Today’s roundup
CISA and BSI warn orgs of critical PTC Windchill and FlexPLM flaw
CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation
Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files
TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign
The European Commission confirmed a cyberattack affecting part of its cloud systems
Iran-linked group Handala hacked FBI Director Kash Patel’s personal email account
New AITM phishing wave hijacks TikTok Business accounts
Fake VS Code alerts on GitHub spread malware to developers
China Upgrades the Backdoor It Uses to Spy on Telcos Globally
Summary
CISA and BSI have issued an urgent advisory for a critical Remote Code Execution (RCE) vulnerability, CVE-2026-4681 (CVSS 10.0), in PTC’s Windchill and FlexPLM software. While no patches are yet available, the German Federal Criminal Police Office (BKA) took the unprecedented step of physically visiting companies to warn them, indicating a severe and potentially imminent exploitation risk. Organizations are advised to apply mitigations provided by the vendor.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical F5 BIG-IP Access Policy Manager (APM) vulnerability, CVE-2025-53521 (CVSS 9.3), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows for remote code execution and is currently under active exploitation.
A critical memory overread vulnerability, CVE-2026-3055 (CVSS 9.3), affecting Citrix NetScaler ADC and NetScaler Gateway, is experiencing active reconnaissance activity. Security firms Defused Cyber and watchTowr reported the flaw, which could lead to the leakage of sensitive information due to insufficient input validation.
The TeamPCP threat actor group, known for past supply chain attacks, has compromised the Telnyx Python package on PyPI. Malicious versions 4.87.1 and 4.87.2 were uploaded on March 27, 2026, delivering credential-stealing malware hidden within WAV audio files.
Proofpoint researchers have detailed a new targeted spear-phishing campaign attributed to the Russian state-sponsored threat group TA446 (also known as Callisto). The campaign utilizes the recently disclosed DarkSword exploit kit to compromise iOS devices.
The European Commission has confirmed a cyberattack detected on March 24, 2026, affecting the cloud infrastructure hosting its Europa.eu websites. While the incident was contained and internal systems were not impacted, early findings suggest some data may have been accessed. An attacker claimed to have stolen over 350 GB of data from the Commission's AWS account.
The Iran-linked hacking group Handala claimed responsibility for breaching the personal Gmail account of FBI Director Kash Patel, leaking alleged files and photos. The FBI confirmed awareness of the incident, stating that the exposed information is historical and contains no government or classified data.
Push Security has uncovered a new wave of Adversary-in-the-Middle (AiTM) phishing attacks targeting TikTok for Business accounts. The campaign leverages TikTok and Google-themed login pages to hijack accounts for malvertising, using newly registered domains and bot protection to evade detection.
A large-scale campaign is targeting developers on GitHub with fake Visual Studio Code (VS Code) security alerts posted in project Discussions. The alerts aim to trick users into downloading malware, posing a supply chain risk for development environments.
Chinese APT group Red Menshen has upgraded its BPFdoor malware, enabling it to bypass traditional cybersecurity defenses. The advanced backdoor is being used to spy on telecommunications companies globally, posing a significant threat to critical infrastructure.