Black Hat USA

Microsoft says the financially motivated cybercrime group has exploited N-day and zero-day vulnerabilities in campaigns predicated on speed.

Storm-1175 Deploys Medusa Ransomware at 'High Velocity'

By hiding malicious instructions on an attacker-controlled Web page, AI could ingest orders as benign and return sensitive data to the attacker's server.

Grafana Patches AI Bug That Could Have Leaked User Data

The Russia-linked threat actor known&nbsp;as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May&nbsp;2025.
The large-scale exploitation campaign has&nbsp;been codenamed&nbsp;

The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025.
The large-scale exploitation campaign has been codenamed

Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

In&nbsp;the rapid evolution of&nbsp;the 2026 threat landscape, a frustrating paradox has emerged for CISOs and security&nbsp;leaders: Identity programs are maturing, yet the risk is actually increasing.
According to new research from&nbsp;the Ponemon&nbsp;Institute, hundreds of applications within the typical enterprise remain disconnected from centralized identity systems.&nbsp;These&nbsp;"dark

In the rapid evolution of the 2026 threat landscape, a frustrating paradox has emerged for CISOs and security leaders: Identity programs are maturing, yet the risk is actually increasing.
According to new research from the Ponemon Institute, hundreds of applications within the typical enterprise remain disconnected from centralized identity systems. These "dark

[Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk

A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins&nbsp;(AuthZ) under specific circumstances.
The vulnerability, tracked&nbsp;as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix&nbsp;for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July&nbsp;2024.
"

A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances.
The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024.
"

Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access

Dark Reading's Kelly Jackson Higgins shares insights on the past, present, and future of cybersecurity after attending RSAC 2026 Conference.

RSAC 2026: How AI Is Reshaping Cybersecurity Faster Than Ever

As AI dominated RSAC 2026, CISOs and industry leaders debated its role in security, from agentic applications to the challenges of scaling human involvement in decision-making.

Human vs AI: Debates Shape RSAC 2026 Cybersecurity Trends

A panel of five C-suite leaders discuss how cybersecurity success is measured and why it isn't improving results.

Lies, Damned Lies, and Cybersecurity Metrics

AI dominated the RSAC 2026 Conference and showed it's still humans in cybersecurity who matter most.

Focusing on the People in Cybersecurity at RSAC 2026 Conference

An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy&nbsp;botnet.
"A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes&nbsp;via ComfyUI-Manager if no exploitable node is already

An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet.
"A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already

Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign

New advisory warns cyber threat group APT28 have exploited vulnerable edge devices to support malicious operations.

UK exposes Russian military intelligence hijacking vulnerable routers for cyber attacks

Russian cyber actor APT28 exploit vulnerable routers to hijack DNS, enabling adversary‑in‑the‑middle attacks and theft of passwords and authentication tokens.

APT28 exploit routers to enable DNS hijacking operations

View CSAF
Summary
Successful exploitation of these vulnerabilities could allow a local attacker to disclose SQL Server credentials used by the affected products and use them to disclose, tamper with, or destroy data, or to cause a denial-of-service (DoS) condition on the system.
The following versions of Mitsubishi Electric GENESIS64 and ICONICS Suite products are affected:
GENESIS64 <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
ICONICS Suite <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
MobileHMI <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
Hyper Historian <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
AnalytiX <=10.97.3 (CVE-2025-14815, CVE-2025-14816)
MC Works 64 vers:all/* (CVE-2025-14815, CVE-2025-14816)
GENESIS <=11.02 (CVE-2025-14815, CVE-2025-14816)
CVSS
Vendor
Equipment
Vulnerabilities




v3 8.8
Mitsubishi Electric
Mitsubishi Electric GENESIS64 and ICONICS Suite products
Cleartext Storage of Sensitive Information, Cleartext Storage of Sensitive Information in GUI




Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Mitsubishi Electric Iconics Digital Solutions is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.
Vulnerabilities
Expand All +
CVE-2025-14815
When the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication, the SQL Server credentials are stored in plaintext within the local SQLite file. This results in a vulnerability due to Cleartext Storage of Sensitive Information (CWE 312), which may lead to information disclosure, tampering, or denial of service (DoS).
View CVE Details
Affected Products
Mitsubishi Electric GENESIS64 and ICONICS Suite products
Vendor:
Mitsubishi Electric
Product Version:
Mitsubishi Electric GENESIS64: <=10.97.3, Mitsubishi Electric ICONICS Suite: <=10.97.3, Mitsubishi Electric MobileHMI: <=10.97.3, Mitsubishi Electric Hyper Historian: <=10.97.3, Mitsubishi Electric AnalytiX: <=10.97.3, Mitsubishi Electric MC Works 64: vers:all/*, Mitsubishi Electric GENESIS: <=11.02, Mitsubishi Electric Iconics Digital Solutions GENESIS64: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions MobileHMI: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions Hyper Historian: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions AnalytiX: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions GENESIS: <=11.02
Product Status:
known_affected
Remediations
Vendor fix
Mitsubishi Electric is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf
Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert
Vendor fix
Mitsubishi Electric is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf
Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert
No fix planned
There are no plans to release fixed version for MC Works64. For users of MC Works64, refer to the Mitsubishi Electric security advisory "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf", and take the actions described there.
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf
Mitigation
For customer of GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf".
Mitigation
For customer of GENESIS that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3".
Mitigation
For customer of MC Works 64, Mitsubishi Electric recommends performing the following step (1) and (2). (1)In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf".
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using Windows authentication instead of SQL authentication for the SQL server authentication method, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend configuring the PCs with the affected product installed so that only an administrator can log in, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using the PCs with the affected product installed in the LAN and blocking remote login from untrusted networks and hosts, and from non-administrator users, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend blocking unauthorized access by using a firewall, virtual private network (VPN), etc. and allowing remote login only to administrator when internet access is required, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend restricting physical access to the PC with the affected product installed and to the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing the user from clicking on web links in emails from untrusted sources, or from opening attachments in untrusted emails, to minimize the risk of exploiting this vulnerability.
Relevant CWE: CWE-312 Cleartext Storage of Sensitive Information
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
8.8
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H







