CyberNews: 02/04/2026 Edition

Published by Dunateo on 2026-04-02

Today’s roundup

  • You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)
  • Critical Cisco IMC auth bypass gives attackers Admin access
  • U.S. CISA adds a flaw in Google Dawn to its Known Exploited Vulnerabilities catalog
  • Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks
  • 'NoVoice' Android malware on Google Play infected 2.3 million devices
  • Crypto platform Drift suspends services after millions stolen in security incident
  • North Dakota water treatment plant reports March ransomware attack
  • CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
  • Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
  • Italian spyware vendor creates Fake WhatsApp app, targeting 200 users
Summary

    WatchTowr Labs detailed a pre-authenticated remote code execution (RCE) chain (CVE-2026-2699, CVE-2026-2701) in Progress ShareFile Storage Zone Controller version 5.12.3. An authentication bypass (CWE-698) allows admin access, enabling control over file upload paths and webshell deployment. Approximately 30,000 internet-facing instances are exposed; patches were released March 10, 2026, in version 5.12.4.

    Cisco patched a critical authentication bypass vulnerability in its Integrated Management Controller (IMC), allowing unauthenticated attackers administrative access. Immediate updates are crucial for mitigating system compromise risks.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-5281, an actively exploited use-after-free zero-day in Google Chrome's WebGPU Dawn component, to its KEV catalog. Federal agencies must patch by April 15, 2026, to prevent remote code execution. Updates to Chrome 146.0.7680.177/178 are available.

    Internet security watchdog Shadowserver reports over 14,000 F5 BIG-IP APM instances remain exposed to active remote code execution (RCE) attacks, with attackers deploying webshells. Organizations are urged to apply patches for this critical vulnerability.

    A new Android malware, dubbed 'NoVoice,' was discovered hidden within more than 50 applications on Google Play, infecting at least 2.3 million devices. This highlights significant mobile app security risks.

    Decentralized finance (DeFi) platform Drift suspended services after a security incident resulted in the reported theft of millions of dollars in cryptocurrency. The attack led to financial losses and an operational halt.

    The city of Minot, North Dakota, reported a ransomware attack on its water treatment plant in March. While operations continue normally, the incident underscores critical infrastructure vulnerabilities.

    The Computer Emergency Response Team of Ukraine (CERT-UA) disclosed a phishing campaign active on March 26-27, 2026, where threat actors (UAC-0255) impersonated CERT-UA to distribute the AGEWHEEZE remote administration tool (RAT) to an estimated 1 million email recipients.

    Microsoft warned of a campaign active since late February 2026, leveraging WhatsApp messages to spread malicious Visual Basic Script (VBS) files. These scripts establish persistence and remote access on Windows by bypassing User Account Control (UAC).

    WhatsApp alerted approximately 200 users, mostly in Italy, who installed a fake iOS app infected with spyware. Italian firm Asigint (a subsidiary of SIO Spa) developed the fake client. WhatsApp took legal action and clarified that this was a social engineering attack, not a vulnerability in its encryption.
