
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Cisco Patches Critical Webex and ISE Vulnerabilities

20-Apr-2026
Label: Vulnerability
Threat Level: Medium

Cisco has released security updates addressing four critical vulnerabilities affecting its Cisco Webex Services and identity infrastructure components, with the most severe flaw enabling unauthenticated access through single sign-on (SSO) abuse. The primary issue, CVE-2026-20184 (CVSS 9.8), resides in the SSO integration and could allow remote attackers to impersonate users and access legitimate Webex services by supplying a crafted authentication token. Three additional critical flaws (CVE-2026-20147, CVE-2026-20180 and CVE-2026-20186) affect Cisco Identity Services Engine (ISE) and ISE-PIC, enabling remote code execution under certain conditions. Together, these vulnerabilities present significant risk to enterprise environments that rely on centralized identity and collaboration platforms.

CVE-2026-20184 can be exploited by interacting with exposed service endpoints and submitting a manipulated token, bypassing authentication controls and granting unauthorized access. While Cisco has deployed patches, organizations using SSO must manually update their SAML certificates in identity provider configurations to ensure full remediation. The remaining vulnerabilities affect Cisco Identity Services Engine, where exploitation could lead to arbitrary command execution on underlying systems. In parallel, Cisco also disclosed a separate issue affecting Cisco IOS XE-based access points, where a logging defect can cause storage bloat and prevent devices from downloading updates, potentially resulting in boot loops.

Threat Actors Exploit n8n Platform for Malware Distribution

20-Apr-2026
Label: Malware
Threat Level: Medium

Threat actors are exploiting the n8n AI workflow automation platform to deliver malware and conduct device fingerprinting through phishing campaigns, with email volume containing n8n webhook URLs surging 686% between January and March 2026. Attackers abuse the platform’s trusted domain reputation to bypass security filters.

The attack leverages n8n’s webhook functionality to mask malicious payload sources while appearing to originate from legitimate n8n.cloud domains. Attackers register free developer accounts creating subdomains and exploit URL-exposed webhooks that dynamically serve different data streams based on request headers. Observed campaigns delivered modified remote monitoring tools through self-contained phishing pages protected with CAPTCHAs, with payloads disguised as document readers and self-extracting archives.

The malware deployment process involves JavaScript-encapsulated downloads within HTML documents delivered by webhooks, making downloads appear to browsers as originating from trusted n8n infrastructure rather than actual malicious hosts. Device fingerprinting campaigns embed invisible tracking pixels using HTML image tags with webhook URLs containing victim email addresses, automatically triggering HTTP requests when email clients load images. This technique allows attackers to exploit legitimate automation platform infrastructure while evading traditional security detection mechanisms.
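The two n8n patterns described above (webhook links that front the real payload host, and image tags whose webhook URL carries the recipient's address) can be surfaced from message content with a small scanner. The code below is an added example rather than CyberProof's tooling; it assumes, independently of the alert, that an n8n cloud webhook URL has a host of n8n.cloud or a subdomain of it and a path beginning with /webhook/ or /webhook-test/, and the sample message, hostname and webhook id are constructed.

```python
"""Flag n8n webhook abuse patterns in an HTML e-mail body.

Added example (not CyberProof's tooling). Assumptions not taken from the
alert: an n8n cloud webhook URL has a host that is n8n.cloud or a subdomain
of it and a path beginning with /webhook/ or /webhook-test/; a tracking
pixel is an <img> whose webhook URL carries the recipient's address.
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_n8n_webhook(url: str) -> bool:
    """True when url targets an n8n cloud webhook endpoint (assumed layout)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    on_n8n = host == "n8n.cloud" or host.endswith(".n8n.cloud")
    return on_n8n and parts.path.startswith(("/webhook/", "/webhook-test/"))


def embedded_email(url: str) -> Optional[str]:
    """Recipient address smuggled into the URL (query or path), if any."""
    match = EMAIL_RE.search(unquote(url))
    return match.group(0) if match else None


def looks_hidden(attrs: dict) -> bool:
    """1x1 or display:none images are the classic tracking-pixel shape."""
    tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style


class _N8nCollector(HTMLParser):
    """Collects every <img src> and <a href> that points at an n8n webhook."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and is_n8n_webhook(a.get("src", "")):
            email = embedded_email(a["src"])
            self.findings.append({
                "kind": "tracking_pixel" if email else "n8n_image",
                "url": a["src"], "email": email, "hidden": looks_hidden(a)})
        elif tag == "a" and is_n8n_webhook(a.get("href", "")):
            # A link to a webhook is the payload-delivery shape described above
            self.findings.append({"kind": "n8n_link", "url": a["href"],
                                  "email": embedded_email(a["href"]),
                                  "hidden": False})


def scan_email_html(html: str) -> list:
    """Return every n8n webhook reference found in the message body, in order."""
    collector = _N8nCollector()
    collector.feed(html)
    return collector.findings


# Constructed sample message; the hostname and webhook id are invented.
SAMPLE_EMAIL = """<html><body>
<p>Your invoice is ready.</p>
<a href="https://acme-billing.app.n8n.cloud/webhook/8c1f2a7e-invoice">Download invoice</a>
<img src="https://acme-billing.app.n8n.cloud/webhook/open?u=victim%40example.com"
     width="1" height="1" style="display:none">
<img src="https://cdn.example.com/logo.png" width="200" height="60">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the scanner reports one n8n_link (the delivery link) and one tracking_pixel carrying victim@example.com; the ordinary CDN logo is ignored. Matching on the webhook path rather than on the whole hostname is deliberate, since the abused subdomains are freely registered and change per campaign.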

Trojanized Obsidian Plugins Lead to In-Memory RAT Deployment

20-Apr-2026
Label: Malware
Threat Level: Medium

A novel social engineering campaign has been identified that abuses the popular note-taking application Obsidian as an initial access vector, reaching its targets through elaborate outreach on LinkedIn and Telegram. The attack culminates in the deployment of a previously undocumented remote access trojan: a heavily AI-generated, full-featured backdoor featuring blockchain-based command-and-control (C2) resolution and advanced process injection techniques, with a separate execution path for macOS that deploys an obfuscated dropper with a messaging-platform-based fallback C2 mechanism.

The threat actors operate under the guise of a venture capital firm, initiating contact with targets via professional networking platforms before moving conversations to group messaging, where multiple purported partners lend credibility to the interaction. The discussion centers on financial services and cryptocurrency, and targets are eventually asked to use Obsidian (presented as the firm’s internal management database) with credentials provided to access a cloud-hosted vault controlled by the attacker. Once the target enables community plugin sync within the application, trojanized plugins silently execute the attack chain without further interaction. A downloaded PowerShell script then implements a loader-delivery mechanism, using file transfer services to pull down the next-stage binary while reporting progress back to the C2.

Once executed, the loader extracts an encrypted payload from its own resources, decrypts it, and loads it directly into memory, after which the final implant is deployed via internal execution routines. The loader leverages runtime API resolution and timer-based execution to evade detection. The implant uses a decentralized method to retrieve its C2 instructions from public data sources, with a fallback communication channel if retrieval fails. However, this design introduces a notable weakness, as the malware does not validate the origin of the retrieved data, meaning external parties could potentially manipulate the response and redirect infected systems away from the attacker’s infrastructure.

Malicious Chrome Extensions Harvest Credentials and Sessions

20-Apr-2026
Label: Malware
Threat Level: Medium

A large-scale malicious browser extension campaign has been identified involving 108 Chrome extensions published under multiple developer identities but operated through a shared command-and-control (C2) infrastructure. Once installed, they silently harvest sensitive data including user identities, session tokens, and browsing activity, transmitting it to attacker-controlled servers. The campaign combines multiple threat vectors (credential theft, session hijacking, ad injection and persistent backdoor access), making it a broad and impactful threat within the browser ecosystem.

The extensions embed malicious logic that activates independently of user interaction, maintaining continuous communication with the C2 server. A significant subset abuses OAuth2 flows to extract Google account data, capturing tokens, user profiles and identifiers that are exfiltrated in real time. Some variants target messaging platforms by repeatedly stealing session data and enabling account takeover through forced session replacement. Others include persistent backdoor mechanisms that trigger on browser startup, allowing attackers to open arbitrary URLs or inject content without user awareness. Additional capabilities include stripping browser security headers such as Content Security Policy and CORS protections, enabling further manipulation of web content. Backend analysis reveals a structured platform with user accounts and payment mechanisms, indicating a malware-as-a-service model where stolen data and access are monetized. This campaign highlights how attackers continue to exploit the trusted nature of browser extensions to achieve scalable, multi-layered compromise.
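The header-stripping capability mentioned above is one of the few behaviours that can be checked statically before an extension is allowed into a fleet: in Manifest V3 it is expressed as declarativeNetRequest rules of type modifyHeaders, combined with broad host permissions. The audit below is an added example, not code from the alert or from any vendor; the manifest and rule file it inspects are constructed, and it assumes only the documented manifest keys (permissions, host_permissions, declarative_net_request.rule_resources) and rule fields (action.type, action.responseHeaders, condition.urlFilter).

```python
"""Audit a Chrome extension for the ability to strip response security headers.

Added example, not code from the alert or any vendor. It reads a Manifest V3
manifest.json plus the declarativeNetRequest rule files it declares and
flags rules that remove or overwrite Content-Security-Policy or CORS
headers, together with the permissions that make such rewriting possible.
The manifest and rules below are constructed for illustration.
"""
import json

# Response headers whose removal or overwrite weakens the page's own defences
HEADER_TARGETS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "access-control-allow-origin",
    "access-control-allow-credentials",
    "x-frame-options",
}
# Permissions that let an extension rewrite network traffic
REWRITE_PERMS = {
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
    "webRequest", "webRequestBlocking",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def header_stripping_rules(rules: list) -> list:
    """Return the modifyHeaders rules that remove or overwrite a target header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if name in HEADER_TARGETS and hdr.get("operation") in ("remove", "set"):
                hits.append({
                    "rule_id": rule.get("id"),
                    "header": name,
                    "operation": hdr["operation"],
                    "url_filter": rule.get("condition", {}).get("urlFilter"),
                })
    return hits


def audit_extension(manifest: dict, rule_files: dict) -> dict:
    """rule_files maps each rule-file path named in the manifest to its parsed JSON list.

    Every declared ruleset is scanned, including disabled ones, because an
    extension can enable them at runtime.
    """
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    broad = bool(hosts & BROAD_HOSTS)
    findings = []
    resources = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    for res in resources:
        for hit in header_stripping_rules(rule_files.get(res.get("path"), [])):
            findings.append({"ruleset": res.get("id"),
                             "enabled": bool(res.get("enabled", False)), **hit})
    if findings and broad:
        risk = "high"
    elif findings or ((perms & REWRITE_PERMS) and broad):
        risk = "medium"
    else:
        risk = "low"
    return {
        "risk": risk,
        "rewrite_permissions": sorted(perms & REWRITE_PERMS),
        "broad_host_access": broad,
        "header_stripping": findings,
    }


# Constructed sample extension: a "shopping helper" that drops CSP and opens CORS
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Sample Shopping Helper",
  "version": "1.0",
  "permissions": ["declarativeNetRequest", "storage"],
  "host_permissions": ["<all_urls>"],
  "declarative_net_request": {
    "rule_resources": [{"id": "ruleset_1", "enabled": true, "path": "rules.json"}]
  }
}""")

SAMPLE_RULES = {"rules.json": json.loads("""[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders",
              "responseHeaders": [
                {"header": "Content-Security-Policy", "operation": "remove"},
                {"header": "Access-Control-Allow-Origin", "operation": "set", "value": "*"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 2, "priority": 1,
   "action": {"type": "block"},
   "condition": {"urlFilter": "||ads.example.net", "resourceTypes": ["script"]}}
]""")}

if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, SAMPLE_RULES), indent=2))
```

The constructed sample scores "high": it removes Content-Security-Policy and sets Access-Control-Allow-Origin to * on every URL while holding <all_urls> host access. The plain block rule is ignored, since blocking ad hosts is what legitimate content blockers do; the combination of header rewriting and broad host scope is the signal worth gating on.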

SAP Releases Critical CVE-2026-27681 SQL Injection Vulnerability in April Patch Cycle

20-Apr-2026
Label: Vulnerability
Threat Level: Medium

SAP’s April 2026 Security Patch Day includes a critical vulnerability, CVE-2026-27681 (CVSS 9.9), affecting SAP Business Planning and Consolidation and SAP Business Warehouse. The flaw stems from insufficient authorization checks and allows an authenticated user to execute crafted SQL statements against backend databases. Successful exploitation can lead to full compromise of sensitive enterprise data, enabling attackers to read, modify, or delete information, with significant impact on confidentiality, integrity, and availability.

The risk is particularly high as the affected systems are central to financial planning, reporting, and analytics processes, making them attractive targets for both insider threats and attackers leveraging compromised credentials. By abusing low-privileged access, threat actors can manipulate critical business data and potentially disrupt downstream operations and decision-making workflows.

In addition to CVE-2026-27681, SAP’s April release includes multiple other vulnerabilities, including high-severity authorization flaws in SAP ERP and SAP S/4HANA, highlighting a broader pattern of access control weaknesses across SAP environments. Organizations are strongly advised to prioritize remediation of the critical SQL injection issue while also reviewing and addressing the wider set of vulnerabilities disclosed in this patch cycle.

Fortinet Fixes Critical FortiSandbox Vulnerabilities Enabling Authentication Bypass and RCE

20-Apr-2026
Label: Vulnerability
Threat Level: Medium

Fortinet has released security updates addressing two critical vulnerabilities in FortiSandbox, tracked as CVE-2026-39813 and CVE-2026-39808, which could allow unauthenticated attackers to bypass authentication and execute arbitrary code or commands on affected systems. Both vulnerabilities can be exploited via specially crafted HTTP requests, posing a significant risk to unpatched deployments. CVE-2026-39813 is a path traversal flaw in the JRPC API that enables authentication bypass, while CVE-2026-39808 stems from improper input neutralization in an API, leading to remote command execution.
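The vulnerability class named for CVE-2026-39813, path traversal in an API that takes a file path from the request, has a standard mitigation: resolve the supplied path against a fixed base directory and reject anything that escapes it after decoding and normalisation. The code below is an added example of that check, not FortiSandbox code, and it assumes nothing about the JRPC API; the base directory and request paths are constructed.

```python
"""Contain API-supplied file paths under a fixed base directory.

Added example of the standard mitigation for the vulnerability class named
above; it is not FortiSandbox code and assumes nothing about the JRPC API.
The base directory and request paths below are constructed.
"""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_under(base: str, requested: str) -> Optional[Path]:
    """Return the resolved path if it stays inside base, otherwise None.

    Decoding twice catches double-encoded traversal (%252e%252e), the NUL
    check blocks string-truncation tricks, and backslashes are treated as
    separators so Windows-style sequences are judged the same way.
    """
    base_path = Path(base).resolve()
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = (base_path / relative).resolve()
    # The resolved path must be the base itself or have the base as an ancestor
    if candidate != base_path and base_path not in candidate.parents:
        return None
    return candidate


def classify(base: str, requests: list) -> dict:
    """Map each request path to 'allowed' or 'rejected'."""
    return {r: ("allowed" if resolve_under(base, r) is not None else "rejected")
            for r in requests}


# Constructed inputs: a report store and a mix of benign and traversal requests.
REPORT_BASE = "/srv/sandbox/reports"
SAMPLE_REQUESTS = [
    "2026/04/report-1234.json",            # benign
    "../../etc/passwd",                    # plain traversal
    "%2e%2e/%2e%2e/etc/passwd",            # URL-encoded dots
    "%252e%252e/%252e%252e/etc/passwd",    # double-encoded dots
    "..\\..\\windows\\win.ini",            # backslash separators
    "2026/04/report%00.json",              # embedded NUL
]

if __name__ == "__main__":
    for req, verdict in classify(REPORT_BASE, SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {req}")
```

The check works on the resolved path rather than by searching for "../" substrings, which is why the encoded and backslash variants are all rejected: each is decoded and normalised first, and the decision is made on where the path actually lands. Apply it before any authentication state is derived from the path, since the alert's point is that traversal there led to an authentication bypass.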

Given FortiSandbox’s role in analyzing suspicious files and providing verdicts to other Fortinet security products, successful exploitation could have broader implications across enterprise environments. A compromised instance may allow attackers to manipulate threat analysis results, potentially marking malicious files as benign or using the system as a foothold for lateral movement within the network.
