March 12, 2026

Weekly Situation Report: 3/9/26

EXECUTIVE SUMMARY

This report is intended to inform our partners and clients about notable developments in the cybersecurity space, including relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate future threats.

KEY TAKEAWAYS

  • VMware has released updated patches to address remote code execution vulnerabilities in its Aria Operations platform that could allow full system compromise.
  • Iranian-linked hacking attempts have targeted internet-connected IP cameras, likely involving state actors and affiliated hacktivist groups.
  • APT28 exploited the MSHTML vulnerability CVE-2026-21513 as a zero-day prior to Microsoft’s February Patch Tuesday release.
  • A newly disclosed vulnerability in Juniper JunOS (CVE-2026-21902) enables remote code execution on affected network devices.
  • LexisNexis suffered a breach in which attackers accessed legacy data by exploiting the React2Shell vulnerability.
  • Threat actors are abusing OAuth error-handling flows to trick users into granting malicious permissions and spreading malware.
  • Cisco has confirmed that privilege escalation vulnerabilities in its SD-WAN products are being actively exploited in the wild.

 

1. (UPDATED) VMware Addresses Aria Operations Remote Code Execution Vulnerabilities

SUMMARY

Broadcom has released patches for high-severity vulnerabilities in VMware Aria Operations. This includes a critical command injection flaw (CVE-2026-22719) that allows remote code execution by unauthenticated attackers. Patches also included stored XSS and privilege escalation-related vulnerabilities.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://www.securityweek.com/vmware-aria-operations-vulnerability-could-allow-remote-code-execution/

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

https://www.securityweek.com/vmware-aria-operations-vulnerability-exploited-in-the-wild/

https://nvd.nist.gov/vuln/detail/CVE-2026-22719

ANALYST COMMENTS

Broadcom has released patches for several high-severity vulnerabilities in VMware Aria Operations. CVE-2026-22719 is a command injection issue that allows unauthenticated remote code execution during product migration. CVE-2026-22720 is a stored cross-site scripting (XSS) vulnerability: an attacker able to create custom benchmarks can inject script that performs administrative actions. Finally, CVE-2026-22721, a medium-severity privilege escalation issue, can be exploited to gain administrative access. The patches are included in version updates for VMware Cloud Foundation, vSphere Foundation, and Aria Operations.

To our knowledge these vulnerabilities have not been exploited in the wild. The command injection vulnerability is the most severe of the three and the one most likely to be taken advantage of by threat actors. However, the advisory states that the vulnerability is abused during support-assisted product migration, which complicates exploitation and may reduce the practical risk. We are currently not aware of a public PoC or public research. Based on the information available to us, a likely exploitation scenario would involve social engineering of RMM or similar IT support, comparable to tactics employed by groups such as ShinyHunters.

UPDATE 3/9/26

CVE-2026-22719 is now known to have been exploited in the wild. Neither public nor internal honeypot data currently shows scanning activity for this vulnerability that can be attributed to a specific known threat actor. Public honeypot data does, however, show a slight increase in traffic starting March 1, primarily targeting Europe and North America.

ACTIONABLE GUIDANCE

Apply the patches from the vendor to remediate these issues. Abuse may be observed as network traffic containing Unix or Windows command-line strings within web requests to the device.

Fixed versions of vulnerable products are noted below:
 

Product                  | Fixed version
VMware Cloud Foundation  | 9.0.2.0
VMware vSphere Foundation| 9.0.2.0
VMware Aria Operations   | 8.18.6

2. Iranian Hacking Attempts Hit IP Cameras, Likely Allied Hacktivists and Iranian Military

SUMMARY

Reports indicate that Iranian-aligned hacking groups, likely allied hacktivists or possibly military actors, have been targeting Hikvision and Dahua CCTV systems in Israel and other Middle Eastern countries since February 28. The compromised camera feeds may be used to support kinetic attacks.

Category

Emerging Threats

Industry

Government, Military Contractors, Multiple

Sources

https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/

https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/

https://mastodon.social/@netblocks/116175384626062914

Internal OSec Collection

ANALYST COMMENTS

While initial reports suggested ongoing exploitation attempts by Iranian actors against IP cameras, current intelligence indicates this is unlikely. The imposition of internet blackouts in Iran, which remain in effect through the 5th, severely restricts the operational capacity of non-military organizations and individuals to launch cyberattacks. Our own internal honeypot data corroborates this, with a stark drop-off in traffic coinciding with the timing of Iran’s internet blackout. Any other activity, though unverified, is likely attributable to the Iranian government or military, as civilian internet access at this time is unlikely.

Consequently, observed hacktivist activity appears to be driven primarily by external actors claiming close ties to Iran rather than domestic Iranian entities. These groups have been conducting DDoS campaigns and exploiting Operational Technology (OT) systems against Israel for months, with a notable refocusing of efforts following the escalation of the war. 

ACTIONABLE GUIDANCE

This threat primarily impacts organizations in Israel holding military or intelligence contracts, specifically those utilizing Hikvision and Dahua cameras. To mitigate risk, ensure all firmware is updated and segregate camera systems from the internal corporate network via dedicated VLANs or network segments. Furthermore, IP cameras should generally remain non-publicly accessible unless required for public service; verify that all exposures align with organizational policy and security best practices.

3. APT28 Abused CVE-2026-21513 MSHTML 0-Day Before the February Patch Tuesday

SUMMARY

A high-severity security flaw (CVE-2026-21513) in Microsoft's MSHTML Framework was exploited as a zero-day by Russia-linked APT28. This flaw allows unauthorized attackers to bypass security features via manipulated HTML or LNK files, and potentially execute malicious code.

Category

Threat Actor Activity

Industry

Government and Public Administration, Multiple (primarily Western and Central Europe)

Sources

https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html

https://www.akamai.com/blog/security-research/2026/feb/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis

https://www.clearskysec.com/wp-content/uploads/2026/03/BadPaw_and_MeowMeow.pdf

https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit

ANALYST COMMENTS

A high-severity security flaw (CVE-2026-21513) affecting the MSHTML Framework was exploited as a zero-day by APT28 before being patched in Microsoft's February 2026 update. The vulnerability allows attackers to bypass browser security features and execute code via crafted HTML or LNK files, which manipulate Windows Shell handling to run malicious content. Researchers identified a forensic artifact on January 30, 2026, tied to APT28's infrastructure. The flaw's root cause lies in insufficient validation of hyperlink navigation within "ieframe.dll," enabling trust boundary manipulations that bypass security configurations like MotW and IE ESC.

The researchers identified the vulnerability's trigger within a .lnk file, which uses document.Script.open() as shown below:

 

{ h1 = new window[0].ActiveXObject('htmlfile'); };
('<html><body><iframe src=%22about:blank%22></iframe><iframe src=%22about:blank%22></iframe>
%3cscript defer%3ewindow[1].document.Script.open(%22http:///%22,%22_parent%22)%3c/script%3e
</body></html>'));

 

While the context above is within a .lnk file, any file or document that can run MSHTML is affected by this vulnerability.

This activity may represent an evolution of the recent Neusploit campaign targeting Central and Western Europe that is currently attributed to the threat actor.

ACTIONABLE GUIDANCE

Applying the necessary Microsoft patches for supported Windows products is recommended to remediate this vulnerability, which is being actively used by this threat actor. The threat actor uses domains and IP addresses located in Russia and Moldova; geoblocking these locations, if they are not required for business operations, can help reduce the risk of compromise. The actor primarily targets organizations that are part of Ukraine supply chains or that have provided financial or other forms of aid to the country, and relies primarily on phishing as the initial access vector. Recent samples show lures that impersonate government or judicial entities in the targeted country, including Romania, Slovakia, Ukraine, and Spain. In some cases, unknown third parties direct victims to open malicious RTF attachments.

4. Juniper JunOS CVE-2026-21902 Remote Code Execution Disclosed

SUMMARY

Juniper Networks released an emergency patch for a critical remote code execution vulnerability (CVE-2026-21902) affecting PTX routers running Junos OS Evolved. The company urges immediate patching to prevent unauthenticated attackers from taking full control of affected devices.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://securityaffairs.com/188609/security/juniper-issues-emergency-patch-for-critical-ptx-router-rce.html

https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/

ANALYST COMMENTS

Juniper Networks released an emergency patch for Junos OS Evolved to address CVE-2026-21902, a critical remote code execution vulnerability that affects PTX Series routers. This flaw allows unauthenticated remote attackers to execute code as root due to incorrect permissions assigned in the On-Box Anomaly Detection framework. This service should only be accessible internally but is improperly exposed externally. 

We are currently not aware of active exploitation in the wild. However, due to the disclosure of how the vulnerability works, exploitation will likely follow in the short term. Public honeypot data shows minimal traffic targeting Juniper devices overall, and no activity can currently be isolated to this specific vulnerability. A slight increase in traffic toward US and Asia based targets was observed starting February 27, though overall activity remains limited. As with many newly disclosed vulnerabilities, exploitation is likely to increase after disclosure.

ACTIONABLE GUIDANCE

Apply patches promptly or implement workarounds such as disabling the service or restricting access via ACLs. These hosts should not be exposed to the public internet; exposure will increase the risk of exploitation in the near term. If exploitation is suspected, look for the first POST request in the four-request chain: it calls /config/<command>/<command name> with a JSON body containing “type”: “RE-SHELL” and “syntax”: “<OS command string here>”. Monitoring controls and rulesets should alert on requests using type RE-SHELL so that potentially malicious behavior is detected before it impacts the host or network environment. The issue affects versions prior to 25.4R1-S1-EVO and 25.4R2-EVO.
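The detection logic described above, as an added example that is not part of the original report or of Juniper's software: it scans a constructed per-request JSON log (fields method, path, body are an assumed format) and flags POST requests to /config/<command>/<command name> whose body carries type RE-SHELL.

```python
"""Flag Junos OS Evolved requests matching the CVE-2026-21902 exploitation
pattern: POST to /config/<command>/<command name> with a JSON body whose "type"
is RE-SHELL. Added example, not code from the report or from Juniper; the
one-JSON-object-per-line log format is constructed for this demonstration."""
import json
import re
from dataclasses import dataclass

# The report gives the path shape as /config/<command>/<command name>; requiring
# at least two segments after /config/ is an assumption based on that description.
CONFIG_PATH = re.compile(r"^/config/[^/]+/[^/]+")


@dataclass
class Finding:
    line_no: int
    path: str
    syntax: str  # the OS command string the request asked the router to run


def is_re_shell_request(method: str, path: str, body: str) -> bool:
    """True when a POST to a /config/... endpoint carries type RE-SHELL in its JSON body."""
    if method.upper() != "POST" or not CONFIG_PATH.match(path):
        return False
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return False
    # Compare case-insensitively so "re-shell" variants are not missed.
    return isinstance(data, dict) and str(data.get("type", "")).upper() == "RE-SHELL"


def scan_log(lines):
    """Return a Finding for every log line that matches the exploitation pattern."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed log line; skip rather than crash the scanner
        method, path, body = rec.get("method", ""), rec.get("path", ""), rec.get("body", "")
        if is_re_shell_request(method, path, body):
            syntax = str(json.loads(body).get("syntax", ""))
            findings.append(Finding(line_no, path, syntax))
    return findings


# Constructed sample log: a benign GET, a benign POST (type "CLI" is made up),
# one matching request (note the lower-case type), and a RE-SHELL body sent to
# a non-/config path that must not be flagged.
SAMPLE_LOG = [
    json.dumps({"method": "GET", "path": "/config/show/version", "body": ""}),
    json.dumps({"method": "POST", "path": "/config/show/version",
                "body": json.dumps({"type": "CLI"})}),
    json.dumps({"method": "POST", "path": "/config/request/system",
                "body": json.dumps({"type": "re-shell", "syntax": "id"})}),
    json.dumps({"method": "POST", "path": "/api/login",
                "body": json.dumps({"type": "RE-SHELL", "syntax": "id"})}),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: RE-SHELL request to {f.path} with syntax {f.syntax!r}")
```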

 

5. LexisNexis Breached By Hackers with Legacy Data Accessed Using React2Shell

SUMMARY

LexisNexis confirmed a security incident where a threat actor gained access to legacy data from before 2020. The exposed data includes customer names, user IDs, business contact information, products used, customer surveys with IP addresses, and support tickets. No financial information or Social Security numbers were compromised.

Category

Confirmed Breach

Industry

Multiple, Education, Real estate

Sources

https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data

https://www.reddit.com/r/Scams/comments/1piw9lc/fulcrumsec_is_this_ascam_then_how_it_works/

https://infosec.exchange/@briankrebs/116167069307320473

Internal OSec Collection

ANALYST COMMENTS

LexisNexis confirmed that data posted on a cybercriminal forum is legitimate and originated from a recent security incident. The incident involved unauthorized access to a limited number of servers containing mostly legacy data from before 2020. The breach involved the theft of 2 GB of information including millions of records and contact details. Exposed information included .gov email addresses, account records for government agencies and law firms, passwords, IT incident tickets, customer names, user IDs, business contact information, product usage history, customer surveys with IP addresses, and support tickets. The company engaged a cybersecurity firm to assist in the investigation and has informed impacted customers. However, they did not respond to questions regarding whether a ransom was demanded or when the intrusion was initially detected. LexisNexis maintains that there is no evidence of compromise to their products and services, and the breached data did not include sensitive information such as Social Security numbers, financial data, or customer search details.

ACTIONABLE GUIDANCE

Prioritize patching externally facing web and VPN infrastructure, especially as public PoC code exists. This should be followed by regular audits of cloud permissions and roles to prevent overly permissive access that could enable lateral movement. Sensitive internal data must never be exposed to the public internet. Permissions, roles, users, and controls require consistent review to ensure infrastructure remains adequately hardened against potential attacks.

The group actively seeks leaked secrets and SSRF opportunities, targeting .env files, abusing outdated IMDSv1 endpoints, or using tools like TruffleHog to harvest credentials. They may leverage this data to pressure customers via email, demanding action from previously breached companies. The group will likely use social engineering techniques and known VPN vendors as part of their tactics and infrastructure. This is similar in nature to the exploitation and extortion campaigns run by SLSH.

Based on this information, organizations within major technology supply chains and medium to large revenue-generating organizations with large customer bases are more likely to be targeted by the group. As the group prioritizes one-click vulnerabilities and public PoCs for initial access, patching exposed infrastructure should be a priority. The group is also highly adept at cloud infrastructure and will take advantage of misconfigurations. Organizations should prioritize hardening practices such as securing metadata endpoints, preventing environment files from being exposed through web applications, ensuring CDNs do not expose sensitive data as static files, reviewing and hardening folder and web permissions, and provisioning roles and users according to least privilege or zero trust practices. Spikes in calls to IT support, or persons claiming to be IT contacting the help desk, may indicate an active attack or targeting by this threat actor or similar groups such as SLSH.

6. Hackers abuse OAuth error flows to spread malware

SUMMARY

Attackers abuse the legitimate OAuth redirection process to trick users into authenticating malicious applications. This is often done through deceptive URLs in phishing emails that target government and public sector organizations. The technique can enable MFA bypass and malware delivery while appearing as a legitimate authorization request.

Category

Phishing

Industry

Government and Public Administration

Sources

https://www.bleepingcomputer.com/news/security/microsoft-hackers-abuse-oauth-error-flows-to-spread-malware/

https://x.com/rst_cloud/status/2028976957287788661

ANALYST COMMENTS

Hackers exploited OAuth's redirection mechanism to bypass phishing protections, leading users to malicious pages designed to mimic legitimate requests such as e-signature or financial notifications. These attacks involve creating unauthorized OAuth applications with redirect URIs pointing to attacker-controlled infrastructure. This causes authentication errors that redirect users to phishing sites or download paths for malware delivery. The misuse includes auto-filling victim email addresses on phishing pages and using malicious shortcut files to load payloads into memory, bypassing MFA protections in the process. To mitigate these risks, organizations are advised to tighten OAuth application permissions and enforce strong identity protection measures.

Several patterns appear in this campaign. The threat actor abuses web page creation and similar hosting services, likely to reduce the need to register and rotate new domain names. Most of the domains used in this activity were powerappsportals[.]com, with the most recent samples using this domain. Other domains include github[.]io, surge[.]sh, and several custom domains with .im, .top, and .br extensions.
 


We attempted to identify additional network infrastructure related to this campaign by reviewing newly uploaded samples and URLs that contain “prompt=none” in the OAuth redirect request.

ACTIONABLE GUIDANCE

Users should be cautious of unsolicited email messages that request the download of files or attachments. Links within emails that redirect via OAuth with “prompt=none” should be regarded as suspicious, especially if an error condition occurs and the page is further redirected. Files downloaded during this sequence of events are highly likely to be malicious and consistent with the tactics used in this campaign. URL links that use known website building and hosting services and lead to file or archive downloads should be treated as suspicious. Alerts should be generated for activity involving surge[.]sh, powerappsportals[.]com, or unfamiliar github[.]io domains, and for the use of “prompt=none” in authorization URLs; application permissions should be audited and reviewed. Organizations should also implement strict conditional access policies, disable user-driven app consent, and alert on suspicious application integrations.
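A link-triage routine for the alerting guidance above, as an added example that is not code from the report or from Microsoft: it parses an OAuth authorization URL, flags prompt=none, and checks whether redirect_uri points at one of the hosting services named in this section or at a host the organization never registered. The identity-provider host, the allowlist, and the sample links are constructed placeholders.

```python
"""Triage an OAuth authorization link for the redirect-abuse pattern described
above. Added example, not code from the report or from Microsoft; the IdP host,
the allowlist of registered redirect hosts, and the sample links are constructed."""
from urllib.parse import urlparse, parse_qs

# Hosting services named in the report; extend this for your own environment.
SUSPECT_SUFFIXES = ("surge.sh", "powerappsportals.com", "github.io", "gitlab.io")
# Redirect hosts the organization actually registered for its own apps (constructed).
KNOWN_REDIRECT_HOSTS = {"app.example-corp.test", "login.example-corp.test"}


def host_matches(host: str, suffixes) -> bool:
    """True when host equals or is a subdomain of any suffix (no bare substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_oauth_link(url: str) -> list:
    """Return the reasons a link is suspicious; an empty list means nothing was flagged."""
    reasons = []
    query = parse_qs(urlparse(url).query)
    # prompt=none asks the IdP to authenticate silently; in an emailed link this is
    # the silent-redirect step the campaign relies on to reach the error flow.
    if any(v.lower() == "none" for v in query.get("prompt", [])):
        reasons.append("prompt=none silent authorization request")
    for target in query.get("redirect_uri", []):  # parse_qs already URL-decodes it
        rhost = urlparse(target).hostname or ""
        if not rhost:
            reasons.append("redirect_uri has no host")
        elif host_matches(rhost, SUSPECT_SUFFIXES):
            reasons.append(f"redirect_uri on a free hosting service: {rhost}")
        elif rhost.lower() not in KNOWN_REDIRECT_HOSTS:
            reasons.append(f"redirect_uri host not registered by the organization: {rhost}")
    return reasons


# Constructed sample links; the surge.sh host below is made up for this example.
SUSPECT_LINK = ("https://idp.example.test/oauth2/v2.0/authorize?client_id=abc123"
                "&response_type=code&scope=openid&prompt=none"
                "&redirect_uri=https%3A%2F%2Fauth-portal.surge.sh%2F")
BENIGN_LINK = ("https://idp.example.test/oauth2/v2.0/authorize?client_id=abc123"
               "&response_type=code&scope=openid"
               "&redirect_uri=https%3A%2F%2Fapp.example-corp.test%2Fcallback")

if __name__ == "__main__":
    for link in (SUSPECT_LINK, BENIGN_LINK):
        print(link.split("?")[0], "->", triage_oauth_link(link) or ["no findings"])
```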

7. Cisco SD-WAN Privilege Escalation Vulnerabilities Exploited in the Wild

SUMMARY

Cisco has warned that two recently patched Catalyst SD-WAN vulnerabilities (CVE-2026-20128 and CVE-2026-20122) are being actively exploited. The company urges organizations to apply the latest security updates to remediate risks related to potential system access, privilege escalation, and file overwrite exploits.

Category

Known Exploited Vulnerabilities

Industry

Technology

Sources

https://securityaffairs.com/189056/security/cisco-flags-ongoing-exploitation-of-two-recently-patched-catalyst-sd-wan-flaws.html

https://github.com/PyramidOfPain/CISA-ED-26-03

https://thehackernews.com/2026/03/cisco-confirms-active-exploitation-of.html

https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v#:~:text=Exploitation%20and%20Public%20Announcements

https://github.com/BugFor-Pings/CVE-2026-20127_EXP

https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/

https://www.team-cymru.com/post/tracking-cyberstrikeai-usage

https://www.darkreading.com/threat-intelligence/600-fortigate-devices-hacked-ai-amateur

ANALYST COMMENTS

Cisco has issued a warning about two recently patched Catalyst SD-WAN flaws (CVE-2026-20128 and CVE-2026-20122) that are being actively exploited. These vulnerabilities could allow attackers to elevate privileges, access sensitive information, or overwrite arbitrary files in Cisco's SD-WAN Manager software. 

At this time, no public PoC has been identified for these two vulnerabilities and the responsible threat actor has not been confirmed.

ACTIONABLE GUIDANCE

Patches should be applied to remediate these issues, and applying them should be prioritized because threat actors are actively exploiting these vulnerabilities to compromise systems. There are no workarounds beyond patching. If patching cannot be conducted immediately, vulnerable versions should be isolated and not exposed to the public internet until the patch is applied. The table below lists the first fixed release for each Cisco Catalyst SD-WAN Manager release:

 

Cisco Catalyst SD-WAN Manager Release | First Fixed Release
Earlier than 20.9                     | Migrate to a fixed release.
20.9                                  | 20.9.8.2
20.11¹                                | 20.12.6.1
20.12                                 | 20.12.5.3, 20.12.6.1
20.13¹                                | 20.15.4.2
20.14¹                                | 20.15.4.2
20.15                                 | 20.15.4.2
20.16¹                                | 20.18.2.1
20.18                                 | 20.18.2.1

 

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.

 

 
