April 2 / 2026 / Reading Time: 11 minutes

Weekly Situation Report : 3/30/26

EXECUTIVE SUMMARY

This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.

KEY TAKEAWAYS

  • A critical Oracle Identity Manager vulnerability (CVE-2026-21992) enables remote code execution on affected systems.
  • TEAMPCP supply chain attacks are escalating following the compromise of a security tool used in development environments.
  • Attackers are abusing Microsoft Azure Monitor alerts to conduct callback phishing campaigns against targeted users.
  • The United States has announced a ban on certain foreign consumer-grade routers over national security concerns.
  • PTC has warned customers of an imminent threat from a critical remote code execution flaw in Windchill and FlexPLM.
  • Threat actors are actively exploiting the Magento “PolyShell” vulnerability to compromise e-commerce platforms.

1. Oracle Identity Manager Flaw CVE-2026-21992 Results in RCE

SUMMARY

Oracle released an urgent security update to address a severe unauthenticated remote code execution vulnerability (CVE-2026-21992) in Oracle Identity Manager and Web Services Manager.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/

https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

https://docs.oracle.com/cd/E52734_01/oim/OMDEV/apis.htm#OMDEV2841

https://docs.oracle.com/en/middleware/idm/identity-governance/14.1.2/oigap/rest-endpoints.html

https://docs.oracle.com/en/middleware/idm/ws-manager/14.1.2/owapi/rest-endpoints.html

Internal OSec Collection

ANALYST COMMENTS

Oracle released an out-of-band security update to address a critical unauthenticated remote code execution vulnerability (CVE-2026-21992) in Oracle Identity Manager and Oracle Web Services Manager. The vulnerability is exploitable over HTTP without authentication or user interaction. Oracle strongly recommends that customers apply the patches as soon as possible. The fix was distributed through Oracle's Security Alert program; however, patches are only available for versions under Premier or Extended Support, leaving older, unsupported versions without a fix. The following versions are affected:

Oracle Identity Manager, versions 12.2.1.4.0, 14.1.2.1.0
Oracle Web Services Manager, versions 12.2.1.4.0, 14.1.2.1.0

ACTIONABLE GUIDANCE

Patching is the first line of defense. The advisory does not describe workarounds, but restricting the products' REST API endpoints from the public internet reduces the attack surface available to threat actors. Defenders should look for traffic to non-standard or atypical REST endpoints of Oracle Identity Manager and Oracle Web Services Manager. There are no public details on how the vulnerability is being exploited; however, any unauthenticated request to unusual URL paths within the affected products should be regarded as suspicious and investigated to confirm whether an intrusion has occurred. If the affected Oracle products do not require public internet access, restrict them to internal networks reachable via VPN or similar solutions until the patches are applied.

2. TEAMPCP Supply Chain Attacks Ramp Up After Security Tool Compromise

SUMMARY

TeamPCP, also known as Shellforce, compromised Aqua Security's GitHub organization and pushed malicious Docker images for Trivy, a widely-used vulnerability scanner, leading to supply-chain attacks. Earlier that week, the group also compromised Checkmarx KICS, another automated security tool.

Category

Supply Chain Risk

Industry

Technology

Sources

https://news.ycombinator.com/item?id=47501729

https://github.com/krrishdholakia/betterprompt/commit/bf5c10811d4530b6342fef9127592892d5b9eaf0

https://github.com/aquasecurity/trivy/discussions/10420

https://www.endorlabs.com/learn/teampcp-isnt-done

https://github.com/krrishdholakia

https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm

https://github.com/NousResearch/hermes-agent/issues/2791

https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran

https://github.com/aquasecurity/trivy/discussions/10425

Internal OSec Collection

ANALYST COMMENTS

TeamPCP, also known as Shellforce, targeted Aqua Security by pushing malicious Docker images and tampering with GitHub repositories, following an earlier supply-chain attack in which Trivy's build pipeline was compromised to deliver infostealer malware. The malicious artifacts appeared as new image tags 0.69.5 and 0.69.6 on Docker Hub, indicating a breach of the company's GitHub organization, likely due to incomplete containment of the earlier incident. The attackers used a service account named Argon-DevOps-Mgt to change repository descriptions and add a prefix across Aqua Security's repositories, demonstrating a high level of access. On March 23rd the group had also compromised Checkmarx KICS, along with its OpenVSX extensions cx-dev-assist 1.7.0 and ast-results 2.53.0.

This attack has already led to two downstream compromises: the PyPI packages litellm and Telnyx's Python SDK (telnyx). The latest variant uses steganography: base64-encoded Python code downloads a .wav file that carries a hidden base64 payload, which is decoded and executed to steal credentials. Posts on the threat actor's Telegram channels show discussions with potential ransomware partners such as Vect on dark web forums, suggesting the group acts as an initial access broker focused on credential theft. The same sources indicate a focus on automated security and developer tooling, which aligns with the observed supply chain compromises.

The following packages and versions are known to have been compromised by this threat actor:

# PyPI packages
telnyx==4.87.1
telnyx==4.87.2

Exposure window = March 27th

litellm==1.82.7
litellm==1.82.8

Exposure window = March 24th

# Trivy tools
trivy==0.69.4
trivy==0.69.5
trivy==0.69.6
trivy-action==0.35.0
setup-trivy==all releases

Exposure window = March 19th - March 22nd

# Checkmarx KICS extensions downloaded from OpenVSX
ast-results==2.53.0
cx-dev-assist==1.7.0

Exposure window = March 23rd

ACTIONABLE GUIDANCE

Organizations and developers should audit their projects, lockfiles, container images and CI workflows to determine whether any of the compromised versions listed above were installed or referenced. If so, remove them and audit the affected projects for added code, unexpected commits or other unattributable activity. Cloud credentials, secrets and other sensitive access material exposed to the affected build or developer environment should be rotated immediately to reduce the risk of further compromise. Treat this as a priority: there is credible information that these intrusions may precede ransomware attacks in the near future. The newest iteration of the malware primarily targets Windows hosts and drops a file named msbuild.exe in the current user's Startup folder for persistence. Exfiltration occurs via an HTTP POST request with the X-Filename header set to tpcp.tar.gz; outbound requests carrying that header are a useful network detection. Developers should also review repository history for suspicious changes, especially code that relies heavily on base64-encoded content. The recent Telnyx compromise is a direct result of the LiteLLM supply-chain compromise.
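As an added example (our own illustration, not code from any of the affected projects), the following script performs the audit described above against a repository checkout: it checks pinned Python requirements or pip freeze output, Dockerfile FROM lines and GitHub Actions workflow uses: lines against the compromised versions listed above. The image names (aquasec/trivy on Docker Hub, ghcr.io/aquasecurity/trivy) and the sample files are assumptions for illustration; add any internal registry mirror you pull through.

```python
import re

# Compromised artifacts from the list above, as (name, version) pairs.
COMPROMISED_PYPI = {
    ("telnyx", "4.87.1"), ("telnyx", "4.87.2"),
    ("litellm", "1.82.7"), ("litellm", "1.82.8"),
}
# ASSUMPTION: image names. Add any internal mirror you pull Trivy through.
COMPROMISED_IMAGES = {
    (img, tag)
    for img in ("aquasec/trivy", "ghcr.io/aquasecurity/trivy")
    for tag in ("0.69.4", "0.69.5", "0.69.6")
}
COMPROMISED_ACTIONS = {("aquasecurity/trivy-action", "0.35.0")}
ACTIONS_ANY_VERSION = {"aquasecurity/setup-trivy"}   # "all releases" in the list above


def normalize(name: str) -> str:
    """PEP 503 name normalisation: LiteLLM, litellm and Lite.LLM compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


_BAD_PYPI = {(normalize(n), v) for n, v in COMPROMISED_PYPI}
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)")
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?([^\s:@]+)(?::([^\s@]+))?", re.I)
USES_LINE = re.compile(r"uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)@([^\s#]+)")


def check_requirements(text: str) -> list:
    """requirements.txt, constraints.txt or `pip freeze` output with == pins."""
    findings = []
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if m and (normalize(m.group(1)), m.group(2)) in _BAD_PYPI:
            findings.append(f"pypi:{m.group(1)}=={m.group(2)}")
    return findings


def check_dockerfile(text: str) -> list:
    """Every FROM line, including multi-stage builds; an untagged image is 'latest'."""
    findings = []
    for line in text.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            continue
        image = re.sub(r"^docker\.io/(library/)?", "", m.group(1))
        tag = m.group(2) or "latest"
        if (image, tag) in COMPROMISED_IMAGES:
            findings.append(f"image:{image}:{tag}")
    return findings


def check_workflow(text: str) -> list:
    """GitHub Actions workflow: the bad trivy-action tag, and any use of setup-trivy."""
    findings = []
    for m in USES_LINE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if action in ACTIONS_ANY_VERSION or (action, ref.lstrip("v")) in COMPROMISED_ACTIONS:
            findings.append(f"action:{action}@{ref}")
    return findings


def audit(files: dict) -> list:
    """files maps a repo-relative path to its text; dispatch on the file name."""
    findings = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name.endswith(".txt"):
            findings += check_requirements(text)
        elif name.startswith("Dockerfile") or name.endswith(".Dockerfile"):
            findings += check_dockerfile(text)
        elif name.endswith((".yml", ".yaml")):
            findings += check_workflow(text)
    return findings


SAMPLE_FILES = {  # constructed sample repository contents
    "requirements.txt": "requests==2.32.3\nLiteLLM==1.82.7\ntelnyx==4.86.0\n",
    "Dockerfile": "FROM docker.io/aquasec/trivy:0.69.5 AS scanner\nFROM python:3.12-slim\n",
    ".github/workflows/scan.yml": (
        "steps:\n"
        "  - uses: actions/checkout@v4\n"
        "  - uses: aquasecurity/setup-trivy@v0.2.3\n"
        "  - uses: aquasecurity/trivy-action@0.35.0\n"
    ),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print("COMPROMISED", finding)
```

Two caveats: workflows that pin actions by commit SHA will not match the tag check and need the SHA resolved against the upstream repository, and a clean lockfile does not prove a developer machine never ran `pip install` of a bad version during the exposure window, so pair this with the host-side checks (Startup folder, X-Filename header) above.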

3. Microsoft Azure Monitor alerts abused for callback phishing attacks

SUMMARY

Microsoft Azure Monitor is being abused by threat actors to send convincing phishing emails that mimic alerts from the Microsoft Security Team. The messages prompt recipients to call fraudulent support numbers about supposed unauthorized charges on their accounts. Because the mail is sent by Microsoft's own infrastructure it passes standard email security checks, and a successful call may ultimately give the attackers access to corporate networks.

Category

Phishing

Industry

Multiple

Sources

https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/

https://www.reddit.com/r/phishing/comments/1rg6wu0/microsoft_azure_email_not_sure_if_phishing/

https://800notes.com/Phone.aspx/1-864-347-4846

https://anydesk.com/en/abuse-prevention

ANALYST COMMENTS

Microsoft's Azure Monitor is being abused in a phishing campaign in which attackers send legitimate-looking alerts about unauthorized charges, urging recipients to call specific numbers to verify transactions. The alerts are generated by creating alert rules in the Azure Monitor platform and letting its legitimate notification system deliver them, so the messages pass the usual email authentication checks (SPF, DKIM and DMARC). The lure is placed in the alert title and description fields, mimicking an automated billing notification, to create a sense of urgency and trick users into calling numbers controlled by the threat actors.

While the emails typically bypass standard security rules, testing in our lab showed that they still include the normal alert metadata alongside the customized title and description, which helps with identification. Public forum discussions indicate that the emails warn the user of a billing issue and instruct them to call a provided number; the attacker then guides the victim to install AnyDesk as the next stage of the attack.

ACTIONABLE GUIDANCE

The fraudulent Azure Monitor alert emails typically follow a consistent structure, and may show mismatches between the standard alert content and the customized titles or descriptions. It is uncommon for non-IT or non-administrator users to receive Azure Monitor alerts, as these are typically limited to system metrics for cloud infrastructure; an exception may be managers or users responsible for financial or billing oversight of the environment. Based on this, emails that include “Azure Monitor alert rule…” in the subject or description, when received by users who are not administrators, IT staff or cloud billing managers, may indicate a phishing attempt.

Additionally, a mismatch between the alert rule metadata and the description may indicate suspicious activity. Administrators, IT staff and billing managers should verify alerts directly in the Azure portal to confirm legitimacy and should never call a number provided in the email. RMM software such as AnyDesk should be prevented from being downloaded or installed. If AnyDesk is used legitimately in the environment, it should be closely monitored and additional agents should only be installed by an administrator. Because the binary may be renamed, detect AnyDesk by its SHA-256 hash (or its code-signing certificate) rather than by file name.
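As an added example (our own illustration, not part of the original page), the following triage logic encodes the guidance above for a mail gateway or SOAR step: it checks whether a message shaped like an Azure Monitor alert went to a non-privileged recipient, whether the attacker-controlled rule name and description carry a phone number or a billing/urgency lure, and whether that lure disagrees with the alert's resource metadata. The field labels, the sample messages and the privileged-recipient allowlist are assumptions; compare the labels with a legitimate alert from your own tenant before deploying.

```python
import re

# ASSUMPTION: field labels as they appear in the plain-text body of an Azure
# Monitor alert notification; compare with a legitimate alert from your tenant.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
LURE = re.compile(
    r"\b(unauthori[sz]ed|charge[sd]?|billing|invoice|refund|call (?:us|now|immediately))\b",
    re.I,
)


def parse_fields(body: str) -> dict:
    """'Label: value' lines from the body; later duplicates overwrite earlier ones."""
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    return fields


def triage_alert_mail(subject: str, recipient: str, body: str, privileged: set) -> list:
    """Reasons to hold the message; an empty list means it looks like a normal alert."""
    reasons = []
    if "azure monitor alert" not in subject.lower():
        return reasons                      # not shaped like an Azure Monitor alert
    if recipient.lower() not in {p.lower() for p in privileged}:
        reasons.append("recipient-is-not-cloud-admin-or-billing-owner")
    fields = parse_fields(body)
    # The attacker controls the rule name and description; the rest is Azure's.
    free_text = "\n".join([subject, fields.get("Alert rule name", ""), fields.get("Description", "")])
    if PHONE.search(free_text):
        reasons.append("phone-number-in-alert-text")
    if LURE.search(free_text):
        reasons.append("billing-or-urgency-lure-in-alert-text")
    # A real alert is about an Azure resource; a billing lure in the description
    # of an alert fired on a VM or metric is the metadata mismatch to look for.
    resource = fields.get("Affected resource", "")
    if resource.startswith("/subscriptions/") and LURE.search(fields.get("Description", "")):
        reasons.append("description-does-not-match-alert-metadata")
    return reasons


# Constructed samples; the resource ID, numbers and addresses are placeholders.
PRIVILEGED = {"cloudops@example.com", "billing@example.com"}
PHISH_SUBJECT = "Azure Monitor alert rule Unauthorized charge of $499.99 detected was fired"
PHISH_BODY = """\
Alert rule name: Unauthorized charge of $499.99 detected
Severity: Sev0
Monitor condition: Fired
Affected resource: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1
Description: We noticed an unauthorized charge on your account. Call our billing desk at 555-010-4242 within 24 hours to dispute it.
"""
LEGIT_SUBJECT = "Azure Monitor alert rule vm1-high-cpu was fired"
LEGIT_BODY = """\
Alert rule name: vm1-high-cpu
Severity: Sev3
Monitor condition: Fired
Affected resource: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1
Description: Average CPU above 90 percent for 5 minutes
"""

if __name__ == "__main__":
    print(triage_alert_mail(PHISH_SUBJECT, "jdoe@example.com", PHISH_BODY, PRIVILEGED))
    print(triage_alert_mail(LEGIT_SUBJECT, "cloudops@example.com", LEGIT_BODY, PRIVILEGED))
```

The recipient check alone is deliberately a weak signal (a legitimate alert can be mis-routed); quarantine on two or more reasons and route single-reason hits to the cloud team for verification in the portal.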

4. US Bans Foreign Consumer Grade Routers

SUMMARY

The U.S. is banning new foreign-made consumer-grade network routers due to national security concerns, though existing models are unaffected. 

Category

Situational Awareness

Industry

Multiple (primarily affects US-based organizations)

Sources

https://www.theregister.com/2026/03/24/fcc_foreign_routers/

https://www.fcc.gov/supplychain/coveredlist

https://docs.fcc.gov/public/attachments/DA-26-286A1.pdf

ANALYST COMMENTS

The United States is banning new consumer-grade network routers made in foreign countries on national security grounds, through updates to the Federal Communications Commission's (FCC) Covered List under the Secure Networks Act. The decision targets foreign-produced routers as posing cybersecurity risks and potential disruption to critical infrastructure, but does not affect previously authorized models. Consumer routers have been exploited in past campaigns such as Volt Typhoon and Salt Typhoon, which built botnets from compromised devices. An exemption exists for devices approved by the Department of Defense or the Department of Homeland Security; the stated aim is to reduce dependency on foreign-made core components, in line with President Trump's National Security Strategy.

The list contains several vendors that have historically supplied router and network products to the US, covering both hardware and software. It is not limited to network and communications devices: it also includes IP camera and video surveillance products from brands such as Dahua and Hangzhou Hikvision, security software from Kaspersky, and products including phones from Huawei. While this may not remove these products and companies from the US market entirely, it will likely increase costs if production shifts to the United States and may cause supply chain delays. The router and networking restrictions will primarily impact consumer and small business markets, while enterprise environments may be more affected by the restrictions on video surveillance products used in office settings.

Organizations may continue using older products to avoid the cost and complexity of migration and upgrades. That increases the attack surface and creates more opportunities for threat actors to exploit legacy devices that cannot be updated or replaced; as a result, more compromised devices may be drawn into botnets for further campaigns and malicious activity. The impact could grow if vendors withdraw from the US market entirely. While the ruling does not currently affect patches and firmware updates for already-approved routers and similar products manufactured abroad, the FCC has set an expiration date of March 1st, 2027 for such updates, after which continued support for older, already-deployed foreign-made devices will require government approval. This is likely to increase the risk of operating legacy devices.

ACTIONABLE GUIDANCE

Potential pricing and supply changes may impact foreign made products, which could affect IT budgets. Organizations should review current vendor dependencies and begin planning for alternative options where needed. This includes assessing which systems rely on these products and identifying candidates for migration or replacement.

While existing products are expected to continue receiving patches and firmware updates in the near term, organizations should prepare for possible changes after March 1st of next year. Developing a transition plan will help avoid disruption, including timelines for migration, decommissioning end of life devices, or isolating systems where replacement is not immediately feasible.

Priority should be given to critical infrastructure such as networking and edge devices, especially those that are more difficult to isolate. Early evaluation and phased planning will help manage risk while maintaining operational stability.

5. PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug

SUMMARY

PTC Inc. has identified a critical vulnerability (CVE-2026-4681) in Windchill and FlexPLM that could enable remote code execution through data deserialization. This prompted German authorities to issue alerts to affected companies, while PTC works on patches and recommends specific mitigations to prevent potential exploitation.

Category

Critical Vulnerabilities

Industry

Manufacturing

Sources

https://www.bleepingcomputer.com/news/security/ptc-warns-of-imminent-threat-from-critical-windchill-flexplm-rce-bug/

https://www.heise.de/news/WTF-Polizei-rueckte-Samstagnacht-wegen-Zero-Day-aus-11221345.html

https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability

ANALYST COMMENTS

PTC Inc. has identified a critical vulnerability (CVE-2026-4681) in Windchill and FlexPLM that allows remote code execution through deserialization of untrusted data. This prompted emergency action from German authorities, including direct alerts to affected companies delivered by federal police officers. No patches are currently available. PTC is actively developing security updates and recommends applying a mitigation rule that denies access to the affected servlet path until patches are released. The IOCs from the advisory are compiled here:

# User-Agent (only meaningful when combined with other indicators of compromise)

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36

# Suspicious HTTP request patterns to correlate

run?p=
.jsp?p=
run?c=
.jsp?c=

# Dropped files (SHA-256)

GW.class - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1
payload.bin - C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1
Gen.class - 9856FCFC71099646F4E705BC906BD1BB170871290D364CA20C716E566257E264
HTTPRequest.class - 6B015D40D3E6A2B3425797B9B75B8F3868A7A6EAD155686E4AE0D9BFC87F4E57
HTTPResponse.class - 6F0472C8D83C0F85DFF106028F7ABB754631F7B585078B3919DAE99E3672C389
IXBCommonStreamer.class - B1B141130718FFF5A2F8E6A048165338DDBC50DA3A2464C43BFCA0476BAC4CC7
IXBStreamer.class - E207BDC91D172012AF28B028E9DD21C8B377E78286AD8C8E4E085F2D6E9C0C03
MethodFeedback.class - 6A88AB22B35C9D4DB9A582B6F386968355E4A4362235A6CDC038B672F9EC9372
MethodResult.class - 21A2AD61FC72E1256BBD037CBD5AD4279A916F9E4ADF0D197177BA95A22C881D
WTContextUpdate.class - 06E166A84701D430ADCDC19BA8DA2124CA223637919D6E89068219433BB9073F
Gen.java - F2C8EB4A4F4BB2344DC0E41C2717B7B0D22F923A1CDBBE61EBF415759F757DAD
GW.java - 330433BC430CB40E7BC4D17BEBABD521572AD5077F614484FEE9442EEE793477
HTTPRequest.java - 1CB7A011880958A1A8797D720495646BA8B0601AF09352E4118FCB0E09475E95
HTTPResponse.java - E697AFEAF83ED975D5B5D2A6604F08E7496D99F9775F33407B0B02530516D88D
IXBCommonStreamer.java - AFEDA8E680639FE58343AE7A67B92C36E44A67A6BB7DC3C1FC239DF29CF225E0
IXBStreamer.java - AD388F887F2EB0114AA672EC0D9EE9201916F257EB982C96EC4867727C52082C
MethodFeedback.java - 305241D4D27B07CFDD566AA16B22CF79116EE9BC254D6D8A8032443ABA2EC985
MethodResult.java - 69E41E4B68A1097143C394DE25B2E1D33A819AED0C61F3DF891485A98B5AAA07
WTContextUpdate.java - 78473ABBECDFF2BDC30BCB96B0B3EAC3BD6493E6960D11D03277509EFDA188F2

Any *.jsp file with a randomly generated name of the form dpr_<8-hex-digits>.jsp

# Log artifacts

Unusual error messages in log files under <APACHE_HOME>/logs and/or <WINDCHILL_HOME>/logs referencing:

    run?c=echo%20GW_READY_OK
    c=echo%20GW_READY_OK
    c=echo 20GW_READY_OK
    GW_READY_OK
    ClassNotFoundException for GW
    Windchill Error or HTTP Gateway Exception

ACTIONABLE GUIDANCE

Organizations should implement the current workaround by denying access to the affected servlet endpoints until a patch is available. The published indicators suggest that active exploitation is already occurring, which increases the urgency of restricting access to the vulnerable servlet. Checking web server and Windchill logs and the file system against the IOCs above may reveal a past breach; if any indicator is found, treat the host as compromised and open an investigation rather than simply deleting the files.
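As an added example (our own illustration, not PTC's tooling), the following script sweeps the two places the advisory points at: it scans log lines for the request patterns, the GW_READY_OK marker, the ClassNotFoundException and the dpr_<8-hex>.jsp naming, counting the Chrome/137 User-Agent only when another indicator sits on the same line, and it walks a directory tree such as <WINDCHILL_HOME> hashing files against the dropped-file SHA-256 values. Only a subset of the hashes is included for brevity; extend IOC_HASHES with the rest of the list above. The sample log lines and the request path in them are constructed; only the patterns come from the advisory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values copied from the dropped-file list above (a subset; add the rest).
IOC_HASHES = {
    "c818011caff82272f8cc50b670304748984350485383ebad5206d507a4b44ff1": "GW.class / payload.bin",
    "9856fcfc71099646f4e705bc906bd1bb170871290d364ca20c716e566257e264": "Gen.class",
    "6b015d40d3e6a2b3425797b9b75b8f3868a7a6ead155686e4ae0d9bfc87f4e57": "HTTPRequest.class",
    "330433bc430cb40e7bc4d17bebabd521572ad5077f614484fee9442eee793477": "GW.java",
}
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36")
LOG_PATTERNS = {
    "run-param":        re.compile(r"run\?[pc]="),
    "jsp-param":        re.compile(r"\.jsp\?[pc]="),
    "gw-ready-marker":  re.compile(r"GW_READY_OK"),
    "gw-classnotfound": re.compile(r"ClassNotFoundException.*\bGW\b"),
    "dropped-jsp-name": re.compile(r"\bdpr_[0-9a-f]{8}\.jsp\b", re.I),
}


def scan_log_lines(lines):
    """Return [(line_no, [indicator names])]. The User-Agent alone never counts:
    it is only appended when another indicator is present on the same line."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = [name for name, rx in LOG_PATTERNS.items() if rx.search(line)]
        if found and SUSPECT_UA in line:
            found.append("suspect-user-agent")
        if found:
            hits.append((n, found))
    return hits


def sha256_of(path) -> str:
    """Streamed SHA-256 so large archives under the install tree do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk a tree such as <WINDCHILL_HOME> for IOC hashes and dpr_*.jsp file names."""
    matches = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if LOG_PATTERNS["dropped-jsp-name"].search(p.name):
            matches.append((str(p), "dropped-jsp-name"))
        digest = sha256_of(p)
        if digest in IOC_HASHES:
            matches.append((str(p), IOC_HASHES[digest]))
    return matches


SAMPLE_LOG = [  # constructed lines; the request path is made up, only the patterns are from the advisory
    '198.51.100.23 - - [28/Mar/2026:02:13:07 +0000] "GET /Windchill/dpr_3f9a1c2e.jsp?c=echo%20GW_READY_OK HTTP/1.1" 200 17 "-" "' + SUSPECT_UA + '"',
    '10.20.0.5 - - [28/Mar/2026:02:14:10 +0000] "GET /Windchill/app/ HTTP/1.1" 200 5120 "-" "' + SUSPECT_UA + '"',
    "java.lang.ClassNotFoundException: GW",
]


def demo_tree():
    """Build a throwaway tree with one dpr_*.jsp and one benign empty file, scan it,
    and also return the SHA-256 of the empty file (constructed demo data)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "codebase").mkdir()
        Path(d, "codebase", "dpr_deadbeef.jsp").write_text("x")
        Path(d, "codebase", "empty.txt").write_bytes(b"")
        return scan_tree(d), sha256_of(Path(d, "codebase", "empty.txt"))


if __name__ == "__main__":
    for n, found in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
    for path, why in demo_tree()[0]:
        print(f"{why}: {path}")
```

Run the tree scan against both <APACHE_HOME> and <WINDCHILL_HOME>, and hash with the files as they are on disk rather than after any cleanup, since the advisory lists both .java sources and compiled .class files and either may have been removed by the attacker.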

6. Magento ‘PolyShell’ Vulnerability Abused By Threat Actors

SUMMARY

Hackers are exploiting the 'PolyShell' vulnerability in Magento installations, affecting over half of all vulnerable stores, and delivering a novel WebRTC-based payment card skimmer that evades security controls.

Category

Known Exploited Vulnerabilities

Industry

Retail, Automotive

Sources

https://www.bleepingcomputer.com/news/security/polyshell-attacks-target-56-percent-of-all-vulnerable-magento-stores/

https://sansec.io/research/webrtc-skimmer

https://sansec.io/research/magento-polyshell#live-polyshell-attacks

https://slcyber.io/research-center/magento-polyshell-unauthenticated-file-upload-to-rce-in-magento-apsb25-94/

ANALYST COMMENTS

Hackers are actively exploiting the PolyShell vulnerability in Magento Open Source and Adobe Commerce 2.x; researchers reported on March 19th that attacks had already hit more than half of all vulnerable stores. Exploitation primarily targets retail and e-commerce organizations that run Magento and is likely driven by financially motivated threat actors. The vulnerability lies in Magento's REST API: an unauthenticated file upload lets an attacker place polyglot files on the server, leading to remote code execution or account takeover if the web server configuration permits those files to be served or executed. A fix exists in version 2.4.9-beta1, but Adobe has not yet published a stable release containing it.

A financially motivated threat actor using PolyShell deployed a WebRTC-based payment card skimmer that sidesteps Content Security Policy controls, which constrain HTTP and WebSocket connections but in most browsers not WebRTC, by exfiltrating data over DTLS-encrypted UDP. The skimmer was identified on a major car manufacturer's website. The malware sends WebRTC traffic over UDP port 3479 to a C2 server at 202.181.177[.]177, associated with AS210083 (Privex) and geolocated to Belize. The targeting of automotive retail suggests a focus on high-value transactions and may foreshadow expansion to other retail sectors selling similarly high-value goods.

ACTIONABLE GUIDANCE

A pre-release fix, version 2.4.9-beta1, is available, but no stable patch has been released yet. A third-party patch has also been referenced; until Adobe ships an official stable patch, applying non-vendor patches is not recommended. The vulnerability stems from unrestricted uploads, and the researchers indicate that multiple endpoints may be affected. To mitigate this, restrict the upload directory in the Apache or Nginx configuration (for example via that directory's .htaccess file) so that the web server serves only .png, .svg and .jpg files from it and never executes anything in it as a script. Note that SVG is XML and can carry script, so if SVG must be allowed it should be served as a static file with a restrictive Content-Security-Policy header. On the network side, block or alert on outbound UDP to 202.181.177[.]177 and on unexpected WebRTC traffic to port 3479 from store front-ends.
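As an added example (our own configuration, not Adobe's or Sansec's), the following Apache 2.4 .htaccess applies the mitigation above to the Magento upload root. It assumes the media directory is <magento_root>/pub/media, that the directory allows AuthConfig, FileInfo and Options overrides, and that PHP runs as mod_php (for PHP-FPM the handler removal is what matters). The default-deny plus allowlist means a polyglot written with any non-image extension cannot be fetched, and the handler removal means even a .png that is really PHP is never executed.

```apache
# <magento_root>/pub/media/.htaccess (added example; assumes Apache 2.4 with
# AllowOverride AuthConfig FileInfo Options on this directory)

# 1. Nothing in the upload tree is ever handed to a script engine, whatever
#    its extension or the bytes at the front of the file.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .phar .pl .py .cgi .sh
RemoveType .php .phtml .phar
SetHandler default-handler
Options -ExecCGI -Includes -Indexes

# 2. Default deny, then allow only the image extensions the store needs.
#    Extend the allowlist deliberately (e.g. gif, webp) rather than dropping it.
<Files "*">
    Require all denied
</Files>
<FilesMatch "\.(?i:png|jpe?g|svg)$">
    Require all granted
</FilesMatch>

# 3. No MIME sniffing, and treat SVG as an inert document: it is XML and may
#    carry <script>, so forbid script execution when a browser opens it directly.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    <FilesMatch "\.(?i:svg)$">
        Header set Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'"
    </FilesMatch>
</IfModule>
```

Test this against a staging store before production: anything the store legitimately serves straight from pub/media with another extension (videos, downloadable product samples) will start returning 403 and should be added to the allowlist individually, never by relaxing the handler rules in step 1.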

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.