April 9, 2026

Weekly Situation Report : 4/6/26

EXECUTIVE SUMMARY

This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.

KEY TAKEAWAYS

  • A critical memory overread vulnerability in Citrix NetScaler is being actively exploited in real-world attacks.
  • Hackers are targeting a critical F5 BIG-IP vulnerability to gain unauthorized access to affected systems.
  • Researchers have attributed the axios supply chain attack to a North Korean state-linked threat group.
  • Cisco source code was stolen following a breach of a development environment linked to Trivy scanning tools.
  • A proof-of-concept exploit has been released for a remote code execution chain affecting Progress ShareFile.
  • The Google “Dawn” vulnerability is being actively exploited in the wild to compromise targeted systems.

1. Critical Citrix NetScaler memory flaw actively exploited in attacks

SUMMARY

Hackers are exploiting a critical vulnerability (CVE-2026-3055) in Citrix NetScaler ADC and Gateway appliances to obtain sensitive data, with confirmed attack activity beginning on March 27th.

Category

Known Exploited Vulnerabilities

Industry

Multiple

Sources

https://www.bleepingcomputer.com/news/security/critical-citrix-netscaler-memory-flaw-actively-exploited-in-attacks/

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

ANALYST COMMENTS

Hackers are exploiting a critical severity vulnerability (CVE-2026-3055) in Citrix NetScaler ADC and Gateway appliances to access sensitive data, specifically affecting versions configured as SAML IDPs. Exploitation has been observed in the wild since March 27, and analysis indicates the issue stems from multiple memory overread flaws impacting both SAML and WS-Federation authentication endpoints. 

Exploitation is trivial and involves requests to the following endpoints:

/saml/login
/wsfed/passive?wctx

By sending SAML requests with minimal content and a crafted ID parameter to these endpoints, a threat actor can issue repeated requests that leak the vulnerable server's memory in the NSC_TASS cookie of the response. Excessively long base64 strings in this cookie may indicate exploitation. If the exploit is in use while an administrator logs into the device, the administrator's session cookie will be leaked.

# Request to trigger exploitation

POST /saml/login HTTP/1.1
Host: 192.168.80.125
Content-Length: 510

SAMLRequest=PHNhbWxwOkF1dGhuUm...snip

# Contents of base64 encoded SAML
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"  
ID="_1"
Version="2.0" ProviderName="my provider" 
Destination="http://watchtowr/saml.php" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
>
  <saml:Issuer>http://watchtowr/saml.php</saml:Issuer>
</samlp:AuthnRequest>

ACTIONABLE GUIDANCE

Patching is required to remediate this issue. The following versions are fixed and not vulnerable:

  • NetScaler ADC and NetScaler Gateway 14.1-60.58
  • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP

If a patch cannot be applied, the recommended workaround is to disable the SAML IDP configuration and restrict access to the SAML endpoints noted above. Blocking known attacker IOCs is also recommended; however, organizations should expect continued exploitation attempts and should monitor the /saml/login and /wsfed/passive?wctx endpoints for signs of activity.
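
As an added illustration of the monitoring advice above (this is example code written for this brief, not Citrix's or watchTowr's), the following Python script flags responses whose NSC_TASS cookie is abnormally long and ranks the finding higher when the preceding request hit one of the two SAML/WS-Federation endpoints. The log format, the sample lines and the length threshold are assumptions made for the example; baseline the threshold against your own appliance logs before alerting on it.

```python
import base64
import re
from dataclasses import dataclass

# Endpoints named in the advisory: requests to these precede the memory overread.
WATCHED_PATHS = ("/saml/login", "/wsfed/passive")

# A legitimate NSC_TASS value is short. The threshold below is an assumption for this
# example; baseline it against your own appliance's logs before alerting on it.
SUSPICIOUS_COOKIE_LEN = 256

# Constructed sample lines in a simplified "METHOD PATH STATUS [NSC_TASS=value]" shape.
# Assumption: NetScaler access/response logs have been normalised to this form first.
SAMPLE_LOG = [
    "POST /saml/login 200 NSC_TASS=" + base64.b64encode(b"normal").decode(),
    "POST /saml/login 200 NSC_TASS=" + base64.b64encode(b"A" * 600).decode(),
    "GET /wsfed/passive?wctx=x 200 NSC_TASS=" + base64.b64encode(b"B" * 400).decode(),
    "GET /index.html 200 NSC_TASS=" + base64.b64encode(b"C" * 600).decode(),
    "GET /index.html 200",
]

LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})(?: NSC_TASS=(?P<cookie>\S+))?$"
)


@dataclass
class Finding:
    line_no: int
    path: str
    cookie_len: int
    reason: str


def is_base64(value: str) -> bool:
    """True if the value is well-formed base64 (the leaked cookie is base64-encoded)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:
        return False


def scan(lines) -> list[Finding]:
    """Flag responses whose NSC_TASS cookie is unusually long; rank by endpoint."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or not m.group("cookie"):
            continue
        cookie = m.group("cookie")
        if len(cookie) < SUSPICIOUS_COOKIE_LEN or not is_base64(cookie):
            continue
        path = m.group("path").split("?", 1)[0]
        if path in WATCHED_PATHS:
            reason = "long NSC_TASS after request to watched SAML/WS-Fed endpoint"
        else:
            reason = "long NSC_TASS on other path (lower confidence)"
        findings.append(Finding(n, path, len(cookie), reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.path} cookie_len={f.cookie_len} - {f.reason}")
```

A long cookie on an unrelated path is still reported, but at lower confidence, because the advisory ties the leak to the SAML request rather than to the path of the response that carries it.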

2. Hackers exploiting critical F5 BIG-IP flaw in attacks

SUMMARY

F5 Networks reclassified a critical vulnerability in BIG-IP APM from a denial-of-service flaw to a remote code execution flaw, with active exploitation observed. Attackers are using it to deploy webshells on unpatched devices, creating significant risk.

Category

Known Exploited Vulnerabilities

Industry

Technology, Public Sector and Government Administration

Sources

https://www.bleepingcomputer.com/news/security/hackers-now-exploit-critical-f5-big-ip-flaw-in-attacks-patch-now/

https://my.f5.com/manage/s/article/K000160486

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-53521

https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor

https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide

ANALYST COMMENTS

F5 Networks has reclassified a vulnerability in BIG-IP APM from a denial-of-service flaw to a critical remote code execution (RCE) issue, and attackers are exploiting it to deploy webshells on unpatched devices. The flaw, tracked as CVE-2025-53521, can be exploited by unauthorized users against BIG-IP APM systems configured on virtual servers. F5 has updated its advisory to warn of the exploitation and has provided indicators of compromise so defenders can check disks, logs, and terminal history for signs of malicious activity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed the flaw as actively exploited and ordered federal agencies to secure their BIG-IP APM systems by a specified deadline, citing the significant risk to the federal enterprise.

At this time, no publicly available proof of concept has been identified, and there is no confirmed attribution to any specific threat actor exploiting this vulnerability.

The vendor-provided IOCs for identifying malicious activity are listed below:

# Files written to disk
/run/bigtlog.pipe
/run/bigstart.ltm

# Files with mismatched file sizes or hashes when compared with known-good versions
/usr/bin/umount
/usr/sbin/httpd

# Generated log entries

/var/log/restjavad-audit.<NUMBER>.log
[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}

This entry shows a local user accessing the iControl REST API from localhost.

/var/log/auditd/audit.log.<NUMBER>
msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This entry shows a local user accessing the iControl REST API from localhost to disable SELinux.

/var/log/audit
user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>

These log messages show an echo of Base64-encoded data written into a file and the execution of /run/bigstart.ltm. This entry shows an example of a command being run in the audit log, correlated to the iControl REST request above.

# Identifying the malicious file
Run lsof -n and look for entries referencing bigtlog.pipe

# Network traffic
HTTP requests from unknown network locations that return a 201 status code.

ACTIONABLE GUIDANCE

Applying the patches for this vulnerability should be prioritized. The following versions are fixed:

  • BIG-IP APM 17.5.1.3
  • BIG-IP APM 17.1.3
  • BIG-IP APM 16.1.6.1
  • BIG-IP APM 15.1.10.8

In addition to applying the patch, these devices should be monitored for anomalous behavior including activity matching the IOCs noted above, unexpected reboots or other system instability, and network traffic from unknown sources. This vulnerability primarily affects APM when configured on a virtual server.
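
To make the IOC hunt above repeatable, here is an added Python example (written for this brief; it is not F5's tooling) that checks a host for the published file paths, searches exported log lines for the three quoted log patterns, and picks the process holding bigtlog.pipe out of `lsof -n` output. The regexes are this example's rendering of the advisory's log entries, and the sample log and lsof lines are constructed; the `<VARIABLE_COMMAND>` placeholder is kept from the advisory rather than filled in.

```python
import os
import re
from typing import Iterable

# File-system IOCs from the vendor advisory.
IOC_FILES = ["/run/bigtlog.pipe", "/run/bigstart.ltm"]

# Log-line patterns. Assumption: these regexes are this example's rendering of the
# advisory's quoted log entries; adjust if your log format differs.
LOG_PATTERNS = {
    "restjavad_bash_from_localhost": re.compile(
        r'"user":"local/f5hubblelcdadmin".*"method":"POST".*'
        r'"uri":"http://localhost:8100/mgmt/tm/util/bash"'
    ),
    "selinux_disabled": re.compile(r"setenforce notice \(enforcing=0\)"),
    "tmsh_util_bash_by_hubble_admin": re.compile(
        r"user=f5hubblelcdadmin .*cmd_data=run util bash"
    ),
}

# Constructed sample lines: benign and IOC-matching entries for each log source.
SAMPLE_LINES = [
    '[ForwarderPassThroughWorker{"user":"local/admin","method":"GET",'
    '"uri":"http://localhost:8100/mgmt/tm/sys/version","status":200,"from":"Unknown"}',
    '[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST",'
    '"uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}',
    "msg='avc: received setenforce notice (enforcing=0) exe=\"/usr/lib/systemd/systemd\" "
    "sauid=0 hostname=? addr=? terminal=?'",
    "user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] "
    "cmd_data=run util bash <VARIABLE_COMMAND>",
    "user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual",
]

# Constructed `lsof -n` output: the advisory says to look for entries holding bigtlog.pipe.
SAMPLE_LSOF = [
    "COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME",
    "httpd   1234 root    5r  FIFO   0,12      0t0 4567 /run/bigtlog.pipe",
    "sshd     900 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)",
]


def scan_log_lines(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line number, pattern name) for every line matching an IOC pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in LOG_PATTERNS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


def find_pipe_holders(lsof_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (command, pid) for processes that have bigtlog.pipe open in lsof output."""
    holders = []
    for line in lsof_lines:
        fields = line.split()
        if len(fields) >= 9 and fields[-1].endswith("bigtlog.pipe"):
            holders.append((fields[0], fields[1]))
    return holders


def check_ioc_files(paths: Iterable[str] = IOC_FILES) -> list[str]:
    """Return which IOC paths exist on this host (empty on a clean host)."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    print("log hits:", scan_log_lines(SAMPLE_LINES))
    print("pipe holders:", find_pipe_holders(SAMPLE_LSOF))
    print("IOC files present:", check_ioc_files())
```

On a real device, feed `scan_log_lines` the contents of the restjavad-audit, auditd and audit logs, and `find_pipe_holders` the captured output of `lsof -n`; a hit on the tmsh pattern should be correlated with the matching iControl REST entry, as the advisory describes.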

3. Axios supply chain attack linked to North Korean group

SUMMARY

North Korean hackers attributed to UNC1069 compromised the widely used JavaScript library Axios through a supply chain attack. The actors published malicious versions of the package that included a remote access trojan capable of executing arbitrary commands and exfiltrating data across various operating systems before self-deleting to evade detection.

Category

Supply Chain Risk

Industry

Technology, Financial and Fintech

Sources

https://therecord.media/google-links-axios-supply-chain-attack-north-korea

https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/

https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package

https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff

https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

https://safedep.io/axios-npm-supply-chain-compromise/

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Internal OSec Collection

ANALYST COMMENTS

Hackers associated with North Korea have compromised the widely-used HTTP client library Axios through a supply chain attack, impacting front-end and back-end systems globally. Researchers attributed this to UNC1069, a financially motivated group known for using sophisticated malware like WAVESHAPER in previous attacks. The malicious versions of Axios injected new dependencies that installed malware capable of executing arbitrary commands, exfiltrating data, and persisting on infected machines across Windows, macOS, and Linux systems.

The Axios supply chain attack is likely to have caused multiple downstream effects on projects. The only indication that the package was malicious was an added dependency, “plain-crypto-js”, in the package.json and package-lock.json files. Once installed, the package detects the host operating system and deploys backdoors tailored to that environment. The initial supply chain compromise occurred through credential theft of the package maintainer’s GitHub and npm accounts. The currently known network IOCs associated with this campaign include the following:

sfrclak[.]com - AS54290, Hostwinds LLC
142.11.206.73:8000 - AS54290, Hostwinds LLC - Beacons out every 60 seconds

The attack window of the supply chain compromise lasted 3 hours and 19 minutes, between 2026-03-31T00:21:58Z and 2026-03-31T03:40:46Z.

The affected Axios versions are 1.14.1 and 0.30.4. The second-stage payloads of the malware create persistence objects in the following locations:

# Windows
%PROGRAMDATA%\system.bat - Persistence, referenced by the MicrosoftUpdate registry key
%PROGRAMDATA%\wt.exe - Persistence
%TEMP%\6202033.vbs
%TEMP%\6202033.ps1
Registry: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate - Persistence

# Linux
/tmp/ld.py
/tmp/.XXXXXX (random 6-char name)

# macOS
/Library/Caches/com.apple.act.mond
/private/tmp/.XXXXXX
/tmp/.XXXXXX.scpt

ACTIONABLE GUIDANCE

Organizations that suspect they have been compromised should check for network communications that run every 60 seconds to domains and addresses over port 8000, to a URL ending in a numerical value (e.g. /6612345), carrying base64-encoded content in a POST request. Projects should be audited against the known exploitation window, including reviewing logs for npm package installations, particularly any installation or update of the Axios package during that period. Proactive security measures should focus on enforcing package inventory controls through defined processes and policies. Any addition or upgrade of packages should go through a vetting process, ideally integrated into development pipelines with auditable change management logs.
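
The lockfile audit recommended above can be scripted. The Python below is an added example for this brief (not Axios project code or npm tooling): it walks a package-lock.json in either the v1 nested layout or the v2/v3 flat layout, reports the two malicious Axios releases and any appearance of the plain-crypto-js dependency, and checks whether an install timestamp falls inside the publication window. Both lockfiles embedded here are constructed for the demonstration.

```python
import json
from datetime import datetime, timezone

# Indicators from the brief: the malicious releases, the injected dependency, and the
# publication window of the compromised versions.
AFFECTED_AXIOS = {"1.14.1", "0.30.4"}
INJECTED_DEP = "plain-crypto-js"
WINDOW_START = datetime(2026, 3, 31, 0, 21, 58, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 31, 3, 40, 46, tzinfo=timezone.utc)

# Constructed lockfiles (not real project files): v3 flat layout and v1 nested layout.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "^1.0.0"}},
    "node_modules/plain-crypto-js": {"version": "1.0.0"},
    "node_modules/follow-redirects": {"version": "1.15.6"}
  }
}""")

SAMPLE_LOCK_V1 = json.loads("""{
  "name": "legacy-app", "lockfileVersion": 1,
  "dependencies": {
    "axios": {"version": "0.30.4", "requires": {"plain-crypto-js": "^1.0.0"},
              "dependencies": {"plain-crypto-js": {"version": "1.0.0"}}}
  }
}""")


def iter_packages(lock):
    """Yield (name, version, dependency names) for every package in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # root project entry, not an installed package
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), set(meta.get("dependencies", {}))
    else:  # lockfileVersion 1: nested tree under "dependencies"
        stack = list(lock.get("dependencies", {}).items())
        while stack:
            name, meta = stack.pop()
            yield name, meta.get("version"), set(meta.get("requires", {}))
            stack.extend(meta.get("dependencies", {}).items())


def audit_lockfile(lock) -> list[str]:
    """Return findings for affected axios versions or the injected dependency."""
    findings = []
    for name, version, deps in iter_packages(lock):
        if name == "axios" and version in AFFECTED_AXIOS:
            findings.append(f"axios {version} is a known-malicious release")
        if name == INJECTED_DEP:
            findings.append(f"{INJECTED_DEP} {version} is present in the dependency tree")
        if INJECTED_DEP in deps:
            findings.append(f"{name} {version} declares a dependency on {INJECTED_DEP}")
    return findings


def installed_in_window(timestamp) -> bool:
    """True when an install time (ISO-8601 string or aware datetime) is in the attack window."""
    if isinstance(timestamp, str):
        timestamp = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return WINDOW_START <= timestamp <= WINDOW_END


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for finding in audit_lockfile(lock):
            print(f"[{label}] {finding}")
    print("install at 2026-03-31T01:00:00Z in window:", installed_in_window("2026-03-31T01:00:00Z"))
```

Run `audit_lockfile(json.load(open("package-lock.json")))` against each project; pair it with `installed_in_window` over the timestamps of CI installs or developer `npm install` runs to scope which builds could have pulled the compromised release.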

4. Cisco source code stolen in Trivy-linked dev environment breach

SUMMARY

Cisco suffered a cyberattack due to stolen credentials from the previous Trivy compromise.

Category

Supply Chain Risk

Industry

Technology, Financial and Fintech, Public Sector and Government Administration, Multiple

Sources

https://www.bleepingcomputer.com/news/security/cisco-source-code-stolen-in-trivy-linked-dev-environment-breach/

https://hackread.com/shinyhunters-hackers-cisco-records-data-leak/

Internal OSec Collection

ANALYST COMMENTS

Cisco experienced a cyberattack where stolen credentials from the Trivy supply chain attack were used to access its internal development environment, resulting in the theft of source code for both Cisco and its customers. The attackers exploited a malicious "GitHub Action plugin" that allowed them to steal data and credentials from the company's build environment, affecting numerous devices including developer workstations. Additionally, over 300 GitHub repositories were cloned during the incident, including those related to AI-powered products like AI Assistants and AI Defense, as well as repositories belonging to corporate customers including banks, BPOs, and US government agencies. Cisco has contained the breach by isolating affected systems, initiating reimaging processes, and rotating compromised credentials.

Regarding Trivy, multiple packages have been compromised, and the full scope of the attack is not yet fully understood. Below is a compiled list of indicators of compromise associated with this activity:

scan.aquasecurtiy.org - Primary C2 domain (typosquat of aquasecurity)
aquasecurtiy - C2 domain fragment (catches partial references)
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io - ICP blockchain C2
tdtqy-oyaaa-aaaae-af2dq-cai - ICP canister ID
45.148.10.212 - C2 IP
45.148.10.122 - C2 IP
models.litellm.cloud - LiteLLM exfiltration
checkmarx.zone - Secondary C2/payload server
souls-entire-defined-routes.trycloudflare.com - Cloudflare tunnel C2
investigation-launches-hearings-copying.trycloudflare.com - Cloudflare tunnel C2
championships-peoples-point-cassette.trycloudflare.com - Cloudflare tunnel C2
create-sensitivity-grad-sequence.trycloudflare.com - Cloudflare tunnel C2
plug-tab-protective-relay.trycloudflare.com - Cloudflare tunnel C2
recv.hackmoltrepeat.com - Theft exfiltration
83.142.209.11 - KICS chain C2 IP (resolves checkmarx.zone)
/tmp/runner_collected_ - Code snippet
tpcp.tar.gz - Exfiltration file sent via C2 servers

# Vulnerable Trivy versions during attack: March 19th to the 23rd

Trivy 0.69.4 
Trivy 0.69.5 
Trivy 0.69.6 

ACTIONABLE GUIDANCE

Organizations should prioritize blocking and hunting for IOCs related to the Trivy and associated campaigns to determine if a compromise has occurred. Longer term, CI/CD pipelines should incorporate stronger controls such as package inventory management, approved package lists, and private repositories to reduce supply chain risk. Given the recent Cisco incident, organizations should assess where Cisco products are deployed and prioritize monitoring for suspicious activity, including unusual login events, unexpected reboots, and unauthorized access to management interfaces. Access to sensitive administrative functions should be restricted to internal networks with minimal exposure to the public internet.
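
For the IOC hunt recommended above, the Python below is an added example written for this brief (not Aqua Security's or Cisco's tooling). It normalises defanged indicators, matches CI log lines against the hosts, IP addresses, domain fragments and file names from the list above, and checks a `trivy --version` string against the three affected releases. The CI log excerpt is constructed for the demonstration; the only indicators it uses are the ones already listed in this section.

```python
import re

# Network and file IOCs copied from the list above in this brief.
IOC_HOSTS = {
    "scan.aquasecurtiy.org",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "models.litellm.cloud",
    "checkmarx.zone",
    "souls-entire-defined-routes.trycloudflare.com",
    "investigation-launches-hearings-copying.trycloudflare.com",
    "championships-peoples-point-cassette.trycloudflare.com",
    "create-sensitivity-grad-sequence.trycloudflare.com",
    "plug-tab-protective-relay.trycloudflare.com",
    "recv.hackmoltrepeat.com",
}
IOC_FRAGMENTS = {"aquasecurtiy", "tdtqy-oyaaa-aaaae-af2dq-cai"}  # partial-match indicators
IOC_IPS = {"45.148.10.212", "45.148.10.122", "83.142.209.11"}
IOC_FILES = {"tpcp.tar.gz", "/tmp/runner_collected_"}
AFFECTED_TRIVY = {"0.69.4", "0.69.5", "0.69.6"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)\b")

# Constructed CI log excerpt (not from any real pipeline); line 1 is deliberately defanged.
SAMPLE_CI_LOG = [
    "2026-03-21T10:02:11Z trivy: downloading DB from hxxps://scan.aquasecurtiy[.]org/db",
    "2026-03-21T10:02:12Z curl: connected to 45.148.10.212 port 443",
    "2026-03-21T10:02:13Z upload tpcp.tar.gz -> https://souls-entire-defined-routes.trycloudflare.com/",
    "2026-03-21T10:02:14Z trivy: downloading DB from ghcr.io/aquasecurity/trivy-db",
]


def refang(text: str) -> str:
    """Undo common defanging so indicators shared as 'example[.]com' still match."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def match_line(line: str) -> set[str]:
    """Return the IOCs (hosts, IPs, file names) found in one log line."""
    line = refang(line)
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in IOC_HOSTS or any(frag in host for frag in IOC_FRAGMENTS):
            hits.add(host)
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(ip)
    for name in IOC_FILES:
        if name in line:
            hits.add(name)
    return hits


def scan_ci_log(lines) -> dict[int, set[str]]:
    """Map line number -> IOCs for every line with at least one hit."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := match_line(line))}


def trivy_version_affected(text: str) -> bool:
    """True if a version string (e.g. `trivy --version` output) names an affected release."""
    m = VERSION_RE.search(text)
    return bool(m) and m.group(1) in AFFECTED_TRIVY


if __name__ == "__main__":
    for n, hits in scan_ci_log(SAMPLE_CI_LOG).items():
        print(f"line {n}: {sorted(hits)}")
    print("Trivy 0.69.5 affected:", trivy_version_affected("Version: 0.69.5"))
```

The fragment list catches hostnames that are not in the exact list (for example a different subdomain of the typosquat domain), which is why the brief publishes the fragments separately; the legitimate ghcr.io download on the last sample line produces no hit.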

5. Progress ShareFile RCE chain vulnerability PoC disclosed

SUMMARY

Two critical vulnerabilities (CVE-2026-2699 and CVE-2026-2701) in Progress ShareFile's Storage Zones Controller enable unauthenticated attackers to gain access and execute remote code, potentially allowing file exfiltration from affected enterprise environments.

Category

Supply Chain Risk

Industry

Multiple

Sources

https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/

Internal OSec Collection

ANALYST COMMENTS

Two vulnerabilities (CVE-2026-2699 and CVE-2026-2701) discovered in Progress ShareFile's Storage Zones Controller component can allow attackers to bypass authentication and execute remote code. These flaws were identified by researchers, who responsibly disclosed them to Progress. The attack chain involves exploiting an authentication bypass flaw to access admin interfaces and then leveraging remote code execution to deploy malicious webshells.

The attack is relatively simple but would require an attacker to make multiple requests to the vulnerable host to fully exploit. It would also require an attacker to create a zone that points to a malicious file storage location for webshell staging, which may provide detection opportunities if zone configurations are regularly audited. While the vulnerable version of the Controller prompts for a current password within the UI, the old password is not validated when requests are sent directly to the API, allowing unauthorized changes. Exploitation requires that the server is authenticated with the ShareFile SaaS. An attacker would need to interact with two primary endpoints to fully exploit this chain:

GET request to /ConfigService/Admin.aspx
GET request to /ConfigService/api/StorageZoneConfig?h=<hmac based on new passphrase>

The following steps are needed in order to successfully chain the vulnerabilities and achieve RCE:

  1. Initial GET to /ConfigService/Admin.aspx
  2. Modify ZoneController URL with POST to /ConfigService/Admin.aspx
  3. ShareFile connects to malicious zone and verifies passphrase
  4. Join zone and use /ConfigService/api/StorageZoneConfig?h=<hmac leak of tempdata2>
  5. Decrypt tempdata2 hmac of zone secret and calculate
  6. Upload webshell with .zip file
  7. Access webshell via <Network-Storage-Location>/files/ul-<query-string-uploadid>/1/

File sharing applications have historically been targeted by threat actors. While this attack is relatively complex, future exploitation remains likely. Current estimates indicate around 30,000 ShareFile hosts are exposed to the internet, primarily in the US and Europe. At this time, public honeypot data shows only minimal targeting of this product.

ACTIONABLE GUIDANCE

Patching this vulnerability should be a priority: there is always a high likelihood of exploitation soon after a disclosure, and file share products such as this one have been targeted by threat actors in the past. The currently known fixed versions include:

  • ShareFile 5.12.4

Exploitation attempts can also be disrupted by restricting access to the identified endpoints and monitoring configuration changes, particularly the creation of new zones. Compromise is likely indicated by requests to the /ConfigService related endpoints followed by the upload of a .zip file via upload.aspx.
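
The compromise indicator described above is a sequence rather than a single request, so it is best expressed as a correlation rule. The Python below is an added example for this brief (not Progress or watchTowr code): it replays reverse-proxy style log lines, remembers the most recent /ConfigService request per source address, and alerts when the same source uploads a .zip through upload.aspx within a configurable window. The log format, the window length, and the sample lines are constructed for the example; in particular, the file name appearing in the upload.aspx query string is part of the constructed sample and not a documented ShareFile parameter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CONFIG_PREFIX = "/ConfigService"
UPLOAD_PATH = "/upload.aspx"
WINDOW = timedelta(minutes=30)  # assumption: how closely the two steps must follow each other

# Constructed log lines in a "TIMESTAMP SRC METHOD PATH STATUS" shape (not real traffic).
SAMPLE_LOG = [
    "2026-04-02T09:00:01Z 203.0.113.10 GET /ConfigService/Admin.aspx 200",
    "2026-04-02T09:00:05Z 203.0.113.10 POST /ConfigService/Admin.aspx 302",
    "2026-04-02T09:01:10Z 203.0.113.10 GET /ConfigService/api/StorageZoneConfig?h=abc 200",
    "2026-04-02T09:03:40Z 203.0.113.10 POST /upload.aspx?uploadid=123&name=shell.zip 200",
    "2026-04-02T09:05:00Z 198.51.100.7 POST /upload.aspx?uploadid=124&name=report.pdf 200",
    "2026-04-02T12:00:00Z 198.51.100.7 GET /ConfigService/Admin.aspx 401",
    "2026-04-02T13:30:00Z 198.51.100.7 POST /upload.aspx?uploadid=125&name=late.zip 200",
]


@dataclass
class Alert:
    source: str
    config_ts: datetime
    config_path: str
    upload_ts: datetime
    upload_path: str


def parse(line: str):
    """Split one constructed log line into (timestamp, source, method, path, status)."""
    ts, src, method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, method, path, int(status)


def correlate(lines) -> list[Alert]:
    """Alert when a source touches /ConfigService and then uploads a .zip within WINDOW."""
    last_config: dict[str, tuple[datetime, str]] = {}
    alerts = []
    for line in lines:
        ts, src, method, path, status = parse(line)
        bare = path.split("?", 1)[0]
        if bare.startswith(CONFIG_PREFIX):
            # Any touch of the config endpoints counts, including rejected (401) attempts.
            last_config[src] = (ts, path)
        elif bare == UPLOAD_PATH and ".zip" in path.lower() and src in last_config:
            cfg_ts, cfg_path = last_config[src]
            if ts - cfg_ts <= WINDOW:
                alerts.append(Alert(src, cfg_ts, cfg_path, ts, path))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a.source}: {a.config_path} at {a.config_ts:%H:%M:%S} "
              f"then {a.upload_path} at {a.upload_ts:%H:%M:%S}")
```

The second source in the sample is not alerted on: its .zip upload comes ninety minutes after its config-endpoint request, outside the window, and its earlier upload is not a .zip. Pair this rule with periodic review of zone configurations, since the chain also requires a new zone pointing at attacker-controlled storage.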

6. Google Dawn Vulnerability Exploited in the Wild

SUMMARY

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical use-after-free flaw in Google Chrome's Dawn component, tracked as CVE-2026-5281, to its Known Exploited Vulnerabilities catalog.

Category

Critical Vulnerability

Industry

Multiple

Sources

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://securityaffairs.com/190282/security/u-s-cisa-adds-a-flaw-in-google-dawn-to-its-known-exploited-vulnerabilities-catalog.html

Internal OSec Collection

ANALYST COMMENTS

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-5281, a use-after-free flaw in Google Chrome's Dawn component prior to version 146.0.7680.178, to its Known Exploited Vulnerabilities catalog due to its potential for remote code execution through crafted HTML pages. Google has released updates to fix this and other vulnerabilities, urging immediate browser updates to mitigate attack risks. CISA mandates federal agencies to address the identified CVE by April 15, 2026, while experts recommend private organizations also review and remediate these vulnerabilities in their systems.

ACTIONABLE GUIDANCE

Administrators should push the update to all browsers so that the latest version of Chrome is running, preventing abuse of this issue. This primarily affects Chrome installations that do not have auto-update enabled and that use the WebGPU API. Fixed versions are Chrome 146.0.7680.178 or later. Because this vulnerability is triggered through malicious web pages, users should carefully validate links and sites before visiting them, including avoiding suspicious email links and verifying that search results and domains are legitimate rather than impersonating trusted brands or software.
