Executive Summary
The threat landscape this week reflected continued exploitation of critical vulnerabilities across enterprise infrastructure, development tools, and widely used software platforms. Multiple high-impact flaws were observed being actively leveraged in real-world attacks, highlighting persistent adversary focus on high-value targets.
Four vulnerabilities were added to the CISA KEV catalog, affecting Citrix NetScaler ADC, Google Dawn, Trivy, and F5 BIG-IP APM. In parallel, active exploitation was detected in TrueConf video conferencing software, Fortinet FortiClient EMS, and Oracle WebLogic Server, involving vulnerabilities enabling remote code execution and privilege escalation.
Separately, a large-scale supply chain attack targeted Trivy, an open-source tool widely used in CI/CD pipelines, where a vulnerability was exploited by the threat group TeamPCP, with activity first observed on March 19, 2026. Additionally, Check Point Research reported that a vulnerability in TrueConf was exploited as a zero-day in early 2026 as part of the “TrueChaos” campaign, targeting government entities across Southeast Asia, including Thailand, Vietnam, Indonesia, and Malaysia.
Key points:
- 4 vulnerabilities added to the CISA KEV catalog
- Active exploitation detected in TrueConf, Oracle and Fortinet vulnerabilities
- TrueChaos operation leveraged zero-day vulnerability in TrueConf
- Supply Chain Attack via Trivy Impacts CI/CD Pipelines Across Multiple Projects
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-3055 - Out-of-Bounds Read vulnerability in Citrix NetScaler
An Out-of-Bounds Read vulnerability was identified in Citrix NetScaler ADC and Citrix NetScaler Gateway, allowing remote attackers to leak sensitive memory data when devices are configured as a SAML Identity Provider (SAML IDP). The flaw stemmed from insufficient input validation in SAML-related endpoints, including /saml/login and /wsfed/passive, resulting in memory overread and exposure of Base64-encoded data via cookies. Active exploitation was observed in the wild, with attackers sending crafted SAML requests to trigger memory disclosure, following prior reconnaissance activity targeting authentication endpoints. Citrix released patched versions 14.1-66.59, 13.1-62.23, and 13.1-NDcPP 13.1-37.262 to remediate the issue. The vulnerability was subsequently added to the CISA KEV catalog, highlighting its critical impact and exploitation risk.
CVE-2026-3502 - Download of Code Without Integrity Check vulnerability in TrueConf client video conferencing software
A Download of Code Without Integrity Check vulnerability in TrueConf Windows Client (versions prior to 8.5.3) allowed attackers to distribute tampered updates, resulting in arbitrary code execution across connected systems. The flaw stemmed from missing integrity validation in the update mechanism, enabling attackers controlling an on-premises server to push malicious packages without requiring endpoint-level compromise. According to Check Point Software Technologies, the vulnerability was actively exploited in early 2026 as part of the “TrueChaos” campaign, attributed with moderate confidence to a Chinese-nexus threat actor. The attack chain involved DLL side-loading using “7z-x64.dll,” retrieval of additional payloads (“iscsiexe.dll”) from external infrastructure, and execution via “poweriso.exe” to maintain persistence. The campaign is assessed to ultimately deploy the Havoc command-and-control (C2) framework, highlighting abuse of trusted update channels as a scalable malware distribution vector. The vulnerability was patched in version 8.5.3, released in March 2026.
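The root cause above is an update client that trusts whatever the server hands it. The following is an added example, not code from the report or from TrueConf, showing that anti-pattern next to a client that verifies the package against a trusted manifest and refuses downgrades. The package bytes, manifest and version numbers are constructed; the manifest stands in for what would in practice be a vendor-signed artifact whose key is pinned in the client, so that an on-premises relay server cannot forge it.

```python
import hashlib
import hmac

# Constructed sample package and a trusted manifest keyed by version.
# Assumption: in a real client this manifest (or the package) is signed by a
# vendor key pinned in the client, so a relay server cannot forge it. A pinned
# SHA-256 table stands in for that signature here.
GOOD_PACKAGE = b"constructed-update-package-bytes-v8.5.3"
TRUSTED_MANIFEST = {
    "8.5.3": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
}
INSTALLED_VERSION = "8.5.2"  # constructed starting point


class UpdateRejected(Exception):
    """Raised when an offered update fails any integrity or policy check."""


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def vulnerable_apply_update(version, package):
    """Anti-pattern behind CVE-2026-3502: the client installs whatever the
    update server sends. A server under attacker control can therefore push
    arbitrary code to every connected client."""
    return ("installed", version, len(package))


def verified_apply_update(version, package,
                          manifest=TRUSTED_MANIFEST,
                          installed=INSTALLED_VERSION):
    """Accept an update only if it is a known version, is newer than what is
    installed, and its digest matches the trusted manifest byte for byte."""
    if version not in manifest:
        raise UpdateRejected(f"version {version} not in trusted manifest")
    if _version_tuple(version) <= _version_tuple(installed):
        raise UpdateRejected(f"refusing downgrade/replay to {version} "
                             f"(installed {installed})")
    actual = hashlib.sha256(package).hexdigest()
    # compare_digest: constant-time comparison of the two hex digests
    if not hmac.compare_digest(actual, manifest[version]):
        raise UpdateRejected("package digest does not match trusted manifest")
    return ("installed", version, len(package))


def update_outcome(version, package, installed=INSTALLED_VERSION):
    """Convenience wrapper: 'installed' or the rejection reason as a string."""
    try:
        return verified_apply_update(version, package, installed=installed)[0]
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed tampering: a hostile server appends one byte to the package
    tampered = GOOD_PACKAGE + b"\x90"
    print(vulnerable_apply_update("8.5.3", tampered))  # accepted: the bug
    print(update_outcome("8.5.3", GOOD_PACKAGE))       # installed
    print(update_outcome("8.5.3", tampered))           # rejected: digest mismatch
    print(update_outcome("8.5.3", GOOD_PACKAGE, installed="8.5.3"))  # rejected: downgrade
```

The downgrade check matters as much as the digest check: without it, a server could replay an older, genuinely signed package that still carries a known vulnerability.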
CVE-2026-5281 - Use-After-Free vulnerability in Google Dawn
A Use-After-Free vulnerability was identified in Google Dawn, allowing a remote attacker with a compromised renderer process to execute arbitrary code via a crafted HTML page. The flaw affected multiple Chromium-based browsers, including Google Chrome, Microsoft Edge, and Opera, and could lead to browser crashes, data corruption, and abnormal behavior. Google confirmed in-the-wild exploitation but did not disclose details about the threat actors or attack methods. The vulnerability was patched in stable releases (version 146.0.7680.177/178) across Windows, macOS, and Linux, and was subsequently added to the CISA KEV catalog, highlighting its active exploitation and critical risk.
CVE-2026-21643 - SQL Injection vulnerability in Fortinet's FortiClient EMS
An SQL Injection vulnerability was identified in Fortinet FortiClient EMS, allowing unauthenticated attackers to execute arbitrary code via crafted HTTP requests targeting the web interface. The flaw enabled attackers to inject SQL statements through the “Site” header, facilitating low-complexity exploitation. Active exploitation was observed in the wild, as reported by Defused Cyber on X. The issue affected version 7.4.4 and was patched in version 7.4.5. With thousands of exposed instances tracked by Shadowserver Foundation, the vulnerability posed significant risk, prompting urgent recommendations to upgrade affected systems and restrict external exposure.
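Injection through a request header works the same way as through any other untrusted input: the value is concatenated into a statement, so a quote in it changes the query's structure. The example below is added here and is not FortiClient EMS code; the `sites` table, token values and the `Site` header allow-list are constructed assumptions. It shows the vulnerable lookup next to a parameterized one and an edge validation step that a request handler can apply before any query runs.

```python
import re
import sqlite3

# Assumption: a site identifier is a short token of safe characters. Anything
# else is rejected at the edge before it reaches the database layer.
SITE_HEADER_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def build_demo_db():
    """Constructed in-memory schema (hypothetical, not the product's own tables)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (name TEXT PRIMARY KEY, api_token TEXT)")
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?)",
        [("hq", "constructed-token-1"), ("branch-a", "constructed-token-2")],
    )
    conn.commit()
    return conn


def lookup_site_vulnerable(conn, site_header):
    """The weakness: the header value is spliced into the SQL text, so a quote
    in it terminates the literal and the rest is parsed as SQL."""
    sql = f"SELECT name, api_token FROM sites WHERE name = '{site_header}'"
    return conn.execute(sql).fetchall()


def lookup_site_parameterized(conn, site_header):
    """The fix: the driver binds the value as data; it can never alter the query."""
    return conn.execute(
        "SELECT name, api_token FROM sites WHERE name = ?", (site_header,)
    ).fetchall()


def site_header_is_valid(site_header):
    """Defence in depth: allow-list the header's shape so malformed values are
    rejected (and can be logged for detection) before any query is built."""
    return SITE_HEADER_PATTERN.fullmatch(site_header) is not None


def handle_request(conn, headers):
    """Hardened handler: validate the header, then query with parameter binding.
    Returns a (status, rows) pair."""
    site = headers.get("Site", "")
    if not site_header_is_valid(site):
        return ("400 rejected", [])
    return ("200 ok", lookup_site_parameterized(conn, site))


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "x' OR '1'='1"  # constructed header value containing a quote
    print(lookup_site_vulnerable(db, "hq"))         # one row, as intended
    print(lookup_site_vulnerable(db, crafted))      # every row: the query was rewritten
    print(lookup_site_parameterized(db, crafted))   # []: compared as a literal string
    print(handle_request(db, {"Site": crafted}))    # ('400 rejected', [])
```

Parameter binding is the actual fix; the allow-list is a second layer that also gives the SOC a clean signal (rejected `Site` values) to alert on while patches roll out.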
CVE-2026-21962 - Unauthenticated Remote Code Execution vulnerability in Oracle WebLogic Server
An Unauthenticated Remote Code Execution vulnerability in Oracle WebLogic Server allows attackers to execute arbitrary OS commands via crafted HTTP requests due to improper input validation in console web components. According to CloudSEK, the flaw posed a critical risk as exploitation required no authentication and granted full control over the affected server and host system. Following the public release of exploit code on January 22, 2026, rapid in-the-wild exploitation was observed, with initial attacks detected the same day and broader scanning activity beginning shortly after. CloudSEK’s honeypot data revealed attackers leveraging VPS infrastructure to conduct coordinated exploitation attempts. Oracle Corporation addressed the vulnerability in its January 2026 Critical Patch Update advisory; on unpatched systems, the flaw enabled data theft, malware deployment, and persistent backdoor installation, emphasizing the urgency of immediate patching to prevent full system compromise.
CVE-2026-33634 - Embedded Malicious Code vulnerability in Aquasecurity Trivy
An Embedded Malicious Code vulnerability in Trivy enabled a large-scale supply chain attack, allowing attackers to access sensitive CI/CD data including tokens, SSH keys, cloud credentials, and database secrets. The campaign, attributed to TeamPCP, began on March 19, 2026, leveraging previously stolen credentials to gain persistent access to Aqua Security’s repositories and inject malicious code into trusted pipeline components. Attackers tampered with GitHub Action tags, distributed a malicious Trivy binary, and deployed credential-stealing malware, backdoors in Kubernetes clusters, and the self-propagating CanisterWorm, with destructive logic targeting specific regions. The campaign later expanded to compromise Checkmarx tools and malicious LiteLLM PyPI packages, affecting over 20,000 repositories and hundreds of thousands of accounts. Aqua Security, Checkmarx, and LiteLLM rapidly remediated the compromises by removing malicious artifacts, rotating credentials, and securing affected components. Due to its widespread impact and active exploitation, the vulnerability was added to the CISA KEV catalog.
CVE-2025-53521 - Remote Code Execution vulnerability in F5 BIG-IP
A Remote Code Execution vulnerability was identified in F5 BIG-IP APM, where malicious traffic targeting systems with configured access policies could enable unauthorized code execution. Initially classified as a denial-of-service issue, the flaw was later reclassified as RCE following new findings in March 2026, with confirmed in-the-wild exploitation. F5 released patched versions and shared indicators of compromise, including suspicious file artifacts, modified binaries, audit log anomalies, and evidence of webshell or in-memory execution activity. The vulnerability can lead to full system compromise, persistence, and data exposure. According to Shadowserver Foundation, over 240,000 BIG-IP instances remain exposed online, highlighting the scale of potential risk. The vulnerability was subsequently added to the CISA KEV catalog.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
TrueChaos operation leveraged zero-day vulnerability in TrueConf
According to Check Point Research, CVE-2026-3502 was exploited as a zero-day in early 2026 as part of the “TrueChaos” campaign targeting government entities in Southeast Asia, including countries such as Thailand, Vietnam, Indonesia, and Malaysia. The vulnerability in the TrueConf Windows Client update mechanism allowed attackers controlling on-premises servers to distribute malicious updates, enabling arbitrary code execution across connected endpoints without authentication. The campaign leveraged DLL side-loading techniques, deploying implants such as “7z-x64.dll” for reconnaissance, persistence, and payload retrieval from external infrastructure. Attribution to a Chinese-nexus threat actor was supported by tactics including the use of Alibaba Cloud and Tencent infrastructure, along with overlaps with ShadowPad activity targeting the same victims. The operation is assessed to ultimately deploy the Havoc command-and-control (C2) framework, demonstrating how trusted update channels can be weaponized for large-scale compromise.
Supply Chain Attack via Trivy Impacts CI/CD Pipelines Across Multiple Projects
According to Sysdig, a sophisticated and wide-reaching supply chain attack was carried out by the threat group TeamPCP beginning March 19, 2026, targeting Trivy, an open-source vulnerability scanning tool widely integrated into CI/CD pipelines. TeamPCP leveraged credentials stolen during a prior Trivy compromise in late February 2026 to forcibly override 76 out of 77 version tags in the aquasecurity/trivy-action repository and all 7 tags in aquasecurity/setup-trivy, silently redirecting trusted pipeline versions to malicious commits while release metadata showed no visible changes. The group subsequently expanded their campaign to compromise Checkmarx KICS GitHub Actions, Checkmarx AST, and OpenVSX extensions, and directly published malicious versions of the LiteLLM AI gateway library (v1.82.7 and v1.82.8) to PyPI on March 24, 2026, embedding credential-stealing malware in proxy_server.py that exfiltrated stolen data to models.litellm[.]cloud. As part of their post-exploitation activity, TeamPCP deployed the PCP InfoStealer across compromised environments to harvest SSH keys, cloud access tokens, and cryptocurrency wallets, while also deploying persistent backdoors in Kubernetes clusters and launching the self-replicating CanisterWorm across the JavaScript npm ecosystem. Notably, the attackers' code contained destructive logic that wiped entire Kubernetes clusters and all associated nodes if Farsi was detected as the primary language or the Tehran time zone was identified on the compromised system. In total, more than 20,000 repositories were considered potentially vulnerable, with the attackers claiming to have exfiltrated hundreds of gigabytes of data and over 500,000 compromised accounts.
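Both the CVE-2026-33634 entry above and this section turn on the same mechanism: a workflow that references an action by tag keeps running whatever commit the tag points at today, and moving a tag leaves release metadata untouched. The script below is an added example, not Sysdig's, Aqua Security's or GitHub's code. It audits a workflow for tag-based `uses:` references, compares recorded tag-to-SHA pairs against a current resolution to catch moved tags, and rewrites references to commit SHAs. The workflow text, the tag names (`0.0.0-example`, `v0.0.0-example`) and every SHA are constructed placeholders; the `resolve_tag` callable stands in for `git ls-remote` against the real repository.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` lines in a GitHub Actions workflow; group 1 is the indentation
# and key, group 2 the reference. Only spaces/tabs, so a match never spans lines.
USES_RE = re.compile(r"^([ \t]*-?[ \t]*uses:[ \t]*)['\"]?([^\s'\"#]+)['\"]?",
                     re.MULTILINE)

# Constructed workflow: tags are placeholders, the checkout SHA is a dummy.
WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: aquasecurity/setup-trivy@v0.0.0-example
      - name: Trivy scan
        uses: aquasecurity/trivy-action@0.0.0-example
        with:
          scan-type: fs
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""

# Constructed lock: the SHA each tag pointed at when the workflow was reviewed.
LOCK = {
    "aquasecurity/setup-trivy@v0.0.0-example": "b" * 40,
    "aquasecurity/trivy-action@0.0.0-example": "c" * 40,
}
# Constructed "current" resolution: the trivy-action tag has been moved.
CURRENT_RESOLUTION = {
    "aquasecurity/setup-trivy@v0.0.0-example": "b" * 40,
    "aquasecurity/trivy-action@0.0.0-example": "d" * 40,
}


def remote_action_refs(workflow_text):
    """Yield each `uses:` reference to a GitHub-hosted action, skipping local
    paths and docker:// images (tag moves in a repo do not affect those)."""
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        yield ref


def find_unpinned_uses(workflow_text):
    """Return references that use a mutable tag or branch instead of a 40-hex SHA."""
    unpinned = []
    for ref in remote_action_refs(workflow_text):
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def detect_tag_drift(lock, resolve_tag):
    """Compare each recorded tag->SHA pair with what the tag resolves to now.
    A mismatch means the tag was moved after it was recorded, which is exactly
    what a release page will not show you."""
    drifted = []
    for ref, recorded_sha in lock.items():
        current_sha = resolve_tag(ref)
        if current_sha != recorded_sha:
            drifted.append((ref, recorded_sha, current_sha))
    return drifted


def pin_workflow(workflow_text, lock):
    """Rewrite tag references to the SHA recorded in the lock, keeping the tag
    as a trailing comment so the intended version stays readable."""
    def repl(match):
        prefix, ref = match.group(1), match.group(2)
        action, _, tag = ref.partition("@")
        if ref in lock and not SHA_RE.match(tag):
            return f"{prefix}{action}@{lock[ref]}  # {tag}"
        return match.group(0)
    return USES_RE.sub(repl, workflow_text)


if __name__ == "__main__":
    print("unpinned:", find_unpinned_uses(WORKFLOW))
    print("drift:", detect_tag_drift(LOCK, CURRENT_RESOLUTION.get))
    print(pin_workflow(WORKFLOW, LOCK))
```

Pinning to a SHA removes the tag as a trust anchor but does not by itself catch a compromised commit; the drift check is the control that would have flagged the rewritten tags while the release pages still looked unchanged.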
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
Collectively, these developments highlight a threat landscape driven by active exploitation, supply chain compromises, and coordinated campaigns targeting critical platforms. The convergence of KEV-listed vulnerabilities and real-world attacks underscores the need for rapid remediation and continuous visibility. Leveraging platforms like Loginsoft Vulnerability Intelligence (LOVI) enables organizations to track exploited vulnerabilities in real time, prioritize risks, and strengthen proactive defense strategies.
FAQs:
1) What is Google Dawn?
Google Dawn is an open-source implementation of the WebGPU standard, developed by Google to enable high-performance graphics and compute operations in web browsers. It acts as a bridge between web applications and the system’s GPU, allowing developers to build advanced graphics, gaming, and machine learning workloads directly in the browser. Dawn is used in Chromium-based browsers and plays a key role in modern web rendering and GPU acceleration.
2) What is F5 BIG-IP?
F5 BIG-IP is an application delivery and security platform developed by F5 that manages traffic, ensures availability, and protects applications and APIs. It provides capabilities such as load balancing, SSL offloading, access control, and web application firewall (WAF) functionality. BIG-IP is widely used by enterprises to secure and optimize application performance across on-premises and cloud environments.
3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
4) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
5) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.