April 30, 2026

Weekly Situation Report: 4/27/26

EXECUTIVE SUMMARY

This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.

KEY TAKEAWAYS

  • Threat actors are deploying malicious document sharing and meeting invites as phishing lures to trick users into downloading and executing the ScreenConnect remote access tool. 
  • A security incident at Vercel has been claimed by a group impersonating the well-known ShinyHunters, resulting in possible supply-chain compromise.
  • CISA has issued urgent warnings regarding critical vulnerabilities in SD-WAN solutions that are currently being exploited by malicious actors to compromise network infrastructure.
  • Updated guidance regarding the Microsoft Defender vulnerabilities disclosed by Nightmare-Eclipse, reflecting currently known exploitation in the wild.
  • A supply chain compromise has disrupted the integrity of the Bitwarden npm package distribution, potentially exposing users to malware or credential leakage.
  • Critical vulnerabilities in serial-to-IP converters could allow attackers to bypass security controls and gain unauthorized access to operational technology.

1. Phishing Lures Use Meeting Invites to Drop ScreenConnect RAT

SUMMARY

Phishing domains use lures mimicking Teams, Zoom, Adobe, and Docusign invites and shared links to serve ScreenConnect RAT payloads.

Category

Threat Actor Activities

Industry

Multiple (primarily English-speaking regions such as North America and Europe)

Sources

Internal OSec Research

https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/

https://www.netcraft.com/blog/remote-access-delivery-via-fake-meetings

https://www.malwarebytes.com/blog/scams/2026/02/fake-zoom-meeting-update-silently-installs-surveillance-software

https://www.huntress.com/blog/uptick-bomgar-exploitation

ANALYST COMMENTS

OSec observed threat actor activity using phishing sites that mimic popular meeting applications and document services to serve RMM software for C2 activity. This is likely related to known exploitation that has been ongoing since February of this year. The sites analyzed mimic brands and services such as Zoom, Teams, Google Meet, and document signing and reading services such as Docusign and Adobe Reader. The activity is likely related to a cluster discovered earlier in the year that uses fake meeting invites as its primary lure. The use of English-language content and North American-style naming suggests the cluster is primarily targeting victims in North America and English-speaking regions of Europe.

Research indicates, with high confidence, that initial access is achieved primarily through phishing emails containing fake meeting invites or document-sharing links. These lures redirect users to download a malicious file, either through document sharing themed prompts or fake meeting links that claim the associated software is out of date and requires an update, with the file disguised as an installer. Once executed, a version of ScreenConnect is installed, a remote monitoring and management (RMM) tool pre-configured with attacker-controlled callback locations to establish command-and-control connectivity. A key indicator of this cluster is the consistent use of Shock Hosting (ASN395092) for its network infrastructure. Furthermore, while the phishing landing pages utilize various PHP endpoints, the majority rely on invite.php and download.php, with the latter specifically serving the malicious RMM payload. 

There were some variations in the filenames and payloads provided; however, the majority were variants of the ScreenConnect binary with preconfigured callback locations. Typical callback locations used the screenconnect[.]com domain with a custom company name. The sample analyzed used the callback domain instance-npfqo0-relay.screenconnect[.]com.

Overall, public sources and malware exchange data indicate an increase in ScreenConnect submissions, with a notable spike of activity around April 18th to the 21st. Broader remote monitoring and management tool exploitation is also increasing, with recent vendor reporting noting the use of compromised Bomgar instances in active attacks.

ACTIONABLE GUIDANCE

The threat actor uses legitimate RMM software in their attacks, abusing it to evade detection while carrying out their activities. Detecting differing versions of RMM software, or installations not attributable to administrator activity, should generate alerts and be treated with elevated urgency given recent exploitation trends. Restrict software installation for non-IT users by blocking downloads of executable file types such as .exe and .msi unless explicitly required. Restricting local administrator privileges is essential, as this is a common vector for privilege escalation, particularly where RMM software is concerned. Without group policy restrictions, threat actors can leverage these tools to execute processes with elevated rights and access sensitive data such as credentials and cached secrets, enabling lateral movement. Blocking the Shock Hosting ASN (AS395092) can likely be enforced with minimal disruption and will reduce the risk of this attack succeeding.
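One way to hunt for this activity in web-proxy logs, as an added example that is not OSec tooling or code from the original report (the log format, the approved ScreenConnect instance id and the IP-to-ASN table are assumptions):

```python
"""Detect ScreenConnect phishing-lure and callback indicators in proxy logs.

Added example, not OSec tooling. It applies two checks from the reporting above:
  1. Requests to the /invite.php and /download.php lure endpoints, escalated when
     the destination sits in Shock Hosting's AS395092.
  2. ScreenConnect relay callbacks (instance-<id>-relay.screenconnect.com) whose
     instance id is not on the organisation's approved list.
The log format, the approved instance id and the IP-to-ASN table are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed log format: "<timestamp> <src_ip> <method> <url> <dst_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+) (?P<status>\d{3})$"
)
RELAY_RE = re.compile(r"^instance-(?P<inst>[a-z0-9]+)-relay\.screenconnect\.com$", re.I)
LURE_ENDPOINTS = ("/invite.php", "/download.php")
SHOCK_HOSTING_ASN = 395092

# Assumed: the only ScreenConnect instance the IT team actually operates.
APPROVED_INSTANCES = {"corpit1"}
# Assumed, constructed IP-to-ASN table standing in for a real ASN lookup.
ASN_OF_IP = {"203.0.113.10": SHOCK_HOSTING_ASN, "198.51.100.7": 16509}


@dataclass
class Finding:
    src: str
    reason: str
    url: str


def host_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def path_of(url: str) -> str:
    m = re.match(r"^[a-z]+://[^/]+(/[^?#]*)?", url, re.I)
    return (m.group(1) or "/") if m else url


def analyse(lines):
    """Return one Finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the run
        url, src, dst = m["url"], m["src"], m["dst"]
        host, path = host_of(url), path_of(url)
        if path.lower().endswith(LURE_ENDPOINTS):
            reason = "lure endpoint " + path
            if ASN_OF_IP.get(dst) == SHOCK_HOSTING_ASN:
                reason += " hosted in Shock Hosting AS395092"
            findings.append(Finding(src, reason, url))
        relay = RELAY_RE.match(host)
        if relay and relay["inst"].lower() not in APPROVED_INSTANCES:
            findings.append(Finding(src, "unapproved ScreenConnect relay " + relay["inst"], url))
    return findings


# Constructed sample traffic: one user follows a fake Zoom-update lure, then the
# dropped ScreenConnect build calls back to the relay named in the report.
SAMPLE_LOG = """\
2026-04-20T09:12:01Z 10.0.5.23 GET https://zoom-update-invite.example/invite.php?id=88 203.0.113.10 200
2026-04-20T09:12:09Z 10.0.5.23 GET https://zoom-update-invite.example/download.php?id=88 203.0.113.10 200
2026-04-20T09:13:40Z 10.0.5.23 GET https://instance-npfqo0-relay.screenconnect.com/ 198.51.100.7 200
2026-04-20T09:15:00Z 10.0.7.4 GET https://instance-corpit1-relay.screenconnect.com/ 198.51.100.7 200
2026-04-20T09:16:00Z 10.0.7.4 GET https://www.example.org/index.php 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.src}: {f.reason} ({f.url})")
```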

2. Vercel Breach Claimed by Fake ShinyHunters Group

SUMMARY

Vercel experienced a security breach after a third-party AI tool, Context.ai, was compromised, allowing attackers to access an employee’s Google Workspace account and gain access to some internal systems and non-sensitive data.

Category

Supply Chain Risk

Industry

Technology

Sources

https://securityaffairs.com/191031/data-breach/third-party-ai-hack-triggers-vercel-breach-internal-environments-accessed.html

https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

https://vercel.com/docs/environment-variables/sensitive-environment-variables

https://www.reddit.com/r/webdev/comments/1sqy1k4/holy_crap_vercel_got_hacked_rotate_your_keys_if/

ANALYST COMMENTS

Vercel experienced a security breach due to the compromise of a third-party AI tool, Context.ai. This led to an attacker accessing an employee's Google Workspace account and gaining entry into limited internal systems and non-sensitive data, according to the advisory by Vercel. The attacker demonstrated significant technical skill, moving quickly and effectively within Vercel’s infrastructure, but sensitive environment variables, as defined by the customer, were not compromised due to secure storage methods. In response, Vercel is collaborating with a cybersecurity firm and law enforcement to investigate the breach and recommends users check for suspicious activity, rotate exposed secrets, and enhance security measures.

Vercel stated that credentials and keys have been rotated and that it has found no evidence of tampering in its package repositories, suggesting that any exposed repository credentials may now be stale, as reflected in the reduced pricing of the data. However, this is still likely to affect customers that use Vercel and have not rotated environment keys, particularly organizations that have not marked environment variables as sensitive and may store secrets in them.

ACTIONABLE GUIDANCE

Organizations using Vercel that have not rotated their keys should do so immediately, especially customers that have keys or secrets within their environment variables but have not marked them as sensitive. While it is unlikely that the Vercel repositories are at risk, maintaining an inventory or SBOM (Software Bill of Materials) is also recommended, in addition to enhanced monitoring of the Vercel and Next.js packages in use over the coming months. Additionally, OAuth applications found within an organization’s environment that match the IoC noted above should be investigated and may warrant activating incident response procedures.

3. CISA Flags SD-WAN Flaws as Actively Exploited in Attacks

SUMMARY

A group of Cisco Catalyst SD-WAN vulnerabilities has been added to CISA’s Known Exploited Vulnerabilities catalog. This includes the entries CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128.

Category

Known Exploited Vulnerabilities

Industry

Public Sector and Government Administration, Multiple

Sources

https://www.bleepingcomputer.com/news/security/cisa-flags-new-sd-wan-flaw-as-actively-exploited-in-attacks/

https://www.reddit.com/r/sysadmin/comments/1rm660l/cisco_catalyst_sd_wan_just_got_hit_with_active/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

https://www.vulncheck.com/blog/cisco-sd-wan-manager-vulns

https://www.darkreading.com/vulnerabilities-threats/fake-pocs-risks-cisco-sd-wan

ANALYST COMMENTS

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that government agencies secure their systems against the actively exploited Catalyst SD-WAN Manager vulnerabilities. The exploited vulnerabilities include CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128, bringing the total number of vulnerabilities exploited in the Catalyst SD-WAN appliance this year to four. Below is a brief description of each vulnerability:

  • CVE-2026-20122 – Cisco Catalyst SD-WAN Manager API File Overwrite; CVSS 5.4 (Medium)
  • CVE-2026-20128 – Cisco Catalyst SD-WAN Manager DCA User Takeover; CVSS 7.5 (High)
  • CVE-2026-20133 – Cisco Catalyst SD-WAN Manager API Information Disclosure; CVSS 7.5 (High)

According to public honeypot data, exploitation against Cisco-related devices spiked about two months ago, with a majority of the traffic between March 3rd and March 20th. This trend is supported by our internal honeypot data and aligns with reports on public forums where system administrators warned of active exploitation. CVE-2026-20128 and CVE-2026-20122 have been exploited since March 5th, 2026. Cisco PSIRT advisories were updated this week to reflect current exploitation and the addition of CVE-2026-20133, which was likely exploited in earlier attacks.

ACTIONABLE GUIDANCE

Patches are available from the vendor and should be applied immediately. Additionally, geoblocking should be implemented, as the IPs used for exploitation were related to Russia-based sources and were likely used for mass scanning to identify vulnerable systems. If compromise is suspected, web logs should be examined for artifacts attempting to navigate to the .dca file and for suspicious logins with the user “viptela-reserved-dca”. Hosts with confirmed compromise should be isolated from the network immediately and should trigger an incident response investigation. Given the public availability of the PoC and the ease of exploitation, there is high confidence that multiple threat actors are actively exploiting these vulnerabilities across regions. When conducting investigations, organizations should review activity within the March 1 to April 1 timeframe based on the observed honeypot data.
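A log-triage routine for the two artifacts and the review window named above, as an added example that is not Cisco or OSec code (the access-log format, the .dca path and the login path are assumptions):

```python
"""Triage Catalyst SD-WAN Manager web logs for the artifacts named above.

Added example, not Cisco or OSec tooling. It flags requests that reference a
.dca file and login attempts for the viptela-reserved-dca user, restricted to
the March 1 to April 1, 2026 review window, then ranks source IPs by whether
both artifact types were seen. The log format (combined-style access log with
the submitted username in a trailing quoted field) and the paths are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 1, tzinfo=timezone.utc)
SUSPECT_USER = "viptela-reserved-dca"

# Assumed format: '<src> - - [dd/Mon/yyyy:HH:MM:SS +0000] "GET /path HTTP/1.1" <status> <bytes> "<extra>"'
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<extra>[^"]*)"$'
)
DCA_RE = re.compile(r"\.dca(?:$|[?/&#])", re.I)


def parse_ts(raw: str) -> datetime:
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def triage(lines):
    """Return {src_ip: [description, ...]} for artifacts inside the review window."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if not (WINDOW_START <= ts < WINDOW_END):
            continue  # outside the timeframe the honeypot data points to
        path, status, extra = m["path"], m["status"], m["extra"]
        if DCA_RE.search(path):
            hits[m["src"]].append(f"{ts:%Y-%m-%d %H:%M} .dca request {path} -> HTTP {status}")
        if SUSPECT_USER in extra.lower():
            outcome = "accepted" if status[0] in "23" else "rejected"
            hits[m["src"]].append(f"{ts:%Y-%m-%d %H:%M} login as {SUSPECT_USER} {outcome}")
    return dict(hits)


def prioritise(hits):
    """'high' when a source both touched the .dca file and logged in as the DCA user."""
    ranked = {}
    for src, descs in hits.items():
        kinds = {"dca" if ".dca request" in d else "login" for d in descs}
        ranked[src] = "high" if len(kinds) == 2 else "medium"
    return ranked


# Constructed sample: one source fetches the .dca file then authenticates as the
# reserved user; another only probes; a later April event falls outside the window.
SAMPLE_LOG = """\
198.51.100.23 - - [05/Mar/2026:02:14:07 +0000] "GET /example/session.dca HTTP/1.1" 200 512 "-"
198.51.100.23 - - [05/Mar/2026:02:14:20 +0000] "POST /example/login HTTP/1.1" 302 0 "user=viptela-reserved-dca"
203.0.113.8 - - [12/Mar/2026:11:00:00 +0000] "GET /example/session.dca HTTP/1.1" 404 0 "-"
10.20.0.5 - - [15/Mar/2026:09:30:00 +0000] "POST /example/login HTTP/1.1" 302 0 "user=netadmin"
198.51.100.23 - - [20/Apr/2026:02:14:20 +0000] "POST /example/login HTTP/1.1" 302 0 "user=viptela-reserved-dca"
""".splitlines()

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for src, level in prioritise(hits).items():
        print(src, level, *hits[src], sep="\n  ")
```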

4. UPDATE: Trio of Local Windows Defender Bugs Exploited in the Wild

SUMMARY

Threat actors have taken advantage of a recently disclosed trio of Microsoft Defender bugs following their public disclosure. The vulnerabilities, released by security researcher Nightmare-Eclipse, include two local privilege escalation (LPE) bugs and one denial of service (DoS) bug, each with a PoC targeting Defender.

* Updated April 27th, 2026 with new in-the-wild exploitation data.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://securityaffairs.com/190887/hacking/ai-platform-n8n-abused-for-stealthy-phishing-and-malware-delivery.html

https://www.huntress.com/blog/nightmare-eclipse-intrusion

Internal OSec Research

ANALYST COMMENTS

A security researcher, Nightmare-Eclipse, recently disclosed a trio of Windows-related bugs that affect Microsoft Defender. Two of the bugs (BlueHammer and RedSun) result in local privilege escalation, and the third (UnDefend) results in denial of service (DoS) of Microsoft Defender. According to security researcher reports on social media, all three vulnerabilities have been exploited in the wild. BlueHammer is currently the only vulnerability known to have a patch available (released in April’s Patch Tuesday as CVE-2026-33825).

Public PoC code is available for all three bugs, and no patch is currently known to be available for RedSun or UnDefend. No data is currently available on the specific threat actors that have taken advantage of the bugs; however, it is highly likely that multiple groups have exploited the disclosed vulnerabilities.

Both LPE vulnerabilities (BlueHammer and RedSun) generate EICAR-related detections before full execution, which can serve as a strong indicator of exploitation. Currently known post-exploitation activity consists of typical reconnaissance consistent with common threat actor behavior. Based on lab testing and external research, all Windows versions are likely affected, with greater risk to Windows 10 and 11 workstations.

*Update: New in-the-wild exploitation data added below.

New data suggests that threat actors targeting Fortinet devices are also using these vulnerabilities within their attack chains, with activity observed following the compromise of FortiGate SSL VPN access in known cases. The following indicators have been recorded:

  • 212.232.23[.]69 – Singapore – AS215381 Rockhoster Private Limited – ip-212-232-23-69.rockhoster.net
  • 179.43.140[.]214 – Switzerland – AS51852 Private Layer Inc – hostedby.privatelayer.com
  • 78.29.48[.]29 – Russia – AS8369 Intersvyaz-2 JSC – pool-78-29-48-29.is74.ru
  • staybud.dpdns[.]org – used for proxy tunneling of traffic over port 443

The attackers also overlap with the exploitation of the ActiveMQ vulnerability (CVE-2026-34197) recently added to the CISA KEV catalog. Note that while the threat actors attempted to use all three vulnerabilities (RedSun, BlueHammer, and UnDefend), the reported attempts were not successful.

ACTIONABLE GUIDANCE

Keeping Microsoft Defender and Windows systems up to date ensures the latest protections are applied, including hotfixes released since the vulnerabilities were disclosed. Organizations that suspect compromise should look for instances of Defender that have been disabled, or for EICAR-related detections in Defender’s protection history. Further investigation should focus on reviewing the identified events, particularly those involving the TieringServiceEngine.exe binary. As the vulnerabilities are likely used after initial access, organizations should also look for other indicators such as credential reuse, phishing activity, or other exploitation methods. Any confirmed compromised hosts should be isolated from the network and handled through formal incident response procedures.

*Update: Blocking the newly identified malicious network locations is recommended, in addition to the previously provided guidance.

5. Checkmarx Supply Chain Attack Impacts Bitwarden npm Distribution Path

SUMMARY

Bitwarden CLI version 2026.4.0 was compromised by the Checkmarx supply chain attack, incorporating malicious code that harvested sensitive data, but only users who installed it during a brief window were affected and no vault or production data was compromised.

Category

Supply Chain Risk

Industry

Technology, Financial and Fintech, Public Sector and Government Administration

Sources

https://securityaffairs.com/191215/uncategorized/checkmarx-supply-chain-attack-impacts-bitwarden-npm-distribution-path.html

https://www.aikido.dev/blog/shai-hulud-npm-bitwarden-cli-compromise

https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html

https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127

ANALYST COMMENTS

The Bitwarden CLI was compromised in the Checkmarx supply chain attack, with malicious code in bw1.js introduced through a compromised GitHub Action. The affected version, @bitwarden/cli 2026.4.0, contained a malicious preinstall hook that triggers automatically during npm installation. During installation, the malicious files bw_setup.js and bw1.js harvest credentials and exhibit worm-like propagation behavior. The malware steals sensitive data, including SSH keys, cloud credentials, and npm tokens, and exfiltrates it to a fake Checkmarx domain. Bitwarden confirmed the incident, removed the malicious package, and initiated remediation steps, noting no evidence of compromised vault or production data.

The supply chain incident is likely to cause further downstream disruption. Stolen passwords from recent campaigns will likely be used to identify and access additional GitHub or other package repositories to continue exploitation. These attacks are typically a pre-positioning tactic for major organization compromise. 

Attribution points to Team PCP and the Checkmarx compromise, as stated in multiple reports from vendors and the media. However, the code found within the compromised package includes the string “Shai-Hulud: The Third Coming”, which points to an earlier supply-chain compromise campaign. The malware behavior aligns more closely with Shai-Hulud tactics, while the use of Team PCP-associated domains suggests either collaboration or overlap between the groups. As with similar campaigns, the objective is to steal credentials and secrets, including the following:

  • SSH
  • Git
  • npm
  • Env
  • Bash and shell history
  • AWS, GCP
  • Claude, MCP

The malicious commits used by the threat actors included the string “LongLiveTheResistanceAgainstMachines” or “beautifulcastle”, along with the “gh auth token” shell command, which is used to check for active GitHub CLI tokens.

ACTIONABLE GUIDANCE

The noted time of the compromise was April 22nd (approximately 5:57 PM – 7:30 PM ET), an exploitation window of approximately 90 to 93 minutes. The short window may limit exposure to this malware; however, it is long enough to have infected multiple users, packages, and repositories. If a compromise is suspected, organizations and users should check the primary exfiltration point identified above for suspicious traffic. Those who have confirmed exposure via this campaign or installed the compromised Bitwarden version must immediately rotate all credentials and secrets, while also monitoring their repositories, packages, and accounts for any unauthorized changes. This campaign is likely to target individual developers rather than organizations; however, this is typically a pre-positioning tactic for the further compromise of larger organizations and individuals. This also supports implementing SBOM inventory and management within enterprise environments to audit changes and updates, along with a safelist of approved packages and libraries used within developer projects. If not already in place, ensure that MFA controls exist as an extra layer of security for sensitive accounts, passwords, or secrets.
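An audit of an installed npm tree for the indicators described in this section (the compromised version, the lifecycle hook, and the marker strings), as an added example that is not Bitwarden or OSec code; the sample tree is constructed in a temporary directory and the package name example-lib is a placeholder:

```python
"""Audit an npm install tree for the Bitwarden CLI compromise indicators above.

Added example, not Bitwarden or OSec tooling. It walks every package.json under
a root, flagging the compromised @bitwarden/cli 2026.4.0 release, lifecycle hooks
that run bw_setup.js or bw1.js, and the campaign marker strings quoted in the
report. The sample tree is constructed in a temporary directory; the package
named example-lib is a placeholder.
"""
import json
import tempfile
from pathlib import Path

COMPROMISED = {"@bitwarden/cli": {"2026.4.0"}}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SUSPECT_FILES = ("bw_setup.js", "bw1.js")
MARKERS = ("Shai-Hulud: The Third Coming",
           "LongLiveTheResistanceAgainstMachines",
           "beautifulcastle")


def audit(root):
    """Return [(package_name, finding), ...] for everything under root."""
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable manifests are skipped, not fatal
        name, version = str(meta.get("name", "")), str(meta.get("version", ""))
        if version in COMPROMISED.get(name, ()):
            findings.append((name, f"compromised version {version} installed"))
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = str(scripts.get(hook, ""))
            if any(f in cmd for f in SUSPECT_FILES):
                findings.append((name, f"{hook} hook runs {cmd!r}"))
        for js in sorted(pkg_json.parent.glob("*.js")):
            text = js.read_text(encoding="utf-8", errors="ignore")
            for marker in MARKERS:
                if marker in text:
                    findings.append((name, f"marker {marker!r} in {js.name}"))
    return findings


def build_sample_tree() -> Path:
    """Constructed node_modules tree: one compromised package, one clean placeholder."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    bad = root / "node_modules" / "@bitwarden" / "cli"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@bitwarden/cli", "version": "2026.4.0",
        "scripts": {"preinstall": "node bw_setup.js"},
    }))
    # Harmless stand-in for the dropped file; only the marker string is real.
    (bad / "bw1.js").write_text("const tag = 'Shai-Hulud: The Third Coming';\n")
    good = root / "node_modules" / "example-lib"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "example-lib", "version": "1.0.0"}))
    (good / "index.js").write_text("module.exports = (s) => s;\n")
    return root


if __name__ == "__main__":
    for pkg, finding in audit(build_sample_tree()):
        print(f"{pkg}: {finding}")
```

Point audit() at a real project's node_modules to check an existing install; the version check is exact, so pinned-down ranges in a lockfile still need a separate review.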

6. Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking

SUMMARY

Serial-to-IP converters, which bridge legacy serial equipment to modern networks, contain serious security flaws identified by Forescout Technologies that could enable remote attacks, including device takeover, data tampering, and Denial of Service.

Category

Critical Vulnerabilities

Industry

Manufacturing, Healthcare, Energy, Logistics and Shipping, and environments with heavy IoT/OT use.

Sources

https://www.securityweek.com/serial-to-ip-converter-flaws-expose-ot-and-healthcare-systems-to-hacking/

https://www.forescout.com/press-releases/bridgebreak-forescout-identifies-22-new-vulnerabilities-on-serial-to-ip-converters-and-finds-thousands-exposed-online/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02

https://www.silex.jp/support/security-advisories/2026-001

https://www.forescout.com/resources/bridgebreak-report/

https://www.dragos.com/blog/poland-power-grid-attack-electrum-targets-distributed-energy-2025

Internal OSec Research

ANALYST COMMENTS

Serial-to-IP converters, which bridge legacy serial equipment to modern Ethernet/IP networks, are affected by numerous vulnerabilities, collectively known as BRIDGE:BREAK. These can be exploited for various attacks, including OS command injection, remote code execution, and firmware tampering. The devices, used across sectors such as industrial, healthcare, and energy, can expose critical infrastructure to threats from both internet-exposed systems and local network vulnerabilities. Researchers found 20 new vulnerabilities impacting devices from vendors such as Silex and Lantronix, which have the potential to severely disrupt operations by causing data tampering and denial-of-service conditions. The following vulnerabilities are the most recent affecting Lantronix and Silex devices:

Silex Vulnerabilities:

  • CVE-2026-32955 – SD-330AC Ver.1.42: Stack overrun in authenticated login redirect URL; memory corruption/unintended actions possible; CVSS 8.8 HIGH
  • CVE-2026-32956 – SD-330AC Ver.1.42: Heap overrun in unauthenticated login redirect URL; memory corruption/unintended actions possible; CVSS 9.8 CRITICAL
  • CVE-2026-32957 – SD-330AC Ver.1.42: File upload restriction bypass; unauthenticated arbitrary file upload to temporary memory; CVSS 5.3 MEDIUM
  • CVE-2026-32963 – SD-330AC Ver.1.42: Reflected XSS on system status page; malicious JavaScript injection via web page links; CVSS 6.1 MEDIUM
  • CVE-2026-32958 – SD-330AC Ver.1.42: Hardcoded firmware signing key; tampered firmware accepted as legitimate; CVSS 6.5 MEDIUM
  • CVE-2015-5621 – SD-330AC Ver.1.42: DoS via net-snmp vulnerability; SNMP agent can be prematurely terminated; CVSS 7.5 HIGH
  • CVE-2026-32959 – SD-330AC / AMC Manager Ver.5.0.2: Encryption using constant keystream; man-in-the-middle interception of config data; CVSS 5.9 MEDIUM
  • CVE-2026-32960 – SD-330AC / AMC Manager Ver.5.0.2: Authentication bypass via credential reuse; unauthenticated admin privilege escalation; CVSS 6.5 MEDIUM
  • CVE-2026-32961 – SD-330AC / AMC Manager Ver.5.0.2: Heap overrun via unvalidated data length; potential DoS or remote code execution; CVSS 5.3 MEDIUM
  • CVE-2026-32965 – SD-330AC / AMC Manager Ver.5.0.2: No admin password enforcement; attacker can set password and gain admin privileges; CVSS 7.5 HIGH
  • CVE-2026-32962 – SD-330AC Ver.1.42: Unauthenticated product settings tampering via Serial Device Server Setup; CVSS 5.3 MEDIUM
  • CVE-2024-24487 – SD-330AC Ver.1.42: Unauthenticated product restart via Serial Device Server Setup; DoS possible; CVSS 5.3 MEDIUM
  • CVE-2026-32964 – SD-330AC Ver.1.42: Config injection via Serial Device Server Setup; arbitrary entries insertable into system config files; CVSS 6.5 MEDIUM

Lantronix Vulnerabilities:

  • CVE-2025-67034 – EDS5000 2.1.0.0R3: OS command injection via SSL credential deletion "name" parameter; root execution; CVSS 7.2 HIGH
  • CVE-2025-67035 – EDS5000 2.1.0.0R3: OS command injection on SSH Client/Server pages via delete actions; root execution; CVSS 7.2 HIGH
  • CVE-2025-67036 – EDS5000 2.1.0.0R3: OS command injection via Log Info page filename parameter; root execution; CVSS 7.2 HIGH
  • CVE-2025-67037 – EDS5000 2.1.0.0R3: OS command injection via tunnel kill "tunnel" parameter; root execution; CVSS 7.2 HIGH
  • CVE-2025-67038 – EDS5000 2.1.0.0R3: OS command injection via unsanitized username in failed auth logging; root execution; CVSS 9.8 CRITICAL
  • CVE-2025-67039 – EDS3000PS 3.1.0.0R2: Authentication bypass on management pages via URL suffix + "admin" header; CVSS 9.8 CRITICAL
  • CVE-2025-70082 – EDS3000PS 3.1.0.0R2: Admin password changeable without current password knowledge; chainable with auth bypass; CVSS 2.7 LOW
  • CVE-2025-67041 – EDS3000PS 3.1.0.0R2: OS command injection via unsanitized TFTP client host parameter; root execution; CVSS 7.2 HIGH

It is currently not known whether these vulnerabilities have been abused in the wild. The report data confirms that over 8,000 Lantronix devices are publicly exposed according to Shodan, while only four Silex Technology devices were confirmed through exposed FTP ports and banner information. As a result, threat actors may prioritize Lantronix devices due to their significantly higher level of exposure. The publicly available research in the vendor report for both Silex Technology and Lantronix devices provides enough detail for threat actors to develop or execute exploits in the short term.

Historically, threat actors have leveraged these devices to target critical infrastructure, most notably Poland's power grid. Additionally, over the past year, hacktivist groups have increasingly focused on disrupting OT systems, a trend evidenced by discussions and posts on their Telegram channels and social media platforms. This is especially true of hacktivists such as NoName057(16) (and by extension the volunteers of DDoSia), Z-Pentest-Alliance, Nullsechackers, and vulture_001, who have been linked to exploitation of both OT systems and IP cameras since March. Many of the groups mentioned are likely to have direct or indirect links to Russian state-aligned agencies.

ACTIONABLE GUIDANCE

Both Lantronix and Silex have released patches for the affected devices. Given the high-risk threat profile and the targeted nature of attacks against this technology, it is strongly recommended to deny access from the public internet. Instead, access should be restricted to internal networks or physical connections where feasible to minimize the risk of compromise. This is especially true for manufacturing environments where patch management cycles are inconsistently enforced, or cannot be enforced because of the expense of migrating physical devices and equipment. Any OT technology with network connectivity should be monitored for suspicious activity, particularly across the TFTP, web, and HMI interfaces that are commonly targeted by threat actors. Access logs and timestamps should be retained to maintain an auditable record of activity and to support investigations if an intrusion or compromise is confirmed. The Lantronix vulnerabilities are likely to be abused first, given the simplicity of exploiting most of the issues and the larger attack surface exposed online. Most involve operating system command injection through TFTP ports and HTTP services, so these devices should be prioritized for patching, reducing public exposure, and restricting unnecessary ports.

 
