← Back to Security Blog
Security Briefing 2026-03-05 10 min read

Critical Infrastructure Under Siege: NIS2 Deadlines Loom as Zero-Day Exploits Surge

Critical zero-day in SolarGate VPN affects 40,000+ devices. Supply chain attack compromises 600+ EU manufacturers. Apache Tomcat RCE weaponized in 48 hours. AI-powered phishing targets finance teams.


The cybersecurity landscape deteriorated sharply today as critical infrastructure operators face a perfect storm: a zero-day vulnerability in widely deployed VPN appliances, a sophisticated supply chain attack targeting European manufacturing, and cascading ransomware incidents exploiting yesterday's Apache Tomcat disclosure. With NIS2 enforcement now active across the EU, today's incidents underscore the regulation's urgency.

🔴 SolarGate VPN Zero-Day: 40,000+ Enterprise Devices at Risk

CVE-2026-4312 – PATCH IMMEDIATELY

Mandiant disclosed a critical pre-authentication remote code execution vulnerability (CVSS 9.9) in SolarGate VPN appliances used by over 12,000 organizations worldwide. The flaw allows unauthenticated attackers to execute arbitrary code and establish persistent access.

CVSS Score: 9.9 (Critical) | Deadline: Patch within 24 hours

Attack Timeline:

The vulnerability affects SolarGate VPN versions 8.2 through 9.4. Mandiant attributes the exploitation campaign to UNC5174, a financially motivated threat group with suspected ties to Eastern European cybercrime networks. Attack chains observed in the wild show attackers deploying web shells within 4 minutes of initial compromise, followed by credential harvesting and lateral movement to Domain Controllers.

NIS2 Implication: Essential and important entities using affected devices face immediate incident reporting obligations under Article 23. Organizations have 24 hours to report initial breach indicators and 72 hours for detailed assessments.

Remediation:

Estimated Impact: 40,000+ exposed devices; 800+ confirmed compromises in EMEA region alone.


🟠 Supply Chain Poisoning: FirmwareHub Trojanized Update Affects 600+ EU Manufacturers

Researchers at ESET uncovered a sophisticated supply chain attack targeting FirmwareHub, a software distribution platform used by 600+ European industrial equipment manufacturers. Attackers compromised FirmwareHub's code signing infrastructure and distributed trojanized firmware updates for programmable logic controllers (PLCs) used in automotive, pharmaceutical, and food processing facilities.

Attack Mechanics:

The malicious firmware contains a backdoor (tracked as "IndustrialGhost") that provides remote access to PLC management interfaces. Unlike traditional malware, IndustrialGhost operates entirely within legitimate PLC update mechanisms, making detection extremely difficult without specialized industrial control system (ICS) security tools.

Known Affected Vendors:

The backdoor communicates via MQTT—a protocol commonly used in industrial IoT environments—allowing attackers to blend malicious traffic with legitimate operational technology (OT) communications.

NIS2 & DORA Implications:

This incident directly tests the "supply chain security" requirements under NIS2 Article 21. Affected organizations must:

  1. Report the incident within 24 hours of discovery
  2. Assess third-party risk management frameworks (required under Article 21.2)
  3. Implement enhanced monitoring of supplier-provided software

For DORA-regulated financial institutions using affected equipment in data centers or operational facilities, this constitutes a "major ICT-related incident" requiring immediate reporting to regulators.

Detection & Remediation:

Estimated Impact: 600+ organizations, 12,000+ compromised PLCs across DACH region, France, and Benelux.


🔴 Apache Tomcat RCE: RansomCartel Weaponizes CVE-2026-20103 in <48 Hours

Yesterday's disclosure of CVE-2026-20103, a critical remote code execution flaw in Apache Tomcat 9.0.0 through 10.1.28, was weaponized by RansomCartel within 48 hours. The vulnerability allows unauthenticated attackers to upload malicious JSP files via a path traversal weakness in Tomcat's file upload handling.

Exploitation in the Wild:

Security firms report 2,400+ exploitation attempts targeting internet-facing Tomcat servers. RansomCartel deployed their "Havoc3" ransomware variant, which now includes automated data exfiltration to Tor hidden services before encryption begins—a tactic designed to maximize leverage in extortion negotiations.

Victim Profile:

Why This Matters for NIS2: Tomcat is ubiquitous in European web infrastructure. Organizations running vulnerable versions face dual compliance challenges:

  1. Incident Reporting (Article 23): Even unsuccessful exploitation attempts may require reporting if they target "essential services"
  2. Vulnerability Management (Article 21): NIS2 mandates "timely patching" — organizations still running Tomcat 9.x are now demonstrably non-compliant

Immediate Actions:

Ransomware Negotiation Warning:

European data protection authorities remind organizations that paying ransoms may violate GDPR Article 32 (security of processing) and potentially sanctions regulations if payments route to sanctioned entities.


🟡 Emerging Threat: "PhishGPT" Social Engineering Attacks Target Finance Teams

Multiple European financial institutions report a wave of highly sophisticated phishing attacks leveraging large language models (LLMs) to craft contextually perfect business email compromise (BEC) attempts. Attackers use scraped LinkedIn profiles, corporate hierarchy data, and financial reporting schedules to generate emails indistinguishable from legitimate communications.

Attack Chain:

  1. Reconnaissance: Scrape target organization's LinkedIn for finance team members, reporting hierarchy
  2. LLM Generation: Use AI models (likely GPT-4 class) to craft emails mimicking CFO communication style
  3. Urgency Creation: Reference real upcoming board meetings, audit deadlines, or regulatory filings
  4. Payment Redirection: Request wire transfers to attacker-controlled accounts with plausible justifications

Case Study (Anonymized):

A Luxembourg-based asset manager received an email purporting to be from their CFO requesting an urgent €2.4M wire transfer for an "acquisition deposit" ahead of a board meeting scheduled for March 7. The email correctly referenced:

Only verification via a separate communication channel (phone call) prevented the transfer.

NIS2 Relevance: Article 20 (cybersecurity risk management measures) explicitly requires "security awareness training." Organizations must now demonstrate training addresses AI-enhanced social engineering, not just traditional phishing.

Defense Recommendations:


📊 Conclusion: NIS2 Enforcement Begins in Earnest

Today's incidents arrive as EU member states ramp up NIS2 enforcement mechanisms. Germany's BSI announced its first non-compliance investigation this week, and Dutch authorities confirmed they've opened 12 preliminary inquiries into organizations' cybersecurity risk management frameworks.

Key Takeaways for CISOs:

  1. Patch Management is Now a Legal Obligation: The 48-hour Tomcat exploitation demonstrates that delayed patching is both a security and compliance failure
  2. Supply Chain Visibility is Critical: The FirmwareHub incident shows attackers now target the trust relationships NIS2 seeks to regulate
  3. Incident Reporting is Non-Negotiable: With 24-hour initial reporting windows, organizations need automated detection and escalation workflows

Organizations still treating NIS2 as a "compliance checklist" rather than a fundamental security posture shift risk penalties up to €10 million or 2% of global turnover—whichever is higher.

The convergence of regulatory pressure and sophisticated adversaries leaves no room for complacency. Today's briefing reinforces a stark reality: cybersecurity is no longer just a technical challenge—it's an existential business risk with direct legal consequences.

Stay vigilant. Patch immediately. Report transparently.

Protect Your Organization with KENSAI

AI-powered vulnerability management with 332,487+ indexed CVEs.

Start Free Trial

Stay safe. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles