Threat Briefs

ConnectWise ScreenConnect path traversal + auth bypass chain added to CISA KEV, exploited by Storm-1175 for Medusa ransomware (CVE-2024-1708/1709); CopyFail detection rules now available — Sigma, Falco, auditd, KQL, EQL community packages released (CVE-2026-31431).

CopyFail Linux LPE gives root on all distros since 2017 with a 732-byte Python script (CVE-2026-31431); GitHub Enterprise RCE via git push header injection (CVE-2026-3854) with 88% of GHES instances unpatched; Hugging Face LeRobot unpatched unauth RCE via pickle deserialization (CVE-2026-25874).

Public PoC for Metabase Enterprise RCE via H2 JDBC injection (CVE-2026-33725); CISA adds Windows Shell NTLM coercion flaw to KEV with May 12 deadline.

APT28 exploits incomplete Windows Shell patch for zero-click NTLM coercion (CVE-2026-32202); Entra ID Agent Administrator role enables service principal takeover.

ASP.NET Core DataProtection HMAC bypass (CVE-2026-40372) enables authentication cookie forgery on .NET 10 apps; Adobe Acrobat federal deadline today; Defender RedSun/UnDefend still unpatched.

GlassWorm Phase 4 activates 73 Open VSX sleeper extensions with Zig-compiled native dropper targeting developer IDEs; status updates on Bitwarden supply chain, CISA KEV additions, Defender zero-days.

Bitwarden CLI supply chain compromise deploys Shai-Hulud credential worm targeting AI coding tools; CISA KEV adds Samsung MagicINFO, SimpleHelp, D-Link; Tropic Trooper pivots to AdaptixC2 with GitHub-based C2.

LMDeploy LLM inference SSRF exploited within 12 hours of disclosure; Breeze Cache WordPress plugin unauthenticated file upload actively exploited; Marimo added to CISA KEV.

Lotus Wiper destructive campaign targets Venezuelan energy sector; CVE-2026-33825 (BlueHammer) added to CISA KEV; Cisco SD-WAN and Zimbra federal deadlines expire today.

Zimbra Classic UI XSS (CVE-2025-48700) exploited by UAC-0233 targeting Ukraine added to CISA KEV with April 23 deadline; PaperCut and TeamCity legacy CVEs also added.

CISA adds 8 to KEV including Quest KACE CVSS 10.0 auth bypass and Cisco SD-WAN trio; Kentico Xperience auth RCE now confirmed exploited in the wild.

Vercel supply-chain breach via compromised Context.ai OAuth integration exposes environment variables; new detection artifacts published for unpatched Microsoft Defender RedSun and UnDefend zero-days.

UAC-0247 targets Ukrainian clinics and government with CHROMELEVATOR/ZAPIXDESK/AGINGFLY data-theft malware; CVE-2026-33032 nginx-ui MCPwn exploitation escalates to mass opportunistic campaigns.

FortiSandbox CVE-2026-39808 unauthenticated root RCE PoC drops with single-curl exploit; Thymeleaf CVE-2026-40478 SSTI sandbox bypass enables RCE on Spring/Java apps via whitespace parsing gap.

Apache ActiveMQ Jolokia RCE (CVE-2026-34197) added to CISA KEV amid active ransomware/cryptominer deployment; RedSun PoC bypasses April Patch Tuesday fix for CVE-2026-33825 — Huntress confirms ITW exploitation of all three Chaotic Eclipse Defender chains.

Windows TCP/IP IPv6+IPSec race-condition RCE (CVE-2026-33827, CVSS 8.1) patched in April Patch Tuesday — no PoC yet but wormable-class pre-auth; BlueHammer CVE-2026-33825 gets 7 Sigma + 4 YARA community detection rules; Fortinet FortiClient EMS SQLi KEV deadline today.

Microsoft April Patch Tuesday ships 167 fixes including actively exploited SharePoint spoofing zero-day (CVE-2026-32201, KEV same day); critical Windows IKE double-free RCE (CVE-2026-33824, CVSS 9.8, ports 500/4500); public PoC for Windows Error Reporting ALPC LPE (CVE-2026-20817) lands on GitHub.

