🔴 Critical April 2, 2026 · 10 min read · KENSAI Security Briefing

Cisco IMC 9.8 Auth Bypass, 14K F5 BIG-IP Exposed to Active RCE, ShareFile Pre-Auth Exploit Chain, Chrome Zero-Day Patched

Cisco drops emergency patches for two CVSS 9.8 flaws in IMC and SSM. Over 14,000 F5 BIG-IP APM instances remain exposed to actively exploited RCE. Progress ShareFile pre-auth exploit chain threatens 30,000 instances. Google patches actively exploited Chrome zero-day. Stryker recovers from Iranian wiper attack. Lapsus$ claims 4TB Mercor breach via LiteLLM supply chain.


1. Cisco IMC & SSM: Dual CVSS 9.8 Critical Patches

⚠️ CRITICAL — CVSS 9.8 — CVE-2026-20093 & CVE-2026-20160

Two maximum-severity flaws allow unauthenticated remote attackers to bypass authentication and execute arbitrary commands with root privileges on Cisco infrastructure.

Cisco released patches Wednesday for two critical vulnerabilities that could give remote attackers full control of affected systems without any authentication.

IMC Authentication Bypass (CVE-2026-20093)

The first flaw resides in Cisco's Integrated Management Controller (IMC), the out-of-band management interface used across multiple Cisco hardware platforms. The vulnerability stems from incorrect handling of password change requests — an attacker can send a crafted HTTP request to bypass authentication entirely, alter any user's password (including Admin), and gain full system access.

Affected products include:

SSM On-Prem Command Injection (CVE-2026-20160)

The second critical flaw affects Smart Software Manager On-Prem (SSM On-Prem), where an unintentionally exposed internal service API allows unauthenticated attackers to execute arbitrary OS commands with root-level privileges. Fixed in SSM On-Prem version 9-202601.

Neither flaw has been exploited in the wild yet, but given the recent weaponization of Cisco vulnerabilities by threat actors, immediate patching is essential.


2. 14,000+ F5 BIG-IP APM Instances Under Active RCE Attack

⚠️ ACTIVELY EXPLOITED — CVE-2025-53521

Originally classified as DoS, now reclassified as RCE. CISA has added it to the Known Exploited Vulnerabilities catalog. Over 14,000 instances remain unpatched.

A 5-month-old vulnerability in F5's BIG-IP Access Policy Manager (APM) has been reclassified from denial-of-service to remote code execution after F5 confirmed active exploitation in the wild.

Shadowserver's latest scans reveal over 17,100 IPs with BIG-IP APM fingerprints exposed to the internet, with more than 14,000 remaining vulnerable. This is despite CISA ordering federal agencies to patch by March 31.

F5 has published IOCs and recommends defenders check disk contents, logs, and terminal history for signs of compromise. Critically, F5 warns that UCS backups created after compromise may contain persistent malware — affected systems should be rebuilt from scratch using known-good configurations.

Key action: If you run BIG-IP APM with access policies on virtual servers, patch immediately. Don't trust backups — rebuild from known-good sources. F5 serves 48 of the Fortune 50.


3. Progress ShareFile Pre-Auth RCE Exploit Chain

🟠 HIGH RISK — CVE-2026-2699 & CVE-2026-2701

Authentication bypass + RCE chain enables unauthenticated attackers to compromise ShareFile Storage Zone Controllers. ~30,000 instances exposed.

Researchers at watchTowr have disclosed a devastating exploit chain in Progress ShareFile, the enterprise file-sharing platform widely used by large organizations. Two vulnerabilities in the Storage Zones Controller (SZC) component can be chained for pre-authentication remote code execution.

The Attack Chain

  1. CVE-2026-2699 (Auth Bypass) — Improper handling of HTTP redirects grants access to the ShareFile admin interface
  2. Attacker modifies Storage Zone configuration, including file storage paths and zone passphrase secrets
  3. CVE-2026-2701 (RCE) — File upload and extraction functionality is abused to plant ASPX webshells in the application webroot

watchTowr's scans identified approximately 30,000 Storage Zone Controller instances exposed on the public internet, while Shadowserver tracks about 700 directly exposed instances, primarily in the US and Europe.

