Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
CISA has issued an emergency patching order for CVE-2026-20131, a maximum-severity vulnerability in Cisco Secure Firewall Management Center, requiring federal agencies to remediate by March 22, 2026. This indicates either active exploitation or imminent threat intelligence suggesting weaponization.
International law enforcement shut down 373,000 dark web sites distributing fake child sexual abuse material (CSAM) packages, disrupting a fraud scheme that victimizes both potential offenders seeking illegal content and defrauds them. This represents a significant takedown of deceptive criminal commerce infrastructure.
Oracle released an emergency out-of-band patch for an unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager (CVE-2026-21992). This is a critical identity infrastructure flaw that likely enables complete system compromise without credentials.
Russian state-linked threat actors are executing targeted phishing campaigns against Signal and WhatsApp users, with thousands of accounts already compromised. This represents a sophisticated effort to penetrate secure communications infrastructure used by journalists, activists, and government officials.
Russian intelligence services are conducting widespread phishing campaigns targeting commercial messaging application accounts of U.S. government officials, military personnel, and journalists. Attackers have successfully compromised thousands of individual accounts to access messages and contact lists, demonstrating a shift from targeting application encryption to exploiting user-level account security.
MinIO's OIDC implementation contains a JWT algorithm confusion vulnerability allowing attackers who possess the ClientSecret to forge identity tokens and obtain admin-level S3 credentials. This PoC demonstrates a deterministic, high-impact attack path requiring only knowledge of a shared credential.
Unauthenticated SSRF in AVideo's standalone DVR saver allows attackers to forge server-side requests to arbitrary URLs, potentially chaining to authentication bypass and internal network reconnaissance. The PoC demonstrates complete lack of input validation in a publicly accessible endpoint.
All versions of IGL-Technologies eParking.fi contain critical authentication and access control vulnerabilities (CVSS 9.4) that could allow attackers to gain unauthorized administrative control over EV charging stations or launch denial-of-service attacks against charging services.
A remote out-of-bounds read vulnerability in Mitsubishi Electric CNC Series controllers enables denial-of-service attacks. This affects critical industrial manufacturing infrastructure across multiple product lines with varying patch states.
Schneider Electric EcoStruxure Automation Expert versions ≤25.0.1 contain a vulnerability enabling arbitrary command execution on engineering workstations. This threatens the integrity of critical industrial control systems across discrete, hybrid, and continuous manufacturing processes.
Automated Logic WebCTRL Premium Server contains multiple critical vulnerabilities including cleartext transmission, authentication bypass via spoofing, and port binding issues that allow attackers to intercept, read, and modify communications in building automation systems.
Schneider Electric Modicon Controllers (M241, M251, M258, M262, LMC058) contain XSS/open redirect and denial-of-service vulnerabilities affecting web interfaces. Exploitation could lead to account takeover, browser-based code execution, or operational disruption in industrial environments.
HAPI FHIR's HTTP client transmits authentication headers and sensitive data to redirect destinations without validation, enabling credential theft and cross-host impersonation attacks. Defenders must identify and patch affected deployments immediately.
gRPC-Go servers fail to canonicalize HTTP/2 :path pseudo-headers before authorization checks, allowing attackers to bypass path-based access control policies by omitting the leading slash in requests.
The Tekton git resolver fails to sanitize the `pathInRepo` parameter, allowing namespace-scoped tenants to read arbitrary files from the resolver pod filesystem via path traversal sequences. This enables credential exfiltration including ServiceAccount tokens.
ConnectWise patched a cryptographic signature verification vulnerability in ScreenConnect that allows attackers to bypass authentication and hijack remote access sessions. This is a critical supply-chain risk affecting thousands of managed service providers and their downstream customers.
CISA issued a binding directive for U.S. federal agencies to patch an actively exploited XSS vulnerability in Zimbra Collaboration Suite, indicating threat actors are leveraging email infrastructure compromises for potential lateral movement and data theft.
Aura, an identity protection company, suffered a data breach exposing ~900,000 marketing contact records (names, emails). The breach is particularly damaging given Aura's core business is protecting customers from identity theft and data exposure.
CISA confirmed March 2026 cyberattack against Stryker Corporation exploiting endpoint management system misconfigurations in Microsoft environments. This represents active adversary targeting of legitimate administration tools to achieve organizational compromise.
CISA added two known-exploited vulnerabilities to its KEV catalog: a Zimbra Collaboration Suite XSS flaw and a Microsoft SharePoint deserialization vulnerability. Both are under active exploitation and carry significant risk to federal and enterprise environments.
SiYuan's SVG sanitizer blocks data:text/html and data:image/svg+xml but misses data:text/xml and data:application/xml, allowing unauthenticated XSS via the /api/icon/getDynamicIcon endpoint. The fix for CVE-2026-29183 was incomplete, leaving equivalent bypass vectors.
jsPDF versions before 4.2.1 fail to sanitize user-controlled options passed to window-opening output methods, allowing attackers to inject arbitrary HTML and JavaScript into the PDF viewer context. This enables XSS attacks when applications pass unsanitized user input to these functions.
Apple released a new Background Security Improvements update addressing WebKit CVE-2026-20643 across iOS, iPadOS, and macOS without requiring full operating system upgrades. This represents a significant shift in Apple's patching strategy, enabling faster security remediation for critical browser engine vulnerabilities.
A vulnerability in CODESYS runtime components bundled with Festo Automation Suite prior to v2.8.0.138 allows unauthenticated remote attackers to execute arbitrary code on industrial automation systems. This affects a widely-used ICS development platform with significant operational technology footprint.
Schneider Electric SCADAPack x70 RTUs and RemoteConnect products contain an authentication or access control vulnerability affecting firmware versions prior to 9.12.2, potentially allowing unauthorized remote access to critical industrial control systems with downstream impacts on device integrity and availability.