CISA adds seven CVEs to KEV including Fortinet FortiClient EMS pre-auth SQLi (CVE-2026-21643) and Windows Host Process for Tasks LPE (CVE-2025-60710, PoC public); 36 malicious Strapi-themed npm packages deliver Redis RCE, Postgres theft, and persistent C2 targeting Guardarian

Adobe Acrobat/Reader zero-day gets CVE-2026-34621 and emergency patch after months of ITW exploitation; APT28 FrostArmada campaign hijacks SOHO router DNS at scale for M365 credential theft — DOJ disruption and IOCs published

CPUID supply-chain attack delivers STX RAT via trojanized CPU-Z/HWMonitor; Storm-1175 chains zero-days for high-velocity Medusa ransomware deployment across healthcare and services

Marimo Python notebook pre-auth RCE (CVE-2026-39987) exploited ITW within 10 hours; Smart Slider 3 Pro supply-chain backdoor via compromised Nextend update servers; UNC6783 BPO-to-enterprise extortion campaign

Adobe Reader unpatched zero-day (no CVE) exploited since Nov 2025 with Russian-language lures — block C2 169.40.2.68:45191. APT28 PRISMEX suite targets Ukraine/NATO logistics via steganography and COM hijacking. CISA AA26-097A: CyberAv3ngers compromising Rockwell PLCs across U.S. critical infrastructure.

Ivanti EPMM CVE-2026-1340 added to CISA KEV (April 8) with federal deadline April 11 — mass unauthenticated RCE via bash arithmetic expansion in map-appstore-url; public PoCs live. PraisonAI ships two pre-auth critical RCEs (CVE-2026-39890 YAML, CVE-2026-39888 sandbox escape).

Flowise CustomMCP RCE (CVE-2025-59528, CVSS 10.0) under active ITW exploitation — unauthenticated POST to /api/v1/node-load-method/customMCP yields Node.js child_process execution; 12-15K exposed

BlueHammer Windows zero-day LPE — disgruntled researcher drops working PoC abusing Windows Defender RPC + NTFS junctions for SYSTEM via SAM access; no patch

Fortinet FortiClient EMS pre-auth API bypass CVE-2026-35616 actively exploited as zero-day; emergency weekend hotfix for 2,000+ exposed instances

Cisco SD-WAN auth bypass CVE-2026-20127 gets public Metasploit module and Five Eyes hunt guide; WhatsApp VBS/MSI backdoor campaign uses LOLBins for persistent remote access

UAT-10608 mass credential harvesting via React2Shell (CVE-2025-55182) compromises 766+ Next.js hosts; CISA ICS advisory for PTC Windchill CVE-2026-4681

Cisco IMC auth bypass + SSM On-Prem RCE (dual CVSS 9.8 pre-auth); nginx-ui unpatched unauthenticated RCE via exposed MCP endpoint (CVSS 9.8)

Chrome zero-day CVE-2026-5281 (Dawn WebGPU UAF) added to CISA KEV; UAC-0255 AGEWHEEZE RAT campaign impersonates CERT-UA across Ukrainian orgs

Axios npm supply chain attack delivers WAVESHAPER.V2 RAT attributed to North Korean UNC1069; Operation TrueChaos exploits TrueConf zero-day CVE-2026-3502 to deploy Havoc across Southeast Asian government networks

DeepLoad malware uses ClickFix + AI obfuscation + WMI persistence for credential theft; CVE-2026-3055 Citrix NetScaler added to CISA KEV with active exploitation confirmed; TeamPCP pivots to Vect ransomware affiliate program

No new actionable threats; status updates for F5 BIG-IP APM federal deadline (today), PTC Windchill unpatched RCE, Cisco FMC Interlock campaign, and Citrix NetScaler recon activity

TeamPCP compromises Telnyx PyPI package with WAV steganography credential stealer; Citrix NetScaler CVE-2026-3055 active reconnaissance escalates to targeted SAML IdP fingerprinting

F5 BIG-IP APM RCE added to CISA KEV — China-linked UNC5221 deploys BRICKSTORM backdoor via source code breach; federal deadline March 30

Trivy supply chain CVE hits CISA KEV; PTC Windchill/FlexPLM CVSS 10.0 RCE with imminent exploitation threat

1 new threat: CVE-2026-20817 Windows Error Reporting ALPC privilege escalation PoC released — SYSTEM via WerFault.exe command-line injection. Status updates on Langflow CVE-2026-33017 CISA KEV, Citrix NetScaler CVE-2026-3055, and Cisco FMC CVE-2026-20131.

1 new threat: TeamPCP supply chain attack backdoors LiteLLM PyPI package (versions 1.82.7–1.82.8) with credential stealer, K8s lateral movement, and systemd persistence. Status updates on Citrix NetScaler CVE-2026-3055 and Cisco FMC CVE-2026-20131.

