Weekly Threat Landscape Digest – Week 14

Week 14 reflected an increasingly aggressive threat landscape marked by critical vulnerabilities in widely used enterprise applications, network appliances, mobile platforms, and software supply chains. Major risks included remote code execution, command injection, path traversal, denial-of-service, and credential theft, while recent campaigns demonstrated attackers leveraging trusted services, phishing lures, and compromised development ecosystems to bypass traditional defenses. Organizations should prioritize immediate patching of affected systems, restrict administrative access, strengthen email and endpoint protections, monitor for indicators of compromise, and maintain continuous threat intelligence and incident response preparedness.
- Critical Arbitrary Command Execution Vulnerability in Cisco Smart Software Manager On-Prem
A critical vulnerability in Cisco Smart Software Manager On-Prem could allow unauthenticated remote attackers to execute arbitrary commands with root privileges, leading to complete system compromise.
Technical Details / Key Points:
• CVE ID: CVE-2026-20160
• CVSS Score: 9.8 (Critical)
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• Advisory ID: cisco-sa-ssm-cli-execution-cHUcWuNr
• CWE: CWE-668 – Exposure of Resource to Wrong Sphere
• Attack Type: Unauthenticated Remote Command Execution
• Cause: Exposure of an internal service allows attackers to interact with a vulnerable API endpoint
• Successful exploitation may result in root-level command execution
• Affected Product: Cisco Smart Software Manager On-Prem (SSM On-Prem)
• Affected Versions: 9-202502 to 9-202510
• Fixed Version: 9-202601 and later
• Versions earlier than 9-202502 are not vulnerable
Impact:
• Attackers may gain root-level access and fully compromise the affected system
• May result in unauthorized access, malware deployment, lateral movement, data theft, and service disruption
Recommendations:
• Upgrade Cisco Smart Software Manager On-Prem to version 9-202601 or later immediately
• Restrict access to the management interface and vulnerable API endpoint
• Review logs and monitor for suspicious activity or exploitation attempts
- Critical Authentication Bypass Vulnerability in Cisco Integrated Management Controller (IMC)
A critical vulnerability in Cisco Integrated Management Controller (IMC) could allow unauthenticated remote attackers to bypass authentication and gain full administrative access to affected systems.
Technical Details / Key Points:
• CVE ID: CVE-2026-20093
• CVSS Score: 9.8 (Critical)
• CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• CWE: CWE-20 – Improper Input Validation
• Attack Type: Authentication Bypass / Unauthorized Password Reset
• Root Cause: Improper validation of password change requests and lack of authentication enforcement
• Attackers can send a crafted HTTP request to the password change endpoint and reset administrator credentials
• Successful exploitation may allow full authentication bypass and administrative access
- Affected Products:
• Cisco 5000 Series ENCS
• Cisco Catalyst 8300 Series Edge uCPE
• Cisco UCS C-Series M5 and M6 (standalone mode)
• Cisco UCS E-Series M3 and M6
• Cisco appliances with exposed IMC UI, including APIC, Catalyst Center, CSPC, CMX, HyperFlex, Nexus Dashboard, Prime Infrastructure, Secure Firewall Management Center, Secure Network Analytics, and Secure Workload
- Not Affected:
• UCS B-Series Blade Servers
• UCS C-Series M7 and M8 standalone servers
• UCS C-Series with Fabric Interconnects in UCS Manager or IMM
• UCS S-Series, UCS X-Series, and Unified Edge
- Fixed Versions:
• UCS C-Series M5: 4.3(2.260007)
• UCS C-Series M6: 4.3(6.260017) or 6.0(1.250174)
• UCS E-Series M3: 3.2.17
• UCS E-Series M6: 4.15.3
• Cisco NFVIS Catalyst 8300 uCPE: 4.18.3
• Cisco 5000 Series ENCS NFVIS: 4.15.5
Impact:
• Attackers may gain full administrative access without authentication
• Could lead to unauthorized password changes, device takeover, data exposure, and service disruption
Recommendations:
• Upgrade all affected systems to the Cisco-recommended fixed releases immediately
• Apply NFVIS, HUU, or ISO firmware updates where required
• Restrict access to IMC interfaces and monitor for unauthorized password changes or suspicious HTTP requests
Reference:
- Google Chrome Security Updates Address Actively Exploited Zero-Day
Google has released Chrome security updates to address 21 vulnerabilities, including an actively exploited zero-day that could allow remote code execution and system compromise through malicious web content.
Technical Details / Key Points:
• Actively Exploited CVE: CVE-2026-5281
• Severity: High | Attack Type: Use-After-Free / Remote Code Execution
• CVE-2026-5281 affects the Dawn WebGPU component and may allow drive-by exploitation via a crafted web page
• Successful exploitation could result in remote code execution, sandbox escape, and full system compromise
- Other High-Severity Vulnerabilities Fixed:
• CVE-2026-5273 – Use-after-free in CSS
• CVE-2026-5272 – Heap buffer overflow in GPU
• CVE-2026-5274 – Integer overflow in Codecs
• CVE-2026-5275 – Heap buffer overflow in ANGLE
• CVE-2026-5276 – Insufficient policy enforcement in WebUSB
• CVE-2026-5277 – Integer overflow in ANGLE
• CVE-2026-5278 – Use-after-free in Web MIDI
• CVE-2026-5279 – Object corruption in V8
• CVE-2026-5280 – Use-after-free in WebCodecs
• CVE-2026-5282 – Out-of-bounds read in WebCodecs
• CVE-2026-5283 – Inappropriate implementation in ANGLE
• CVE-2026-5284 – Use-after-free in Dawn
• CVE-2026-5285 – Use-after-free in WebGL
• CVE-2026-5286 – Use-after-free in Dawn
• CVE-2026-5287 – Use-after-free in PDF
• CVE-2026-5288 – Use-after-free in WebView
• CVE-2026-5289 – Use-after-free in Navigation
• CVE-2026-5290 – Use-after-free in Compositing
- Medium-Severity Vulnerabilities:
• CVE-2026-5291 – Inappropriate implementation in WebGL
• CVE-2026-5292 – Out-of-bounds read in WebCodecs
- Fixed Versions:
• Chrome 146.0.7680.177/178 for Windows and macOS
• Chrome 146.0.7680.177 for Linux
Impact:
• Attackers may exploit malicious web pages to execute code, escape the browser sandbox, or compromise systems
• Unpatched systems are at increased risk due to active exploitation of CVE-2026-5281 in the wild
Recommendations:
• Update Google Chrome to version 146.0.7680.177/178 or later immediately
• Prioritize patching systems exposed to untrusted web content and monitor for suspicious browser activity
Reference:
- Critical Zero-Click Vulnerability in Telegram
A critical zero-click vulnerability has been identified in Telegram that could allow remote attackers to compromise devices without any user interaction.
Technical Details / Key Points:
• Vulnerability ID: ZDI-CAN-30207
• CVSS Score: 9.8 (Critical)
• CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• Attack Type: Zero-Click Remote Device Compromise
• The vulnerability allows remote, unauthenticated attackers to compromise Telegram users without clicking links, opening files, or interacting with content
• The flaw is exploitable over the internet and does not require a Telegram account or prior access
• Exploitation complexity is low and may enable targeted surveillance, espionage, remote code execution, or complete device compromise
• The issue is reported to affect Telegram clients across mobile, desktop, and web platforms that have not been updated
Impact:
• Attackers may gain unauthorized access to affected devices with no user interaction required
• Successful exploitation may lead to data theft, account compromise, surveillance, malware deployment, and loss of system availability
Recommendations:
• Enable automatic updates for all Telegram mobile, desktop, and web clients
• Restrict who can message you to contacts only and disable media from unknown users
• Disable automatic media downloads, limit group invitations, and avoid unknown public groups or bots
• Monitor official Telegram announcements and apply patches immediately when released
Reference:
- NVIDIA Security Updates Address Multiple High-Severity Vulnerabilities
NVIDIA has released security updates for BioNeMo Framework and Jetson/IGX platforms to address multiple vulnerabilities that could allow remote code execution, privilege escalation, data tampering, and denial-of-service.
Technical Details / Key Points:
- CVE-2026-24164 | High Severity | Attack Type: Unsafe Deserialization / Remote Code Execution
- CVE-2026-24165 | High Severity | Attack Type: Unsafe Deserialization / Remote Code Execution
• CVE-2026-24164 and CVE-2026-24165 affect the BioNeMo Framework and may allow arbitrary code execution, denial-of-service, information disclosure, and data tampering
• Affected Product: BioNeMo Framework on Linux
• Affected Versions: All versions that do not include commit e5e58c8
• Fixed Version: Any release containing commit e5e58c8 or later
- CVE-2026-24148 | High Severity | Attack Type: Insecure Initialization
• Affects Jetson devices and may allow information disclosure, data tampering, and partial denial-of-service due to default configuration issues
- CVE-2026-24154 | High Severity | Attack Type: Privilege Escalation / Command Injection
• A vulnerability in the initrd component may allow attackers with physical access to inject malicious command-line arguments, leading to code execution and privilege escalation
- CVE-2026-24153 | Medium Severity | Attack Type: Information Disclosure
• The nvluks trusted application is not disabled and may allow unauthorized access to sensitive information
- Affected Jetson / IGX Products:
• Jetson Xavier Series
• Jetson Orin Series
• Jetson Thor
- Affected Jetson Linux Versions:
• Versions prior to 35.6.4
• Versions prior to 36.5
• Version 38.2
- Fixed Versions:
• Jetson Linux 35.6.4 or later
• Jetson Linux 36.5 or later
• Jetson Linux 38.4
Impact:
• Successful exploitation may allow attackers to execute code, escalate privileges, disclose sensitive information, tamper with data, or cause denial-of-service
• Unpatched Jetson and BioNeMo systems may be at risk of compromise, particularly in environments with physical or shared system access
Recommendations:
• Update BioNeMo Framework to a version including commit e5e58c8 or later
• Upgrade Jetson and IGX devices to Jetson Linux 35.6.4, 36.5, 38.4, or later
• Restrict physical access to affected systems and monitor for unauthorized configuration changes
Reference:
- DoS Vulnerability in TP-Link TL-WR841N Router
A high-severity vulnerability has been identified in the UPnP component of the TP-Link TL-WR841N router that could allow attackers to crash the service and cause a denial-of-service condition.
Technical Details / Key Points:
• CVE ID: CVE-2026-3622
• CVSS Score: 7.1 (High)
• CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
• Attack Type: Out-of-Bounds Read / Denial-of-Service
• The vulnerability is caused by improper input validation in the UPnP component
• Successful exploitation may trigger an out-of-bounds read and crash the UPnP service
• Affected Product: TP-Link TL-WR841N Router Hardware Version v14
• Affected Component: UPnP (Universal Plug and Play)
- Affected Firmware Versions:
• EN Firmware earlier than EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303)
• US Firmware earlier than US_0.9.1.4.19 Build 260312 Rel.49108n (V14_0304)
- Fixed Versions:
• EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303) or later
• US_0.9.1.4.19 Build 260312 Rel.49108n (V14_0304) or later
Impact:
• An attacker on an adjacent network (the vector is AV:A, so in practice the LAN or Wi-Fi side where UPnP listens, not the internet) may crash the UPnP service and disrupt router functionality
• Successful exploitation may result in denial-of-service and temporary loss of network connectivity
Recommendations:
• Upgrade TP-Link TL-WR841N v14 routers to the latest firmware immediately
• Disable UPnP if it is not required to reduce the attack surface and prevent exploitation
Reference:
- Critical and High-Severity Vulnerabilities in Grafana
Grafana Labs has released urgent patches for two vulnerabilities that could allow remote code execution and denial-of-service in affected Grafana instances.
Technical Details / Key Points:
- CVE-2026-27876
• CVSS Score: 9.1 (Critical)
• Attack Type: Arbitrary File Write / Remote Code Execution
• The vulnerability may allow attackers to write arbitrary files and achieve remote code execution
• Affected Versions: Grafana 11.6.0 and later
- CVE-2026-27880
• CVSS Score: 7.5 (High)
• Attack Type: Unauthenticated Denial-of-Service / Memory Exhaustion
• The vulnerability allows unauthenticated attackers to crash Grafana instances by exhausting system memory
• Affected Versions: Grafana 12.1.0 and later
- Patched Versions:
• 12.4.2
• 12.3.6
• 12.2.8
• 12.1.10
• 11.6.14
Impact:
• CVE-2026-27876 may allow attackers to execute arbitrary code and fully compromise affected Grafana servers
• CVE-2026-27880 may cause Grafana instances to become unavailable, resulting in service disruption and monitoring outages
Recommendations:
• Upgrade Grafana immediately to one of the patched versions
• Restrict external access to Grafana instances and monitor for suspicious file writes or abnormal memory usage
Reference:
- Critical Vulnerability in HPE Telco Network Function Virtualization Orchestrator
A critical vulnerability has been identified in HPE Telco Network Function Virtualization Orchestrator that could allow remote attackers to compromise affected systems.
Technical Details / Key Points:
• CVE ID: CVE-2025-12543
• CVSS Score: 9.6 (Critical)
• CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
• Attack Type: Remote System Compromise
• The vulnerability may be exploited remotely through multiple attack vectors and could allow attackers to compromise affected systems
• Affected Product: HPE Telco Network Function Virtualization Orchestrator
• Affected Versions: Version 7.5.0 and earlier
• Fixed Version: HPE Telco Network Function Virtualization Orchestrator 7.5.1 and later
Impact:
• Successful exploitation may allow attackers to gain unauthorized access and compromise the affected orchestration platform
• May lead to exposure of sensitive information, manipulation of orchestrated services, and disruption of network operations
Recommendations:
• Upgrade HPE Telco Network Function Virtualization Orchestrator to version 7.5.1 or later immediately
• Restrict access to management interfaces and monitor systems for suspicious activity or exploitation attempts
Reference:
- Multiple Vulnerabilities in ISC BIND 9
Multiple vulnerabilities have been identified in ISC BIND 9 that could allow access control bypass, denial-of-service, and unexpected DNS service crashes in affected environments.
Technical Details / Key Points:
- CVE-2026-3591
• Severity: Medium
• Attack Type: Access Control List Bypass / Use-After-Return
• A stack use-after-return vulnerability in SIG(0) signed query handling may allow attackers to bypass ACL restrictions and gain unauthorized access
- CVE-2026-1519
• Severity: High
• Attack Type: CPU Resource Exhaustion / Denial-of-Service
• Affects DNS resolvers performing DNSSEC validation
• Attackers may use malicious zones with excessive NSEC3 iterations to cause high CPU usage and degraded performance
- CVE-2026-3119
• Severity: Medium
• Attack Type: Service Crash / Denial-of-Service
• A flaw in TKEY query processing may cause the BIND named service to terminate unexpectedly when trusted TSIG keys are configured
- Affected Versions:
• BIND 9.11.0 to 9.16.50
• BIND 9.18.0 to 9.18.46
• BIND 9.20.0 to 9.20.20
• BIND 9.21.0 to 9.21.19
- Fixed Versions:
• BIND 9.18.47
• BIND 9.20.21
• BIND 9.21.20
• No fixed release is listed for the 9.11 to 9.16 branches; servers still on those versions should move to a supported branch
Impact:
• Attackers may bypass access controls, exhaust CPU resources, or crash DNS services
• Successful exploitation may result in unauthorized access, degraded DNS performance, or DNS outages affecting business operations
Recommendations:
• Upgrade ISC BIND 9 to versions 9.18.47, 9.20.21, 9.21.20, or later immediately
• Apply ISC-provided mitigations and review DNSSEC, ACL, and TSIG configurations for unnecessary exposure
Reference:
- Multiple Vulnerabilities in F5 NGINX
Multiple high-severity vulnerabilities have been identified in F5 NGINX Plus and NGINX Open Source that could allow unauthenticated attackers to cause denial-of-service, crash worker processes, or potentially execute arbitrary code.
Technical Details / Key Points:
- CVE-2026-27654
• Severity: High
• Attack Type: Buffer Overflow / Path Traversal
• A vulnerability in ngx_http_dav_module may allow attackers to crash NGINX worker processes or manipulate file paths outside the document root when using MOVE or COPY methods with alias directives
- CVE-2026-27784
• Severity: High
• Attack Type: Buffer Over-Read / Denial-of-Service
• Affects 32-bit NGINX Open Source systems and may be triggered by a specially crafted MP4 file, resulting in memory corruption and service disruption
- CVE-2026-32647
• Severity: High
• Attack Type: Memory Corruption / Potential Remote Code Execution
• A vulnerability in the MP4 module may allow buffer over-read or overwrite operations, causing worker process termination or possible arbitrary code execution
- CVE-2026-27651
• Severity: High
• Attack Type: Denial-of-Service
• A flaw in ngx_mail_auth_http_module may allow unauthenticated attackers to repeatedly crash worker processes when CRAM-MD5 or APOP authentication is enabled
- Affected Products:
• NGINX Plus R32 through R36
• NGINX Open Source 1.0.0 through 1.29.6
• NGINX Open Source legacy versions 0.5.13 through 0.9.7
- Fixed Versions:
• NGINX Plus R36 P3, R35 P2, R32 P5 or later
• NGINX Open Source 1.29.7 or later
• NGINX Open Source legacy branch 1.28.3
Impact:
• Successful exploitation may crash NGINX worker processes, cause denial-of-service, or potentially enable arbitrary code execution
• Affected web servers and applications may experience service outages, unauthorized file access, or system compromise
Recommendations:
• Upgrade NGINX Plus and NGINX Open Source to the latest fixed versions immediately
• Apply F5-provided mitigations and disable unnecessary DAV, MP4, or mail authentication modules if not required
Reference:
- Actively Exploited Critical RCE Vulnerability in F5 BIG-IP APM
A critical vulnerability in F5 BIG-IP Access Policy Manager (APM) is being actively exploited and could allow unauthenticated attackers to execute arbitrary code and fully compromise affected systems.
Technical Details / Key Points:
• CVE ID: CVE-2025-53521
• CVSS v3.1: 9.8 (Critical)
• CVSS v4.0: 9.3 (Critical)
• CWE: CWE-770 – Allocation of Resources Without Limits or Throttling
• Attack Type: Unauthenticated Remote Code Execution
• Affected Component: apmd process in F5 BIG-IP APM
• The vulnerability is triggered through malicious traffic sent to APM-enabled virtual servers with access policies configured
• Initially classified as a Denial-of-Service issue, it is now confirmed to allow full remote code execution and system compromise
• Exploitation is active in the wild and affects appliance-mode deployments
- Affected Versions:
• BIG-IP 17.5.0 to 17.5.1
• BIG-IP 17.1.0 to 17.1.2
• BIG-IP 16.1.0 to 16.1.6
• BIG-IP 15.1.0 to 15.1.10
- Fixed Versions:
• BIG-IP 17.5.1.3
• BIG-IP 17.1.3
• BIG-IP 16.1.6.1
• BIG-IP 15.1.10.8
- Indicators of Compromise:
• Presence of /run/bigtlog.pipe or /run/bigstart.ltm
• Modified /usr/bin/umount or /usr/sbin/httpd files
• Suspicious log entries referencing user “f5hubblelcdadmin” and iControl REST API access
• HTTP 201 responses with CSS content-type used to disguise attacker activity
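The indicators above can be checked mechanically. The script below is an added example written for this digest, not F5 tooling and not part of the advisory: it looks for the listed filesystem artefacts, compares the two named binaries against operator-supplied known-good SHA-256 digests, and scans log lines for the user name, iControl REST access, and the 201/CSS pattern. The log lines it ships with are constructed samples, not real BIG-IP output, and using the /mgmt/ path prefix to recognise iControl REST requests is an assumption.

```python
"""Triage helper for the CVE-2025-53521 indicators (added example, not F5 tooling).

Assumptions not taken from the advisory: known-good digests come from a clean
appliance of the same version, the SAMPLE_LOG lines are constructed, and the
/mgmt/ prefix stands in for "iControl REST API access".
"""
import hashlib
import os
import re
from typing import Dict, List, Tuple

IOC_PATHS = ("/run/bigtlog.pipe", "/run/bigstart.ltm")
IOC_BINARIES = ("/usr/bin/umount", "/usr/sbin/httpd")

LOG_INDICATORS = {
    # User name the advisory associates with attacker activity.
    "f5hubblelcdadmin_user": re.compile(r"\bf5hubblelcdadmin\b"),
    # iControl REST endpoints live under /mgmt/ (assumed marker).
    "icontrol_rest_access": re.compile(r"\s/mgmt/\S*"),
    # HTTP 201 paired with a CSS content type, used to disguise attacker traffic.
    "http_201_css": re.compile(r"\b201\b.*\btext/css\b", re.IGNORECASE),
}


def _under(root: str, path: str) -> str:
    """Map an absolute appliance path onto a staging root (root='/' for a live host)."""
    return os.path.join(root, path.lstrip("/"))


def find_ioc_paths(root: str = "/") -> List[str]:
    """Return the artefact paths from the advisory that exist under root."""
    return [p for p in IOC_PATHS if os.path.exists(_under(root, p))]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_modified_binaries(known_good: Dict[str, str], root: str = "/") -> List[str]:
    """Compare each listed binary with an operator-supplied known-good SHA-256.
    A missing binary is reported as well: a file that has vanished is a finding too."""
    modified = []
    for path in IOC_BINARIES:
        staged = _under(root, path)
        if not os.path.exists(staged) or sha256_file(staged) != known_good.get(path):
            modified.append(path)
    return modified


def scan_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator name, line) for every line that matches an indicator."""
    hits = []
    for line in lines:
        for name, pattern in LOG_INDICATORS.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


# Constructed sample lines (not real BIG-IP log output).
SAMPLE_LOG = [
    "Apr 02 10:14:55 bigip1 httpd: 203.0.113.7 POST /mgmt/tm/util/bash user=f5hubblelcdadmin",
    "Apr 02 10:14:56 bigip1 httpd: 203.0.113.7 GET /style.css 201 text/css",
    "Apr 02 10:15:00 bigip1 httpd: 198.51.100.4 GET /tmui/login.jsp 200 text/html",
]


def triage_sample() -> List[str]:
    """Names of the indicators that fire on the constructed sample log."""
    return sorted({name for name, _ in scan_log_lines(SAMPLE_LOG)})


if __name__ == "__main__":
    print("artefacts present:", find_ioc_paths())
    print("log indicators on sample:", triage_sample())
```

Point it at a staged copy of the filesystem (root=...) when the appliance itself cannot be trusted to report honestly, and treat the result as triage alongside sys-eicheck, which remains the authoritative integrity check for the box.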
Impact:
• Successful exploitation may allow attackers to execute arbitrary commands, maintain persistence, disable security controls, and fully compromise the BIG-IP appliance
• Compromised systems may be used for further attacks, credential theft, traffic interception, or lateral movement
Recommendations:
• Upgrade immediately to BIG-IP 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8, or later
• Review F5 IoCs and audit logs for suspicious activity, especially references to f5hubblelcdadmin, /run/bigtlog.pipe, and modified system binaries
• Run sys-eicheck and validate the integrity of /usr/bin/umount and /usr/sbin/httpd
Reference:
- Multiple Critical Vulnerabilities in Nginx UI
Multiple critical vulnerabilities have been identified in Nginx UI that could allow unauthenticated attackers to gain full administrative control or achieve persistent compromise through tampered backups.
Technical Details / Key Points:
- CVE ID: CVE-2026-33032
• CVSS Score: 9.8 (Critical)
• Attack Type: Authentication Bypass / Unauthenticated Administrative Access
• The /mcp_message endpoint in the Model Context Protocol (MCP) integration is not properly protected
• An empty IP whitelist is treated as “allow all,” allowing any remote attacker to access the endpoint without authentication
• Successful exploitation may allow attackers to invoke MCP tools and fully control Nginx configurations and services
• Affected Product: All versions of Nginx UI
• Fixed Version: No official patch currently available
- CVE ID: CVE-2026-33026
• CVSS Score: 9.4 (Critical)
• Attack Type: Backup Integrity Bypass / Persistent Compromise
• The backup and restore mechanism exposes the AES-256-CBC encryption key and IV to the client
• Attackers may tamper with backup files, recompute integrity values, and restore malicious configurations or backdoors
• The restore process may accept modified backups even when integrity checks fail
• Affected Versions: Nginx UI 2.3.3 and earlier
• Fixed Version: Nginx UI 2.3.4 and later
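The two flaws share a design lesson: a gate that fails open when unconfigured, and an integrity value computed only from material the other side already holds. The Python below is an added example that illustrates both patterns in the shape described above; it is not Nginx UI code. The AES-256-CBC layer is stood in for by an opaque ciphertext byte string because the flaw is in the integrity check, not the cipher, and all function names, field names, and sample values are invented.

```python
"""Fail-open allowlist and client-recomputable integrity (added example, not
Nginx UI code). Ciphertext is treated as opaque bytes; key and IV are
constructed values."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Any, Dict, List, Optional, Tuple


# ---- Pattern 1: an empty allowlist must deny, not admit everyone -----------

def _ip_in_list(client_ip: str, allowlist: List[str]) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


def mcp_allowed_vulnerable(client_ip: str, allowlist: List[str]) -> bool:
    """Fails open: with no entries configured, every remote client passes."""
    if not allowlist:
        return True
    return _ip_in_list(client_ip, allowlist)


def mcp_allowed_hardened(client_ip: str, allowlist: List[str], authenticated: bool) -> bool:
    """Fails closed: the allowlist is an extra gate on top of authentication,
    and an empty list admits nobody from the network."""
    if not authenticated:
        return False
    if not allowlist:
        return False
    return _ip_in_list(client_ip, allowlist)


# ---- Pattern 2: an integrity value the client can recompute ----------------

def seal_vulnerable(ciphertext: bytes, key: bytes, iv: bytes) -> Dict[str, Any]:
    """Hands key and IV to the client next to a digest built only from
    material the client now holds, so the digest proves nothing."""
    digest = hashlib.sha256(key + iv + ciphertext).hexdigest()
    return {"ciphertext": ciphertext, "key": key, "iv": iv, "digest": digest}


def restore_vulnerable(backup: Dict[str, Any]) -> Tuple[bool, bytes]:
    """Verifies the digest, then restores regardless of the result (the
    advisory notes modified backups may be accepted even when checks fail)."""
    expected = hashlib.sha256(backup["key"] + backup["iv"] + backup["ciphertext"]).hexdigest()
    ok = hmac.compare_digest(expected, backup["digest"])
    return ok, backup["ciphertext"]


def tamper_and_recompute(backup: Dict[str, Any], new_ciphertext: bytes) -> Dict[str, Any]:
    """Attacker's move on a downloaded backup: swap the payload and recompute
    the digest with the key and IV the server gave away."""
    forged = dict(backup, ciphertext=new_ciphertext)
    forged["digest"] = hashlib.sha256(forged["key"] + forged["iv"] + new_ciphertext).hexdigest()
    return forged


SERVER_MAC_SECRET = secrets.token_bytes(32)  # generated server-side, never sent to clients


def seal_hardened(ciphertext: bytes, iv: bytes) -> Dict[str, Any]:
    """Encryption key stays on the server; the tag is an HMAC under a secret
    the client never sees, so it cannot be recomputed after tampering."""
    tag = hmac.new(SERVER_MAC_SECRET, iv + ciphertext, hashlib.sha256).hexdigest()
    return {"ciphertext": ciphertext, "iv": iv, "tag": tag}


def restore_hardened(backup: Dict[str, Any]) -> Optional[bytes]:
    """Fail closed: a bad tag means nothing is restored."""
    expected = hmac.new(SERVER_MAC_SECRET, backup["iv"] + backup["ciphertext"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, backup["tag"]):
        return None
    return backup["ciphertext"]


if __name__ == "__main__":
    print(mcp_allowed_vulnerable("203.0.113.9", []))                     # True: anyone is admitted
    print(mcp_allowed_hardened("203.0.113.9", [], authenticated=True))   # False
    key, iv, ct = secrets.token_bytes(32), secrets.token_bytes(16), b"original-config"
    forged = tamper_and_recompute(seal_vulnerable(ct, key, iv), b"backdoored-config")
    print(restore_vulnerable(forged))                                    # (True, b'backdoored-config')
    print(restore_hardened(dict(seal_hardened(ct, iv), ciphertext=b"backdoored-config")))  # None
```

The vulnerable restore still "checks" the digest; the problem is that the check can always be made to pass, and that a failing check does not stop the restore. Both halves of the fix matter: keep the MAC secret off the wire, and refuse to restore on mismatch.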
Impact:
• Attackers may gain unauthorized administrative access, redirect traffic, harvest credentials, or fully compromise the system
• Tampered backups may allow persistent backdoors, arbitrary command execution, and long-term compromise
Recommendations:
• Upgrade Nginx UI to version 2.3.4 or later for CVE-2026-33026
• Restrict access to Nginx UI management interfaces to trusted IPs and environments
• Apply strong authentication, monitor logs for suspicious activity, and verify backup integrity before restoration
• Monitor for vendor updates and apply patches immediately when available for CVE-2026-33032
Reference:
- Critical RCE Vulnerability in Kali Forms WordPress Plugin
A critical vulnerability in the Kali Forms WordPress plugin could allow unauthenticated attackers to execute arbitrary code on affected servers.
Technical Details / Key Points:
• CVE ID: CVE-2026-3584
• CVSS Score: 9.8 (Critical)
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• Attack Type: Unauthenticated Remote Code Execution / Code Injection
• Vulnerability Type: Improper Control of Generation of Code
• Affected Product: Kali Forms – Contact Form & Drag-and-Drop Builder WordPress Plugin
• Affected Versions: 2.4.9 and earlier
• Fixed Version: 2.4.10 and later
• The vulnerability exists in the form_process functionality
• The prepare_post_data function improperly processes user input and maps attacker-controlled values into internal placeholders
• These placeholders are later executed through call_user_func, allowing arbitrary PHP function execution
• No authentication is required, significantly increasing the likelihood of exploitation
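Resolving a callable from submitter-controlled data is the whole bug. The Python below is an added example of that bug class written for this digest, not the plugin's PHP: a form processor that copies a submitted name into a placeholder and later resolves it to a function (getattr/globals lookup plays the role of call_user_func), beside an allowlisted version that stores the function object instead of a name. The field names, handler names, and the attack payload are constructed.

```python
"""Placeholder-to-callable resolution, vulnerable and allowlisted (added example,
not the plugin's code). Field and handler names are invented."""
import builtins
from typing import Any, Callable, Dict


def handler_upper(value: str) -> str:
    return value.upper()


def handler_trim(value: str) -> str:
    return value.strip()


# The only transformations the template is meant to expose.
SAFE_HANDLERS: Dict[str, Callable[[str], str]] = {
    "upper": handler_upper,
    "trim": handler_trim,
}


def prepare_post_data_vulnerable(post: Dict[str, str]) -> Dict[str, Any]:
    """The flaw: the submitter's 'handler' string is copied into the placeholder
    unchanged, so whatever name it carries is what gets called later."""
    return {"callback": post.get("handler", ""), "arg": post.get("value", "")}


def run_placeholder_vulnerable(placeholder: Dict[str, Any]) -> Any:
    """Stand-in for call_user_func($name, $arg): resolve the name, then call it.
    Like PHP's call_user_func, the fallback accepts any function the runtime
    knows, not only the two template handlers."""
    name = placeholder["callback"]
    fn = SAFE_HANDLERS.get(name) or getattr(builtins, name, None) or globals().get(name)
    if not callable(fn):
        raise ValueError(f"unknown callback: {name!r}")
    return fn(placeholder["arg"])


def prepare_post_data_hardened(post: Dict[str, str]) -> Dict[str, Any]:
    """Map the submitted name through a fixed allowlist and store the function
    object itself; no attacker-chosen name ever reaches the call site."""
    name = post.get("handler", "")
    fn = SAFE_HANDLERS.get(name)
    if fn is None:
        raise ValueError(f"handler not allowed: {name!r}")
    return {"callback": fn, "arg": post.get("value", "")}


def run_placeholder_hardened(placeholder: Dict[str, Any]) -> str:
    return placeholder["callback"](placeholder["arg"])


# Constructed submissions: a normal one and an attacker's.
NORMAL_POST = {"handler": "upper", "value": "hello"}
ATTACK_POST = {"handler": "__import__", "value": "os"}  # names a builtin, not a formatter


def demo_vulnerable(post: Dict[str, str]) -> Any:
    return run_placeholder_vulnerable(prepare_post_data_vulnerable(post))


def demo_hardened(post: Dict[str, str]) -> str:
    return run_placeholder_hardened(prepare_post_data_hardened(post))


def hardened_rejects(post: Dict[str, str]) -> bool:
    """True when the allowlisted pipeline refuses the submission."""
    try:
        demo_hardened(post)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_vulnerable(NORMAL_POST))   # HELLO
    print(demo_vulnerable(ATTACK_POST))   # <module 'os' ...>: the submitter chose the function
    print(demo_hardened(NORMAL_POST))     # HELLO
    print(hardened_rejects(ATTACK_POST))  # True
```

The attack payload deliberately names a harmless-to-call builtin so the example runs safely; in PHP the same shape lets a submitter name any defined function, which is why the fix is an allowlist of function objects rather than a filter on names.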
Impact:
• Attackers may execute arbitrary code and gain full control of the affected WordPress server
• Successful exploitation may result in website defacement, malware deployment, data theft, and complete site compromise
Recommendations:
• Upgrade Kali Forms to version 2.4.10 or later immediately
• If immediate patching is not possible, disable the Kali Forms plugin until it can be updated
• Review WordPress logs and monitor for suspicious form submissions or unauthorized changes
Reference:
- Multiple High-Severity Vulnerabilities in Zabbix
Multiple vulnerabilities have been identified in Zabbix Server, Proxy, and API components that could allow authenticated users to access sensitive data, inject commands, or perform SQL injection.
Technical Details / Key Points:
- CVE ID: CVE-2026-23919
• Severity: High
• Attack Type: Information Disclosure / Access Control Bypass
• Insufficient isolation of JavaScript execution contexts may allow non-super administrators to access sensitive data across other hosts
- CVE ID: CVE-2026-23920
• Severity: High
• Attack Type: Command Injection
• Improper regex validation may be bypassed through newline injection, potentially allowing arbitrary command execution
- CVE ID: CVE-2026-23921
• Severity: High
• Attack Type: Blind SQL Injection
• A flaw in the Zabbix API sortfield parameter may allow attackers to exfiltrate data and compromise accounts
- Affected Products:
• Zabbix Server
• Zabbix Proxy
• Zabbix API
- Affected Versions (union across the three CVEs; the per-CVE fixed releases below show where each one was closed):
• 6.0.0 to 6.0.40
• 7.0.0 to 7.0.21
• 7.2.0 to 7.2.14
• 7.4.0 to 7.4.5
- Fixed Versions:
• CVE-2026-23919 fixed in 6.0.41, 7.0.19, 7.2.13, and 7.4.3
• CVE-2026-23920 and CVE-2026-23921 fixed in 7.0.22, 7.2.15, and 7.4.6
Impact:
• Attackers may access sensitive monitoring data, execute arbitrary commands, or compromise user accounts
• Successful exploitation may result in data theft, service disruption, and compromise of the Zabbix environment
Recommendations:
• Upgrade Zabbix Server, Proxy, and API components to the latest fixed versions immediately
• Apply Zabbix-provided mitigations and restrict access to trusted administrators only
• Monitor logs for suspicious API requests, command execution attempts, and abnormal administrative activity
Reference:
- High-Severity Vulnerability in Drupal Automated Logout Module
A cross-site request forgery (CSRF) vulnerability has been identified in the Drupal Automated Logout module. The issue may allow attackers to force users to be logged out without their consent, causing session disruption and potential availability issues.
Technical Details / Key Points:
• CVE ID: CVE-2026-4393
• Severity: Moderately Critical (Drupal security team rating)
• Vulnerability Type: Cross-Site Request Forgery (CSRF)
• The vulnerability exists in the Drupal Automated Logout module, which automatically logs out users after a period of inactivity
• The affected routes are not adequately protected against CSRF attacks
• An attacker can craft a malicious request that forces a logged-in user to be logged out without user interaction
- Affected Versions:
• Automated Logout module versions earlier than 1.7.0
• Automated Logout module versions 2.0.0 through 2.0.1
- Fixed Versions:
• Upgrade 8.x-1.x versions to 8.x-1.7
• Upgrade 2.x versions to 2.0.2
Impact:
• Forced logout of authenticated users
• Disruption of active sessions and user activity
• Potential reduction in service availability and user experience
Recommendations:
• Upgrade the Drupal Automated Logout module to version 8.x-1.7 or 2.0.2 immediately
• Apply Drupal-provided mitigations and ensure all sensitive routes are protected against CSRF
• Monitor for abnormal logout activity or repeated forced session termination attempts
Reference:
- High-Severity Vulnerability in WatchGuard Firebox Fireware OS Web UI
A high-severity path traversal vulnerability has been identified in the Fireware OS Web UI of WatchGuard Firebox devices. The flaw may allow a privileged authenticated attacker to write arbitrary files and potentially execute code with elevated privileges.
Technical Details / Key Points:
• CVE ID: CVE-2026-3987
• Severity: High
• CVSS v4.0 Score: 8.6
• Vulnerability Type: Path Traversal / Arbitrary File Write
• The vulnerability is caused by insufficient input validation in the Fireware OS Web UI
• A privileged authenticated attacker can exploit the flaw to perform path traversal and write arbitrary files on the affected device
• Successful exploitation may lead to remote code execution under an elevated system context
- Affected Products:
• Fireware OS 12.x versions 12.6.1 through 12.11.8
• Fireware OS 2025.1.x versions 2025.1 through 2026.1.2
- Affected Platforms include:
• Firebox T20, T25, T40, T45, T55, T70, T80, T85
• Firebox M270, M290, M370, M390, M470, M570, M590, M670, M690
• Firebox M440, M4600, M4800, M5600, M5800
• Firebox Cloud, Firebox NV5, FireboxV
• Firebox T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
- Fixed Versions:
• Upgrade Fireware OS 12.x to version 12.12 or later
• Upgrade Fireware OS 2025.1.x to version 2026.2 or later
Impact:
• Arbitrary file write on affected Firebox devices
• Potential remote code execution with elevated privileges
• Compromise of confidentiality, integrity, and availability of the affected firewall
Recommendations:
• Upgrade affected Firebox devices to the latest fixed version immediately
• Restrict Web UI access to trusted administrators and internal management networks only
• Review device logs for unexpected file modifications, unusual administrative activity, or signs of exploitation
• Apply WatchGuard-recommended mitigations and hardening measures
Reference:
- Remote DoS Vulnerability in ISC Kea DHCP Server
A high-severity vulnerability has been identified in the Internet Systems Consortium (ISC) Kea DHCP server. The flaw may allow unauthenticated remote attackers to crash DHCP services, leading to disruption of IP address allocation and network availability.
Technical Details / Key Points:
• CVE ID: CVE-2026-3608
• Severity: High (CVSS 7.5)
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• Vulnerability Type: Stack Overflow
• Attack Vector: Network-based
• Authentication Required: None
• User Interaction Required: None
• The vulnerability is caused by a stack overflow condition in the Kea DHCP server
• A remote attacker can send specially crafted network traffic to trigger the flaw and crash the affected service
• Successful exploitation may result in complete denial of service of DHCP functionality
• No active exploitation has been reported at this time
- Affected Versions:
• Kea DHCP 2.6.0 through 2.6.4
• Kea DHCP 3.0.0 through 3.0.2
- Fixed Versions:
• Upgrade Kea 2.6 branch to version 2.6.5
• Upgrade Kea 3.0 branch to version 3.0.3
Impact:
• Crash of DHCP services and interruption of IP address assignment
• Loss of network connectivity for new or renewing clients
• Potential disruption to business operations and critical network services
Recommendations:
• Upgrade affected ISC Kea DHCP servers to the latest patched version immediately
• Restrict exposure of DHCP services to trusted networks only
• Monitor DHCP logs and network traffic for unexpected crashes or malformed requests
• Apply ISC-recommended mitigations if immediate patching is not possible
Reference:
- Apple Security Updates Address DarkSword and Multiple Critical Vulnerabilities
Apple has released iOS 18.7.7 and iPadOS 18.7.7 to address multiple vulnerabilities affecting Kernel, WebKit, Audio, Clipboard, AppleKeyStore, and other system components. The update also adds protection against the DarkSword web exploit delivered through malicious websites.
Technical Details / Key Points:
- Affected Platforms:
• iOS 18.7.7
• iPadOS 18.7.7 - The DarkSword exploit uses malicious web content to target Apple devices through vulnerable WebKit components
• Successful exploitation may result in arbitrary code execution, disclosure of sensitive data, denial-of-service, or system compromise
Critical Vulnerabilities:
- Kernel – CVE-2026-28867, CVE-2026-28868, CVE-2026-20687
• Malicious applications may disclose memory, crash the system, or write to kernel memory - WebKit – CVE-2026-20665, CVE-2026-20643, CVE-2025-43376, CVE-2026-28861, CVE-2026-28871
• Malicious websites may bypass security controls, leak DNS queries, trigger cross-site scripting, or execute arbitrary code remotely
High-Severity Vulnerabilities:
• CVE-2026-28865 – 802.1X
• An attacker in a privileged network position may intercept network traffic
• CVE-2026-20637 – AppleKeyStore
• An application may cause unexpected system termination
• CVE-2026-28879 – Audio
• Specially crafted media files may crash processes
• CVE-2026-28866 – Clipboard
• Applications may access sensitive clipboard data
• CVE-2026-20690 – CoreMedia
• Malicious media may terminate processes unexpectedly
• CVE-2026-28886 – CoreUtils
• A null pointer dereference may cause denial-of-service
• CVE-2026-28878 – Crash Reporter
• Applications may enumerate installed applications
• CVE-2025-14524 – curl
• Sensitive information may be transmitted unintentionally
• CVE-2026-28876 – DeviceLink
• Improper path handling may expose sensitive information
• CVE-2026-20668 – Focus
• Logging issues may expose sensitive information
• CVE-2026-28880 – iCloud
• Applications may enumerate installed applications
• CVE-2026-28864 – Security
• A local attacker may gain access to Keychain items
• CVE-2026-28852 – UIFoundation
• Stack overflow may lead to denial-of-service
• CVE-2026-20657 – Vision
• A crafted file may terminate the affected application
Affected Devices:
• iPhone XR, XS, XS Max
• iPhone 11 through iPhone 16 series
• iPhone SE (2nd and 3rd generation)
• Supported iPad mini, iPad, iPad Air, and iPad Pro models listed by Apple
Impact:
• Remote code execution through malicious web content
• Exposure of sensitive data, Keychain items, clipboard data, and DNS information
• Application crashes, denial-of-service, and potential system compromise
Recommendations:
• Update all affected Apple devices to iOS 18.7.7 and iPadOS 18.7.7 immediately
• Prioritize patching devices exposed to untrusted websites or external networks
• Monitor enterprise-managed devices for signs of exploitation, unexpected crashes, or abnormal browser activity
• Advise users to avoid opening suspicious links or untrusted web content until all devices are updated
Reference:
- Quish Splash QR Code Phishing Campaign Targets 1.6 Million Users
A large-scale QR code phishing campaign named “Quish Splash” targeted more than 1.6 million users by hiding malicious links inside QR code image attachments, allowing the emails to bypass traditional email security controls.
Technical Details / Key Points:
• Attack Type: QR Code Phishing / Credential Theft
• Campaign Name: Quish Splash
• Timeframe: 26 February 2026 to 18 March 2026
• More than 1.6 million phishing emails were distributed in less than three weeks
• Attackers embedded phishing URLs inside BMP image attachments containing QR codes
• The emails bypassed SPF, DKIM, and DMARC checks because the sender domain was properly configured
• Microsoft Defender reportedly failed to detect the malicious emails
• The campaign used the sender identity “Baron Lester” and sent messages related to COVID-19 and RSV research
• The malicious emails originated from the domain iconicdeciphercom and the address covid_info@iconicdeciphercom
• Each recipient received a unique QR code image, making hash-based detection and blocking ineffective
• Attackers also leveraged Out-of-Office replies to confirm valid email addresses and active users
• The campaign occurred in three waves, with the largest phase targeting employees connected to an initially targeted manager
Impact:
• Users scanning the QR code on mobile devices may be redirected to phishing pages and have credentials stolen
• The campaign can bypass traditional email filtering and evade corporate endpoint protection
• Mobile devices outside corporate security controls may be used as an entry point into the organisation
Recommendations:
• Block or closely monitor emails containing QR code image attachments, especially BMP files
• Train users not to scan QR codes received through unsolicited email messages
• Implement mobile device security controls and phishing-resistant MFA
• Monitor for emails from the domain iconicdeciphercom and the address covid_info@iconicdeciphercom
• Review mail filtering policies to inspect embedded QR codes and image attachments for hidden URLs
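Because every recipient in this campaign received a unique QR image, attachment hashes never repeat and a hash blocklist cannot keep up. The triage script below, added here as an example and not code from the digest's source, instead scores structural features that stay constant across the campaign: the sender indicators printed above, a BMP (or any image) attachment, a short body with no clickable URL, and an Authentication-Results header that passed SPF/DKIM/DMARC yet is given no credit. The sample messages, the "image" bytes, the thresholds and the score weights are constructed assumptions.

```python
"""
Structural triage of inbound mail for QR-code ("quishing") lures.

Added example for the Quish Splash item in this digest; not code from the digest's
source. Sender indicators are the ones printed in the item; thresholds, weights,
and the sample messages are constructed assumptions.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as printed in the digest item (kept verbatim, including the stripped dot).
FLAGGED_DOMAINS = {"iconicdeciphercom"}
FLAGGED_ADDRESSES = {"covid_info@iconicdeciphercom"}
BMP_TYPES = {"image/bmp", "image/x-ms-bmp", "image/x-bmp"}
QUARANTINE_THRESHOLD = 3  # assumed policy threshold


def analyze_message(raw_bytes: bytes) -> dict:
    """Score a raw RFC 822 message on features a per-recipient QR image cannot change."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    score, reasons, attachments = 0, [], []
    if sender in FLAGGED_ADDRESSES or domain in FLAGGED_DOMAINS:
        score += 3
        reasons.append("sender matches known campaign indicator")

    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if not ctype.startswith("image/"):
            continue
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(), "content_type": ctype, "size": len(payload),
            # Hash kept for the record only: each recipient gets a unique image,
            # so a hash blocklist would never match the next message.
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
        if ctype in BMP_TYPES:
            score += 2
            reasons.append(f"BMP image attachment {part.get_filename()!r}")
        else:
            score += 1
            reasons.append(f"image attachment {part.get_filename()!r}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if attachments and len(body.strip()) < 200:
        score += 1
        reasons.append("short body carrying an image: typical QR-only lure")
    if attachments and not re.search(r"https?://", body, re.I):
        score += 1
        reasons.append("no clickable URL in body: the link is likely inside the image")

    # The campaign passed SPF/DKIM/DMARC; record that but never let it lower the score.
    auth = str(msg.get("Authentication-Results", ""))
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else ("review" if score else "pass")
    return {"sender": sender, "auth_pass": auth_pass, "attachments": attachments,
            "score": score, "reasons": reasons, "verdict": verdict}


def build_sample(seed: int = 1) -> bytes:
    """Constructed lure modelled on the item; the 'image' is placeholder bytes, not a real QR."""
    msg = EmailMessage()
    msg["From"] = "Baron Lester <covid_info@iconicdeciphercom>"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "COVID-19 and RSV research summary"
    msg["Authentication-Results"] = "mx.example.invalid; spf=pass dkim=pass dmarc=pass"
    msg.set_content("Scan the attached code to open the research summary.")
    fake_bmp = b"BM" + seed.to_bytes(4, "little") + bytes(56)  # differs per recipient
    msg.add_attachment(fake_bmp, maintype="image", subtype="bmp", filename="summary.bmp")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary internal mail used as a control case."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Lunch"
    msg.set_content("See https://intranet.example.invalid/menu for today's menu.")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(1), build_sample(2), build_benign()):
        r = analyze_message(raw)
        print(r["verdict"], r["score"], r["sender"], [a["sha256"][:12] for a in r["attachments"]])
```

Run it and the two lure variants land on the same verdict even though their attachment hashes differ, which is the property a hash-based filter lacks. The weights are deliberately simple; a mail gateway rule would express the same features (sender indicator, image-only body, no URL) in its own policy language.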
Reference:
- Axios Supply Chain Attack via Compromised npm Account Delivering Cross-Platform RAT
A critical supply chain attack has affected the Axios JavaScript package after attackers compromised an npm maintainer account and published malicious package versions containing a cross-platform RAT.
Technical Details / Key Points:
• Attack Type: Software Supply Chain Attack / Remote Access Trojan
• Affected Package: Axios
• Compromised Versions:
• [email protected]
• [email protected]
• Malicious Dependency:
• [email protected]
• Attackers compromised the npm account of Axios maintainer “jasonsaayman” and published malicious versions directly through npm
• The attack bypassed the normal GitHub Actions CI/CD process and injected a malicious dependency into the released package
• The malicious dependency executes automatically during npm install through a postinstall script
• Infection Chain:
• Installation of compromised Axios version
• Automatic execution of malicious setup.js during postinstall
• Download of an operating system-specific payload from a command-and-control server
• Deployment of a RAT on Windows, macOS, or Linux
• Self-deletion and cleanup of malicious traces to evade detection
• Platform-Specific Payloads:
• Windows: Drops a malicious wt.exe and launches a PowerShell-based RAT
• macOS: Drops a trojanized binary in /Library/Caches/com.apple.act.mond
• Linux: Downloads and executes /tmp/ld.py
Impact:
• Full compromise of developer workstations, CI/CD pipelines, build servers, and production environments
• Theft of API keys, tokens, SSH keys, credentials, and environment secrets
• Remote command execution and persistent access across Windows, macOS, and Linux systems
Recommendations:
• Immediately remove [email protected] and [email protected] from all systems
• Downgrade to safe versions:
• [email protected]
• [email protected]
• Delete the malicious dependency [email protected] from node_modules and package-lock files
• Assume compromise if the affected versions were installed and rotate all credentials, API keys, tokens, SSH keys, and environment secrets
• Review CI/CD and package installation logs for unexpected outbound connections or postinstall activity
• Scan systems for malicious files including wt.exe, /Library/Caches/com.apple.act.mond, and /tmp/ld.py
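The two recommendations about lockfiles and postinstall activity can be checked mechanically. The script below is an added example, not code from the digest's source or from the Axios project: it scans a package-lock.json in either the nested v1 layout or the flat v2/v3 "packages" layout for the malicious dependency, and walks node_modules for any package that declares a preinstall, install or postinstall script (the hook through which the digest says setup.js was launched). The plain-crypto-js versions 4.2.0 and 4.2.1 are the ones this digest lists in its UNC1069 attribution item; the sample lockfiles and node_modules tree are constructed, and the axios version in them is a placeholder because the digest does not print the compromised release numbers.

```python
"""
Locate the malicious dependency and install-time hooks described in the Axios item.

Added example; not code from the digest's source or from the Axios project. The
plain-crypto-js versions come from the digest's attribution item; the sample
lockfiles and node_modules tree are constructed, and the axios version in them is
a placeholder because the digest does not print the compromised version numbers.
"""
import json
import os
import tempfile

MALICIOUS_PACKAGES = {"plain-crypto-js": {"4.2.0", "4.2.1"}}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_lockfile(lock: dict) -> list:
    """Return known-bad packages from a package-lock.json, whichever lockfile layout it uses."""
    hits = []

    def check(name, version, where):
        if version in MALICIOUS_PACKAGES.get(name, ()):
            hits.append({"name": name, "version": version, "path": where})

    # lockfileVersion 2/3: flat "packages" map keyed by on-disk path ("" is the project root)
    for path, meta in lock.get("packages", {}).items():
        if path:
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            check(name, meta.get("version", ""), path)

    # lockfileVersion 1: nested "dependencies" tree, so recurse to reach transitive packages
    def walk(deps, prefix):
        for name, meta in deps.items():
            where = f"{prefix}node_modules/{name}"
            check(name, meta.get("version", ""), where)
            walk(meta.get("dependencies", {}), where + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def scan_install_hooks(node_modules: str) -> list:
    """List every package.json under node_modules that declares a script npm runs at install time."""
    found = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                found.append({"package": pkg.get("name", os.path.basename(root)),
                              "version": pkg.get("version", ""),
                              "hook": hook, "command": scripts[hook]})
    return found


# Constructed lockfiles: the axios version is a placeholder, not a real compromised release.
SAMPLE_LOCK_V3 = {
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "dependencies": {"axios": "*"}},
        "node_modules/axios": {"version": "0.0.0-placeholder",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/example-lib": {"version": "1.0.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "0.0.0-placeholder",
                  "dependencies": {"plain-crypto-js": {"version": "4.2.0"}}},
    },
}


def build_sample_tree() -> str:
    """Write a constructed node_modules tree mirroring the infection chain and return its path."""
    base = tempfile.mkdtemp(prefix="nm-scan-")
    nm = os.path.join(base, "node_modules")
    packages = {
        "axios": {"name": "axios", "version": "0.0.0-placeholder"},
        "axios/node_modules/plain-crypto-js": {"name": "plain-crypto-js", "version": "4.2.1",
                                              "scripts": {"postinstall": "node setup.js"}},
        "example-lib": {"name": "example-lib", "version": "1.0.0"},
    }
    for rel, manifest in packages.items():
        pkg_dir = os.path.join(nm, *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return nm


if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK_V3))
    print(scan_lockfile(SAMPLE_LOCK_V1))
    print(scan_install_hooks(build_sample_tree()))
```

The install-hook scan is the more general control: it reports every package that runs code at install time regardless of whether it is on a blocklist, which is the review a CI pipeline should apply before trusting a fresh `npm install`. Point `scan_install_hooks` at a real project's node_modules and `scan_lockfile` at `json.load(open("package-lock.json"))`.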
Reference:
- North Korea-Linked Axios Supply Chain Attack Attributed to UNC1069
Google Threat Intelligence has attributed the Axios npm supply chain attack to UNC1069, a North Korea-linked threat actor, after malicious Axios releases deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems.
Technical Details / Key Points:
• Threat Actor: UNC1069 (North Korea-linked)
• Attack Type: Software Supply Chain Attack / Cross-Platform RAT
• Compromised Axios Versions:
• [email protected]
• [email protected]
• Malicious Dependency:
• [email protected]
• Attackers compromised the Axios maintainer account and changed the associated email address to ifstap@proton[.]me
• The malicious package used a postinstall script to silently execute setup.js, also tracked as SILKBELL
• The dropper deployed the WAVESHAPER.V2 backdoor, an updated variant previously associated with UNC1069
• Windows Payload:
• Copies powershell.exe to %PROGRAMDATA%\wt.exe
• Downloads and executes a PowerShell RAT from sfrclak[.]com:8000
• Creates persistence using %PROGRAMDATA%\system.bat and a MicrosoftUpdate registry Run key
• macOS Payload:
• Downloads a Mach-O binary to /Library/Caches/com.apple.act.mond
• Executes the file through zsh and maintains communication with the attacker
• Linux Payload:
• Downloads a Python backdoor to /tmp/ld.py
• The malware beacons every 60 seconds to the command-and-control infrastructure using the User-Agent:
• mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
• Command-and-Control Infrastructure:
• sfrclak[.]com
• 142.11.206.73
• Additional infrastructure: 23.254.167.216
Impact:
• Compromise of developer systems, CI/CD pipelines, build servers, and production environments
• Theft of credentials, tokens, API keys, SSH keys, and environment secrets
• Remote command execution, persistence, file enumeration, and deployment of additional payloads
Recommendations:
• Immediately remove [email protected] and [email protected] and downgrade to safe versions
• Search for the malicious dependency plain-crypto-js versions 4.2.0 and 4.2.1 in lockfiles and node_modules
• Block network traffic to sfrclak[.]com, 142.11.206.73, and 23.254.167.216
• Rotate all credentials and secrets if affected versions were installed
• Clear npm, yarn, and pnpm caches on workstations and CI/CD systems
• Monitor for files such as %PROGRAMDATA%\wt.exe, %PROGRAMDATA%\system.bat, /Library/Caches/com.apple.act.mond, and /tmp/ld.py
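The 60-second beacon and the fixed User-Agent give network defenders two signals that survive a change of C2 address. The detector below is an added example, not code from Google Threat Intelligence or the digest's source: it groups outbound proxy records by source and destination, flags destinations matching the indicators above (the domain refanged for matching), flags the beacon User-Agent, and independently flags any pair whose inter-connection gaps cluster tightly around 60 seconds, so a new C2 host would still surface on cadence alone. The log format, hosts, timestamps and tolerance thresholds are constructed assumptions.

```python
"""
Spot the WAVESHAPER.V2 beaconing pattern described in the UNC1069 item in proxy logs.

Added example; not code from Google Threat Intelligence or the digest's source.
Destinations and User-Agent are the indicators printed in the item (domain
refanged); log format, hosts, timestamps and thresholds are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

C2_DESTINATIONS = {"sfrclak.com", "142.11.206.73", "23.254.167.216"}
BEACON_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
EXPECTED_INTERVAL = 60.0   # seconds, as stated in the item
TOLERANCE = 10.0           # assumed: accept a median gap within +/- 10 s of the interval
MAX_JITTER = 5.0           # assumed: population stdev of the gaps must stay below this
MIN_HITS = 4               # assumed: connections needed before judging cadence

# Constructed log layout: "<iso-timestamp> <src-ip> <dst-host:port> "<user-agent>""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def parse_line(line: str):
    """Return a record dict for one log line, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst.rsplit(":", 1)[0], "ua": ua}


def detect_beacons(lines) -> list:
    """Flag (src, dst) pairs by known indicator, by User-Agent, and by periodic cadence."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["dst"])].append(rec)

    findings = []
    for (src, dst), recs in by_pair.items():
        reasons, median = [], None
        if dst in C2_DESTINATIONS:
            reasons.append("destination is a known C2 indicator")
        if any(r["ua"].lower() == BEACON_UA for r in recs):
            reasons.append("User-Agent matches the WAVESHAPER.V2 beacon string")
        if len(recs) >= MIN_HITS:
            times = sorted(r["ts"] for r in recs)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            median = statistics.median(gaps)
            # Cadence is judged without reference to the indicator list so that a
            # relocated C2 server is still caught by its timing alone.
            if abs(median - EXPECTED_INTERVAL) <= TOLERANCE and statistics.pstdev(gaps) <= MAX_JITTER:
                reasons.append(f"periodic cadence: median gap {median:.0f}s over {len(recs)} connections")
        if reasons:
            findings.append({"src": src, "dst": dst, "count": len(recs),
                             "median_gap": median, "reasons": reasons})
    return findings


# Constructed sample: one host beaconing on a ~60 s cadence, one host browsing normally.
SAMPLE_LOG = """\
2026-03-20T09:00:00Z 10.0.0.5 142.11.206.73:8000 "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
2026-03-20T09:00:12Z 10.0.0.7 198.51.100.20:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2026-03-20T09:01:00Z 10.0.0.5 142.11.206.73:8000 "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
2026-03-20T09:01:47Z 10.0.0.7 198.51.100.20:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2026-03-20T09:02:00Z 10.0.0.5 142.11.206.73:8000 "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
2026-03-20T09:02:59Z 10.0.0.5 142.11.206.73:8000 "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
2026-03-20T09:04:00Z 10.0.0.5 142.11.206.73:8000 "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
2026-03-20T09:05:30Z 10.0.0.7 198.51.100.20:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
"""

if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']} ({f['count']} hits): " + "; ".join(f["reasons"]))
```

On the sample, the beaconing host is reported with all three reasons while the browsing host, whose gaps are irregular and whose destination and User-Agent are unremarkable, produces nothing. The cadence check will also surface legitimate software with a fixed polling interval, so treat a cadence-only finding as a lead to enrich with the destination and process, not as a verdict.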
Reference:
- Tax-Themed Phishing Campaigns Deliver Malware, RMM Tools, and Credential Theft
Threat actors are actively using tax-related themes during the 2026 filing season to deliver malware, remote monitoring tools, and credential phishing campaigns targeting users in multiple countries.
Technical Details / Key Points:
• Attack Type: Tax-Themed Phishing / Credential Theft / Malware Delivery
• More than 100 tax-themed campaigns have been observed in 2026 targeting users in the United States, Canada, Australia, Switzerland, Japan, and other countries
• Common lures include:
• Fake IRS or tax authority notifications
• Expired tax documents
• W-8BEN, W-2, and W-9 tax forms
• Tax violations and requests for filing assistance
• Threat actors are increasingly delivering legitimate remote monitoring and management (RMM) tools including:
• N-Able
• Datto
• RemotePC
• Zoho Assist
• ScreenConnect
• A campaign observed on 5 February 2026 impersonated the U.S. IRS and used a malicious Bitbucket link to install N-Able RMM on victim systems
• Newly tracked threat actor TA4922 used tax-themed emails targeting Japan and other Asian countries
• TA4922 requested victims’ mobile phone numbers and then used out-of-band communication to deliver malware from the Winos4.0 / ValleyRAT ecosystem
• TA4922 also distributed an information stealer through the URL:
• hxxps://www[.]upsystems[.]one/Alex[.]exe
• Threat actor TA2730 used fake W-8BEN tax form requests to steal credentials for investment platforms in Switzerland and Canada
• The phishing pages impersonated legitimate financial institutions such as Swissquote and Questrade
Impact:
• Theft of user credentials, tax information, and financial account access
• Deployment of RMM tools and malware providing persistent remote access
• Potential identity theft, banking fraud, and compromise of investment accounts
• Exposure of employee W-2 and W-9 information in business email compromise attacks
Recommendations:
• Educate users to verify all tax-related emails, especially those requesting credentials, phone numbers, or document downloads
• Block or monitor unauthorized RMM tools such as N-Able, Datto, Zoho Assist, and ScreenConnect
• Review email filtering for tax-related keywords, Bitbucket links, and suspicious domains
• Monitor for communication with known malicious infrastructure including upsystems[.]one and the listed phishing domains
• Require phishing-resistant MFA for email, financial, and tax-related systems
Reference: