← All threat briefs
Threat Brief

Weekly Situation Report — 3/30/26

Executive summary

This week’s developments for partners and clients: breaches, emerging vulnerabilities, research, threat actor activity, and mitigation guidance.

Key takeaways

  • A critical Oracle Identity Manager vulnerability (CVE-2026-21992) enables remote code execution on affected systems.
  • TEAMPCP supply chain attacks are escalating following the compromise of a security tool used in development environments.
  • Attackers are abusing Microsoft Azure Monitor alerts to conduct callback phishing campaigns against targeted users.
  • The United States has announced a ban on certain foreign consumer-grade routers over national security concerns.
  • PTC has warned customers of an imminent threat from a critical remote code execution flaw in Windchill and FlexPLM.
  • Threat actors are actively exploiting the Magento “PolyShell” vulnerability to compromise e-commerce platforms.

1. Oracle Identity Manager Flaw CVE-2026-21992 Results in RCE

Summary

Oracle released an urgent security update to address a severe unauthenticated remote code execution vulnerability (CVE-2026-21992) in Oracle Identity Manager and Web Services Manager.

Category

Critical Vulnerabilities

Industry

Multiple

Analyst comments

Oracle distributed an out-of-band security update addressing a critical unauthenticated remote code execution vulnerability in Oracle Identity Manager and Web Services Manager. The vulnerability is easily exploitable over HTTP without requiring authentication or user interaction. Patches are only available for versions under Premier or Extended Support, leaving older unsupported versions vulnerable.

Affected versions:

Oracle Identity Manager, versions 12.2.1.4.0, 14.1.2.1.0
Oracle Web Services Manager, versions 12.2.1.4.0, 14.1.2.1.0

Actionable guidance

Patching is the primary defense mechanism. Restricting API endpoints from public internet access may reduce the attack surface. Defenders should monitor for traffic from non-standard API REST endpoints. Any unauthenticated access attempts to atypical URL paths should be investigated. If the affected products don’t require public internet access, restrict them to internal networks accessible via VPN until patches are applied.


2. TEAMPCP Supply Chain Attacks Ramp Up After Security Tool Compromise

Summary

TeamPCP, also known as Shellforce, compromised Aqua Security’s GitHub organization and pushed malicious Docker images for Trivy, a widely-used vulnerability scanner. The group also compromised Checkmarx KICS, another automated security tool.

Category

Supply Chain Risk

Industry

Technology

Analyst comments

TeamPCP targeted Aqua Security by pushing malicious Docker images and tampering with GitHub repositories. Compromised artifacts appeared as image tags 0.69.5 and 0.69.6 on Docker Hub, indicating a breach of the company’s GitHub organization. The attackers exploited a service account to change repository descriptions and add prefixes across repositories.

Previously, the group compromised Checkmarx KICS, along with OpenVSX extensions: cx-dev-assist 1.7.0 and ast-results 2.53.0.

The attack led to two downstream compromises of PyPI packages LiteLLM and Telnyx’s Python SDK. The latest compromise uses steganography in .wav files containing base64 encoded Python code that downloads hidden payloads for credential theft. Threat actor communications indicate discussions with potential ransomware partners, suggesting a role as an initial access broker.

Compromised packages and versions:

# PYPI packages
telnyx==4.87.1
telnyx==4.87.2
Exposure window = March 27th

litellm==1.82.7
litellm==1.82.8
Exposure window = March 24th

# Trivy tools
trivy==0.69.4
trivy==0.69.5
trivy==0.69.6
trivy-action==0.35.0
setup-trivy==All releases
Exposure window = March 19th-March 22nd

# Checkmarx KICS Packages from OpenVSX
ast-results==2.53.0
cx-dev-assist==1.7.0
Exposure window = March 23rd

Actionable guidance

Organizations should audit projects to determine if compromised versions were installed. Remove affected packages and audit projects for added code, commits, or unattributable activity. Rotate cloud credentials, secrets, and sensitive access information immediately. This should be treated as high priority, as credible information suggests these attacks may precede ransomware campaigns.