3 new threats: Citrix NetScaler SAML IDP memory leak (CVE-2026-3055, CVSS 9.3), Oracle Identity Manager pre-auth RCE (CVE-2026-21992, CVSS 9.8), VMware Aria Operations command injection KEV deadline today (CVE-2026-22719). Status update on Cisco FMC CVE-2026-20131.

1 qualifying update: DarkSword iOS exploit kit campaign expansion with newly published IOC domains and GHOSTBLADE infostealer details targeting crypto wallets and messaging apps. CISA deadlines: SharePoint CVE-2026-20963 due today, Qualcomm CVE-2026-21385 due tomorrow.

1 qualifying threat: CVE-2026-2631 Datalogics Ecommerce Delivery WordPress plugin unauthenticated privilege escalation (CVSS 9.8) with weaponized PoC enabling mass exploitation of ~15K installations. CISA deadline for Cisco FMC CVE-2026-20131 arrives today.

3 qualifying threats: CVE-2026-33017 Langflow unauthenticated RCE exploited within 20 hours of disclosure, plus CISA KEV additions for Craft CMS (CVE-2025-32432) and Laravel Livewire (CVE-2025-54068) unauthenticated RCE vulnerabilities under active exploitation.

Daily threat brief covering 2 new threats: GlassWorm supply chain Phase 3 with sleeper VS Code extensions activating and GitHub-hosted VSIX delivery evading takedowns, and PolyShell unauthenticated file upload flaw affecting all Magento/Adobe Commerce 2.x with RCE and account takeover potential.

Daily threat brief covering 4 threats: Interlock ransomware exploiting Cisco FMC zero-day CVE-2026-20131 (CVSS 10.0) with 36-day pre-disclosure exploitation, Microsoft SharePoint RCE CVE-2026-20963 added to CISA KEV, APT28 exploiting Zimbra XSS CVE-2025-66376 in Operation GhostMail, and DarkSword iOS exploit kit used by multiple state-sponsored actors across 4 countries.

Daily threat brief covering 8 threats: CVE-2026-32746 critical unpatched telnetd RCE, LeakNet ransomware ClickFix+Deno BYOR chain, Claude Fraud AI dev tool campaign, Payload ransomware Babuk derivative, Chrome zero-days CVE-2026-3909/3910, Wing FTP info-disclosure CISA KEV, ACRStealer HijackLoader evolution, and Konni APT EndRAT via KakaoTalk hijacking.

Today's brief covers four threats with fresh technical intel: Wing FTP Server exploit chain actively exploited (CISA KEV), Hive0163/Slopoly AI-generated C2 malware with Interlock ransomware, DRILLAPP/Laundry Bear Edge-abusing espionage backdoor targeting Ukraine, and Chrome double zero-day (Skia + V8) in active exploitation.

Chrome zero-days under active exploitation hit CISA KEV, CrackArmor drops 9 AppArmor LPE flaws on 12.6M Linux systems, a clever new ClickFix variant bypasses Defender via WebDAV + trojanized Electron app, and a FiveM gaming backdoor with 3,856 infected servers gets fully reverse-engineered.

Chrome zero-days actively exploited, Hive0163 Slopoly AI-assisted malware, INC ransomware pre-encryption exfiltration playbook, n8n RCE in CISA KEV, SocksEscort/AVrecon botnet takedown, and CrackArmor Linux privilege escalation.

Chrome dual zero-day exploit pair (Skia + V8), CrackArmor Linux LPE cluster, Hive0163 AI-generated Slopoly backdoor in Interlock ransomware chain, MicroStealer corporate credential theft, and n8n CISA KEV RCE update.

Daily detection engineering threat brief covering n8n RCE KEV, UNC6426 nx npm supply chain to AWS admin escalation, KadNap router botnet, CISA triple KEV (SolarWinds/Ivanti/Workspace One), and March 2026 Patch Tuesday LPE hotspots.

Microsoft March 2026 Patch Tuesday (2 zero-days, CVE-2026-26144 Copilot exfil), CISA KEV triple-add (SolarWinds WHD, Ivanti EPM, VMware Workspace One), APT28 dual-implant campaign (BEARDSHELL + COVENANT), and Zombie ZIP AV bypass technique (CVE-2026-0866).

Daily Detection Engineering Threat Brief covering new Metasploit exploit modules (GestioIP RCE, SPIP Saisies RCE, GL.iNet router exploit chain) and a possible malicious ScreenConnect C2 domain.

Daily Detection Engineering Threat Brief covering Grafana SQL Expressions RCE, Mythic C2 active IOCs, and new KQL detection queries for persistence and defense evasion.

