Published: 2026-03-04
CISA flags VMware Aria Operations RCE as actively exploited. Microsoft exposes a sophisticated OAuth redirect attack bypassing MFA. LexisNexis confirms hackers stole 2GB of data including government employee records. Plus: AkzoNobel hit by Anubis ransomware and fake IT support campaigns deploy Havoc C2.
CISA has added a VMware Aria Operations command injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows unauthenticated attackers to execute arbitrary commands, leading to full remote code execution.
CVSS Score: 8.1 (High) | Deadline: March 24, 2026 for federal agencies
The vulnerability exists in the migration service component of VMware Aria Operations. During support-assisted product migration, an unauthenticated actor can inject commands that run as root via a sudoers misconfiguration in vmware-casa-workflow.sh.
Broadcom released patches on February 24 along with a temporary workaround script (aria-ops-rce-workaround.sh) that disables the vulnerable migration components. The company acknowledged reports of active exploitation but stated it "cannot independently confirm their validity."
| CVE | Type | Impact |
|---|---|---|
| CVE-2026-22719 | Command Injection | Unauthenticated RCE |
| CVE-2026-22720 | Stored XSS | Session hijacking |
| CVE-2026-22721 | Privilege Escalation | Admin access |
Microsoft Defender researchers have uncovered a sophisticated campaign where threat actors abuse the legitimate OAuth 2.0 redirect mechanism to bypass email and browser phishing protections. The attacks primarily target government and public-sector organizations.
prompt=none, forcing authentication errorsIn some variants, victims are redirected to a /download path that auto-delivers ZIP files containing malicious .LNK files. These launch PowerShell for reconnaissance before DLL side-loading deploys the final payload.
Key takeaway: This attack abuses intended behavior in the OAuth framework. The error handling mechanism works exactly as the standard specifies — attackers simply weaponize the redirect flow.
Legal data giant LexisNexis Legal & Professional has confirmed hackers breached its AWS infrastructure on February 24 by exploiting the React2Shell vulnerability in an unpatched React frontend application.
Threat actor "FulcrumSec" leaked 2GB of structured data from the breach, claiming access to:
LexisNexis stated the compromised data was "mostly legacy, deprecated data from prior to 2020" and did not include SSNs, financial information, or active passwords. The company says the intrusion has been contained.
Dutch paint and coatings giant AkzoNobel ($12B+ revenue, 35,000 employees, 150+ countries) confirmed a network breach at one of its U.S. sites. The Anubis ransomware gang claims to have exfiltrated 170GB of data including:
Anubis, a RaaS operation active since December 2024, offers affiliates 80% of ransom payments and added a destructive data wiper capability in mid-2025.
Huntress researchers identified a campaign across five organizations where attackers masquerade as IT support staff to deploy the Havoc command-and-control framework. The playbook closely mirrors tactics used by former Black Basta ransomware affiliates:
The speed of lateral movement suggests end goals of data exfiltration or ransomware deployment.
| Story | Impact |
|---|---|
| Iranian strikes on AWS data centers in UAE | Physical infrastructure vulnerability exposed; two facilities directly struck |
| University of Hawaii Cancer Center breach | 1.2M individuals affected; SSNs, health data, voter records stolen |
| Quantum RSA breakthrough | New algorithm suggests RSA decryption feasible sooner than expected |
| Android Qualcomm zero-day patched | Integer overflow in graphics component leads to memory corruption |
| SloppyLemming targets Pakistan & Bangladesh | Dual malware chains targeting government infrastructure |
| Facebook worldwide outage | Accounts unavailable globally on March 3 |
✅ Real-time CVE Monitoring — CVE-2026-22719 indexed and flagged within hours of KEV addition
✅ OAuth Attack Detection — Monitor suspicious OAuth app registrations and redirect patterns
✅ Cloud Infrastructure Scanning — Detect React2Shell and similar web app vulnerabilities before attackers do
✅ Ransomware Readiness — Continuous exposure management against threats like Anubis RaaS
AI-powered vulnerability management with 335,000+ CVEs indexed.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team