Points:

• CVE-2025-33244 (Critical – CVSS 9.0) 
• Root cause: Improper deserialization of untrusted data 
• Affected Environment: 
  • NVIDIA Apex on Linux 
  • PyTorch versions earlier than 2.6 
• Attack Impact: 
  • Remote code execution 
  • Privilege escalation 
  • Data tampering and unauthorized access 
  • Denial-of-service (DoS) conditions 
• Affected Versions: 
  • All versions not including commit db8e053 
• Fix / Mitigation: 
  • Update codebase to include commit db8e053 
  • Upgrade PyTorch to version 2.6 or later 

Impact:

• Full system compromise in AI/ML environments 
• Unauthorized access to sensitive data 
• Disruption of machine learning workloads 
• Increased risk in GPU-based and AI infrastructure 

Recommendations:

• Upgrade PyTorch to version 2.6 or later immediately 
• Apply patches including commit db8e053 
• Avoid loading untrusted serialized data 
• Restrict access to ML environments and training pipelines 
• Monitor systems for abnormal execution or privilege escalation 

Reference:
• https://nvidia.custhelp.com/app/answers/detail/a_id/5782

5. Cisco Releases Security Updates Addressing Critical and High-Severity Vulnerabilities

Cisco has released multiple security advisories addressing critical and high-severity vulnerabilities affecting widely deployed products including IOS, IOS XE, ASA, Secure Firewall Threat Defense (FTD), and FMC.

Technical Details / Key Points:

• Critical Vulnerability (RCE – FMC): 
  • CVE-2026-20131 – Remote Code Execution (CVSS 10.0) 
  • Affects Cisco Secure Firewall Management Center 
  • Root cause: Deserialization of untrusted data 
• High Severity Vulnerabilities: 
  • CVE-2026-20012 – IKEv2 DoS (memory leak) 
  • CVE-2026-20084 – DHCP Snooping DoS (resource exhaustion) 
  • CVE-2026-20125 – HTTP Server DoS 
  • CVE-2026-20004 – TLS memory exhaustion DoS 
  • CVE-2026-20086 – CAPWAP DoS (Wireless Controllers) 
• Medium Severity: 
  • CVE-2026-20104 – Secure Boot bypass vulnerability 
• Affected Products: 
  • Cisco IOS, IOS XE 
  • Cisco ASA, Secure Firewall FTD 
  • Catalyst 9000 Series Switches 
  • Wireless Controllers (CW9800) 
  • Firewall Management Center (FMC) 
• Attack Impact: 
  • Remote code execution (critical risk) 
  • Denial-of-service affecting network availability 
  • Security control bypass (secure boot) 
  • Potential disruption of enterprise network operations 

Impact:

• Full compromise of firewall management systems (FMC) 
• Network outages due to multiple DoS vectors 
• Reduced integrity of network devices (secure boot bypass) 
• Increased risk across enterprise and critical infrastructure environments 

Recommendations:

• Immediately apply Cisco security updates and patches 
• Prioritize patching FMC systems due to critical RCE risk 
• Restrict external access to management interfaces 
• Monitor network devices for abnormal traffic or crashes 
• Implement network segmentation and access controls 

Reference:
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-saasa-ftd-ios-dos-kPEpQGGK
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sabootp-WuBhNBxA
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-saios-http-dos-sbv8XRpL
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-saiosxe-tls-dos-TVgLDEZL
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sawlc-dos-hnX5KGOm
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-saxe-secureboot-bypass-B6uYxYSZ
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-safmc-rce-NKhnULJh

6. High-Severity Firmware Vulnerability in Insyde BIOS SMM Affects HP Systems

HP systems using InsydeH20 UEFI firmware are affected by a high-severity vulnerability (CVE-2025-10451) in System Management Mode (SMM), which could allow privileged attackers to execute arbitrary code at the firmware level.

