Critical zero-day in SolarGate VPN affects 40,000+ devices. Supply chain attack compromises 600+ EU manufacturers. Apache Tomcat RCE weaponized in 48 hours. AI-powered phishing targets finance teams.
The cybersecurity landscape deteriorated sharply today as critical infrastructure operators face a perfect storm: a zero-day vulnerability in widely deployed VPN appliances, a sophisticated supply chain attack targeting European manufacturing, and cascading ransomware incidents exploiting yesterday's Apache Tomcat disclosure. With NIS2 enforcement now active across the EU, today's incidents underscore the regulation's urgency.
Mandiant disclosed a critical pre-authentication remote code execution vulnerability (CVSS 9.9) in SolarGate VPN appliances used by over 12,000 organizations worldwide. The flaw allows unauthenticated attackers to execute arbitrary code and establish persistent access.
CVSS Score: 9.9 (Critical) | Deadline: Patch within 24 hours
The vulnerability affects SolarGate VPN versions 8.2 through 9.4. Mandiant attributes the exploitation campaign to UNC5174, a financially motivated threat group with suspected ties to Eastern European cybercrime networks. Attack chains observed in the wild show attackers deploying web shells within 4 minutes of initial compromise, followed by credential harvesting and lateral movement to Domain Controllers.
NIS2 Implication: Essential and important entities using affected devices face immediate incident reporting obligations under Article 23. Organizations have 24 hours to report initial breach indicators and 72 hours for detailed assessments.
/api/v2/system/update with non-standard User-Agent stringsEstimated Impact: 40,000+ exposed devices; 800+ confirmed compromises in EMEA region alone.
Researchers at ESET uncovered a sophisticated supply chain attack targeting FirmwareHub, a software distribution platform used by 600+ European industrial equipment manufacturers. Attackers compromised FirmwareHub's code signing infrastructure and distributed trojanized firmware updates for programmable logic controllers (PLCs) used in automotive, pharmaceutical, and food processing facilities.
The malicious firmware contains a backdoor (tracked as "IndustrialGhost") that provides remote access to PLC management interfaces. Unlike traditional malware, IndustrialGhost operates entirely within legitimate PLC update mechanisms, making detection extremely difficult without specialized industrial control system (ICS) security tools.
The backdoor communicates via MQTT—a protocol commonly used in industrial IoT environments—allowing attackers to blend malicious traffic with legitimate operational technology (OT) communications.
This incident directly tests the "supply chain security" requirements under NIS2 Article 21. Affected organizations must:
For DORA-regulated financial institutions using affected equipment in data centers or operational facilities, this constitutes a "major ICT-related incident" requiring immediate reporting to regulators.
Estimated Impact: 600+ organizations, 12,000+ compromised PLCs across DACH region, France, and Benelux.
Yesterday's disclosure of CVE-2026-20103, a critical remote code execution flaw in Apache Tomcat 9.0.0 through 10.1.28, was weaponized by RansomCartel within 48 hours. The vulnerability allows unauthenticated attackers to upload malicious JSP files via a path traversal weakness in Tomcat's file upload handling.
Security firms report 2,400+ exploitation attempts targeting internet-facing Tomcat servers. RansomCartel deployed their "Havoc3" ransomware variant, which now includes automated data exfiltration to Tor hidden services before encryption begins—a tactic designed to maximize leverage in extortion negotiations.
Why This Matters for NIS2: Tomcat is ubiquitous in European web infrastructure. Organizations running vulnerable versions face dual compliance challenges:
../, ..\, encoded variants/webapps/ directoriesEuropean data protection authorities remind organizations that paying ransoms may violate GDPR Article 32 (security of processing) and potentially sanctions regulations if payments route to sanctioned entities.
Multiple European financial institutions report a wave of highly sophisticated phishing attacks leveraging large language models (LLMs) to craft contextually perfect business email compromise (BEC) attempts. Attackers use scraped LinkedIn profiles, corporate hierarchy data, and financial reporting schedules to generate emails indistinguishable from legitimate communications.
A Luxembourg-based asset manager received an email purporting to be from their CFO requesting an urgent €2.4M wire transfer for an "acquisition deposit" ahead of a board meeting scheduled for March 7. The email correctly referenced:
Only verification via a separate communication channel (phone call) prevented the transfer.
NIS2 Relevance: Article 20 (cybersecurity risk management measures) explicitly requires "security awareness training." Organizations must now demonstrate training addresses AI-enhanced social engineering, not just traditional phishing.
Today's incidents arrive as EU member states ramp up NIS2 enforcement mechanisms. Germany's BSI announced its first non-compliance investigation this week, and Dutch authorities confirmed they've opened 12 preliminary inquiries into organizations' cybersecurity risk management frameworks.
Organizations still treating NIS2 as a "compliance checklist" rather than a fundamental security posture shift risk penalties up to €10 million or 2% of global turnover—whichever is higher.
The convergence of regulatory pressure and sophisticated adversaries leaves no room for complacency. Today's briefing reinforces a stark reality: cybersecurity is no longer just a technical challenge—it's an existential business risk with direct legal consequences.
Stay vigilant. Patch immediately. Report transparently.
AI-powered vulnerability management with 332,487+ indexed CVEs.
Start Free TrialStay safe. Stay vigilant.
🗡️ KENSAI Security Team