The malware primarily targets Windows hosts and will drop msbuild.exe in the current user’s startup folder for persistence. Data exfiltration occurs via POST request with X-Filename header set as tpcp.tar.gz. Developers should review repository history for suspicious changes, especially code relying on base64 encoded content.


3. Microsoft Azure Monitor alerts abused for callback phishing attacks

Summary

Microsoft Azure Monitor is being exploited by threat actors to send phishing emails mimicking alerts from the Microsoft Security Team. These messages prompt recipients to call fraudulent support numbers about unauthorized charges, allowing attackers to bypass standard email security protocols.

Category

Phishing

Industry

Multiple

Analyst comments

Attackers send legitimate-looking Azure Monitor alerts about unauthorized charges, urging recipients to call specific numbers. These alerts are crafted by creating false conditions in Azure Monitor and using its legitimate email system, bypassing SPF, DKIM, and DMARC checks.

The scam involves entering fraudulent messages into alert descriptions mimicking automated billing notifications to create urgency and trick users into calling attacker-controlled numbers. Users are then guided to install AnyDesk as the next attack stage.

While emails typically bypass standard security rules, they include alert metadata that can aid identification.

Actionable guidance

It’s uncommon for non-IT or administrative users to receive Azure Monitor alerts, typically limited to system metrics for cloud infrastructure. Exceptions may include managers responsible for financial oversight. Emails with “Alert Monitor alert rule…” in the subject or description, when received by non-authorized users, may indicate phishing.

A mismatch between alert rule metadata and description may also indicate suspicious activity. Administrators should verify alerts directly within their environment and avoid calling provided numbers. RMM software like AnyDesk should be prevented from installation. If used normally, monitor heavily and require administrator approval for new installations.


4. US Bans Foreign Consumer Grade Routers

Summary

The U.S. is banning new foreign-made consumer-grade network routers due to national security concerns, though existing models are unaffected.

Category

Situational Awareness

Industry

Multiple (Primarily effects US-based organizations)

Analyst comments

The United States is banning new consumer-grade routers made in foreign countries per Federal Communications Commission updates under The Secure Networks Act. This decision targets foreign-produced routers for posing cybersecurity risks and potential critical infrastructure disruptions but doesn’t affect previously authorized models.

Consumer routers have been exploited in past cyberattacks like Volt Typhoon and Salt Typhoon through botnet-associated exploitation. Exemptions exist for devices approved by the Department of Defense or Homeland Security.

The covered list includes vendors historically supplying router and network products, covering hardware and software, plus IP camera and video surveillance products from brands like Dahua and Hangzhou Hikvision, Kaspersky security software, and Huawei phones.

Organizations may continue using older products to avoid migration costs and complexity, increasing attack surface and legacy device exploitation opportunities. The FCC has set March 1st, 2027 as the expiration date for patches and firmware support for approved foreign-made routers, indicating future approval requirements.

Actionable guidance

Organizations should review current vendor dependencies and begin planning for alternative options. Assess which systems rely on these products and identify migration candidates. Prepare for possible changes after March 1st, 2027, developing transition plans with timelines for migration and decommissioning.

Priority should be given to critical infrastructure such as networking and edge devices, especially those difficult to isolate. Early evaluation and phased planning will help manage risk while maintaining operational stability.


5. PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug

Summary

PTC Inc. has identified a critical vulnerability (CVE-2026-4681) in Windchill and FlexPLM enabling remote code execution through data deserialization. German authorities issued alerts to affected companies while PTC develops patches.

Category

Critical Vulnerabilities

Industry

Manufacturing

Analyst comments

PTC Inc. identified a critical vulnerability in Windchill and FlexPLM allowing remote code execution through trusted data deserialization, prompting emergency action from German authorities, including direct alerts by federal police. No patches are currently available. PTC recommends applying a mitigation rule to deny access to the affected servlet path.

