Microsoft Emergency RRAS Hotpatch, AppsFlyer SDK Supply-Chain Hijack, Chrome Two Zero-Days Patched, Chinese APT Targets SE Asian Militaries
Microsoft issues an emergency out-of-band hotpatch for a critical Windows 11 RRAS remote code execution flaw affecting enterprise hotpatch deployments. AppsFlyer's Web SDK is hijacked in a supply-chain attack injecting crypto-stealing JavaScript. Google patches two actively exploited Chrome zero-days in Chrome 146. And Palo Alto Networks reveals a Chinese state-backed APT campaign targeting Southeast Asian militaries with custom malware since 2020.
🔧 Microsoft Releases Emergency OOB Hotpatch for Windows 11 RRAS RCE Flaw
⚠️ CRITICAL — REMOTE CODE EXECUTION
Microsoft has released an out-of-band (OOB) security update specifically for Windows 11 Enterprise devices using the hotpatch update mechanism. The vulnerability affects the Routing and Remote Access Service (RRAS), enabling remote code execution. Enterprise environments relying on hotpatch deployments — designed for rebootless patching — are directly exposed.
Regulation Impact: NIS2 — Patch Management — DORA ICT Risk — CRA Vulnerability Handling
Microsoft took the unusual step of releasing an out-of-band security update on March 14 to address a critical remote code execution vulnerability in Windows 11's Routing and Remote Access Service (RRAS). The patch targets specifically Windows 11 Enterprise systems enrolled in hotpatch updates — the streamlined update mechanism that applies security fixes without requiring a reboot.
The irony is sharp: the hotpatch system designed to keep enterprises continuously protected had itself introduced a gap. Organizations that opted into hotpatching instead of receiving the standard March 2026 Patch Tuesday cumulative updates were left vulnerable to RRAS exploitation until this OOB fix.
RRAS is a critical networking component used by enterprises for VPN connectivity, NAT routing, and remote access services. A remote code execution flaw in RRAS means attackers could potentially compromise VPN gateways and remote access infrastructure — the very systems designed to secure remote connectivity.
Patch Management Under NIS2 and DORA
- NIS2 mandates timely patching. Article 21 requires essential and important entities to implement vulnerability handling and disclosure policies, including applying security updates without undue delay. An OOB patch for a critical RCE in enterprise VPN infrastructure demands immediate action.
- Hotpatch adoption creates new risk surface. Organizations adopting hotpatch for continuous protection must now factor in that hotpatch-specific vulnerabilities can create windows where they are less protected than standard update recipients.
- DORA ICT risk management applies. Financial institutions using Windows 11 Enterprise with RRAS for remote access must assess this vulnerability under DORA's ICT risk management framework. The OOB nature signals elevated severity.
- CRA implications for update mechanisms. The EU Cyber Resilience Act requires manufacturers to ensure security updates are delivered effectively. A scenario where an update mechanism itself creates a vulnerability gap raises questions about update pipeline security.
⚡ DACH Takeaway
German, Austrian, and Swiss enterprises running Windows 11 Enterprise with hotpatch enabled should apply this OOB update immediately. Organizations using RRAS for VPN or remote access — common in DACH's hybrid work environments — face direct exposure. The BSI should issue a technical advisory on hotpatch-specific risk assessment. DACH financial institutions under DORA must document this vulnerability assessment and patch timeline.
🔗 AppsFlyer Web SDK Hijacked in Crypto-Stealing Supply-Chain Attack
⚠️ SUPPLY-CHAIN ATTACK — ACTIVE EXPLOITATION
The AppsFlyer Web SDK, used by thousands of websites for mobile attribution and analytics, was temporarily compromised with malicious JavaScript code designed to steal cryptocurrency. The attack injected crypto-stealing code through the SDK's legitimate distribution channel, affecting every website loading the compromised version.
Regulation Impact: CRA Software Supply Chain — NIS2 Third-Party Risk — eIDAS Trust Services
AppsFlyer, a major mobile attribution and analytics platform used by brands worldwide, confirmed this week that its Web SDK was temporarily hijacked with malicious JavaScript code designed to steal cryptocurrency from end users. The attack represents a classic supply-chain compromise: by injecting malicious code into a trusted third-party SDK, attackers gained access to every website that loaded the affected version.
The crypto-stealing JavaScript intercepted cryptocurrency wallet interactions on compromised websites, redirecting transactions to attacker-controlled wallets. The attack was detected and the malicious code removed, but the window of exposure affected an unknown number of websites and end users.
This attack follows the same playbook as the Polyfill.io compromise in 2024 and the event-stream npm attack — targeting widely-used JavaScript libraries that are loaded directly into millions of web pages. The difference: AppsFlyer is an enterprise analytics platform, meaning the affected websites are likely major brands with significant traffic.