Technical Details / Key Points:

• CVE-2025-10451 (High – CVSS 8.2) 
• Root cause: Improper memory handling in System Management Mode (SMM) 
• SMM Characteristics: 
  • Highly privileged execution layer below the OS 
  • Critical attack surface for persistence and stealth attacks 
• Attack Requirements: 
  • Requires elevated privileges on the system 
• Potential Exploitation Outcomes: 
  • Arbitrary code execution in firmware 
  • Firmware-level persistence (hard to detect/remove) 
  • Bypass of OS-level security controls 
• Affected Systems: 
  • Multiple HP laptop series including: 
    • HP 15, HP 14, HP 240/250/255 G7 series 
    • HP 340/348 G7 and related variants 

Impact:

• Deep system compromise at firmware level 
• Persistent backdoor beyond OS reinstall 
• Bypass of traditional security tools and EDR solutions 
• High risk in enterprise environments with affected devices 

Recommendations:

• Apply HP firmware/BIOS updates immediately 
• Restrict administrative privileges on endpoints 
• Monitor for suspicious privilege escalation activity 
• Validate firmware integrity in critical systems 
• Follow vendor advisory for complete affected product list 

Reference:
• https://support.hp.com/us-en/document/ish_14547790-14547813-16/hpsbhf04103

7. Google Chrome Security Updates Address Multiple High-Severity Vulnerabilities

Google has released security updates for the Google Chrome browser, addressing multiple high-severity vulnerabilities primarily related to memory safety issues. Successful exploitation could allow attackers to execute arbitrary code, crash the browser, or compromise system integrity.

Technical Details / Key Points:

• 8 High-Severity Vulnerabilities Identified: 
  • CVE-2026-4673 – Heap buffer overflow in WebAudio 
  • CVE-2026-4674 – Out-of-bounds read in CSS 
  • CVE-2026-4675 – Heap buffer overflow in WebGL 
  • CVE-2026-4676 – Use-after-free in Dawn 
  • CVE-2026-4677 – Out-of-bounds read in WebAudio 
  • CVE-2026-4678 – Use-after-free in WebGPU 
  • CVE-2026-4679 – Integer overflow in Fonts 
  • CVE-2026-4680 – Use-after-free in FedCM 
• Vulnerability Types: 
  • Use-after-free (memory corruption) 
  • Heap buffer overflow 
  • Integer overflow 
  • Out-of-bounds read 
• Attack Vector: 
  • Exploitation via malicious web pages 
  • Triggered when users visit specially crafted websites 
• Fixed Versions: 
  • Chrome 146.0.7680.164 (Linux) 
  • Chrome 146.0.7680.164 / 165 (Windows/Mac) 

Impact:

• Remote code execution via browser exploitation 
• Browser crashes and denial-of-service 
• Potential compromise of user systems 
• High risk for users browsing untrusted or malicious websites 

Recommendations:

• Immediately update Google Chrome to the latest version 
• Enable automatic browser updates 
• Avoid visiting untrusted or suspicious websites 
• Use endpoint protection and browser isolation where applicable 

Reference:
• https://chromereleases.googleblog.com/

8. Mozilla Releases Security Updates Addressing Multiple High-Severity Vulnerabilities

Mozilla has released security updates for Firefox, Firefox ESR, and Thunderbird to address multiple high-severity vulnerabilities. Exploitation of these flaws could result in remote code execution, sandbox escape, and other significant security risks.

Technical Details / Key Points:

• Multiple High-Severity Vulnerabilities Identified: 
  • Use-after-free and race condition issues in WebRender 
  • Boundary condition flaws in Canvas2D, Graphics, Audio/Video components 
  • Sandbox escape vulnerabilities in Telemetry, Accessibility APIs, XPCOM, and Responsive Design Mode 
  • Integer overflow and memory corruption issues across multiple components 
  • JIT miscompilation in JavaScript engine 
  • Multiple memory safety bugs 
• Key Affected Components: 
  • Graphics (WebRender, Canvas2D) 
  • JavaScript Engine (JIT) 
  • XPCOM and Telemetry 
  • CSS Parsing and Layout (Text/Fonts) 
  • Audio/Video playback and Web Codecs 
• Attack Vector: 
  • Exploitation via malicious or crafted web content 
  • Triggered when users browse compromised or attacker-controlled websites 
• Fixed Versions: 
  • Firefox 149 
  • Firefox ESR 115.34 
  • Firefox ESR 140.9 

Impact:

• Remote code execution through browser exploitation 
• Sandbox escape leading to system-level compromise 
• Browser crashes and instability 
• Exposure to malicious web-based attacks 

Recommendations:

• Immediately update Firefox, Firefox ESR, and Thunderbird to the latest versions 
• Enable automatic updates for browsers 
• Avoid visiting untrusted or suspicious websites 
• Deploy endpoint protection and browser security controls 

Reference:
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-21/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/

9. Active Exploitation of Quest KACE SMA Authentication Bypass Vulnerability

Quest Software KACE Systems Management Appliance (SMA) is affected by a critical authentication bypass vulnerability (CVE-2025-32975) that is actively being exploited in the wild. Attackers are leveraging this flaw to gain unauthorized administrative access and fully compromise targeted environments.

