Microsoft issues an emergency out-of-band hotpatch for a critical Windows 11 RRAS remote code execution flaw affecting enterprise hotpatch deployments. AppsFlyer's Web SDK is hijacked in a supply-chain attack injecting crypto-stealing JavaScript. Google patches two actively exploited Chrome zero-days in Chrome 146. And Palo Alto Networks reveals a Chinese state-backed APT campaign targeting Southeast Asian militaries with custom malware since 2020.
Microsoft has released an out-of-band (OOB) security update specifically for Windows 11 Enterprise devices using the hotpatch update mechanism. The vulnerability affects the Routing and Remote Access Service (RRAS), enabling remote code execution. Enterprise environments relying on hotpatch deployments β designed for rebootless patching β are directly exposed.
Regulation Impact: NIS2 β Patch Management β DORA ICT Risk β CRA Vulnerability Handling
Microsoft took the unusual step of releasing an out-of-band security update on March 14 to address a critical remote code execution vulnerability in Windows 11's Routing and Remote Access Service (RRAS). The patch targets specifically Windows 11 Enterprise systems enrolled in hotpatch updates β the streamlined update mechanism that applies security fixes without requiring a reboot.
The irony is sharp: the hotpatch system designed to keep enterprises continuously protected had itself introduced a gap. Organizations that opted into hotpatching instead of receiving the standard March 2026 Patch Tuesday cumulative updates were left vulnerable to RRAS exploitation until this OOB fix.
RRAS is a critical networking component used by enterprises for VPN connectivity, NAT routing, and remote access services. A remote code execution flaw in RRAS means attackers could potentially compromise VPN gateways and remote access infrastructure β the very systems designed to secure remote connectivity.
German, Austrian, and Swiss enterprises running Windows 11 Enterprise with hotpatch enabled should apply this OOB update immediately. Organizations using RRAS for VPN or remote access β common in DACH's hybrid work environments β face direct exposure. The BSI should issue a technical advisory on hotpatch-specific risk assessment. DACH financial institutions under DORA must document this vulnerability assessment and patch timeline.
The AppsFlyer Web SDK, used by thousands of websites for mobile attribution and analytics, was temporarily compromised with malicious JavaScript code designed to steal cryptocurrency. The attack injected crypto-stealing code through the SDK's legitimate distribution channel, affecting every website loading the compromised version.
Regulation Impact: CRA Software Supply Chain β NIS2 Third-Party Risk β eIDAS Trust Services
AppsFlyer, a major mobile attribution and analytics platform used by brands worldwide, confirmed this week that its Web SDK was temporarily hijacked with malicious JavaScript code designed to steal cryptocurrency from end users. The attack represents a classic supply-chain compromise: by injecting malicious code into a trusted third-party SDK, attackers gained access to every website that loaded the affected version.
The crypto-stealing JavaScript intercepted cryptocurrency wallet interactions on compromised websites, redirecting transactions to attacker-controlled wallets. The attack was detected and the malicious code removed, but the window of exposure affected an unknown number of websites and end users.
This attack follows the same playbook as the Polyfill.io compromise in 2024 and the event-stream npm attack β targeting widely-used JavaScript libraries that are loaded directly into millions of web pages. The difference: AppsFlyer is an enterprise analytics platform, meaning the affected websites are likely major brands with significant traffic.
DACH e-commerce and fintech companies using AppsFlyer should immediately audit their SDK versions and check for indicators of compromise. German data protection authorities (LfDIs) may investigate if EU user financial data was compromised. Swiss FINMA-regulated entities using AppsFlyer on customer-facing sites should assess DORA-equivalent obligations. Implement Subresource Integrity for all third-party JavaScript β it's a one-line defense against supply-chain SDK hijacks.
Google has released Chrome 146 with patches for two zero-day vulnerabilities that were actively exploited in the wild. The flaws allow attackers to manipulate data and bypass security restrictions, potentially leading to arbitrary code execution. Both vulnerabilities were discovered being used in targeted attacks.
Regulation Impact: NIS2 Patch Management β ENISA Vulnerability Reporting β Browser Security
Google shipped an urgent Chrome 146 update patching two zero-day vulnerabilities that were being actively exploited in targeted attacks. The vulnerabilities allow attackers to manipulate browser data and bypass Chrome's security sandbox restrictions, potentially achieving remote code execution on victim machines.
