Insights

Executive Summary CVE-2026-21643 is a critical SQL injection vulnerability affecting FortiClient Endpoint Management Server. The vulnerability has progressed rapidly from disclosure to active exploitation, with confirmed attack activity targeting exposed EMS instances. The flaw allows unauthenticated attackers to execute arbitrary SQL queries via the EMS web interface, leading to privilege escalation and potential remote code execution on the EMS host. Given EMS's role as a centralized management system for endpoint security, successful exploitation provides a high-value foothold for lateral movement and persistence within enterprise environments. Organizations operating vulnerable versions of FortiClient EMS should treat this as an active compromise risk and prioritize immediate remediation. Vulnerability Overview Identifier: CVE-2026-21643Vulnerability Type: SQL InjectionAttack Vector: Remote, unauthenticated via HTTP(S)Impact: Unauthorized database access Privilege escalation Remote code execution Full system compromise of EMS host The vulnerability exists within the EMS web interface due to improper sanitization of user-supplied input. Attackers can craft HTTP requests…

Critical IP-KVM Vulnerabilities Enable Full Remote System Takeover Executive Summary A newly disclosed set of nine critical vulnerabilities impacting IP-KVM (Keyboard, Video, Mouse over IP) devices introduces a significant and often overlooked risk to enterprise environments. These vulnerabilities allow unauthenticated attackers to gain root-level access and execute arbitrary code, effectively granting full control over both the KVM device and any connected systems. This is not a traditional edge vulnerability.This is out-of-band compromise at the hardware control layer. Threat Overview Security researchers identified multiple vulnerabilities across IP-KVM devices from several vendors. These issues stem from improper authentication controls, insecure configurations, and exposed management interfaces. Successful exploitation allows attackers to: Bypass authentication mechanisms entirely Execute arbitrary commands remotely Gain root-level access to the device Pivot into connected systems and infrastructure Because IP-KVM devices operate outside the operating system, compromise provides direct console-level access, independent of traditional security controls. Below is a shortened…

Date: March 19, 2026Severity: HighAffected Product: ConnectWise ScreenConnect (versions prior to 26.1) Executive Summary Critical Path Security is advising clients of a recently disclosed security concern impacting ConnectWise ScreenConnect related to the potential abuse of ASP.NET machine key material used for authentication trust. If cryptographic material associated with a ScreenConnect instance is exposed, a threat actor may be able to forge or manipulate trusted application data. This could result in unauthorized access, session hijacking, and privilege escalation within the platform. ConnectWise has released version 26.1 to address this risk through enhanced protection and rotation of cryptographic material. Immediate action is recommended. Technical Overview ScreenConnect relies on ASP.NET machine keys to sign and validate protected application data, including authentication tokens and session state. Under normal conditions, these keys ensure: Data integrity Authenticity of session information Protection against tampering However, if machine key material becomes accessible through: Misconfigured backups Exposed configuration files…

Security Bulletin Cisco Firewall Zero-Day Exploitation in Ransomware Campaigns Date: March 2026Severity: CriticalThreat Type: Initial Access / Infrastructure Compromise Executive Summary A recently disclosed set of Cisco firewall and management interface vulnerabilities are now being actively exploited in the wild, including in ransomware campaigns associated with the Interlock group. These vulnerabilities allow unauthenticated attackers to gain control of firewall infrastructure, effectively bypassing traditional security controls and gaining direct access into internal networks. This represents a significant shift in attacker behavior, targeting core network infrastructure rather than endpoints or users. What's Going On Cisco has disclosed multiple critical vulnerabilities affecting firewall management platforms, including Cisco Secure Firewall Management Center (FMC). These vulnerabilities enable attackers to: Execute arbitrary code remotely Bypass authentication mechanisms Obtain root-level access to affected systems In some observed cases, exploitation can occur through crafted HTTP requests sent directly to exposed management interfaces. This means an externally accessible firewall…