CVE-2025-14816
In the Hyper Historian Splitter feature of the affected products, when SQL authentication is used for the SQL Server authentication, the SQL Server credentials are displayed in plain text in the GUI. This results in a vulnerability due to Cleartext Storage of Sensitive Information in GUI (CWE‑317 ), which may lead to information disclosure, tampering, or denial‑of‑service (DoS).
View CVE Details
Affected Products
Mitsubishi Electric GENESIS64 and ICONICS Suite products
Vendor:
Mitsubishi Electric
Product Version:
Mitsubishi Electric GENESIS64: <=10.97.3, Mitsubishi Electric ICONICS Suite: <=10.97.3, Mitsubishi Electric MobileHMI: <=10.97.3, Mitsubishi Electric Hyper Historian: <=10.97.3, Mitsubishi Electric AnalytiX: <=10.97.3, Mitsubishi Electric MC Works 64: vers:all/*, Mitsubishi Electric GENESIS: <=11.02, Mitsubishi Electric Iconics Digital Solutions GENESIS64: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions MobileHMI: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions Hyper Historian: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions AnalytiX: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions GENESIS: <=11.02
Product Status:
known_affected
Remediations
Vendor fix
Mitsubishi Electric is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf
Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert
Vendor fix
Mitsubishi Electric is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf
Vendor fix
Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
https://iconics.com/about/security/cert
No fix planned
There are no plans to release fixed version for MC Works64. For users of MC Works64, refer to the Mitsubishi Electric security advisory "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf", and take the actions described there.
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf
Mitigation
For customer of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following steps (1) and (2). (1) Change the permissions of HHSplitter.exe so that only trusted administrators can execute it. (2) Delete HHSplitter.exe from the system if it is unnecessary.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using Windows authentication instead of SQL authentication for the SQL server authentication method, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend configuring the PCs with the affected product installed so that only an administrator can log in, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using the PCs with the affected product installed in the LAN and blocking remote login from untrusted networks and hosts, and from non-administrator users, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend blocking unauthorized access by using a firewall, virtual private network (VPN), etc. and allowing remote login only to administrator when internet access is required, and from non-administrator users, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend restricting physical access to the PC with the affected product installed and the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing the user from clicking on web links in emails from untrusted sources, or from opening attachments in untrusted emails, to minimize the risk of exploiting this vulnerability.
Relevant CWE: CWE-317 Cleartext Storage of Sensitive Information in GUI
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
8.8
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H








Acknowledgments
Mitsubishi Electric reported these vulnerabilities to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of CISA V20251021-001, V20251029-001 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact CISA directly for any questions regarding this advisory.
Revision History
Initial Release Date: 2026-04-07
Date
Revision
Summary




2026-04-07
1
Initial Publication


2026-04-07
2
Initial CISA Republication of CISA V20251021-001, V20251029-001 advisory




Legal Notice and Terms of Use

Mitsubishi Electric GENESIS64 and ICONICS Suite products

Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

When talking about credential security, the focus usually lands on breach prevention. This&nbsp;makes sense&nbsp;when IBM’s 2025 Cost of a Data Breach&nbsp;Report puts the average cost of a breach at $4.4&nbsp;million. Avoiding even one major incident is enough to justify most security investments, but that headline figure obscures the more persistent problems caused by recurring credential

When talking about credential security, the focus usually lands on breach prevention. This makes sense when IBM’s 2025 Cost of a Data Breach Report puts the average cost of a breach at $4.4 million. Avoiding even one major incident is enough to justify most security investments, but that headline figure obscures the more persistent problems caused by recurring credential

The Hidden Cost of Recurring Credential Incidents

New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to escalate privileges and, in some cases, even take full control of a&nbsp;host.
The efforts have been&nbsp;codenamed GPUBreach, GDDRHammer,&nbsp;and GeForge.
GPUBreach goes a step further&nbsp;than GPUHammer, demonstrating for the first time that

New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to escalate privileges and, in some cases, even take full control of a host.
The efforts have been codenamed GPUBreach, GDDRHammer, and GeForge.
GPUBreach goes a step further than GPUHammer, demonstrating for the first time that

New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips

A&nbsp;China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing&nbsp;systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent

A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent

China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware

Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.
The vulnerability in question&nbsp;is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.
"The CustomMCP node allows users to input configuration settings for connecting

Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck.
The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution.
"The CustomMCP node allows users to input configuration settings for connecting

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

PRT-scan is the second campaign in recent months where a threat actor appears to have leveraged AI for automated targeting of a widespread GitHub misconfiguration.

AI-Assisted Supply Chain Attack Targets GitHub

The attack on the popular NPM package Axios is just one of many targeting maintainers and has shone a light on how threat actors can scale sophisticated social engineering campaigns.

Axios Attack Shows Complex Social Engineering Is Industrialized

The authentication bypass flaw, tracked as CVE-2026-35616, is the latest in a series of Fortinet vulnerabilities that have been exploited in the wild.

Fortinet Issues Emergency Patch for FortiClient Zero-Day

An&nbsp;Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid&nbsp;ongoing conflict in the Middle&nbsp;East.
The&nbsp;activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check&nbsp;Point.
"The campaign is primarily

An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East.
The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point.
"The campaign is primarily

Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

Threat&nbsp;actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South&nbsp;Korea.
The&nbsp;attack chain,&nbsp;per Fortinet FortiGuard&nbsp;Labs, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF

Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea.
The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea

An emerging threat cluster tracked as UAT-10608 is exploiting vulnerable Web-exposed Next.js apps and using an automated tool to exfiltrate credentials, secrets, and other system data.