Supply-Chain Security Under the CRA
- CRA mandates supply-chain due diligence. The Cyber Resilience Act requires manufacturers to exercise due diligence when integrating third-party components. Websites embedding third-party SDKs must assess the security of those dependencies.
- Subresource Integrity (SRI) would have prevented this. SRI allows browsers to verify that fetched resources haven't been tampered with. Most websites loading third-party SDKs still don't implement SRI — a trivially deployable defense against exactly this class of attack.
- NIS2 third-party risk management. Essential and important entities must assess supply chain security under NIS2 Article 21(2)(d). An analytics SDK compromise demonstrates why third-party JavaScript is a critical risk vector.
- Financial impact triggers reporting. If cryptocurrency theft from the compromised SDK reaches significant levels, NIS2 and DORA incident reporting obligations may be triggered for affected entities.
⚡ DACH Takeaway
DACH e-commerce and fintech companies using AppsFlyer should immediately audit their SDK versions and check for indicators of compromise. German data protection authorities (LfDIs) may investigate if EU user financial data was compromised. Swiss FINMA-regulated entities using AppsFlyer on customer-facing sites should assess DORA-equivalent obligations. Implement Subresource Integrity for all third-party JavaScript — it's a one-line defense against supply-chain SDK hijacks.
🌐 Chrome 146 Patches Two Actively Exploited Zero-Days
⚠️ ZERO-DAY — ACTIVE EXPLOITATION IN THE WILD
Google has released Chrome 146 with patches for two zero-day vulnerabilities that were actively exploited in the wild. The flaws allow attackers to manipulate data and bypass security restrictions, potentially leading to arbitrary code execution. Both vulnerabilities were discovered being used in targeted attacks.
Regulation Impact: NIS2 Patch Management — ENISA Vulnerability Reporting — Browser Security
Google shipped an urgent Chrome 146 update patching two zero-day vulnerabilities that were being actively exploited in targeted attacks. The vulnerabilities allow attackers to manipulate browser data and bypass Chrome's security sandbox restrictions, potentially achieving remote code execution on victim machines.
Chrome zero-days are high-value targets for both nation-state actors and commercial spyware vendors. Google's Threat Analysis Group (TAG) has consistently attributed Chrome zero-day exploitation to surveillance vendors selling to governments — a practice the EU has increasingly scrutinized.
With Chrome commanding over 65% of global browser market share, these vulnerabilities represent an enormous attack surface. Every unpatched Chrome installation — on desktops, laptops, and Android devices — is a potential entry point.
Browser Zero-Days and Regulatory Response
- NIS2 demands immediate browser patching. For essential and important entities, browsers are a primary attack vector. NIS2's vulnerability handling requirements mean organizations must have processes to deploy critical browser updates within hours, not days.
- ENISA's vulnerability database role. Under the CRA, ENISA will maintain a European vulnerability database. Actively exploited browser zero-days will be priority entries, creating regulatory pressure for rapid response.
- Commercial spyware connection. If these zero-days are linked to commercial spyware (as many Chrome zero-days are), it feeds into the EU's ongoing debate about spyware regulation following the Pegasus/Predator scandals.
- Enterprise browser management is now compliance. Organizations that cannot demonstrate rapid browser update deployment may face NIS2 compliance gaps. Browser patch management must be part of the documented security posture.
⚡ DACH Takeaway
All DACH organizations — especially NIS2 essential entities — must verify Chrome 146 deployment across their environments immediately. German federal agencies should follow BSI guidance on browser hardening. Swiss financial institutions must document Chrome patch timelines for FINMA audit readiness. Enterprise Chrome management policies should target sub-24-hour deployment for actively exploited zero-days.
🐉 Chinese State-Backed APT Targets Southeast Asian Militaries with Custom Malware
Regulation Impact: NIS2 Defense Sector — EU Cyber Diplomacy — NATO Cyber Defense
Palo Alto Networks Unit 42 has uncovered a long-running Chinese state-backed cyber espionage campaign targeting Southeast Asian military organizations, tracked as CL-STA-1087. The operation, active since at least 2020, deployed two previously unknown malware families — AppleChris and MemFun — specifically designed for military intelligence collection.
Unlike bulk data exfiltration campaigns, CL-STA-1087 demonstrated "strategic operational patience" — the attackers carefully searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces. This targeting of Western military cooperation documents has direct implications for NATO and EU defense partnerships.
The campaign used carefully crafted delivery methods, advanced defense evasion techniques, stable operational infrastructure, and custom tooling — hallmarks of a well-resourced, state-directed operation rather than opportunistic cybercrime.
