Executive summary
This week’s developments for partners and clients: breaches, emerging vulnerabilities, research findings, threat actor movement, and mitigation guidance.
Key takeaways
- VMware released patches for remote code execution vulnerabilities in Aria Operations allowing complete system compromise
- Iranian-linked attacks targeted internet-connected IP cameras, likely involving state actors and affiliated groups
- APT28 exploited MSHTML vulnerability CVE-2026-21513 as a zero-day before Microsoft’s February Patch Tuesday
- Juniper JunOS vulnerability CVE-2026-21902 enables remote code execution on network devices
- LexisNexis suffered a breach exposing legacy data through the React2Shell vulnerability
- Threat actors abuse OAuth error-handling flows to manipulate users into granting malicious permissions
- Cisco confirmed active exploitation of privilege escalation vulnerabilities in SD-WAN products
1. (UPDATED) VMware Addresses Aria Operations Remote Code Execution Vulnerabilities
Summary
Broadcom released patches for high-severity vulnerabilities in VMware Aria Operations, including a critical command injection flaw (CVE-2026-22719) permitting remote code execution by unauthenticated attackers, plus stored XSS and privilege escalation issues.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
- https://www.securityweek.com/vmware-aria-operations-vulnerability-could-allow-remote-code-execution/
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
- https://www.securityweek.com/vmware-aria-operations-vulnerability-exploited-in-the-wild/
- https://nvd.nist.gov/vuln/detail/CVE-2026-22719
Analyst comments
Broadcom patched several high-severity flaws in VMware Aria Operations. CVE-2026-22719 is a command injection issue allowing unauthenticated remote code execution during product migration. CVE-2026-22720 represents a stored cross-site scripting vulnerability enabling administrative actions through script injection, potentially creating custom benchmarks. CVE-2026-22721, a medium-severity privilege escalation flaw, can grant administrative access. Updates apply to VMware Cloud Foundation, vSphere Foundation, and Aria Operations.
Previously, these vulnerabilities showed no evidence of wild exploitation. The command injection flaw poses the greatest risk, though exploitation complexity involves support-assisted product migration. Currently, no public proof-of-concept or attributed threat actor activity exists. A likely exploitation scenario could mirror social engineering tactics employed by groups like ShinyHunters using remote management tools.
Update 3/9/25
CVE-2026-22719 has now been exploited in the wild. Neither public nor internal honeypot data shows scanning activity attributable to specific known threat actors. Public honeypot data indicates a slight traffic increase beginning March 1st, primarily targeting Europe and North American regions.
Actionable guidance
Apply vendor patches to remediate these issues. Abuse may appear as network traffic containing Unix or Windows command line strings within web requests to the device.
| Product | Fixed |
|---|---|
| VMWare Cloud Foundation | 9.0.2.0 |
| VMWare vSphere Foundation | 9.0.2.0 |
| VMWare Aria Operations | 8.18.6 |
2. Iranian Hacking Attempts Hit IP Cameras—Likely Allied Hacktivists and Iranian Military
Summary
Reports indicate Iranian hacking groups, likely aligned hacktivists or potential military actors, targeted Hikvision and Dahua CCTV systems in Israel and other Middle Eastern countries since February 28. Compromised camera feeds may support kinetic attacks.
Category
Emerging Threats
Industry
Government, Military Contractors, Multiple
Sources
- https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/
- https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/
- https://mastodon.social/@netblocks/116175384626062914
- Internal OSec Collection
Analyst comments
While initial reports suggested ongoing exploitation by Iranian actors against IP cameras, current intelligence indicates this assessment requires revision. Internet blackouts imposed in Iran, continuing through the 5th, severely restrict operational capacity of non-military organizations and individuals launching cyberattacks. Internal honeypot data corroborates this, showing stark traffic reduction coinciding with Iran’s blackout timing. Unverified activity likely originates from the Iranian government or military, as civilian internet access remains restricted.
Observed hacktivist activity appears driven primarily by external actors claiming Iranian affiliation rather than domestic entities. These groups have conducted months-long DDoS campaigns and exploited operational technology systems against Israel, with renewed focus following war escalation.
