Daily CTI Brief — Tuesday, 14 April 2026
CVSS Score: 9.8 | IOC Count: 9 | Source Count: 7 | Confidence Score: 88
UNC1069, UNC6780
Chapter 01 - Executive Overview
Over the last 24 hours, the threat landscape has been dominated by actively exploited vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and a critical Adobe Acrobat Reader zero-day that is now patched but was abused in the wild for months. Concurrently, telemetry highlights ongoing scanning for EncystPHP webshell deployments on FreePBX systems, a high‑profile Axios npm supply chain compromise impacting OpenAI’s macOS code-signing workflow, and a newly disclosed Booking.com data breach exposing reservation data.
Acrobat Reader Zero‑Day — Critical — Cross‑Platform PDF Users
Threat overview. Adobe patched CVE-2026-34621, a prototype‑pollution flaw in Acrobat and Reader for Windows and macOS that allows arbitrary code execution when a user opens a malicious PDF, with Adobe and multiple vendors confirming active in‑the‑wild exploitation since at least late 2025.
Strategic risk context. Because Reader is ubiquitous across enterprises and consumers, this zero‑day creates a broad attack surface for targeted intrusions, data theft, and potential follow‑on ransomware if endpoints remain unpatched.
Severity and business impact. Successful exploitation enables code execution in the user context and, in observed campaigns, system fingerprinting and data exfiltration via malicious JavaScript in PDFs, with CISA adding the CVE to KEV and setting an April 27 remediation deadline for U.S. federal agencies.
Confidence in intelligence. The assessment is based on Adobe’s security bulletin, NVD, multiple vendor analyses, and reporting from several independent security outlets, providing high confidence in both the vulnerability details and active exploitation.
Executive decision. Prioritize emergency patching of Acrobat/Reader across managed fleets and treat unpatched PDF endpoints as high‑risk until remediation and verification are complete.
Fortinet EMS SQLi & Legacy KEV Batch — Critical — Enterprise Endpoint Management & Core Infrastructure
Threat overview. CISA added a Fortinet FortiClientEMS SQL injection flaw (CVE-2026-21643) and multiple legacy Microsoft and Adobe vulnerabilities to KEV, confirming active exploitation and elevating these issues to mandatory patch status for U.S. federal agencies.
Strategic risk context. FortiClientEMS is a central point of control for enterprise endpoints, so unauthenticated SQL injection and RCE on EMS can cascade into broad policy manipulation, malware deployment, and lateral movement across managed devices; legacy Microsoft and Adobe KEV entries underscore attackers’ continued leverage of older but reliable bugs.
Severity and business impact. CVE-2026-21643 is scored at up to 9.8 (critical) and allows pre‑auth remote code execution over the network, while the KEV additions for Windows, Exchange, Acrobat, and VBA map to privilege escalation and remote code execution paths widely present in enterprise estates.
Confidence in intelligence. Vendor advisories, NVD, national CERT alerts, and CISA KEV listings converge on active exploitation and critical severity, providing high confidence in technical details and exploitation status.
Executive decision. Mandate accelerated patch and compensating‑control programs for all KEV‑listed products in scope, with explicit deadlines and exception governance aligned to CISA timelines.
EncystPHP Webshell Scanning — High — VoIP/Telephony Infrastructure Using FreePBX
Threat overview. SANS ISC observed active scanning from 160.119.76.250 for EncystPHP webshell deployments on vulnerable FreePBX systems, reusing URL patterns and payloads previously documented by Fortinet, including downloading and executing a webshell via a k.php script.
Strategic risk context. FreePBX often underpins SME and contact‑center telephony; successful compromise via EncystPHP introduces full server control, credential theft, and pivot opportunities into voice and back‑office networks that are frequently less monitored than core application stacks.
Severity and business impact. The payload delivered by the observed scans creates multiple local accounts with the same password hash across common usernames (root, asterisk, freepbxuser, supermaint, etc.), enabling persistent backdoor access and potential denial‑of‑service or toll fraud if left undetected.
Confidence in intelligence. The diary is based on live honeynet telemetry with concrete HTTP requests and payload snippets, corroborated by prior Fortinet research, yielding high confidence in the IOCs and attack behavior.
Executive decision. Require an immediate review of all externally reachable FreePBX instances and related VoIP infrastructure, with a directive to either harden, segment, or decommission unsupported deployments.
Axios Supply Chain Campaign & OpenAI macOS Cert Rotation — High — Software Supply Chain & Developer Ecosystems
Threat overview. Google Cloud Threat Intelligence and others attribute the Axios npm package compromise to North Korea‑nexus threat actor UNC1069, who weaponized trojanized Axios versions to deploy the WAVESHAPER.V2 backdoor across macOS, Windows, and Linux developer environments; OpenAI has since rotated macOS code‑signing certificates after a malicious Axios package executed within its GitHub Actions pipeline.
Strategic risk context. The incident illustrates how targeted social engineering of a single maintainer and short‑lived malicious releases in a ubiquitous library can cascade into high‑trust CI/CD workflows, code‑signing infrastructure, and downstream customers that transitively depend on Axios.
Severity and business impact. While OpenAI reports no evidence of certificate misuse or data compromise, attackers with access to such certificates could distribute malware that appears legitimate, and the broader Axios campaign potentially exposed thousands of environments to a DPRK‑linked backdoor.
Confidence in intelligence. Multiple elevated sources (Google GTIG, Tenable, Huntress, The Hacker News, and Axios reporting) converge on UNC1069 attribution, infection chain details, and campaign scope, supporting high confidence in attribution and TTPs.
Executive decision. Direct engineering and security leadership to inventory Axios usage (direct and transitive), validate CI/CD and signing key hygiene, and implement stronger maintainer‑account hardening and supply‑chain monitoring controls.
Booking.com Breach — Medium — Online Travel Platforms & Customer Data
Threat overview. Booking.com confirmed that unauthorized third parties accessed some customers’ reservation data, forcing PIN resets on affected reservations and triggering direct notifications to impacted users.
Strategic risk context. Exposure of reservation metadata and communications between guests and properties enables credible social engineering and payment‑fraud campaigns against travelers, hotels, and support staff, with potential spillover into loyalty‑point theft and brand damage.
Severity and business impact. Compromised data includes customer names, contact details, and reservation communications; while Booking.com has not disclosed scale or root cause, early reports already show scammers abusing booking details to solicit unauthorized payments.
Confidence in intelligence. Information comes directly from Booking.com’s statement to BleepingComputer and corroborating practitioner commentary, but key details such as intrusion vector and total affected population remain undisclosed, lowering overall confidence to medium.
Executive decision. Require risk and fraud teams to update anti‑phishing and customer‑contact playbooks for travel‑related communications and ensure contracts with similar platforms include timely breach‑notification and data‑sharing obligations.
Today’s Intelligence Quality
Today’s brief draws on vendor advisories, NVD and KEV entries, primary threat‑research blogs, practitioner telemetry (SANS), and reputable news outlets, with multiple independent sources supporting the highest‑severity items. Gaps remain around detailed victimology for the Booking.com breach and the full downstream impact of the Axios campaign, and there is still no public MITRE ATT&CK mapping for the observed activity, which slightly tempers overall confidence.
Chapter 02 - Threat & Exposure Analysis
The current threat picture is anchored by two classes of exposure: actively exploited, KEV‑listed vulnerabilities in widely deployed products, and supply‑chain and web‑shell activity that abuses trusted software and telephony platforms.
CVE-2026-34621: Acrobat/Reader Prototype Pollution Leading to Code Execution
Attack progression. Attackers deliver malicious PDF files that, when opened in vulnerable Acrobat/Reader versions, trigger a prototype‑pollution bug in Acrobat’s JavaScript engine, allowing manipulation of object prototypes and execution of attacker‑controlled scripts in the context of the reader process.
Exploitability. Exploitation requires the victim to open a crafted PDF but no additional interaction; NVD and Adobe classify the issue as critical with a CVSS 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), and Adobe has confirmed exploitation in the wild since at least November 2025.
Campaign indicators. Analysis of malicious samples shows heavily obfuscated JavaScript that fingerprints the host, exfiltrates system information, and can fetch and execute second‑stage payloads; some observed activity focused on data theft even without a full RCE chain.
Threat actor identity. Public reporting has not tied CVE-2026-34621 exploitation to a specific named actor; multiple vendors treat it as broadly available tradecraft rather than a single group’s hallmark.
Infrastructure fingerprinting. Researchers noted command‑and‑control servers receiving exfiltrated data, but specific domains and IPs are not consistently published in the sources reviewed, limiting reusable infrastructure indicators.
Sector and geographic exposure. Because Acrobat/Reader are used globally across sectors, exploitation opportunities are effectively ubiquitous; however, no source provides a sector‑ or region‑specific breakdown of victims.
CVE-2026-21643 & KEV Batch: Fortinet EMS SQLi and Legacy Vulnerabilities
Attack progression (CVE-2026-21643). In FortiClientEMS 7.4.4, an SQL injection flaw in the web interface allows unauthenticated attackers to send crafted HTTP requests to /api/v1/init_consts or similar endpoints, leading to arbitrary SQL execution and, in practice, remote code execution on the EMS server.
Exploitability. Vendor and third‑party analyses describe a network‑exposed, pre‑authentication attack path with low complexity, no user interaction, and full compromise of the EMS host, yielding a CVSS v3 score up to 9.8; CISA’s KEV entry confirms active exploitation.
Campaign indicators. Open‑source reporting notes public proof‑of‑concept exploit code and scanning for vulnerable EMS instances, but specific infrastructure indicators are not consistently documented in the material reviewed.
Legacy KEV entries. The same KEV batch includes older vulnerabilities in Acrobat Reader (CVE-2020-9715), Windows CLFS (CVE-2023-36424), Microsoft Exchange (CVE-2023-21529), Windows Host Process (CVE-2025-60710), and VBA (CVE-2012-1854), illustrating attackers’ preference for chaining reliable legacy bugs rather than exclusively chasing new CVEs.
Threat actor identity. While multiple ransomware and intrusion campaigns have historically abused similar classes of vulnerabilities, the KEV alert and secondary reporting do not tie this specific batch to named groups, so attribution remains generic “malicious cyber actors.”
Sector and geographic exposure. These products underpin a wide range of enterprise and government environments; public reporting does not narrow exposure beyond generic “federal enterprise” and enterprise deployments, so no precise sector or regional breakdown can be asserted.
EncystPHP Webshell on FreePBX: Opportunistic VoIP Targeting
Attack progression. Attackers first exploit FreePBX vulnerabilities to download and execute a script from http://45.95.147.178/k.php, which installs the EncystPHP webshell and creates a series of local accounts with a shared password hash, establishing multiple redundant backdoors.
Exploitability. SANS notes active scanning for the EncystPHP access URL /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 from 160.119.76.250, indicating that unpatched or weakly configured FreePBX systems exposed to the internet are at immediate risk.
Campaign indicators. The diary provides a clear combination of HTTP request patterns, IP addresses, and specific username/password hash pairs used for local account creation, all of which are directly usable as hunting IOCs.
Threat actor identity. No actor naming is provided; the behavior is best characterized as opportunistic exploitation of known FreePBX weaknesses by commodity attackers rather than a specific APT.
Sector and geographic exposure. FreePBX deployments are common in SME telephony, call centers, and hosted PBX environments globally, but the diary only explicitly identifies the scanning IP as being located in the Netherlands, not the victim geography.
Axios Supply Chain Attack (UNC1069) & OpenAI macOS Certificates
Attack progression. UNC1069 compromised the maintainer account of the Axios npm package through a sophisticated social‑engineering campaign involving fake collaboration setups and malicious “update” prompts during a video call, then published trojanized Axios versions (1.14.1, 0.30.4) that pulled in a malicious plain-crypto-js dependency to deploy WAVESHAPER.V2.
Exploitability. Any developer or CI system that installed the compromised Axios versions during the roughly three‑hour window on March 31 potentially executed the post‑install script and received a cross‑platform RAT capable of system enumeration, data exfiltration, and command execution.
Campaign indicators. Google GTIG and others highlight C2 infrastructure such as sfrclak[.]com resolving to 142.11.206.73, WAVESHAPER.V2 fingerprints, and specific PowerShell downloader patterns used on Windows hosts, along with YARA rules for hunting associated binaries.
Threat actor identity and aliases. GTIG attributes the attack to UNC1069, a financially motivated North Korea‑nexus cluster active since at least 2018, while Microsoft maps related activity to Sapphire Sleet (also tracked as BlueNoroff/APT38 variants), underlining strong consensus around DPRK attribution.
Sector and geographic exposure. Axios is estimated to be used in roughly 80% of cloud and code environments and receives over 100 million weekly downloads, implying global multi‑sector exposure; however, precise victim counts and sectors affected remain unclear in public reporting.
Booking.com Reservation Data Breach
Attack progression. Booking.com detected suspicious activity indicating that unauthorized parties accessed booking information tied to customer reservations and responded by forcing PIN resets and notifying affected users via email.
Exploitability. Possession of reservation metadata enables attackers to convincingly impersonate hotels or Booking.com to request last‑minute payments or collect payment‑card data, especially where users rely on email content and reservation details as proof of legitimacy.
Campaign indicators. Early community reports describe phishing attempts that reference genuine reservation numbers, dates, and property details, but no technical intrusion vector or infrastructure indicators have been publicly disclosed.
Threat actor identity. Neither Booking.com nor open reporting attributes the breach to a specific group; activity is currently characterized generically as “unauthorized third parties.”
Sector and geographic exposure. As a global online travel platform, Booking.com serves users worldwide, but neither the company nor secondary reporting provides a geographic breakdown of affected customers.
Chapter 03 - Operational Response
Defender Priority Order Today
Patch KEV‑listed vulnerabilities, led by CVE-2026-21643 and CVE-2026-34621, across all exposed systems.
Harden and monitor FreePBX and similar VoIP infrastructure against EncystPHP‑style webshell deployments.
Assess and remediate Axios npm and related supply‑chain exposure in CI/CD and developer endpoints.
Coordinate fraud‑prevention and user‑notification measures for Booking.com‑like reservation data exposure.
Acrobat Reader Zero‑Day (CVE-2026-34621): Immediate Response & Containment
Do this now (0–24 hours).
Deploy Adobe’s emergency updates for Acrobat and Reader across all supported platforms, prioritizing high‑risk user groups (executives, finance, legal, developers).
Implement temporary email and web‑gateway policies to flag or sandbox PDF attachments from untrusted senders pending patch rollout.
Task SOC to monitor for HTTP/S traffic with “Adobe Synchronizer” in the User‑Agent string as recommended by researchers, and block known malicious C2 endpoints where available.
Do this within 24–72 hours.
Validate patch coverage via endpoint management and vulnerability‑scanning tools, explicitly confirming that vulnerable Acrobat/Reader builds are no longer present.
Conduct targeted threat‑hunting on high‑value endpoints for signs of suspicious PDF execution chains and anomalous Reader‑spawned processes.
Internal coordination. Brief application owners, desktop engineering, and the CISO on KEV status, patch deadlines, and any preliminary signs of compromise, aligning expectations on potential downtime or forced restarts.
Fortinet EMS & KEV Batch: Immediate EMS Hardening and KEV Program
Do this now (0–24 hours).
Identify all FortiClientEMS instances and immediately restrict management interfaces to administrative networks or VPN‑protected access only.
Patch or upgrade FortiClientEMS deployments running vulnerable versions (especially 7.4.4) to vendor‑recommended fixed releases, and validate removal of exposed /api/v1/init_consts attack paths.
Cross‑reference the newly added KEV CVEs against vulnerability‑management inventories and flag systems running affected Windows, Exchange, and Acrobat/VBA components for emergency remediation.
Do this within 24–72 hours.
Review EMS logs for anomalous authentication‑less access patterns, SQL errors, or command‑execution attempts around known exploit windows; escalate any suspicious findings to incident response.
Update compensating controls (WAF rules, IPS signatures, EDR detections) for Fortinet EMS and KEV‑listed products where patching cannot be completed immediately.
Internal coordination. Ensure network, endpoint, and vulnerability‑management teams jointly track KEV remediation progress, with regular status updates to security leadership and business owners of affected systems.
EncystPHP/FreePBX Scanning: VoIP Environment Triage
Do this now (0–24 hours).
Enumerate all FreePBX instances and PBX‑like systems exposed to the internet and place them behind VPN or reverse proxies with strong authentication, or temporarily disable external access where possible.
Search for the specific EncystPHP access URL and associated k.php retrieval path in web‑server logs, along with traffic from or to 160.119.76.250 and 45.95.147.178.
Audit local accounts on FreePBX hosts for the listed backdoor usernames (e.g., root, hima, freepbxuser, supermaint, supports, juba) sharing the same password hash, and immediately disable or reset any suspicious entries.
Do this within 24–72 hours.
Apply all outstanding FreePBX security updates and vendor‑recommended hardening guides, including segmentation of voice infrastructure from general IT networks.
Implement continuous monitoring for anomalous dial patterns, unexpected call‑routing changes, or spikes in outbound traffic that could suggest toll fraud.
Internal coordination. Coordinate between network, voice/telecom, and SOC teams to ensure detections and firewall changes do not disrupt critical telephony services while closing exposure.
Axios Supply Chain & OpenAI macOS Certificates: Developer & CI/CD Response
Do this now (0–24 hours).
Inventory where Axios is used (directly or via transitive dependencies) across repositories and CI/CD pipelines, focusing first on JavaScript/TypeScript services with internet‑facing roles.
Confirm that no systems installed Axios versions 1.14.1 or 0.30.4 during the March 31 compromise window; if they did, treat those environments as potentially compromised and collect forensic artifacts.
For macOS code‑signing workflows, follow OpenAI’s model by reevaluating where signing keys are accessible from build systems and revoking or rotating certificates that may have been exposed in automated workflows.
Do this within 24–72 hours.
Harden maintainer and CI/CD accounts with hardware security keys, phishing‑resistant MFA, and strict device hygiene requirements; adopt least‑privilege access for publishing tokens.
Deploy supply‑chain security tooling capable of detecting anomalous dependency changes, post‑install scripts, and suspicious package metadata.
Internal coordination. Align security engineering, DevOps, and open‑source program offices on ownership of dependency risk and post‑incident monitoring responsibilities, especially for critical libraries like Axios.
Booking.com Data Breach: Fraud & Customer‑Contact Playbooks
Do this now (0–24 hours).
Notify fraud and customer‑support teams about the Booking.com breach and likely TTPs (phishing using real reservation details and requests for last‑minute payments), and update scripts to avoid processing payments initiated via email or messaging apps.
If your organization relies on Booking.com or similar platforms for travel, instruct employees to verify any payment‑related communications by logging directly into their account or calling the property via trusted contact details.
Do this within 24–72 hours.
Review vendor‑risk assessments for major travel and hospitality providers and ensure contracts include clear notification and data‑sharing obligations during security incidents.
Monitor for spikes in travel‑related phishing reports and feed observed lures into email‑security and awareness training programs.
Internal coordination. Coordinate between security, procurement, and HR/travel functions to communicate safe‑booking guidance to employees and maintain situational awareness as more details emerge.
2025-11-11. Earliest known malicious PDF samples exploiting what became CVE-2026-34621 submitted to EXPMON, indicating long‑running zero‑day abuse.
2026-02-06. Fortinet publishes CVE-2026-21643 details; third‑party research and advisories follow over subsequent weeks.
2026-03-31. UNC1069 compromises Axios maintainer account and publishes trojanized releases; malicious versions live for roughly three hours.
2026-04-08–11. Public reporting on the Marimo and Adobe Reader zero‑days intensifies as emergency patches are released; NVD and major vendors update their CVE entries.
2026-04-13. CISA adds CVE-2026-34621 and multiple other CVEs to KEV; SANS publishes EncystPHP FreePBX scanning diary; BleepingComputer reports on the OpenAI certificate rotation and Booking.com breach.
Chapter 04 - Detection Intelligence
CVE-2026-34621 — Prototype Pollution in Acrobat/Reader
Attack mechanism. CVE-2026-34621 is an Improperly Controlled Modification of Object Prototype Attributes (CWE-1321) in Acrobat Reader’s JavaScript handling, allowing malicious PDFs to alter base object prototypes and execute arbitrary code in the context of the logged‑in user.
Affected versions. Acrobat/Reader DC versions 26.001.21367 and earlier and Acrobat 2024 versions 24.001.30356 and earlier on Windows and macOS are affected, with patched builds available in 26.001.21411 and 24.001.30362/24.001.30360 respectively.
Observed behavior. Malicious samples use obfuscated JavaScript to fingerprint the host via legitimate APIs, exfiltrate local files over HTTP(S), and, in some cases, pull additional malicious code, potentially escaping Reader’s sandbox and escalating to full RCE using follow‑on exploits.
KEV status. NVD explicitly notes that CVE-2026-34621 has been added to CISA’s KEV catalog with a remediation deadline of April 27, 2026, confirming reliable exploitation evidence.
CVE-2026-21643 — FortiClientEMS SQL Injection
Attack mechanism. FortiClientEMS 7.4.4’s multi‑tenant mode exposes an API endpoint that interpolates untrusted input directly into SQL queries, enabling unauthenticated attackers to issue arbitrary SQL statements and pivot to remote code execution on the EMS server.
Affected versions and scope. Analyses concur that version 7.4.4 is uniquely impacted due to refactoring that introduced unsafe string interpolation, and Fortinet fixed the issue in 7.4.5; EMS 7.4.5–7.4.6 are affected by related but distinct issues, while 7.2.x/8.0.x branches are not impacted by this specific CVE.
Exploit characteristics. Public proof‑of‑concept code targets endpoints such as /api/v1/init_consts, leveraging error‑based SQLi to extract data and ultimately trigger command execution; the network‑exposed, pre‑auth nature of the flaw explains its KEV inclusion and high EPSS scores.
EncystPHP Webshell on FreePBX
Indicators and infrastructure. SANS documents HTTP GET requests to /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 from 160.119.76.250, followed by a wget of http://45.95.147.178/k.php and execution of the downloaded script, which deploys EncystPHP and seeds multiple local accounts with identical password hashes.
Persistence model. The scripted addition of multiple usernames (root, hima, asterisk, sugarmaint, spamfilter, asteriskuser, supports, freepbxuser, supermaint, juba) all sharing a single hashed password provides resilience against partial remediation efforts that only remove some accounts.
Axios Supply Chain: WAVESHAPER.V2 Backdoor
Malware behavior. WAVESHAPER.V2, delivered via the malicious plain-crypto-js dependency, collects host information, enumerates directories, and can execute further payloads; C2 communication uses HTTP(S) with JSON‑encoded commands, and Windows droppers often rely on PowerShell invocation patterns captured in GTIG YARA rules.
Infrastructure IOCs. Google GTIG and others identify sfrclak[.]com (resolving to 142.11.206.73) and related infrastructure on shared ASNs as C2 endpoints, with evidence of reuse across UNC1069 campaigns.
Booking.com Breach — Technical Unknowns
Knowns. Public reporting confirms unauthorized access to reservation data and subsequent PIN resets but does not disclose technical intrusion details (e.g., credential stuffing, API abuse, supply‑chain compromise, or internal access misuse).
Gaps. Without technical indicators or vectors, defenders must focus on fraud‑response and user‑education controls rather than specific infrastructure‑level mitigations at this time.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| IP Address | 160.119.76.250 | Source of EncystPHP/FreePBX scanning traffic |
| IP Address | 45.95.147.178 | Host serving k.php EncystPHP installer |
| CVE ID | CVE-2026-34621 | Acrobat/Reader prototype‑pollution zero‑day |
| CVE ID | CVE-2026-21643 | FortiClientEMS SQL injection |
| CVE ID | CVE-2020-9715 | Acrobat Reader use‑after‑free (legacy) |
| CVE ID | CVE-2023-36424 | Windows CLFS privilege‑escalation |
| CVE ID | CVE-2023-21529 | Microsoft Exchange deserialization RCE |
| CVE ID | CVE-2025-60710 | Host Process link resolution EoP |
| CVE ID | CVE-2012-1854 | VBA insecure library loading |
Infrastructure Patterns
FreePBX targets. Attackers leverage a small set of hard‑coded usernames with a shared password hash for persistence, suggesting shared tooling across campaigns and a focus on reusing known footholds rather than bespoke implants per victim.
Axios campaign. C2 infrastructure for WAVESHAPER.V2 shows overlaps with prior UNC1069 operations and uses hosting providers and VPN exit nodes previously documented in DPRK‑linked attacks, reinforcing attribution confidence.
CVE-2026-34621 — Detection Opportunities
Endpoint behavior.
Monitor for Acrobat/Reader processes spawning unusual child processes (e.g., command shells, scripting engines) shortly after opening PDFs, especially from email or web downloads.
Alert on Reader processes initiating outbound HTTP(S) connections to unfamiliar domains immediately after a document is opened.
Hunting hypothesis (this week). Search EDR/SIEM logs for sequences where Acrobat/Reader loads JavaScript‑heavy PDFs followed by network connections and file‑read operations on sensitive directories (e.g., user profiles, document repositories).
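The two endpoint rules above (Reader spawning a script host, and Reader reaching out to an unfamiliar host right after a document is opened) can be expressed as a small correlation over process and network telemetry. The following Python is an added example written for this brief, not code from Adobe, CISA or any vendor cited here; the event schema, the allowlist of Adobe destinations, the list of suspicious child processes and the 120‑second window are all assumptions to be tuned to your EDR, and the sample events are constructed, not real telemetry.

```python
from datetime import datetime, timedelta

# Process names the brief's detection guidance keys on (lower-case basenames).
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
# Script hosts and LOLBins a PDF reader has no business launching (assumed list; tune locally).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Destinations Reader legitimately contacts (assumption: replace with your own allowlist).
ALLOWED_DEST_SUFFIXES = (".adobe.com", ".adobe.io")
# "Immediately after a document is opened": egress within this window of Reader start is flagged.
OPEN_WINDOW = timedelta(seconds=120)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ts(value):
    return datetime.fromisoformat(value)


def detect_reader_anomalies(events):
    """Correlate EDR-style event dicts and return a list of alert dicts.

    reader_spawns_script_host - Acrobat/Reader is the parent of a shell or script host
    reader_unexpected_egress  - a Reader process contacts a non-allowlisted host shortly after start
    """
    reader_starts = {}  # pid -> (start time, command line including the document path)
    for e in events:
        if e["type"] == "process_create" and _basename(e["image"]) in READER_IMAGES:
            reader_starts[e["pid"]] = (_ts(e["ts"]), e.get("cmdline", ""))

    alerts = []
    for e in events:
        if e["type"] == "process_create":
            if (_basename(e.get("parent_image", "")) in READER_IMAGES
                    and _basename(e["image"]) in SUSPICIOUS_CHILDREN):
                alerts.append({"rule": "reader_spawns_script_host", "pid": e["pid"],
                               "parent_pid": e["parent_pid"], "image": e["image"], "ts": e["ts"]})
        elif e["type"] == "network_connect" and e["pid"] in reader_starts:
            started, cmdline = reader_starts[e["pid"]]
            dest = e["dest_host"].lower()
            delta = _ts(e["ts"]) - started
            if not dest.endswith(ALLOWED_DEST_SUFFIXES) and timedelta(0) <= delta <= OPEN_WINDOW:
                alerts.append({"rule": "reader_unexpected_egress", "pid": e["pid"],
                               "dest": e["dest_host"], "cmdline": cmdline, "ts": e["ts"]})
    return alerts


# Constructed sample telemetry (not real EDR output): one Reader session that beacons to an
# unknown host and spawns cmd.exe, and one benign session whose only egress is to Adobe.
SAMPLE_EVENTS = [
    {"type": "process_create", "ts": "2026-04-13T10:00:00", "pid": 4100, "parent_pid": 1200,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "cmdline": r'"Acrobat.exe" "C:\Users\alice\Downloads\invoice.pdf"'},
    {"type": "network_connect", "ts": "2026-04-13T10:00:07", "pid": 4100,
     "dest_host": "updates.adobe.com", "dest_port": 443},
    {"type": "network_connect", "ts": "2026-04-13T10:00:12", "pid": 4100,
     "dest_host": "cdn-stats.example.net", "dest_port": 443},
    {"type": "process_create", "ts": "2026-04-13T10:00:15", "pid": 4188, "parent_pid": 4100,
     "parent_image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"type": "process_create", "ts": "2026-04-13T10:30:00", "pid": 5200, "parent_pid": 1200,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "cmdline": r'"AcroRd32.exe" "C:\Users\bob\Documents\policy.pdf"'},
    {"type": "network_connect", "ts": "2026-04-13T10:30:03", "pid": 5200,
     "dest_host": "updates.adobe.com", "dest_port": 443},
]

if __name__ == "__main__":
    for alert in detect_reader_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the first session fires: one egress alert for cdn-stats.example.net (the command line carried with the alert tells the analyst which PDF was open) and one parent/child alert for cmd.exe. The benign session produces nothing because its only connection is allowlisted. The time window exists so that a Reader instance left open all day does not generate noise on every later connection; widen or drop it if your hunt is retrospective rather than real‑time.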
CVE-2026-21643 — EMS SQLi and RCE
Detection logic.
Inspect web‑server logs on FortiClientEMS hosts for anomalous requests to EMS API endpoints with SQL‑like payloads, unusual query parameters, or patterns known from public PoCs.
Alert on EMS host processes initiating network connections or command shells that deviate from normal management activity.
Hunting hypothesis (this week). Identify any EMS hosts that experienced abnormal spikes in HTTP 500/SQL error responses or sudden changes in EMS service binaries around disclosure dates.
EncystPHP Webshell — FreePBX
Immediate detection actions.
Create detection rules for the EncystPHP access URL and k.php download path in proxy, WAF, and web‑server logs.
Flag any creation or modification of the specific usernames listed in the SANS diary on PBX servers.
Hunting hypothesis (this week). Examine historical logs for connections from 160.119.76.250 and related IP ranges, correlating with unusual account creation or configuration changes on FreePBX hosts.
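The detection actions and the hunting hypothesis above, together with the account audit in the operational response, reduce to two checks on a FreePBX host: match the diary's request patterns and IPs in web‑server or proxy logs, and find local accounts that share one password hash. The following Python is an added example written for this brief, not the SANS ISC diary's or Fortinet's code; the indicators are the ones quoted in this brief, while the log lines, shadow entries and hash values are constructed samples.

```python
import re
from collections import defaultdict

# Indicators taken from the SANS ISC diary as summarised in this brief.
ENCYSTPHP_ACCESS_PATH = "/admin/modules/phones/ajax.php"
ENCYSTPHP_MD5_TOKEN = "cf710203400b8c466e6dfcafcf36a411"
INSTALLER_URL = "http://45.95.147.178/k.php"
KNOWN_BAD_IPS = {"160.119.76.250", "45.95.147.178"}
DIARY_USERNAMES = {"root", "hima", "asterisk", "sugarmaint", "spamfilter", "asteriskuser",
                   "supports", "freepbxuser", "supermaint", "juba"}

# Combined log format (Apache/nginx): client IP ... [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return (line number, reason) pairs for log lines matching EncystPHP tradecraft."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        if path.startswith(ENCYSTPHP_ACCESS_PATH) and ENCYSTPHP_MD5_TOKEN in path:
            hits.append((n, "encystphp_access_url"))                 # exact URL from the diary
        elif path.startswith(ENCYSTPHP_ACCESS_PATH) and "md5=" in path:
            hits.append((n, "encystphp_access_path_unknown_token"))  # same endpoint, other token
        if INSTALLER_URL in line or path.endswith("/k.php"):
            hits.append((n, "k_php_installer"))                      # installer script retrieval
        if ip in KNOWN_BAD_IPS:
            hits.append((n, "known_bad_ip"))
    return hits


def find_shared_hashes(shadow_lines):
    """Group /etc/shadow-style entries by hash; return {hash: [users]} for hashes used by 2+ accounts."""
    by_hash = defaultdict(list)
    for line in shadow_lines:
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if not pw or pw.startswith(("!", "*")):  # locked or password-less: not usable as a login
            continue
        by_hash[pw].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def flag_backdoor_accounts(shadow_lines):
    """Usernames that share a hash with another account AND appear on the diary's list."""
    flagged = set()
    for users in find_shared_hashes(shadow_lines).values():
        flagged.update(u for u in users if u in DIARY_USERNAMES)
    return sorted(flagged)


# Constructed sample data (not real logs): a scanner hit, a benign admin request, the installer
# being fetched through a logging proxy, and the same endpoint probed with a different token.
SAMPLE_ACCESS_LOG = [
    '160.119.76.250 - - [13/Apr/2026:09:12:01 +0000] "GET /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '10.0.0.15 - - [13/Apr/2026:09:13:44 +0000] "GET /admin/config.php HTTP/1.1" 200 9214 "-" "Mozilla/5.0"',
    '10.0.0.20 - - [13/Apr/2026:09:12:09 +0000] "GET http://45.95.147.178/k.php HTTP/1.1" 200 1432 "-" "Wget/1.21"',
    '198.51.100.7 - - [13/Apr/2026:09:15:02 +0000] "POST /admin/modules/phones/ajax.php?md5=0123456789abcdef0123456789abcdef HTTP/1.1" 200 77 "-" "python-requests/2.31"',
]
# Constructed shadow entries; the hash strings are placeholders, not real password hashes.
SAMPLE_SHADOW = [
    "root:$6$CONSTRUCTED$abcdef0123456789:20192:0:99999:7:::",
    "asterisk:$6$CONSTRUCTED$abcdef0123456789:20192:0:99999:7:::",
    "juba:$6$CONSTRUCTED$abcdef0123456789:20192:0:99999:7:::",
    "supermaint:$6$UNIQUESALT$0011223344556677:20192:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "ops:$6$OTHERSALT$fedcba9876543210:20100:0:99999:7:::",
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS_LOG))
    print(find_shared_hashes(SAMPLE_SHADOW))
    print(flag_backdoor_accounts(SAMPLE_SHADOW))
```

The exact diary URL and the two IPs are high‑confidence matches; the "unknown token" rule is a weaker hint that the same ajax.php endpoint is being probed with a different value and should be reviewed against normal FreePBX UI traffic before alerting on it. The account check deliberately keys on the shared hash rather than on the username list alone: supermaint appears on the list but is not flagged in the sample because its hash is unique, whereas root, asterisk and juba are flagged because one hash was seeded across all three.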
Axios / UNC1069 — Supply Chain Backdoor
Detection logic.
Deploy YARA or equivalent pattern‑matching for the WAVESHAPER.V2 PowerShell dropper and associated indicators published by Google GTIG.
Monitor npm install logs and dependency trees for historical retrieval of Axios versions 1.14.1 or 0.30.4 and the plain-crypto-js package.
Hunting hypothesis (this week). Identify hosts where developer tooling executed npm installs during the attack window and cross‑check for unusual outbound connections to recorded C2 domains or suspicious PowerShell execution.
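The dependency‑tree check above can be automated against committed package-lock.json files, which record exactly which versions a CI run resolved, including nested transitive copies that `npm ls` output may hide. The following Python is an added example written for this brief, not Google GTIG's, npm's or OpenAI's tooling; the Axios versions and the plain-crypto-js name come from this brief, while the lockfile contents, the plain-crypto-js version string and the postinstall command are constructed placeholders. It handles both the nested lockfileVersion 1 layout and the flat v2/v3 "packages" map, which goes beyond the single case the text describes.

```python
import json

# Values from the brief: trojanized Axios releases and the dependency they pulled in.
COMPROMISED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPENDENCY = "plain-crypto-js"
# npm lifecycle hooks that run code at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _name_from_path(path):
    """'node_modules/some-sdk/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return path.rsplit("node_modules/", 1)[-1]


def _check(name, version, where, findings):
    if name == "axios" and version in COMPROMISED_AXIOS_VERSIONS:
        findings.append({"package": name, "version": version, "path": where,
                         "reason": "trojanized_axios_release"})
    if name == MALICIOUS_DEPENDENCY:
        findings.append({"package": name, "version": version, "path": where,
                         "reason": "malicious_dependency_present"})


def _walk_v1(deps, prefix, findings):
    # lockfileVersion 1 nests transitive dependencies under each package's "dependencies".
    for name, meta in (deps or {}).items():
        where = f"{prefix}node_modules/{name}"
        _check(name, meta.get("version", ""), where, findings)
        _walk_v1(meta.get("dependencies"), where + "/", findings)


def scan_lockfile(lock):
    """Return findings for a parsed package-lock.json (v1, v2 or v3). The 'path' field is the
    install location, so nested transitive copies are reported alongside direct ones."""
    findings = []
    if "packages" in lock:  # v2/v3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project entry
                continue
            _check(_name_from_path(path), meta.get("version", ""), path, findings)
    else:  # v1: nested tree
        _walk_v1(lock.get("dependencies"), "", findings)
    return findings


def scan_lockfile_text(text):
    return scan_lockfile(json.loads(text))


def install_hooks(package_json):
    """Return the install-time script hooks declared by a package.json dict."""
    scripts = package_json.get("scripts", {})
    return [h for h in INSTALL_HOOKS if h in scripts]


# Constructed sample lockfiles (not real project files). The v3 sample has a direct trojanized
# Axios plus a clean nested copy under some-sdk; the v1 sample has the other bad release nested.
SAMPLE_LOCK_V3 = {
    "name": "sample-service", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-service", "dependencies": {"axios": "^1.14.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "^1.0.0"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},  # version is a placeholder
        "node_modules/follow-redirects": {"version": "1.15.9"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.7.9"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {"legacy-client": {"version": "2.0.0",
                                       "dependencies": {"axios": {"version": "0.30.4"}}}},
}
# Constructed package.json showing the kind of install hook the brief tells you to watch for.
SAMPLE_PACKAGE_JSON = {"name": "plain-crypto-js", "version": "1.0.0",
                       "scripts": {"postinstall": "node setup.js"}}

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK_V3) + scan_lockfile(SAMPLE_LOCK_V1):
        print(finding)
    print(install_hooks(SAMPLE_PACKAGE_JSON))
```

Point `scan_lockfile_text` at each lockfile in your repositories and CI caches; the nested copy of Axios 1.7.9 in the sample is correctly ignored while the direct 1.14.1 and the plain-crypto-js entry are reported. A lockfile only shows what was resolved at commit time, so for the attack window itself this should be paired with the npm install logs and package cache on the build hosts, as the hunting hypothesis above says.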
Booking.com Breach — Behavioral Signals
Detection focus.
Emphasize mail‑security analytics around travel‑themed phishing that references real booking details and requests for bank transfers or card data, using content and header analysis rather than infrastructure IOCs alone.
NO CONFIRMED MITRE MAPPING IN SOURCES. Public reporting reviewed for today’s incidents does not provide explicit ATT&CK technique IDs, so no techniques are listed to avoid inference.
Chapter 05 - Governance, Risk & Compliance
Acrobat/Reader zero‑day (CVE‑2026‑34621)
Organizations that process personal or sensitive data on endpoints using Acrobat/Reader face potential breach‑notification duties if exploitation leads to data theft, because the flaw enables arbitrary code execution when users open malicious PDFs. Since the vulnerability is now in CISA’s Known Exploited Vulnerabilities (KEV) catalog with a fixed remediation deadline, U.S. federal agencies and entities aligned to CISA guidance are expected to patch within that window or document formal risk acceptance, and failure to do so may be viewed as negligent in post‑incident reviews. Governance teams should ensure vulnerability‑management SLAs explicitly cover KEV‑listed issues and that endpoint hardening standards treat unpatched PDF readers as high‑risk assets.
FortiClientEMS SQL injection (CVE‑2026‑21643) and KEV batch
Compromise of FortiClientEMS exposes a central control plane for enterprise endpoints, allowing attackers to manipulate policies, push malicious configurations, and potentially disable security controls across large fleets, which raises systemic risk beyond a single server breach. CISA’s KEV inclusion of CVE‑2026‑21643 and several legacy Microsoft/Adobe vulnerabilities formalizes expectations that agencies and many critical‑infrastructure operators treat these flaws as priority remediation items, with documented patching or compensating controls by specified dates. Governance functions should confirm that KEV deadlines are integrated into risk registers and that exceptions (e.g., for legacy systems) have explicit business‑owner sign‑off and time‑bound mitigation plans.
Axios npm supply‑chain attack (UNC1069) and OpenAI certificate rotation
The Axios compromise demonstrates that a single maintainer‑account takeover in a widely used library can cascade into CI/CD pipelines and even code‑signing workflows at major AI vendors, raising software‑supply‑chain risk well beyond traditional perimeter controls. OpenAI’s proactive rotation of macOS code‑signing certificates after detecting malicious Axios execution within its GitHub Actions pipeline illustrates a governance model where signing keys and build systems are treated as critical assets requiring rapid incident‑driven key management. Boards and risk committees should expect formal policies around open‑source dependency governance, SBOM usage, and signing‑key protection, with clear accountability across engineering and security leadership.
Booking.com reservation‑data breach
Booking.com’s disclosure that unauthorized parties accessed reservation data and forced PIN resets underscores third‑party and supply‑chain risk in hospitality and travel workflows, especially where employees or customers rely heavily on platform emails as authoritative. Even without full technical details, organizations that use such platforms for business travel need vendor‑risk processes that ensure timely incident notifications, clarity on data roles (controller vs processor), and shared responsibilities for customer communication during fraud campaigns leveraging exposed booking details.
Governance priorities today
Risk and compliance leaders should focus on ensuring that KEV‑driven remediation is governed with clear deadlines and accountability, that software‑supply‑chain controls (dependency governance and signing‑key protection) are explicitly in scope of internal policies, and that third‑party breach scenarios like Booking.com are covered in vendor‑risk and fraud‑response playbooks.
Chapter 06 - Adversary Emulation
NO CONFIRMED ATT&CK MAPPING — adversary emulation chapter requires confirmed MITRE ATT&CK technique evidence. Field intentionally blank. None of today’s reviewed sources provide explicit technique IDs or authoritative ATT&CK mappings for the incidents, so no emulation scenarios are defined to avoid inference.