Implications for EU Defense and Cyber Diplomacy
- Western military cooperation documents targeted. The specific interest in collaboration with Western armed forces means intelligence collected could be used to undermine EU and NATO defense partnerships in the Indo-Pacific.
- NIS2 defense sector applicability. While NIS2 primarily targets civilian infrastructure, member states can extend its requirements to defense-adjacent entities. The CL-STA-1087 campaign demonstrates why defense supply chains need equivalent protection.
- EU Cyber Diplomacy Toolbox activation potential. A sustained, five-year cyber espionage campaign targeting military allies could trigger EU diplomatic responses under the Cyber Diplomacy Toolbox framework.
- Custom malware evades commodity defenses. AppleChris and MemFun were unknown prior to this discovery. Organizations relying solely on signature-based detection would miss these threats entirely — reinforcing the NIS2 emphasis on advanced detection capabilities.
⚡ DACH Takeaway
Germany's Bundeswehr Cyber and Information Domain Service (CIR) should assess whether similar APT activity targets German military cooperation programs in Southeast Asia. Switzerland's defense sector, though neutral, maintains partnerships that could be intelligence targets. Austrian defense cooperation with EU PESCO projects may also be in scope. DACH defense contractors should hunt for AppleChris and MemFun indicators of compromise published by Unit 42.
🏢 HPE AOS-CX Critical Vulnerability Allows Remote Admin Password Reset
Regulation Impact: NIS2 Network Security — CRA Device Security — KRITIS
A critical vulnerability in HPE Aruba AOS-CX network switches allows remote, unauthenticated attackers to reset administrator passwords, effectively taking complete control of enterprise network infrastructure. The flaw bypasses existing authentication controls entirely — no credentials required.
HPE Aruba AOS-CX powers enterprise campus networks, data centers, and branch offices worldwide. A vulnerability that allows unauthenticated admin password reset is as severe as network security flaws get: an attacker who can reach the management interface can take over the entire switching infrastructure.
Network Infrastructure Under NIS2
- Network switches are NIS2 critical assets. Enterprise switching infrastructure is foundational to every NIS2 essential entity's operations. A remotely exploitable admin takeover vulnerability requires immediate patching and compensating controls.
- CRA applies to network equipment. The Cyber Resilience Act covers products with digital elements, explicitly including network devices. HPE must provide timely security updates and vulnerability disclosure under CRA requirements.
- Management interface exposure is the key risk. If AOS-CX management interfaces are exposed to the network (or worse, the internet), this vulnerability is trivially exploitable. Network segmentation of management planes is a basic NIS2 hygiene requirement.
- KRITIS operators must act immediately. German critical infrastructure operators running HPE Aruba switches should treat this as a P1 incident requiring same-day remediation.
⚡ DACH Takeaway
DACH enterprises running HPE Aruba AOS-CX should patch immediately and audit management interface exposure. Verify that switch management planes are on isolated management VLANs not reachable from user networks. German KRITIS operators must document remediation timelines. The BSI should add this to its actively exploited vulnerability advisories.
☕ Starbucks Employee Data Breach via Phishing Attack
Regulation Impact: GDPR Employee Data — NIS2 Incident Reporting — Social Engineering
Starbucks has disclosed a data breach affecting employee personal information after phishing attacks targeted an internal employee portal. The incident affected hundreds of employees, with attackers using social engineering to compromise login credentials for the portal.
While Starbucks is a US company, the breach has implications for its European operations — Starbucks operates thousands of locations across the EU and employs tens of thousands of workers subject to GDPR protections.
Employee Data Protection Under GDPR
- GDPR Article 33 notification obligation. If EU employee data was compromised, Starbucks must notify the relevant supervisory authority within 72 hours. Employee personal data — names, addresses, tax information — is GDPR-protected regardless of the employer's headquarters location.
- Phishing remains the top initial access vector. Despite billions spent on cybersecurity, phishing continues to be the primary way attackers breach organizations. NIS2's requirement for security awareness training (Article 21(2)(g)) directly addresses this.
- Employee portals are high-value targets. HR and employee self-service portals contain sensitive personal data and are increasingly targeted. Multi-factor authentication on employee portals should be non-negotiable.
- Supply chain data exposure. Starbucks' employee data breach may also expose data about suppliers and partners integrated into employee systems.
⚡ DACH Takeaway
DACH organizations should use this breach as a prompt to audit their own employee portal security. Verify MFA enforcement on all HR and employee self-service systems. German works councils (Betriebsräte) have co-determination rights on employee data processing — a breach of employee data requires works council notification in addition to DPA reporting. Swiss employers must comply with the revised FADP's breach notification requirements.