Actionable guidance
This threat primarily impacts Israeli organizations holding military or intelligence contracts utilizing Hikvision and Dahua cameras. Mitigation includes ensuring firmware updates and segregating camera systems from corporate networks via dedicated VLANs or network segments. IP cameras should remain non-publicly accessible unless required for public service; verify exposures align with organizational security policies and best practices.
3. APT28 Abused CVE-2026-21513 MSHTML Zero-Day Before February Patch Tuesday
Summary
A high-severity security flaw (CVE-2026-21513) in Microsoft’s MSHTML Framework was exploited as a zero-day by Russia-linked APT28. This flaw allows unauthorized attackers to bypass security features via manipulated HTML or LNK files, potentially executing malicious code.
Category
Threat Actor Activity
Industry
Government and Public Administration, Multiple (primarily Western and Central Europe)
Sources
- https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html
- https://www.akamai.com/blog/security-research/2026/feb/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
- https://www.clearskysec.com/wp-content/uploads/2026/03/BadPaw_and_MeowMeow.pdf
- https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit
Analyst comments
APT28 exploited CVE-2026-21513 affecting the MSHTML Framework as a zero-day before the February 2026 Microsoft update. The vulnerability allows attackers to bypass browser security features and execute code through crafted HTML or LNK files manipulating Windows Shell handling. Researchers identified forensic artifacts on January 30, 2026, tied to APT28 infrastructure. The flaw stems from insufficient hyperlink navigation validation within “ieframe.dll,” enabling trust boundary manipulation bypassing security configurations like Mark of the Web and IE Enhanced Security Configuration.
Researchers identified vulnerability context within a .lnk file:
{ h1 = new window[0].ActiveXObject('htmlfile'); };
('<html><body><iframe src=%22about:blank%22></iframe><iframe
src=%22about:blank%22></iframe>%3cscript
defer%3ewindow[1].document.Script.open(%22http:///%22,%22_parent%22)%3c/script%3e
</body></html>'));
While this context appears within a .lnk file, any document running MSHTML faces vulnerability.
This activity may represent evolution of the recent Neusploit campaign targeting Central and Western Europe attributed to this threat actor.
Actionable guidance
Apply necessary Microsoft patches for supported Windows products to remediate vulnerabilities actively exploited by this threat actor. The actor uses domains and IP addresses in Russia and Moldova. Geoblocking these locations, if unnecessary for operations, reduces compromise risk. The actor targets organizations in Ukraine supply chains or providing financial aid to the country, relying primarily on phishing for initial access. Recent samples impersonate government or judicial entities in targeted countries (Romania, Slovakia, Ukraine, Spain). Unknown third parties sometimes direct victims to open malicious RTF attachments.
4. Juniper JunOS CVE-2026-21902 Remote Code Execution Disclosed
Summary
Juniper Networks released an emergency patch for a critical remote code execution vulnerability (CVE-2026-21902) affecting PTX routers running Junos OS Evolved. The company urges immediate patching to prevent unauthenticated attackers from gaining complete control of affected devices.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
- https://securityaffairs.com/188609/security/juniper-issues-emergency-patch-for-critical-ptx-router-rce.html
- https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/
Analyst comments
Juniper Networks released an emergency patch for Junos OS Evolved addressing CVE-2026-21902, a critical remote code execution vulnerability affecting PTX Series routers. This flaw allows unauthenticated remote attackers to execute code as root due to incorrect permissions in the On-Box Anomaly Detection framework, which should remain internally accessible but is improperly exposed externally.
Current assessment indicates no active wild exploitation. However, vulnerability disclosure mechanics suggest exploitation will likely follow shortly. Public honeypot data shows minimal traffic targeting Juniper devices overall, with no activity isolated to this specific vulnerability. A slight traffic increase toward US and Asia-based targets occurred starting February 27, though overall activity remains limited. Following newly disclosed vulnerability patterns, exploitation likelihood increases after public disclosure.
Actionable guidance
Apply patches promptly or implement workarounds including service disabling or access restriction via ACLs. These hosts should not expose themselves on the public internet, as exposure increases near-term exploitation risk. If exploitation is suspected, the first POST request in the exploitation chain calls /config/<command>/<command name> with JSON body content containing “type”: “RE-SHELL” and “syntax”: "<OS command string here>". Monitoring controls should alert on requests using type RE-SHELL to identify potential malicious behavior before network impact occurs. This issue affects versions prior to 25.4R1-S1-EVO and 25.4R2-EVO.
