CISA Warns of Exploited SolarWinds, Notepad++, Microsoft Vulnerabilities
CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog as actively exploited, spanning SolarWinds Web Help Desk, a Notepad++ update integrity weakness, and Microsoft Configuration Manager. The practical takeaway is that these are not theoretical bugs; treat them as “patch and hunt” items. If you run any of the affected products, confirm the fixed version is actually deployed (not just scheduled), review logs around the timeframes the vendors note, and look for webshells, unexpected service creation, and unusual outbound traffic. Expect copycat scanning as well, since the KEV list drives attacker prioritization.
BT26-02: Remote code execution in Remote Support and Privileged Remote Access
BeyondTrust disclosed CVE-2026-1731, a pre-authentication remote code execution flaw affecting Remote Support and older Privileged Remote Access versions. Exploitation requires no login and can lead to full system compromise, including data access and service disruption. SaaS customers were patched automatically, but self-hosted customers must apply the patch themselves, or upgrade first if they run an older major version. If your instance is internet-facing, treat this as urgent and assume it is already being scanned for.
Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA
KnowBe4 describes a phishing campaign that abuses the OAuth 2.0 device authorization grant (“device code flow”): the attacker starts the flow, lures the user into entering the attacker-supplied code at the genuine Microsoft login page, and once the user completes MFA as usual, the access and refresh tokens are returned to the attacker’s pending request rather than to anything the user controls. No password is stolen and no fake login page is involved, so the usual credential-phishing signals are absent. The defensive angle is to restrict device code flow (for example with Conditional Access), audit recently consented OAuth apps, and monitor for unusual token use and new app authorizations. This is a good story to share internally because it explains how “MFA was on” and the account still got popped.
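One way to start the hunt the paragraph recommends, as an added example (it is not code from KnowBe4 or Microsoft): flag device code sign-ins in an Entra ID sign-in log export and rate each one by whether its source address is ever seen in that user's ordinary sign-ins. It assumes the log was pulled from Microsoft Graph (`GET /auditLogs/signIns`) and that each record carries the documented `signIn` fields used below; the records in `SAMPLE_SIGNINS` are constructed. Treating an unfamiliar `ipAddress` on a device code sign-in as the high-severity case is an assumption about what that field reflects for this flow, so confirm it against a known-good device code login in your own tenant before relying on it.

```python
"""Hunt for OAuth device code flow sign-ins in an Entra ID sign-in log export.

Added example, not vendor code. Assumes a JSON list of Microsoft Graph signIn
records with the fields userPrincipalName, appDisplayName, ipAddress,
createdDateTime, authenticationProtocol and conditionalAccessStatus.
"""
from collections import defaultdict
import json

# Constructed sample export: alice has two normal sign-ins from her usual IP and
# one device code sign-in from an address never seen for her; bob uses device
# code from his usual IP (typical of a CLI login); carol has no device code use.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2025-03-04T08:01:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
  "authenticationProtocol": "authorizationCode", "conditionalAccessStatus": "success"},
 {"createdDateTime": "2025-03-04T08:45:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Outlook", "ipAddress": "203.0.113.10",
  "authenticationProtocol": "authorizationCode", "conditionalAccessStatus": "success"},
 {"createdDateTime": "2025-03-04T09:12:30Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success"},
 {"createdDateTime": "2025-03-04T10:00:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.22",
  "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success"},
 {"createdDateTime": "2025-03-04T10:05:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.22",
  "authenticationProtocol": "authorizationCode", "conditionalAccessStatus": "success"},
 {"createdDateTime": "2025-03-04T11:30:00Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "Outlook", "ipAddress": "203.0.113.30",
  "authenticationProtocol": "authorizationCode", "conditionalAccessStatus": "success"}
]""")


def device_code_findings(records):
    """Return one finding per device code sign-in, highest severity first.

    Severity is 'high' when the record's ipAddress never appears in the same
    user's non-device-code sign-ins in the export (assumption: in the phishing
    flow the token request originates from the attacker's side, not from the
    user's usual network), otherwise 'medium' (likely a legitimate CLI/device
    login that still deserves a quick confirmation with the user).
    """
    known_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        unseen_ip = r["ipAddress"] not in known_ips[user]
        findings.append({
            "user": user,
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "time": r["createdDateTime"],
            "ca_status": r.get("conditionalAccessStatus"),
            "severity": "high" if unseen_ip else "medium",
            "note": ("device code token issued to an IP never seen for this user; "
                     "revoke sessions and review consented apps"
                     if unseen_ip else
                     "device code use from a known IP; confirm it was a deliberate CLI/device login"),
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["time"]))
    return findings


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} via {f['app']} from {f['ip']}: {f['note']}")
```

Run it over a real export and every `deviceCode` row is worth a look even at medium: if a team has no legitimate reason to use device code logins at all, the better control is to block the flow outright with the Conditional Access authentication-flows condition and treat any remaining occurrence as an incident.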
Senegal confirms breach of national ID card department after ransomware claims
Senegal reported a cyber incident impacting the government office responsible for national IDs, passports, and other biometric-related systems. A ransomware group claimed theft of a large data set and shared samples, while officials said they were restoring systems and asserted data integrity remains intact. The reporting highlights the real-world impact when identity infrastructure is disrupted, even before full details are confirmed. It is also a reminder that public-sector identity services are now mainstream ransomware targets, not edge cases.
Malicious 7-Zip site distributes installer laced with proxy tool
Attackers set up a fake 7-Zip website and served a trojanized installer that still installs a working 7-Zip but also drops malware that turns the host into a residential proxy node. That proxy capacity can then be rented to other actors to mask phishing, credential stuffing, and other abuse behind a victim’s IP. This is a clean example of why software downloads should come only from the official domain and be verified before deployment, and why IT should block lookalike domains and monitor for unexpected proxy services. If you have endpoint telemetry, look for new services, and for odd inbound or outbound proxy behavior, in the window following new software installs.
European Commission hit by cyberattackers targeting mobile management platform
The European Commission said its mobile device management (MDM) environment was attacked, potentially exposing some staff names and phone numbers, with no confirmed compromise of any device. The incident was detected by CERT-EU and reportedly contained quickly, but it underscores why MDM backends are high-value targets: they hold administrative control over every enrolled device. The reporting also connects the incident to the ongoing scrutiny of Ivanti EPMM vulnerabilities and to the “assume compromise” posture some national authorities have advised in similar cases. Expect follow-on phishing and social engineering attempts that use the harvested staff details.