Daily Threat Briefing — 2026-03-30

Attackers are actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform according to Defused threat intelligence. This represents an immediate threat to organizations using FortiClient for endpoint management.

Citrix NetScaler ADC, Gateway, and FIPS appliances configured as SAML IDP contain an out-of-bounds read vulnerability leading to memory overread. Added to CISA KEV catalog indicating active exploitation or significant threat.

Critical server-side template injection in Contact Form by Supsystic plugin (all versions up to 1.7.36) allows remote code execution through unsandboxed Twig template engine exploitation.

OpenOLAT's OpenID Connect implementation fails to verify JWT signatures, silently discarding signatures and accepting unsigned tokens. Enables complete authentication bypass.

Multiple SQL injection vulnerabilities in CI4MS method and group/role management functionality allow attackers to execute arbitrary SQL commands without proper input sanitization.

Vim versions before 9.2.0272 execute arbitrary code immediately upon opening crafted files in default configuration through %{expr} injection in tabpanel lacking P_MLE protection.

The /mcp_message endpoint in Nginx UI MCP integration bypasses authentication while /mcp requires IP whitelisting and auth. Enables unauthorized access to model context protocol functionality.

Reflected XSS in add_stock.php via msg parameter allows remote attackers to inject arbitrary web script or HTML through unsanitized input.

Unauthenticated privilege escalation in Debugger & Troubleshooter plugin (up to 1.3.2) accepts user ID directly from cookie without cryptographic validation, enabling complete account takeover.

Multiple IP addresses distributing Mozi botnet payloads targeting MIPS and ARM architectures through IoT device exploitation. 25+ unique distribution URLs identified across compromised routers and cameras.

Widespread distribution campaign using fake Google verification pages hosted on multiple domains (fabledrift.in.net, skyl1tfern.in.net, mistlatch.in.net, silvershade.in.net, quillspire.in.net, ashenkite.in.net) delivering ACRStealer and ClearFake malware. 25+ malicious URLs identified.

The European Commission confirmed a data breach after the Europa.eu web platform was compromised. ShinyHunters extortion gang claimed responsibility, demonstrating continued targeting of government entities for data theft and extortion operations.

FreeRDP versions prior to 3.24.2 contain multiple heap-buffer-overflow and use-after-free vulnerabilities (CVE-2026-33987, CVE-2026-33986, CVE-2026-33984, CVE-2026-33982) affecting cache and codec handling.

The iconv() function in glibc 2.43 and earlier crashes on IBM1390/IBM1399 character set conversions, enabling remote application crashes. Mitigated by removing affected character sets.

Multiple stack-based buffer overflow vulnerabilities (CVE-2026-5155, CVE-2026-5154, CVE-2026-5152) in Tenda CH22 router firmware affecting parameter handlers, exploitable remotely with public exploits.

Insecure Direct Object Reference in Nginx UI allows authenticated users to access, modify, and delete resources belonging to other users through flawed Model struct implementation.

Authenticated authors in OpenOLAT can inject Velocity directives into reminder email templates, leading to code execution when reminders are processed.

ZTE ZXHN H188A router wizard interface exposes administrator password, WLAN PSK, and other credentials to unauthenticated attackers on the local network.

SQL injection flaws identified in code-projects Accounting System (CVE-2026-5150), YunaiV yudao-cloud (CVE-2026-5147), and SchemaHero (CVE-2026-33643) enabling database compromise.

Server-Side Request Forgery flaws in Invoice Ninja (CVE-2026-29925) and KubePlus (CVE-2026-29954) enable internal network reconnaissance and resource access.