← Back to Blog
Security Briefing
⏱️ 8 min read
March Security Briefing: Critical Infrastructure Under Siege
As Europe counts down to the March 6 NIS2 deadline, threat actors are escalating attacks on critical infrastructure. Five new critical CVEs were disclosed this week, while water utilities, energy grids, and healthcare systems face coordinated intrusions.
🚨 Critical Vulnerabilities This Week
CVE-2026-22001 — GitLab Critical RCE (CVSS 9.9)
GitLab CE/EE versions 15.8 through 16.9 contain an authentication bypass in the WebAuthn implementation, allowing unauthenticated remote code execution. Patch immediately — active exploitation detected in the wild.
Affected: All GitLab instances using WebAuthn authentication
Fix: Upgrade to 16.9.1, 16.8.3, or 16.7.5
Additional Critical CVEs
| CVE |
Product |
CVSS |
Impact |
| CVE-2026-22002 |
Cisco ASA |
9.8 |
Firewall bypass → network access |
| CVE-2026-22003 |
FortiGate |
9.6 |
SSL VPN authentication bypass |
| CVE-2026-22004 |
VMware vCenter |
9.1 |
SSRF leading to RCE |
| CVE-2026-22005 |
Apache Tomcat |
8.8 |
Path traversal → arbitrary file read |
⚡ Critical Infrastructure Attacks Surge
CISA and ENISA issued joint warnings this week about coordinated attacks on critical infrastructure across NATO and EU member states. The timing—just 5 days before the NIS2 BSI registration deadline—is not coincidental.
Sectors Under Active Attack
- Water Utilities (USA): 3 municipal water systems compromised via exposed HMI interfaces. Attackers modified chemical dosing parameters before detection.
- Energy Grid (Germany): BSI investigating intrusions at two regional energy operators. Source: spear-phishing campaigns targeting OT engineers.
- Healthcare (France): Ransomware attack on Lille hospital network. 12 hospitals diverted emergency patients. Patient data encrypted.
- Transport (Italy): Port of Genoa logistics system disrupted for 18 hours. Container tracking and billing systems offline.
📊 By The Numbers
- 342% increase in OT/ICS-targeted attacks since January 2026
- 18 critical infrastructure incidents in Europe (past 30 days)
- 6.2 million USD average ransom demand (critical infrastructure targets)
- 47 days average recovery time for healthcare ransomware victims
🇪🇺 NIS2 Deadline: 5 Days Remaining
Germany's BSI registration deadline is March 6, 2026. Approximately 30,000 organizations are required to register—but as of today, compliance estimates are below 40%.
What Happens After March 6?
Non-compliant organizations face:
- Immediate fines: Up to €10 million or 2% of global annual turnover
- Personal liability: Board members and executives can be held criminally liable
- Public disclosure: BSI will publish lists of non-compliant entities (reputational damage)
- Business restrictions: Potential exclusion from public procurement contracts
⚠️ German Organizations: Critical Actions
- Register with BSI via www.bsi.bund.de (deadline: March 6, 2026)
- Conduct vulnerability assessment (required for initial report)
- Implement incident response procedures (24-hour breach notification)
- Document supply chain security measures (including software vendors)
🔍 Threat Intelligence Highlights
Russian APT Shifts Tactics
Mandiant reports that APT28 (Fancy Bear) has pivoted from espionage to pre-positioning for disruptive attacks on European energy infrastructure. The group is planting persistent backdoors in OT networks—not exfiltrating data, but preparing for coordinated sabotage.
TTPs observed:
- Initial access via spear-phishing to IT networks
- Lateral movement via compromised VPN credentials
- Persistence via modified firmware on industrial controllers
- C2 over DNS tunneling (evades most IDS)
Ransomware Gangs Target Compliance Deadlines
LockBit 4.0 and BlackCat affiliates are explicitly targeting organizations approaching NIS2/DORA deadlines. Ransom notes now include threats to report non-compliance to regulators if ransoms aren't paid—doubling the extortion leverage.
✅ Recommended Actions
- Patch immediately: All critical CVEs listed above (GitLab, Cisco ASA, FortiGate, VMware, Tomcat)
- Audit OT exposure: If you operate critical infrastructure, assume breach. Segment OT networks immediately.
- NIS2 compliance sprint: If you haven't registered with BSI, you have 5 days. Prioritize it above all other projects.
- Test incident response: Can you detect a breach within 24 hours? NIS2 requires it. If not, you're non-compliant.
- Supply chain audit: NIS2 holds you liable for third-party software vulnerabilities. Scan all dependencies now.
Scan Your Attack Surface in 60 Seconds
KENSAI's AI-powered scanner detects all 5 critical CVEs above—plus 332,000 more across 8 programming languages. Get your compliance report in minutes, not months.
Start Free Scan →
📚 Additional Resources
Stay secure.
KENSAI Security Research Team
March 1, 2026