Cybershorts | Top 5 Cybersecurity Alerts

You may or may not know

CYBERSHORT #1 | Weaver OA RCE Flaw Exploited Since March

A CVSS 9.8 unauthenticated remote code execution flaw in Weaver E-cology, a widely used enterprise office automation platform, has been under active exploitation since March 17. Attackers craft POST requests to an exposed debug endpoint to execute arbitrary commands. The Shadowserver Foundation confirmed active exploitation by March 31. Patches shipped on March 12. If you have not applied them, someone else has already applied the exploit.

St. Fox Take

A debug endpoint. In production. Exposed to the internet. If your OA platform has never had a security review, this is the quiet signal that it is overdue.

May 4, 2026 | The Hacker News

CYBERSHORT #2 | MOVEit Automation Auth Bypass; 1,400 Instances Exposed

Progress Software patched CVE-2026-4670, a CVSS 9.8 authentication bypass in MOVEit Automation used by over 3,000 enterprise organisations. Remote attackers can bypass auth on the service backend command port with no credentials and minimal effort. A second flaw, CVE-2026-5174, enables privilege escalation on the same systems. Over 1,400 instances are internet-facing. A dozen are tied to US state and local government agencies.

St. Fox Take

MOVEit keeps showing up on these lists. Clop proved what attackers do with MFT flaws. Patch now. Verify all instances are patched. Then check your file transfer architecture.

May 4, 2026 | Bleeping Computer

CYBERSHORT #3 | Trellix Source Code Repository Breached

Cybersecurity vendor Trellix confirmed unauthorised access to a portion of its source code repository. The company notified law enforcement and engaged forensic experts. No evidence of exploitation has been found so far. Trellix says its code release and distribution process was not affected. The company has not disclosed how long attackers had access, or who was responsible.

St. Fox Take

A security vendor's source code in attacker hands is a roadmap. No exploitation found yet does not mean the research has not started. Watch for targeted Trellix product exploits over the next 90 days.

May 3, 2026 | The Hacker News

CYBERSHORT #4 | Microsoft AiTM Phishing Hit 35,000 Users Globally

Between April 14 and 16, a credential theft campaign targeted 35,000 users across 13,000 organisations in 26 countries. Attackers used code-of-conduct-themed lures routed through legitimate email services, then harvested Microsoft credentials and session tokens in real time using adversary-in-the-middle techniques. MFA was bypassed entirely. Healthcare, financial services, and tech firms were the primary targets. 92% of victims were in the US.

St. Fox Take

MFA bypassed. Tokens stolen in real time. The phishing kit did the heavy lifting. Conditional access policies and phishing-resistant MFA are no longer optional in high-value environments.

May 3, 2026 | The Hacker News

CYBERSHORT #5 | GitHub RCE via Single git push Command

A CVSS 8.7 command injection flaw in GitHub allowed an authenticated user with push access to execute arbitrary code on backend infrastructure with a single git push. Unsanitised push options were injected into internal service headers, bypassing sandbox protections. On GitHub.com, the flaw enabled cross-tenant exposure across shared storage nodes. 88% of Enterprise Server instances were vulnerable at the time of disclosure. GitHub patched GitHub.com within two hours of receiving the Wiz report.

St. Fox Take

A git push that reads other organisations' private repositories. This one was patched fast, but it shows the blast radius when shared infrastructure gets hit. Update your Enterprise Server instances now.

April 28, 2026 | The Hacker News