Indicators of Compromise:

# User-Agent when combined with other indicators
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36

# Suspicious HTTP patterns
run?p=
.jsp?p=
run?c=
.jsp?c=

# Dropped files
GW.class - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1
payload.bin - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1

# Any .jsp files with random naming: dpr_<8-hex-digits>.jsp

Gen.class - 9856FCFC71099646F4E705BC906BD1BB170871290D364CA20C716E566257E264
HTTPRequest.class - 6B015D40D3E6A2B3425797B9B75B8F3868A7A6EAD155686E4AE0D9BFC87F4E57
HTTPResponse.class - 6F0472C8D83C0F85DFF106028F7ABB754631F7B585078B3919DAE99E3672C389
IXBCommonStreamer.class - B1B141130718FFF5A2F8E6A048165338DDBC50DA3A2464C43B FCA0476BAC4CC7
IXBStreamer.class - E207BDC91D172012AF28B028E9DD21C8B377E78286AD8C8E4E085F2D6E9C0C03
MethodFeedback.class - 6A88AB22B35C9D4DB9A582B6F386968355E4A4362235A6CDC038B672F9EC9372
MethodResult.class - 21A2AD61FC72E1256BBD037CBD5AD4279A916F9E4ADF0D197177BA95A22C881D
WTContextUpdate.class - 06E166A84701D430ADCDC19BA8DA2124CA223637919D6E89068219433BB9073F

# Log artifacts in '<APACHE_HOME>/logs' and '<WINDCHILL_HOME>/logs'
run?c=echo%20GW_READY_OK
c=echo%20GW_READY_OK
c=echo 20GW_READY_OK
GW_READY_OK
ClassNotFoundException for GW
Windchill Error or HTTP Gateway Exception

Actionable guidance

Implement the current workaround by denying access to affected servlet endpoints until patches are available. The provided indicators of compromise suggest active exploitation is already occurring, increasing the urgency of applying workarounds. Checking against the IOCs may identify past breaches requiring investigation.


6. Magento ‘PolyShell’ Vulnerability Abused By Threat Actors

Summary

Hackers are exploiting the ‘PolyShell’ vulnerability in Magento installations, affecting over half of all vulnerable stores, and delivering a novel WebRTC-based payment card skimmer that evades security controls.

Category

Known Exploited Vulnerabilities

Industry

Retail, Automotive

Analyst comments

Hackers are actively exploiting the PolyShell vulnerability in Magento Open Source and Adobe Commerce version 2, affecting more than half of vulnerable stores as of March 19th. The exploitation primarily targets retail and e-commerce organizations, likely driven by financially motivated threat actors.

The vulnerability lies within Magento’s REST API, allowing remote code execution or account takeover through polyglot files if web server configuration permits it. Though a fix was released in version 2.4.9-beta1, no stable release is available from Adobe.

A financially motivated threat actor deployed a WebRTC-based payment card skimmer bypassing CSP controls using DTLS encrypted UDP for data exfiltration. The skimmer was identified on a major automaker’s website, sending WebRTC traffic over UDP port 3479 to C2 server 202.181.177[.]177 (ASN210083, Privex, Belize). The automotive retail focus suggests targeting of high-value transactions.

Actionable guidance

Version 2.4.9-beta1 is available as a pre-release patch, but a stable patch hasn’t been released. Third-party patches exist but aren’t recommended until official stable patches are available. The vulnerability stems from unrestricted uploads affecting multiple endpoints. Mitigate by blocking write access to folder locations in Apache/Nginx via .htaccess files, allowing only .png, .svg, or .jpg extensions.

More briefs
Weekly Situation Report — 6/15/26Jun 18, 2026Weekly Situation Report — 6/8/26Jun 11, 2026Weekly Situation Report — 6/1/26Jun 4, 2026
Talk to an expert