Automated Credential Harvesting Campaign Exploits React2Shell Flaw

Medical professionals are not going to stop using AI tools to manage growing workloads. Organizations should prioritize bolstering security protocols to limit their blast radius.

Shadow AI in Healthcare Is Here to Stay

In recognition of 21 generative AI risks, the standards groups recommends that companies take separate but linked approaches to defending GenAI and agentic AI systems.

OWASP GenAI Security Project Gets Update, New Tools Matrix

Your attack surface no&nbsp;longer lives&nbsp;on one operating system, and neither do the campaigns targeting&nbsp;it. In enterprise environments, attackers move across Windows endpoints, executive MacBooks, Linux infrastructure, and mobile devices, taking advantage of the fact that many SOC&nbsp;workflows are still fragmented by&nbsp;platform.&nbsp;
For security leaders, this creates&nbsp;a

Your attack surface no longer lives on one operating system, and neither do the campaigns targeting it. In enterprise environments, attackers move across Windows endpoints, executive MacBooks, Linux infrastructure, and mobile devices, taking advantage of the fact that many SOC workflows are still fragmented by platform. 
For security leaders, this creates a

Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps

This&nbsp;week had real hits. The&nbsp;key software got tampered with. Active&nbsp;bugs showed up in the tools people use every day. Some&nbsp;attacks didn’t even need much effort because the path was already&nbsp;there.
One weak spot now spreads wider than before. What&nbsp;starts small can reach a lot of systems fast. New&nbsp;bugs, faster use, less time to&nbsp;react.
That’s this week. Read&

This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.
One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.
That’s this week. Read&

⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More

<p>CISA has added one new vulnerability to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-35616" target="_blank">CVE-2026-35616</a> - Fortinet FortiClient EMS Improper Access Control Vulnerability</li>
</ul>
<p>This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.</p>
<p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a> established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the <a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a> for more information.</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">KEV Catalog vulnerabilities</a> as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the <a href="https://www.cisa.gov/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities">specified criteria</a>.&nbsp;</p>


CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-35616 - Fortinet FortiClient EMS Improper Access Control Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Adds One Known Exploited Vulnerability to Catalog

The&nbsp;most active piece of enterprise infrastructure in the company is the developer workstation. That&nbsp;laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI&nbsp;agents.
In&nbsp;March 2026, the TeamPCP threat&nbsp;actor proved just how&nbsp;valuable developer&nbsp;machines are. Their&nbsp;supply chain attack on

The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents.
In March 2026, the TeamPCP threat actor proved just how valuable developer machines are. Their supply chain attack on

How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers

Threat actors associated&nbsp;with Qilin&nbsp;and Warlock ransomware operations&nbsp;have been&nbsp;observed using the bring your own vulnerable driver&nbsp;(BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend&nbsp;Micro.
Qilin attacks analyzed by Talos&nbsp;have been&nbsp;found to deploy a malicious DLL named "msimg32.dll,"

Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts, according to findings from Cisco Talos and Trend Micro.
Qilin attacks analyzed by Talos have been found to deploy a malicious DLL named "msimg32.dll,"

Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools

Germany's Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identities of two of the key figures associated with the now-defunct REvil (aka Sodinokibi) ransomware-as-a-service (RaaS) operation.
One of the threat actors, who went by the alias UNKN, functioned as a representative of the group, advertising the ransomware in June 2019 on the XSS cybercrime forum

BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

Drift&nbsp;has revealed that the April 1, 2026, attack that led to&nbsp;the theft of $285&nbsp;million was the culmination of a months-long targeted and meticulously planned social engineering operation undertaken by the Democratic People's Republic of Korea (DPRK) that began in the fall of&nbsp;2025.
The&nbsp;Solana-based decentralized exchange described it as "an attack six months in the

Drift has revealed that the April 1, 2026, attack that led to the theft of $285 million was the culmination of a months-long targeted and meticulously planned social engineering operation undertaken by the Democratic People's Republic of Korea (DPRK) that began in the fall of 2025.
The Solana-based decentralized exchange described it as "an attack six months in the

$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent&nbsp;implant.
"Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant.
"Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the&nbsp;wild.
The&nbsp;vulnerability, tracked&nbsp;as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation.
"An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an

Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild.
The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation.
"An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Data privacy labels are a great idea for mobile apps, but the current versions just aren't good enough.

Inconsistent Privacy Labels Don't Tell Users What They Are Getting

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025,&nbsp;following a two-year&nbsp;period of minimal targeting in the&nbsp;region.
The campaign has been attributed&nbsp;to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo&nbsp;Panda.
"This TA416 activity included multiple

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region.
The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.
"This TA416 activity included multiple

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Even organizations with users unwilling or unable to adopt iOS 26 can now protect themselves from a severe mobile OS-cracking tool.

Apple Breaks Precedent, Patches DarkSword for iOS 18

Threat&nbsp;actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research&nbsp;Team.
"Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,

Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team.
"Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

As organizations disclose breaches tied to TeamPCP's supply chain attacks, ShinyHunters and Lapsus$ are getting involved, taking credit, and creating a murky situation for enterprises.

Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting

&quot;Skull vibration harmonics generated by vital signs&quot; can be used to sign in to VR, AR, and MR headsets, according to emerging research.

"Skull vibration harmonics generated by vital signs" can be used to sign in to VR, AR, and MR headsets, according to emerging research.

Picking Up 'Skull Vibrations'? Could Be XR Headset Authentication

Or, why the software supply chain should be treated as critical infrastructure with guardrails built in at every layer.

Claude Source Code Leak Highlights Big Supply Chain Missteps

The rebuilt Chainguard platform adds deeper security designed to continuously reconcile open source artifacts across containers, libraries, agent skills, and GitHub Actions.

