

Security & IT News


Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

753 results in Vulnerability

Vulnerability · The Hacker News · 73d ago
5 Learnings from the First-Ever Gartner Market Guide for Guardian Agents

On February 25, 2026, Gartner published its inaugural Market Guide for Guardian Agents, marking an important milestone for this emerging category. For those unfamiliar with the various Gartner report types, “a Market Guide defines a market and explains what clients can expect it to do in the short term. With the focus on early, more chaotic markets, a Market Guide does not rate or position

Vulnerability · Rapid7 · 73d ago
Rapid7 Completes BSI C5 Type 2 Examination: Stronger Cloud Security for DACH Organizations

If you're a security leader operating in Germany, Austria, or Switzerland, you already know that compliance isn't a checkbox. It's a competitive differentiator. Rapid7 has completed BSI C5 Type 2 attestation for the Rapid7 Command Platform, including Threat Command, and it's a milestone worth unpacking. This isn't just a badge on a webpage. It's proof that our security controls work, not just on paper, but in practice, over time.

What is BSI C5 and why does it matter?

The Cloud Computing Compliance Criteria Catalogue (C5) was developed by Germany's Federal Office for Information Security (BSI). It sets some of the most rigorous cloud security standards in the world, covering everything from data protection to operational transparency.

A Type 2 attestation is the gold standard within that framework. Unlike a point-in-time audit, Type 2 validates that security controls aren't just well-designed, but that they're actively working consistently over a sustained period. It's the difference between a security promise and a security proof.

For organizations in the DACH region, C5 is more than a nice-to-have. It's a procurement requirement for German federal agencies, critical infrastructure operators, healthcare institutions, and financial services firms. If you're operating in any of these sectors, your cloud providers need to meet this bar. Rapid7 now does.

BSI C5 Type 2 and your cloud security strategy

Whether you're evaluating security vendors, managing compliance obligations, or looking to strengthen your organization's risk posture, the question is the same: How do you know your cloud security provider actually does what it says?

BSI C5 Type 2 attestation answers that question. It's independent, rigorous, and sustained over time. While rooted in German regulatory requirements, C5 is increasingly recognized as a benchmark for secure cloud operations across Europe. It's one of the clearest signals that a cloud provider has the operational maturity to handle sensitive environments.

The Rapid7 Command Platform unifies exposure management with detection and response, giving security teams clear visibility across their attack surface. Threat Command extends that protection further, identifying and helping remediate threats across the clear, deep, and dark web. Both are now independently validated against one of the world's toughest cloud security frameworks.

Why independent validation of security controls matters

Trusting a security vendor shouldn't require a leap of faith. Independent validation exists so you have the evidence to make that call with confidence. This attestation reflects our continued investment in meeting the highest security standards for customers across Germany and the wider European market. Rapid7 has achieved a milestone that speaks directly to the conversations had every day with public sector and enterprise organizations who need more than a promise. They need proof that a security provider's controls have been tested, verified,

Vulnerability · SANS ISC · 73d ago
Detecting IP KVMs, (Tue, Mar 24th)

I have written about how to use IP KVMs securely, and recently, researchers at Eclypsium published yet another report on IP KVM vulnerabilities. But there is another issue I haven't mentioned yet with IP KVMs: rogue IP KVMs.

IP KVMs are often used by criminals. For example, North Koreans used KVMs to connect remotely to laptops sent to them by their employers. The laptops were located in the US, and the North Korean workers used IP KVMs to remotely connect to them. IP KVMs could also be used to access office PCs, either to enable undetected work from home or by threat actors who use them to gain remote access after installing the device on site.

IP KVMs usually connect to the system in two ways:

- USB for keyboard/mouse
- HDMI for the monitor connection (some older variants may also use VGA)

For my testing, I used two different IP KVMs: a PiKVM and a NanoKVM (Sipeed). Both were connected to Linux systems, but the techniques should work on other operating systems as well.

USB

For the Sipeed NanoKVM, lsusb gives the device away:

    $ lsusb
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 002: ID 0bda:c821 Realtek Semiconductor Corp. Bluetooth Radio
    Bus 001 Device 004: ID 051d:0002 American Power Conversion Uninterruptible Power Supply
    Bus 001 Device 005: ID 3346:1009 sipeed NanoKVM
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

PiKVM is a little less obvious, but this USB entry appears to be associated with PiKVM:

    Bus 001 Device 004: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget
    Bus 001 Device 017: ID 1b3f:2008 Generalplus Technology Inc. USB Audio Device

This needs a bit more testing for the PiKVM.

HDMI

HDMI devices send EDID (Extended Display Identification Data) to the system the display is connected to. The main purpose of EDID is to communicate available video modes and resolutions, but it also includes manufacturer information. For the NanoKVM:

    $ sudo get-edid | parse-edid
    ...
    Section "Monitor"
        Identifier "Connector"
        ModelName "Connector"
        VendorName "VCS"
    ...

Not very obvious, but the VCS vendor name could be a reasonable indicator (check for false positives). For PiKVM, the Identifier and ModelName are more telling:

    Section "Monitor"
        Identifier "PiKVM V3"
        ModelName "PiKVM V3"
        VendorName "LNX"

Evasion

Of course, a more sophisticated attacker can modify these strings. PiKVM offers a configuration file to do so, in part to allow for better compatibility. I do not know whether the NanoKVM provides a similar, simple way to evade detection (but it is likely not terribly hard). So "sophisticated attacker" may translate to "able and willing to read the manual".

Many endpoint protection solutions monitor USB devices and may alert on odd devices being connected. But I am not aware of any that check monitor EDID strings. This may be another neat feature for such solutions. In office environments, most organizations provide a limited set of monitor types. For home office use, things may be more complex as users often
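A defender-side check for the indicators in this diary, as an added example that is not part of the ISC post: it parses lsusb lines and parse-edid "Monitor" sections and flags the USB IDs and EDID strings quoted above. The indicator tables are constructed from those quoted values only, and the parse-edid block layout (Section "Monitor" ... EndSection with quoted values) is assumed from the tool's usual output.

```python
import re

# Constructed indicator tables, taken only from the values the diary quotes.
# A real deployment would extend them with its own monitor fleet and other
# KVM vendors; that part is left as an assumption for the reader.
USB_INDICATORS = {
    "3346:1009": "Sipeed NanoKVM",
    "1d6b:0104": "Multifunction Composite Gadget (associated with PiKVM; needs more testing)",
}
EDID_INDICATORS = {
    "ModelName": {"PiKVM V3": "PiKVM V3"},
    "VendorName": {"LNX": "PiKVM", "VCS": "NanoKVM (weak indicator; check for false positives)"},
}

_LSUSB_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}:[0-9a-fA-F]{4})\s*(.*)$")
_EDID_KV_RE = re.compile(r'^(\w+)\s+"([^"]*)"$')


def scan_lsusb(output):
    """Return one finding per lsusb line whose vendor:product ID is an indicator."""
    findings = []
    for raw in output.splitlines():
        m = _LSUSB_RE.match(raw.strip())
        if not m:
            continue  # blank lines, prompts, unrelated text
        bus, dev, usb_id, name = m.groups()
        usb_id = usb_id.lower()
        if usb_id in USB_INDICATORS:
            findings.append({"source": "usb", "bus": bus, "device": dev, "id": usb_id,
                             "name": name, "reason": USB_INDICATORS[usb_id]})
    return findings


def parse_edid_sections(output):
    """Parse parse-edid output into one dict per Section "Monitor" block.

    Several connected displays produce several sections; comment lines are skipped.
    """
    sections, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('Section "Monitor"'):
            current = {}
        elif line == "EndSection":
            if current is not None:
                sections.append(current)
            current = None
        elif current is not None:
            m = _EDID_KV_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return sections


def scan_edid(output):
    """Return one finding per (monitor, field) whose value is an indicator."""
    findings = []
    for idx, sec in enumerate(parse_edid_sections(output)):
        for field, table in EDID_INDICATORS.items():
            value = sec.get(field)
            if value in table:
                findings.append({"source": "edid", "monitor": idx,
                                 "identifier": sec.get("Identifier", ""),
                                 "field": field, "value": value, "reason": table[value]})
    return findings


def scan(lsusb_output, edid_output):
    """Combined USB + EDID findings for one host."""
    return scan_lsusb(lsusb_output) + scan_edid(edid_output)


# Constructed sample input: the lsusb and parse-edid lines quoted in the diary.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0bda:c821 Realtek Semiconductor Corp. Bluetooth Radio
Bus 001 Device 005: ID 3346:1009 sipeed NanoKVM
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""
SAMPLE_EDID = """\
Section "Monitor"
    Identifier "PiKVM V3"
    ModelName "PiKVM V3"
    VendorName "LNX"
    # Monitor Manufactured week 1 of 2024
EndSection
Section "Monitor"
    Identifier "Connector"
    ModelName "Connector"
    VendorName "VCS"
EndSection
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LSUSB, SAMPLE_EDID):
        print(finding)
```

On a real host, feed it the output of `lsusb` and `sudo get-edid | parse-edid`; an empty result means none of the quoted indicators were seen, not that no KVM is present.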

Vulnerability · CISA · 73d ago
Pharos Controls Mosaic Show Controller

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-083-01.json

Summary

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges.

The following versions of Pharos Controls Mosaic Show Controller are affected:

- Mosaic Show Controller Firmware 2.15.3 (CVE-2026-2417)

CVSS: v3 9.8
Vendor: Pharos Controls
Equipment: Pharos Controls Mosaic Show Controller
Vulnerabilities: Missing Authentication for Critical Function

Background

- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United Kingdom

Vulnerabilities

CVE-2026-2417

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-2417

Affected Products

Pharos Controls Mosaic Show Controller
Vendor: Pharos Controls
Product Version: Pharos Controls Mosaic Show Controller Firmware: 2.15.3
Product Status: known_affected

Remediations

Mitigation: Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later.

Relevant CWE: CWE-306 Missing Authentication for Critical Function (https://cwe.mitre.org/data/definitions/306.html)

Metrics

CVSS Version: 3.1
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Vulnerability · CISA · 73d ago
Schneider Electric Plant iT/Brewmaxx

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-083-03.json

Summary

Successful exploitation of these vulnerabilities could risk privilege escalation, which could result in remote code execution.

The following versions of Schneider Electric Plant iT/Brewmaxx are affected:

- Plant iT/Brewmaxx 9.60_and_above (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819)

CVSS: v3 9.9
Vendor: Schneider Electric
Equipment: Schneider Electric Plant iT/Brewmaxx
Vulnerabilities: Use After Free, Integer Overflow or Wraparound, Improper Control of Generation of Code ('Code Injection')

Background

- Critical Infrastructure Sectors: Energy, Critical Manufacturing, Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities

CVE-2025-49844

The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-49844

Affected Products

Schneider Electric Plant iT/Brewmaxx
Vendor: Schneider Electric
Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above
Product Status: known_affected

Remediations

Mitigation: Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit:

Mitigation: Install Patch ProLeiT-2025-001 via ProLeiT Support (https://www.proleit.com/support/)

Mitigation: After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality

Mitigation: Force usage of secure Redis configuration templates in system settings as documented in the patch manual

Mitigation:

Vulnerability · CISA · 73d ago
Schneider Electric EcoStruxure Foxboro DCS

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-083-02.json

Summary

Schneider Electric is aware of a vulnerability in its EcoStruxure Foxboro DCS Control Software on Foxboro DCS workstations and servers. Control Core Services and all runtime software, like FCPs, FDCs, and FBMs, are not affected. The EcoStruxure Foxboro DCS (https://www.se.com/ww/en/product-range/63680-ecostruxure-foxboro-dcs/) product is an innovative family of fault-tolerant, highly available control components, which consolidates critical information and elevates staff capabilities to ensure flawless, continuous plant operation. Failure to apply the remediation provided below may risk deserialization of untrusted data, which could result in loss of confidentiality, integrity and potential remote code execution on the compromised workstation.

The following versions of Schneider Electric EcoStruxure Foxboro DCS are affected:

- EcoStruxure Foxboro DCS vers:generic/

CVSS: v3 6.5
Vendor: Schneider Electric
Equipment: Schneider Electric EcoStruxure Foxboro DCS
Vulnerabilities: Deserialization of Untrusted Data

Background

- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities

CVE-2026-1286

A deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on a workstation when an admin authenticated user opens a malicious project file.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-1286

Affected Products

Schneider Electric EcoStruxure Foxboro DCS
Vendor: Schneider Electric
Product Version: EcoStruxure Foxboro DCS versions prior to CS8.1
Product Status: fixed, known_affected

Remediations

Vendor fix: Version CS 8.1 of EcoStruxure Foxboro DCS includes a fix for this vulnerability and is available through https://buyautomation.se

Vulnerability · CISA · 73d ago
Grassroots DICOM (GDCM)

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-083-01.json

Summary

Successful exploitation of this vulnerability could allow an attacker to send a specially crafted file, and when parsed, could result in a denial-of-service condition.

The following versions of Grassroots DICOM (GDCM) are affected:

- Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650)

CVSS: v3 7.5
Vendor: Grassroots
Equipment: Grassroots DICOM (GDCM)
Vulnerabilities: Missing Release of Memory after Effective Lifetime

Background

- Critical Infrastructure Sectors: Healthcare and Public Health
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-3650

A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-3650

Affected Products

Grassroots DICOM (GDCM)
Vendor: Grassroots
Product Version: Grassroots Grassroots DICOM (GDCM): 3.2.2
Product Status: known_affected

Remediations

Mitigation: The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information refer to the software page on SourceForge.

Mitigation: https://sourceforge.net/projects/gdcm/

Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime (https://cwe.mitre.org/data/definitions/401.html)

Metrics

Vulnerability · Rapid7 · 74d ago
CVE-2026-3055: Citrix NetScaler ADC and NetScaler Gateway Out-of-Bounds Read

Overview

On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory.

The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on. Per the advisory, organizations can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler configuration for the specified string:

    add authentication samlIdPProfile .*

CVE-2026-3055 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. The advisory notes that only customer-managed instances are affected, not cloud instances managed by Citrix.

As of the advisory's publication, there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available. According to Citrix, the vulnerability was identified internally via security review. However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public. Therefore, it is crucial that customers running affected Citrix systems remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous "CitrixBleed" vulnerability, CVE-2023-4966, in 2023.

Mitigation guidance

Organizations running affected on-premise instances of NetScaler ADC and NetScaler Gateway should prioritize upgrading to fixed versions on an emergency basis to remediate CVE-2026-3055. Affected components:

- NetScaler ADC and NetScaler Gateway versions 14.1, fixed in 14.1-66.59.
- NetScaler ADC and NetScaler Gateway versions 13.1, fixed in 13.1-62.23.
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP, fixed in 13.1-37.262 (also referred to as 13.1.37.262 in the vendor advisory).

Please read the vendor advisory (CTX696300) for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-3055 on Citrix NetScaler ADC with an authenticated vulnerability check expected to be available in the March 24 content release.

Updates

March 23, 2026: Initial publication.

Vulnerability · Rapid7 · 77d ago
Metasploit Wrap-Up 03/20/2026

♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100 ♫

This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder's getImage.php file and another targeting FreePBX. Leading the enhancements is a more granular LDAP query option that allows SACL data to be omitted from security descriptor queries, since without the proper permissions the entire security descriptor query fails if SACL data is even just a part of it.

New module content (2)

AVideo Encoder getImage.php Unauthenticated Command Injection
- Authors: Valentin Lobstein [email protected] and arkmarta
- Type: Exploit
- Pull request: #21076 contributed by Chocapikk
- Path: linux/http/avideo_encoder_getimage_cmd_injection
- AttackerKB reference: CVE-2026-29058
- Description: Adds an exploit module for CVE-2026-29058, an unauthenticated OS command injection in AVideo Encoder's getImage.php endpoint.

FreePBX filestore authenticated command injection
- Authors: Cory Billington and Valentin Lobstein [email protected]
- Type: Exploit
- Pull request: #20719 contributed by Chocapikk
- Path: unix/http/freepbx_filestore_cmd_injection
- AttackerKB reference: CVE-2025-64328
- Description: Adds a new Metasploit exploit module for FreePBX filestore authenticated command injection (CVE-2025-64328) with automatic vulnerable-version detection and full documentation, and renames the XorcomCompletePbx HTTP mixin to CompletePBX, updating affected modules accordingly.

Enhancements and features (2)

- #20730 from zeroSteiner - This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned.
- #20997 from Nayeraneru - This adds a new OptTimedelta datastore option type. It enables module authors to specify a time duration and users to set it with a human-friendly syntax.

Bugs fixed (7)

- #20960 from g0tmi1k - This adds a DHCPINTERFACE option to the DHCP server mixin, allowing modules that start that server to specify a particular interface to bind to.
- #21020 from g0tmi1k - This makes a small change to the docs by removing two lines that were previously duplicated.
- #21024 from Aaditya1273 - Fixes a bug in the JSON-RPC msfrpcd functionality that incorrectly required SSL certificates to be present even when disabled with msfrpcd -S.
- #21025 from Hemang360 - Fixes a crash when calling the HTTP cookie jar with non-string values.
- #21028 from SilentSobs - Fixes a crash when using the reload_all command while no module is present.
- #21081 from Hemang360 - Fixes a crash when using windows/exec with non-ASCII characters.
- #21139 from jheysel-r7 -

Vulnerability · Rapid7 · 77d ago
Negotiating with the Board: Translating Active Risk into Financial Exposure

Security leaders rarely struggle to produce data. The challenge is turning that data into something the board can use to make decisions. Walk into a board meeting with a slide showing 1,200 critical vulnerabilities and 44 internet-facing assets, and you will likely see polite acknowledgment rather than meaningful discussion. The question that follows tends to cut through quickly: what does this mean for the business?

Boards allocate capital based on financial exposure, not vulnerability counts. A list of findings describes workload, but directors are responsible for revenue protection, liability, and risk to the balance sheet. When security reporting remains technical, it sits outside the way investment decisions are made elsewhere in the organization. The issue is less about communication and more about framing the problem in terms the business already understands.

From severity to risk

CVSS measures theoretical severity, but it does not measure business risk. A high score indicates that a flaw could be dangerous, yet it does not tell you whether the vulnerability is reachable in your environment, whether exploit code exists, or whether it is likely to affect revenue in the near term. It answers a useful engineering question, but it does not answer the question the board is asking. That question is about likelihood and impact. Most enterprise risk frameworks define risk in those terms, and that is how financial decisions are made.

The gap becomes clear when two vulnerabilities appear similar on a dashboard but carry very different consequences. A high-CVSS issue on a segmented lab system may present little business risk, while a moderately severe vulnerability on an internet-facing production system with active exploit activity can expose regulated data and revenue streams. What is often missing in that comparison is threat context. Understanding how attackers behave, which vulnerabilities they are exploiting, and where access paths actually exist changes how risk is interpreted.

Active Risk in InsightVM brings those elements together by combining exploit telemetry, attacker behavior, and asset context to estimate the likelihood that a vulnerability will be used. When that likelihood is paired with business impact, the conversation shifts toward exposure rather than severity.

From CVSS scores to financial exposure

Prioritization alone does not translate into board-level decisions. Knowing what is most likely to be exploited is necessary, but it is not sufficient when the goal is to justify investment. FAIR provides a way to bridge that gap. The model defines risk as a combination of how often a loss event is likely to occur and how much that event would cost. In practical terms:

    Annualized Loss Exposure (ALE) = Loss Event Frequency × Probable Loss Magnitude

Active Risk informs the likelihood side of that equation by grounding it in observed attacker behavior and exploit activity. FAIR converts that likelihood into financial terms, allowing secur

Vulnerability · CISA · 77d ago
Russian Intelligence Services Target Commercial Messaging Application Accounts

CISA and the Federal Bureau of Investigation released a Public Service Announcement (PSA) (https://www.ic3.gov/PSA/2026/PSA260320) warning about ongoing phishing campaigns by cyber actors associated with the Russian Intelligence Services targeting commercial messaging applications (CMAs). These campaigns aim to bypass encryption to compromise individual user accounts, with targets including current and former U.S. government officials, military personnel, political figures, and journalists.

Evidence shows that cyber actors have been able to compromise individual CMA accounts, but not the encryption of the applications themselves. The actors' global campaigns have resulted in unauthorized access to thousands of individual CMA accounts to view the victims' messages and contact lists, send messages, and conduct additional phishing against other CMA accounts.

CISA and FBI urge CMA users to review the PSA, follow recommended cybersecurity practices, and remain vigilant for suspicious activity.

VulnerabilityCISA·77d ago
CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2025-31277 (https://www.cve.org/CVERecord?id=CVE-2025-31277) Apple Multiple Products Buffer Overflow Vulnerability
- CVE-2025-32432 (https://www.cve.org/CVERecord?id=CVE-2025-32432) Craft CMS Code Injection Vulnerability
- CVE-2025-43510 (https://www.cve.org/CVERecord?id=CVE-2025-43510) Apple Multiple Products Improper Locking Vulnerability
- CVE-2025-43520 (https://www.cve.org/CVERecord?id=CVE-2025-43520) Apple Multiple Products Classic Buffer Overflow Vulnerability
- CVE-2025-54068 (https://www.cve.org/CVERecord?id=CVE-2025-54068) Laravel Livewire Code Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).
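What "prioritizing KEV Catalog vulnerabilities" looks like in practice, as an added example (not CISA code): cross-reference scanner findings against the catalog and order them by BOD 22-01 due date before falling back to CVSS. The KEV excerpt is constructed in the shape of CISA's JSON feed and carries the five CVE IDs from this advisory, but every date, the scanner CVSS values and the asset names are placeholders, and CVE-0000-00000 is a deliberately fake ID standing in for a finding that is not in the catalog.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs are the five named above; every date below is a placeholder, not the catalog's value.
KEV_JSON = """{"title": "CISA Known Exploited Vulnerabilities Catalog", "count": 5, "vulnerabilities": [
 {"cveID": "CVE-2025-31277", "vulnerabilityName": "Apple Multiple Products Buffer Overflow Vulnerability",
  "dateAdded": "2026-03-20", "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-32432", "vulnerabilityName": "Craft CMS Code Injection Vulnerability",
  "dateAdded": "2026-03-20", "dueDate": "2026-04-03", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-43510", "vulnerabilityName": "Apple Multiple Products Improper Locking Vulnerability",
  "dateAdded": "2026-03-20", "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-43520", "vulnerabilityName": "Apple Multiple Products Classic Buffer Overflow Vulnerability",
  "dateAdded": "2026-03-20", "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-54068", "vulnerabilityName": "Laravel Livewire Code Injection Vulnerability",
  "dateAdded": "2026-03-20", "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"}
]}"""

SCAN_FINDINGS = [  # constructed scanner output; asset names and CVSS numbers are placeholders
    {"asset": "web-01", "cve": "CVE-2025-32432", "cvss": 10.0},
    {"asset": "app-07", "cve": "CVE-2025-54068", "cvss": 8.8},
    {"asset": "mac-12", "cve": "CVE-2025-43520", "cvss": 7.8},
    {"asset": "db-02", "cve": "CVE-0000-00000", "cvss": 9.8},  # fake ID: a finding that is not in KEV
]


def load_kev(feed_text):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def triage(findings, kev, today):
    """Annotate findings with KEV status and order them: KEV entries first by BOD 22-01 due date
    (overdue on top, ties broken by CVSS), then everything else by CVSS alone."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        row = dict(f, in_kev=entry is not None, due_in_days=None, overdue=False, ransomware=False)
        if entry is not None:
            row["due_in_days"] = (date.fromisoformat(entry["dueDate"]) - today).days
            row["overdue"] = row["due_in_days"] < 0
            row["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
        rows.append(row)
    rows.sort(key=lambda r: (not r["in_kev"], r["due_in_days"] if r["in_kev"] else 0, -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in triage(SCAN_FINDINGS, load_kev(KEV_JSON), date.today()):
        flag = "KEV" if r["in_kev"] else "   "
        due = f"due in {r['due_in_days']:>4d}d" if r["in_kev"] else "            "
        print(f"{flag} {due} cvss {r['cvss']:>4}  {r['asset']:8s} {r['cve']}")
```

The ordering is the point: a CVSS 9.8 finding that is not in the catalog lands below a 7.8 that is, because the catalog records observed exploitation and the directive attaches a deadline to it. Pull the live feed on a schedule and diff `cveID`s against the previous run to catch additions like the five above the day they land.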

VulnerabilitySANS ISC·77d ago
GSocket Backdoor Delivered Through Bash Script, (Fri, Mar 20th)

Yesterday, I discovered a malicious Bash script that installs a GSocket backdoor on the victim's computer. I don't know the source of the script nor how it is delivered to the victim. GSocket [1] is a networking tool, but also a relay infrastructure, that enables direct, peer-to-peer style communication between systems using a shared secret instead of IP addresses or open ports. It works by having both sides connect outbound to a global relay network. Tools like gs-netcat can provide remote shells, file transfer, or tunneling and bypass classic security controls: there is no inbound port and no listener to find. The script that I found uses a copy of gs-netcat, but the way it implements persistence and anti-forensic techniques deserves a review.

A few weeks ago, I found a sample that used GSocket connectivity as a C2 channel. It made me curious and I started to hunt for more samples. Bingo! The new one that I found (SHA256: 6ce69f0a0db6c5e1479d2b05fb361846957f5ad8170f5e43c7d66928a43f3286 [2]) has been detected by only 17 antivirus solutions on VT. The script is not obfuscated and even has comments, so I think that it was uploaded to VT for testing purposes by the developer (just a guess). Let's have a look at the techniques used.

When you execute it in a sandbox, you see this: [screenshot] Note the identification of the tool ("G-Socket Bypass Stealth") and the reference to @bboscat [3].

A GSocket client is downloaded, started and talks to the following IP: [screenshot]

The malware implements persistence through different well-known techniques on Linux. First, a cron job is created: [screenshot] At the top of every hour, the disguised gs-netcat will be killed (if running) and restarted. To improve persistence, the same code is added to the victim's .profile: [screenshot] The malware itself is copied into .ssh/putty and the GSocket shared secret is stored in a fake SSH key file: [screenshot] The ELF file id_rsa (SHA256: d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) is the gs-netcat tool downloaded directly from the G-Socket CDN.

OK, let's have a look at an interesting anti-forensic technique implemented in the Bash script. File operations are not simply performed using classic commands like cp, rm, mv, etc. They are wrapped in helper functions with a timestamp tracking/restoration system, so the malware can later hide its filesystem changes by putting the original timestamps back. Here is an example with a function that creates a file (the listing is cut off in the original):

    mk_file() {
        local fn
        local oldest
        local pdir
        local pdir_added
        fn="$1"
        local exists
        # DEBUGF "${CC}MK_FILE($fn)${CN}"
        pdir="$(dirname "$fn")"
        [[ -e "$fn" ]] && exists=1
        ts_is_marked "$pdir" || {
            # HERE: Parent not tracked
            _ts_add "$pdir" "NOT BY XMKDIR"
            pdir_added=1
        }
        ts_is_marked "$fn" || {
            # HERE: Not yet tracked
            _ts_get_ts "$fn"
            # Do not add if creation fails.
            touch "$fn" 2>/dev/null || {
                # HERE: Permission denied
                [[ -n "$pdir_added" ]] && {
                    # Remove pdir if it was added above
                    # Bash 5.0 does not support arr[-1]
                    # Quote (") to silence shellcheck
                    unset "_ts_ts_a[${#_ts_ts_a[@]}-1]"
                    unset "_ts_fn_a[${#_ts_fn_a[@]}-1]"
                    unset "_ts_mkdir_fn_a[${#_ts_mkdir_fn_a[@]}-1]"
                }
                return 69 # False
            }
            [[
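A hunting check for the persistence described above, as an added example (this is not the diary's script and not part of GSocket): it looks for ELF binaries parked under ~/.ssh, key-named files that hold neither key material nor an ELF (where a shared secret would sit), and crontab or .profile lines whose command word is a path under .ssh/, distinguishing that from a legitimate `ssh -i ~/.ssh/key` argument and flagging the kill-then-restart pattern. The sample directory and the cron and .profile lines are constructed from the diary's description; the gs-netcat flags in them are illustrative, and the secret's filename is an assumption, since the diary does not name it.

```python
import re

ELF_MAGIC = b"\x7fELF"
# Legitimate ~/.ssh files are text: PEM or OpenSSH key material, public keys, config, known_hosts.
KEY_TEXT_PREFIXES = (b"-----BEGIN ", b"ssh-rsa ", b"ssh-ed25519 ", b"ecdsa-sha2-")
KEY_NAME = re.compile(r"^(?:id_[a-z0-9]+(?:\.pub)?|.*\.(?:pem|key))$")
CRON_SCHEDULE = re.compile(r"^\s*(?:[\d*,/-]+\s+){5}")       # five schedule fields of a crontab line
SEPARATOR = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")            # boundaries between simple commands
WRAPPERS = {"nohup", "exec", "setsid", "sudo"}
KILLERS = {"pkill", "killall", "kill"}


def elf_binaries_in_ssh(files):
    """Entries under ~/.ssh whose content starts with the ELF magic: a binary hiding among keys."""
    return sorted(name for name, data in files.items() if data.startswith(ELF_MAGIC))


def fake_key_files(files):
    """Key-named entries that are neither key text nor ELF, e.g. a GSocket secret in 'id_rsa.pub'."""
    return sorted(name for name, data in files.items()
                  if KEY_NAME.match(name.rsplit("/", 1)[-1])
                  and not data.startswith(KEY_TEXT_PREFIXES) and not data.startswith(ELF_MAGIC))


def commands_in(line):
    """Split a crontab or shell line into its simple commands, schedule fields stripped."""
    body = CRON_SCHEDULE.sub("", line, count=1)
    return [c for c in SEPARATOR.split(body) if c.strip()]


def runs_from_ssh_dir(command):
    """True when the command word itself (not an argument, as in 'ssh -i ~/.ssh/key') lives under .ssh/."""
    tokens = command.split()
    while tokens and tokens[0] in WRAPPERS:
        tokens.pop(0)
    return bool(tokens) and ".ssh/" in tokens[0]


def suspicious_persistence_lines(lines):
    """(line, reason) for crontab/.profile lines executing a file from ~/.ssh; notes kill-then-restart loops."""
    hits = []
    for line in lines:
        if line.lstrip().startswith("#"):
            continue
        cmds = commands_in(line)
        for i, cmd in enumerate(cmds):
            if runs_from_ssh_dir(cmd):
                restart = any(c.split()[0] in KILLERS for c in cmds[:i])
                hits.append((line, "executes a file under .ssh/" + ("; kill-then-restart loop" if restart else "")))
                break
    return hits


# Constructed inputs modelled on the diary: a binary and a secret under ~/.ssh/putty, restarted hourly.
SAMPLE_SSH_DIR = {
    "id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "id_ed25519.pub": b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host\n",
    "known_hosts": b"github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...\n",
    "putty/id_rsa": b"\x7fELF\x02\x01\x01\x00" + bytes(8),   # disguised gs-netcat
    "putty/id_rsa.pub": b"A1b2C3d4E5f6G7h8I9j0\n",            # shared secret in a key-named file (assumed name)
}
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 * * * * pkill -f .ssh/putty/id_rsa; $HOME/.ssh/putty/id_rsa -k $HOME/.ssh/putty/id_rsa.pub -liqD",
    "30 2 * * * /usr/bin/rsync -a /srv/data backup:/srv/",
]
SAMPLE_PROFILE = [
    "export PATH=$HOME/bin:$PATH",
    "ssh-add ~/.ssh/id_ed25519 2>/dev/null",
    "pkill -f .ssh/putty/id_rsa; nohup $HOME/.ssh/putty/id_rsa -k $HOME/.ssh/putty/id_rsa.pub -liqD >/dev/null 2>&1 &",
]

if __name__ == "__main__":
    print("ELF under .ssh:", elf_binaries_in_ssh(SAMPLE_SSH_DIR))
    print("fake key files:", fake_key_files(SAMPLE_SSH_DIR))
    for src in (SAMPLE_CRONTAB, SAMPLE_PROFILE):
        for line, reason in suspicious_persistence_lines(src):
            print(f"{reason}: {line}")
```

On a real host feed it the bytes of each file under every user's ~/.ssh, `crontab -l` output per user plus /etc/cron.d, and the shell profiles; the timestamp-restoration trick in the script means mtime-based triage will miss the files, so content checks like the ELF magic matter more than "recently modified".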

VulnerabilityRapid7·78d ago
Preemptive and Proactive: An enhanced CNAPP available with Exposure Command

Earlier this year, we made a significant announcement: Rapid7 partnered with ARMO to add AI-powered cloud application detection and response (CADR), or cloud runtime security, to our cloud security portfolio. At the time, I published a blog highlighting this two-part approach for modern cloud security that combines preemptive exposure management (understanding the threats that could exist) with proactive runtime security (detecting the threats that are happening). Today, we are thrilled to announce that this vision is fully realized and integrated with Rapid7 Exposure Command. For our customers, this milestone represents our ability to deliver on the promise of a complete Cloud-Native Application Protection Platform (CNAPP) that helps security teams preemptively identify and proactively thwart attacks.

Exploring the possibilities of this unified CNAPP

At Rapid7, we believe that a CNAPP is unified if it operates from a single, objective source of truth. By integrating cloud runtime security directly into Exposure Command, we are seamlessly merging the preemptive (posture, configurations, identities, and vulnerabilities) with the proactive (runtime behavior and active threats). The table below summarizes this enhancement:

Primary Focus
  Today's Rapid7 Cloud Security solution: Prevention, risk reduction, and preemptive response
  What cloud runtime adds: Real-time exposure detection and proactive response
Core Question
  Today's Rapid7 Cloud Security solution: "What is vulnerable and could be attacked?"
  What cloud runtime adds: "Is an attacker exploiting our environment now?"
Lifecycle Stage
  Today's Rapid7 Cloud Security solution: Pre-deployment, continuous scanning, or periodic intervals
  What cloud runtime adds: Continuous monitoring of live (in-production) workloads
What It Finds
  Today's Rapid7 Cloud Security solution: Misconfigurations, exposed secrets, software CVEs, missing patches
  What cloud runtime adds: Active exploits, lateral movement, unauthorized process execution, SQL injection

The true power of this unified architecture is best understood through the lens of a security practitioner's daily battle against cloud threats. The previous blog post discussed this in theory; let's use this blog to talk about the reality.

The baseline

Exposure Command continuously scans and assesses your cloud posture to identify whether a container exposure exists in a production cluster. Traditional scanners would stop here, leaving you to prioritize this vulnerability against others. In Exposure Command, this detection is not just part of a static score; it is part of an attack path. Our preemptive security platform tells you, for instance, whether this specific container has internet access and an over-privileged IAM role, making it highly reachable and exploitable. This means that you are not just looking at a CVE; you are looking at the potential blueprint behind a major breach.

The proactive validation

This is where cloud runtime security turns theory into reality. Instead of treating the vulnerability as just a potential risk, the platform utilizes eBPF sensors to provide continuous, direct kernel-level observability and application

VulnerabilityCISA·78d ago
Automated Logic WebCTRL Premium Server

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-08.json

Summary

Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications.

The following versions of Automated Logic WebCTRL Premium Server are affected:
- WebCTRL Premium Server

CVSS v3 9.1 | Vendor: Automated Logic | Equipment: Automated Logic WebCTRL Premium Server | Vulnerabilities: Multiple Binds to the Same Port, Authentication Bypass by Spoofing, Cleartext Transmission of Sensitive Information

Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-25086
Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-25086

Affected Products
Automated Logic WebCTRL Premium Server
- Vendor: Automated Logic
- Product Version: Automated Logic WebCTRL Premium Server: <v8.5
- Product Status: known_affected

Remediations
Mitigation: Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.
Mitigation: For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/.
https://www.auto
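The weakness class behind CVE-2026-25086 (CWE-605, multiple binds to the same port), shown on a loopback UDP port as an added example that is not WebCTRL's code, port or configuration and touches no BACnet traffic: a "service" socket binds first, a second local socket tries the same address and port, and one probe datagram shows who the kernel hands it to. With `SO_REUSEPORT` set on the service's socket the second bind succeeds and the co-resident process can receive (and answer) the service's traffic; without it the second bind fails with EADDRINUSE. This needs Linux, BSD or macOS for `SO_REUSEPORT`.

```python
import errno
import select
import socket


def shared_port_experiment(share_port):
    """Bind a 'service' UDP socket, let an 'attacker' socket try the same 127.0.0.1:port, send a probe.
    Returns {"second_bind_ok": bool, "receiver": "service" | "attacker" | None}."""
    if not hasattr(socket, "SO_REUSEPORT"):
        raise RuntimeError("needs a platform with SO_REUSEPORT (Linux, BSD, macOS)")
    service = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    attacker = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if share_port:
            # The misconfiguration: the service's own socket permits port sharing, so any other
            # process under the same effective UID that sets the same option can join the port.
            service.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
            attacker.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        service.bind(("127.0.0.1", 0))          # OS picks a free port; stands in for the service port
        port = service.getsockname()[1]
        try:
            attacker.bind(("127.0.0.1", port))  # the co-resident impersonator
            second_ok = True
        except OSError as e:
            if e.errno != errno.EADDRINUSE:
                raise
            second_ok = False
        client.sendto(b"probe", ("127.0.0.1", port))
        candidates = [service, attacker] if second_ok else [service]
        readable, _, _ = select.select(candidates, [], [], 2.0)
        receiver = "service" if service in readable else ("attacker" if attacker in readable else None)
        return {"second_bind_ok": second_ok, "receiver": receiver}
    finally:
        for s in (service, attacker, client):
            s.close()


if __name__ == "__main__":
    print("exclusive bind:", shared_port_experiment(share_port=False))
    print("shared bind:   ", shared_port_experiment(share_port=True))
```

The hardened form is the default: a service must not set `SO_REUSEADDR` or `SO_REUSEPORT` on the socket it serves on, and on Linux `SO_REUSEPORT` additionally requires every joining socket to share the first one's effective UID, so running the service under a dedicated account keeps other local users out even if the option is set. Where the datagram lands with the port shared is up to the kernel's distribution among the group, which is exactly what makes interception and impersonation possible.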

VulnerabilityCISA·78d ago
Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-02.json

Summary

Successful exploitation of this vulnerability may risk a cross-site scripting or an open redirect attack, which could result in an account takeover scenario or the execution of code in the user's browser.

The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected:
- Modicon M241: versions prior to 5.4.13.12
- Modicon M251: versions prior to 5.4.13.12
- Modicon Controllers M258: all firmware versions
- Modicon Controllers LMC058: all firmware versions

CVSS v3 5.4 | Vendor: Schneider Electric | Equipment: Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 | Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France

Vulnerabilities

CVE-2025-13902
A CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow authenticated attackers to have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-13902

Affected Products
Schneider Electric Modicon Controllers M241, M251, M258, and LMC058
- Vendor: Schneider Electric
- Product Version: Modicon M241 versions prior to 5.4.13.12; Modicon M251 versions prior to 5.4.13.12; Modicon Controllers M258 all firmware versions; Modicon Controllers LMC058 all firmware versions
- Product Status: known_affected
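The "hover over a crafted element" description is the signature of an injected `onmouseover` handler. An added example of the pattern and its fix, generic and not taken from the Modicon firmware: a vulnerable renderer that drops an attacker-controlled label into an attribute and the element body, the hardened renderer that encodes for that context, and a check that parses the result the way a browser would, so it is not fooled by an encoded `onmouseover=` that merely appears in the text. The payloads are constructed.

```python
import html
from html.parser import HTMLParser


def render_label_unsafe(label):
    """Vulnerable pattern: untrusted text placed into an attribute and the element body as-is."""
    return f'<span class="tag" title="{label}">{label}</span>'


def render_label_safe(label):
    """Hardened form: HTML-encode for the attribute context; quote=True also neutralises " and '."""
    safe = html.escape(label, quote=True)
    return f'<span class="tag" title="{safe}">{safe}</span>'


class HandlerFinder(HTMLParser):
    """Tokenises the markup as a browser would and records every on* attribute it sees."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers.extend((tag, name) for name, _ in attrs if name.startswith("on"))


def injected_handlers(markup):
    """(tag, attribute) pairs for event handlers present in the parsed markup; empty means safe."""
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


# Constructed payloads: the first closes the title attribute and adds a hover handler (the attribute
# context), the second injects a whole element (the body context).
HOVER_PAYLOAD = '" onmouseover="alert(document.cookie)'
TAG_PAYLOAD = '<img src=x onerror="alert(1)">'

if __name__ == "__main__":
    for payload in (HOVER_PAYLOAD, TAG_PAYLOAD):
        print("unsafe:", injected_handlers(render_label_unsafe(payload)))
        print("safe:  ", injected_handlers(render_label_safe(payload)))
```

Two details matter for a product like a controller's embedded web server: the encoding has to be chosen per output context (attribute values need the quote characters encoded, which `html.escape` without `quote=True` does not do), and a regex over the raw string is not a valid check, because the encoded output still contains the literal text `onmouseover=` inside a quoted value.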

VulnerabilityCISA·78d ago
CTEK Chargeportal

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json

Summary

Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

The following versions of CTEK Chargeportal are affected:
- Chargeportal: all versions (vers:all/*)

CVSS v3 9.4 | Vendor: CTEK | Equipment: CTEK Chargeportal | Vulnerabilities: Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background
- Critical Infrastructure Sectors: Energy, Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Sweden

Vulnerabilities

CVE-2026-25192
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-25192

Affected Products
CTEK Chargeportal
- Vendor: CTEK
- Product Version: CTEK Chargeportal: vers:all/*
- Product Status: known_affected

Remediations
Mitigation: CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information: https://www.ctek.com/support

Relevant CWE: CWE-306 Missing Authentication for Critical Function (https://cwe.mitre.org/data/definitions/306.html)

Metrics
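The check that CVE-2026-25192 says is absent, as an added example on the backend side (not CTEK's code): an OCPP-J charge point connects to `ws://<csms>/<prefix>/<chargePointId>` with subprotocol `ocpp1.6`, and OCPP 1.6 security profile 1 authenticates it with HTTP Basic, username equal to the charge point ID. The weak pattern accepts any client that names a known ID; the hardened gatekeeper requires credentials, requires the Basic username to match the ID in the path, compares the secret in constant time, and locks a station after repeated failures, which covers the advisory's second CWE (improper restriction of excessive authentication attempts). Station IDs, secrets, the lockout threshold and the header dictionaries are constructed.

```python
import base64
import hmac
from hashlib import sha256

SUBPROTOCOL = "ocpp1.6"
MAX_FAILURES = 5  # constructed policy; see the usage note on lockout versus rate limiting

# Constructed per-station secrets (OCPP 1.6 profile 1 passwords are long random device secrets,
# which is why a plain hash is kept here instead of a password KDF).
SECRETS = {"CP-0001": "Q7vX2mLp9sRt4wNz8bKd", "CP-0002": "Hf3kJ6yTg1cVb5nMx0zA"}


def station_from_path(path):
    """Last path segment of the WebSocket URL is the charge point ID."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def parse_basic(headers):
    """(username, password) from an HTTP Basic Authorization header, or None if absent or malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, sep, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pw) if sep else None


def accept_by_id_only(path, known_ids):
    """The weak pattern behind CWE-306: naming a known station ID is enough to become that station."""
    return station_from_path(path) in known_ids


class Gatekeeper:
    """Hardened upgrade decision for the OCPP WebSocket endpoint."""

    def __init__(self, secrets):
        self._hashes = {sid: sha256(pw.encode()).hexdigest() for sid, pw in secrets.items()}
        self._failures = {}

    def authorize_upgrade(self, path, headers):
        """(True, station_id) to accept the upgrade, else (False, reason)."""
        station = station_from_path(path)
        if self._failures.get(station, 0) >= MAX_FAILURES:
            return (False, "locked")
        if headers.get("Sec-WebSocket-Protocol") != SUBPROTOCOL:
            return (False, "unsupported subprotocol")
        creds = parse_basic(headers)
        if creds is None:
            return self._fail(station, "missing credentials")
        user, pw = creds
        expected = self._hashes.get(station)
        if expected is None or user != station:
            return self._fail(station, "unknown station or identity mismatch")
        if not hmac.compare_digest(sha256(pw.encode()).hexdigest(), expected):
            return self._fail(station, "bad password")
        self._failures.pop(station, None)
        return (True, station)

    def _fail(self, station, reason):
        self._failures[station] = self._failures.get(station, 0) + 1
        return (False, reason)


def basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


# Constructed upgrade requests: a legitimate charger and an impersonator who knows only the ID.
LEGIT = {"Sec-WebSocket-Protocol": SUBPROTOCOL, "Authorization": basic("CP-0001", SECRETS["CP-0001"])}
IMPERSONATOR = {"Sec-WebSocket-Protocol": SUBPROTOCOL}

if __name__ == "__main__":
    gate = Gatekeeper(SECRETS)
    print("id-only accepts impersonator:", accept_by_id_only("/ocpp/CP-0001", SECRETS))
    print("gatekeeper, impersonator:    ", gate.authorize_upgrade("/ocpp/CP-0001", IMPERSONATOR))
    print("gatekeeper, legitimate:      ", gate.authorize_upgrade("/ocpp/CP-0001", LEGIT))
```

One caveat on the lockout: counting failures per station ID means an attacker who knows the ID can lock the real charger out, which turns the authentication gap into the denial of service the advisory also mentions. In production, key the counter on the source address (or rate-limit instead of locking), and move supported fleets to OCPP security profile 2 or 3, where the connection is TLS and the charge point is identified by a client certificate rather than a shared password.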