Technical Details / Key Points:

• CVE-2025-32975 (Critical – CVSS 10.0) 
• Vulnerability Type: Authentication Bypass 
• Affects: Quest KACE Systems Management Appliance (SMA) 
• Observed Attack Chain: 
  • Initial Access: 
    • Exploitation of authentication bypass in exposed SMA instances 
    • Unauthorized impersonation of legitimate users 
  • Execution & Payload Delivery: 
    • Remote command execution via curl 
    • Download of Base64-encoded payloads from attacker-controlled server (216.126.225[.]156) 
  • Persistence Mechanisms: 
    • Creation of new administrative accounts 
    • Abuse of runkbot.exe (legitimate SMA agent process) 
    • Registry modifications via PowerShell 
  • Post-Exploitation: 
    • Credential dumping using Mimikatz 
    • Network reconnaissance (user/admin enumeration, net commands) 
    • Lateral movement via RDP 
    • Targeting backup systems (Veeam, Veritas) and domain controllers 
• Patched Versions: 
  • 13.0.385 
  • 13.1.81 
  • 13.2.183 
  • 14.0.341 (Patch 5) 
  • 14.1.101 (Patch 4) 

Impact:

• Full administrative takeover of SMA systems 
• Remote command execution and malware deployment 
• Credential theft and lateral movement across networks 
• Targeting of critical infrastructure such as backups and domain controllers 

Recommendations:

• Immediately update SMA systems to the latest patched versions 
• Remove SMA instances from direct internet exposure 
• Place systems behind VPN or zero-trust access controls 
• Monitor for suspicious account creation and command execution 
• Investigate for indicators of compromise in exposed systems 

Reference:
• https://arcticwolf.com/resources/blog/cve-2025-32975/

10. Supply Chain Compromise of LiteLLM via TeamPCP Campaign

A sophisticated supply chain attack attributed to the TeamPCP threat actor has compromised the LiteLLM Python package (versions 1.82.7 and 1.82.8), distributed via PyPI. The malicious packages introduce a multi-stage payload enabling credential theft, Kubernetes compromise, lateral movement, and persistent backdoor installation. Any environment that installed these versions should be treated as fully compromised. 

Technical Details / Key Points:

• Affected Versions: 
  • LiteLLM 1.82.7 and 1.82.8 (malicious, removed from PyPI) 
• Attack Vector: 
  • Likely via compromised CI/CD pipelines (Trivy integration) 
  • Automatic execution without user interaction 
• Multi-Stage Attack Chain: 
  • Stage 1 – Credential Harvesting: 
    • Targets SSH keys, cloud credentials, Kubernetes secrets, .env files, crypto wallets 
    • Data exfiltration to: models.litellm[.]cloud 
  • Stage 2 – Kubernetes Lateral Movement: 
    • Uses service account tokens 
    • Deploys privileged pods (node-setup-*) across cluster nodes 
    • Gains host-level access via chroot 
  • Stage 3 – Persistence Mechanism: 
    • Installs systemd service: sysmon.service 
    • Executes: ~/.config/sysmon/sysmon.py 
    • Beaconing to: checkmarx[.]zone/raw 
• Execution Mechanisms: 
  • v1.82.7: Malicious code triggered on module import 
  • v1.82.8: .pth file ensures execution on every Python startup 
• Key IOCs: 
  • Domains: models.litellm.cloud, checkmarx.zone 
  • Files: /tmp/pglog, ~/.config/sysmon/, .pth payloads 
  • Kubernetes: rogue pods (node-setup-*) 
  • Exfiltration file: tpcp.tar.gz 

Impact:

• Full compromise of developer and production environments 
• Theft of credentials, secrets, and sensitive data 
• Kubernetes cluster takeover and lateral movement 
• Persistent backdoor installation across systems 
• High risk to CI/CD pipelines and cloud infrastructure 

Recommendations:

• Immediately remove affected LiteLLM versions and downgrade to safe versions 
• Treat all impacted systems as compromised and isolate them 
• Remove persistence mechanisms and malicious files 
• Rotate all credentials (SSH, cloud, API tokens, Kubernetes secrets) 
• Inspect Kubernetes clusters for rogue pods and unauthorized activity 
• Block malicious domains and review historical connections 
• Rebuild CI/CD pipelines from trusted sources and validate dependencies 

Reference:
• https://research.jfrog.com/post/litellm-compromised-teampcp/

11. Critical Vulnerability in ConnectWise ScreenConnect Enables Session Hijacking

ConnectWise ScreenConnect is affected by a critical vulnerability (CVE-2026-3564) that could allow attackers to gain unauthorized access by exploiting weaknesses in cryptographic key handling and session authentication.