Chainguard Unveils Factory 2.0 to Automate Hardening the Software Supply Chain

Once CrowdStrike's nemesis, Microsoft is now a collaborator. A shared interest in Formula 1 helped thaw the years-long fierce rivalry.

CrowdStrike Next-Gen SIEM Can Now Ingest Microsoft Defender Telemetry

The&nbsp;maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked&nbsp;as UNC1069.
Maintainer Jason Saayman said the attackers tailored their social engineering efforts "specifically to me" by first approaching him under the guise of the founder of a

The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069.
Maintainer Jason Saayman said the attackers tailored their social engineering efforts "specifically to me" by first approaching him under the guise of the founder of a

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

The next major&nbsp;breach hitting your clients probably won't come&nbsp;from inside their&nbsp;walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for&nbsp;it.
Cynomi's new&nbsp;guide, Securing the Modern Perimeter: The Rise of Third-Party

The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it.
Cynomi's new guide, Securing the Modern Perimeter: The Rise of Third-Party

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture

Cybersecurity researchers&nbsp;have discovered a new version of&nbsp;the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the&nbsp;trojan was discovered targeting both the mobile operating&nbsp;systems.
The&nbsp;malware&nbsp;has&nbsp;been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while

Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems.
The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while

New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images

Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1,&nbsp;2026.
"Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers," the&

Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.
"Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers," the&

Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK

AI-driven threats, global leadership shifts, and the future of cybersecurity in a rapidly evolving landscape were among the discussions at RSAC 2026 Conference.

Geopolitics, AI, and Cybersecurity: Insights From RSAC 2026

The company's 8-K filing notes &quot;unauthorized access&quot; and that it has activated business continuity plans and taken some systems offline.

The company's 8-K filing notes "unauthorized access" and that it has activated business continuity plans and taken some systems offline.

Not Toying Around: Hasbro Attack May Take 'Weeks' to Remediate

A&nbsp;large-scale credential harvesting operation&nbsp;has been&nbsp;observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at&nbsp;scale.
Cisco&nbsp;Talos has attributed the operation to a threat cluster it tracks&nbsp;as

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
Cisco Talos has attributed the operation to a threat cluster it tracks as

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

CISOs are bullish on AI and have big plans to roll out future tools. We talk to Reddit CISO Frederick Lee and leading analyst Dave Gruber about how AI is working out in the real world, as well as its future promise.

Security Bosses Are All-In on AI. Here's Why

As AI took center stage at this year's conference, experts debated automation, oversight and the evolving role of human intelligence in cybersecurity — despite the US government's notable absence.

RSAC 2026: AI Dominates, But Community Remains Key to Security

Cisco&nbsp;has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.
The&nbsp;vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8&nbsp;out of a maximum of&nbsp;10.0.
"This

Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.
The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.
"This

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Augmented Marauder's multipronged banking-Trojan cyber campaigns are targeting Spanish speakers, evading detection, and replicating rapidly.

Bank Trojan 'Casbaneiro' Worms Through Latin America

The&nbsp;latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No&nbsp;corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this&nbsp;week.
Things&nbsp;are moving fast. The&nbsp;list includes researchers chaining small bugs together to create massive backdoors, old software flaws

The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week.
Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws

ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories

<p>CISA has added&nbsp;one&nbsp;new&nbsp;vulnerability&nbsp;to its&nbsp;<a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.&nbsp;</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-3502" target="_blank">CVE-2026-3502</a>&nbsp;TrueConf&nbsp;Client Download of Code Without Integrity Check Vulnerability&nbsp;</li>
</ul>
<p>This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.&nbsp;</p>
<p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a>&nbsp;established the KEV&nbsp;Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the&nbsp;<a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a>&nbsp;for more information.&nbsp;</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing&nbsp;timely&nbsp;remediation of&nbsp;<a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">KEV Catalog vulnerabilities</a>&nbsp;as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the&nbsp;<a href="https://www.cisa.gov/known-exploited-vulnerabilities">specified criteria</a>.&nbsp;</p>


CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 
CVE-2026-3502 TrueConf Client Download of Code Without Integrity Check Vulnerability 
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-092-03.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Hitachi Energy is aware of a Jasper Report vulnerability that affects the Ellipse product versions mentioned in this document below. This vulnerability can be exploited to carry out remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.</strong></p>
<p>The following versions of Hitachi Energy Ellipse are affected:</p>
<ul>
<li>Ellipse vers:Ellipse/&lt;=9.0.50 (CVE-2025-10492)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 9.8</td>
<td>Hitachi Energy</td>
<td>Hitachi Energy Ellipse</td>
<td>Deserialization of Untrusted Data</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Critical Manufacturing</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>Switzerland</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2025-10492</a></h3>
<div class="csaf-accordion-content">
<p>A vulnerability exists in Jasper Report third party component that is used for creating custom reports in Ellipse product. A Java deserialization vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2025-10492">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>Hitachi Energy Ellipse</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>Hitachi Energy</div>
<div class="ics-version"><strong>Product Version:</strong><br>Ellipse versions 9.0.50 and prior</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>Since the vulnerability exists in Jasper Report component that is external to Ellipse application, restrict the loading of external custom reports created by end users by allowing only trusted Jasper reports generated by the system administrator.</p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/502.html">CWE-502 Deserialization of Untrusted Data</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>9.8</td>
<td>CRITICAL</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>Hitachi Energy PSIRT reported this vulnerability to CISA.</li>
</ul>
<hr>
<h2>Notice</h2>
<p>The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.</p>
<hr>
<h2>Support</h2>
<p>For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.</p>
<hr>
<h2>General Mitigation Factors</h2>
<p>Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.</p>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.</p>
<p>Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolate them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<hr>
<h2>Advisory Conversion Disclaimer</h2>
<p>This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000238 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.</p>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-02-24</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-02-24</td>
<td>1</td>
<td>Initial public release</td>
</tr>
<tr>
<td>2026-04-02</td>
<td>2</td>
<td>Initial CISA Republication of Hitachi Energy PSIRT 8DBD000238 advisory</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Hitachi Energy is aware of a Jasper Report vulnerability that affects the Ellipse product versions mentioned in this document below. This vulnerability can be exploited to carry out remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.
The following versions of Hitachi Energy Ellipse are affected:
Ellipse vers:Ellipse/<=9.0.50 (CVE-2025-10492)
CVSS
Vendor
Equipment
Vulnerabilities




