Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations was itself a Quest KACE customer; their exposure came entirely from being clients of the MSP that ran the appliance unpatched.
Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now targeting governments and managed service providers exploiting CVE-2026-41940. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2021 Kaseya VSA campaign.
La Repubblica reported a significant breach at Sistemi Informativi, a wholly-owned IBM Italy subsidiary that manages IT infrastructure for Italian public agencies and key industries. Multiple intelligence sources attribute the attack to Salt Typhoon, the China-linked espionage group that has hit US telecoms (AT&T, Verizon, Viasat), Canadian telecom firms, the US Army National Guard, Dutch government networks, and now Italian critical infrastructure. Salt Typhoon's hallmark is patience - prolonged data exfiltration, silent network observation, and infrastructure compromise rather than fast theft. The group has been active since at least 2019 and has reportedly hit 200+ companies across 80 countries.