Advisory ID: ngCERT-2026-030003
SUMMARY
ngCERT has identified publicly accessible Advanced Message Queuing Protocol (AMQP) services exposed in certain Critical National Infrastructures. This weakness may permit unauthorized access and operational disruption, particularly in IoT environments. Organisations are advised to secure and remediate their systems promptly.
DESCRIPTION
AMQP is an open-standard, broker-based messaging protocol that enables secure and reliable communication between producers and consumers through exchanges and queues, supporting message acknowledgement, persistence, and routing. An AMQP broker reachable from untrusted networks ("Accessible AMQP") can be exploited to cause traffic flooding, denial of service, resource exhaustion, Man-in-the-Middle (MitM) attacks, and unauthorized access through misconfigured virtual hosts or queues. Such weaknesses are especially critical in operational technology, industrial automation, healthcare, energy, financial services, and other essential sectors where message integrity and availability are mission-critical.
Damage: Critical
Probability: High
Platform(s): IoT
CONSEQUENCES
If successfully exploited, the vulnerability may result in:
- Disruption of IoT services and operational downtime
- Resource exhaustion affecting system performance and availability
- Unauthorized interception or manipulation of sensitive data
- Execution of malicious or unauthorized commands
- Compromise of system integrity, leading to reputational, financial, regulatory, and potential national security impacts in Critical National Infrastructure environments.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Restrict public exposure of Accessible AMQP services and limit access to trusted networks.
- Enforce TLS encryption and strong authentication mechanisms.
- Remove default credentials and apply network segmentation and traffic controls.
- Enable continuous monitoring and logging for suspicious activities.
- Regularly update and patch IoT devices and AMQP broker software, and report confirmed incidents to ngCERT or 090 5555 4499.
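The first three recommendations (restrict exposure, enforce TLS and strong authentication, remove default credentials) can be checked mechanically against a broker's configuration file. The script below is an added example written for this advisory, not ngCERT's code or any vendor's; it assumes the broker is RabbitMQ and uses that product's rabbitmq.conf key names (listeners.tcp, listeners.ssl, ssl_options.*, loopback_users, default_user and default_pass). Both configurations in it are constructed samples, and the admin password is a placeholder.

```python
"""Audit a RabbitMQ-style rabbitmq.conf for the exposure and credential weaknesses
listed in the advisory. Added example; assumes RabbitMQ's 'key = value' config format.
Both configurations below are constructed samples, not real deployments."""
from __future__ import annotations

# Constructed sample: broker left at its defaults, with the guest account opened to the network.
WEAK_CONF = """\
# constructed sample, not a real deployment
listeners.tcp.default = 5672
loopback_users.guest = false
default_user = guest
default_pass = guest
"""

# Constructed sample: plaintext listener disabled, TLS with client-certificate
# verification, guest confined to loopback, non-default admin credentials (placeholder).
HARDENED_CONF = """\
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca.pem
ssl_options.certfile = /etc/rabbitmq/server.pem
ssl_options.keyfile = /etc/rabbitmq/server.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
loopback_users.guest = true
default_user = broker-admin
default_pass = PLACEHOLDER-SECRET
"""

WEAK_TLS_VERSIONS = {"tlsv1", "tlsv1.1"}


def parse_conf(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment and blank lines are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def _loopback_only(listener: str) -> bool:
    """True when a listener value pins the socket to a loopback address."""
    return listener.startswith(("127.0.0.1:", "localhost:", "::1:"))


def audit_rabbitmq_conf(text: str) -> list[str]:
    """Return finding codes, in check order, for settings that match the advisory's risks."""
    conf = parse_conf(text)
    findings: list[str] = []

    # 1. Plaintext AMQP listener reachable beyond loopback. With no listeners.tcp* keys
    #    at all RabbitMQ still opens 5672 on every interface, so absence counts as "on".
    if conf.get("listeners.tcp") != "none":
        tcp = [v for k, v in conf.items() if k.startswith("listeners.tcp.")]
        if not tcp or any(not _loopback_only(v) for v in tcp):
            findings.append("PLAINTEXT_LISTENER_EXPOSED")

    # 2. No TLS listener configured at all.
    if not any(k.startswith("listeners.ssl") for k in conf):
        findings.append("NO_TLS_LISTENER")
    else:
        # 3. TLS present, but clients are not authenticated by certificate.
        if (conf.get("ssl_options.verify") != "verify_peer"
                or conf.get("ssl_options.fail_if_no_peer_cert") != "true"):
            findings.append("TLS_NO_PEER_VERIFY")
        # 4. Legacy TLS versions still offered.
        offered = {v for k, v in conf.items() if k.startswith("ssl_options.versions.")}
        if offered & WEAK_TLS_VERSIONS:
            findings.append("WEAK_TLS_VERSION")

    # 5. Built-in guest account allowed to log in from non-loopback addresses.
    if conf.get("loopback_users.guest") == "false" or conf.get("loopback_users") == "none":
        findings.append("GUEST_REMOTE_LOGIN")

    # 6. Default credentials left in place.
    if conf.get("default_user") == "guest" or conf.get("default_pass") == "guest":
        findings.append("DEFAULT_CREDENTIALS")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_rabbitmq_conf(conf) or ["no findings"])
```

Run it against a copy of the live rabbitmq.conf (read the file into `audit_rabbitmq_conf`) as part of a deployment check; an empty result for the hardened sample and four findings for the weak one show the checks lining up with the advisory's first three recommendations.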
Advisory ID: ngCERT-2026-020003
SUMMARY/DESCRIPTION
ngCERT is issuing an urgent advisory on the compromise of critical infrastructure by multiple variants of Remote Access Trojans (RAT). In particular, variants such as Adwind, AsyncRAT, Firebird, Imminent Monitor, NetWire, Orcus, Remcos, Warzone, and WSH RATs can enable unauthorised remote control of infected systems. These tools are distributed through phishing, malicious attachments, exploit kits, or fake downloads, establishing persistence through registry modifications, scheduled tasks, or process injection. Their capabilities include keylogging, credential theft, screen capture, webcam/microphone access, file exfiltration, command execution, and evasion of antivirus or sandboxes. These have implications for data breaches, financial fraud and theft, cyber espionage, and operational disruption. ngCERT strongly recommends conducting immediate vulnerability scans and deploying endpoint detection tools to mitigate the threats posed by these RATs.
Damage: Critical
Probability: High
Platform(s): Mostly Windows, macOS, Linux and Android.
CONSEQUENCES
Successful exploitation may result in:
- Unauthorised remote control and data breaches.
- Financial fraud and theft.
- Surveillance and cyber espionage.
- Operational disruption.
SOLUTION/MITIGATION
Organisations are strongly advised to:
- Apply timely patches to their OS and applications.
- Enforce Multi-Factor Authentication (MFA) for accounts and restrict unnecessary ports/services like Remote Desktop Protocol (RDP).
- Deploy endpoint detection and response (EDR).
- Use network segmentation to limit lateral movement and maintain offline, encrypted backups.
- Train users to recognise phishing attempts and implement email filtering to block malicious content.
- Monitor indicators like registry changes or connections to malicious Command and Control (C2) servers.
- Upon detection of system compromise, isolate systems, reset passwords, and report to authorities.
- Adopt Zero-Trust models and Threat Intelligence for enhanced resilience.
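The description names registry modifications and scheduled tasks as the persistence mechanisms of these RATs, and the recommendations ask for monitoring of registry changes. The script below is an added example, not ngCERT's code: it runs two such detections over endpoint telemetry. The event records are constructed and mirror Sysmon event ID 13 (registry value set) and event ID 1 (process create) only in the few fields used here; the field names, the list of user-writable directories and the set of script hosts are this example's own choices.

```python
"""Flag two persistence patterns from the advisory (autorun registry keys pointing into
user-writable directories, and scheduled-task creation launched from a script host) in
Sysmon-style endpoint events. Added example, not ngCERT's code; events are constructed."""
from __future__ import annotations

import ntpath  # parses Windows paths correctly even when run on Linux

# Directories an unprivileged user can write to; an autorun pointing here deserves review.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Script and shell hosts that rarely have a legitimate reason to spawn schtasks.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed sample events (assumed field names; only the fields used below are present).
SAMPLE_EVENTS = [
    {   # Run-key value written by a binary living in the user's roaming profile
        "event_id": 13,
        "image": r"C:\Users\alice\AppData\Roaming\svchost32.exe",
        "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "details": r"C:\Users\alice\AppData\Roaming\svchost32.exe",
    },
    {   # schtasks.exe spawned by the Windows Script Host
        "event_id": 1,
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "command_line": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Local\Temp\upd.vbs",
    },
    {   # benign: an installer registering its agent under Program Files (should not alert)
        "event_id": 13,
        "image": r"C:\Program Files\Vendor\Installer.exe",
        "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
        "details": r"C:\Program Files\Vendor\agent.exe",
    },
    {   # benign: ordinary process creation (should not alert)
        "event_id": 1,
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "notepad.exe",
    },
]


def _is_user_writable(path: str) -> bool:
    """True when the path sits under a directory an unprivileged user can write to."""
    lowered = path.strip('"').lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def detect_persistence(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, image) pairs for events matching either persistence pattern."""
    alerts: list[tuple[str, str]] = []
    for ev in events:
        if ev["event_id"] == 13 and "\\currentversion\\run" in ev["target"].lower():
            # Autorun entries are normal; the signal is where the launched binary lives.
            if _is_user_writable(ev["details"]):
                alerts.append(("RUN_KEY_USER_WRITABLE", ev["image"]))
        elif ev["event_id"] == 1 and ntpath.basename(ev["image"]).lower() == "schtasks.exe":
            parent = ntpath.basename(ev.get("parent_image", "")).lower()
            if "/create" in ev["command_line"].lower() and parent in SCRIPT_HOSTS:
                alerts.append(("SCHTASK_FROM_SCRIPT_HOST", ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, image in detect_persistence(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The benign installer event is included deliberately: a rule that fired on every Run-key write would drown analysts in software-update noise, so the check keys on the launched path rather than on the registry write itself.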
Advisory ID: ngCERT-2026-010003-1
SUMMARY/DESCRIPTION
ngCERT is aware of a potential router implant campaign targeting Cisco Catalyst switches and IOS-based routers via weak SNMP, outdated firmware, and unsecured management services. These devices are being targeted globally by Advanced Persistent Threat (APT) groups that abuse weak or misconfigured SNMP settings for tasking, control, and device modification. The implant can enable unauthorized access, configuration changes, credential theft, and data exfiltration, and may maintain long-term persistence while avoiding detection, indicating a sophisticated threat actor skilled in exploiting network infrastructure. Its TTPs include SNMP-based reconnaissance, exploitation of outdated IOS firmware, misuse of open or misconfigured services (HTTP, Telnet, SNMP), credential harvesting through insecure HTTP Basic Authentication, and data exfiltration over unencrypted channels. Organisations and users are advised to apply the mitigations detailed in this advisory to strengthen device security and resolve exploitable weaknesses.
Damage: Critical
Probability: High
Platform(s): Cisco Catalyst switches and IOS-based routers (1900, 2900, and 3900 series devices).
CONSEQUENCES
The observed activity may lead to a range of potential impacts, such as:
- Unauthorized access to network infrastructure.
- Manipulation of routing and network traffic.
- Theft of credentials.
- Long-term persistence on devices.
- Data leakage or exfiltration.
- Potential service disruption or outages.
SOLUTION/MITIGATION
The following are recommended to mitigate this exploitable weakness:
- Harden SNMP using SNMPv3, strong credentials, and restricted access.
- Update and patch Cisco firmware, removing legacy or unpatched versions.
- Disable insecure services and rely on encrypted management (HTTPS, SSH).
- Improve access controls, segment management networks, and enforce strong passwords.
- Monitor SNMP activity, log configuration changes, and watch for traffic anomalies.
- Rotate credentials regularly and conduct incident response with configuration review and device rebuilding if needed.
HYPERLINK
- https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis?utm_source
- https://cert.gov.ng/advisories/risks-associated-with-end-of-life-cisco-catalyst-1900-2900-and-3900-series-routers
- https://www.cisa.gov/sites/default/files/2023-04/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers.pdf
Advisory ID: ngCERT-2026-010003
SUMMARY/DESCRIPTION
ngCERT is aware of a potential router implant campaign targeting Cisco Catalyst switches and IOS-based routers via weak SNMP, outdated firmware, and unsecured management services. These devices are being targeted globally by Advanced Persistent Threat (APT) groups that abuse weak or misconfigured SNMP settings for tasking, control, and device modification. The implant is capable of enabling unauthorized access, configuration changes, credential theft, and data exfiltration, and may maintain long-term persistence while avoiding detection, indicating a sophisticated threat actor skilled in exploiting network infrastructure. Its TTPs include SNMP-based reconnaissance, exploitation of outdated IOS firmware, misuse of open or misconfigured services (HTTP, Telnet, SNMP), credential harvesting through insecure HTTP Basic Authentication, and data exfiltration over unencrypted channels. Organisations and users are advised to apply the mitigations detailed in this advisory to strengthen device security and resolve exploitable weaknesses.
Damage: Critical
Probability: High
Platform(s): Cisco Catalyst switches and IOS-based routers.
CONSEQUENCES
The observed activity may lead to a range of potential impacts, such as:
- Unauthorized access to network infrastructure.
- Manipulation of routing and network traffic.
- Theft of credentials.
- Long-term persistence on devices.
- Data leakage or exfiltration.
- Potential service disruption or outages.
SOLUTION/MITIGATION
The following are recommended to mitigate this exploitable weakness:
- Harden SNMP using SNMPv3, strong credentials, and restricted access.
- Update and patch Cisco firmware, removing legacy or unpatched versions.
- Disable insecure services and rely on encrypted management (HTTPS, SSH).
- Improve access controls, segment management networks, and enforce strong passwords.
- Monitor SNMP activity, log configuration changes, and watch for traffic anomalies.
- Rotate credentials regularly and conduct incident response with configuration review and device rebuilding if needed.
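The SNMP, management-service and access-control recommendations in advisories ngCERT-2026-010003-1 and ngCERT-2026-010003 (SNMPv3 with restricted access, no Telnet or HTTP management, HTTPS and SSH only) all show up as lines in a device's running configuration, so they can be checked from a saved copy of `show running-config` without touching the device. The script below is an added example, not ngCERT's or Cisco's code; it assumes Cisco IOS configuration syntax. Both configuration excerpts are constructed samples, the SNMPv3 secrets are placeholders, and the finding codes are this example's own.

```python
"""Audit a Cisco IOS running-config excerpt for the management-plane weaknesses the
advisory describes: SNMPv1/v2c communities (read-write ones especially), SNMPv3 groups
without privacy or an access list, HTTP management, and Telnet on the VTY lines.
Added example, not ngCERT or Cisco code; both configs are constructed samples."""
from __future__ import annotations

# Constructed sample: clear-text management everywhere, community strings, telnet.
WEAK_RUNNING_CONFIG = """\
version 15.1
hostname edge-rtr-1
!
ip http server
ip http authentication local
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet
 login local
!
"""

# Constructed sample: HTTPS/SSH only, SNMPv3 authPriv restricted by a standard ACL.
# AUTH-PLACEHOLDER / PRIV-PLACEHOLDER stand in for real secrets.
HARDENED_RUNNING_CONFIG = """\
hostname edge-rtr-1
!
no ip http server
ip http secure-server
!
ip access-list standard SNMP-MGMT
 permit 10.10.50.0 0.0.0.255
!
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access SNMP-MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
!
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
!
"""


def parse_running_config(text: str) -> list[tuple[str, str]]:
    """Return (section, command) pairs. IOS nests sub-commands by a leading space, so an
    indented line belongs to the most recent top-level command; '!' separators are dropped."""
    entries: list[tuple[str, str]] = []
    section = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith(" "):
            entries.append((section, stripped))
        else:
            section = stripped
            entries.append(("", section))
    return entries


def audit_ios_config(text: str) -> list[tuple[str, str]]:
    """Return (finding code, offending command) pairs in configuration order."""
    findings: list[tuple[str, str]] = []
    for section, cmd in parse_running_config(text):
        words = cmd.split()
        if cmd.startswith("snmp-server community"):
            # v1/v2c communities are sent in clear text; RW ones allow device modification.
            findings.append(("SNMP_COMMUNITY_V1V2C", cmd))
            if "RW" in words:
                findings.append(("SNMP_COMMUNITY_RW", cmd))
        elif cmd.startswith("snmp-server group") and "v3" in words:
            if "priv" not in words:          # noauth/auth groups leave payloads unencrypted
                findings.append(("SNMPV3_NO_PRIV", cmd))
            if "access" not in words:        # no ACL: any source may try the group
                findings.append(("SNMPV3_NO_ACL", cmd))
        elif cmd == "ip http server":        # exact match skips "no ip http server"
            findings.append(("HTTP_MGMT_ENABLED", cmd))
        elif section.startswith("line vty") and cmd.startswith("transport input"):
            if "telnet" in words or "all" in words:
                findings.append(("TELNET_ENABLED", f"{section}: {cmd}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_RUNNING_CONFIG), ("hardened", HARDENED_RUNNING_CONFIG)):
        print(name, audit_ios_config(cfg) or "no findings")
```

Because the audit works on a text export, it can be run across an archive of device backups to find every switch or router still carrying community strings or Telnet, which is the inventory the firmware-update and credential-rotation steps need.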
HYPERLINK
- https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis?utm_source
- https://cert.gov.ng/advisories/risks-associated-with-end-of-life-cisco-catalyst-1900-2900-and-3900-series-routers
- https://www.cisa.gov/sites/default/files/2023-04/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers.pdf
Advisory ID: ngCERT-2026-010002
SUMMARY/DESCRIPTION
ngCERT alerts organisations and users to an actively exploited zero-day vulnerability affecting the Microsoft Windows Desktop Window Manager (DWM). DWM is a core Windows service responsible for managing visual effects, window composition, and graphical rendering in the operating system. The vulnerability, tracked as CVE-2026-20805, arises from improper handling of Advanced Local Procedure Call (ALPC) messages within the DWM service. An attacker with local access can send crafted ALPC requests that trigger memory disclosure, returning internal pointers and heap/base address details. While it does not directly permit remote code execution or privilege escalation in isolation, it can be leveraged to bypass core exploit mitigations such as Address Space Layout Randomization (ASLR), which significantly increases the reliability of subsequent exploit chains. This advisory provides details on the issue, its impact and recommended solutions.
Damage: Critical
Probability: High
Platform(s): Windows
CONSEQUENCES
Successful exploitation of this vulnerability could lead to:
- ASLR Bypass: Leaking memory layout information directly undermines ASLR, a fundamental memory-hardening technique used to defend against buffer overflows and ROP attacks.
- Facilitated Exploitation: By revealing internal addresses, attackers can craft reliable exploits for other locally or remotely accessible vulnerabilities, increasing the likelihood of full system compromise.
- Exploit Chaining: It initiates multi-stage exploit chains, particularly in post-compromise lateral movement, privilege escalation, or persistence scenarios.
- Enterprise Risk: In corporate environments where attackers may already have footholds (e.g., via phishing or compromised credentials), this vulnerability strengthens the adversary’s ability to deepen access.
- Active Exploitation: Public reporting confirms active exploitation in the wild before patch deployment, underscoring real-world risk.
SOLUTION/MITIGATION
The following are recommended:
- Apply security updates immediately: Microsoft’s January 2026 Patch Tuesday updates for CVE-2026-20805 should be applied immediately to remediate the flaw.
- Restrict Local Access: Limit user accounts with local login to trusted personnel and use endpoint access controls to reduce exploit opportunities.
- Harden Processes: Employ Endpoint Detection and Response (EDR) with ALPC/DWM monitoring rules to detect suspicious interactions with DWM.
- Least Privilege: Review and enforce least privilege for all user accounts and services.
- Behavioural Monitoring: Monitor systems for unusual ALPC traffic patterns or unauthorized inter-process communications with dwm.exe.
- ASLR-Aware Protections: Ensure other Microsoft security features, such as Virtualisation-Based Security (VBS) and Hypervisor-enforced Code Integrity (HVCI), are enabled where supported.
- Patch Management: Incorporate timely patch deployment and vulnerability scanning into standard operations.