Cyber Threat Brief — March 27 2026
⚠️ This report is AI-generated. Always validate findings.
1. Trivy Supply Chain Compromise Hits CISA KEV — CVE-2026-33634
TL;DR: CISA added CVE-2026-33634 (CVSS 9.4) to the KEV catalog on March 26 after the TeamPCP actor weaponized Trivy's GitHub Actions CI/CD pipeline, exfiltrating CI secrets to a typosquatted domain with a GitHub release as the fallback channel. Federal remediation deadline: April 9.
What’s New:
- CISA KEV addition March 26 elevates from supply-chain advisory to mandated remediation
- Malicious Trivy binaries v0.69.4–0.69.6 published via hijacked release automation; 76 of 77 trivy-action tags and all 7 setup-trivy tags force-pushed to malicious commits
- Exfil channel: HTTPS POST to `scan.aquasecurtiy[.]org` (45.148.10[.]212, Amsterdam); note the intentional typosquat of "aquasecurity"
- Fallback exfil: creates a public repo `tpcp-docs` under the victim's GitHub account and uploads the encrypted bundle as a release asset if the primary C2 returns a non-2XX response
- Commit `1885610c` in aquasecurity/trivy added `--skip=validate` to the GoReleaser config, disabling integrity checks on build artifacts
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| scan.aquasecurtiy[.]org | C2 domain (typosquat) | T1071.001 | DNS / proxy logs | Block |
| 45.148.10[.]212 | C2 IP | T1071.001 | Firewall / netflow | Block |
| Trivy v0.69.4, v0.69.5, v0.69.6 | Malicious binary | T1195.002 | CI/CD artifact logs | Remove, pin to v0.69.3 |
| tpcp-docs repo creation | Exfil fallback | T1567.001 | GitHub audit logs | Hunt |
| --skip=validate in GoReleaser | Tampered build config | T1195.002 | Git commit history | Hunt |
| INPUT_GITHUB_PAT access | Credential theft | T1552.001 | GitHub Actions logs | Rotate all PATs exposed in CI |
| trivy-action tags (76 repointed) | Tag poisoning | T1195.002 | GitHub Actions workflow logs | Pin to full SHA, not tags |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for GitHub Actions tag repointing or CI secret exfil to typosquat domains |
| Elastic | None | No rule for GitHub release-based exfiltration or trivy-action compromise |
| Sigma | None | Need: DNS query for aquasecurtiy[.]org; GitHub audit log alert for tpcp-docs repo creation; CI runner outbound to non-allow-listed domains |
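Added example covering the two hunts the detection table calls out. This is not code from the brief, from Aqua Security or from the Trivy project: it audits GitHub Actions workflow text for `uses:` references that are pinned to a mutable tag or branch instead of a full commit SHA (the mitigation for the tag repointing above), and it classifies DNS log query names against the C2 domain above and, going beyond the brief, against near-miss lookalikes of domains a CI runner is expected to contact. The allow-list, the DNS log format, the placeholder SHA and all sample data are assumptions constructed for the example.

```python
"""Added example (not from the brief, Aqua Security or the Trivy project):
(1) flag GitHub Actions `uses:` references not pinned to a 40-hex commit SHA;
(2) classify DNS query names as known C2, allowed, typosquat lookalike or unknown.
Allow-list, log format and sample data are assumptions."""
import re

# Indicators quoted from the brief (defanging removed for matching).
C2_DOMAIN = "scan.aquasecurtiy.org"
C2_IP = "45.148.10.212"

# Assumed allow-list of registered domains a CI runner legitimately contacts.
PROTECTED_DOMAINS = {"aquasecurity.org", "github.com"}

SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
# owner/repo[/subpath]@ref, optionally quoted; ref stops at whitespace or a quote.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([^\s"']+)""")


def find_unpinned_uses(workflow_text):
    """Return [(action, ref)] for every action reference that is a tag or branch.
    Tags and branches are mutable: the brief reports 76 of 77 trivy-action tags
    force-pushed to malicious commits, so a tag-pinned workflow pulled the payload."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA40_RE.match(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings


def levenshtein(a, b):
    """Plain edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(fqdn):
    """Last two labels; adequate for .org/.com, no public-suffix list here."""
    return ".".join(fqdn.rstrip(".").lower().split(".")[-2:])


def classify_qname(qname):
    """Verdict order: known_c2, allowed, lookalike, unknown."""
    rd = registered_domain(qname)
    if rd == registered_domain(C2_DOMAIN):
        return "known_c2"
    if rd in PROTECTED_DOMAINS:
        return "allowed"
    if any(levenshtein(rd, good) <= 2 for good in PROTECTED_DOMAINS):
        return "lookalike"
    return "unknown"


def hunt_dns_log(lines):
    """Constructed line format: '<timestamp> <client> <qname>'. Return alerts only."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; do not silently treat as clean
        client, qname = parts[1], parts[2]
        verdict = classify_qname(qname)
        if verdict in ("known_c2", "lookalike"):
            alerts.append((client, qname.rstrip(".").lower(), verdict))
    return alerts


# Constructed sample workflow: placeholder SHA plus two mutable references.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - name: setup trivy
        uses: "aquasecurity/setup-trivy@v0.2.0"
"""

# Constructed DNS log lines: timestamp, runner IP, queried name.
SAMPLE_DNS_LOG = [
    "2026-03-26T10:00:01Z 10.0.5.21 api.github.com.",
    "2026-03-26T10:00:02Z 10.0.5.21 scan.aquasecurtiy.org.",
    "2026-03-26T10:00:03Z 10.0.5.22 github.co.",
    "2026-03-26T10:00:04Z 10.0.5.22 pypi.org.",
]

if __name__ == "__main__":
    for action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"UNPINNED {action}@{ref}")
    for client, qname, verdict in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT {verdict}: {client} -> {qname}")
```

The lookalike check is intentionally loose (edit distance 2 on the registered domain) and will need tuning against your own egress baseline; it is there to catch the next typosquat, whereas the exact C2 match only catches this one.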
Sources: CISA KEV Alert March 26 · CrowdStrike Analysis · Microsoft Detection Guide · Aqua Security Disclosure
2. PTC Windchill/FlexPLM Pre-Auth RCE — CVE-2026-4681
TL;DR: CVSS 10.0 unsafe-deserialization RCE in PTC Windchill PDMLink and FlexPLM with no production patch available. PTC warns of a credible, imminent exploitation threat from an unnamed third-party group; specific file and request IOCs have been published for hunting.
What’s New:
- PTC advisory updated March 26 with “imminent threat” language citing credible third-party exploitation intelligence
- Exploitation via unsafe Java deserialization in a publicly accessible servlet — unauthenticated, network-exploitable
- PTC published specific IOCs: presence of `GW.class`, `payload.bin`, or `dpr_<8-hex>.jsp` on the server indicates successful weaponization
- Suspicious request patterns `run?p=` and `.jsp?c=` in web access logs indicate active exploitation attempts
- No patch available; the only mitigation is Apache/IIS rewrite rules that deny access to the affected servlet path
- Affects Windchill PDMLink 11.0–13.1.3.0 and FlexPLM 11.0–13.0.3.0 (all CPS before 11.0 M030 also vulnerable)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| GW.class on Windchill server | Webshell/payload | T1505.003 | File integrity monitoring | Hunt, quarantine |
| payload.bin on Windchill server | Staged payload | T1105 | File integrity monitoring | Hunt, quarantine |
| dpr_[0-9a-f]{8}\.jsp | Generated webshell | T1505.003 | File integrity monitoring / web logs | Hunt, quarantine |
| Requests matching run?p= | Exploitation attempt | T1190 | WAF / web access logs | Block via servlet deny rule |
| Requests matching .jsp?c= | Webshell interaction | T1505.003 | WAF / web access logs | Block, investigate |
| GW_READY_OK in error logs | Gateway exploitation artifact | T1190 | Application logs | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Windchill-specific rules; need: file creation alert for GW.class/payload.bin/dpr_*.jsp; URI pattern match for run?p= |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes (partial) | Gap: no Windchill servlet-specific coverage |
| Sigma | Webshell Detection via File Creation (generic, partial) | Gap: need Windchill-specific file paths and URI patterns |
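Added example for the Windchill-specific file-path and URI gaps the detection table lists. This is not code from the brief, from PTC or from any vendor detection guide: it applies the published file-name IOCs to a list of paths (as a file-integrity tool would report them) and the published request patterns to NCSA-style access log lines. The log format, the sample paths, the sample requests and the `/Windchill/example/` servlet path in the sample URI are constructed placeholders; the brief does not reproduce the advisory's exact servlet path.

```python
"""Added example (not from the brief, PTC or a vendor guide): hunt the
published Windchill IOCs in (a) file paths and (b) access log lines.
Log format, sample data and the servlet path are constructed assumptions."""
import re

# File-name IOCs quoted from the brief; match on the final path component only.
FILE_IOC_RE = re.compile(r"(?:^|[\\/])(GW\.class|payload\.bin|dpr_[0-9a-f]{8}\.jsp)$")

# Request-pattern IOCs quoted from the brief, checked in severity order.
URI_IOCS = [
    ("exploitation_attempt", re.compile(r"run\?p=")),
    ("webshell_interaction", re.compile(r"\.jsp\?c=")),
    ("webshell_access", re.compile(r"/dpr_[0-9a-f]{8}\.jsp")),
]

# NCSA common/combined log line (Apache default; assumed for IIS exports too).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def hunt_paths(paths):
    """Return the paths whose file name matches a published file IOC."""
    return [p for p in paths if FILE_IOC_RE.search(p)]


def classify_uri(uri):
    """Return the first matching IOC label, or None for a clean request."""
    for label, rx in URI_IOCS:
        if rx.search(uri):
            return label
    return None


def hunt_access_log(lines):
    """Return (client, uri, status, label) for each IOC hit.
    Lines that do not parse are skipped rather than classified as clean."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        label = classify_uri(m.group("uri"))
        if label:
            hits.append((m.group("client"), m.group("uri"), int(m.group("status")), label))
    return hits


# Constructed paths as a file-integrity tool might report them.
SAMPLE_PATHS = [
    "/opt/ptc/Windchill/codebase/GW.class",
    "/opt/ptc/Windchill/codebase/dpr_1a2b3c4d.jsp",
    "/opt/ptc/Windchill/codebase/dpr_readme.jsp",  # not 8 hex digits: no hit
    "C:\\ptc\\Windchill\\tmp\\payload.bin",
    "/opt/ptc/Windchill/codebase/index.jsp",
]

# Constructed access-log lines; '/Windchill/example/' is a placeholder path.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2026:10:01:02 +0000] "POST /Windchill/example/run?p=AAAA HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Mar/2026:10:01:05 +0000] "GET /Windchill/dpr_1a2b3c4d.jsp?c=id HTTP/1.1" 200 40',
    '203.0.113.7 - - [26/Mar/2026:10:01:09 +0000] "GET /Windchill/dpr_1a2b3c4d.jsp HTTP/1.1" 200 40',
    '198.51.100.3 - - [26/Mar/2026:10:02:00 +0000] "GET /Windchill/app/ HTTP/1.1" 200 8192',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for p in hunt_paths(SAMPLE_PATHS):
        print(f"FILE IOC {p}")
    for client, uri, status, label in hunt_access_log(SAMPLE_LOG):
        print(f"{label}: {client} {uri} -> {status}")
```

A `run?p=` request answered with a 200 is the sequence to escalate on first; a `dpr_<8-hex>.jsp` request from the same client shortly afterwards, as in the sample, is the webshell being used rather than merely dropped.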
Sources: PTC Advisory · BleepingComputer · Kudelski Security
Status Updates
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing; no new IOCs since March 26. Public PoC remains available. Original brief.
- CVE-2026-3055 (Citrix NetScaler): Still no public PoC or in-the-wild (ITW) exploitation; Rapid7 and Arctic Wolf maintain a high weaponization likelihood. Patch urgency unchanged. Original brief.
- CVE-2026-33017 (Langflow): CISA KEV added March 25 (federal deadline April 8); exploitation ongoing per Sysdig. Original brief.