The US Cybersecurity and Infrastructure Security Agency (CISA) has published a joint cybersecurity advisory alongside federal intelligence and infrastructure agencies, warning organizations of ongoing attacks targeting programmable logic controllers (PLCs) in multiple US critical infrastructure sectors including "Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy." The attacker is believed to be an Iran-affiliated advanced persistent threat (APT) exploiting Rockwell Automation/Allen-Bradley PLCs and possibly other PLC brands such as Siemens S7 "through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss." The advisory urges organizations to disconnect PLCs from the public internet and deploy secure gateways and firewalls; to query logs from within the attack time frame for indicators of compromise (IoCs), including suspicious traffic on ports 44818, 2222, 102, 22, and 502; and to place the physical mode switch on Rockwell Automation controllers to the run position. CISA strongly recommends organizations check the full provided mitigation and hardening instructions as well as IoCs and attacker tactics, techniques, and procedures (TTPs). The advisory calls on manufacturers to create default settings that prevent internet exposure, to not charge for basic security features, and to support phishing-resistant MFA, stating "it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default." Users who may be affected should contact their PLC manufacturer and report the malicious activity to CISA, the FBI, and/or the NSA.
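
The log query the advisory recommends, as an added example that is not from CISA or this newsletter: it scans a constructed CSV flow log for connections from outside the site's address space to the five listed ports and ranks the affected destinations. The column names, the internal network list, and the time window are assumptions; substitute your own log schema and the time frame and IoCs given in the advisory.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Ports listed in the advisory summary; labels are the usual assignments.
PLC_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O",
             102: "ISO-TSAP (Siemens S7)", 22: "SSH", 502: "Modbus/TCP"}

# Assumption: the site uses RFC 1918 space internally; substitute real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (not real traffic). Column names are hypothetical;
# external sources use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
ts,src,dst,dport,action
2026-01-10T02:14:07,203.0.113.45,10.20.0.11,44818,allow
2026-01-10T02:14:09,203.0.113.45,10.20.0.11,44818,allow
2026-01-10T02:15:30,198.51.100.7,10.20.0.12,502,deny
2026-01-10T03:01:00,10.20.0.5,10.20.0.11,44818,allow
2026-01-11T11:42:18,203.0.113.45,10.20.0.13,102,allow
2026-01-12T08:00:00,192.0.2.99,10.20.0.11,443,allow
not-a-timestamp,203.0.113.45,10.20.0.11,502,allow
2026-02-20T09:00:00,198.51.100.7,10.20.0.11,22,allow
"""


def hunt(log_text, start, end, internal=INTERNAL_NETS):
    """Return (hits, skipped) for external-to-PLC-port traffic in [start, end].
    hits maps (dst, dport) to source IPs and allow/deny counts."""
    hits = defaultdict(lambda: {"sources": set(), "allowed": 0, "denied": 0})
    skipped = 0
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.fromisoformat(row["ts"])
            port = int(row["dport"])
            src = ipaddress.ip_address(row["src"])
        except (KeyError, TypeError, ValueError):
            skipped += 1  # keep a count so gaps in coverage are visible
            continue
        if not (start <= ts <= end) or port not in PLC_PORTS:
            continue
        if any(src in net for net in internal):
            continue  # internal traffic is out of scope for this query
        entry = hits[(row["dst"], port)]
        entry["sources"].add(str(src))
        entry["allowed" if row["action"] == "allow" else "denied"] += 1
    return dict(hits), skipped


def report(hits):
    """Order findings so destinations with allowed connections come first."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1]["allowed"], kv[0]))
    return [f"{dst}:{port} ({PLC_PORTS[port]}) allowed={v['allowed']} "
            f"denied={v['denied']} sources={sorted(v['sources'])}"
            for (dst, port), v in ranked]


if __name__ == "__main__":
    # Placeholder window; use the time frame given in the advisory.
    found, bad = hunt(SAMPLE_LOG, datetime(2026, 1, 9), datetime(2026, 1, 31))
    print("\n".join(report(found)), f"\nunparsed rows: {bad}")
```

An allowed connection from an external address to one of these ports means the controller was reachable from the internet during the window, which is the exposure the advisory asks organizations to remove.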
The developers of AI agent OpenClaw have released a patch for a critical vulnerability. CVE-2026-33579, CVSS score 9.4, allows a low-privileged attacker to escalate privileges to full admin access by approving device requests that ask for broader scopes, due to missing scope validation in the /pair approve command path of OpenClaw before 2026.3.28. AI app building platform Blink notes in their blog post on this flaw that "It is the sixth pairing-related vulnerability disclosed in six weeks — a pattern that reveals systemic CWE-863 (Incorrect Authorization) design debt in OpenClaw's entire device pairing and scope management subsystem." What's more, Blink estimates "63% of the 135,000+ publicly exposed OpenClaw instances run without any authentication layer," meaning any visitor to the network can obtain the basic privileges needed to exploit this flaw. Blink's overview of OpenClaw CVEs characterizes the quantity and severity of vulnerabilities in the first quarter of 2026 alone as "staggering." Updating to the latest version patched for this flaw (OpenClaw 2026.3.28 or later) will also address a CVSS 9.9 token rotation race condition flaw allowing full admin access and remote code execution, disclosed on March 29, the most critical flaw in OpenClaw to date. Blink notes that an advantage of managed hosting over self-hosting is prompt application of patches.

There are no vulnerabilities in OpenClaw. OpenClaw, as a concept, is the vulnerability.

Addressing six flaws in six weeks is no mean feat, so kudos to the developers who continue to work the issues. For now, it remains a good idea to keep OpenClaw isolated. Beyond applying the update, make sure that you don't have any unexpected pairing with devices with operating.admin scope, and watch for any approved by a pairing-only user, as this is a strong exploitation indicator. With the tempo of OpenClaw fixes, it may be worthwhile to investigate a hosted service option where fixes are applied much more rapidly.
A pretty damning indictment of OpenClaw's approach to cybersecurity. Seems like OpenAI could spend just a small portion of their billions to provide secure software training for developers. The other approach is to have the world continue to QA the product and fix as necessary, taking the bad press in stride.
Researchers at Talos Intelligence have discovered "a large-scale automated credential harvesting campaign carried out by a threat cluster [they] are tracking as UAT-10608." The campaign involves targeting Next.js applications vulnerable to the React2Shell vulnerability (CVE-2025-55182), a critical pre-authentication remote code execution vulnerability in React Server Components. Talos says the threat actors have compromised more than 760 systems and that more than 10,000 files have been taken.

These attackers are sending a serialized payload to a vulnerable public-facing app (no authentication), which is then deserialized and instantiated on the server, which exfiltrates credentials. (Yup, untrusted input strikes again). The fix is two-part: first, apply the update to your React server environment, then address your environment. Review any credentials available to your application environment and make sure that you're regularly scanning for their introduction. Make sure everything is running with least privilege. Verify you're limiting access to session-based metadata; for example, implement IMDSv2 enforcement in AWS EC2 instances and deploy runtime self-protections, such as a WAF, which includes Next.js-specific attack patterns.

Continued use of reusable credentials is not simply risky but reckless.
The FBI’s Internet Crime Complaint Center (IC3) has published its Internet Crime Report for 2025. Phishing or spoofing accounted for the largest number of complaints (191,561), followed by extortion (89,129), investment (72,984), and personal data breach (67,456). The greatest losses were attributed to investment scams at $8.65 billion, business email compromise at $3.05 billion, and tech/customer support at $2.13 billion. Total losses reported to IC3 in 2025 exceeded $20 billion, a 26 percent increase over losses reported in 2024. When broken down by age, the largest number of complaints was submitted by individuals over the age of 60; the same group accounted for the greatest losses ($7.75 billion), more than twice the amount reported by individuals between the ages of 50 and 59. IC3 receives an average of nearly 3,000 complaints every day.

Phishing remains number one because it works. Before we play the user training card, make sure you've fully played the technical measures card. You need to make sure that you have not only your anti-spam protections dialed in, but also your EDR and boundary protections, which are both continuously updated and actively blocking known bad sites/actions. Now, review your training and make sure you're not shaming users; make sure it's targeted, actionable, and useful as well as providing users with continuous feedback to reinforce/form good habits.
A couple things stand out in the report: 1) phishing likely enabled the other three complaints listed; and 2) seniors are most vulnerable to these types of scams. Why? Simple. They tend to answer the phone, are more likely to believe the scammer, and aren’t as comfortable with digital devices.

One cannot help but wonder whether those over sixty are more victimized or simply better at reporting. In any case the population of those over sixty is larger than that between 50-59 and growing faster.
Certificate authority D-Trust, a subsidiary of German company Bundesdruckerei, announced on Saturday, April 4 that it is recalling all TLS certificates issued between March 12, 2025 and April 2, 2026. The certificates in question must be exchanged by 5pm local time on Monday, April 6, at which time they will be declared invalid. The recall is not due to a security issue, i.e., cyberattack; instead, the certificates suffer from a linting issue. Specifically, according to a Bugzilla Preliminary Incident Report: "After conducting an in-depth internal analysis, supplemented by external expert review, D-Trust has concluded that its current RA-side configuration checks do not meet the definition of a 'linting tool' as intended by the industry."

In case you missed it (I had to refresh my understanding), linting is an automated process used to uncover compliance issues in certificate profiles such as pre-certificates (RFC 6962), TBSCertificates (RFC 5280), full certificates, CRLs, or OCSP responses. As of March 2025, pre-issuance linting is mandatory for all publicly trusted TLS certificates. As such, D-Trust determined they didn't fully meet this requirement and have no choice but to revoke and re-issue any certificates where linting was inadequate. Pretty much, if you're using D-Trust certificates, make sure that you're replacing them asap.

Lately, pushback against the CA/Browser Forum has been increasing somewhat, driven by what some perceive as draconian enforcement of rules that do not affect security. Microsoft last year negotiated a reprieve from having to revoke millions of certificates due to a formatting issue/typo in its requirements. For a user of any certificate authority, automation is a must. In particular, newer versions of the ACME protocol include provisions to automatically renew certificates that are being revoked before their scheduled expiration.
To require a total recall of certificates created during a specific time frame is not something you decide lightly as a registration authority. I suspect that when the static analysis testing resumed, they found something more troubling.
CERT-EU has released an update following the European Commission's (EC's) March 26, 2026 disclosure of a data breach, adding details about the attack's timing, nature, scope, impact, and attribution. Data amounting to about 340 GB uncompressed were exfiltrated from a compromised AWS account following an initial compromise March 19, and then were leaked online on March 28, including names, email addresses, and email content belonging to "42 internal clients of the European Commission, and at least 29 other Union entities." CERT-EU first received alerts from the EC on March 25 indicating misuse of Amazon APIs and a high volume of network traffic, and subsequent investigation revealed with high confidence that a threat actor had stolen an AWS API key as a result of the March 19 Trivy supply chain compromise. "The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels." CERT-EU notes that the threat actor also "obtained management rights for the compromised AWS secret, which could have allowed them to move laterally to other AWS accounts belonging to the European Commission," though lateral movement has not yet been observed. Upon discovery, the EC secured the stolen AWS key and disabled the threat actor's newly created access keys; notified the EC's Data Protection Controller and Union entities' Data Protection Officers as well as the European Data Protection Supervisor; and on March 31 began communicating directly with those affected. CERT-EU urges organizations to follow Aqua Security's instructions to address the Trivy supply chain compromise and to also audit and rotate AWS credentials. The notice offers recommendations for immediately and continuously hardening and monitoring CI/CD pipelines.

While the obvious preventative step is to make sure that you've got genuine packages and hardened your CI/CD pipeline, the CERT-EU blog has good suggestions to drive that conversation; make sure you're also set for detection of data exfiltration. If they're not already all over this, throw out the challenge to your defenders to see what they come up with — I bet you they have ideas they want to try, if they're not already at least partly implemented. For you, think belt and suspenders.
Excellent update provided. Supply chain attacks are becoming mainstream as a means to attack specific targets. Cybersecurity is complex; it’s not just the infrastructure one maintains but increasingly the security of third-party software providers. Active monitoring is one of very few security controls available once an evildoer has a compromised credential.
Colorado's Consumer Right to Repair Digital Electronic Equipment Act took effect earlier this year and has already met with proposed legislation limiting its scope. Following an April 2 hearing, members of the Colorado Senate Business, Labor, and Technology committee voted unanimously to move the Exempt Critical Infrastructure from Right to Repair bill out of committee and into the state senate and house for voting. The new bill would "exempt information technology equipment that is intended for use in critical infrastructure from Colorado’s consumer right to repair laws." Tech companies lobbying for the exemptions cite cybersecurity concerns among their arguments to limit who can perform repairs. In an emailed response to a request for comment, an IBM spokesperson told WIRED that "Given the critical and often sensitive nature of enterprise-level products, any legislation should be clearly scoped to consumer devices." Speaking at the hearing, right to repair advocates say the new bill at best vaguely defines both "information technology" and "critical infrastructure," leaving it to the manufacturers to decide what products would be exempt from the current right to repair law.

Not a bad idea to verify that any repair services you currently have are appropriately licensed/certified/trained to repair the items you've hired them for, particularly critical systems where the risks may outweigh the cost savings of non-OEM parts and technicians. The last thing you want is to hear you're unsupported during a failure or other critical process.
Seems like a bit more definition on what is or isn’t in scope is warranted given enactment of the statute. It also isn’t clear whether ICS/SCADA components commonly found in critical infrastructure are included in the original statute. The good news: video game consoles are exempt. Who says lobbying doesn’t work?

Drafting legislation to be effective while avoiding unintended consequences is both difficult and more art than science. In any case, given the falling cost of consumer electronics, replacement is often, not to say usually, cheaper than repair. (Just by way of example, when I was a boy, American families were going into debt to purchase television sets. Sets were not very reliable and radio and television repair was a thriving industry. Recently my 36" TV became difficult to turn on; once on it worked fine. I replaced it for $75 plus sales tax and delivery. Would have tolerated the problem were "repair" the only option. Noticeably better picture.) It is difficult to write a law that covers both capital (e.g., farm) equipment and consumer electronics.
Over the weekend, Fortinet released emergency fixes to address a critical improper access control vulnerability (CVE-2026-35616) in FortiClient Endpoint Management Server (EMS) that is being actively exploited. The flaw could be exploited to allow an unauthenticated attacker to execute unauthorized code or commands with maliciously crafted requests. Hotfixes are available for FortiClient EMS 7.4.5 and 7.4.6. The issue will also be fixed in FortiClient EMS 7.4.7, which is listed as "upcoming." The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog on Monday, April 6, with a mitigation deadline for Federal Civilian Executive Branch (FCEB) agencies of Thursday, April 9. The Cyber Security Agency of Singapore (CSA) has also published an alert warning that the vulnerability is under active exploitation and urging users and admins to apply the hotfix.

If you're wondering, CVE-2026-35616, improper access control flaw, has a CVSS score of 9.8. That said, it's being actively exploited: apply the hotfix, which will take care of restarting services and takes only a few seconds. The release notes include the script to verify the patch is applied. The fix will be built into 7.4.7 when it's released, so the upgrade won't require reapplying this fix.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high severity Download of Code Without Integrity Check Vulnerability (CVE-2026-3502) in the TrueConf video conferencing tool to the Known Exploited Vulnerabilities (KEV) database with a mitigation deadline of April 16 for Federal Civilian Executive Branch (FCEB) agencies. Researchers at Check Point say, "the flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints." In their report, they say that hackers with ties to China have been exploiting the vulnerability since the beginning of this calendar year. They observed "a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment." Check Point disclosed the vulnerability to TrueConf, and the company released a fix for the issue last month.

TrueConf checks the on-premises server for updates at startup and applies them without validation. The attack leverages this trust relationship, needing only to compromise the server to have code deployed through your userbase. If you're a TrueConf shop, make sure that you're running version 8.5.3 or better, applying the update via a trusted channel and hunting for the IoCs in the Check Point blog.
The same researchers from the University of Toronto who in 2025 demonstrated the efficacy of the Rowhammer effect on NVIDIA A6000 GPUs with GDDR6 memory have now developed an attack using Rowhammer to conduct both GPU-side and CPU-side escalation and achieve a root shell, even with an input–output memory management unit (IOMMU) enabled. The Rowhammer effect is a type of disturbance error observed for over a decade, where repeatedly reading ("hammering") memory locations in densely celled dynamic random-access memory (DRAM) can leak an electrical charge that may cause bits to flip in an adjacent memory row. The new attack, dubbed "GPUBreach," corrupts GPU page tables to enable an unprivileged Compute Unified Device Architecture (CUDA) kernel to "gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver." Two other research papers published independently at nearly the same time (GDDRHammer and GeForge) also detail Rowhammer attacks that lead to privilege escalation, but both are mitigated by enabling IOMMU, which is off by default. Error correction code (ECC) can also be enabled to defend against the Rowhammer effect, but may reduce performance and memory capacity. The researchers will present their full findings at the IEEE Symposium on April 13, 2026.

Even with this attack, enabling IOMMU and ECC (where available) remain recommended mitigations to other Rowhammer types of GPU attacks, but neither is perfect. ECC cannot correct attack patterns with more than two bit flips, and the GPUBreach attack bypasses IOMMU by leveraging driver vulnerabilities, so that will require an updated driver. Your action is to make sure both are enabled where available and deploy updated NVIDIA drivers when available. Tread lightly around HPC applications, as setting these may introduce unacceptable performance impacts in compute nodes.
SANS Internet Storm Center StormCast Tuesday, April 7, 2026
Redirects in Phishing; Internet Bug Bounty Suspended; BlueHammer; Keycloak MFA Bypass
https://isc.sans.edu/podcastdetail/9882
How often are redirects used in phishing in 2026?
https://isc.sans.edu/diary/How+often+are+redirects+used+in+phishing+in+2026/32870
HackerOne Suspends Internet Bug Bounty
https://hackerone.com/ibb?type=team
https://www.linkedin.com/posts/danielstenberg_hackerone-share-7446667043380076545-RX9b/
BlueHammer Windows 0-day Privilege Escalation
https://github.com/Nightmare-Eclipse/BlueHammer
https://deadeclipse666.blogspot.com/2026/04/public-disclosure.html
https://deepwiki.com/Nightmare-Eclipse/BlueHammer
Keycloak MFA Bypass CVE-2026-3429
https://access.redhat.com/security/cve/cve-2026-3429
SANS Internet Storm Center StormCast Monday, April 6, 2026
TeamPCP Update and Axios Post Mortem; Strapi NPM Packages Compromised; Fortinet 0-Day
https://isc.sans.edu/podcastdetail/9880
Team PCP Update and Axios Post Mortem
https://isc.sans.edu/diary/32864
https://github.com/axios/axios/issues/10636
Strapi NPM Packages Compromised
https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent/
Fortinet CVE-2026-35616 actively exploited