The Cybersecurity and Infrastructure Security Agency (CISA) has seen evidence of active exploitation of a nine-year-old flaw in Hikvision cameras and a five-year-old flaw in Rockwell Automation Logix controllers. CVE-2017-7921, CVSS score 10.0, allows an attacker to escalate privileges due to improper authentication in seven Hikvision products. In a September 2025 SANS Internet Storm Center diary, Dr. Johannes Ullrich observed possible brute-forcing attacks targeting Hikvision cameras vulnerable to CVE-2017-7921, also noting that the flaw "is supposed to be some kind of backdoor (Hikvision's description of it as 'privilege escalation' was considered euphemistic at the time)." CVE-2021-22681, CVSS score 9.8, allows a remote unauthenticated attacker to authenticate to Logix controllers and possibly change their configuration and/or application code by recovering an improperly protected key and bypassing the verification mechanism. This flaw affects Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20, which communicate with ranges of CompactLogix, ControlLogix, DriveLogix, Compact GuardLogix, GuardLogix, and SoftLogix controllers. Hikvision users should update their devices with the correct firmware, and Rockwell users should consult the mitigation table in the advisory to take the appropriate actions; updates alone are not sufficient to protect the controllers, so the advisory's network-level mitigations still apply. Federal Civilian Executive Branch (FCEB) agencies are required to address these flaws by March 26, 2026.
Hikvision
Rockwell
SANS ISC
SecurityWeek
The Hacker News
Heise
Three patched flaws in Apple products have been added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV) following a threat intelligence report from Google that describes campaigns targeting iOS 13.0 through iOS 17.2.1 with a "comprehensive collection" of exploits. In February 2025, Google Threat Intelligence Group (GTIG) discovered a JavaScript framework that fingerprinted devices and loaded the matching iOS exploits, including a zero-day patched the previous year, used by a customer of a surveillance company. In July, GTIG observed the framework again delivering the same exploits in a watering hole attack on Ukrainian websites, and in December, GTIG was able to collect and analyze a debug version of the complete kit from scam websites hosted in China, finding that internal documentation calls the kit "Coruna." GTIG identified five full exploit chains and 23 exploits in total in Coruna. Three of the vulnerabilities the kit exploits must be patched by federal agencies by March 26, 2026, per the CISA KEV. CVE-2021-30952 is an integer overflow vulnerability allowing arbitrary code execution, and CVE-2023-43000 is a use-after-free issue allowing memory corruption; both affect multiple Apple products and carry CVSS score 8.8. CVE-2023-41974 is a use-after-free issue allowing arbitrary code execution with kernel privileges in iOS and iPadOS, carrying CVSS score 7.8. GTIG provides indicators of compromise (IoCs), and CISA recommends users "apply mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Well, let's hope that this spurs action by federal agencies. Vulnerabilities that are 3-5 years old shouldn't be a concern; they should have already been patched. If not, it speaks volumes about their patch management process and lack of a standard duty of care.
The FBI is investigating suspicious activity on its Digital Collection System Network, which is used for managing wiretaps and foreign intelligence surveillance warrants. The FBI began investigating anomalous log information on February 17. In a notification letter sent to US legislators and obtained by The Associated Press, the FBI writes: "The affected system is unclassified and contains law enforcement sensitive information, including returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations." The letter also said that the intruder appears to have gained access to the system through an internet service provider (ISP) that is an agency vendor. In a statement on Thursday, March 5, the FBI said they had "identified and addressed suspicious activities on FBI networks, and ... leveraged all technical capabilities to respond." It is unclear whether this incident is related to Salt Typhoon activity. The incident was first reported by CNN.

Not enough information on this one for any meaningful comment, but it made me realize how long it has been since I’ve seen a compromise blamed on an “Advanced Persistent Threat (APT)” — a good thing, since APT usually meant, “an attack we could have stopped but didn’t, and once it got through we should have noticed faster, but didn’t…”
CNN
AP News
Nextgov/FCW
The Record
BleepingComputer
SecurityWeek
During a March 5, 2026 security review of user-authored code on Wikimedia projects, staff accidentally activated a "dormant" JavaScript worm that attempted to propagate through personal and global common.js files and edit random wiki pages. In the 23 minutes that the code was active, "approximately 3,996 pages were modified, and around 85 users had their common.js files replaced," according to BleepingComputer, but the Wikimedia Foundation has stated that only pages on Meta-Wiki, a wiki for project coordination and discussion, were affected. In response, administrators temporarily set all Wikimedia projects to read-only for about two hours and disabled all user JavaScript for most of the day; both have now been re-enabled, and the malicious script has been removed. The Foundation states that "affected pages have since been restored, and we believe no permanent damage has occurred as a result of this code. [...] We are actively developing further security mitigations for user JavaScript in consultation with the community."

Just as bomb defusing procedures should never say "Cut the red wire AFTER you cut the blue wire…", the instructions for malicious code analysis should be clear about how to ensure the code is not executed in an operational environment.
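The safe way to review suspect user scripts of the kind described above is to inspect them as text and never load them into a browser session that holds edit rights. The following is an added example, not Wikimedia's code or the worm itself: a small static scanner that classifies MediaWiki user JavaScript by the indicators the summary describes, a write through the API to another user's common.js (the propagation vector) or to random pages. The indicator patterns, verdict names, and the four sample scripts are constructed for illustration; the MediaWiki calls they imitate (`mw.Api().postWithToken('csrf', {action: 'edit', ...})`, `importScript`, `list: 'random'`) are real API shapes, but legitimate gadgets use some of them too, so every hit needs a human reviewer.

```python
"""Static triage of MediaWiki user JavaScript. Added example; inspects text only."""
import re

# Indicator patterns (assumptions written for this example, not a Wikimedia rule set).
EDIT_CALL = re.compile(r"""['"]?action['"]?\s*:\s*['"]edit['"]|[?&]action=edit""")
TOKEN_POST = re.compile(r"""postWithToken\s*\(\s*['"]csrf['"]""")
COMMON_JS_TARGET = re.compile(r"""common\.js\b""")
RANDOM_PAGES = re.compile(r"""list\s*[:=]\s*['"]random['"]|Special:Random""")
LOADS_CODE = re.compile(r"""\b(?:importScript|eval|Function)\s*\(|mw\.loader\.load\s*\(""")


def scan_user_js(source: str) -> dict:
    """Classify one script from its text alone; the source is never evaluated."""
    writes = bool(EDIT_CALL.search(source) or TOKEN_POST.search(source))
    hits_common_js = bool(COMMON_JS_TARGET.search(source))
    hits_random = bool(RANDOM_PAGES.search(source))
    loads_code = bool(LOADS_CODE.search(source))
    if writes and hits_common_js:
        verdict = "worm-like"    # writes into a common.js page: self-propagation vector
    elif writes and hits_random:
        verdict = "mass-edit"    # enumerates random pages and edits them
    elif writes or loads_code:
        verdict = "review"       # edits or pulls in code; could be a legitimate gadget
    else:
        verdict = "clean"
    return {"verdict": verdict, "writes": writes, "targets_common_js": hits_common_js,
            "random_pages": hits_random, "loads_code": loads_code}


def scan_all(scripts: dict) -> dict:
    """Map script name -> verdict for a batch of sources."""
    return {name: scan_user_js(src)["verdict"] for name, src in scripts.items()}


# Constructed samples: what a propagating script, a mass editor, a gadget and
# pure styling look like. None of this is the real Wikimedia worm.
SAMPLES = {
    "propagate": r"""
var api = new mw.Api();
api.get({action: 'query', list: 'allusers', aulimit: 50}).then(function (d) {
  d.query.allusers.forEach(function (u) {
    api.postWithToken('csrf', {action: 'edit', title: 'User:' + u.name + '/common.js',
                               text: document.currentScript.text});
  });
});
""",
    "mass_edit": r"""
var api = new mw.Api();
api.get({action: 'query', list: 'random', rnnamespace: 0, rnlimit: 10}).then(function (d) {
  d.query.random.forEach(function (p) {
    api.postWithToken('csrf', {action: 'edit', title: p.title, appendtext: '\n{{stub}}'});
  });
});
""",
    "gadget": "importScript('User:Example/watchlist-helper.js');",
    "styling": "$('#content').css('font-family', 'serif');",
}

if __name__ == "__main__":
    for name, verdict in scan_all(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```

Run it on a dump of common.js pages before anyone opens them in a logged-in browser; the "worm-like" bucket is the one to quarantine first, and "review" is where reviewers spend their time.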
The FBI's Internet Crime Complaint Center (IC3) has published an alert warning of a phishing scheme that involves the impersonation of city and county officials fraudulently seeking payment for planning and zoning permits. The cybercriminals target businesses and individuals with active permit applications. The communications reference permit information, zoning application numbers, and/or property addresses, and demand the fees be paid through wire transfer, peer-to-peer payment, or cryptocurrency. The scheme has affected individuals across the country. Individuals and businesses are urged to use caution when receiving such communication. Ensure that the email address is coming from the appropriate domain, that it matches the email address used in prior communications, and that it does not contain misspellings or extraneous information, and call the city at the number on their official website to verify outstanding fees. IC3 also asks any victims of this scheme to file a complaint at www.ic3.gov.
Never underestimate the ingenuity of an evildoer. With state and local governments, most information is publicly available. The most telling flaw in the scheme is the choice of payment methods, but I guess if you’re rattled enough, you overlook the obvious. A good security precaution is to always take the time to stop and think before acting on any email that asks for payment.
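The IC3 checklist in the item above (right domain, same address as earlier correspondence, no misspellings or padding, suspicious payment channel) is mechanical enough to script. This is an added example, not from the IC3 alert: it takes a From header and a message body, compares the sender's domain to an assumed official domain and to an assumed list of previously verified contacts, flags lookalike and non-ASCII domains, and flags the payment methods the alert names. The official domain, prior contacts, and messages are constructed; the 0.8 similarity threshold is a tuning choice, not a standard.

```python
"""Sender sanity check for a payment demand. Added example with constructed data."""
import difflib
import re
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"planning.exampletown.gov"}          # assumed official domain
PRIOR_CONTACTS = {"permits@planning.exampletown.gov"}    # assumed verified earlier contact
# Payment channels the IC3 alert calls out; legitimate permit fees go through the
# office's counter or portal, not these.
SUSPECT_PAYMENT = re.compile(
    r"\b(wire transfer|zelle|venmo|cash ?app|paypal|bitcoin|crypto\w*|gift cards?)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def looks_like(domain: str, official: str) -> bool:
    """Near-miss of the official domain: typo, swapped separator, or the official
    name embedded in a longer attacker-owned domain. Subdomains of the official
    domain are not near-misses; an outsider cannot register those."""
    if domain == official or domain.endswith("." + official):
        return False
    if official in domain:
        return True
    return difflib.SequenceMatcher(None, domain, official).ratio() >= 0.8


def assess(from_header: str, body: str) -> dict:
    """Return reason codes and a verdict: 'consistent' or 'call_office'."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = domain_of(addr)
    reasons = []
    if domain in OFFICIAL_DOMAINS:
        reasons.append("official_domain")
    elif any(domain.endswith("." + d) for d in OFFICIAL_DOMAINS):
        reasons.append("official_subdomain")
    elif not domain.isascii() or "xn--" in domain:
        reasons.append("nonascii_domain")      # homoglyph / punycode lookalike
    elif any(looks_like(domain, d) for d in OFFICIAL_DOMAINS):
        reasons.append("lookalike_domain")
    else:
        reasons.append("unknown_domain")
    reasons.append("known_contact" if addr in PRIOR_CONTACTS else "unknown_contact")
    if SUSPECT_PAYMENT.search(body):
        reasons.append("suspect_payment_method")
    red_flags = {"nonascii_domain", "lookalike_domain", "unknown_domain",
                 "unknown_contact", "suspect_payment_method"}
    verdict = "call_office" if red_flags & set(reasons) else "consistent"
    return {"sender": addr, "domain": domain, "reasons": reasons, "verdict": verdict}


# Constructed messages: one matching earlier correspondence, one with a hyphen
# swapped for a dot, one with a Cyrillic 'o' (U+043E), one from an unrelated domain.
MESSAGES = [
    ("Permits Office <permits@planning.exampletown.gov>",
     "Your zoning application fee is payable at the counter or through the portal."),
    ("Permits Office <permits@planning-exampletown.gov>",
     "Pay the $450 zoning fee today via Zelle to avoid denial of application Z-1042."),
    ("Permits <permits@planning.examplet\u043ewn.gov>",
     "Outstanding permit balance: send bitcoin to the address below."),
    ("billing@fastpermitpay.com",
     "Wire transfer required for permit release at 14 Elm St."),
]

if __name__ == "__main__":
    for hdr, body in MESSAGES:
        r = assess(hdr, body)
        print(f"{r['verdict']:12s} {r['sender']:40s} {', '.join(r['reasons'])}")
```

Anything other than "consistent" means picking up the phone and calling the number on the office's own website, which is the alert's advice regardless of what the header looks like.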
Smart electric vehicle (EV) charger manufacturer ELECQ is warning customers that their personal data may have been compromised in a ransomware attack. In a notification sent to customers on Monday, March 9 and seen by The Register, ELECQ says the company noticed "unusual activity" on its AWS platform on Saturday, March 7. An investigation revealed that the company had suffered a ransomware attack. Some company databases were copied prior to being encrypted. The stolen data include names, email addresses, physical addresses, and phone numbers. ELECQ has taken affected servers offline and is restoring systems from backups. The company has taken additional measures to improve security, including shutting down remote access services like Telnet and SSH, and improving encryption. ELECQ has brought in third-party specialists to conduct a forensic investigation and look for additional vulnerabilities. The company has also notified regulators, including the UK's Information Commissioner's Office and Germany's Federal Commissioner for Data Protection and Freedom of Information.
Regarding the ransomware event… wash, rinse, repeat. Every company today that offers products/services is retaining user information via their app (requires an account). Until they make cybersecurity a cornerstone of their business operations, the trend will continue.
Ericsson Inc. has sent notification letters to an undisclosed number of individuals to inform them that their personal information was compromised in a cyberattack on one of the company's service providers. Ericsson Inc. is the US subsidiary of the Swedish networking and telecommunications company. The breach affects both customers and employees. According to the letter filed with the California Attorney General, the service provider "became aware of a suspicious event" on April 28, 2025; at that time, the provider notified the FBI of the incident and implemented security enhancements. A subsequent investigation determined that intruders had access to the systems between April 17 and 22, 2025. A third-party specialist conducted a comprehensive review of the compromised data, and that investigation was completed on February 23, 2026.
BleepingComputer
California OAG
Possible customer negligence does not exempt banks from immediately refunding unauthorized transactions, such as in phishing scams, according to Advocate General Athanasios Rantos, who issued this Opinion to the Court of Justice of the European Union (CJEU) on March 5, 2026. Rantos is commenting on the case of a Polish phishing victim whose bank refused to refund her unauthorized payment because the bank believed she "had been grossly negligent in disclosing her bank details" to the fraudulent site. Under EU law, unless the bank suspects customer fraud, the first step for a payment service provider must always be to refund the transaction, contends Rantos. Afterward, however, if the bank provides evidence establishing failure or gross negligence by the customer in their obligations to protect their own data, the customer may be required to bear the losses or enter litigation with the bank. Rantos's formal Opinion represents a legal recommendation, but the CJEU must still make a final ruling.
That’s a pretty high bar the AG opinion has set for financial institutions. Rightly or wrongly, the user has to bear some responsibility for phishing attacks. Security controls are not currently sufficient when the user gives away key information, banking credentials in this case. Let’s hope the Court of Justice has a different final ruling in this matter.
When the US National Institute of Standards and Technology (NIST) announced in January that it was starting the fourth revision of its OT Security Guidance, the agency sought input from private sector companies and others. The most recent version of the guidance, also known as Special Publication 800-82, was published in September 2023. Three major vendors — Dragos, Claroty, and Armis — shared their NIST input with Gov Infosecurity parent company Information Security Media Group (ISMG). All three asked "for more detailed, specific guidance for OT owners and operators, especially on issues like vulnerability management." Dragos Vice President of Public Policy and Government Affairs Kate Diemidio noted that "The more granular and specific these frameworks and guidelines can get, the more helpful it is." The feedback also called for "more sector-specific guidance for emerging OT verticals like smart building management and distributed energy systems, such as electric vehicle charging networks." The vendors also voiced agreement with NIST's proposal to move some appendices online and make them "dynamic web resources." Claroty's comments urge NIST to "emphasize the importance of vendor transparency regarding patch validation," and to encourage vendors to issue disclosures in machine-readable formats "that map specific fixes to specific hardware/firmware variations."
SANS Internet Storm Center StormCast Tuesday, March 10, 2026
Encrypted Client Hello; ExifTool Vulnerability; Remote code execution in Nextcloud Flow
https://isc.sans.edu/podcastdetail/9842
Encrypted Client Hello: Ready for Prime Time?
https://isc.sans.edu/diary/Encrypted+Client+Hello+Ready+for+Prime+Time/32778
The ExifTool vulnerability: how an image can infect macOS systems
https://www.kaspersky.com/blog/exiftool-macos-picture-vulnerability-mitigation-cve-2026-3102/55362/
Remote code execution in Nextcloud Flow via vulnerable Windmill version
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g7vj-98x3-qvjf
SANS Internet Storm Center StormCast Monday, March 9, 2026
YARA-X Update; IP Camera Targeting; Node.js Upgrades; nginx UI Vuln
https://isc.sans.edu/podcastdetail/9840
YARA-X 1.14.0 Release
https://isc.sans.edu/diary/YARAX+1140+Release/32774
Interplay Between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
Announcing the Node.js LTS Upgrade and Modernization Program
https://openjsf.org/blog/nodejs-lts-upgrade-program
nginx UI Vulnerability
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
Free Virtual Summit | SANS Leadership Summit Solutions Track 2026 | Tuesday, March 17, 2026, at 10:00 AM EDT.
SANS OSINT Summit | Monday, March 16, 2026, in Arlington, VA | Join us at the premier event for cybersecurity professionals, investigators, threat analysts, and open-source researchers shaping the future of intelligence gathering.
Webinar | AI-Human Collaboration in Modern SOCs | Wednesday, March 18, 2026, at 3:30 PM EDT.
Survey Results Webinar | 2026 SANS State of Identity Threats & Defenses Survey Insights Event: How Identity Became the New Security Perimeter—And What’s Next | Wednesday, March 11, 2026, at 10:30 AM EDT.