5. LexisNexis Breached by Hackers with Legacy Data Accessed Using React2Shell
Summary
LexisNexis confirmed a security incident where a threat actor accessed legacy data from before 2020. Exposed data includes customer names, user IDs, business contact information, products used, customer surveys with IP addresses, and support tickets. No financial information or Social Security numbers were compromised.
Category
Confirmed Breach
Industry
Multiple, Education, Real Estate
Sources
- https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data
- https://www.reddit.com/r/Scams/comments/1piw9lc/fulcrumsec_is_this_ascam_then_how_it_works/
- https://infosec.exchange/@briankrebs/116167069307320473
- Internal OSec Collection
Analyst comments
LexisNexis confirmed that cybercriminal forum data originated from a recent security incident. Unauthorized access affected a limited number of servers containing mostly legacy data from before 2020. The breach involved stealing 2 GB of information including millions of records and contact details: .gov email addresses, government agency and law firm account records, passwords, IT incident tickets, customer names, user IDs, business contact information, product usage history, customer surveys with IP addresses, and support tickets. The company engaged cybersecurity firms for investigation and informed impacted customers but did not answer questions regarding ransom demands or initial intrusion detection timing. LexisNexis maintains no evidence of product and service compromise, with breached data excluding sensitive information such as Social Security numbers, financial data, or customer search details.
Actionable guidance
Prioritize patching externally facing web and VPN infrastructure, especially since public proof-of-concept code exists. Follow with regular audits of cloud permissions and roles preventing overly permissive access enabling lateral movement. Sensitive internal data must remain unexposed to the public internet. Permissions, roles, users, and controls require consistent review ensuring adequate infrastructure hardening against potential attacks.
The group actively seeks leaking secrets and server-side request forgery opportunities, targeting .env files, abusing outdated IMDSv1 endpoints, or utilizing tools like TruffleHog harvesting credentials. They may leverage this data pressuring customers via email demanding action from previously breached companies. The group employs social engineering techniques and known VPN vendors within tactics and infrastructure, similar to exploitation and extortion campaigns by SLSH.
Organizations within major technology supply lines and medium to large revenue-generating companies with substantial customer bases face increased targeting likelihood. Since the group prioritizes one-click vulnerabilities and public proof-of-concept for initial access, patching exposed infrastructure becomes critical. The group demonstrates high cloud infrastructure proficiency exploiting misconfigurations. Organizations should prioritize hardening practices: securing metadata endpoints, preventing environment file exposure through web applications, ensuring CDNs do not expose sensitive static data, reviewing and hardening folder and web permissions, and provisioning roles and users according to least privilege or zero trust principles. Spikes in IT support calls or individuals claiming IT status contacting help desks may indicate active attacks or targeting by this threat actor or similar groups like SLSH.
6. Hackers Abuse OAuth Error Flows to Spread Malware
Summary
Attackers abuse legitimate OAuth redirection processes tricking users into authenticating malicious applications. This typically occurs through deceptive URLs in phishing emails targeting government and public sector organizations. The technique enables multi-factor authentication bypass and malware delivery while appearing as legitimate authorization requests.
Category
Phishing
Industry
Government and Public Administration
Sources
- https://www.bleepingcomputer.com/news/security/microsoft-hackers-abuse-oauth-error-flows-to-spread-malware/
- https://x.com/rst_cloud/status/2028976957287788661
Analyst comments
Hackers exploited OAuth’s redirection mechanism bypassing phishing protections, leading users to pages mimicking legitimate requests such as e-signature or financial notifications. These attacks involve creating unauthorized OAuth applications with redirect URIs pointing to attacker-controlled infrastructure, causing authentication errors redirecting users to phishing sites or malware download paths. Misuse includes auto-filling victim email addresses on phishing pages and using malicious shortcut files loading payloads into memory, bypassing multi-factor authentication protections. Organizations should tighten OAuth application permissions and enforce strong identity protection measures.
