Insights

March 2026 Cyber activity in March reflects a continued shift toward more visible, coordinated, and operationally impactful threats. What stands out is not just the techniques being used, but how intentionally they are being applied - aligning with broader geopolitical tension, supply chain exposure, and business disruption. Attackers are no longer just trying to get in. They are thinking about how their activity will be seen, felt, and amplified once they do. What We're Seeing This Month Threat Activity Is Becoming More Visible Cyber operations are increasingly designed to be noticed. In many cases, attackers are not just executing intrusions, they are shaping narratives through data exposure, public disclosures, and targeted messaging. This creates a dual-layered impact. Organizations are dealing with both the technical incident and the external perception of it at the same time. For security teams, this means response plans can't stop at containment. There needs to be…

Executive Summary The termination of the VMware Cloud Service Provider (VCSP) program represents a significant shift in how organizations access and operate VMware-based infrastructure. This change is not limited to licensing or partner relationships. It introduces structural impacts to cost models, service delivery, and long-term infrastructure strategy. Organizations that relied on VCSP partners for hosted or managed VMware environments must now reassess their architecture, vendor dependencies, and operational approach. The decision forces organizations into a defined set of paths: remain within a constrained VMware ecosystem, transition to alternative service providers, or undertake a broader migration to new platforms or cloud models. Immediate action is required to assess exposure, define a transition strategy, and avoid operational or financial disruption. Background The VCSP program historically enabled service providers to deliver VMware-based infrastructure as a service. This model provided: Flexible consumption-based pricing Partner-managed infrastructure operations Access to enterprise virtualization without full ownership of…

Executive Summary CVE-2026-21643 is a critical SQL injection vulnerability affecting FortiClient Endpoint Management Server. The vulnerability has progressed rapidly from disclosure to active exploitation, with confirmed attack activity targeting exposed EMS instances. The flaw allows unauthenticated attackers to execute arbitrary SQL queries via the EMS web interface, leading to privilege escalation and potential remote code execution on the EMS host. Given EMS's role as a centralized management system for endpoint security, successful exploitation provides a high-value foothold for lateral movement and persistence within enterprise environments. Organizations operating vulnerable versions of FortiClient EMS should treat this as an active compromise risk and prioritize immediate remediation. Vulnerability Overview Identifier: CVE-2026-21643Vulnerability Type: SQL InjectionAttack Vector: Remote, unauthenticated via HTTP(S)Impact: Unauthorized database access Privilege escalation Remote code execution Full system compromise of EMS host The vulnerability exists within the EMS web interface due to improper sanitization of user-supplied input. Attackers can craft HTTP requests…

Critical IP-KVM Vulnerabilities Enable Full Remote System Takeover Executive Summary A newly disclosed set of nine critical vulnerabilities impacting IP-KVM (Keyboard, Video, Mouse over IP) devices introduces a significant and often overlooked risk to enterprise environments. These vulnerabilities allow unauthenticated attackers to gain root-level access and execute arbitrary code, effectively granting full control over both the KVM device and any connected systems. This is not a traditional edge vulnerability.This is out-of-band compromise at the hardware control layer. Threat Overview Security researchers identified multiple vulnerabilities across IP-KVM devices from several vendors. These issues stem from improper authentication controls, insecure configurations, and exposed management interfaces. Successful exploitation allows attackers to: Bypass authentication mechanisms entirely Execute arbitrary commands remotely Gain root-level access to the device Pivot into connected systems and infrastructure Because IP-KVM devices operate outside the operating system, compromise provides direct console-level access, independent of traditional security controls. Below is a shortened…