Cybersecurity Weekly Briefing, 21-27 March
Oracle patches critical vulnerability CVE-2026-21992, which allows remote code execution without authentication
Oracle has released out-of-cycle updates to mitigate CVE-2026-21992 (CVSSv3 9.8 according to the vendor), a critical remote code execution (RCE) vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager, both components of Oracle Fusion Middleware.
The flaw allows an unauthenticated attacker to compromise systems via HTTP access, enabling complete takeover of the affected products. The official advisory highlights that exploitation is straightforward, although Oracle has not confirmed any malicious activity. However, the vendor has a recent history of patching zero-day vulnerabilities without acknowledging immediate exploitation, as occurred in November 2025 with another critical flaw in Identity Manager.
The patch follows recent incidents affecting Oracle E-Business Suite (EBS), where actors such as Cl0p exploited zero-day flaws in data-stealing campaigns that compromised over 100 organisations.
TeamPCP exploits Trivy to inject malware into LiteLLM and exfiltrate secrets in Kubernetes and CI/CD environments
Endor Labs has identified a supply chain compromise in LiteLLM, a Python package with over 3.4 million daily downloads and more than 95 million in the last month, used as an API gateway for multiple AI providers, following the publication on PyPI of the malicious versions 1.82.7 and 1.82.8 on 24 March 2026.
These versions incorporate a three-stage payload: a credential stealer, a Kubernetes lateral movement toolkit that spreads to all nodes in the cluster, and a persistent backdoor disguised as the System Telemetry Service. The attack is attributed to the actor TeamPCP, who is believed to have obtained the deployment credentials by exploiting the integration of Trivy, which had previously been compromised, into LiteLLM’s CI/CD pipeline.
The exfiltrated data includes SSH keys, AWS and GCP credentials, Kubernetes secrets, cryptocurrency wallets, .env files, CI/CD tokens, private TLS keys and shell histories. Users who have installed these versions are advised to immediately rotate all credentials, check for the presence of litellm_init.pth, downgrade to version 1.82.6 and audit any recent CI/CD runs. It is believed that the breach in Trivy triggered a series of attacks affecting Aqua Security’s Docker images, the Checkmarx KICS project and, now, LiteLLM.
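The host check advised above can be scripted. This is an added example, not code from Endor Labs or LiteLLM: it looks in each site-packages directory for the two malicious versions and for litellm_init.pth. It assumes the package was installed with a standard `.dist-info` directory; the function names are illustrative.

```python
import sys
from email.parser import HeaderParser
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # malicious releases named in the briefing
PTH_NAME = "litellm_init.pth"        # file the briefing says to check for


def litellm_versions(site_dir):
    """Versions of litellm recorded in *.dist-info/METADATA under one directory."""
    found = []
    for meta in Path(site_dir).glob("*.dist-info/METADATA"):
        text = meta.read_text(encoding="utf-8", errors="replace")
        headers = HeaderParser().parsestr(text)
        # Normalise the name so related packages (e.g. litellm_proxy_extras) do not match.
        name = (headers["Name"] or "").lower().replace("_", "-")
        if name == "litellm" and headers["Version"]:
            found.append(headers["Version"].strip())
    return found


def audit(site_dirs):
    """Return (directory, finding) tuples for every indicator present."""
    findings = []
    for site_dir in map(Path, site_dirs):
        if not site_dir.is_dir():
            continue
        for version in litellm_versions(site_dir):
            if version in BAD_VERSIONS:
                findings.append((str(site_dir), f"litellm {version} installed"))
        # Checked independently of the version: the briefing lists it as its own step.
        if (site_dir / PTH_NAME).is_file():
            findings.append((str(site_dir), f"{PTH_NAME} present"))
    return findings


if __name__ == "__main__":
    # sys.path covers the active interpreter or virtualenv; pass other
    # site-packages directories as arguments to audit images or build agents.
    results = audit(sys.argv[1:] or [p for p in sys.path if p])
    for directory, finding in results:
        print(f"[!] {directory}: {finding}")
    sys.exit(1 if results else 0)
```

A non-zero exit code makes the script usable as a gate in a CI job or image scan; a clean result does not replace the credential rotation advised above for hosts that ran the affected versions.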
Police operation in Germany over the critical vulnerability CVE-2026-4681 in Windchill and FlexPLM
PTC has issued a warning regarding the critical vulnerability CVE-2026-4681 (CVSSv4 9.3 according to the vendor) in Windchill and FlexPLM, caused by the deserialisation of untrusted data and with the potential for remote code execution. The manufacturer does not yet have definitive patches, although it states that it is developing them for all supported versions of Windchill.
As an immediate containment measure, it recommends applying Apache or IIS rules to block the affected servlet path in all deployments, including file servers and replicas, prioritising those exposed to the internet. If this mitigation cannot be applied, it advises temporarily disconnecting internet-facing instances or shutting down the service. The flaw has triggered an extraordinary police response in Germany following an alert from the BKA, the German Federal Criminal Police Office, which mobilised police officers to personally inform administrators at over a thousand companies, visiting corporate offices even at night.
Although PTC maintains that “there is no evidence of confirmed exploitation”, the bulletin includes several specific IoCs, such as the presence of GW.class or dpr_<8-hex-digits>.jsp files, which indicate preparation for an RCE attack, creating concern about the potential exploitation of this vulnerability in industrial settings and critical supply chains.
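A sweep for the two file-name indicators mentioned above, as an added example that is not taken from PTC's bulletin. The directory to scan is site-specific and passed as an argument; accepting both upper- and lower-case hex digits in the dpr_ name is an assumption.

```python
import hashlib
import os
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

# File-name indicators quoted in the briefing from PTC's bulletin.
IOC_PATTERNS = {
    "GW.class": re.compile(r"^GW\.class$"),
    "dpr_<8-hex-digits>.jsp": re.compile(r"^dpr_[0-9A-Fa-f]{8}\.jsp$"),
}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root):
    """Walk root and return one record per file whose name matches an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            for label, pattern in IOC_PATTERNS.items():
                if not pattern.match(name):
                    continue
                path = Path(dirpath) / name
                try:
                    mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
                    hits.append({"indicator": label, "path": str(path),
                                 "modified_utc": mtime.isoformat(),
                                 "sha256": sha256_of(path)})
                except OSError as exc:  # unreadable file: still report the name
                    hits.append({"indicator": label, "path": str(path),
                                 "error": str(exc)})
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    # Argument: the Windchill/FlexPLM installation or web root (site-specific).
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

The modification time and hash recorded for each hit give responders a starting point for timeline work before any file is moved or deleted.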
AI is ushering in a new era of fraud in the retail sector through the manipulation of automated buying bots
Unit42 has analysed the emerging risks of AI-enabled fraud in the retail sector following the adoption of commerce via AI agents and protocols such as the Universal Commerce Protocol (UCP) and the Agent Payments Protocol (AP2), introduced by Google in 2025–2026 to enable tokenised payments and verifiable credentials between agents and commercial systems.
Studies by Bain and McKinsey estimate that AI agents will handle between 15% and 25% of e-commerce and generate between $3 trillion and $5 trillion in global revenue by 2030. The analysis warns that the exploitation of agents could lead to a significant number of data breaches by 2028, with prompt injection—particularly in its indirect form—being the most critical vector, as it allows for the manipulation of memory, logic and tools within UCP agents.
Unit42 describes two scenarios: gift card theft via covert modification of the Cart Mandate, where a hidden payload instructs the agent to add an unauthorised gift card in the attacker’s favour; and return fraud via logic hijacking, where malicious HTML content induces the agent to bypass checks and execute an immediate refund without a legitimate return.
The analysis highlights the need for controls such as Know Your Agent (KYA) to validate agent identities, behavioural reputation systems and stricter authentication protocols in transaction flows.
SmartApeSG expands its arsenal: Remcos, NetSupport, StealC and Sectop in a single ClickFix operation
Brad Duncan, from the Internet Storm Center, has analysed the SmartApeSG campaign, which deploys multiple malware families in staggered phases. After executing the ClickFix script from a compromised website, Remcos RAT activity was observed after 2 minutes, followed by NetSupport RAT after 4 minutes, StealC approximately one hour later and Sectop RAT one hour and 18 minutes later.
The operational flow involves downloading an HTA file that executes a ZIP containing Remcos RAT, followed by payloads of NetSupport RAT, StealC and Sectop RAT, all employing DLL sideloading via legitimate executables, except for NetSupport, which uses a modified configuration. The recovered artefacts feature stage-specific SHA256 hashes and distinct local storage paths.
The infrastructure, domains and artefacts vary daily, but the pattern confirms SmartApeSG’s ability to deploy multiple secondary payloads sequentially and at staggered times.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.