Executive Summary
- Adobe Reader CVE-2026-34621 (CVSS 8.6) and Marimo pre-auth RCE actively exploited in the wild; immediate patching required
- CPUID.com supply-chain compromise distributed STX RAT via trojanized CPU-Z and HWMonitor for 24 hours; affected users need forensic review
- Russian state actors harvesting Microsoft Office authentication tokens via exploited router vulnerabilities; enterprise credential compromise likely
- Iranian-linked APT targeting 4,000+ exposed U.S. industrial control systems (Rockwell Automation PLCs); critical infrastructure at elevated risk
- GlassWorm campaign evolved with Zig dropper targeting developer IDEs; software supply-chain risk expanding
Top Threats Today
1. Adobe Reader Zero-Day Active Exploitation (CVE-2026-34621)
Severity: Critical Affected: Technology
Adobe has released emergency patches for a critical vulnerability (CVSS 8.6) in Acrobat Reader that is currently under active exploitation. Successful exploitation allows arbitrary code execution. The vulnerability had been exploited for months before a patch was available.
Recommended Action
- Deploy Adobe Reader patches immediately across all endpoints; treat as critical priority
- Check endpoint detection and response (EDR) logs for suspicious PDF activity in past 90 days
- Consider temporarily disabling PDF opening in email clients until full patch deployment confirmed
2. CPUID Supply-Chain Compromise – STX RAT Distribution
Severity: Critical Affected: Technology
Unknown threat actors compromised CPUID.com and distributed trojanized versions of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor containing the STX remote access trojan for approximately 24 hours. Any user who downloaded these tools during the compromise window has likely been infected with RAT malware.
Recommended Action
- Issue organization-wide alert to identify any downloads of affected CPUID tools in past 30 days
- Initiate forensic investigation and reimaging of any affected systems; assume RAT presence
- Review network traffic logs for C2 beaconing and suspicious outbound connections from affected hosts
- Force password resets for any user who accessed sensitive systems from affected machines
3. Russian APT – Router-Based Microsoft Office Token Theft
Severity: Critical Affected: Government, Finance
Russian military intelligence-linked hackers are exploiting known vulnerabilities in older internet routers to mass harvest authentication tokens from Microsoft Office users. This campaign allows attackers to maintain persistent access to Office 365 and other Microsoft services without user interaction.
Recommended Action
- Audit all network routers for known vulnerabilities; prioritize patching or replacement of end-of-life models
- Implement conditional access policies requiring MFA for all Office 365 access, with focus on impossible travel detection
- Hunt for suspicious token usage patterns in Office 365 audit logs; look for anomalous login locations and IP addresses
- Consider blocking legacy authentication protocols and enforcing modern OAuth2 flows
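One way to run the token-usage hunt above as an impossible-travel check over Unified Audit Log sign-in records (an added example, not part of the brief; the JSON lines are constructed, the `Geo` field is assumed to come from an upstream IP-geolocation step, and the 900 km/h threshold is an assumption):

```python
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample of Office 365 Unified Audit Log sign-in records (JSON lines); "Geo" is
# assumed to be added by an upstream IP-geolocation step, real records carry only ClientIP.
SAMPLE_LOG = """\
{"CreationTime":"2026-04-21T09:00:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.10","Geo":{"city":"London","lat":51.5074,"lon":-0.1278}}
{"CreationTime":"2026-04-21T10:30:00","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.7","Geo":{"city":"Singapore","lat":1.3521,"lon":103.8198}}
{"CreationTime":"2026-04-21T08:00:00","UserId":"bob@example.com","Operation":"UserLoggedIn","ClientIP":"192.0.2.44","Geo":{"city":"New York","lat":40.7128,"lon":-74.0060}}
{"CreationTime":"2026-04-21T12:00:00","UserId":"bob@example.com","Operation":"UserLoggedIn","ClientIP":"192.0.2.91","Geo":{"city":"Boston","lat":42.3601,"lon":-71.0589}}
{"CreationTime":"2026-04-21T12:05:00","UserId":"bob@example.com","Operation":"FileAccessed","ClientIP":"192.0.2.91","Geo":{"city":"Boston","lat":42.3601,"lon":-71.0589}}
"""

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than an airliner, so the "travel" cannot be real

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in kilometres between two lat/lon points.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_sign_ins(text):
    # Keep only UserLoggedIn records (other operations are not sign-ins) and parse timestamps.
    events = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        if rec.get("Operation") == "UserLoggedIn":
            rec["time"] = datetime.fromisoformat(rec["CreationTime"])
            events.append(rec)
    return events

def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    # Flag consecutive sign-ins by one user whose implied ground speed is impossible.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["UserId"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            g1, g2 = prev["Geo"], cur["Geo"]
            km = haversine_km(g1["lat"], g1["lon"], g2["lat"], g2["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            # identical timestamps from two distant places are still impossible travel
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": g1["city"], "to": g2["city"],
                               "ips": (prev["ClientIP"], cur["ClientIP"]), "speed_kmh": round(speed, 1)})
    return alerts
```

Each alert names the user, both cities and both client IPs, which is what an analyst needs to pivot into the token and refresh-token activity for that account.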
4. Iranian APT – 4,000+ U.S. Industrial Control Systems Exposed
Severity: Critical Affected: Energy, Manufacturing, Defense
Iranian-linked cyber actors are actively targeting nearly 4,000 internet-exposed Rockwell Automation programmable logic controllers (PLCs) in U.S. critical infrastructure networks. This represents a direct threat to water systems, power generation, and manufacturing facilities.
Recommended Action
- Immediately audit all OT/ICS environments for exposed PLCs; air-gap any critical systems if exposure confirmed
- Deploy network segmentation and zero-trust access controls around all industrial control systems
- Patch Rockwell Automation systems to latest versions; prioritize any systems accessible from untrusted networks
- Establish 24/7 monitoring for ICS anomalies and implement aggressive rate-limiting on PLC access ports
5. GlassWorm Campaign – Zig Dropper Targeting Developer IDEs
Severity: High Affected: Technology, Finance
An evolved variant of the GlassWorm campaign employs a new Zig-based dropper designed to stealthily compromise all integrated development environments on a developer’s machine. The dropper was discovered in Open VSX extensions, extending the software supply-chain risk.
Recommended Action
- Audit all IDE extensions (VSCode, IntelliJ, etc.) for suspicious or unknown extensions; remove any untrusted packages
- Review Open VSX and other extension marketplace accounts for unauthorized activity
- Monitor developer workstations for unusual file creation/modification in IDE configuration directories
- Implement endpoint detection rules to flag Zig compiler activity in IDE contexts
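A way to carry out the extension audit above for VS Code-style extension directories (an added example, not from the brief or the GlassWorm research; the allowlist and the sample extension tree are constructed, and the layout assumed is `<extensions dir>/<publisher>.<name>-<version>/package.json` as VS Code and Open VSX clients use):

```python
import json
import tempfile
from pathlib import Path

# Assumed allowlist of publisher.name identifiers approved for developer workstations.
ALLOWED_EXTENSIONS = {"ms-python.python", "redhat.java"}

def inventory_extensions(ext_root):
    # Read each <ext_root>/*/package.json and return {publisher.name: details}.
    found = {}
    for pkg in sorted(Path(ext_root).glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # an unreadable manifest is itself worth a look
            found[pkg.parent.name] = {"error": "unreadable package.json", "path": str(pkg.parent)}
            continue
        ext_id = f'{meta.get("publisher", "?")}.{meta.get("name", "?")}'.lower()
        found[ext_id] = {"version": meta.get("version"), "path": str(pkg.parent),
                         "activation": meta.get("activationEvents", [])}
    return found

def audit_extensions(installed, allowed=ALLOWED_EXTENSIONS):
    # Return [(ext_id, [reasons])] for extensions that need review.
    findings = []
    for ext_id, info in installed.items():
        reasons = []
        if ext_id not in allowed:
            reasons.append("not on allowlist")
        if "*" in info.get("activation", []):
            reasons.append("activates on every startup ('*')")  # runs code before any file is opened
        if "error" in info:
            reasons.append(info["error"])
        if reasons:
            findings.append((ext_id, reasons))
    return findings

def build_sample_tree():
    # Constructed stand-in for ~/.vscode/extensions so the audit runs offline.
    root = Path(tempfile.mkdtemp())
    samples = {
        "ms-python.python-2024.4.1": {"publisher": "ms-python", "name": "python", "version": "2024.4.1"},
        "unknown-pub.helper-0.0.1": {"publisher": "unknown-pub", "name": "helper", "version": "0.0.1",
                                     "activationEvents": ["*"]},
    }
    for folder, meta in samples.items():
        d = root / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return root
```

On a real workstation, point `inventory_extensions` at the user's extensions directory and feed the findings into the removal step; the startup-activation flag is a triage signal, not proof of malice.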
Today’s Action Checklist
- ☐ URGENT: Deploy Adobe Reader CVE-2026-34621 patches to all endpoints today
- ☐ URGENT: Search organization for CPUID tool downloads; isolate and reimage affected systems
- ☐ URGENT: Audit network routers for known vulnerabilities; create remediation timeline for end-of-life devices
- ☐ URGENT: Scan all ICS/OT environments for exposed Rockwell PLCs; implement emergency segmentation if found
- ☐ HIGH: Enable MFA on all Office 365 accounts; deploy conditional access policies for impossible travel
- ☐ HIGH: Review developer workstations and IDE extensions; remove suspicious packages
- ☐ HIGH: Brief executive leadership on Russian token theft and Iranian ICS targeting campaigns
- ☐ MEDIUM: Review CISA KEV database for any known vulnerabilities in your environment; prioritize patching based on active exploitation indicators