v3 9.8
Hitachi Energy
Hitachi Energy Ellipse
Deserialization of Untrusted Data




Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland
Vulnerabilities
Expand All +
CVE-2025-10492
A vulnerability exists in Jasper Report third party component that is used for creating custom reports in Ellipse product. A Java deserialization vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
View CVE Details
Affected Products
Hitachi Energy Ellipse
Vendor:
Hitachi Energy
Product Version:
Ellipse versions 9.0.50 and prior
Product Status:
known_affected
Remediations
Mitigation
Since the vulnerability exists in Jasper Report component that is external to Ellipse application, restrict the loading of external custom reports created by end users by allowing only trusted Jasper reports generated by the system administrator.
Relevant CWE: CWE-502 Deserialization of Untrusted Data
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H








Acknowledgments
Hitachi Energy PSIRT reported this vulnerability to CISA.
Notice
The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.
Support
For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.
General Mitigation Factors
Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000238 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.
Revision History
Initial Release Date: 2026-02-24
Date
Revision
Summary




2026-02-24
1
Initial public release


2026-04-02
2
Initial CISA Republication of Hitachi Energy PSIRT 8DBD000238 advisory




Legal Notice and Terms of Use

Hitachi Energy Ellipse

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-092-01.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely: - SICAM A8000 Device firmware - CPCI85 for CP-8031/CP-8050 - SICORE for CP-8010/CP-8012 - RTUM85 for CP-8010/CP-8012 - SICAM EGS Device firmware - CPCI85 - SICAM S8000 - SICORE - RTUM85 Siemens has released new versions for the affected products and recommends to update to the latest versions.</strong></p>
<p>The following versions of Siemens SICAM 8 Products are affected:</p>
<ul>
<li>CPCI85 Central Processing/Communication vers:intdot/&lt;26.10 (CVE-2026-27663, CVE-2026-27664)</li>
<li>RTUM85&nbsp;RTU Base vers:intdot/&lt;26.10 (CVE-2026-27663)</li>
<li>SICORE Base system vers:intdot/&lt;26.10.0 (CVE-2026-27664)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 7.5</td>
<td>Siemens</td>
<td>Siemens SICAM 8 Products</td>
<td>Allocation of Resources Without Limits or Throttling, Out-of-bounds Write</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Critical Manufacturing</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>Germany</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2026-27663</a></h3>
<div class="csaf-accordion-content">
<p>The affected application contains denial-of-service (DoS) vulnerability. The remote operation mode is susceptible to a resource exhaustion condition when subjected to a high volume of requests. Sending multiple requests can exhaust resources, preventing parameterization and requiring a reset or reboot to restore functionality.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2026-27663">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>Siemens SICAM 8 Products</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>Siemens</div>
<div class="ics-version"><strong>Product Version:</strong><br>CPCI85 Central Processing/Communication, RTUM85&nbsp;RTU Base</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Vendor fix</strong><br>Update to V26.10 or later version The firmware RTUM85 V26.10 is present within “CP-8010/CP-8012 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109972894/ and also within “SICAM S8000 Package” V26.10 https://support.industry.siemens.com/cs/document/109818240</p>
<p><strong>Vendor fix</strong><br>Update to V26.10 or later version The firmware CPCI85 V26.10 is present within “CP-8031/CP-8050 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109804985/ and also within “SICAM EGS Package” V26.10 https://support.industry.siemens.com/cs/document/109972536/</p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/770.html">CWE-770 Allocation of Resources Without Limits or Throttling</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>6.5</td>
<td>MEDIUM</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H">CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2026-27664</a></h3>
<div class="csaf-accordion-content">
<p>The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2026-27664">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>Siemens SICAM 8 Products</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>Siemens</div>
<div class="ics-version"><strong>Product Version:</strong><br>CPCI85 Central Processing/Communication, SICORE Base system</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Vendor fix</strong><br>Update to V26.10 or later version The firmware CPCI85 V26.10 is present within “CP-8031/CP-8050 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109804985/ and also within “SICAM EGS Package” V26.10 https://support.industry.siemens.com/cs/document/109972536/</p>
<p><strong>Vendor fix</strong><br>Update to V26.10.0 or later version The firmware SICORE V26.10.0 is present within “CP-8010/CP-8012 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109972894/ and also within “SICAM S8000 Package” V26.10 https://support.industry.siemens.com/cs/document/109818240</p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/787.html">CWE-787 Out-of-bounds Write</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>7.5</td>
<td>HIGH</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>T. Weber, S. Dietz, D. Blagojevic, and F. Koroknai of CyberDanube coordinated disclosure of CVE-2026-27663</li>
<li>S. Dietz of CyberDanube and VERBUND Digital Power coordinated disclosure of CVE-2026-27664</li>
<li>S. Dietz of Siemens ProductCERT reported these vulnerabilities to CISA.</li>
</ul>
<hr>
<h2>General Recommendations</h2>
<p>Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity</p>
<hr>
<h2>Additional Resources</h2>
<p>For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories</p>
<hr>
<h2>Terms of Use</h2>
<p>The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.</p>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolate them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<hr>
<h2>Advisory Conversion Disclaimer</h2>
<p>This ICSA is a verbatim republication of Siemens ProductCERT SSA-246443 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.</p>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-03-26</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-03-26</td>
<td>1</td>
<td>Publication Date</td>
</tr>
<tr>
<td>2026-04-02</td>
<td>2</td>
<td>Initial CISA Republication of Siemens ProductCERT SSA-246443 advisory</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely: - SICAM A8000 Device firmware - CPCI85 for CP-8031/CP-8050 - SICORE for CP-8010/CP-8012 - RTUM85 for CP-8010/CP-8012 - SICAM EGS Device firmware - CPCI85 - SICAM S8000 - SICORE - RTUM85 Siemens has released new versions for the affected products and recommends to update to the latest versions.
The following versions of Siemens SICAM 8 Products are affected:
CPCI85 Central Processing/Communication vers:intdot/<26.10 (CVE-2026-27663, CVE-2026-27664)
RTUM85 RTU Base vers:intdot/<26.10 (CVE-2026-27663)
SICORE Base system vers:intdot/<26.10.0 (CVE-2026-27664)
CVSS
Vendor
Equipment
Vulnerabilities




