A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.
The Citrix NetScaler flaw we reported under active recon two days ago has escalated fast. Attackers are now sending crafted SAMLRequest payloads that trigger memory leaks exposing sensitive data through session cookies. CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog on March 30 with an unusually tight April 2 remediation deadline - just three days for federal agencies.
Researchers at Censys discovered a previously undocumented Russian-origin toolkit called CTRL, distributed through Windows shortcut files disguised as private key folders. Once a victim double-clicks the LNK file, a multi-stage chain deploys credential harvesting through a fake Windows Hello PIN prompt, a keylogger, RDP session hijacking, and reverse proxy tunneling. All stolen data exits through the RDP tunnel, leaving minimal forensic traces compared to traditional command-and-control patterns.
Blackpoint discovered a new Node.js-based implant called RoadK1ll during an incident response engagement. It's not a traditional RAT - it carries no large command set. Instead, it does one thing well: turn a compromised machine into a controllable relay point that lets attackers pivot to internal systems that would normally be unreachable from outside. It communicates over WebSocket, blends into normal web traffic, supports multiple concurrent connections, and auto-reconnects if disrupted.
Apple shipped an undocumented security feature in macOS Tahoe 26.4 that directly targets ClickFix attacks - the social engineering technique behind the Infinity Stealer campaign we covered last week. When a user tries to paste a potentially harmful command into Terminal, macOS now intercepts it with a warning before anything executes. The feature only covers Apple's built-in Terminal app, not third-party alternatives like iTerm2. A 'Paste Anyway' option remains for power users.
A flaw in Smart Slider 3 - one of WordPress's most popular slider plugins with over 800,000 active installations - lets anyone with a basic subscriber account download arbitrary files from the server. That includes wp-config.php, which contains database credentials, encryption keys, and salt data. An attacker only needs the lowest level of authenticated access to trigger the vulnerable export function and package sensitive files into a downloadable ZIP.
Remember that F5 BIG-IP APM bug from last year everyone treated as a denial-of-service issue? Turns out it's pre-auth remote code execution - CVSS 9.3. F5 quietly reclassified it after new findings in March 2026 and confirmed exploitation in the wild. CISA added it to the KEV catalog with a March 30 patch deadline. That's tomorrow.
Attackers are scanning internet-facing Citrix NetScaler ADC and Gateway appliances right now, probing the /cgi/GetAuthMethods endpoint to find which ones are configured as SAML identity providers - the exact setup needed to trigger this CVSS 9.3 memory-leak flaw. Not full exploitation yet, but researchers at watchTowr warn the jump from recon to attack could happen any day.
A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - a technique called ClickFix. Victims paste a command into Terminal thinking they're verifying their identity, but it silently installs malware. The payload is compiled with Nuitka - turning Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.
The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.
TrustStrike Labs