📌 Executive Summary
- A critical VMware ESXi RCE vulnerability (CVE-2026-21985) is being actively exploited by ransomware operators targeting virtualization infrastructure.
- BlackSuit ransomware group claims breach of a major U.S. healthcare system, threatening to release patient records.
- CISA adds 3 new CVEs to the Known Exploited Vulnerabilities catalog, including Fortinet FortiOS and Cisco IOS XE flaws.
- Microsoft patches Windows kernel zero-day (CVE-2026-1723) used in targeted attacks against government entities.
- New phishing kit “PhishRelay” enables real-time MFA bypass targeting financial services employees.
🔴 Top Threats Today
1. VMware ESXi Remote Code Execution – Active Exploitation
Severity: ● Critical | Affected: Healthcare, Finance, Technology
A critical remote code execution vulnerability in VMware ESXi (CVE-2026-21985, CVSS 9.8) is being actively exploited by at least two ransomware groups. The flaw allows unauthenticated attackers to execute arbitrary code on ESXi hosts via a crafted network packet targeting the OpenSLP service.
⚡ Recommended Action
- Apply VMware patch VMSA-2026-0004 immediately.
- If patching is not possible within 24 hours, disable the OpenSLP service on all ESXi hosts as a temporary mitigation.
- Monitor ESXi host logs for signs of exploitation or lateral movement.
2. BlackSuit Ransomware Claims Healthcare Breach
Severity: ● High | Affected: Healthcare
The BlackSuit ransomware group has posted a claim on its dark web leak site alleging a breach of a major U.S. healthcare system with over 200 facilities. The group claims to have exfiltrated approximately 2.3 TB of data, including patient medical records.
⚡ Recommended Action
- Healthcare organizations should verify their backup systems and incident response plans.
- Review indicators of compromise associated with BlackSuit.
- Ensure network segmentation between clinical and administrative systems.
3. PhishRelay – Real-Time MFA Bypass Kit
Severity: ● High | Affected: Finance
Security researchers have identified a new phishing-as-a-service toolkit dubbed “PhishRelay” that enables real-time interception and relay of multi-factor authentication tokens targeting financial institutions.
⚡ Recommended Action
- Transition from SMS/TOTP-based MFA to phishing-resistant methods (FIDO2, hardware keys).
- Implement client certificate-based authentication for high-value applications.
- Deploy browser isolation for accessing sensitive web applications.
✅ Today’s Action Checklist
- ☐ URGENT: Patch or mitigate VMware ESXi CVE-2026-21985 on all hosts.
- ☐ Review CISA KEV additions and cross-reference with your asset inventory.
- ☐ Verify Windows Server systems are patched for CVE-2026-1723.
- ☐ Check Fortinet FortiOS deployments for CVE-2026-0891 exposure.
- ☐ Brief security team on PhishRelay MFA bypass technique.
- ☐ Healthcare organizations: Review BlackSuit IOCs and verify backup integrity.
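As an added example (not part of this digest or of CISA's tooling), a small Python script that performs the KEV cross-reference from the checklist: it matches catalog entries against an asset inventory export and lists ransomware-used entries first. The field names follow CISA's published KEV JSON feed; the feed records, the Cisco placeholder CVE ID, the ransomware flags and the inventory rows are constructed sample data.

```python
"""Cross-reference CISA KEV entries against an asset inventory (added example)."""
import csv
import io
import json

# Constructed sample in the layout of CISA's KEV JSON feed. CVE IDs come from
# the digest; the Cisco entry's ID is a placeholder and the ransomware-use
# flags are illustrative, not taken from the real catalog.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21985", "vendorProject": "VMware", "product": "ESXi",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-0891", "vendorProject": "Fortinet", "product": "FortiOS",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-1723", "vendorProject": "Microsoft", "product": "Windows",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-XXXXX", "vendorProject": "Cisco", "product": "IOS XE",
     "knownRansomwareCampaignUse": "Unknown"},  # placeholder ID
]})

# Constructed asset inventory export (one row per host or appliance).
INVENTORY_CSV = """asset,vendor,product,version
esx-01,VMware,ESXi,8.0
esx-02,vmware,esxi,7.0
fw-edge-1,Fortinet,FortiOS,7.4
dc-01,Microsoft,Windows Server,2022
web-01,Canonical,Ubuntu,22.04
"""


def _norm(s: str) -> str:
    """Lower-case and collapse whitespace so vendor/product names compare loosely."""
    return " ".join(s.lower().split())


def kev_exposure(kev_json: str, inventory_csv: str) -> list[dict]:
    """Return one row per (KEV entry, matching asset), ransomware-used entries first.

    An entry matches an asset when the vendors agree (case-insensitive) and the
    KEV product name is contained in the asset's product name, so "Windows"
    matches "Windows Server" while "IOS XE" matches nothing in this inventory.
    """
    entries = json.loads(kev_json)["vulnerabilities"]
    assets = list(csv.DictReader(io.StringIO(inventory_csv)))
    hits = []
    for e in entries:
        for a in assets:
            if (_norm(e["vendorProject"]) == _norm(a["vendor"])
                    and _norm(e["product"]) in _norm(a["product"])):
                hits.append({"cve": e["cveID"], "asset": a["asset"],
                             "product": f'{a["product"]} {a["version"]}',
                             "ransomware": e.get("knownRansomwareCampaignUse") == "Known"})
    hits.sort(key=lambda h: (not h["ransomware"], h["cve"], h["asset"]))
    return hits


if __name__ == "__main__":
    for h in kev_exposure(KEV_FEED, INVENTORY_CSV):
        print(f'{h["cve"]:16} {h["asset"]:10} {h["product"]:20} '
              f'{"RANSOMWARE" if h["ransomware"] else "-"}')
```

Point `KEV_FEED` at the downloaded catalog and `INVENTORY_CSV` at a real export to produce the same report for your own estate.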