v3 7.5
Siemens
Siemens SICAM 8 Products
Allocation of Resources Without Limits or Throttling, Out-of-bounds Write




Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Vulnerabilities
Expand All +
CVE-2026-27663
The affected application contains denial-of-service (DoS) vulnerability. The remote operation mode is susceptible to a resource exhaustion condition when subjected to a high volume of requests. Sending multiple requests can exhaust resources, preventing parameterization and requiring a reset or reboot to restore functionality.
View CVE Details
Affected Products
Siemens SICAM 8 Products
Vendor:
Siemens
Product Version:
CPCI85 Central Processing/Communication, RTUM85 RTU Base
Product Status:
known_affected
Remediations
Vendor fix
Update to V26.10 or later version The firmware RTUM85 V26.10 is present within “CP-8010/CP-8012 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109972894/ and also within “SICAM S8000 Package” V26.10 https://support.industry.siemens.com/cs/document/109818240
Vendor fix
Update to V26.10 or later version The firmware CPCI85 V26.10 is present within “CP-8031/CP-8050 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109804985/ and also within “SICAM EGS Package” V26.10 https://support.industry.siemens.com/cs/document/109972536/
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
6.5
MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H







CVE-2026-27664
The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.
View CVE Details
Affected Products
Siemens SICAM 8 Products
Vendor:
Siemens
Product Version:
CPCI85 Central Processing/Communication, SICORE Base system
Product Status:
known_affected
Remediations
Vendor fix
Update to V26.10 or later version The firmware CPCI85 V26.10 is present within “CP-8031/CP-8050 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109804985/ and also within “SICAM EGS Package” V26.10 https://support.industry.siemens.com/cs/document/109972536/
Vendor fix
Update to V26.10.0 or later version The firmware SICORE V26.10.0 is present within “CP-8010/CP-8012 Package” V26.10 https://support.industry.siemens.com/cs/ww/en/view/109972894/ and also within “SICAM S8000 Package” V26.10 https://support.industry.siemens.com/cs/document/109818240
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H








Acknowledgments
T. Weber, S. Dietz, D. Blagojevic, and F. Koroknai of CyberDanube coordinated disclosure of CVE-2026-27663
S. Dietz of CyberDanube and VERBUND Digital Power coordinated disclosure of CVE-2026-27664
S. Dietz of Siemens ProductCERT reported these vulnerabilities to CISA.
General Recommendations
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-246443 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.
Revision History
Initial Release Date: 2026-03-26
Date
Revision
Summary




2026-03-26
1
Publication Date


2026-04-02
2
Initial CISA Republication of Siemens ProductCERT SSA-246443 advisory




