13 Mar 2026

Week in review

Greetings,

Salesforce customers are being urged to investigate their Experience Cloud configurations after a spike in data theft activity linked to the ShinyHunters cybercrime group. In recent alerts, Salesforce confirmed it is tracking an active campaign targeting public-facing Experience Cloud sites where guest user access has been misconfigured, potentially exposing more data than intended.

According to reporting from IT Pro and BleepingComputer, attackers are not exploiting a flaw in Salesforce itself but are instead abusing overly permissive guest user profiles. These profiles are designed to allow unauthenticated visitors limited access to public content. When permissions are set too broadly, however, threat actors can directly query underlying CRM objects and extract sensitive information without logging in. ShinyHunters has claimed responsibility for the ongoing campaign and alleges that hundreds of organisations have been affected, with stolen data often repurposed for follow-on phishing and voice-based social engineering attacks.

Salesforce says the attackers are using a modified version of AuraInspector, an open-source tool originally developed to help administrators identify misconfigurations. In the wrong hands, this tooling has been adapted to automate large-scale scanning of Experience Cloud sites and harvest exposed data.

In response, Salesforce has published a detailed advisory outlining essential actions to reduce risk. These include auditing guest user permissions, applying the principle of least privilege, disabling unnecessary API access and closely monitoring for unusual activity.


Veeam warns of critical flaws exposing backup servers to RCE attacks
Date: 2026-03-12
Author: Bleeping Computer

[AUSCERT has contacted affected members where applicable]
Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures.
Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.

Critical Nginx UI flaw CVE-2026-27944 exposes server backups
Date: 2026-03-08
Author: Security Affairs

A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys.
“The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header.” reads the advisory.

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Date: 2026-03-10
Author: The Hacker News

Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks.
The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The security outfit said the campaign has singled out environments tied to healthcare, government, and managed service providers.

‘BlackSanta’ Malware Activates EDR and AV Killer Before Detonating Payload
Date: 2026-03-11
Author: Security Week

An ongoing campaign, probably originating from a Russian-speaking threat actor, uses social engineering to trick victims into downloading an ISO file from cloud storage services such as Dropbox. Once mounted, the ISO file seems to be a legitimate part of the system and can be directly accessed by the victim. Opening a file within it will trigger a chain that downloads malware, including a module that Aryaka, the firm that discovered it, has dubbed BlackSanta.

CISA Warns SolarWinds and Ivanti Vulnerabilities Are Actively Exploited
Date: 2026-03-10
Author: Security Boulevard

Organizations often prioritize patching vulnerabilities based on severity scores, assuming that lower-rated issues pose limited risk. In practice, attackers frequently exploit vulnerabilities that remain unpatched in real environments, regardless of their official severity rating.
New reporting from The Hacker News highlights that the Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting products from SolarWinds, Ivanti, and other vendors to its Known Exploited Vulnerabilities (KEV) catalog, confirming that these flaws are actively being abused in the wild.

Hackers abuse .arpa DNS and IPv6 to evade phishing defenses
Date: 2026-03-08
Author: Bleeping Computer

Threat actors are abusing the special-use ".arpa" domain and IPv6 reverse DNS in phishing campaigns that more easily evade domain reputation checks and email security gateways.
The .arpa domain is a special top-level domain reserved for internet infrastructure rather than normal websites. It is used for reverse DNS lookups, which allow systems to map an IP address back to a hostname.
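A short worked illustration of the mechanism described above, added here by the editor and not taken from the BleepingComputer article: it shows how a resolver turns an address into its in-addr.arpa / ip6.arpa reverse-DNS name, and, for defenders, how to invert a .arpa hostname found in a URL back to the IP address it encodes so that reputation checks can run against the address rather than against a domain that has no reputation history. The sample URLs are constructed from the RFC 5737 / RFC 3849 documentation ranges (192.0.2.10 and 2001:db8::1) and are not from the page.

```python
import ipaddress
from urllib.parse import urlparse


def reverse_pointer(address: str) -> str:
    """PTR name a resolver looks up for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(address).reverse_pointer


def arpa_to_address(name: str):
    """Invert an in-addr.arpa / ip6.arpa name to the address it encodes.

    Returns None when the name is not a well-formed reverse-DNS name,
    including labels that are not single hex nibbles in the ip6.arpa case.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        try:
            return ipaddress.IPv4Address(".".join(labels[:4][::-1]))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = labels[:32]
        if not all(len(n) == 1 for n in nibbles):
            return None
        hexstr = "".join(nibbles[::-1])
        try:
            return ipaddress.IPv6Address(
                ":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
        except ValueError:
            return None
    return None


def classify_url(url: str) -> dict:
    """Flag a URL whose host sits under .arpa and recover the address behind it.

    A host under .arpa never belongs to a registered web site, so its presence
    in a link is itself a signal; the recovered address is what an IP-reputation
    lookup should be run against.
    """
    host = (urlparse(url).hostname or "").lower()
    under_arpa = host == "arpa" or host.endswith(".arpa")
    addr = arpa_to_address(host) if under_arpa else None
    return {"url": url, "host": host, "under_arpa": under_arpa,
            "address": str(addr) if addr is not None else None}


# Constructed sample links; the .arpa ones use documentation-only addresses.
SAMPLE_URLS = [
    "https://example.com/login",
    "http://10.2.0.192.in-addr.arpa/verify",
    "http://1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/login",
]


def suspicious_links(urls):
    """Return only the classified entries whose host lives under .arpa."""
    return [c for c in (classify_url(u) for u in urls) if c["under_arpa"]]


if __name__ == "__main__":
    for entry in suspicious_links(SAMPLE_URLS):
        print(entry)
```

Running the module prints the two .arpa entries with their recovered addresses (192.0.2.10 and 2001:db8::1); example.com is not flagged. A mail gateway or URL-rewriting proxy could apply the same rule as a hard block, since no legitimate web content is expected to be served under a reverse-DNS name.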


ESB-2026.2410 – Splunk AppDynamics On-Premises Enterprise Console: CVSS (Max): 9.8

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics On-Premises Enterprise Console version 26.1.1, and higher.

ESB-2026.2399 – GitLab Community and Enterprise Edition: CVSS (Max): 8.7

GitLab releases fixes for vulnerabilities in patch releases, versions 18.9.2, 18.8.6, 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

ESB-2026.2395 – Cisco IOS XR Software: CVSS (Max): 8.8

Multiple vulnerabilities in Cisco IOS XR Software could allow an authenticated, local attacker to execute commands as root on an underlying operating system or gain full administrative control of an affected device.

ESB-2026.2330 – Adobe Experience Manager: CVSS (Max): 9.8*

Adobe has released updates for Adobe Experience Manager (AEM). This update resolves vulnerabilities rated important. Successful exploitation of these vulnerabilities could result in arbitrary code execution.

ESB-2026.2313 – Zoom: CVSS (Max): 9.6

External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access.


Stay safe, stay patched and have a good weekend!

The AUSCERT team