Originally reported by Security Affairs
TL;DR
Threat actors are actively exploiting critical vulnerabilities across multiple enterprise platforms this week. A Fortinet FortiClient EMS SQL injection flaw enables remote code execution, while Russian APT TA446 deploys iOS exploit kits against iPhone users.
Multiple critical vulnerabilities are being actively exploited, including a CVSS 9.1 Fortinet RCE flaw and a CVSS 9.3 NetScaler memory leak, both with confirmed threat actor activity.
Threat actors are actively exploiting a critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) platform. The flaw, tracked as CVE-2026-21643 with a CVSS score of 9.1, enables remote code execution through SQL injection attacks.
Defused researchers first identified the active exploitation, warning that attackers have weaponized the vulnerability to compromise enterprise networks through the FortiClient EMS management interface. The SQL injection vector allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems.
Organizations running FortiClient EMS should immediately apply available patches and review network logs for signs of compromise. The vulnerability's high CVSS score reflects both its ease of exploitation and potential for complete system compromise.
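To make the class of flaw concrete, here is an added illustration (written for this page; it is not FortiClient EMS code and does not describe that product's internals or the real exploit). It contrasts a string-built query with a parameter-bound one against a constructed in-memory table, and includes a crude screen for request logs of the kind a team might run when reviewing for injection attempts. The table schema, log format, field names and the `INJECTION_RE` heuristic are all assumptions for the demo.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample inventory; stands in for any management-server table,
# not for FortiClient EMS's real schema.
SAMPLE_ROWS = [("laptop-01", "alice"), ("laptop-02", "bob"), ("srv-db", "dba")]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE endpoints (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO endpoints (hostname, owner) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def find_by_owner_vulnerable(conn, owner):
    """Defective pattern: untrusted input is spliced into the SQL text,
    so a quote in the input changes the query's logic."""
    sql = f"SELECT hostname FROM endpoints WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_owner_safe(conn, owner):
    """Hardened pattern: parameter binding keeps the input a value, never syntax."""
    sql = "SELECT hostname FROM endpoints WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Assumed heuristic for log review: a quote immediately followed by a SQL
# operator or comment token. Crude, but cheap to run over access logs.
INJECTION_RE = re.compile(r"""['"]\s*(or|and|union|;|--)""", re.IGNORECASE)


def suspicious_requests(log_lines):
    """Return the client addresses whose decoded query string matches the
    heuristic. Log line format is constructed: '<ip> GET <path?query>'."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        query = urllib.parse.urlsplit(parts[2]).query
        decoded = urllib.parse.unquote_plus(query)  # undo %27 / + encoding
        if INJECTION_RE.search(decoded):
            hits.append(parts[0])
    return hits


# Constructed access-log sample; the second line carries a URL-encoded quote.
SAMPLE_LOG = [
    "10.0.0.5 GET /api/endpoints?owner=alice",
    "203.0.113.9 GET /api/endpoints?owner=%27+OR+%271%27%3D%271",
    "10.0.0.7 GET /api/endpoints?owner=bob",
]


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("vulnerable:", find_by_owner_vulnerable(db, probe))  # every row leaks
    print("safe:      ", find_by_owner_safe(db, probe))        # no owner has that name
    print("review:    ", suspicious_requests(SAMPLE_LOG))      # flagged client IPs
```

The safe variant returns nothing for the quote-bearing input because the database driver binds it as a literal string; the same input against the concatenated query collapses the `WHERE` clause to always-true and returns the whole table. The log screen is deliberately simple and will miss encoded or obfuscated variants; treat it as a starting filter for human review, not as a detection control.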
Russian-linked APT group TA446 (also tracked as SEABORGIUM, ColdRiver, Callisto, and Star Blizzard) has expanded its mobile targeting capabilities with the DarkSword exploit kit. Security researchers report the group is conducting targeted spear-phishing campaigns specifically designed to compromise iOS devices.
The attacks leverage malicious emails containing exploit payloads that target iPhone users. TA446's adoption of mobile-specific exploit frameworks signals a strategic shift toward compromising devices that organizations often consider more secure than traditional endpoints.
This campaign represents a concerning evolution in nation-state mobile targeting, as iOS exploits are typically more complex and expensive to develop. The group's investment in iPhone compromise capabilities suggests high-value targets are the primary objective.
Citrix NetScaler ADC and Gateway devices face active reconnaissance from threat actors probing a critical memory disclosure vulnerability. The flaw, designated CVE-2026-3055 with a CVSS score of 9.3, allows attackers to extract sensitive data through memory overread conditions.
Citrix released security updates addressing this vulnerability alongside another NetScaler flaw this week. However, security researchers report that scanning activity targeting the memory leak bug began shortly after the advisory's publication, indicating rapid weaponization.
The vulnerability's potential for sensitive data exposure makes it particularly attractive to both cybercriminal and nation-state actors. Organizations should prioritize patching NetScaler systems and monitor for unusual memory access patterns or data exfiltration attempts.