Critical CVE-2026-2329 Vulnerability in Grandstream GXP1600 VoIP Phones Enables Remote Code Execution and Call Interception
Executive Summary: A critical vulnerability, CVE-2026-2329, has been identified in the Grandstream GXP1600 series of VoIP phones, exposing organizations to severe risks including remote code execution, credential theft, and real-time call interception. This stack-based buffer overflow flaw, rated CVSS 9.3, allows unauthenticated attackers to gain root-level access to affected devices over the network. The vulnerability is trivial to exploit, with public Metasploit modules an
Feb 22 · 4 min read


AI-Powered Cyberattack Compromises 600+ FortiGate Devices Across 55 Countries: Detailed Threat Analysis and Mitigation Strategies
Executive Summary: A sophisticated, AI-assisted threat campaign has compromised over 600 FortiGate devices in 55 countries, marking a significant escalation in the use of artificial intelligence by cybercriminals. The campaign, first identified by Amazon Threat Intelligence, did not exploit any inherent vulnerabilities in FortiGate software. Instead, the attackers leveraged exposed management interfaces and weak, single-factor credentials, automating reconnaissance and expl
Feb 22 · 4 min read


Cline CLI 2.3.0 Supply Chain Attack: OpenClaw Unauthorized Installation on Developer and CI/CD Systems
Executive Summary: On February 17, 2026, a supply chain attack targeted the Cline CLI open-source package, resulting in the unauthorized installation of OpenClaw, an autonomous AI agent, on developer and CI/CD systems. The attack was executed by publishing a malicious version (cline@2.3.0) to the npm registry using a compromised publish token. This version included a post-install script that silently installed OpenClaw globally on affected machines. The incident window las
Feb 22 · 6 min read


Advantest Corporation Ransomware Attack: 2026 Cyber Incident Impacting Internal IT Systems and Supply Chain Security
Executive Summary: On February 15, 2026, Advantest Corporation, a leading Japanese supplier of semiconductor test equipment, detected unusual activity within its IT environment. The company immediately activated its incident response protocols, isolated affected systems, and engaged third-party cybersecurity experts. On February 19, 2026, Advantest publicly disclosed that it was responding to a ransomware attack that may have impacted certain systems within its network. As o
Feb 22 · 4 min read


ClickFix Campaign Exploits Compromised Websites to Deliver MIMICRAT Remote Access Trojan Targeting Windows Systems
Executive Summary: The ClickFix campaign represents a significant escalation in the abuse of compromised legitimate websites to deliver advanced malware, culminating in the deployment of the custom MIMICRAT Remote Access Trojan. First identified by Elastic Security Labs and corroborated by multiple open-source intelligence channels, this campaign leverages a multi-stage infection chain, sophisticated defense evasion, and post-exploitation techniques that enable persistent a
Feb 22 · 5 min read


AI-Assisted Attack Compromises 600 Fortinet FortiGate Firewalls Worldwide in Five-Week Campaign
Executive Summary: Between January 11 and February 18, 2026, a Russian-speaking, financially motivated threat actor leveraged multiple commercial generative AI services to compromise over 600 Fortinet FortiGate firewalls across more than 55 countries. The campaign did not exploit any known FortiGate vulnerabilities; instead, it targeted exposed management interfaces and weak credentials lacking multi-factor authentication. The attacker used AI-assisted tools to automate scan
Feb 22 · 5 min read


Washington Hotel Japan Ransomware Attack: Impact, Response, and Cybersecurity Lessons for the Hospitality Sector
Executive Summary: On February 13, 2026, at 22:00 local time, the Washington Hotel chain in Japan experienced a ransomware attack that resulted in the compromise of various business data and temporary disruption of operations across multiple properties. The incident was publicly disclosed between February 16 and 17, 2026. Immediate containment actions included disconnecting affected servers from the internet and engaging both law enforcement and external cybersecurity experts
Feb 17 · 6 min read


Canada Goose Data Breach: ShinyHunters Leak Exposes 600,000 Customer Records via Third-Party Payment Processor
Executive Summary: In February 2026, the data extortion group ShinyHunters published a dataset containing over 600,000 customer records associated with the luxury outerwear brand Canada Goose. The dataset, totaling 1.67 GB in JSON format, includes customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, order histories, partial payment card data (including card brand, last four digits, and in some cases the first six digits/BIN), payment
Feb 17 · 6 min read


Google Chrome Zero-Day Vulnerability CVE-2026-2441 Actively Exploited: Patch Now to Mitigate Risk
Executive Summary: A critical zero-day vulnerability, CVE-2026-2441, has been identified in the Google Chrome web browser, specifically within its CSS engine. This vulnerability is currently being actively exploited in the wild, allowing remote attackers to execute arbitrary code within the browser sandbox by enticing users to visit malicious or compromised websites. Google has responded by releasing emergency security patches for all major platforms, including Windows, mac
Feb 17 · 4 min read


Microsoft Warns of ClickFix Attack: Sophisticated DNS Lookup Abuse Targets Windows Systems
Executive Summary: Microsoft has issued a critical advisory regarding a sophisticated social engineering campaign known as the ClickFix attack, which leverages DNS lookups as a covert channel to deliver and execute malware. This attack is notable for its abuse of legitimate Windows utilities, particularly nslookup, to bypass traditional security controls and deliver multi-stage payloads. The campaign is highly effective due to its reliance on user interaction, typically tri
Feb 17 · 4 min read