Daily detection-engineering-focused threat brief covering new YARA-detectable APT36 (Translucent Werewolf) Linux .desktop launcher tradecraft (Google Drive payload fetch + WebSocket C2).

Daily detection-engineering-focused threat brief covering Cisco Secure FMC critical auth bypass + insecure Java deserialization RCE exposure triage, Metasploit PoCs for pyquokka Arrow Flight gRPC pickle RCE and smolagents RemotePythonExecutor rogue Jupyter pickle RCE, and a Sliver C2 reverse-weaponization kill-switch PoC.

Daily detection-engineering-focused threat brief covering Cisco Catalyst SD-WAN pre-auth RCE PoC (wildfly WAR/JSP drop) and Tactical RMM Jinja2 SSTI RCE via reporting template preview endpoint.

Daily detection-engineering-focused threat brief covering Dohdoor DoH backdoor, SloppyLemming BurrowShell APT, DeepSeek-Claw malicious npm, VMware Aria Operations KEV, Juniper Junos OS Evolved pre-auth RCE, Cisco SD-WAN PoC, MajorDoMo Metasploit modules, and fresh MuddyWater C2 IOCs.

New Metasploit modules for GL.iNet router brute-force+RCE and Barracuda ESG XLS RCE, a macOS infostealer tradecraft bundle with concrete C2/contact endpoints, and a new Nuclei template capturing an EKC Tournament Manager WordPress traversal pattern.

APT37's Ruby Jumper air-gap bridging toolkit, new Prosperous Werewolf (Trinper/LeetAgent) YARA artifacts, and an MCP indirect prompt injection PoC enabling unauthorized filesystem access.

Daily threat intelligence for detection engineers: ICS/HVAC vulnerabilities, gaming trojan campaign, OpenClaw security bypass

Cisco SD-WAN CVSS 10.0 zero-day exploited since 2023 gets CISA Emergency Directive; Google/Mandiant disrupt Chinese APT using Google Sheets as C2; Steaelite RAT unifies double extortion in one panel; Windows CLFS PoC drops.

FileZen KEV exploitation, SolarWinds Serv-U 4-CVE RCE cluster, Lazarus/Medusa healthcare extortion, VMware Aria Operations RCE, and the IBM X-Force + Sophos intelligence drops.

CrowdStrike GTR 2026, ClickFix + Matanbuchus 3.0 + AstarionRAT pre-ransomware chain, Silver Fox/ValleyRAT via fake AV site, APT28 Operation MacroMaze, seven MCP server RCEs, Dragos OT 2026 report, and Apache ActiveMQ → LockBit intrusion analysis.

SANDWORM_MODE npm supply chain worm poisons AI coding assistants; MuddyWater launches Operation Olalampo with new Rust backdoor; SolarWinds Web Help Desk RCE hits CISA KEV.

AI-augmented FortiGate campaign, Sentry SAML zero-day, Phobos affiliate arrest, USB air-gap cryptominer, and D-Link RCE cluster with public exploits.

CISA adds two actively exploited Roundcube webmail vulnerabilities to KEV catalog, including a 10-year-old deserialization RCE weaponized within 48 hours and an SVG-based XSS flaw.

BeyondTrust exploitation update with VShell/SparkRAT, VS Code extension vulnerabilities affecting 128M downloads, Cline AI supply chain attack, Remcos RAT real-time surveillance, and ClearFake/PS1Bot detection opportunities.

VoIP RCE with Metasploit exploit, Dell RecoverPoint zero-day exploited by China-nexus UNC6201, Keenadu Android supply chain backdoor, CRESCENTHARVEST Iranian espionage, and DPRK MetaMask wallet tampering.

Dell RecoverPoint zero-day exploited since 2024, CISA adds 4 KEVs, AI assistants weaponized as C2 proxies, Ivanti EPMM exploitation expands

BridgePay ransomware disrupts US municipalities, Odido breach exposes 6.2M, Phobos ransomware arrest in Poland

Chrome zero-day under active exploitation, infostealers now targeting AI agent configurations, and malware campaigns weaponizing Google Groups

DNS-based ClickFix delivers stealers via nslookup; CANFAIL malware targets Ukraine; macOS MacSync stealer via Claude artifacts

BeyondTrust post-exploitation TTPs revealed; Microsoft patches 6 zero-days; Ivanti EPMM under attack; Lazarus poisons npm/PyPI; AgreeToSteal Outlook add-in

BeyondTrust pre-auth RCE with public PoC, Notepad++ supply chain, Windows Notepad markdown RCE, Warlock ransomware via SmarterMail, Apple dyld zero-day.