CyberNews: 30/03/2026 Edition

Published by Dunateo on 2026-03-30

Today’s roundup

  • Hackers now exploit critical F5 BIG-IP flaw in attacks, patch now
  • Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution
  • Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2)
  • Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave
  • Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels
  • Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign
  • File read flaw in Smart Slider plugin impacts 500K WordPress sites
  • The State of Secrets Sprawl 2026: 9 Takeaways for CISOs

Summary

    F5 has reclassified a vulnerability in its BIG-IP APM, previously rated as a denial-of-service issue, as a critical remote code execution (RCE) flaw. Active exploitation has been reported, with attackers deploying webshells on unpatched devices. Immediate patching is crucial.

    A critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1) in Fortinet's FortiClient EMS platform is being actively exploited. Threat actors achieve remote code execution by placing SQL statements in the "Site" HTTP request header. Defused and Shadowserver researchers confirm attacks since March 28, 2026, affecting exposed instances, primarily in the U.S. and Europe. Upgrading to version 7.4.5 or above is advised.
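    Because the page describes the injection point as the "Site" request header, a defender can triage captured requests for that header carrying SQL-looking content. The following is an added example, not code from the original roundup or from Fortinet: it parses constructed HTTP request header blocks (the sample requests are invented for illustration; the header name "Site" is the only detail taken from the page, and nothing about FortiClient EMS's real request paths is assumed) and flags a request when the header value is not hostname-like or contains SQL metacharacters or keywords.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SQL fragments that have no business in a hostname-like "Site" value.
SQL_KEYWORDS = re.compile(
    r"\b(select|union|insert|update|delete|drop|exec|execute|declare|waitfor|xp_cmdshell)\b",
    re.IGNORECASE,
)
# Quote, statement separator and comment sequences typical of injection attempts.
SQL_METACHARS = re.compile(r"['\";]|--|/\*|\*/")
# Assumption for this example: a legitimate Site value looks like a hostname or site label.
HOSTNAME_LIKE = re.compile(r"^[A-Za-z0-9._-]{1,253}$")


@dataclass
class Finding:
    request_line: str
    site_value: str
    reasons: List[str]


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request header block into the request line and a
    case-insensitive (lower-cased) header map; HTTP header names are case-insensitive."""
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def inspect_request(raw: str) -> Optional[Finding]:
    """Return a Finding if the request's Site header looks like an injection attempt."""
    request_line, headers = parse_headers(raw)
    site = headers.get("site")
    if site is None:
        return None  # no Site header: nothing to check for this vector
    reasons: List[str] = []
    if not HOSTNAME_LIKE.match(site):
        reasons.append("site value is not hostname-like")
    if SQL_METACHARS.search(site):
        reasons.append("SQL metacharacters present")
    if SQL_KEYWORDS.search(site):
        reasons.append("SQL keyword present")
    return Finding(request_line, site, reasons) if reasons else None


def triage(requests: List[str]) -> List[Finding]:
    """Run inspect_request over a batch and keep only the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


# Constructed sample requests (not real traffic): two benign, one suspicious.
SAMPLE_REQUESTS = [
    "GET /api/status HTTP/1.1\nHost: ems.corp.example\nSite: ems.corp.example\n",
    "GET /api/status HTTP/1.1\nHost: ems.corp.example\nSITE: branch-office-02\n",
    "GET /api/status HTTP/1.1\nHost: ems.corp.example\nSite: site1' UNION SELECT 1--\n",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding.request_line, "|", finding.site_value, "|", ", ".join(finding.reasons))
```

    The hostname-like check is the most useful of the three signals in practice: it catches encoded or obfuscated payloads that dodge a keyword list, at the cost of false positives if a deployment legitimately uses spaces or punctuation in site names, so tune `HOSTNAME_LIKE` to the values your own EMS actually emits before alerting on it.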

    The critical Citrix NetScaler vulnerability CVE-2026-3055 comprises at least two memory overread flaws, in the `/saml/login` and `/wsfed/passive?wctx` endpoints. watchTowr Labs confirms active exploitation since March 27, 2026; the flaws can leak sensitive memory, including administrative session IDs, when appliances are configured as SAML Identity Providers. A detection artifact generator is available.

    Russia-linked APT TA446 (SEABORGIUM) is employing the leaked DarkSword iOS exploit kit in targeted spear-phishing campaigns. These attacks, observed by Proofpoint since March 26, 2026, aim to compromise iPhones and collect intelligence by luring users with malicious emails, often spoofing the Atlantic Council.

    A new Russian-origin remote access toolkit, CTRL, has been discovered. Delivered via malicious Windows shortcut (LNK) files, this .NET toolkit supports credential phishing, keylogging, RDP hijacking, and reverse tunneling.

    Three China-linked threat clusters engaged in a complex, well-resourced cyber campaign targeting a Southeast Asian government organization in 2025, deploying multiple malware families including HIUPAN and EggStremeLoader.

    A file read vulnerability in the Smart Slider 3 WordPress plugin, affecting over 500,000 of its 800,000 active installations, enables subscriber-level users to access arbitrary server files, posing a significant data exposure risk.

    GitGuardian's State of Secrets Sprawl 2026 report reveals 29 million new hardcoded secrets found in public GitHub in 2025, a 34% increase, emphasizing the escalating challenge of secrets management for CISOs, partially influenced by AI trends.

    Cyber Groups

    Star Blizzard, SEABORGIUM, Callisto Group, TA446, COLDRIVER