Louis Vuitton, Dior, and Tiffany Fined $25 Million in South Korea Over SaaS Customer Management System Data Breaches
Executive Summary: South Korea's Personal Information Protection Commission (PIPC) has imposed a combined fine of approximately KRW 36 billion (US$25 million) on the Korean subsidiaries of Louis Vuitton, Christian Dior Couture, and Tiffany following significant data breaches that exposed the personal information of over 5.5 million customers. The breaches, which occurred between June and September 2025, were facilitated by inadequate security controls in the companies' clou
Feb 17 · 6 min read


Critical Pre-Auth RCE Vulnerability (CVE-2024-12356) in BeyondTrust Remote Support and PRA Actively Exploited – Patch Now
Executive Summary: A critical pre-authentication remote code execution (RCE) vulnerability, CVE-2024-12356, has been identified and patched in BeyondTrust's flagship products: Privileged Remote Access (PRA) and Remote Support (RS). This vulnerability enables unauthenticated attackers to execute arbitrary operating system commands as the site user, potentially resulting in full system compromise, data exfiltration, and lateral movement with
Feb 11 · 5 min read


SolarWinds Web Help Desk RCE Vulnerabilities: Multi-Stage Attacks Exploiting CVE-2024-23476 on Exposed Servers
Executive Summary: The exploitation of SolarWinds Web Help Desk (WHD) for unauthenticated remote code execution (RCE) in multi-stage attacks represents a critical threat to organizations with internet-exposed WHD servers. Multiple vulnerabilities, including CVE-2024-23476, CVE-2024-23477, and related deserialization and authentication bypass flaws, have been weaponized by threat actors to gain initial access, establish persistence, and escalate privileges within enterprise
Feb 10 · 4 min read


FortiClientEMS CVE-2026-21643: Critical Unauthenticated SQL Injection Vulnerability Allows Remote Code Execution
Executive Summary: Fortinet has recently addressed a critical security vulnerability, identified as CVE-2026-21643, in its FortiClientEMS product. This flaw, classified as a SQL injection vulnerability, enables unauthenticated remote attackers to execute arbitrary code or system commands on affected systems by sending specially crafted HTTP requests. With a CVSS v3.1 base score of 9.1, this vulnerability is considered critical and poses a significant risk to organizations r
Feb 10 · 4 min read


Ivanti EPMM Zero-Day Exploits: Dutch Authorities Confirm Employee Contact Data Breach in European Government Cyberattacks
Executive Summary: In late January 2026, Dutch authorities, including the Dutch Data Protection Authority and the Council for the Judiciary, confirmed that a sophisticated cyberattack leveraging a zero-day exploit in Ivanti Endpoint Manager Mobile (EPMM) resulted in unauthorized access to employee contact data. This incident is part of a broader campaign targeting European governmental and critical infrastructure entities, with the European Commission and Finnish governmen
Feb 10 · 4 min read


Warlock Ransomware Breaches SmarterTools via SmarterMail Vulnerabilities (CVE-2026-23760, CVE-2026-24423)
Executive Summary: On January 29, 2026, the Warlock ransomware group, also known as Gold Salem and Storm-2603, successfully breached the network of SmarterTools by exploiting unpatched authentication bypass vulnerabilities in SmarterMail (CVE-2026-23760 and CVE-2026-24423). The attackers gained initial access through a single, unpatched SmarterMail virtual machine, moved laterally within the Windows-centric infrastructure using Active Directory, and attempted to deploy r
Feb 10 · 5 min read


Microsoft Exchange Online Incident Report: Legitimate Emails Incorrectly Flagged as Phishing and Quarantined
Executive Summary (Publication Date: July 5, 2024): This report details the service disruption experienced by Microsoft Exchange Online beginning on June 20, 2024, where legitimate emails were incorrectly flagged as phishing and subsequently quarantined. The incident, which persisted for at least two weeks, was caused by a change in Exchange Online's phishing detection system that misidentified certain domain creation dates, resulting in widespread false positives. Microsoft
Feb 9 · 5 min read


Bloody Wolf Spear-Phishing Campaign Targets Uzbekistan and Russia Using NetSupport Manager for Malicious Remote Access
Executive Summary: The threat actor known as Bloody Wolf has recently intensified a spear-phishing campaign targeting organizations in Uzbekistan and Russia, leveraging the legitimate remote administration tool NetSupport RAT for malicious purposes. This campaign, active since at least 2023, demonstrates a sophisticated attack chain involving custom Java-based loaders, multi-layered persistence mechanisms, and infrastructure overlap with IoT malware such as the Mirai botnet
Feb 9 · 4 min read


TeamPCP Worm Targets Docker, Kubernetes, Ray, and Redis via React2Shell CVE-2025-55182 to Build Criminal Cloud Infrastructure
Executive Summary: The emergence of the TeamPCP worm marks a significant escalation in the threat landscape targeting cloud-native infrastructure. Since late 2025, this highly automated, worm-driven campaign has systematically exploited misconfigured and vulnerable cloud services, including Docker, Kubernetes, Ray, and Redis, as well as critical vulnerabilities in React and Next.js applications, most notably the React2Shell vulnerability (CVE-2025-55182, CVSS 10.0).
Feb 9 · 4 min read


European Commission Investigates Ivanti EPMM Zero-Day Cyberattack Exposing Staff Data
Executive Summary: On January 30, 2026, the European Commission detected traces of a cyberattack targeting its central infrastructure responsible for managing staff mobile devices. The incident was contained and the affected system was cleaned within nine hours, with no evidence found of compromise to the mobile devices themselves. However, unauthorized access to staff names and mobile numbers of some Commission employees may have occurred. The attack is strongly linked to ex
Feb 9 · 6 min read