Several patterns emerge in this campaign. The threat actor abuses web page creation and similar hosting services, likely reducing domain registration and rotation needs. Most domains used appear as powerappsportals[.]com, with recent samples using this domain. Other domains include github[.]io, surge[.]sh, and custom domains with .im, .top, and .br extensions:
https://dynamic-entry[.]powerappsportals[.]com/dynamics/
https://westsecure[.]powerappsportals[.]com/security/
https://gbm234[.]powerappsportals[.]com/auth/
https://email-services[.]powerappsportals[.]com/divisor/
https://memointernals[.]powerappsportals[.]com/auth/
https://calltask[.]im/cpcounting/via-secureplatform/quick/
https://ouviraparelhosauditivos[.]com[.]br/auth/entry[.]php
https://abv-abc3[.]top/abv2/css/red[.]html
https://weds101[.]siriusmarine-sg[.]com/minerwebmailsecure101/
https://mweb-ssm[.]surge[.]sh
https://login-web-auth[.]github[.]io/red-auth/
https://ssmapp[.]github[.]io/web
https://ssmview-group[.]gitlab[.]io/ssmview
Researchers attempted identifying additional network infrastructure by reviewing newly uploaded samples and URLs containing “prompt=none” in OAuth redirect requests.
Actionable guidance
Users should exercise caution regarding unsolicited email messages requesting file downloads or attachments. Links redirecting via OAuth with “prompt=none” warrant suspicion, especially if error conditions trigger further page redirection. Files downloaded during this sequence likely indicate malware consistent with campaign tactics. URL links using known website building and hosting services leading to file or archive downloads should receive suspicious designation. Alerts should trigger for activity involving surge[.]sh, powerappsportals[.]com, or unfamiliar github[.]io domains. Generate alerts for “prompt=none” in authorization URLs, and conduct application permission auditing and review. Organizations should implement strict conditional access policies, disable user-driven app consent, and alert on suspicious application integrations.
7. Cisco SD-WAN Privilege Escalation Vulnerabilities Exploited in the Wild
Summary
Cisco warned that two recently patched Catalyst SD-WAN vulnerabilities (CVE-2026-20128 and CVE-2026-20122) are undergoing active exploitation. The company urges organizations applying latest security updates to mitigate risks related to potential system access, privilege escalation, and file overwrite exploits.
Category
Known Exploited Vulnerabilities
Industry
Technology
Sources
- https://securityaffairs.com/189056/security/cisco-flags-ongoing-exploitation-of-two-recently-patched-catalyst-sd-wan-flaws.html
- https://github.com/PyramidOfPain/CISA-ED-26-03
- https://thehackernews.com/2026/03/cisco-confirms-active-exploitation-of.html
- https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v#:~:text=Exploitation%20and%20Public%20Announcements
- https://github.com/BugFor-Pings/CVE-2026-20127_EXP
- https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/
- https://www.team-cymru.com/post/tracking-cyberstrikeai-usage
- https://www.darkreading.com/threat-intelligence/600-fortigate-devices-hacked-ai-amateur
Analyst comments
Cisco issued warnings regarding two recently patched Catalyst SD-WAN flaws (CVE-2026-20128 and CVE-2026-20122) undergoing active exploitation. These vulnerabilities could allow attackers elevating privileges, accessing sensitive information, or overwriting arbitrary files in Cisco’s SD-WAN Manager software.
Currently, no public proof-of-concept exists for these two vulnerabilities and the responsible threat actor remains unconfirmed.
Actionable guidance
Apply patches remediating these issues. Prioritize patch application as threat actors actively exploit these vulnerabilities compromising systems. No workarounds exist beyond patching mitigating these issues. If immediate patching proves impossible, isolate vulnerable versions preventing public internet exposure until patches apply. The following illustrates fixed versions of these Cisco hosts:
| Cisco Catalyst SD-WAN Manager Release | First Fixed Release |
|---|---|
| Earlier than 20.9 | Migrate to a fixed release |
| 20.9 | 20.9.8.2 |
| 20.11 | 20.12.6.1 |
| 20.12 | 20.12.5.3 |
| 20.12.6.1 | 20.12.6.1 |
| 20.13 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 | 20.18.2.1 |
| 20.18 | 20.18.2.1 |