Daily Digest

Critical PTC Flaw Triggers Police Mobilization; CISA Adds Exploited AI & Scanner Bugs to KEV Catalog

Critical PTC Flaw Triggers Police Mobilization; CISA Adds Exploited AI & Scanner Bugs to KEV Catalog

March 27, 2026
9 articles (9 new)
27 min read

Summary

This intelligence briefing for March 27, 2026, covers a critical RCE vulnerability (CVE-2026-4681) in PTC Windchill that led to an unprecedented police mobilization in Germany to warn companies. CISA has added two actively exploited flaws to its KEV catalog: a critical RCE in the Langflow AI framework (CVE-2026-33017) and a supply chain vulnerability in the Trivy scanner (CVE-2026-33634). Additionally, reports detail new APT activity from China-linked 'Red Menshen' using the BPFDoor backdoor and Russia's 'Pawn Storm' deploying new 'PRISMEX' malware with a Windows zero-day. Other major events include the emergence of 'Uragan' ransomware, significant cyberattacks on the Port of Vigo and a US Sheriff's office, and a major policy shift by the US Intelligence Community towards a Zero Trust architecture.

Filter by Category

New Articles (9)

Police Physically Warn Firms of Critical Unpatched RCE Flaw in PTC Windchill

CRITICAL

Unprecedented Police Mobilization in Germany Over Critical RCE Flaw (CVE-2026-4681) in PTC Windchill

A critical remote code execution (RCE) vulnerability in PTC's Windchill and FlexPLM software, tracked as CVE-2026-4681 with a CVSS score of 10.0, has prompted an unprecedented response in Germany. Police officers were physically dispatched, some in the middle of the night, to warn companies of the imminent threat. The flaw, which allows unauthenticated remote code execution, has not yet been patched by PTC, though mitigation guidance is available. The U.S. CISA has since issued its own advisory, highlighting the global risk to manufacturing and aerospace sectors.

March 27, 2026
4 min read
CVE-2026-4681PTC WindchillRCEDeserializationCISA +1 more
Police Physically Warn Firms of Critical Unpatched RCE Flaw in PTC Windchill
Vulnerability
Industrial Control Systems
Patch Management

China-Linked 'Red Menshen' APT Creates 'Digital Sleeper Cells' in Telecoms with BPFDoor

HIGH

Chinese APT 'Red Menshen' Uses Stealthy BPFDoor Backdoor for Espionage in Global Telecom Networks

A long-running espionage campaign attributed to a China-linked threat actor dubbed 'Red Menshen' has been uncovered targeting telecommunications providers across the Middle East and Asia. Active since at least 2021, the group utilizes a highly sophisticated and passive Linux backdoor known as BPFDoor. This implant operates at the kernel level and only activates upon receiving a specific 'magic packet,' allowing it to remain dormant and evade detection while creating 'digital sleeper cells' for persistent surveillance and high-level espionage.

March 27, 2026
5 min read
Red MenshenBPFDoorAPTChinaTelecommunications +2 more
China-Linked 'Red Menshen' APT Creates 'Digital Sleeper Cells' in Telecoms with BPFDoor
Threat Actor
Malware
Cyberattack

CISA KEV Alert: Actively Exploited Flaws in Langflow AI Framework and Trivy Scanner

CRITICAL

CISA Adds Actively Exploited Trivy (CVE-2026-33634) and Langflow (CVE-2026-33017) Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The first, CVE-2026-33017, is a critical unauthenticated RCE in the popular AI framework Langflow, which was reportedly exploited within 20 hours of disclosure. The second, CVE-2026-33634, is a supply chain compromise in Aqua Security's Trivy vulnerability scanner where malicious code was embedded. Federal agencies are now required to patch these flaws on an accelerated timeline.

March 27, 2026
5 min read
CISAKEVCVE-2026-33634CVE-2026-33017Langflow +4 more
CISA KEV Alert: Actively Exploited Flaws in Langflow AI Framework and Trivy Scanner
Vulnerability
Supply Chain Attack
Patch Management

Ransomware Dip Masks Alarming Rise in Nation-State Attacks on Critical Infrastructure

HIGH

Waterfall Threat Report 2026: Nation-State Attacks on Critical Infrastructure Double Despite Ransomware Dip

The Waterfall Threat Report 2026 reveals a complex shift in the industrial cyberattack landscape. While publicly recorded cyber incidents against heavy industry with physical consequences fell by 25% in 2025, this masks a more dangerous trend: attacks by nation-states and hacktivists on critical infrastructure doubled during the same period. The report suggests the slowdown in ransomware, the primary cause of such incidents in recent years, is temporary and that these attacks are expected to rebound in 2026.