Chrome zero-days are high-value targets for both nation-state actors and commercial spyware vendors. Google's Threat Analysis Group (TAG) has consistently attributed Chrome zero-day exploitation to surveillance vendors selling to governments β a practice the EU has increasingly scrutinized.
With Chrome commanding over 65% of global browser market share, these vulnerabilities represent an enormous attack surface. Every unpatched Chrome installation β on desktops, laptops, and Android devices β is a potential entry point.
All DACH organizations β especially NIS2 essential entities β must verify Chrome 146 deployment across their environments immediately. German federal agencies should follow BSI guidance on browser hardening. Swiss financial institutions must document Chrome patch timelines for FINMA audit readiness. Enterprise Chrome management policies should target sub-24-hour deployment for actively exploited zero-days.
Regulation Impact: NIS2 Defense Sector β EU Cyber Diplomacy β NATO Cyber Defense
Palo Alto Networks Unit 42 has uncovered a long-running Chinese state-backed cyber espionage campaign targeting Southeast Asian military organizations, tracked as CL-STA-1087. The operation, active since at least 2020, deployed two previously unknown malware families β AppleChris and MemFun β specifically designed for military intelligence collection.
Unlike bulk data exfiltration campaigns, CL-STA-1087 demonstrated "strategic operational patience" β the attackers carefully searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces. This targeting of Western military cooperation documents has direct implications for NATO and EU defense partnerships.
The campaign used carefully crafted delivery methods, advanced defense evasion techniques, stable operational infrastructure, and custom tooling β hallmarks of a well-resourced, state-directed operation rather than opportunistic cybercrime.
Germany's Bundeswehr Cyber and Information Domain Service (CIR) should assess whether similar APT activity targets German military cooperation programs in Southeast Asia. Switzerland's defense sector, though neutral, maintains partnerships that could be intelligence targets. Austrian defense cooperation with EU PESCO projects may also be in scope. DACH defense contractors should hunt for AppleChris and MemFun indicators of compromise published by Unit 42.
Regulation Impact: NIS2 Network Security β CRA Device Security β KRITIS
A critical vulnerability in HPE Aruba AOS-CX network switches allows remote, unauthenticated attackers to reset administrator passwords, effectively taking complete control of enterprise network infrastructure. The flaw bypasses existing authentication controls entirely β no credentials required.
HPE Aruba AOS-CX powers enterprise campus networks, data centers, and branch offices worldwide. A vulnerability that allows unauthenticated admin password reset is as severe as network security flaws get: an attacker who can reach the management interface can take over the entire switching infrastructure.
DACH enterprises running HPE Aruba AOS-CX should patch immediately and audit management interface exposure. Verify that switch management planes are on isolated management VLANs not reachable from user networks. German KRITIS operators must document remediation timelines. The BSI should add this to its actively exploited vulnerability advisories.
Regulation Impact: GDPR Employee Data β NIS2 Incident Reporting β Social Engineering
Starbucks has disclosed a data breach affecting employee personal information after phishing attacks targeted an internal employee portal. The incident affected hundreds of employees, with attackers using social engineering to compromise login credentials for the portal.
While Starbucks is a US company, the breach has implications for its European operations β Starbucks operates thousands of locations across the EU and employs tens of thousands of workers subject to GDPR protections.
DACH organizations should use this breach as a prompt to audit their own employee portal security. Verify MFA enforcement on all HR and employee self-service systems. German works councils (BetriebsrΓ€te) have co-determination rights on employee data processing β a breach of employee data requires works council notification in addition to DPA reporting. Swiss employers must comply with the revised FADP's breach notification requirements.
From SDK hijacks to network switch takeovers, today's threats target your dependencies. KENSAI scans your entire attack surface β including third-party components β before attackers find the gaps.
Start Free Security Scan βThe KENSAI Intelligence Desk publishes daily security briefings covering NIS2, DORA, GDPR, EU AI Act, and CRA developments across the threat landscape. Compliance is not optional β it is infrastructure.
π‘οΈ Is your website secure?
Discover vulnerabilities before attackers do.
Scan your website for free β