The Week in Vulnerabilities: SharePoint, Fortinet, OpenClaw, and GPL Odorizers

Mihir Bagwe, Blog – Cyble

23 April 2026, 23:37

Weekly Vulnerability Report, Vulnerability Management

Cyble Research & Intelligence Labs (CRIL) weekly vulnerability report tracked 1,675 vulnerabilities last week, reflecting continued high disclosure volume across enterprise software, cloud services, and emerging AI ecosystems.

Of these, more than 205 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of exploitation and shortening attacker weaponization timelines.

Additionally, 2 vulnerabilities were actively discussed across underground forums and hidden communities, demonstrating continued adversarial focus on high-impact enterprise targets.

A total of 111 vulnerabilities were rated critical under CVSS v3.1, while 34 received critical severity under CVSS v4.0, underscoring the seriousness of newly disclosed issues.

Furthermore, CISA added 10 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial side, CISA issued 3 ICS advisories covering 4 vulnerabilities, impacting Mitsubishi Electric, Contemporary Controls, Sedona Alliance, and GPL Odorizers.

Weekly Vulnerability Report’s Top Flaws

CVE-2026-32201 — Microsoft SharePoint Server (Critical)

CVE-2026-32201 is an actively exploited vulnerability affecting Microsoft SharePoint Server and was included in April 2026 Patch Tuesday disclosures.

Successful exploitation could allow attackers to compromise collaboration environments, access sensitive enterprise content, and establish persistent footholds inside corporate networks.

CVE-2026-21643 — Fortinet FortiClient EMS (Critical)

CVE-2026-21643 is a critical vulnerability affecting Fortinet FortiClient Endpoint Management Server (EMS).

Because EMS platforms centrally manage endpoints, successful exploitation can enable attackers to disrupt security operations, deploy malicious configurations, and gain broad enterprise access.

CVE-2026-35652 — OpenClaw AI Agent Framework (High)

CVE-2026-35652 is a high-severity authorization bypass vulnerability in OpenClaw, an open-source autonomous AI agent framework.

The flaw allows unauthorized external parties to manipulate the AI agent into executing restricted actions without proper authentication, creating risk of workflow abuse, credential exposure, and downstream compromise.

CVE-2026-27304 — Adobe ColdFusion (Critical)

CVE-2026-27304 is a critical improper input validation vulnerability in Adobe ColdFusion.

Attackers can exploit vulnerable web application environments to execute malicious actions, compromise servers, and move laterally through connected systems.

CVE-2026-29145 — Microsoft 365 Outlook Desktop Client (Critical)

CVE-2026-29145 affects Microsoft 365, specifically the Outlook desktop client.

Given Outlook’s role in enterprise communications, exploitation may enable phishing enhancement, malicious payload execution, or unauthorized access to user data.

Trending Exploitation Activity

CVE-2025-0520 — ShowDoc (Critical)

A remote code execution vulnerability in ShowDoc, a popular open-source IT documentation platform, saw a sharp rise in exploitation during April 2026. Attackers are reportedly targeting unpatched servers to deploy web shells and seize control of documentation environments.

CVE-2025-59528 — Flowise (Critical)

A remote code execution flaw in Flowise, a low-code platform for building AI agents and LLM workflows, has been linked to large-scale exploitation targeting more than 12,000 internet-exposed instances.

These cases reinforce the rapid expansion of the AI and developer tooling attack surface.

Vulnerabilities Added to CISA KEV

CISA expanded its KEV catalog with 10 newly listed vulnerabilities this week.

Notable additions include:

  • CVE-2026-32201 — Microsoft SharePoint Server
  • CVE-2026-21643 — Fortinet FortiClient EMS
  • CVE-2026-1340 — Ivanti Endpoint Manager Mobile (EPMM)

The inclusion of collaboration tools, endpoint management systems, and mobile management platforms shows attackers are prioritizing centralized enterprise control layers.

Critical ICS Vulnerabilities

CISA issued 3 ICS advisories covering 4 vulnerabilities, with the majority falling into the high-severity category.

CVE-2025-13926 — Contemporary Controls BASControl20 (Critical)

This vulnerability affects a building automation controller widely deployed across energy facilities, manufacturing plants, and commercial buildings. With a CVSS score of 9.8 and no patch available because the product is obsolete, organizations face limited remediation options beyond replacement or network isolation.

Successful exploitation could allow attackers to manipulate physical systems, disrupt operations, or pivot deeper into OT networks.

CVE-2025-14815 / CVE-2025-14816 — Mitsubishi Electric Platforms (High)

These vulnerabilities expose sensitive configuration and authentication data in plaintext across multiple Mitsubishi Electric products.

An attacker with minimal access could harvest credentials and escalate privileges rapidly, broadening the impact of an initial compromise.

CVE-2026-4436 — GPL Odorizers (High)

A missing authentication flaw in GPL Odorizers could allow unauthorized access to critical functions in systems used within industrial environments.

Impacted Critical Infrastructure Sectors

Analysis of ICS disclosures shows:

  • Critical Manufacturing was impacted in all reported cases
  • Additional cross-sector exposure affected:
    • Commercial Facilities
    • Energy

This concentration highlights how industrial vulnerabilities can create cascading operational risk across interconnected sectors.

Conclusion

This week’s findings highlight several major trends:

  • Continued high-volume vulnerability disclosures
  • Active exploitation confirmed through KEV additions
  • Rising attacks against AI frameworks and developer tooling
  • Persistent weaknesses in industrial control environments
  • Increased focus on centralized enterprise management systems

With 205+ public PoCs, active underground interest, and exploitable OT exposures, organizations face heightened risk across both IT and operational technology environments.

Key Recommendations

  • Prioritize remediation of KEV-listed vulnerabilities immediately
  • Patch externally exposed enterprise systems and collaboration platforms
  • Secure AI agents, automation tools, and developer workflows
  • Harden endpoint and mobile device management infrastructure
  • Segment IT and OT environments to reduce lateral movement
  • Replace or isolate obsolete industrial devices lacking patches
  • Continuously monitor underground forums and threat intelligence feeds
  • Conduct regular vulnerability assessments and penetration testing
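The prioritization these weekly reports argue for (confirmed exploitation via KEV first, then underground discussion, public PoCs and CVSS criticality, and isolation or replacement where no patch exists), as an added Python example that is not Cyble's code or data. The KEV membership, the missing patch and the 9.8 score in the sample follow the reports on this page; every other score and the PoC, underground and exposure flags are constructed assumptions.

```python
"""Vulnerability triage by exploitation evidence.

Added illustration, not Cyble's tooling. Ranks findings using the signals
the weekly reports lead with: CISA KEV inclusion (confirmed exploitation),
public PoC availability, underground-forum discussion and CVSS criticality,
and picks a remediation action that depends on whether a patch exists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    cvss31: float = 0.0             # CVSS v3.1 base score, 0.0 if not scored
    cvss40: float = 0.0             # CVSS v4.0 base score, 0.0 if not scored
    in_kev: bool = False            # listed in CISA KEV
    poc_public: bool = False        # public proof-of-concept exists
    underground: bool = False       # discussed on underground forums
    internet_exposed: bool = False  # asset reachable from the internet
    patch_available: bool = True    # vendor fix exists


def is_critical(f: Finding) -> bool:
    """Critical under either scoring system (both use 9.0 as the floor)."""
    return f.cvss31 >= 9.0 or f.cvss40 >= 9.0


def priority_score(f: Finding) -> int:
    """Higher is more urgent. Weights encode the ordering the reports
    argue for: confirmed exploitation (KEV) outranks any severity score,
    attacker interest and PoCs outrank CVSS alone, exposure amplifies all."""
    score = 0
    if f.in_kev:
        score += 100
    if f.underground:
        score += 40
    if f.poc_public:
        score += 30
    if is_critical(f):
        score += 20
    elif max(f.cvss31, f.cvss40) >= 7.0:
        score += 10
    if f.internet_exposed:
        score += 15
    return score


def tier(f: Finding) -> str:
    """Map a finding to a remediation SLA bucket; KEV is always P1."""
    s = priority_score(f)
    if f.in_kev or s >= 80:
        return "P1"
    if s >= 40:
        return "P2"
    return "P3"


def remediation_action(f: Finding) -> str:
    """Patch when a fix exists; otherwise fall back to the compensating
    controls the reports recommend for obsolete or unpatched devices."""
    return "patch" if f.patch_available else "isolate or replace"


def triage(findings):
    """Return findings sorted most-urgent first, each with tier and action."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [
        {"cve": f.cve, "product": f.product, "score": priority_score(f),
         "tier": tier(f), "action": remediation_action(f)}
        for f in ranked
    ]


# Constructed sample inventory. KEV membership, the missing BASControl20
# patch and its 9.8 score follow the reports; all other scores and the
# PoC/underground/exposure flags are illustrative assumptions.
SAMPLE = [
    Finding("CVE-2026-35652", "OpenClaw", cvss31=8.1, poc_public=True,
            internet_exposed=True),
    Finding("CVE-2026-32201", "Microsoft SharePoint Server", cvss31=9.8,
            in_kev=True, internet_exposed=True),
    Finding("CVE-2025-13926", "Contemporary Controls BASControl20",
            cvss31=9.8, poc_public=True, patch_available=False),
    Finding("CVE-2026-21643", "Fortinet FortiClient EMS", cvss40=9.3,
            in_kev=True, underground=True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["tier"]} {row["score"]:>3} {row["cve"]:<15} '
              f'{row["action"]:<18} {row["product"]}')
```

The weights are a starting point to tune against your own SLAs; the structural point is that KEV membership alone forces P1 and that a missing patch changes the action, not the urgency.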


Cyble’s attack surface management and vulnerability intelligence solutions help organizations identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can strengthen resilience across enterprise and critical infrastructure environments.

The post The Week in Vulnerabilities: SharePoint, Fortinet, OpenClaw, and GPL Odorizers appeared first on Cyble.

Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks, and Critical Exploitation Trends

20 April 2026, 07:33

Monthly Threat Landscape, March 2026

Cyble Research & Intelligence Labs (CRIL) in its monthly threat landscape analysis observed a highly active threat environment throughout March 2026, shaped by large-scale ransomware campaigns, persistent data breach activity, growing initial access brokerage markets, and exploitation of critical vulnerabilities affecting widely deployed enterprise systems.

Threat actors continued to prioritize financial extortion, credential access, and operational disruption, while increasingly targeting sectors rich in sensitive data or dependent on business continuity.

Quick Summary

Key threat trends identified during March 2026 include:

  • 702 ransomware attacks recorded globally.
  • 54 major data breach and leak incidents observed.
  • 20 compromised access sale listings tracked across cybercrime forums.
  • High concentration of attacks against Professional Services, Manufacturing, Retail, and Government sectors.
  • Continued exploitation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Fig 1. Cyber incidents recorded in March 2026 (Data Source: Cyble Blaze AI)

These trends indicate a mature cybercriminal ecosystem where access brokers, ransomware operators, and data leak actors increasingly operate in parallel.

Ransomware Activity Remained the Dominant Threat

CRIL recorded 702 ransomware attacks worldwide in March 2026, reflecting sustained aggression from both established groups and emerging operators.

Top Ransomware Groups

Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom were the top five most active ransomware actors in March 2026.

Fig 2. Top five ransomware actors (Data Source: Cyble Blaze AI)

Together, the top five groups accounted for more than 56% of observed ransomware activity, highlighting strong operational scale and affiliate ecosystems.

Most Targeted Industries

Construction, Professional Services, Manufacturing, Healthcare, and Energy & Utilities were the most targeted sectors by ransomware actors in March 2026.

Fig 3. Top 10 industry-wise attacks by ransomware actors (Data Source: Cyble Blaze AI)

Threat actors continued to combine data theft with operational disruption as a dual-extortion pressure tactic.

In the country-wise breakdown, the United States remained the focal point amid the ongoing geopolitical tensions with Iran.

Fig 4. Top 10 country-wise attacks by ransomware actors (Data Source: Cyble Blaze AI)

Compromised Access Market Expanded

CRIL tracked 20 distinct incidents involving the sale of unauthorized network access on underground forums.

Most Targeted Sectors

  • Professional Services – 25%
  • Retail – 20%
  • IT & ITES
  • Manufacturing

Fig 5. Sector-wise compromised accesses recorded (Data Source: Cyble Blaze AI)

Leading Access Sellers

A small group of actors dominated this market:

  • vexin
  • holyduxy
  • algoyim

These three actors were responsible for over 55% of observed access listings.

This reinforces the role of access brokers as upstream enablers for ransomware, espionage, and fraud operations.

Data Breaches and Leak Markets Remained Active

CRIL observed 54 significant breach and leak incidents during the month.

Most Targeted Sectors

  • Government & Law Enforcement
  • Retail
  • Technology

Fig 6. Sector-wise data breaches and leaks recorded (Data Source: Cyble Blaze AI)

Notable Incidents

Hospitality Holdings – Threat Actor Claimed 5TB Leak

Threat actor “nightly” claimed theft of over 5TB of data, including biometric records, CCTV footage, and financial documents.

South African Government Dataset for Sale

Threat actor XP95 advertised 3.8TB of allegedly stolen provincial government data.

Travel Data Leak

Over 95,000 travel-related records were reportedly exposed, including passports and payment data.

Exploited Vulnerabilities Accelerated Risk

March also saw active exploitation of critical vulnerabilities affecting enterprise technologies.

Notable KEV-listed vulnerabilities included:

  • CVE-2026-20131 – Cisco Secure Firewall Management Center
  • CVE-2025-53521 – F5 BIG-IP APM
  • CVE-2026-20963 – Microsoft SharePoint Server
  • CVE-2026-33017 – Langflow AI
  • CVE-2021-22681 – Rockwell Automation ICS

Key Trend

Attackers exploited both:

  • Newly disclosed zero-days
  • Legacy vulnerabilities from prior years

This showcases widespread failures in patch management and exposure reduction.

Emerging Strategic Threat Developments

AI-Augmented Offensive Operations

Threat actors reportedly used CyberStrikeAI, an open-source AI-native security testing framework, in attacks against Fortinet FortiGate devices across 55 countries, compromising more than 600 appliances.

Supply Chain Malware via npm

North Korean actors were linked to 26 malicious npm packages distributing RAT malware through Pastebin/Vercel-based infrastructure.

Geopolitical Cyber Risk

Iran-linked cyber operations were assessed as likely to increase following regional tensions, with potential ransomware and hacktivist targeting across the Middle East.

Industries Facing Highest Risk

Based on March activity, organizations in the following sectors faced elevated risk:

  • Professional Services
  • Government
  • Manufacturing
  • Retail
  • Healthcare
  • Critical Infrastructure
  • Transportation & Logistics

These sectors combine valuable data, high uptime requirements, or complex supply chains.

Conclusion

The March 2026 threat landscape was defined by scale, specialization, and speed.

Threat actors increasingly leveraged:

  • Access brokerage markets
  • High-volume ransomware operations
  • Large-scale data theft
  • Rapid weaponization of critical vulnerabilities
  • AI-enhanced offensive tooling

The combination of concentrated criminal ecosystems and widespread enterprise exposure creates a sustained high-risk environment for organizations globally.

Key Recommendations

  • Prioritize remediation of KEV-listed vulnerabilities
  • Strengthen identity security and MFA across remote access platforms
  • Monitor for exposed credentials and access sale activity
  • Segment critical networks to reduce lateral movement
  • Conduct tabletop exercises for ransomware response
  • Improve backup resilience and recovery testing
  • Monitor software supply chain ecosystems
  • Expand threat intelligence coverage across dark web and leak forums

Cyble’s threat intelligence, ransomware monitoring, vulnerability intelligence, and attack surface management solutions help organizations proactively identify risks, prioritize remediation, and defend against evolving global threats.

Book your demo now to see it in action!!!

The post Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks, and Critical Exploitation Trends appeared first on Cyble.

The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure

Mihir Bagwe, Blog – Cyble

16 April 2026, 08:02

Weekly Vulnerability Report, Cyble Weekly Vulnerability Report, Vulnerability Intelligence, Vulnerability Management

Cyble Research & Intelligence Labs (CRIL) in its weekly vulnerability report tracked 1,431 bugs last week.

Of these, over 270 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly accelerating exploitation timelines and increasing real-world attack likelihood.

Additionally, 3 vulnerabilities were actively discussed across underground forums, signaling strong adversarial interest and rapid weaponization.

A total of 130 vulnerabilities were rated critical under CVSS v3.1, while 45 were rated critical under CVSS v4.0, reflecting the severity of disclosed issues.

Furthermore, CISA added 3 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial front, CISA issued 5 ICS advisories covering 6 vulnerabilities, impacting vendors such as Siemens, Hitachi Energy, and Yokogawa.

Weekly Vulnerability Report’s Top 5 Vulnerabilities

CVE-2026-32213 — Microsoft Azure AI Foundry (Critical)

CVE-2026-32213 is a critical authorization bypass vulnerability in Microsoft Azure AI Foundry.

The flaw exists in the platform’s authorization logic, allowing unauthenticated attackers to bypass security checks and grant themselves administrative privileges. Successful exploitation enables full control over AI environments and associated resources.

CVE-2026-35022 — Claude Code CLI / Agent SDK (Critical)

CVE-2026-35022 is a critical OS command injection vulnerability affecting Anthropic’s Claude Code CLI and Agent SDK.

The vulnerability allows attackers to inject malicious commands into development workflows, resulting in remote code execution and potential compromise of AI pipelines.

CVE-2026-22738 — Spring AI (Critical)

CVE-2026-22738 is a remote code execution vulnerability in Spring AI caused by improper input sanitization in expression evaluation.

Attackers can inject malicious expressions that are executed by the Spring Expression Language, leading to complete application and server compromise.

CVE-2026-4631 — Cockpit (Critical)

CVE-2026-4631 is an unauthenticated remote code execution vulnerability in Cockpit, a web-based Linux server management interface.

The flaw allows attackers to execute arbitrary commands without authentication, potentially leading to full system takeover in enterprise environments.

CVE-2026-35616 — Fortinet FortiClient EMS (Critical)

CVE-2026-35616 is a critical authentication bypass vulnerability in Fortinet FortiClient EMS.

Attackers can bypass authentication and execute arbitrary commands, leading to complete compromise of endpoint management systems.

Figure (Data Source: Cyble Vision)

Vulnerabilities Added to CISA KEV

CISA continues to expand its KEV catalog, reflecting real-world exploitation trends.

Notable addition:

CVE-2026-35616 — Fortinet FortiClient EMS
This vulnerability enables authentication bypass and remote command execution, making it a high-priority remediation target.

The inclusion of enterprise security tools in KEV highlights attackers’ focus on compromising centralized management systems.

Critical ICS Vulnerabilities

CISA issued 5 ICS advisories covering 6 vulnerabilities, many of which impact critical infrastructure environments.

Figure (Data Source: Cyble Vision)

CVE-2026-1579 — PX4 Autopilot (Critical)

A missing authentication vulnerability allowing attackers to execute critical functions without credentials.

This flaw poses risks to autonomous and unmanned systems, potentially enabling unauthorized control.

CVE-2026-3356 — Anritsu Systems (Critical)

This vulnerability involves missing authentication in Anritsu devices, allowing attackers to gain unauthorized access.

CVE-2025-10492 — Hitachi Energy Ellipse (Critical)

A deserialization vulnerability enabling attackers to execute arbitrary code within industrial systems.

Siemens SICAM 8 (Chained Risk)

Two vulnerabilities affecting Siemens SICAM 8 systems—resource exhaustion and out-of-bounds write—can be chained together.

This creates a denial-of-service risk capable of disrupting industrial processes and operational visibility.

CVE-2025-7741 — Yokogawa CENTUM VP (Medium)

A hard-coded password vulnerability that weakens authentication mechanisms and increases risk of unauthorized access.

Critical Infrastructure Sectors Spotlight

Figure (Data Source: Cyble Vision)

Analysis indicates:

  • Critical Manufacturing appears in 66.7% of vulnerabilities
  • Cross-sector exposure spans:
    • Transportation Systems
    • Emergency Services
    • Defense Industrial Base
    • Communications

This highlights interconnected infrastructure risks, where a single vulnerability can cascade across multiple sectors.

Conclusion

This week’s findings highlight several critical trends:

  • Expansion of vulnerabilities into AI and development ecosystems
  • Increasing exploitation of enterprise management platforms
  • Continued weaknesses in industrial control systems
  • Cross-sector risk amplification in critical infrastructure

With 270+ PoCs, KEV-confirmed exploitation, and emerging threats in AI frameworks, organizations face heightened risk across both digital and physical environments.

Key Recommendations

  • Prioritize vulnerabilities with PoCs and KEV inclusion
  • Secure AI development environments and pipelines
  • Patch enterprise management and remote access systems immediately
  • Implement strict authentication and access control mechanisms
  • Segment IT and OT networks to prevent lateral movement
  • Apply compensating controls for unpatched ICS vulnerabilities
  • Monitor underground forums and threat intelligence feeds
  • Conduct continuous vulnerability assessments and penetration testing


Cyble’s attack surface management and vulnerability intelligence solutions help organizations proactively identify risks, prioritize remediation, and detect emerging threats. By integrating intelligence-driven security strategies, organizations can strengthen resilience across enterprise and critical infrastructure environments.

The post The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure appeared first on Cyble.

The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs

Mihir Bagwe, Blog – Cyble

9 April 2026, 06:13

Weekly Vulnerability Report

Cyble Research & Intelligence Labs (CRIL) weekly vulnerability report tracked 1,960 vulnerabilities last week, reflecting a continued surge in vulnerability disclosures across enterprise and cloud ecosystems.

Of these, 248 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks and accelerating exploitation timelines.

Additionally, at least 5 vulnerabilities were actively discussed across underground forums, indicating strong attacker interest and rapid weaponization.

A total of 214 vulnerabilities were rated critical under CVSS v3.1, while 57 were rated critical under CVSS v4.0.

Furthermore, CISA added 4 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial side, CISA issued 7 ICS advisories covering 10 vulnerabilities, impacting vendors such as Schneider Electric, WAGO, and PTC.

Weekly Vulnerability Report’s Top 5 CVEs

CVE-2026-32917 — OpenClaw (Critical)

CVE-2026-32917 is a critical remote command injection vulnerability affecting OpenClaw, an AI agent framework.

The flaw occurs in the iMessage attachment staging workflow, allowing attackers to inject commands into remote systems. Successful exploitation enables arbitrary command execution, potentially leading to full system compromise.

CVE-2026-4747 — FreeBSD RPCSEC_GSS (Critical)

CVE-2026-4747 is a critical stack-based buffer overflow vulnerability in FreeBSD caused by improper bounds checking in packet handling.

Attackers can send specially crafted requests to trigger a stack overflow, resulting in remote code execution with kernel-level privileges, enabling full system takeover.

CVE-2026-31883 — FreeRDP (Critical)

CVE-2026-31883 is a heap-based buffer overflow vulnerability in FreeRDP’s audio decoding components.

A malicious RDP server or man-in-the-middle attacker can exploit this flaw to execute arbitrary code, potentially compromising remote desktop clients and enterprise environments.

CVE-2026-1207 — Django (High)

CVE-2026-1207 is a SQL injection vulnerability in Django applications using PostGIS RasterField lookups.

Insufficient input validation allows attackers to inject malicious SQL queries, leading to data exposure, modification, and potential lateral movement within backend systems.

CVE-2025-53521 — F5 BIG-IP APM (Critical)

CVE-2025-53521 is a critical vulnerability in F5 BIG-IP Access Policy Manager, initially classified as a DoS flaw but later reclassified as unauthenticated remote code execution following active exploitation.

This vulnerability allows attackers to gain full control of access management systems, posing significant risks to enterprise networks.

Figure: Top 10 Impacted Products (Data Source: Cyble Vision)

Vulnerabilities Added to CISA KEV

CISA continued expanding its KEV catalog, reflecting active exploitation trends.

Notable addition:

CVE-2025-53521 — F5 BIG-IP APM
Initially considered a denial-of-service flaw, it was reclassified as a remote code execution vulnerability after evidence of active exploitation emerged.

This shows how vulnerabilities can evolve in severity over time, reinforcing the need for continuous reassessment and monitoring.

Critical ICS Vulnerabilities

CISA issued 7 ICS advisories covering 10 vulnerabilities, with several rated critical.

Figure: CISA ICS Vendor Spotlight (Data Source: Cyble Vision)

CVE-2026-2417 — Pharos Controls (Critical)

This vulnerability involves missing authentication for critical functions in Mosaic Show Controller firmware.

Attackers can exploit this flaw to gain unauthorized control over industrial systems, potentially disrupting operations.

CVE-2025-49844 — Schneider Electric Plant iT/Brewmaxx (Critical)

A use-after-free vulnerability in Schneider Electric’s industrial automation platform can lead to memory corruption and system compromise.

The presence of multiple vulnerabilities in this platform reflects systemic risk across widely deployed industrial environments.

CVE-2026-3587 — WAGO Managed Switches (Critical)

This vulnerability exposes hidden functionality in industrial switches, potentially enabling attackers to bypass controls and gain unauthorized access.

CVE-2026-4681 — PTC Windchill PDMLink (Critical)

This vulnerability involves improper control of code generation and currently has no available patch, leaving organizations exposed.

Grassroots DICOM (High, Unpatched)

A memory management flaw in Grassroots DICOM impacts healthcare imaging systems, with no vendor patch available, increasing risk to medical infrastructure.

Impacted Critical Infrastructure Sectors

Analysis shows that:

  • Commercial Facilities appear in 70% of ICS vulnerabilities
  • Critical Manufacturing and Energy each account for 60%
  • Healthcare, Communications, and Transportation sectors also face exposure

Figure: Impacted Critical Infrastructure Sectors (Data Source: Cyble Vision)

This distribution shows the strong cross-sector dependencies, where vulnerabilities in industrial platforms can cascade into multiple critical infrastructure domains.

Conclusion

This week’s findings highlight a convergence of:

  • Increasing vulnerability volume and severity
  • Rapid exploitation cycles driven by PoC availability
  • Active underground discussion and weaponization
  • Persistent weaknesses in industrial control systems

With 248 publicly available PoCs, KEV additions confirming active exploitation, and unpatched ICS vulnerabilities, organizations face significant risk across both enterprise IT and operational technology environments.

Key Recommendations

  • Prioritize vulnerabilities based on exploit availability and operational impact
  • Patch critical enterprise systems and externally exposed services immediately
  • Implement strong input validation and secure coding practices
  • Harden remote access and RDP environments
  • Segment IT and OT networks to limit lateral movement
  • Apply compensating controls for unpatched ICS vulnerabilities
  • Continuously monitor threat intelligence and underground forums
  • Conduct regular vulnerability assessments and penetration testing

Cyble’s attack surface management and vulnerability intelligence solutions enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can effectively mitigate evolving risks across enterprise and critical infrastructure environments.

The post The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs appeared first on Cyble.