Legal Notice and Terms of Use

Siemens SICAM 8 Products

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-092-02.json"><strong>View CSAF</strong></a></p>
<h2>Summary</h2>
<p><strong>Successful exploitation of this vulnerability could allow an attacker to login as the PROG user and modify permissions.</strong></p>
<p>The following versions of Yokogawa CENTUM VP are affected:</p>
<ul>
<li>CENTUM VP &gt;=R5.01.00|</li>
<li>CENTUM VP &gt;=R6.01.00|</li>
<li>CENTUM VP vR7.01.00 (CVE-2025-7741)</li>
</ul>
<div class="csaf-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS</th>
<th role="columnheader">Vendor</th>
<th role="columnheader">Equipment</th>
<th role="columnheader">Vulnerabilities</th>
</tr>
</thead>
<tbody>
<tr>
<td>v3 4</td>
<td>Yokogawa</td>
<td>Yokogawa CENTUM VP</td>
<td>Use of Hard-coded Password</td>
</tr>
</tbody>
</table>
</div>
<h3>Background</h3>
<ul>
<li><strong>Critical Infrastructure Sectors: </strong>Critical Manufacturing, Energy, Food and Agriculture</li>
<li><strong>Countries/Areas Deployed: </strong>Worldwide</li>
<li><strong>Company Headquarters Location: </strong>Japan</li>
</ul>
<hr>
<h2>Vulnerabilities</h2>
<div class="csaf-accordion">
<p><a class="csaf-accordion-toggle-all" href="#">Expand All +</a></p>
<div class="csaf-accordion-item">
<h3><a class="csaf-accordion-toggle" href="#">CVE-2025-7741</a></h3>
<div class="csaf-accordion-content">
<p>Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the following conditions, there is a risk that an attacker could log in as the PROG user. The default permission for the PROG users is S1 permission (equivalent to OFFUSER). Therefore, for properly permission-controlled targets of operation and monitoring, even if an attacker logs in as the PROG user, the risk of critical operations or configuration changes being performed is considered low. If the PROG user's permissions have been changed for any reason, there is a risk that operations or configuration changes may be performed under the modified permissions. Additionally, exploiting this vulnerability requires an attacker to already have access to the HIS screen controls.</p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2025-7741">View CVE Details</a></p>
<hr>
<h4>Affected Products</h4>
<h5>Yokogawa CENTUM VP</h5>
<div class="ics-vendor-version-status">
<div class="ics-vendor"><strong>Vendor:</strong><br>Yokogawa</div>
<div class="ics-version"><strong>Product Version:</strong><br>Yokogawa CENTUM VP: &gt;=R5.01.00|&lt;R5.04.20, Yokogawa CENTUM VP: &gt;=R6.01.00|&lt;R6.12.00, Yokogawa CENTUM VP: vR7.01.00</div>
<div class="ics-status"><strong>Product Status:</strong><br>known_affected</div>
</div>
<div class="ics-remediations">
<h6>Remediations</h6>
<p><strong>Mitigation</strong><br>Yokogawa recommends users applying the following mitigations to affected versions:</p>
<p><strong>Vendor fix</strong><br>CENTUM VP R5.01.00 to R5.04.20: Change the user authentication mode to Windows Authentication Mode.</p>
<p><strong>Vendor fix</strong><br>CENTUM VP R6.01.00 to R6.12.00: Change the user authentication mode to Windows Authentication Mode.</p>
<p><strong>Vendor fix</strong><br>CENTUM VP R7.01.00: Apply patch software R7.01.10.</p>
<p><strong>Mitigation</strong><br>NOTE:Changing to Windows Authentication Mode requires engineering work. If users wish to make this change, please contact Yokogawa directly https://contact.yokogawa.com/cs/gw?c-id=000498.<br><a href="https://contact.yokogawa.com/cs/gw?c-id=000498">https://contact.yokogawa.com/cs/gw?c-id=000498</a></p>
<p><strong>Mitigation</strong><br>For more information and details on implementing these mitigations, users should see the Yokogawa advisory YSAR-26-0003 at https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf<br><a href="https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf">https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf</a></p>
</div>
<p><strong>Relevant CWE:</strong> <a href="https://cwe.mitre.org/data/definitions/259.html">CWE-259 Use of Hard-coded Password</a></p>
<hr>
<h4>Metrics</h4>
<div class="csaf-table csaf-metrics-table">
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">CVSS Version</th>
<th role="columnheader">Base Score</th>
<th role="columnheader">Base Severity</th>
<th role="columnheader">Vector String</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>4</td>
<td>MEDIUM</td>
<td><a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N</a></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<hr>
<h2>Acknowledgments</h2>
<ul>
<li>Yokogawa reported this vulnerability to CISA</li>
</ul>
<hr>
<h2>Legal Notice and Terms of Use</h2>
<p>This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy &amp; Use policy (https://www.cisa.gov/privacy-policy).</p>
<hr>
<h2>Recommended Practices</h2>
<p>CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.</p>
<p>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.</p>
<p>Locate control system networks and remote devices behind firewalls and isolating them from business networks.</p>
<p>When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.</p>
<p>CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.</p>
<p>CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.</p>
<p>CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.</p>
<p>Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.</p>
<p>Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.</p>
<p>CISA also recommends users take the following measures to protect themselves from social engineering attacks:</p>
<p>Do not click web links or open attachments in unsolicited email messages.</p>
<p>Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.</p>
<p>Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.</p>
<p>No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.</p>
<hr>
<h2>Revision History</h2>
<ul>
<li><strong>Initial Release Date: </strong>2026-04-02</li>
</ul>
<table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
<thead>
<tr>
<th role="columnheader" data-tablesaw-priority="persist">Date</th>
<th role="columnheader">Revision</th>
<th role="columnheader">Summary</th>
</tr>
</thead>
<tbody>
<tr>
<td>2026-04-02</td>
<td>1</td>
<td>Initial Republication of YSAR-26-0003</td>
</tr>
</tbody>
</table>
<hr>
<h2>Legal Notice and Terms of Use</h2>


View CSAF
Summary
Successful exploitation of this vulnerability could allow an attacker to login as the PROG user and modify permissions.
The following versions of Yokogawa CENTUM VP are affected:
CENTUM VP >=R5.01.00|
CENTUM VP >=R6.01.00|
CENTUM VP vR7.01.00 (CVE-2025-7741)
CVSS
Vendor
Equipment
Vulnerabilities




v3 4
Yokogawa
Yokogawa CENTUM VP
Use of Hard-coded Password




Background
Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan
Vulnerabilities
Expand All +
CVE-2025-7741
Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the following conditions, there is a risk that an attacker could log in as the PROG user. The default permission for the PROG users is S1 permission (equivalent to OFFUSER). Therefore, for properly permission-controlled targets of operation and monitoring, even if an attacker logs in as the PROG user, the risk of critical operations or configuration changes being performed is considered low. If the PROG user's permissions have been changed for any reason, there is a risk that operations or configuration changes may be performed under the modified permissions. Additionally, exploiting this vulnerability requires an attacker to already have access to the HIS screen controls.
View CVE Details
Affected Products
Yokogawa CENTUM VP
Vendor:
Yokogawa
Product Version:
Yokogawa CENTUM VP: >=R5.01.00|<R5.04.20, Yokogawa CENTUM VP: >=R6.01.00|<R6.12.00, Yokogawa CENTUM VP: vR7.01.00
Product Status:
known_affected
Remediations
Mitigation
Yokogawa recommends users applying the following mitigations to affected versions:
Vendor fix
CENTUM VP R5.01.00 to R5.04.20: Change the user authentication mode to Windows Authentication Mode.
Vendor fix
CENTUM VP R6.01.00 to R6.12.00: Change the user authentication mode to Windows Authentication Mode.
Vendor fix
CENTUM VP R7.01.00: Apply patch software R7.01.10.
Mitigation
NOTE:Changing to Windows Authentication Mode requires engineering work. If users wish to make this change, please contact Yokogawa directly https://contact.yokogawa.com/cs/gw?c-id=000498.
https://contact.yokogawa.com/cs/gw?c-id=000498
Mitigation
For more information and details on implementing these mitigations, users should see the Yokogawa advisory YSAR-26-0003 at https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf
https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf
Relevant CWE: CWE-259 Use of Hard-coded Password
Metrics
CVSS Version
Base Score
Base Severity
Vector String