Progress released patches in ShareFile 5.12.4 on March 10. Given the history of file-transfer vulnerabilities being exploited by ransomware gangs (Clop's attacks on MOVEit, GoAnywhere, Cleo, etc.), organizations should treat this as urgent.


4. Chrome Zero-Day CVE-2026-5281 Actively Exploited

⚠️ ZERO-DAY — CVE-2026-5281

Exploited in the wild. Affects Chrome's Dawn (WebGPU) component. Patched alongside 20 other vulnerabilities.

Google has released a Chrome update patching 21 vulnerabilities, including CVE-2026-5281, a zero-day in the Dawn WebGPU implementation that is being actively exploited. The Dawn component handles GPU abstraction for web graphics, making this a particularly dangerous attack vector for drive-by exploitation through malicious web pages.

Users should update Chrome immediately. Enterprise admins should push the update through their management systems.


5. Stryker Recovers from Iranian Wiper Attack — 80,000 Devices Wiped

Medical technology giant Stryker Corporation (Fortune 500, $22.6B revenue) announced it is fully operational again three weeks after a devastating data-wiping attack by the Iranian-linked Handala hacktivist group.

The attackers compromised a Windows domain admin account, created a new Global Administrator account, and wiped nearly 80,000 devices on March 11. Handala claimed to have exfiltrated 50 terabytes of data before the wipe.

The aftermath triggered coordinated responses from CISA (issuing Intune hardening guidance), Microsoft (publishing best practices for Intune security), and the FBI (seizing Handala's data leak sites). Investigators also discovered a previously unknown malicious file used to hide attacker activity within the network.


6. Lapsus$ Claims 4TB Mercor Breach via LiteLLM Supply Chain

AI recruiting firm Mercor is investigating a breach claimed by the Lapsus$ group, who say they stole 4 terabytes of data. The attack vector appears to be a supply chain compromise through LiteLLM, an open-source LLM proxy library used by many AI companies to route API calls across providers.

This highlights the growing risk of AI supply chain attacks — as companies integrate LLM tooling into their infrastructure, each dependency becomes a potential entry point. Organizations using LiteLLM should audit their deployments and check for indicators of compromise.


Also on the Radar

StoryImpact
CrystalRAT MaaS — New malware-as-a-service on Telegram with RAT, stealer, keylogger, and clipboard hijacker capabilitiesMedium
CERT-UA Impersonation — UAC-0255 sent 1M phishing emails posing as CERT-UA to distribute AGEWHEEZE RATMedium
Apple Expands iOS 18.7.7 — DarkSword exploit kit protection now available for more iPhone modelsAdvisory
Residential Proxies — Research shows 78% of 4B sessions using residential proxies evade IP reputation checksIntel
Nacogdoches Memorial Hospital Breach — 250,000 affected by January 2026 network intrusionMedium
Hasbro Cyberattack — Toy giant investigating scope of incident and potential data compromiseMedium
FBI Warns on China-Made Apps — Advisory on data security risks from foreign-developed mobile applicationsAdvisory

Patch Priority Matrix

CVEProductCVSSStatusAction
CVE-2026-20093Cisco IMC9.8Patch AvailablePatch Now
CVE-2026-20160Cisco SSM On-Prem9.8Patch AvailablePatch Now
CVE-2025-53521F5 BIG-IP APMCriticalActively ExploitedEmergency
CVE-2026-2699Progress ShareFileHighPatch AvailablePatch Now
CVE-2026-2701Progress ShareFileHighPatch AvailablePatch Now
CVE-2026-5281Google Chrome (Dawn)HighActively ExploitedEmergency

Stay Ahead of Threats

Daily security briefings delivered by KENSAI — AI-powered threat intelligence for cybersecurity professionals.

Explore KENSAI →

Published by KENSAI Security Briefing · April 2, 2026

Sources: BleepingComputer, The Hacker News, SecurityWeek, Cisco, F5, watchTowr, Google, Shadowserver Foundation

Related Articles

CISAがパッチ期限を短縮、ホワイトハウスがサイバー戦略を改定 AI系统遭受攻击:Gemini Chrome漏洞利用 NIST Cybersecurity Framework Vulnerability Scanning & Assessment