At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
BeyondTrust Releases Fix for Critical Remote Code Execution Flaw
BeyondTrust has released one critical security fix addressing CVE-2026-1731, which affects Remote Support (RS) versions 25.3.1 and earlier and Privileged Remote Access (PRA) versions 24.3.4 and earlier.
The vulnerability is a critical pre-authentication remote code execution flaw: an unauthenticated remote attacker can send specially crafted requests that execute operating system commands in the context of the site user.
RECOMMENDATIONS
- Apply the BeyondTrust fix to all affected Remote Support and Privileged Remote Access instances, including self-hosted appliances, and confirm the running version is no longer in the affected range.
Microsoft Addresses Critical Semantic Kernel Vulnerability
Microsoft has released a critical security update to fix a vulnerability in the Microsoft Semantic Kernel. This is a tool used to build and manage AI agents and multi-agent systems.
The update addresses a critical vulnerability (CVE-2026-25592) that allows an unauthorized file write in the Semantic Kernel .NET SDK before version 1.70.0. The issue is specifically in the SessionsPythonPlugin. It is fixed in Microsoft.SemanticKernel.Core version 1.70.0.
As a temporary mitigation, users can register a Function Invocation Filter that validates the local file paths passed to DownloadFileAsync and UploadFileAsync, ensuring that every path resolves to a location on an approved list before the call is allowed to proceed.
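The following C# filter is an added example of the interim mitigation described above; it is not code from the Semantic Kernel repository or the Microsoft advisory. It assumes that the plugin exposes the local path as a parameter named localFilePath, and that the approved directory is /srv/sk-files (a placeholder). Semantic Kernel normally strips a trailing Async from a method name when it registers the function, so the filter matches both spellings.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading.Tasks;
using Microsoft.SemanticKernel;

// Added example: blocks SessionsPythonPlugin file transfers whose local path
// falls outside one approved directory. Function and parameter names are
// assumptions about the plugin's public surface, not taken from the advisory.
public sealed class LocalPathAllowListFilter : IFunctionInvocationFilter
{
    // Both the method names and the Async-stripped names SK registers by default.
    private static readonly HashSet<string> GuardedFunctions =
        new(StringComparer.OrdinalIgnoreCase)
        {
            "DownloadFileAsync", "UploadFileAsync", "DownloadFile", "UploadFile"
        };

    private readonly string _allowedRoot;

    public LocalPathAllowListFilter(string allowedRoot)
    {
        // Canonicalise once and keep a trailing separator so that
        // "/srv/sk-files" does not also match "/srv/sk-files-evil".
        _allowedRoot = Path.GetFullPath(allowedRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
    }

    public async Task OnFunctionInvocationAsync(
        FunctionInvocationContext context,
        Func<FunctionInvocationContext, Task> next)
    {
        if (GuardedFunctions.Contains(context.Function.Name) &&
            context.Arguments.TryGetValue("localFilePath", out object? value) &&
            value is string localFilePath &&
            !string.IsNullOrEmpty(localFilePath) &&
            !IsUnderAllowedRoot(localFilePath))
        {
            // Fail closed: throwing here aborts the call before the plugin touches disk.
            throw new KernelException(
                $"Blocked {context.Function.PluginName}.{context.Function.Name}: " +
                $"local path '{localFilePath}' is outside '{_allowedRoot}'.");
        }

        await next(context);
    }

    // Resolve "..", relative segments and mixed separators before comparing,
    // so "/srv/sk-files/../etc/passwd" is rejected rather than prefix-matched.
    public bool IsUnderAllowedRoot(string candidate)
    {
        string full = Path.GetFullPath(candidate);
        return full.StartsWith(_allowedRoot, StringComparison.Ordinal);
    }
}

// Registration, once the Kernel has been built (placeholder directory):
//   kernel.FunctionInvocationFilters.Add(new LocalPathAllowListFilter("/srv/sk-files"));
```

Two caveats a practitioner would want: Path.GetFullPath does not resolve symbolic links, so the approved directory itself must not contain links pointing elsewhere, and on case-insensitive file systems such as Windows the prefix comparison should use StringComparison.OrdinalIgnoreCase. The filter is a stop-gap only; upgrading to Microsoft.SemanticKernel.Core 1.70.0 remains the fix.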
RECOMMENDATIONS
- Upgrade Microsoft.SemanticKernel.Core to version 1.70.0 or later; until the upgrade is deployed, apply a function invocation filter that restricts the file paths accepted by the SessionsPythonPlugin.
The Shadow Campaigns: Uncovering Global Espionage
Researchers have uncovered a previously unknown cyber-espionage actor, TGR-STA-1030, responsible for a series of operations known as the Shadow Campaigns. Over the past year, the group has successfully targeted government and critical infrastructure organizations across 37 countries while conducting reconnaissance activities on government networks in 155 nations in late 2025.
The group's targets have included law-enforcement agencies and ministries of finance, trade, energy, immigration, and diplomatic institutions, indicating a strategic focus on political and economic intelligence. The actor relies on phishing, exploits known vulnerabilities, and employs a diverse toolset including Cobalt Strike, VShell, and custom malware such as the Linux rootkit ShadowGuard to gain and maintain access.
RECOMMENDATIONS
- Prioritize enhanced network monitoring, intrusion detection, and threat-hunting capabilities.
- Implement robust access controls and enforce multi-factor authentication (MFA).
- Regularly review and update incident response plans, with a focus on potential long-term compromise scenarios.
- Engage in proactive threat intelligence sharing to better understand the evolving tactics and indicators of compromise associated with this campaign.
Fortinet Releases Critical Fix Addressing FortiClientEMS Vulnerability
Fortinet has released one security fix rated Critical. The update addresses a vulnerability identified in FortiClientEMS.
The fix resolves [Critical] CVE-2026-21643, an SQL injection vulnerability in Fortinet FortiClientEMS version 7.4.4. This issue could allow an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted HTTP requests.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Upgrade to upcoming FortiClientEMS version 8.0.0 or above
- Upgrade to FortiClientEMS version 7.4.5 or above.
Researchers Uncover DKnife Framework Exploiting Linux Gateways
Researchers have uncovered a sophisticated gateway-based adversary-in-the-middle framework known as DKnife, identified during investigations into the MOONSHINE exploit kit and the DarkNimbus backdoor. DKnife has been active since at least 2019 and operates on Linux-based edge and router devices, where it performs deep packet inspection, Domain Name System (DNS) manipulation, hijacking of Android and Windows application updates, credential harvesting, and real-time monitoring of user activity. The researchers reference the WizardNet campaign only to highlight overlapping infrastructure and techniques, such as IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing and forged update responses, which suggest a possible shared development or operational lineage.
Evidence from configuration files indicates that DKnife primarily targets Chinese-language services, including WeChat and local mobile applications. However, related activity has also been observed in regions across the Middle East and Southeast Asia. The framework consists of several coordinated Executable and Linkable Format (ELF) components responsible for traffic interception, malware delivery, and data exfiltration to remote command servers.
RECOMMENDATIONS
- Monitor routers and edge devices for unknown binaries or unexpected configuration changes.
- Enforce strong administrative controls with multi-factor authentication (MFA) and restrict remote management access to the devices.
- Inspect DNS responses for unauthorized redirections to internal IP addresses.
- Validate application updates and block unexpected HTTP redirects.
- Enable strict Transport Layer Security (TLS) validation and reject self-signed or untrusted certificates.
- Segment gateway devices to limit their ability to intercept or manipulate network traffic.
References
https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64
https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d
https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/