CIO Briefings
68 briefings — page 4 of 4
Critical Ivanti MDM Vulnerability Puts Every Managed Device at Risk
A critical unauthenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited. CISA has mandated federal agencies patch by 11 April. A compromised MDM platform exposes the management layer for an organisation's entire mobile device fleet — including device certificates, VPN credentials, and configuration profiles pushed to thousands of employee devices.
Cisco Discloses Two CVSS 9.8 Vulnerabilities Affecting Enterprise Server and Licence Infrastructure
Cisco has patched two critical unauthenticated remote code execution and authentication bypass flaws in widely deployed enterprise infrastructure. Organisations running Cisco UCS rack servers or managing software licences on-premises face complete compromise of affected systems if patches are not applied urgently.
North Korean State Actors Poisoned 1,700+ Open-Source Packages Used by Your Development Teams
North Korea's UNC1069 threat group has systematically planted malicious code across five major software package registries, targeting developer credentials, cloud infrastructure tokens, and CI/CD pipeline secrets. Organisations whose development teams install open-source software packages — which is effectively every technology organisation — are in scope.
Microsoft Secure Boot Certificates Expire June 2026 — Enterprise Fleet Action Required Before Deadline
Microsoft's foundational Secure Boot signing certificates expire on 26 June 2026, with the Windows bootloader certificate following in October. Organisations that miss the OEM firmware update window will permanently lose the ability to receive boot-level security patches, leaving systems exposed to UEFI bootkit attacks that survive OS reinstallation. The update process requires OEM firmware coordination and cannot be deferred to the final week.
Third-Party Analytics Tool Breach Exposes Snowflake Customer Data — SaaS Supply Chain Risk Materialises
The breach of Anodot, a business analytics integration platform, has resulted in data theft from over a dozen organisations that use Snowflake cloud data warehouses. Attackers stole authentication credentials held by Anodot and used them to access customer data directly — a supply chain attack that bypassed the victim organisations' own security controls entirely.
Citrix Network Infrastructure Under Active Attack — Session Tokens Being Stolen
Attackers are actively exploiting a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, the network infrastructure used by many organisations to provide secure remote access and application delivery. Stolen session tokens allow attackers to impersonate legitimate users across connected enterprise applications without requiring passwords.
Ransomware Attack on ChipSoft Disrupts Patient Records Across 80% of Dutch Hospitals
A ransomware attack on ChipSoft, the vendor behind the HiX electronic patient record system used by approximately 80% of Dutch hospitals, has forced eleven hospitals offline and into emergency paper procedures. Patient data has potentially been accessed. The incident is a landmark illustration of healthcare supply chain concentration risk and the cascading consequences of a single vendor compromise.
Ransomware Groups Now Routinely Disabling Security Software Before Attacking — EDR No Longer a Reliable Last Line of Defence
Qilin and Warlock ransomware operations have incorporated a technique that systematically disables endpoint security software across an entire organisation before deploying the ransomware payload. The technique exploits a trusted but vulnerable kernel driver to terminate over 300 security products at the operating system level — including the market's leading EDR solutions. Organisations whose ransomware defence relies primarily on endpoint security tools face significantly elevated risk.
Critical RCE in F5 Network Access Infrastructure — US Government Confirms Active Attacks
A vulnerability in F5 BIG-IP Access Policy Manager, the network gateway used by many organisations to control remote worker and partner access, has been reclassified as critical remote code execution with a CVSS score of 9.8. The US government has confirmed real-world attacks and mandated patching within three days. Organisations using BIG-IP APM for VPN, zero trust, or SSO access control should treat this as an emergency patching situation.
Backdoored AI Library on PyPI Exposes Cloud Credentials and Kubernetes Access
A coordinated supply chain attack backdoored LiteLLM — an AI gateway library with three million daily downloads — on the Python Package Index on 24 March 2026. Any system that installed the package during a 40-minute window received malware that silently harvested cloud credentials, Kubernetes secrets, and CI/CD tokens. The attacker gained access by first compromising a security scanning tool used in LiteLLM's own build pipeline.
Industrial PLM Platform Under Imminent Attack Threat — German Police Mobilised, No Patch Available
A critical unauthenticated RCE vulnerability in PTC Windchill, the PLM platform holding engineering designs and supply chain data for industrial manufacturers, prompted German federal police to physically visit companies to deliver emergency warnings this weekend. No patch exists. A temporary server configuration workaround is available and must be applied immediately across all Windchill instances.
Ransomware Group Controlled Enterprise Firewalls for 36 Days Via Cisco FMC Zero-Day
Interlock ransomware exploited a CVSS 10.0 zero-day in Cisco Firepower Management Center for 36 days before Cisco issued a patch, gaining root-level control of the platform that manages enterprise firewall policy, segmentation, and VPN configurations. Cisco patched the vulnerability on 4 March 2026. Any organisation running FMC with network-accessible management interfaces should treat the February period as a potential compromise window.
DarkSword: State-Grade iOS/macOS Exploit Chain Now Actively Targeting Enterprise Devices
The DarkSword exploit framework chains six Apple vulnerabilities to take full control of any iPhone, iPad, Mac, Apple Watch, or Apple TV with no user interaction beyond loading a webpage. CISA confirmed active exploitation on 20 March and mandated federal patching by 3 April. Three of the six chain components are now in CISA's Known Exploited Vulnerabilities catalogue — exploitation requires only that a user visits a malicious link.
China-Nexus Actors Exploited Dell Backup Appliances for Over a Year — Patch and Hunt Required
A CVSS 10.0 vulnerability in Dell RecoverPoint disaster recovery appliances was exploited by a Chinese state-linked threat group for over 12 months before public disclosure, enabling backdoor deployment and potential access to replicated data. CISA ordered federal remediation in February. Organisations running Dell RecoverPoint must patch immediately and investigate for prior compromise.