Technical Details / Key Points:

• CVE-2026-3564 (Critical – CVSS 9.0) 
• Root cause: Improper protection and verification of cryptographic signatures 
• Machine keys stored insecurely in server configuration files 
• Attack Method: 
  • Extraction of machine keys from configuration files 
  • Forging or hijacking authenticated sessions 
• Affected Versions: 
  • ScreenConnect versions prior to 26.1 
• Fix Implemented: 
  • Version 26.1 introduces encrypted key storage and improved key management 

Impact:

• Unauthorized access to ScreenConnect sessions 
• Session hijacking and impersonation of legitimate users 
• Exposure of sensitive data 
• Potential full system compromise depending on access level 

Recommendations:

• Immediately upgrade to ScreenConnect version 26.1 or later 
• Secure access to configuration files and restrict permissions 
• Rotate cryptographic keys if compromise is suspected 
• Monitor for abnormal session activity or unauthorized access 
• Apply security best practices for remote access tools 

Reference:
• https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin

12. Multiple Vulnerabilities in NetScaler ADC and NetScaler Gateway

Citrix NetScaler ADC and NetScaler Gateway are affected by multiple vulnerabilities that could impact confidentiality, integrity, and availability of systems. These include a critical memory overread vulnerability and a high-severity session handling flaw.

Technical Details / Key Points:

• CVE-2026-3055 (Critical – CVSS 9.3) 
  • Insufficient input validation leading to memory overread 
  • Allows remote attackers to access sensitive information 
• CVE-2026-4368 (High – CVSS 7.7) 
  • Race condition vulnerability 
  • May result in user session mix-up and unauthorized access 
• Affected Versions: 
  • NetScaler ADC/Gateway 14.1 before 14.1-66.59 
  • NetScaler ADC/Gateway 13.1 before 13.1-62.23 
  • NetScaler ADC FIPS/NDcPP before 13.1-37.262 
  • Specific versions of 14.1-66.54 affected by session issue 
• Fixed Versions: 
  • 14.1-66.59 and later 
  • 13.1-62.23 and later 
  • 13.1-37.262 (FIPS/NDcPP) and later 

Impact:

• Exposure of sensitive data through memory overread 
• Unauthorized access due to session mix-up 
• Potential system instability and disruption 
• Risk to enterprise remote access and application delivery environments 

Recommendations:

• Immediately update NetScaler ADC and Gateway to patched versions 
• Restrict access to management and gateway interfaces 
• Monitor for abnormal session behavior or unauthorized access 
• Apply vendor-recommended mitigations and security configurations 

Reference:
• https://support.citrix.com/external/article/CTX696300

13. Critical Vulnerability in WAGO Managed Switches Allows Full Device Compromise

WAGO managed switches are affected by a critical vulnerability (CVE-2026-3587) that allows unauthenticated attackers to gain full administrative control over affected devices.

Technical Details / Key Points:

• CVE-2026-3587 (Critical – CVSS 10.0) 
• Root cause: Undocumented functionality in device firmware 
• Attack Method: 
  • Exploitation of undocumented CLI function 
  • Bypass of authentication and security restrictions 
• Access Level: 
  • No authentication required 
  • Remote exploitation possible 
• Affected Devices: 
  • Multiple WAGO Lean and Industrial Managed Switch models 
  • Includes 852-1812, 852-1813, 852-1816, 852-303, 852-1305, 852-1505, 852-602, 852-603, 852-1605 series 
• Fixed Versions: 
  • Firmware updates available per model (e.g., V1.2.x, V1.0.x series) 

Impact:

• Complete takeover of network switches 
• Unauthorized control over network traffic 
• Potential disruption of industrial and operational environments 
• Increased risk of lateral movement within internal networks 

Recommendations:

• Immediately update affected devices to latest firmware versions 
• Restrict remote access to network infrastructure devices 
• Segment industrial and critical networks 
• Monitor for unauthorized access or configuration changes 
• Follow vendor advisory for full list of affected models 

Reference:
• https://www.tenable.com/cve/CVE-2026-3587

14. Atlassian Releases Security Updates Addressing Multiple High-Severity Vulnerabilities

Atlassian has released its March 2026 Security Bulletin addressing multiple high-severity vulnerabilities across several products. These vulnerabilities could allow remote code execution (RCE), path traversal, file inclusion, denial-of-service (DoS), and cross-site scripting (XSS), potentially leading to system compromise or service disruption.

