View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json

Summary

Successful exploitation of this vulnerability could allow an attacker to send a specially crafted file, and when parsed, could result in a denial-of-service condition.

The following versions of Grassroots DICOM (GDCM) are affected:

- Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650)

CVSS | Vendor | Equipment | Vulnerabilities
v3 7.5 | Grassroots | Grassroots DICOM (GDCM) | Missing Release of Memory after Effective Lifetime

Background

- Critical Infrastructure Sectors: Healthcare and Public Health
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-3650

A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in the file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-3650

Affected Products

Grassroots DICOM (GDCM)
Vendor: Grassroots
Product Version: Grassroots Grassroots DICOM (GDCM): 3.2.2
Product Status: known_affected

Remediations

Mitigation: The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information, refer to the software page on SourceForge.

Mitigation: https://sourceforge.net/projects/gdcm/

Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime (https://cwe.mitre.org/data/definitions/401.html)
Security & IT News
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Overview

On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory. The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on. Per the advisory, organizations can determine whether they have an appliance configured with a SAML IDP Profile by inspecting their NetScaler configuration for the string: add authentication samlIdPProfile .*

CVE-2026-3055 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. The advisory notes that only customer-managed instances are affected, not cloud instances managed by Citrix.

As of the advisory's publication, there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available. According to Citrix, the vulnerability was identified internally via security review. However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public. Therefore, it is crucial that customers running affected Citrix systems remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous "CitrixBleed" vulnerability, CVE-2023-4966, in 2023.

Mitigation guidance

Organizations running affected on-premises instances of NetScaler ADC and NetScaler Gateway should prioritize upgrading to fixed versions on an emergency basis to remediate CVE-2026-3055.

Affected components:

- NetScaler ADC and NetScaler Gateway versions 14.1, fixed in 14.1-66.59.
- NetScaler ADC and NetScaler Gateway versions 13.1, fixed in 13.1-62.23.
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP, fixed in 13.1-37.262 (also referred to as 13.1.37.262 in the vendor advisory).

Please read the vendor advisory (CTX696300) for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-3055 on Citrix NetScaler ADC with an authenticated vulnerability check expected to be available in the March 24 content release.

Updates

March 23, 2026: Initial publication.
♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100 ♫

This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder's getImage.php file and another targeting FreePBX. Leading the enhancements is a granularization of LDAP queries that allows omitting SACL data from security-descriptor queries; without the proper permissions, the entire security-descriptor query fails if the SACL is even part of it.

New module content (2)

AVideo Encoder getImage.php Unauthenticated Command Injection
- Authors: Valentin Lobstein and arkmarta
- Type: Exploit
- Pull request: #21076 contributed by Chocapikk
- Path: linux/http/avideo_encoder_getimage_cmd_injection
- AttackerKB reference: CVE-2026-29058
- Description: Adds an exploit module for CVE-2026-29058, an unauthenticated OS command injection in AVideo Encoder's getImage.php endpoint.

FreePBX filestore authenticated command injection
- Authors: Cory Billington and Valentin Lobstein
- Type: Exploit
- Pull request: #20719 contributed by Chocapikk
- Path: unix/http/freepbx_filestore_cmd_injection
- AttackerKB reference: CVE-2025-64328
- Description: Adds a new Metasploit exploit module for FreePBX filestore authenticated command injection (CVE-2025-64328) with automatic vulnerable-version detection and full documentation, and renames the XorcomCompletePbx HTTP mixin to CompletePBX, updating affected modules accordingly.

Enhancements and features (2)

- #20730 from zeroSteiner - This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL causes the entire query to be blocked, and no security descriptors are returned.
- #20997 from Nayeraneru - This adds a new OptTimedelta datastore option type. It enables module authors to specify a time duration and users to set it with a human-friendly syntax.

Bugs fixed (7)

- #20960 from g0tmi1k - This adds a DHCPINTERFACE option to the DHCP server mixin, allowing modules that start that server to specify a particular interface to bind to.
- #21020 from g0tmi1k - This makes a small change to the docs by removing two lines that were previously duplicated.
- #21024 from Aaditya1273 - Fixes a bug in the JSON-RPC msfrpcd functionality that incorrectly required SSL certificates to be present even when SSL was disabled with msfrpcd -S.
- #21025 from Hemang360 - Fixes a crash when calling the HTTP cookie jar with non-string values.
- #21028 from SilentSobs - Fixes a crash when using the reload_all command while no module is present.
- #21081 from Hemang360 - Fixes a crash when using windows/exec with non-ASCII characters.
- #21139 from jheysel-r7 -
Security leaders rarely struggle to produce data. The challenge is turning that data into something the board can use to make decisions. Walk into a board meeting with a slide showing 1,200 critical vulnerabilities and 44 internet-facing assets, and you will likely see polite acknowledgment rather than meaningful discussion. The question that follows tends to cut through quickly: what does this mean for the business?

Boards allocate capital based on financial exposure, not vulnerability counts. A list of findings describes workload, but directors are responsible for revenue protection, liability, and risk to the balance sheet. When security reporting remains technical, it sits outside the way investment decisions are made elsewhere in the organization. The issue is less about communication and more about framing the problem in terms the business already understands.

From severity to risk

CVSS measures theoretical severity, but it does not measure business risk. A high score indicates that a flaw could be dangerous, yet it does not tell you whether the vulnerability is reachable in your environment, whether exploit code exists, or whether it is likely to affect revenue in the near term. It answers a useful engineering question, but it does not answer the question the board is asking. That question is about likelihood and impact. Most enterprise risk frameworks define risk in those terms, and that is how financial decisions are made.

The gap becomes clear when two vulnerabilities appear similar on a dashboard but carry very different consequences. A high-CVSS issue on a segmented lab system may present little business risk, while a moderately severe vulnerability on an internet-facing production system with active exploit activity can expose regulated data and revenue streams. What is often missing in that comparison is threat context.

Understanding how attackers behave, which vulnerabilities they are exploiting, and where access paths actually exist changes how risk is interpreted. Active Risk in InsightVM brings those elements together by combining exploit telemetry, attacker behavior, and asset context to estimate the likelihood that a vulnerability will be used. When that likelihood is paired with business impact, the conversation shifts toward exposure rather than severity.

From CVSS scores to financial exposure

Prioritization alone does not translate into board-level decisions. Knowing what is most likely to be exploited is necessary, but it is not sufficient when the goal is to justify investment. FAIR provides a way to bridge that gap. The model defines risk as a combination of how often a loss event is likely to occur and how much that event would cost. In practical terms:

Annualized Loss Exposure (ALE) = Loss Event Frequency × Probable Loss Magnitude

Active Risk informs the likelihood side of that equation by grounding it in observed attacker behavior and exploit activity. FAIR converts that likelihood into financial terms, allowing secur
CISA and the Federal Bureau of Investigation released a Public Service Announcement (PSA) (https://www.ic3.gov/PSA/2026/PSA260320) warning about ongoing phishing campaigns by cyber actors associated with the Russian Intelligence Services targeting commercial messaging applications (CMAs). These campaigns aim to bypass encryption to compromise individual user accounts, with targets including current and former U.S. government officials, military personnel, political figures, and journalists.

Evidence shows that cyber actors have been able to compromise individual CMA accounts, but not the encryption of the applications themselves. The actors' global campaigns have resulted in unauthorized access to thousands of individual CMA accounts to view the victims' messages and contact lists, send messages, and conduct additional phishing against other CMA accounts.

CISA and FBI urge CMA users to review the PSA, follow recommended cybersecurity practices, and remain vigilant for suspicious activity.
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2025-31277 Apple Multiple Products Buffer Overflow Vulnerability (https://www.cve.org/CVERecord?id=CVE-2025-31277)
- CVE-2025-32432 Craft CMS Code Injection Vulnerability (https://www.cve.org/CVERecord?id=CVE-2025-32432)
- CVE-2025-43510 Apple Multiple Products Improper Locking Vulnerability (https://www.cve.org/CVERecord?id=CVE-2025-43510)
- CVE-2025-43520 Apple Multiple Products Classic Buffer Overflow Vulnerability (https://www.cve.org/CVERecord?id=CVE-2025-43520)
- CVE-2025-54068 Laravel Livewire Code Injection Vulnerability (https://www.cve.org/CVERecord?id=CVE-2025-54068)

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).
Yesterday, I discovered a malicious Bash script that installs a GSocket backdoor on the victim's computer. I don't know the source of the script nor how it is delivered to the victim. GSocket[1] is a networking tool, but also a relay infrastructure, that enables direct, peer-to-peer style communication between systems using a shared secret instead of IP addresses or open ports. It works by having both sides connect outbound to a global relay network. Tools like gs-netcat can provide remote shells, file transfer, or tunneling and bypass classic security controls. The script that I found uses a copy of gs-netcat, but the way it implements persistence and anti-forensic techniques deserves a review.

A few weeks ago, I found a sample that used GSocket connectivity as a C2 channel. That made me curious, and I started to hunt for more samples. Bingo! The new one that I found (SHA256: 6ce69f0a0db6c5e1479d2b05fb361846957f5ad8170f5e43c7d66928a43f3286[2]) has been detected by only 17 antivirus solutions on VT. The script is not obfuscated and even has comments, so I think that it was uploaded to VT for testing purposes by the developer (just a guess). Let's have a look at the techniques used. When you execute it in a sandbox, you see this:

Note the identification of the tool ("G-Socket Bypass Stealth") and the reference to @bboscat[3]. A GSocket client is downloaded, started, and is talking to the following IP:

The malware implements persistence through different well-known techniques on Linux. First, a cron job is created:

At the top of every hour, the disguised gs-netcat will be killed (if running) and restarted. To improve persistence, the same code is added to the victim's .profile:

The malware itself is copied to .ssh/putty and the GSocket shared secret is stored in a fake SSH key file:

The ELF file id_rsa (SHA256: d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) is the gs-netcat tool downloaded directly from the G-Socket CDN.

Ok, let's have a look at an interesting anti-forensic technique implemented in the Bash script. File operations are not simply performed using classic commands like cp, rm, mv, etc. They are embedded in helper functions with a timestamp tracking/restoration system so the malware can later hide filesystem changes. Here is an example with a function that will create a file (the excerpt below is cut off where the original post was truncated):

    mk_file() {
        local fn
        local oldest
        local pdir
        local pdir_added
        fn="$1"
        local exists
        # DEBUGF "${CC}MK_FILE($fn)${CN}"
        pdir="$(dirname "$fn")"
        [[ -e "$fn" ]] && exists=1
        ts_is_marked "$pdir" || {
            # HERE: Parent not tracked
            _ts_add "$pdir" NOT BY XMKDIR
            pdir_added=1
        }
        ts_is_marked "$fn" || {
            # HERE: Not yet tracked
            _ts_get_ts "$fn"
            # Do not add creation fails.
            touch "$fn" 2>/dev/null || {
                # HERE: Permission denied
                [[ -n "$pdir_added" ]] && {
                    # Remove pdir if it was added above
                    # Bash 5.0 does not support arr[-1]
                    # Quote ( ) to silence shellcheck
                    unset "_ts_ts_a[${#_ts_ts_a[@]}-1]"
                    unset "_ts_fn_a[${#_ts_fn_a[@]}-1]"
                    unset "_ts_mkdir_fn_a[${#_ts_mkdir_fn_a[@]}-1]"
                }
                return 69 # False
            }
            [[
Earlier this year, we made a significant announcement: Rapid7 partnered with ARMO to add AI-powered cloud application detection and response (CADR), or cloud runtime security, to our cloud security portfolio. At the time, I published a blog highlighting this two-part approach for modern cloud security that combines preemptive exposure management (understanding the threats that could exist) with proactive runtime security (detecting the threats that are happening). Today, we are thrilled to announce that this vision is fully realized and integrated with Rapid7 Exposure Command. For our customers, this milestone represents our ability to deliver on the promise of a complete Cloud-Native Application Protection Platform (CNAPP) that helps security teams preemptively identify and proactively thwart attacks.

Exploring the possibilities of this unified CNAPP

At Rapid7, we believe that a CNAPP is unified if it operates from a single, objective source of truth. By integrating cloud runtime security directly into Exposure Command, we are seamlessly merging the preemptive (posture, configurations, identities, and vulnerabilities) with the proactive (runtime behavior and active threats). The table below summarizes this enhancement:

                | Today's Rapid7 Cloud Security solution                          | What cloud runtime adds
Primary Focus   | Prevention, risk reduction, and preemptive response             | Real-time exposure detection and proactive response
Core Question   | "What is vulnerable and could be attacked?"                     | "Is an attacker exploiting our environment now?"
Lifecycle Stage | Pre-deployment, continuous scanning, or periodic intervals      | Continuous monitoring of live (in-production) workloads
What It Finds   | Misconfigurations, exposed secrets, software CVEs, missing patches | Active exploits, lateral movement, unauthorized process execution, SQL injection

The true power of this unified architecture is best understood through the lens of a security practitioner's daily battle against cloud threats. The previous blog post discussed this in theory; let's use this blog to talk about the reality.

The baseline

Exposure Command continuously scans and assesses your cloud posture to identify whether a container exposure exists in a production cluster. Traditional scanners would stop here, leaving you to prioritize this vulnerability against others. In Exposure Command, this detection is not just part of a static score; instead, it is part of an attack path. Our preemptive security platform tells you, for instance, whether this specific container has internet access and an over-privileged IAM role, making it highly reachable and exploitable. This means that you are not just looking at a CVE; you are looking at the potential blueprint behind a major breach.

The proactive validation

This is where cloud runtime security turns theory into reality. Instead of treating the vulnerability as just a potential risk, the platform utilizes eBPF sensors to provide continuous, direct kernel-level observability and application
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json

Summary

Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications.

The following versions of Automated Logic WebCTRL Premium Server are affected:

- WebCTRL Premium Server

CVSS | Vendor | Equipment | Vulnerabilities
v3 9.1 | Automated Logic | Automated Logic WebCTRL Premium Server | Multiple Binds to the Same Port, Authentication Bypass by Spoofing, Cleartext Transmission of Sensitive Information

Background

- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-25086

Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-25086

Affected Products

Automated Logic WebCTRL Premium Server
Vendor: Automated Logic
Product Version: Automated Logic WebCTRL Premium Server: <v8.5
Product Status: known_affected

Remediations

Mitigation: Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.

Mitigation: For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-02.json

Summary

Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack, which could result in an account takeover scenario or the execution of code in the user's browser.

The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected:

- Modicon M241 versions prior to 5.4.13.12 (Modicon_Controller_M241)
- Modicon M251 versions prior to 5.4.13.12 (Modicon_Controller_M251)
- Modicon Controllers M258 all firmware versions (Modicon_Controllers_M258)
- Modicon Controllers LMC058 all firmware versions (Modicon_Controllers_LMC058)

CVSS | Vendor | Equipment | Vulnerabilities
v3 5.4 | Schneider Electric | Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background

- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities

CVE-2025-13902

A CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a condition where authenticated attackers can have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-13902

Affected Products

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058
Vendor: Schneider Electric
Product Version: Schneider Electric Modicon M241 versions prior to 5.4.13.12: Modicon_Controller_M241, Schneider Electric Modicon M251 versions prior to 5.4.13.12: Modicon_Controller_M251, Schneider Electric Modicon Controllers M258 all firmware versions: Modicon_Controllers_M258, Schneider Electric Modicon Controllers LMC058 all firmware versions: Modicon_Controllers_LMC058
Product Status: known_affected
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json

Summary

Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

The following versions of CTEK Chargeportal are affected:

- Chargeportal vers:all/*

CVSS | Vendor | Equipment | Vulnerabilities
v3 9.4 | CTEK | CTEK Chargeportal | Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

- Critical Infrastructure Sectors: Energy, Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Sweden

Vulnerabilities

CVE-2026-25192

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-25192

Affected Products

CTEK Chargeportal
Vendor: CTEK
Product Version: CTEK Chargeportal: vers:all/*
Product Status: known_affected

Remediations

Mitigation: CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information: https://www.ctek.com/support

Relevant CWE: CWE-306 Missing Authentication for Critical Function (https://cwe.mitre.org/data/definitions/306.html)
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-07.json

Summary

Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

The following versions of IGL-Technologies eParking.fi are affected:

- eParking.fi vers:all/*

CVSS | Vendor | Equipment | Vulnerabilities
v3 9.4 | IGL-Technologies | IGL-Technologies eParking.fi | Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

- Critical Infrastructure Sectors: Energy, Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Finland

Vulnerabilities

CVE-2026-29796

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-29796

Affected Products

IGL-Technologies eParking.fi
Vendor: IGL-Technologies
Product Version: IGL-Technologies eParking.fi: vers:all/*
Product Status: known_affected

Remediations

Mitigation: IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by the vulnerability. These updates implemented the following security controls:
1) Enforce modern security profiles and stronger authentication.
2) Device-level whitelisting was implemented to ensure that only authorized charging units can connect.
3) Rate-limiting controls preven
p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-05.json strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could allow a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products. /strong /p p The following versions of Mitsubishi Electric CNC Series are affected: /p ul li M800VW (BND-2051W000) <=BB /li li M800VS (BND-2052W000) <=BB /li li M80V (BND-2053W000) <=BB /li li M80VW (BND-2054W000) <=BB /li li M800W (BND-2005W000) <=FM /li li M800S (BND-2006W000) <=FM /li li M80 (BND-2007W000) <=FM /li li M80W (BND-2008W000) <=FM /li li E80 (BND-2009W000) <=FM /li li C80 (BND-2036W000) vers:all/* /li li M750VW (BND-1015W002) vers:all/* /li li M730VW (BND-1015W000) vers:all/* /li li M720VW (BND-1015W000) vers:all/* /li li M750VS (BND-1012W002) vers:all/* /li li M730VS (BND-1012W000-**) vers:all/* /li li M720VS (BND-1012W000) vers:all/* /li li M70V (BND-1018W000) vers:all/* /li li E70 (BND-1022W000) vers:all/* /li li NC Trainer2 (BND-1802W000) vers:all/* /li li NC Trainer2 plus (BND-1803W000) vers:all/* /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 5.9 /td td Mitsubishi Electric /td td Mitsubishi Electric CNC Series /td td Improper Validation of Specified Index, Position, or Offset in Input /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Critical Manufacturing /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Japan /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand 
All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2025-2399 /a /h3 div class= csaf-accordion-content p Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) vulnerability in the affected products allows a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products by sending specially crafted packets to TCP port 683. /p p a href= https://www.cve.org/CVERecord?id=CVE-2025-2399 View CVE Details /a /p hr h4 Affected Products /h4 h5 Mitsubishi Electric CNC Series /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br Mitsubishi Electric /div div class= ics-version strong Product Version: /strong br Mitsubishi Electric M800VW (BND-2051W000): <=BB, Mitsubishi Electric M800VS (BND-2052W000): <=BB, Mitsubishi Electric M80V (BND-2053W000): <=BB, Mitsubishi Electric M80VW (BND-2054W000): <=BB, Mitsubishi Electric M800W (BND-2005W000): l
The predictive window has collapsed. In 2025, high-impact vulnerabilities weren’t quietly accumulating risk. They were operationalized, often within days. Today, Rapid7 Labs released the 2026 Global Threat Landscape Report , an in-depth analysis of how attacker behavior is evolving across vulnerability exploitation, ransomware operations, identity abuse, and AI-driven tradecraft. The data shows a clear pattern: exposure is being identified and weaponized faster than most organizations are set up to defend. From disclosure to exploitation in days, not weeks In 2025, confirmed exploitation of newly disclosed CVSS 7–10 vulnerabilities increased 105% year over year, rising from 71 to 146. The median time from publication to inclusion in CISA’s Known Exploited Vulnerabilities list fell from 8.5 days to 5.0 days. At the same time, the number of high-probability vulnerabilities that remained unexploited dropped sharply. The buffer that once allowed teams to triage and schedule remediation is shrinking to the point where some severe flaws were exploited almost immediately after disclosure. The broader trend is unmistakable: vulnerability management programs built around reactive remediation cycles are struggling to keep pace with adversaries operating at machine speed. Cybercrime as a structured market Cybercrime in 2025 no longer resembles chaotic hacking. It resembles platform capitalism. The report highlights how the underground economy now mirrors legitimate SaaS ecosystems. Initial Access Brokers obtain and validate network footholds. Ransomware operators focus on encryption and extortion. Infostealer operators sell subscription-style access to fresh credential logs. This specialization lowers barriers to entry and increases scale, creating a supply chain in which access is acquired, packaged, priced, and sold to anyone who wants it. Ransomware is a good example of this business maturity. 
It was present in 42% of Rapid7 MDR investigations in 2025, leak posts increased 46.4% year over year, and the number of active groups grew from 102 to 140. That kind of growth is neither random nor coincidental: it reflects systemic change in the ransomware ecosystem, and with it growing sophistication, specialization, and, ultimately, risk. Logging in, not breaking in Authentication-based attacks remain extremely common, because authentication controls are applied inconsistently across organizations and the gaps are easy to exploit. Valid accounts without multi-factor authentication (MFA) were responsible for 43.9% of incidents that year. Rather than forcing their way past defenses, attackers increasingly authenticate with stolen credentials, hijacked sessions, or abused tokens. This is also where the rise of AI-driven attacks bites hardest: generative AI raises the maturity and sophistication of the social engineering used to obtain those credentials and sessions. As enterprises extend trust across cloud platforms, SaaS ecosystems, APIs, and remote work environments, a
Over the last few months, tools like OpenClaw have shown what tech-savvy AI users can do by setting a virtual cadre of automated agents on a task. But that individual convenience can be a DDoS-level pain for online service providers faced with a torrent of Sybil attack-style requests from thousands of such agents at once. Identity startup World thinks its "proof of human" World ID technology can provide a potential solution to this problem. Today, the company launched a beta of Agent Kit, a new way for humans to prove they are directing their AI agents and for websites to limit access to AI agents working on behalf of an actual human. If you recognize the name World, it's probably as the organization behind WorldCoin , the Sam Altman-founded cryptocurrency outfit that launched in 2023 alongside an offer to give free WorldCoin to anyone who scanned their iris in a physical "orb" . While WorldCoin still exists (at a current value well below its early 2024 peaks ), World has now pivoted to focus on World ID , which uses the same iris-scanning technology as the basis for a cryptographically secure, unique online identity token stored on your phone.
The cybersecurity channel is evolving fast. Buying behaviors are shifting and customers are rethinking how they evaluate solutions. And partners are rethinking how they deliver value at scale. In this environment, vendor partner programs can’t stay static. Most partner programs are built around what works for the vendor. We continue to choose a different path, asking our partners where we could evolve and improve. The result? Meaningful updates to the Rapid7 PACT Partner Program for 2026, carefully designed to deliver stronger economics, simpler engagement, and clearer paths to growth. Rapid7 PACT: Built with partner feedback in mind Over the past year, we had ongoing conversations with partners across our global ecosystem. Those discussions were grounded in trust, candor, and a shared ambition to win together. Partners told us where friction existed. They told us where our economics needed to be more competitive. They told us where clarity and simplicity would make it easier to go to market. The 2026 PACT updates are our response to that feedback. What is the Rapid7 'PACT' partner program? PACT is the framework that defines how Rapid7 works with our global network of resellers, managed security service providers (MSSPs), and distributors. But PACT is more than a framework. It reflects our commitment to transparency, consistency, and accountability in every partner interaction. These aren’t aspirational values; they are operational principles that guide how we build trust across our channel ecosystem. What’s new in PACT for 2026 This year’s updates focus on four core areas, each directly shaped by partner input. Stronger Economics: Expanded program discounts, rebates and incentives drive greater margin, predictability, and MDR competitiveness. Simpler Engagement: We are operating with two clear motions, Deal Registration and Co-Sell, resulting in less friction and faster execution. 
Platinum Partner Tier: A new top tier recognizes and accelerates our highest-performing, most strategic partners. Tech Champion Program: Exclusive recognition and access for partner Systems Engineers to deepen technical collaboration and influence. Why this matters now The vendors who will earn (and retain) partner mindshare are those who combine in-demand cybersecurity solutions with a partner experience that is simple, profitable, and built for scale. We know technology leadership alone isn’t enough. The experience of working with us has to be just as strong as the solutions we deliver. The 2026 PACT updates reflect that commitment. Ready to grow with us? The updated 2026 PACT Partner Program is now live. Whether you’re an existing partner exploring what’s changed, or an organization considering a partnership with Rapid7, you can find everything you need at rapid7.com/partners . We’re excited about what’s ahead, and we’re building it together with our partners.
The Rapid7 MDR team is currently monitoring an increase in phishing campaigns where threat actors (TAs) impersonate internal IT departments via Microsoft Teams. The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network. Social engineering via IT support impersonation is not a new threat, but the recent surge in Teams-based delivery highlights a critical weakness in how organizations manage external access. Teams often allows any external user to message internal staff. This is the functional equivalent of operating an email server without a gateway filter. While a cautious user might notice an "External" tag on the chat, the inherent trust placed in collaboration tools often overrides standard security instincts, granting TAs a direct, high-trust channel to your end users. Threat overview The attack we’ve observed typically follows a specific sequence of events: Initial contact: The threat actor sends spoofed Microsoft Teams chat requests to multiple users within an environment simultaneously. These often appear to come from "IT Support," "System Admin," or other spoofed internal aliases. Engagement: Once a user accepts the chat request, the threat actor initiates a conversation under the pretext of IT support, offering help such as "fixing a technical issue" or "performing a security update." Exploitation: The threat actor asks the user to launch Quick Assist. Once the connection is established, the TA gains remote access to the machine, allowing them to deploy malware, exfiltrate data, or move laterally through the network. What you should do now To protect your environment from this activity, Rapid7 recommends the following technical controls: Harden Microsoft Teams settings In the Teams Admin Center, limit external communications to "Only allowed domains." 
This prevents arbitrary external tenants from messaging your employees unless they are on an approved allowlist. In addition, Rapid7 recommends disabling the ability for users to communicate with external Teams users whose accounts are not managed by an organization. If your business doesn't require cold outreach from external vendors, toggle off "Allow External Users to Start Conversations" to ensure only your users can initiate outside chats. If your business does require this functionality more broadly, consider implementing Spoof Intelligence. Implement automatic blocking of spoofed Teams messages Enable Spoof Intelligence within your Microsoft 365 security settings. This feature automatically detects and blocks senders who are not who they claim to be. It works by identifying and managing senders that fail SPF/DKIM/DMARC checks. If you have known senders who don’t have these configured, ensure you set the appropriate exceptions. Disable/harden Quick Assist Rapid7 recommends removing or disabling Microsoft Quick Assist if it is not required within your
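The sequence in the threat overview (a burst of external chat requests, acceptance, then a Quick Assist launch) is narrow enough to hunt for directly. The following is an added example, not part of the Rapid7 post, written in Python over a constructed event stream: Teams chat-acceptance events and EDR-style process-creation events with field names chosen for the example, not taken from any product's schema. It flags a host where Quick Assist started within a short window of the same user accepting a chat from an external sender, rating the hit higher when the sender name imitates an IT function, and separately flags an external sender who reached several distinct users within a few minutes. The Quick Assist image path in the sample data is constructed; matching is on the binary name so that Store and legacy install locations both hit.

```python
"""Correlation over constructed endpoint and Teams telemetry (example data, not real logs)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
from typing import Dict, List

IMPERSONATION_TERMS = ("it support", "system admin", "sysadmin", "help desk", "helpdesk")
CHAIN_WINDOW = timedelta(minutes=30)   # chat acceptance -> Quick Assist launch
BURST_WINDOW = timedelta(minutes=5)    # one external sender hitting many users at once

# Constructed sample events. "teams_chat" = a user accepted a chat request;
# "process_create" = a process start as an EDR or Sysmon would log it.
SAMPLE_EVENTS = [
    {"ts": "2026-03-19T09:00:05+00:00", "type": "teams_chat", "host": "WS01", "user": "alice",
     "sender": "IT Support", "external": True},
    {"ts": "2026-03-19T09:00:09+00:00", "type": "teams_chat", "host": "WS02", "user": "bob",
     "sender": "IT Support", "external": True},
    {"ts": "2026-03-19T09:00:12+00:00", "type": "teams_chat", "host": "WS03", "user": "carol",
     "sender": "IT Support", "external": True},
    {"ts": "2026-03-19T09:12:40+00:00", "type": "process_create", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\quickassist.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2026-03-19T09:30:00+00:00", "type": "teams_chat", "host": "WS04", "user": "dave",
     "sender": "Vendor Sales", "external": True},
    {"ts": "2026-03-19T09:31:10+00:00", "type": "process_create", "host": "WS04", "user": "dave",
     "image": r"C:\Windows\System32\quickassist.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2026-03-19T14:00:00+00:00", "type": "process_create", "host": "WS03", "user": "carol",
     "image": r"C:\Windows\System32\quickassist.exe", "parent": r"C:\Windows\explorer.exe"},
]


def parse_events(raw: List[dict]) -> List[dict]:
    """Parse ISO-8601 timestamps and sort chronologically."""
    events = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(events, key=lambda e: e["ts"])


def is_quick_assist(image: str) -> bool:
    """Match on the binary name so Store and legacy install paths both hit."""
    return ntpath.basename(image).lower() == "quickassist.exe"


def looks_like_it_support(sender: str) -> bool:
    name = sender.lower()
    return any(term in name for term in IMPERSONATION_TERMS)


def chain_hits(events: List[dict], window: timedelta = CHAIN_WINDOW) -> List[dict]:
    """Flag Quick Assist launched within `window` of the same user accepting an
    external Teams chat on that host; severity is raised when the sender name
    imitates an internal IT function."""
    last_external_chat: Dict[tuple, dict] = {}
    hits = []
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["type"] == "teams_chat" and ev.get("external"):
            last_external_chat[key] = ev
        elif ev["type"] == "process_create" and is_quick_assist(ev["image"]):
            chat = last_external_chat.get(key)
            if chat and ev["ts"] - chat["ts"] <= window:
                hits.append({
                    "host": ev["host"], "user": ev["user"], "sender": chat["sender"],
                    "chat_ts": chat["ts"], "launch_ts": ev["ts"],
                    "severity": "high" if looks_like_it_support(chat["sender"]) else "medium",
                })
    return hits


def burst_senders(events: List[dict], min_users: int = 3,
                  window: timedelta = BURST_WINDOW) -> Dict[str, int]:
    """External senders who reached at least `min_users` distinct users inside
    `window`: the simultaneous mass chat-request pattern from the threat overview."""
    by_sender = defaultdict(list)
    for ev in events:                       # events are already time-ordered
        if ev["type"] == "teams_chat" and ev.get("external"):
            by_sender[ev["sender"]].append(ev)
    flagged = {}
    for sender, chats in by_sender.items():
        for i, first in enumerate(chats):
            users = {c["user"] for c in chats[i:] if c["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged[sender] = len(users)
                break
    return flagged


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for hit in chain_hits(parsed):
        minutes = (hit["launch_ts"] - hit["chat_ts"]).seconds // 60
        print(f"[{hit['severity']}] {hit['host']}/{hit['user']}: Quick Assist "
              f"{minutes} min after external chat from {hit['sender']!r}")
    print("burst senders:", burst_senders(parsed))
```

On the sample data WS01 is a high-severity hit (IT Support impersonation, launch 12 minutes after the chat), WS04 is a medium hit (external but non-impersonating sender), WS03 is not a hit because the launch falls hours outside the window, and "IT Support" is flagged as a burst sender for reaching three users in seven seconds. The burst rule is the useful early signal: it fires at the initial-contact stage, before any user has accepted a chat or launched Quick Assist.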