March 27, 2026
4 min read
Threat ReportNation-StateHacktivismCritical InfrastructureICS +2 more
Ransomware Dip Masks Alarming Rise in Nation-State Attacks on Critical Infrastructure
Threat Intelligence
Industrial Control Systems
Ransomware

New 'Uragan' Ransomware Emerges, Using Double Extortion Against Windows Systems

HIGH

CYFIRMA Discovers New 'Uragan' Ransomware Strain with Double Extortion Tactics

Researchers at CYFIRMA have discovered a new strain of ransomware named 'Uragan' on underground forums. This file-encrypting malware targets Windows systems, appending a '.uragan' extension to encrypted files and dropping a ransom note named 'README.txt'. The operators employ double extortion tactics, threatening to leak sensitive data exfiltrated from the victim's network if the ransom is not paid. No decryption tool is currently available.

March 27, 2026
4 min read
Uragan RansomwareDouble ExtortionWindowsCYFIRMAMalware
New 'Uragan' Ransomware Emerges, Using Double Extortion Against Windows Systems
Ransomware
Malware
Threat Intelligence

Ransomware Attack Cripples Indiana Sheriff's Office, Forcing Full System Rebuild

HIGH

Jackson County, Indiana Sheriff's Office Network Destroyed by Ransomware Attack

The Jackson County Sheriff's Office in Indiana has suffered a devastating ransomware attack that has completely disabled its entire computer network. The attack, believed to have originated from a malicious email, has corrupted all computers, Wi-Fi, and the department's report filing system. Officials have stated they will not pay the ransom and are in the process of wiping all machines, replacing hardware, and rebuilding their IT infrastructure from scratch. Deputies have resorted to manual processes and working from a neighboring police department's facility.

March 27, 2026
5 min read
RansomwareLocal GovernmentIndianaPhishingCyberattack
Ransomware Attack Cripples Indiana Sheriff's Office, Forcing Full System Rebuild
Ransomware
Cyberattack
Phishing

Sophisticated AiTM Phishing Campaign Targets TikTok for Business Accounts to Bypass MFA

HIGH

Adversary-in-the-Middle (AiTM) Phishing Campaign Steals TikTok for Business Credentials and MFA

A sophisticated phishing campaign is actively targeting TikTok for Business accounts using adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication. According to researchers at Push Security, the attack uses a multi-stage process involving Google Storage URLs and Cloudflare CAPTCHA challenges to evade detection and filter out bots. The AiTM phishing kit allows attackers to steal not only usernames and passwords but also session cookies and MFA codes in real-time, enabling complete account takeover for use in fraudulent advertising or malware distribution.

March 27, 2026
5 min read
PhishingAiTMMFA BypassTikTokSession Hijacking +1 more
Sophisticated AiTM Phishing Campaign Targets TikTok for Business Accounts to Bypass MFA
Phishing
Threat Actor
Cloud Security

Ransomware Attack on Spain's Port of Vigo Disrupts Cargo Operations, Forces Manual Processes

HIGH

Ransomware Attack Disrupts Digital Cargo Systems at Spain's Port of Vigo

The Port of Vigo, a major fishing port in Spain, has been hit by a ransomware attack that disrupted its digital cargo management systems. The port authority detected the attack on Tuesday, immediately isolating affected servers to contain the threat. The incident, which involved a ransom demand, has forced some logistical operations to revert to manual, paper-based processes. While physical ship and cargo movements continue, the attack highlights the significant operational strain placed on critical infrastructure when digital systems are compromised.

March 27, 2026
4 min read
RansomwarePort of VigoSpainMaritime SecurityCritical Infrastructure
Ransomware Attack on Spain's Port of Vigo Disrupts Cargo Operations, Forces Manual Processes
Ransomware
Cyberattack
Industrial Control Systems

Russia's Pawn Storm (APT28) Targets Defense Supply Chain with New 'PRISMEX' Malware and Zero-Day

CRITICAL

Pawn Storm (APT28) Deploys New PRISMEX Malware, Exploits Windows Zero-Day (CVE-2026-21513)

The prolific Russia-aligned threat group Pawn Storm (also known as APT28 or Fancy Bear) is conducting a new campaign targeting the defense supply chain of Ukraine and its allies. According to Trend Micro, the group is deploying a new modular malware collection called PRISMEX. This sophisticated toolkit uses advanced evasion techniques like steganography and COM hijacking. The campaign has actively exploited multiple vulnerabilities, including a confirmed zero-day in Microsoft Windows, CVE-2026-21513, underscoring the group's high level of capability and determination.

March 27, 2026
5 min read
Pawn StormAPT28PRISMEXZero-DayCVE-2026-21513 +2 more
Russia's Pawn Storm (APT28) Targets Defense Supply Chain with New 'PRISMEX' Malware and Zero-Day
Threat Actor
Malware
Supply Chain Attack

📢 Share This Publication

Help others stay informed about cybersecurity threats