Technical Details / Key Points:

• Bamboo Data Center & Server: 
  • CVE-2026-21570 – Remote Code Execution (CVSS 8.6) 
  • CVE-2025-68493 – Missing XML validation (Apache Struts) 
  • CVE-2025-64775 – Denial-of-Service 
• Bitbucket Data Center & Server: 
  • CVE-2022-25883 – DoS via semver dependency 
• Confluence Data Center & Server: 
  • CVE-2025-64756 – OS Command Injection 
• Crowd Data Center & Server: 
  • Multiple DOM-based XSS vulnerabilities 
  • DoS via axios dependency 
• Fisheye / Crucible: 
  • DoS via nimbus-jose-jwt dependency 
• Jira Software & Jira Service Management: 
  • Path Traversal and File Inclusion (node-tar dependency) 
  • Multiple DoS vulnerabilities via dependencies 
• Key Risk Areas: 
  • Third-party dependency vulnerabilities (Apache Struts, node-tar, axios, etc.) 
  • File handling and path validation flaws 
  • Input validation and XSS issues 
• Fixed Versions: 
  • Multiple patched versions across Bamboo, Bitbucket, Confluence, Crowd, Jira, and Fisheye products 

Impact:

• Remote code execution and system compromise 
• Unauthorized file access and data exposure 
• Service disruption due to DoS attacks 
• Exploitation through vulnerable dependencies in enterprise tools 

Recommendations:

• Immediately update all Atlassian products to latest patched versions 
• Audit third-party dependencies used within environments 
• Restrict external access to Atlassian services 
• Monitor logs for suspicious activity and exploitation attempts 
• Apply secure configuration and access control policies 

Reference:
• https://confluence.atlassian.com/security/security-bulletin-march-17-2026-1721271371.html

15. Critical RCE Vulnerability in Oracle Identity Manager and Web Services Manager

Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM) are affected by a critical vulnerability (CVE-2026-21992) that allows unauthenticated remote code execution over HTTP, posing a significant risk to affected environments.

Technical Details / Key Points:

• CVE-2026-21992 (Critical – CVSS 9.8) 
• Attack Vector: Network (HTTP) 
• Authentication Required: None 
• Vulnerability Type: 
  • Remote Code Execution (RCE) 
• Affected Products: 
  • Oracle Identity Manager: 
    • 12.2.1.4.0 
    • 14.1.2.1.0 
  • Oracle Web Services Manager: 
    • 12.2.1.4.0 
    • 14.1.2.1.0 
• Attack Characteristics: 
  • Exploitable remotely without credentials 
  • Low complexity, high impact 
  • Can be triggered via crafted HTTP requests 

Impact:

• Full system compromise 
• Unauthorized access to enterprise identity systems 
• Potential takeover of authentication and access management infrastructure 
• High risk for internet-facing or exposed Oracle environments 

Recommendations:

• Immediately apply Oracle security patches 
• Verify patch deployment across all environments 
• Restrict external access to Oracle services 
• Monitor for suspicious HTTP requests and abnormal activity 
• Conduct security review of identity and access management systems 

Reference:
• https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

16. Critical Unpatched RCE Vulnerability in GNU InetUtils Telnetd

GNU InetUtils telnetd is affected by a critical vulnerability (CVE-2026-32746) that allows unauthenticated remote code execution during the Telnet session negotiation phase. The flaw is currently unpatched, increasing the risk to exposed systems.

Technical Details / Key Points:

• CVE-2026-32746 (Critical – CVSS 9.8) 
• Root cause: Improper bounds checking in TELNET LINEMODE SLC option 
• Attack Method: 
  • Exploitation during initial Telnet handshake 
  • Malicious SLC suboption triggers buffer overflow 
• Attack Characteristics: 
  • No authentication required 
  • No user interaction required 
  • Single connection to TCP port 23 sufficient 
  • Executes with root privileges 
• Affected Systems: 
  • GNU InetUtils telnetd (all versions up to 2.7) 
  • Linux distributions (Debian, Ubuntu, RHEL, SUSE) 
  • Embedded/IoT devices using Telnet 
  • ICS/OT environments 
  • Any system exposing TCP port 23 
• Patch Status: 
  • No official patch currently available 
  • Patch expected (as per advisory timeline) 

Impact:

• Remote code execution with root privileges 
• Full system compromise 
• High risk for legacy and exposed Telnet environments 
• Potential lateral movement within internal networks 

Recommendations:

• Immediately disable Telnet service if not required 
• Block or restrict TCP port 23 at network level 
• Avoid running telnetd with root privileges 
• Restrict access to trusted/internal IPs only 
• Replace Telnet with secure alternatives (SSH) 
• Monitor for suspicious Telnet traffic and connections 
• Apply vendor patches immediately once available 

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2026-32746
• https://dreamgroup.com/vulnerability-advisory-pre-auth-remote-code-execution-via-buffer-overflow-in-telnetd-linemode-slc-handler/#

17. Critical Vulnerability in Synology DiskStation Manager (DSM) via Telnetd Component

Synology DiskStation Manager (DSM) is affected by a critical vulnerability (CVE-2026-32746) in the GNU Inetutils telnetd component, allowing unauthenticated remote code execution and potential full system compromise.

Technical Details / Key Points:

• CVE-2026-32746 (Critical – CVSS 9.8) 
• CWE-120: Buffer overflow due to lack of bounds checking 
• Root cause: Out-of-bounds write in LINEMODE SLC handler (add_slc function) 
• Attack Method: 
  • Exploitation during Telnet session negotiation 
  • No authentication required 
  • Remote code execution via crafted input 
• Affected Systems: 
  • DSM versions using vulnerable GNU Inetutils telnetd (≤ 2.7) 
• Fixed Versions: 
  • DSM 7.3 → 7.3.2-86009-3 or later 
  • DSM 7.2.2 → 7.2.2-72806-8 or later 
  • DSM 7.2.1 → 7.2.1-69057-11 or later 
  • DSMUC 3.1 → Fix in progress 

Impact:

• Remote code execution without authentication 
• Full compromise of NAS devices 
• Exposure of stored data and backups 
• Potential lateral movement within internal networks 

Recommendations:

• Immediately upgrade DSM to the latest patched versions 
• Disable Telnet service via Control Panel → Terminal settings 
• Restrict access to NAS devices from external networks 
• Monitor for suspicious Telnet activity 
• Replace Telnet with secure alternatives where possible 

Reference:
• https://www.synology.com/en-global/security/advisory/Synology_SA_26_03

18. Critical Vulnerability in QNAP QVR Pro Allows Unauthorized Remote Access

QNAP QVR Pro is affected by a critical vulnerability (CVE-2026-22898) caused by missing authentication controls, allowing unauthenticated remote attackers to gain unauthorized access to affected systems.

Technical Details / Key Points:

• CVE-2026-22898 (Critical) 
• Vulnerability Type: Missing authentication for critical function 
• Attack Method: 
  • Remote exploitation without authentication 
  • Direct access to sensitive system functionality 
• Affected Product: 
  • QVR Pro 2.7.x 
• Fixed Version: 
  • QVR Pro 2.7.4.1485 and later 

Impact:

• Unauthorized access to surveillance systems 
• Potential compromise of video data and recordings 
• Loss of control over monitoring infrastructure 
• Increased risk in enterprise and security-sensitive environments 

Recommendations:

• Immediately upgrade QVR Pro to the latest patched version 
• Restrict external access to surveillance systems 
• Monitor for unauthorized access attempts 
• Apply strong authentication and network segmentation 
• Follow vendor advisory for additional mitigation steps 

Reference:
• https://www.qnap.com/en/security-advisory/qsa-26-07

19. Actively Exploited Vulnerabilities in Apple Products Linked to DarkSword Exploit Kit

Apple products are affected by multiple high-severity vulnerabilities that are actively being exploited in the wild. These vulnerabilities are associated with the DarkSword exploit kit and are leveraged in watering hole attacks to achieve remote code execution, privilege escalation, and data compromise.

Technical Details / Key Points:

• Actively Exploited Vulnerabilities: 
  • CVE-2025-31277 – WebKit memory corruption leading to remote code execution 
  • CVE-2025-43510 – Kernel memory corruption enabling privilege escalation 
  • CVE-2025-43520 – Kernel memory corruption allowing arbitrary code execution 
• Attack Vector: 
  • Maliciously crafted web content 
  • Watering hole attacks targeting users via trusted websites 
• Exploit Framework: 
  • DarkSword exploit kit used by multiple threat actors 
  • Enables deployment of advanced malware with persistence and data theft capabilities 
• Affected Platforms: 
  • iOS, iPadOS, macOS, Safari 
  • watchOS, tvOS, visionOS 

