Cyber Threat Brief — March 30 2026
⚠️ This report is AI-generated. Always validate findings.
No new threats meeting all triage gates (24-hour disclosure, actionable artifacts, identifiable log sources) were identified today. All candidates evaluated are documented in the audit ledger.
Status Updates
- CVE-2025-53521 (F5 BIG-IP APM): CISA KEV federal remediation deadline is today (March 30). UNC5221 BRICKSTORM exploitation ongoing via HTTP/2-to-WebSocket C2. Patch to 17.1.0.4/16.1.4.3/15.1.10.2 immediately. CISA/NSA MAR YARA rules available. March 28 brief.
- CVE-2026-4681 (PTC Windchill): Still no patch available as of March 26 PTC update. CVSS 10.0 pre-auth Java deserialization RCE. Apply Apache/IIS servlet path deny rules now. Monitor for GW.class, payload.bin, dpr_*.jsp on servers. March 27 brief.
- CVE-2026-3055 (Citrix NetScaler): Active /cgi/GetAuthMethods SAML IdP fingerprinting continues per Defused Cyber and watchTowr honeypots. No confirmed memory overread exploitation yet. Exploitation historically follows recon rapidly for NetScaler. Patch 14.1-66.59+ / 13.1-62.23+. March 29 brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing since January 26. Public PoC available. No new artifacts. CISA KEV deadline passed March 22. March 19 brief.
- CVE-2026-33017 (Langflow): Exploitation ongoing per Sysdig. CISA KEV federal deadline April 8. No new IOCs. March 21 brief.
- TeamPCP supply chain (Trivy/litellm/Telnyx): No new ecosystem compromises since Telnyx (March 27). Monitor for cascading token theft into additional PyPI packages. March 29 brief.
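
The file-name check from the CVE-2026-4681 item, as an added example (not part of the original brief or any vendor tooling): a Python sweep that walks a directory tree for the three names listed there and records modification time and SHA-256 for triage. The root directory to scan is an assumption that depends on the installation, and a hit is a lead for review rather than proof of compromise.

```python
import fnmatch
import hashlib
import os
import sys
from datetime import datetime, timezone

# File-name indicators quoted in the CVE-2026-4681 item of this brief.
INDICATOR_PATTERNS = ("GW.class", "payload.bin", "dpr_*.jsp")


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root):
    """Return sorted (path, pattern, mtime_utc, sha256) tuples for hits under root."""
    hits = []
    # onerror skips unreadable directories instead of aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            for pattern in INDICATOR_PATTERNS:
                # Compare lower-cased so the match is case-insensitive on every OS.
                if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                    full = os.path.join(dirpath, name)
                    try:
                        mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
                        hits.append((full, pattern, mtime.isoformat(), sha256_of(full)))
                    except OSError:
                        # File vanished or is unreadable: still report the name.
                        hits.append((full, pattern, None, None))
                    break
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python sweep.py <directory to scan> (site-specific, an assumption here)
    for path, pattern, mtime, digest in sweep(sys.argv[1]):
        print(f"{mtime}\t{pattern}\t{digest}\t{path}")
```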