
Quest Security and Service Advisories

As an ongoing service to Quest's valued clients, our team of experts monitors security and service advisories we are seeing in the market from multiple vendors and these important notices are sent to our clients. You can view an overview of our recent advisories below. If you need more information on any of these advisories, or would like to set up a meeting to discuss them further, please reach out to our team.

May 2026

Security Advisory: Critical Vulnerability in Palo Alto PAN-OS User-ID Authentication Portal (5/6)

Service Advisory: Critical Vulnerability in Major Linux Distributions (5/1)

April 2026

Service Advisory: Privilege Escalation Risk in Windows 11 and Server 2025 (4/16)

Security Advisory: Critical Vulnerabilities in Cisco Identity Services (ISE) (4/15)

Security Advisory: Microsoft Deprecation of RC4 Encryption in Windows Kerberos (4/1)

March 2026

Service Advisory: Important Updates to Duo Mobile App and OS Versions (3/27)

Security Advisory: Critical Vulnerabilities in Citrix NetScaler ADC and Gateway (3/25)

Security Advisory: Critical Veeam Backup and Replication Vulnerabilities Identified (3/12)

Security Advisory: Heightened Cyber Risk from Iranian State-Nexus Threat Actors (3/10)

Security Advisory: Critical Vulnerability in Cisco Secure Firewall Management Center (3/6)

Security Advisory: External Access Risks in Microsoft Teams and RMM Tools (3/4)

February 2026

Security Advisory: Critical Cisco Catalyst SD-WAN Vulnerabilities (2/25)

Security Advisory: Critical Vulnerabilities in Dell RecoverPoint (2/19)

Security Advisory: Emerging Security Risks in Autonomous AI Agents (2/12)

Security Advisory: Notepad++ Update Compromise (2/4)

January 2026

Security Advisory: Cisco Communications Manager Vulnerability impacting Multiple Products (1/22)

Security Advisory: Strengthen Email Security with BIMI (1/20)

Security Advisory: Fortinet Vulnerability impacting Multiple Products (1/15)

May 2026

Security Advisory: Critical Vulnerability in Palo Alto PAN-OS User-ID Authentication Portal (5/6):

Quest has been notified of a security advisory addressing a vulnerability in Palo Alto (PAN-OS) User-ID Authentication Portal. Also known as the Captive Portal, the User-ID Authentication Portal is a PAN-OS security feature that authenticates users whose identities cannot be automatically mapped by the firewall.

Vendor: Palo Alto / PAN-OS
CVE(s): CVE-2026-0300
CVSS: 9.3 (Critical)
In the Wild: Yes
Unauthenticated: Yes

Description:
Palo Alto Networks has identified a critical vulnerability affecting the User-ID Authentication Portal (also known as the Captive Portal) service of Palo Alto Networks PAN-OS software.

Impact:
Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets that trigger a buffer overflow condition.

Workarounds:
Yes. Customers restricting sensitive portals to trusted internal networks are at a greatly reduced risk. Disabling the User-ID Authentication Portal is recommended if it is not required.

Link to Source(s): Palo Alto Advisory

IOC Available: No

Recommendation:
Review vendor advisories to confirm applicability, configure workarounds (as described in the vendor advisory), and apply updates once available.

If you need assistance with reviewing and patching your Palo Alto devices or would like to discuss this vulnerability in more detail, let us know, and we will set up a call.

Service Advisory: Critical Vulnerability in Major Linux Distributions (5/1):

Quest has been notified of a security advisory addressing a critical vulnerability in most major Linux distributions. The Linux vulnerability, known as “Copy Fail,” could allow an unprivileged local user to gain root permissions.

Vendor: Major Linux Distributions
CVE(s): CVE-2026-31431
CVSS: 7.8 (High)
In the Wild: Yes, a public exploit is available and reported to be reliable.
Unauthenticated: Yes

Description:

CVE-2026-31431, known as “Copy Fail,” is a local privilege escalation vulnerability affecting Linux kernel versions distributed since 2017. This vulnerability allows an unprivileged local user to gain root access through exploitation of the kernel’s authencesn cryptographic template (the authenc template with extended sequence numbers, used for IPsec ESP).

Impact:

The flaw allows a local user to modify the kernel’s cached copy of a file in memory without changing the file on disk. By targeting a privileged binary, an attacker can gain root access.

Workarounds:

Yes, please see vendor advisories for further details.

Link to Source(s):

IOC Available: No.

Recommendation:

Review vendor advisories to confirm applicability and apply updates as necessary.

If you need assistance with reviewing and patching impacted Linux distributions or would like to discuss this vulnerability in more detail, please let us know, and we will set up a call.

April 2026

Service Advisory: Privilege Escalation Risk in Windows 11 and Server 2025 (4/16):

Quest has been made aware of a critical privilege escalation vulnerability affecting Windows 11 and Windows Server 2025 (CVE-2025-60710). This vulnerability has recently been added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA). Recent reports confirm that it is being actively exploited in the wild. It allows attackers with basic user-level access to escalate privileges to SYSTEM, effectively granting full control of the affected device.

CISA has issued a directive requiring federal agencies to remediate this vulnerability within two weeks, highlighting the urgency and the real-world exploitation risk.

Summary:

  1. Vulnerability Type: Privilege Escalation
  2. Affected Systems: Windows 11 and Windows Server 2025 (unpatched systems)
  3. Attack Complexity: Low
  4. Privileges Required: Low (initial access required)
  5. Impact: SYSTEM-level access, full device compromise

Why This Matters:
While this is not an initial access vulnerability, it is highly valuable to attackers as a post-compromise escalation mechanism. This vulnerability aligns with common attack chains:

  1. Initial Access: Phishing, credential theft, or exposed services.
  2. Privilege Escalation: Exploitation of CVE-2025-60710.
  3. Post-Exploitation: Persistence, lateral movement, and potential ransomware deployment.

This type of vulnerability is frequently leveraged to:

  1. Bypass endpoint protections.
  2. Disable security tooling.
  3. Establish durable persistence.

Risk to Your Environment:

Organizations are at elevated risk if:

  • Systems are not patched (missing November 2025 or later updates).
  • Endpoints allow execution from standard user contexts.
  • There is limited Endpoint Detection and Response (EDR) visibility or privilege monitoring.

Recommendations:

  1. Apply Microsoft security updates addressing CVE-2025-60710 immediately.
  2. Validate patch levels across all Windows 11 and Windows Server 2025 assets.

Priority: Critical – Immediate Action Required
Given the confirmed exploitation and inclusion in the CISA KEV catalog, we strongly recommend prioritizing remediation and validation efforts without delay.

If you need help reviewing and patching impacted Windows 11 or Windows Server 2025 systems, or if you’d like to discuss this vulnerability in more detail, please let us know, and we will set up a call.

Security Advisory: Critical Vulnerabilities in Cisco Identity Services (ISE) (4/15):

Quest has been notified of a security advisory addressing critical vulnerabilities in Cisco Identity Services Engine (ISE). Cisco has patched critical security vulnerabilities that could allow unauthenticated users to perform authentication bypass, remote code execution (RCE), and path traversal on impacted products listed in their security advisories.

Vendor: Cisco
CVE(s): CVE-2026-20147, CVE-2026-20148, CVE-2026-20180, CVE-2026-20186
CVSS: 9.9 (Critical)
In the Wild: Cisco PSIRT is not aware of any public announcements or malicious use of this vulnerability at the time of this posting.
Unauthenticated: No

Description: Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.

Impact: A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.

Workarounds: None.

Link to Source(s): CVE-2026-20147, CVE-2026-20148, CVE-2026-20180, CVE-2026-20186

IOC Available: No.

Recommendation: Review vendor advisories to confirm applicability and apply updates as necessary.

If you need assistance with reviewing and patching impacted Cisco Identity Services Engine (ISE) devices or would like to discuss these vulnerabilities in more detail, let us know, and we will set up a call.

Security Advisory: Microsoft Deprecation of RC4 Encryption in Windows Kerberos (4/1):

Microsoft has announced a phased deprecation and default disablement of RC4 (Rivest Cipher 4) encryption within Windows Kerberos authentication due to vulnerabilities disclosed under CVE-2026-20833. RC4 is considered cryptographically weak and susceptible to modern credential theft attacks, such as Kerberoasting.

As part of this change, Microsoft will update Windows domain controller behavior so that AES-based encryption is used by default, and authentication requests relying on RC4 will eventually fail unless explicitly remediated. To avoid authentication issues, organizations must plan and complete a safe migration from RC4 to AES before enforcement.

View the announcement here: Managing Kerberos RC4 Usage for Service Accounts (CVE-2026-20833)

Microsoft’s Enforcement Timeline:

  • January 2026 – Audit Phase Starts
  • April 2026 – Phase 1 Enforcement (Enforced with Microsoft April ’26 Patch Tuesday OS patches. Applications and accounts may start to fail if not remediated; manual rollback option available.)
  • July 2026 – Phase 2 Final Enforcement (Manual rollback option removed to force AES encryption.)

Potential Impact:

  • Legacy service accounts using RC4-only encryption
  • Older NAS devices or appliances integrated with Active Directory
  • Any third-party applications that do not support AES Kerberos encryption
  • Non-Windows systems (including Linux-based systems) authenticating to Active Directory

Recommendation:

Quest recommends the following actions to avoid business disruption:

  • Ensure all domain controllers are fully patched on or after January 13, 2026 (to enable additional audit and control features).
  • Identify RC4 usage:
    • If a SIEM platform is available, review Domain Controller logs for Kerberos-related events that may indicate RC4 usage.
    • Use Microsoft-provided temporary registry keys and scripts to detect RC4 dependencies in Domain Controller logs.
  • Remediate impacted accounts and applications:
    • Reset passwords for service accounts to generate AES keys.
    • Upgrade or replace non-compliant devices or applications (engage application vendors as needed, as remediation may require application-level changes outside of infrastructure management).
  • Continue to test/review logs to ensure RC4 event findings are no longer being generated.
  • Ensure all domain controller backups are successful (prior to the implementation of Microsoft’s April 14 Patch Tuesday).
  • Patch domain controllers during a low-impact maintenance window and allow adequate time for remediation.
  • Test all business processes. If impacted, follow up with Quest or Microsoft to assist with the assessment and configuration of a temporary workaround.
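
As an added example (not a Microsoft script and not part of this advisory), the Python below walks constructed Domain Controller audit records, a simplified key=value rendering of Kerberos events 4768 and 4769 rather than a real EVTX export, flags tickets issued with RC4-HMAC, and then applies the msDS-SupportedEncryptionTypes check that decides which accounts will break under AES-only enforcement. The event IDs, the 0x17 encryption-type code for RC4-HMAC and the attribute bit values are Microsoft-documented; the sample records, account names and hosts are constructed.

```python
"""Find Kerberos RC4 usage in DC audit records and decide which accounts need remediation.

Documented values used here:
  Event 4768 (TGT request) and 4769 (service ticket request) carry a
  "Ticket Encryption Type" field: 0x17 = RC4-HMAC, 0x11 = AES128-CTS-HMAC-SHA1-96,
  0x12 = AES256-CTS-HMAC-SHA1-96.
  msDS-SupportedEncryptionTypes is a bitmask: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
"""
import re
from collections import defaultdict

ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
# Anything that will fail once AES is enforced.
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# msDS-SupportedEncryptionTypes flag bits
SUPPORTED_RC4 = 0x4
SUPPORTED_AES128 = 0x8
SUPPORTED_AES256 = 0x10

# Constructed sample records (assumption: one event per line, key=value fields).
# A real export would come from the Security log of each domain controller.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=svc_backup ServiceName=MSSQLSvc/db01.corp.example:1433 TicketEncryptionType=0x17 IpAddress=10.0.5.21
EventID=4769 TargetUserName=alice ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.7.10
EventID=4768 TargetUserName=nas01$ ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.9.4
EventID=4769 TargetUserName=bob ServiceName=HTTP/intranet.corp.example TicketEncryptionType=0x11 IpAddress=10.0.7.11
EventID=4624 TargetUserName=carol LogonType=3 IpAddress=10.0.7.12
EventID=4769 TargetUserName=svc_backup ServiceName=MSSQLSvc/db01.corp.example:1433 TicketEncryptionType=0x17 IpAddress=10.0.5.22
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def rc4_findings(text):
    """Group Kerberos ticket events that used a weak encryption type by (account, service).

    Returns {(account, service): {"count": n, "sources": {client IPs}, "etype": name}}.
    Only 4768/4769 are inspected; other event IDs are ignored.
    """
    findings = defaultdict(lambda: {"count": 0, "sources": set(), "etype": None})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") not in {"4768", "4769"}:
            continue
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if etype not in WEAK_ETYPES:
            continue
        key = (ev["TargetUserName"], ev.get("ServiceName", ""))
        entry = findings[key]
        entry["count"] += 1
        entry["sources"].add(ev.get("IpAddress", "?"))
        entry["etype"] = ETYPE_NAMES.get(etype, hex(etype))
    return dict(findings)


def account_needs_remediation(supported_etypes, has_aes_keys):
    """Decide whether an account will fail under AES-only enforcement.

    supported_etypes: the account's msDS-SupportedEncryptionTypes value, or None if unset.
    has_aes_keys: whether AES keys exist for the account (they are derived only when the
                  password is set on a domain that supports AES, hence the advisory's
                  "reset passwords for service accounts" step).
    """
    if supported_etypes is None:
        # Attribute unset: the DC falls back to its defaults, but AES keys are still required.
        return not has_aes_keys
    allows_aes = bool(supported_etypes & (SUPPORTED_AES128 | SUPPORTED_AES256))
    return (not allows_aes) or (not has_aes_keys)


def report(text):
    """Human-readable summary, sorted so the noisiest (account, service) pair comes first."""
    rows = sorted(rc4_findings(text).items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{acct} -> {svc or '-'}: {info['count']} x {info['etype']} from {', '.join(sorted(info['sources']))}"
        for (acct, svc), info in rows
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(row)
    # Constructed account attributes: svc_backup is RC4-only, nas01$ allows AES but never
    # had its password reset, so neither has AES keys yet.
    for name, etypes, aes_keys in [("svc_backup", SUPPORTED_RC4, False),
                                   ("nas01$", SUPPORTED_RC4 | SUPPORTED_AES256, False),
                                   ("alice", None, True)]:
        print(name, "needs remediation" if account_needs_remediation(etypes, aes_keys) else "ok")
```

The same grouping applies to a real export: filter the DC Security log to events 4768/4769, keep the ones whose Ticket Encryption Type is 0x17, and the (account, service) pairs that remain are the RC4 dependencies to chase before the April enforcement.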

Useful Microsoft links:

If you need assistance identifying RC4 usage, validating application compatibility, or planning a phased remediation in more detail, please let us know, and we will set up a call.

March 2026

Service Advisory: Important Updates to Duo Mobile App and OS Versions (3/27):

To ensure uninterrupted access and maintain the highest levels of security, Duo Mobile is implementing important updates and changes to its app and supported operating systems. These updates will impact users who have not upgraded their Duo Mobile app or are using older versions of iOS and Android. Please review the details below to understand how these changes may affect your organization and take the necessary steps to prepare.

Key Updates:

  1. As of March 31, 2026, Duo Mobile users must upgrade the Duo Mobile app to version 4.85 or they will not be able to authenticate.
  2. As of April 16, 2026, Duo Mobile will no longer support iOS 16 and Android 11. The new minimum supported versions will be iOS 17 and Android 12.

This end-of-support milestone means that:

  • Duo teams will no longer be able to troubleshoot issues with Duo Mobile running on iOS 16 and Android 11 or older.
  • Duo Push will continue to work on already-installed versions of Duo Mobile on iOS 16 and Android 11, and users will still be able to authenticate.
  • Duo Mobile-generated passcodes will also continue to work on already-installed versions of the app, and users will still be able to authenticate.
  • SMS-delivered passcodes and phone callback authentication are not affected by this change, as these methods do not rely on Duo Mobile.
  • Duo Mobile will continue to be fully supported on iOS 17 and Android 12 or newer.
  • Mobile devices using iOS 16 and Android 11 will no longer receive Duo Mobile maintenance fixes or security updates.
  • Users cannot download the latest version of Duo Mobile on mobile devices running iOS 16 and Android 11.

Quest recommends taking proactive measures to ensure your users are prepared for these changes and avoid any disruptions to their authentication process.

If you have any questions or need assistance with these updates, please let us know. Our team is here to help you navigate these changes and maintain a secure authentication experience.

Security Advisory: Critical Vulnerabilities in Citrix NetScaler ADC and Gateway (3/25):

Quest has been notified of a security advisory addressing critical vulnerabilities in NetScaler ADC and NetScaler Gateway. Citrix has urgently patched these vulnerabilities, which could allow unauthenticated users to perform Out-of-Bounds Read and Race Condition attacks on impacted products listed in their Security Advisory.

Vendor: Citrix

CVE(s): CVE-2026-3055, CVE-2026-4368

CVSS: 9.3 (Critical)

In the Wild: No. Although these vulnerabilities were identified internally, it is expected that threat actors may attempt to reverse engineer the patch to develop exploit capabilities. These vulnerabilities are being referenced as “similar” to the CitrixBleed Zero-day, which was a significant business-impacting exploit.

Unauthenticated: Yes

Description: A vulnerability in Citrix ADC and Citrix Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) could allow an unauthenticated, remote attacker to perform an Out-of-Bounds Read and Race Condition on an affected device.

Impact: A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges.

Workarounds: None

Link to Source(s): Citrix Advisory Link

IOC Available: No

Recommendation: Review the vendor advisory, confirm applicability, and apply updates as soon as possible.

If you need assistance with reviewing and patching impacted NetScaler ADC and NetScaler Gateway devices or would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.

Security Advisory: Critical Veeam Backup and Replication Vulnerabilities Identified (3/12):

Quest has been notified of a security advisory addressing critical vulnerabilities in affected versions of Veeam Backup and Replication. Veeam has patched several critical security vulnerabilities that could allow authenticated users to perform Remote Code Execution (RCE) on impacted products listed in their security advisories.

Vendor: Veeam Backup and Replication (VBR)

VBR version 12

CVE(s): CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21672, CVE-2026-21708

VBR version 13

CVE(s): CVE-2026-21708, CVE-2026-21669, CVE-2026-21672, CVE-2026-21670, CVE-2026-21671

CVSS: 9.9 (Critical)

In the Wild: No

Unauthenticated: No

Description: Multiple vulnerabilities in the Veeam Backup and Replication platform could allow an authenticated, remote attacker to perform remote code execution (RCE) against the affected versions.

Impact: A successful exploit could allow the attacker to execute arbitrary code on the VBR system, elevating privileges to gain full control of the backup system.

Workarounds: None

Link to source(s): Veeam Version 12, Veeam Version 13

IOC available: No

Recommendation: Review vendor advisories, confirm applicability, and apply updates as necessary.

If you need assistance with reviewing and patching impacted Veeam Backup and Replication systems or would like to discuss these vulnerabilities in more detail, please let us know.

Security Advisory: Heightened Cyber Risk from Iranian State-Nexus Threat Actors (3/10):

Quest’s Threat Intelligence is advising customers to continue increasing defensive vigilance due to a heightened risk of cyber activity from Iranian state-sponsored and state-aligned threat actors. Multiple government agencies have issued recent warnings indicating that Iranian cyber groups have increased their operational tempo, actively targeting vulnerable organizations—particularly those with unpatched systems, exposed remote access services, and weak identity controls.

Recently Observed Middle East Threat Actor Patterns:

Spear-Phishing / Social Engineering Campaigns: Phishing emails containing “themed” lure attachments (e.g., Invoice, Voicemail), which subsequently execute remote monitoring and management (RMM) tools and ultimately download the legitimate file-transfer tool WinSCP to extract data.

Vulnerabilities: Exploitation of known vulnerabilities in internet-facing devices, remote access appliances, VPNs, firewalls, and web applications (in some cases, IP surveillance cameras for reconnaissance). Exploitation of known vulnerabilities in unpatched operating systems and installed applications to gain SYSTEM-level privileges.

Weak Authentication: Targeted operations against operational technology (OT) and industrial control systems (ICS) using default or weak credentials and poor security configurations.

Recommendations:

1. Conduct a full external attack surface scan and apply all critical patches (prioritize remote access appliances and VPNs).

2. Validate EDR coverage across servers, endpoints, and virtual environments.

3. Review and remediate identified risks of unpatched workstations, servers, and appliances.

4. Train staff on advanced social engineering tactics and enhance monitoring for phishing indicators.

5. Implement network segmentation (especially IT/OT separation), geo-blocking, and zero-trust (ZTNA) principles.

6. Validate offline, immutable backups and test incident response plans for ransomware/wiper scenarios.

7. Hunt and monitor for password spraying, brute-force attacks, or MFA fatigue attempts in Microsoft 365/Entra ID, VPN, and email environments.

8. Monitor and control the use of common threat actor tradecraft tools (e.g., RMM applications, RDP, PsExec, Rclone, ngrok).

9. Conduct Microsoft 365 breach simulations to identify identity and access weaknesses and validate real-world security posture.

If you need assistance with reviewing Quest recommendations or would like help addressing other related cyber risks, please let us know.

Security Advisory: Critical Vulnerability in Cisco Secure Firewall Management Center (3/6):

Quest has been notified of a security advisory addressing a critical vulnerability in Cisco Secure Firewall Management Center. Cisco has patched a critical security vulnerability that could allow unauthenticated users to perform authentication bypass and remote code execution (RCE) on impacted products listed in their security advisories.

Vendor: Cisco
CVE(s): CVE-2026-20131, CVE-2026-20079
CVSS: 10.0 (Critical)
In the Wild: Cisco PSIRT is not aware of any public announcements or malicious use of this vulnerability at the time of this posting.
Unauthenticated: Yes

Description: A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.

Impact: A successful exploit could allow the attacker to bypass authentication and execute arbitrary code on the device, elevating privileges to root.

Workarounds: None.

Link to Source(s): CVE-2026-20131, CVE-2026-20079

IOC Available: No.

Recommendation: Review vendor advisories to confirm applicability and apply updates as necessary.

If you need assistance with reviewing and patching impacted Cisco Secure Firewall Management Center devices or would like to discuss these vulnerabilities in more detail, please let us know.

Security Advisory: External Access Risks in Microsoft Teams and RMM Tools (3/4):

Given recent global events, Quest has observed a sharp rise in malicious social engineering activity exploiting Microsoft Teams, AnyDesk, ScreenConnect, and other RMM tools to gain external access to machines. Threat actors are initiating chats and voice calls from external tenants while impersonating internal IT or help desk personnel, attempting to persuade users to deploy or approve remote access sessions to their workstations. In many cases, the RMM software involved is legitimate and may even align with tools already used within the organization. What begins as a routine-looking support interaction can escalate rapidly, leading to ransomware execution, data theft, and fraudulent financial transactions within minutes or hours.

Microsoft Teams is especially favored by attackers because external federation is enabled by default. This gives external threat actors a direct communication channel into the organization without having to deploy any software beforehand; the remote-control software is only introduced during the fraudulent support interaction itself.

Recommended Actions:

  1. Disable Microsoft Teams external access if there is no business requirement.
  2. Where outside collaboration is necessary, allow Microsoft Teams to communicate only with explicitly approved partner domains.
  3. Avoid relying solely on domain blocklists as a protective measure.
  4. Restrict Microsoft Teams federation capabilities to specifically authorized users.
  5. Strengthen meeting and other collaboration tools by enforcing authenticated access, using lobbies or waiting rooms, and limiting guest participation.
  6. Use application control and network-level controls to limit or block unused RMM applications.
  7. Perform continuous security audits and monitoring to proactively identify and respond to suspicious activities and potential threats.

Implementing these safeguards can significantly reduce the likelihood of Teams/RMM phishing, account compromise, ransomware incidents, and unauthorized data exposure.

For assistance in reviewing your Microsoft Teams configuration or assessing your RMM control posture, please reach out to our team.

February 2026

Security Advisory: Critical Cisco Catalyst SD-WAN Vulnerabilities (2/25):

Quest has been notified of security advisories addressing multiple critical vulnerabilities in Cisco Catalyst SD-WAN products currently under global exploitation. Cisco has urgently patched critical security vulnerabilities that could allow unauthenticated users to bypass authentication and elevate privileges to root on impacted products listed in their Security Advisory.

Vendor: Cisco

CVE(s): CVE-2026-20127, CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133

CVSS: 9.8-10.0 (Critical)

In the wild: Yes

Unauthenticated: Yes

Description: Cisco Catalyst SD-WAN Controller Authentication Bypass, Privilege Escalation Vulnerabilities

Impact: Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files. An additional vulnerability in the peering authentication of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.

Workarounds: None

Link to source(s):

Cisco Catalyst SD-WAN Controller Auth Bypass CVE-2026-20127:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Cisco Catalyst SD-WAN Vulnerabilities CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

IOC available: Yes

Recommendation:

1. Inventory all in-scope Cisco SD-WAN systems.

2. Collect artifacts, including virtual snapshots and logs from SD-WAN systems, to support threat-hunting activities.

3. Fully patch Cisco SD-WAN systems with available updates.

4. Hunt for evidence of compromise.

5. Concurrently review Cisco’s latest security advisories, Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability and Cisco Catalyst SD-WAN Vulnerabilities, and implement Cisco’s SD-WAN Hardening Guidance.

CISA has also provided guidance: CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems | CISA

If you need assistance with threat hunting, artifact collection, hardening configuration, updating Cisco Catalyst SD-WAN products, or would like to discuss these vulnerabilities in more detail, please reply to this email, and we will set up a call.

Security Advisory: Critical Vulnerabilities in Dell RecoverPoint (2/19):

Quest has been notified of a maximum-severity zero-day security advisory addressing critical risks in Dell RecoverPoint for Virtual Machines. Dell is urging customers to immediately update Dell RecoverPoint for Virtual Machines to a patched version or apply one of the remediations.

Vendor: Dell / RecoverPoint

CVE(s): CVE-2026-22769

CVSS: 10.0 (Critical)

In the wild: Yes

Unauthenticated: Yes

Description: Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.

Impact: Full system compromise, leading to ransomware and data theft.

Workarounds: No

Link to source(s): https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079

Indicators of Compromise (IOC) available: No

Mitigation & Recommendations: Upgrade immediately to a non-impacted version and ensure that RecoverPoint for Virtual Machines is deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation.

If you need assistance reviewing or implementing the mitigations and recommendations, or would like to discuss this vulnerability in more detail, please reply to this email, and we will set up a call.

Security Advisory: Emerging Security Risks in Autonomous AI Agents (2/12):

Quest’s Threat Intelligence has been monitoring a growing risk to organizations from the rapid rise and availability of agentic AI agents. Agentic AI agents (or agentic AI) are autonomous software systems driven by large language models (LLMs) that plan, reason, and act independently to achieve complex, multi-step goals with minimal human oversight. Unlike chatbots that simply generate text, these agents use tools to interact with digital environments, learn from feedback, and make decisions to execute entire processes. While these agents are powerful, research has identified multiple critical risks associated with AI agent deployments.

Known Security Risks:

Critical Remote Code Execution (RCE)
Critical vulnerabilities have allowed one-click remote code execution via token exfiltration and WebSocket hijacking. Simply visiting a malicious web page could allow attackers to take full control of the host system.

Internet Exposed Instances at Scale
Security researchers have identified over 100K AI agent instances exposed to the public internet, many with weak or no authentication. A significant portion of these instances were vulnerable to known exploits, enabling attackers to access files, API keys, chat histories, and connected services.

Malicious Skills and Supply Chain Risk
An audit of AI agent extension marketplaces revealed thousands (and growing daily) of malicious skills designed to distribute malware, such as the Atomic macOS Stealer, via fake prerequisites and social engineering.

Prompt Injection and Logic Abuse
Because AI agents access private data, ingest untrusted content, and can take autonomous actions, they are highly susceptible to prompt injection attacks. In these attacks, malicious instructions are hidden in emails, documents, or web pages. These attacks do not require software exploits and may bypass traditional security tooling.

Credential Concentration and Data Leakage
AI agents commonly store API keys, OAuth tokens, chat logs, and session data locally. Misconfiguration or compromise can expose multiple systems at once, creating a high-impact single point of failure.

Financial Risk
Uncontrolled financial spending has already materialized in deployments through runaway API usage, prompt-injection attacks that trigger paid actions, and retries with unreasonable persistence. Reports of crypto wallet draining have also surfaced.

Recommendations:

  • Block AI agent applications, downloads, and network traffic at the endpoint and gateway level.
  • Treat unauthorized AI deployments as “shadow IT” and remediate/contain accordingly.

For companies choosing to use Agentic AI agents, Quest recommends strong safeguards (Guardrails) such as runtime isolation, reduced network exposure, least privilege permissions, controlled use of skills/extensions, spend limits, data exposure protection, and monitoring to detect anomalous behavior.

If you need help reviewing your defensive posture, assistance with detection or guardrail configuration, or would like to discuss this further, please let us know, and we will schedule a call.

Security Advisory: Notepad++ Update Compromise (2/4):

Quest is advising our customers of a recent compromise involving the well-known text editor Notepad++, widely used by IT admins and developers.

What Was Discovered

The Notepad++ development team and independent researchers confirmed this week that the software’s official update infrastructure was compromised by a sophisticated threat actor between June and December 2025. During this period, certain update requests were intercepted and redirected to attacker-controlled servers, which delivered malicious payloads instead of legitimate update files.

The identified malware included a custom backdoor (dubbed “Chrysalis”), capable of providing persistent remote access. This activity is believed to be the result of a compromised update service, not a flaw in the application itself.

What Happened

  1. Using the hijacked software update mechanism, targeted users who checked for updates could have received a trojanized installer that dropped additional malicious components.
  2. This did not occur to all users—only specific users targeted by the threat actors.
  3. The activity has been attributed to the Lotus Blossom group, a China-linked espionage actor known for targeted supply-chain and reconnaissance operations.

What Was the Impact

  1. Unauthorized code execution on affected systems via malicious update components.
  2. Backdoor installation (e.g., Chrysalis) granting remote persistent access.
  3. Credential theft or lateral movement in environments where affected systems had elevated privileges.

Who Is at Risk

The attack is believed to be highly selective rather than broadly distributed. However, any system that installed Notepad++ updates from mid-2025 onward may be at risk.

What Does Quest Recommend?

  1. Ensure all Notepad++ installations are updated to version 8.8.9 or higher from the official source.
  2. Remove older or unknown installers and unused plugins.
  3. Add known IOCs to EDR/AV platforms and isolate any affected systems.

Quest is actively reviewing telemetry and can assist with version checks, IOC scanning, and remediation. Please reach out and let us know how we can help.
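The version check mentioned above is easy to get wrong when it is done as a string comparison in an inventory query, because "8.8.10" sorts lexically before "8.8.9". The following is an added example, not Quest's tooling or anything from the Notepad++ project: it reads a software-inventory export (a constructed CSV standing in for an EDR or asset-management export; the column names are assumed) and classifies each host against the 8.8.9 fixed version using numeric comparison, listing anything that cannot be proven patched for follow-up.

```python
import csv
import io
import re
from typing import Optional

# Version at or above which the advisory considers an installation patched.
FIXED_VERSION = "8.8.9"

# Constructed sample export from a software-inventory or EDR tool.
# The hostnames, column names and versions are sample data, not real hosts.
SAMPLE_INVENTORY_CSV = """hostname,product,version
ws-001,Notepad++,8.8.9
ws-002,Notepad++ (64-bit),8.8.10
ws-003,Notepad++,8.7.1
ws-004,Notepad++,8.8.8
ws-005,Notepad++,9.0
srv-001,Notepad++,unknown
"""


def parse_version(text: str) -> Optional[tuple]:
    """Turn '8.8.10' into (8, 8, 10) so versions compare numerically.

    Returns None for anything that is not a dotted number; a plain string
    comparison would wrongly rank '8.8.10' below '8.8.9'.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version: str, fixed: str = FIXED_VERSION) -> str:
    """Return 'patched', 'needs_update' or 'unknown' for one reported version."""
    parsed = parse_version(version)
    if parsed is None:
        # Cannot prove it is patched: flag it for a manual check rather than assume.
        return "unknown"
    # Tuples of different length compare as expected: (9, 0) > (8, 8, 9).
    return "patched" if parsed >= parse_version(fixed) else "needs_update"


def triage_inventory(csv_text: str, fixed: str = FIXED_VERSION) -> dict:
    """Group Notepad++ hosts by patch status; other products in the export are ignored."""
    result = {"patched": [], "needs_update": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["product"].strip().lower().startswith("notepad++"):
            continue
        result[classify(row["version"], fixed)].append(row["hostname"])
    return result


if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY_CSV)
    for status, hosts in report.items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Hosts in `needs_update` and `unknown` are the ones to prioritize for the installer cleanup and IOC scan in the recommendations above; the `unknown` bucket exists so that a blank or malformed version field never silently counts as patched.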

January 2026

Security Advisory: Cisco Communications Manager Vulnerability impacting Multiple Products (1/22):

Quest has been notified of a security advisory addressing a critical vulnerability in multiple Cisco Unified Communications Manager products. Cisco has urgently patched a critical security vulnerability that could allow unauthenticated attackers to escalate privileges on the impacted products listed in its Security Advisory.

Vendor: Cisco (Unified CM, Unified CM SME, Unified CM IM&P, UC, Cisco Webex Calling)

CVE(s): CVE-2026-20045

CVSS: 8.2 (Critical)

In the wild: Yes

Unauthenticated: Yes

Description: A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.

Impact: This vulnerability could enable attackers to gain admin-level / root privileges on affected systems.

Workarounds: No

Link to source(s): Cisco Security Advisory

Indicators of Compromise (IOC) available: No

Recommendation: Review the vendor advisory, confirm applicability, and update to a patched version as soon as feasible.

If you need help reviewing or patching the affected Cisco products, or would like to discuss these vulnerabilities further, please let us know.

Security Advisory: Strengthen Email Security with BIMI (1/20):

As the sophistication of email attacks against organizations continues to grow, there is a simple but powerful way to improve protection against phishing while also strengthening brand trust. That technology is called BIMI (Brand Indicators for Message Identification), which allows your verified company logo to appear next to legitimate emails in employee and customer inboxes. This gives recipients a quick visual signal that a message is authentic and not a spoofed email.

BIMI works alongside traditional email security controls like SPF, DKIM, and DMARC to ensure that only properly authenticated emails receive this brand indicator.

A recent high-profile example where BIMI proved valuable occurred during the widespread wave of Instagram password reset emails earlier this month.

1. Valid password reset emails were being sent from Instagram but were not initiated by the users themselves

2. As this issue became publicized, threat actors quickly weaponized the situation by sending spoofed messages with identical content but not from Instagram

3. Many recipients struggled to distinguish real messages from fake ones because sender names and addresses appeared legitimate

4. Instagram had BIMI enabled for their domain, ensuring their logo was visible in official messages

5. This allowed Instagram to communicate to users a simple and reliable way to identify valid emails

6. This visual distinction helped users pause, verify, and avoid malicious links

[Image 1: example of a phishing email without BIMI]

[Image 2: valid email with BIMI logo]

Beyond security, BIMI also strengthens brand confidence:

1. Recipients see your logo consistently in the inbox, reinforcing brand recognition

2. Users gain confidence that messages truly come from your organization

3. Customers are less likely to ignore or mistrust legitimate communications

Major email providers such as Google, Yahoo, and Apple validate BIMI participation. This means your organization is not only improving security but also meeting higher trust standards recognized by leading email platforms.

Quest can guide you through:

1. DMARC readiness and enforcement

2. SPF and DKIM validation

3. BIMI record configuration

4. Verified Mark Certificate guidance

If you would like a short BIMI readiness review or technical walkthrough, please let our team know.
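The readiness review above comes down to a small number of DNS checks: BIMI only takes effect when the domain's DMARC record is at enforcement and a well-formed BIMI record is published at the selector. The block below is an added example, not Quest's review tooling or any official BIMI validator. It applies the published BIMI prerequisites (p=reject, or p=quarantine with pct=100; no sp=none; a v=BIMI1 record at <selector>._bimi.<domain> with an https logo URL pointing at an SVG and, if present, an https URL for the Verified Mark Certificate). The DNS answers are constructed sample records keyed by name, standing in for live TXT lookups; the `lookup` parameter can be swapped for a real resolver.

```python
from typing import Callable, List, Optional

# Constructed TXT answers standing in for live DNS lookups (sample data, not real records).
# example.com is ready; example.net is at p=none; example.org has a partial-pct policy
# and an http logo URL.
CONSTRUCTED_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "default._bimi.example.net": "v=BIMI1; l=https://example.net/logo.svg",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.example.org": "v=BIMI1; l=http://example.org/logo.svg",
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: Optional[str]) -> List[str]:
    """Return the DMARC shortcomings that block BIMI; an empty list means enforced."""
    if record is None:
        return ["no DMARC record published"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy == "reject":
        pass
    elif policy == "quarantine":
        if pct != "100":
            findings.append(f"p=quarantine requires pct=100 for BIMI, found pct={pct}")
    else:
        findings.append(f"DMARC policy must be quarantine or reject, found p={policy or 'missing'}")
    if tags.get("sp", "").lower() == "none":
        findings.append("subdomain policy sp=none is not allowed for BIMI")
    return findings


def bimi_findings(record: Optional[str]) -> List[str]:
    """Return problems with the BIMI record itself; an empty list means well-formed."""
    if record is None:
        return ["no BIMI record published at the selector"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "").upper() != "BIMI1":
        findings.append("BIMI record does not start with v=BIMI1")
    logo = tags.get("l", "")
    if not logo:
        findings.append("BIMI record has no l= logo URL (an empty l= declines BIMI)")
    elif not logo.lower().startswith("https://") or not logo.lower().endswith(".svg"):
        findings.append(f"logo URL must be an https URL to an SVG file, found {logo}")
    vmc = tags.get("a")
    if vmc and not vmc.lower().startswith("https://"):
        findings.append(f"VMC URL must use https, found {vmc}")
    return findings


def check_bimi_readiness(domain: str, selector: str = "default",
                         lookup: Callable[[str], Optional[str]] = CONSTRUCTED_DNS.get) -> dict:
    """Combine the DMARC and BIMI checks for one domain into a readiness verdict."""
    findings = dmarc_findings(lookup(f"_dmarc.{domain}"))
    findings += bimi_findings(lookup(f"{selector}._bimi.{domain}"))
    return {"domain": domain, "ready": not findings, "findings": findings}


if __name__ == "__main__":
    for name in ("example.com", "example.net", "example.org"):
        verdict = check_bimi_readiness(name)
        print(name, "READY" if verdict["ready"] else "NOT READY", verdict["findings"])
```

SPF and DKIM are not inspected here because BIMI depends on them only through DMARC alignment: if DMARC passes at enforcement, the logo is eligible, which is why the DMARC readiness step comes first in the list above. Whether a mailbox provider actually displays the logo additionally depends on its own requirements (for example, a VMC), so a passing result means the DNS side is in order, not that display is guaranteed.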

Security Advisory: Fortinet Vulnerability impacting Multiple Products (1/15):

Quest has been notified of a security advisory addressing a vulnerability in Fortinet products. Fortinet has patched the vulnerability that could allow unauthenticated users to execute arbitrary code or commands via specifically crafted requests.

Vendor: Fortinet (FortiOS and FortiSwitchManager)

CVE(s): CVE-2025-25249

CVSS: 7.4 (High)

In the wild: No

Unauthenticated: Yes

Description: A heap-based buffer overflow vulnerability in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Impact: This vulnerability could enable attackers to gain admin-level privileges on affected systems.

Workarounds: Yes, temporary workarounds are available until upgrading to a non-affected version.

Link to source(s): Fortinet Security Advisory

Indicators of Compromise (IOC) available: No

Recommendation: Review the vendor advisory, confirm applicability, apply the workaround, and update to a patched version as soon as feasible.

If you need assistance reviewing or implementing the temporary workaround, patching impacted Fortinet products, or discussing these vulnerabilities in more detail, please reply to this email, and we will set up a call.