Impact:

• Remote code execution via browser exploitation 
• Privilege escalation to kernel level 
• Deployment of advanced malware and persistent backdoors 
• Theft of sensitive data from compromised devices 

Recommendations:

• Immediately update all Apple devices to latest versions 
• Enable automatic updates 
• Avoid visiting untrusted or suspicious websites 
• Monitor systems for abnormal behavior or indicators of compromise 
• Implement endpoint protection and network monitoring controls 

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2025-31277
• https://nvd.nist.gov/vuln/detail/CVE-2025-43510
• https://nvd.nist.gov/vuln/detail/CVE-2025-43520
• https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain

20. Actively Exploited RCE Vulnerability in Livewire

Livewire is affected by a critical remote code execution vulnerability (CVE-2025-54068) that is actively being exploited in the wild. The flaw allows unauthenticated attackers to execute arbitrary commands on affected systems without user interaction.

Technical Details / Key Points:

• CVE-2025-54068 (Critical – CVSS 9.2) 
• Vulnerability Type: Remote Code Execution (RCE) 
• Root Cause: 
  • Improper handling of component property update hydration in Livewire v3 
• Attack Characteristics: 
  • Network-based exploitation 
  • No authentication required 
  • No user interaction required 
• Affected Package: 
  • livewire/livewire (Composer) 
• Affected Versions: 
  • ≥ 3.0.0-beta.1 and < 3.6.3 
• Patched Version: 
  • ≥ 3.6.4 

Impact:

• Remote code execution on web applications 
• Full compromise of application servers 
• Unauthorized access and data manipulation 
• High risk for publicly exposed Laravel applications 

Recommendations:

• Immediately upgrade Livewire to version 3.6.4 or later 
• Audit applications using Livewire v3 for exposure 
• Restrict external access to vulnerable endpoints 
• Monitor for suspicious requests and command execution 
• Apply web application firewall (WAF) protections where possible 

Reference:
• https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3

21. Railway PaaS Abuse in Microsoft 365 Token Replay Phishing Campaign

Threat actors are abusing Railway PaaS infrastructure to conduct a large-scale Microsoft 365 device code phishing campaign, leveraging token replay techniques to maintain persistent access to compromised accounts across hundreds of organizations. 

Technical Details / Key Points:

• Attack Technique: 
  • OAuth Device Code Phishing (no password bypass required) 
  • Victims enter attacker-generated device codes on legitimate Microsoft login page 
• Infrastructure Abuse: 
  • Railway PaaS used to host token harvesting and replay infrastructure 
  • Clean cloud IP reputation helps bypass Microsoft risk detection 
• Associated Threat Platform: 
  • EvilTokens (Phishing-as-a-Service) 
  • Includes AI-assisted phishing, credential harvesting, and email targeting 
• Attack Flow: 
  • Phishing email → multi-hop redirect chain → fake landing page 
  • Victim enters device code → attacker receives OAuth tokens 
  • Tokens reused for persistent access (even after password reset) 
• Persistence Mechanism: 
  • Refresh tokens valid up to 90 days 
  • Automated token refresh via scripts (BAV2ROPC) 
• Infrastructure & Evasion: 
  • Abuse of Cloudflare workers.dev, Vercel, AWS, and compromised websites 
  • URL wrapping using Cisco, Mimecast, Trend Micro links 
  • AI-generated phishing lures (DocuSign, RFP, voicemail, etc.) 
• Key Indicators: 
  • Railway IP ranges: 
    • 162.220.232.0/22 
    • 162.220.234.0/22 
  • Suspicious User-Agent patterns and automated login behavior 

Impact:

• Persistent unauthorized access to Microsoft 365 accounts 
• Bypass of MFA protections via legitimate authentication flow 
• Data exfiltration, email compromise, and financial fraud 
• High risk across enterprise environments and critical sectors 

Recommendations:

• Block Railway IP ranges via Conditional Access 
• Revoke all refresh tokens for affected users immediately 
• Disable or restrict device code authentication flows 
• Enable Continuous Access Evaluation (CAE) 
• Monitor sign-in logs for suspicious IPs and token usage 
• Train users on device code phishing techniques 
• Deploy identity threat detection and response solutions 

Reference:
• https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign

22. WebRTC-Based Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites

A new payment skimmer campaign leverages WebRTC data channels to bypass traditional security controls and exfiltrate sensitive payment data from compromised e-commerce platforms, marking a significant evolution in web-based attacks.