3.1
4
MEDIUM
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N








Acknowledgments
Yokogawa reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.
Revision History
Initial Release Date: 2026-04-02
Date
Revision
Summary




2026-04-02
1
Initial Republication of YSAR-26-0003




Legal Notice and Terms of Use

Yokogawa CENTUM VP

A&nbsp;financially motivated operation&nbsp;codenamed REF1695&nbsp;has been&nbsp;observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November&nbsp;2023.
"Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic

A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.
"Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic

Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners

In December&nbsp;2025, we shared the first-ever The State of Trusted Open&nbsp;Source report, featuring insights from our product data and customer base on open source consumption across our catalog of container image projects, versions, images, language libraries, and builds. These&nbsp;insights shed light on what teams pull, deploy, and maintain day to day, alongside the vulnerabilities and

In December 2025, we shared the first-ever The State of Trusted Open Source report, featuring insights from our product data and customer base on open source consumption across our catalog of container image projects, versions, images, language libraries, and builds. These insights shed light on what teams pull, deploy, and maintain day to day, alongside the vulnerabilities and

The State of Trusted Open Source Report

Meta-owned messaging platform WhatsApp said it alerted about 200 users who were tricked into installing a bogus version of its iOS app that was infected with&nbsp;spyware.
According to reports from Italian&nbsp;newspaper La Repubblica and news&nbsp;agency ANSA, the vast majority of the targets are located in Italy. It's assessed that the threat actors behind the activity used social engineering

Meta-owned messaging platform WhatsApp said it alerted about 200 users who were tricked into installing a bogus version of its iOS app that was infected with spyware.
According to reports from Italian newspaper La Repubblica and news agency ANSA, the vast majority of the targets are located in Italy. It's assessed that the threat actors behind the activity used social engineering

WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action

Apple&nbsp;on&nbsp;Wednesday expanded the availability of iOS 18.7.7&nbsp;and iPadOS 18.7.7&nbsp;to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known&nbsp;as DarkSword.
"We enabled the availability of iOS 18.7.7&nbsp;for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security

Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword.
"We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security

Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit

A chief medical information officer describes what hospitals face when they inevitably suffer a ransomware attack—whether it leads to short- or long-term outages.

Ransomware Will Hit Hospitals. Rehearsals Are Key to Defense

A newly released study exclusively shared with Dark Reading details the unique circumstances that make up Latin America's labor pool, and why organizations may want to expand their talent search.

LatAm's Self-Taught Cyber Talent Overlooked Amid Cyberattack Glut

Cyber threats across Latin America are increasingly targeting government systems, from disruptive attacks in Puerto Rico to a surge of probes against Colombia’s health sector.

Cyberattacks Intensify Pressure on Latin American Governments

The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE.
As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

A new service on the cybercrime market provides automated capabilities to create persistent information-stealing social engineering attacks.

Venom Stealer MaaS Platform Commoditizes ClickFix Attacks

Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.
The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It's currently not known what lures the threat actors use to trick users into

Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass

There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn&rsquo;t build. It doesn&rsquo;t enable. Its entire function is to say "No."
No to ChatGPT.
No to DeepSeek.
No to the file-sharing tool the product team swears by.
For years, this looked like security. But in 2026, "Doctor No" is no longer just a management headache &

There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn’t build. It doesn’t enable. Its entire function is to say "No."
No to ChatGPT.
No to DeepSeek.
No to the file-sharing tool the product team swears by.
For years, this looked like security. But in 2026, "Doctor No" is no longer just a management headache &

Block the Prompt, Not the Work: The End of "Doctor No"

A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) via another malware called Horabot.
The activity has been attributed to a Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in

Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures

<p>CISA has added one new vulnerability to its<a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog"> Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-5281" target="_blank">CVE-2026-5281</a> Google Dawn Use-After-Free Vulnerability</li>
</ul>
<p>This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.</p>
<p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a> established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the <a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a> for more information.</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog">KEV Catalog vulnerabilities</a> as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the <a href="https://www.cisa.gov/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities">specified criteria</a>.&nbsp;</p>


CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-5281 Google Dawn Use-After-Free Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.
The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.
"Use-after-free in Dawn in Google Chrome prior

New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released

For years, cybersecurity has followed a familiar model: block malware, stop the attack. Now, attackers are moving on to what’s next.
Threat actors now use malware less frequently in favor of what’s already inside your environment, including abusing trusted tools, native binaries, and legitimate admin utilities to move laterally, escalate privileges, and persist without raising alarms. Most

3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)

Ask the Expert: Cybersecurity teams need to expand their field of view to include new, unique threat sources, rather than relying on past, proven threat actors.

Are We Training AI Too Late?

Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069.
"We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.
"North Korean

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error.
"No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement shared with CNBC News. "This was a release packaging issue caused by human error, not a security

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

Technology Talk: That forgotten notebook holds plenty of secrets to enterprise access.

The Forgotten Endpoint: Security Risks of Dormant Devices

The NPM package for Axios, a popular JavaScript HTTP client library, was briefly compromised this week, possibly by North Korean threat actors.

Axios NPM Package Compromised in Precision Attack

Palo Alto Networks researchers show how attackers could exploit AI agents on Google's Vertex AI to steal data and break into restricted cloud infrastructure.

Google's Vertex AI Is Over-Privileged. That's a Problem

The threat group's shift to speedy attacks on AWS, Azure, and SaaS instances shows organizations need to respond quickly to compromised credentials.

Blog