Technical Details / Key Points:

• Attack Technique: 
  • Skimmer uses WebRTC DataChannels instead of HTTP/HTTPS 
  • Bypasses Content Security Policy (CSP) protections 
• Initial Exploitation Vector: 
  • PolyShell vulnerability in Magento Open Source and Adobe Commerce 
  • Unauthenticated file upload via REST API → remote code execution 
• Payload Behavior: 
  • Establishes WebRTC connection to attacker IP: 202.181.177[.]177 (UDP 3479) 
  • Downloads malicious JavaScript payload 
  • Injects script into web page to capture payment details 
• Evasion Capabilities: 
  • Uses DTLS-encrypted UDP (not HTTP) 
  • Avoids detection by traditional network monitoring tools 
  • CSP bypass (no HTTP requests involved) 
• PolyShell Vulnerability Details: 
  • Root cause: Improper validation in ImageProcessor::processImageContent() 
  • Allows upload of polyglot files (valid image + malicious code) 
  • Exploited via endpoint:
    /rest/default/V1/guest-carts/{cart_id}/items 
• Exposure Conditions: 
  • Misconfigured servers (missing .htaccess or improper Nginx rules) 
  • Public access to /pub/media/custom_options/ directory 
• Threat Activity: 
  • Mass exploitation observed since March 19, 2026 
  • Over 50 IPs scanning 
  • ~56.7% of vulnerable stores impacted 

Impact:

• Theft of payment card data from customers 
• Undetected data exfiltration bypassing CSP and network controls 
• Full compromise of e-commerce platforms 
• Financial fraud and reputational damage 

Recommendations:

• Apply latest Magento/Adobe Commerce patches (≥ 2.4.9-beta1) 
• Block access to /pub/media/custom_options/ directory 
• Validate web server configurations (Nginx/Apache security rules) 
• Monitor for WebRTC traffic anomalies 
• Scan systems for web shells and injected scripts 
• Implement runtime application security and WAF protections 

Reference:
• https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html

23. Pawn Storm APT Campaign Deploys PRISMEX Malware Targeting Government and Critical Infrastructure

The Russia-aligned APT group Pawn Storm (APT28 / Fancy Bear) is conducting a sophisticated cyber espionage campaign targeting government, defense supply chains, and critical infrastructure using a new malware framework called PRISMEX. 

Technical Details / Key Points:

• Threat Actor: 
  • Pawn Storm (APT28 / Fancy Bear / Forest Blizzard) 
• Malware Framework: 
  • PRISMEX (multi-stage modular malware) 
  • Components: 
    • PrismexDrop (dropper) 
    • PrismexLoader (steganography loader) 
    • PrismexStager (C2 implant via Covenant framework) 
• Key Techniques: 
  • Steganography (payload hidden in PNG images) 
  • COM hijacking for persistence 
  • Fileless execution in memory 
  • Abuse of legitimate cloud services (Filen.io) for C2 
• Exploited Vulnerabilities: 
  • CVE-2026-21509 – Microsoft Office OLE bypass (initial access) 
  • CVE-2026-21513 – MSHTML zero-day (privilege bypass & execution) 
• Attack Chain: 
  • Spear-phishing email → malicious RTF document 
  • OLE exploit triggers WebDAV request → downloads malicious LNK 
  • LNK executes payload (potential zero-day exploit) 
  • Payload deployed via steganographic images → executed in memory 
• Evasion Techniques: 
  • Execution inside trusted process (explorer.exe) 
  • No file artifacts (fileless malware) 
  • Encrypted C2 via legitimate cloud platforms 
  • Advanced obfuscation and anti-analysis techniques 
• Targeted Sectors: 
  • Ukrainian government and defense supply chain 
  • NATO logistics hubs (Poland, Romania, Slovakia, etc.) 
  • Military, transport, meteorological, and humanitarian sectors 

Impact:

• Cyber espionage and intelligence collection 
• Potential sabotage capabilities (including wiper functionality) 
• Compromise of critical infrastructure and supply chains 
• Long-term persistence and lateral movement in targeted networks 

Recommendations:

• Immediately patch Microsoft Office and Windows systems 
• Block macro execution and restrict OLE object usage 
• Monitor for COM hijacking and abnormal DLL loading 
• Restrict access to unapproved cloud storage services 
• Enable advanced endpoint detection and behavioral monitoring 
• Conduct threat hunting for fileless malware and unusual process activity 

Reference:
• https://www.trendmicro.com/tr_tr/research/26/c/pawn-storm-targets-govt-infra.html