For details: Call / WA +971 52 373 4662 | info.grc@crowe.ae

Weekly Cybersecurity Threat Advisory

Major Vulnerabilities, Breaches & Security Updates (30 Mar – 5 Apr 2026)

4/7/2026

The cybersecurity landscape continues to evolve rapidly, with organisations across the Middle East - especially in technology‑driven hubs like Dubai, Abu Dhabi, Riyadh, and Doha - facing heightened exposure to zero‑day exploits, supply‑chain attacks, and data breaches. This week’s threat advisory (30 March - 5 April 2026) highlights several critical vulnerabilities and high‑impact incidents affecting global enterprises, healthcare institutions, and cloud‑based platforms.

1. Critical Vulnerabilities Impacting Enterprise Infrastructure

Fortinet FortiClient EMS Zero‑Day (CVE‑2026‑35616)

A major zero‑day flaw in Fortinet FortiClient EMS (versions 7.4.5 and 7.4.6) is being actively exploited in the wild. As noted in the advisory, “the vulnerability… allows unauthenticated remote attackers to bypass both authentication and authorization mechanisms.” This improper access control issue enables full remote code execution, endpoint manipulation, and potential compromise of all managed devices.
Recommended actions: immediate hotfix deployment, network segmentation, and log monitoring for suspicious API activity.

Refer: https://www.tp-link.com/us/support/faq/5027/

TP‑Link Tapo C520WS Smart Camera Vulnerabilities (Multiple CVEs)

Multiple high‑severity flaws—including authentication bypass (CVE‑2026‑34121) and several buffer overflows—affect Tapo C520WS devices running firmware below 1.2.4. These weaknesses can lead to device crashes, unauthorized configuration changes, and surveillance disruption. The document states that attackers can exploit “improper validation and inconsistent parsing of JSON requests” to bypass authentication.
Recommended actions: firmware updates, IoT network segmentation, and disabling unnecessary remote access.

Refer: https://www.tp-link.com/us/support/faq/5047/

Cisco IMC Authentication Bypass (CVE‑2026‑20093)

Cisco’s Integrated Management Controller contains a critical flaw enabling full administrative takeover. Attackers can manipulate password‑change operations without authentication, impacting ENCS, Catalyst 8300, UCS servers, and appliances built on these platforms. With “no workarounds or mitigations available,” urgent patching is essential, especially for internet‑exposed management interfaces.

Refer: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn

2. Major Attack Campaigns & Data Breaches

Lloyds Banking App Glitch Exposes 450,000 Users

A faulty mobile app update caused transaction data leakage for nearly half a million users. According to the advisory, the glitch briefly made “transaction details from one user’s account… visible to other users.” Although no fraudulent transactions occurred, the incident underscores the risks of rapid software deployment in financial environments.

Refer: https://committees.parliament.uk/committee/158/treasury-committee/news/212885/nearly-half-a-million-lloyds-banking-group-customers-affected-by-personal-data-glitch/

https://committees.parliament.uk/publications/52415/documents/290917/default/

Nacogdoches Memorial Hospital Breach (257,000 Individuals Affected)

A cyber intrusion led to the exposure of sensitive PII, healthcare data, and financial information. The breach included “names, addresses… Social Security numbers… medical record numbers,” and more. Healthcare organisations in the GCC should take note, as similar attacks continue to target medical institutions globally.

Refer: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/ebcabbec-590c-4fd3-b97c-555fd8ced542.html


3. Security News & Emerging Threats

Claude Code Vulnerability After Source Code Leak

A leaked sourcemap exposed 500,000 lines of internal TypeScript code, enabling researchers to identify a critical flaw in Claude Code’s permission enforcement. The system fails when command chains exceed 50 subcommands, causing deny‑rules to be bypassed. This creates opportunities for prompt‑injection‑driven supply‑chain attacks.

Refer: https://adversa.ai/blog/claude-code-security-bypass-deny-rules-disabled/

https://x.com/Fried_rice/status/2038894956459290963
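
A simplified model of the failure mode described above, added here as an illustration (it is not Claude Code's code and is not taken from the leaked source): a deny-rule evaluator with an analysis budget of 50 subcommands, shown failing open and failing closed. The rule set, the function names and the any-word matching are assumptions.

```python
import os
import shlex

MAX_SUBCOMMANDS = 50             # analysis budget; the figure is the one the advisory cites
DENY = {"curl", "wget"}          # hypothetical deny rules (assumption, not from the page)
SEPARATORS = set(";|&")
UNANALYSABLE = set("`$(){}")     # substitutions, subshells, groups: not followed by this splitter


def split_chain(command):
    """Split a command line into subcommands at ; | || & && with quotes respected."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=";|&")
    lexer.whitespace_split = True
    parts, current = [], []
    for tok in lexer:
        if tok and set(tok) <= SEPARATORS:
            if current:
                parts.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        parts.append(current)
    return parts


def decide(command, fail_closed=True):
    """Return "allow" or "deny" for a command line.

    fail_closed=False models the reported flaw: past the budget the deny
    rules are never evaluated and the command is allowed.
    """
    if set(command) & UNANALYSABLE:
        return "deny"                            # cannot be analysed, so not allowed
    try:
        parts = split_chain(command)
    except ValueError:                           # e.g. unbalanced quotes
        return "deny"
    if len(parts) > MAX_SUBCOMMANDS:
        return "deny" if fail_closed else "allow"
    # Conservative match: any word naming a denied program, so an env
    # assignment or a wrapper command in front of it does not hide it.
    hit = any(os.path.basename(w) in DENY for part in parts for w in part)
    return "deny" if hit else "allow"


def long_chain(n, last="curl"):
    """Constructed input: n harmless subcommands followed by one denied program."""
    return "; ".join(["true"] * n + [last])
```

The two variants differ only in the over-budget branch, which is the point: a limit on how much the checker will analyse has to resolve to deny, not to skipping the rules.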

Mercor Impacted by LiteLLM Supply‑Chain Attack

A malicious PyPI package (LiteLLM 1.82.7/1.82.8) infiltrated CI/CD pipelines globally. Mercor confirmed exposure, with threat actors claiming theft of “over 4TB of sensitive data.” This incident highlights the growing risk of automated dependency updates in cloud‑native environments.

Refer: https://docs.litellm.ai/blog/security-update-march-2026

https://x.com/mercor_ai/status/2039101905675403306
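
A check for the two LiteLLM versions named above, added here as an example and not code from LiteLLM or Mercor: it scans requirements-style text for exact pins on 1.82.7/1.82.8 and for floating ranges that an automated update could have resolved to them. The sample file, the function names and the simplified numeric version comparison are assumptions.

```python
import re

# Versions the advisory names as malicious, keyed by PEP 503-normalised package name.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# Package name, optional [extras], then the specifier list up to a marker or comment.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
_SPEC = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([A-Za-z0-9.*+!_-]+)")


def _key(version):
    """Numbers of a simple dotted version as a tuple, e.g. "1.82.7" -> (1, 82, 7)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _admits(op, ver, candidate):
    """True if the single specifier (op, ver) allows candidate to be installed."""
    c = _key(candidate)
    if ver.endswith(".*"):                       # prefix match: ==1.82.* or !=1.82.*
        v = _key(ver[:-2])
        return (c[:len(v)] == v) == (op != "!=")
    v = _key(ver)
    return {"==": c == v, "===": c == v, "!=": c != v, ">=": c >= v, "<=": c <= v,
            ">": c > v, "<": c < v, "~=": c >= v and c[:len(v) - 1] == v[:-1]}[op]


def scan(text):
    """Return (line_no, package, finding) for each line that pins or admits a bad version."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _REQ.match(line)
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else None
        bad = COMPROMISED.get(name)
        if not bad:
            continue
        specs = _SPEC.findall(m.group(2))
        hits = sorted(v for v in bad if all(_admits(op, ver, v) for op, ver in specs))
        if hits:
            exact = len(specs) == 1 and specs[0][0] in ("==", "===") and "*" not in specs[0][1]
            findings.append((no, name, ("pinned to " if exact else "range admits ") + ", ".join(hits)))
    return findings


SAMPLE = """\
# constructed requirements.txt, not from a real project
requests==2.32.3
litellm[proxy]==1.82.7   # exact pin on a version the advisory names
LiteLLM>=1.80,<2         # floating range: an automated update could resolve to either
litellm==1.82.6
litellm>=1.82,!=1.82.7,!=1.82.8
"""
```

Running the same scan over `pip freeze` output from a build image shows what was actually installed rather than what was declared.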

Google Drive Rolls Out Advanced Ransomware Detection

Google has launched AI‑powered ransomware detection and rapid recovery features for Drive. The system automatically halts sync operations and preserves clean file versions, offering stronger protection for businesses across the UAE and wider Middle East adopting cloud‑first strategies.

Refer: https://workspaceupdates.googleblog.com/2026/03/ransomware-detection-and-file-restoration-for-Google-Drive-now-generally-available.html


Conclusion

This week’s advisory reinforces the urgent need for proactive patching, supply‑chain security, and robust monitoring across enterprise and cloud ecosystems. Organisations in the UAE and the GCC - where digital transformation is accelerating - must prioritise vulnerability management and adopt zero‑trust principles to stay ahead of emerging threats.

Know your cyber threat posture. Take Complimentary Assessment: https://forms.gle/215oZk1AE2BSpu9P9

Dawn Thomas
Senior Partner - Governance Risk & Compliance
shahnawaz.sheik@crowe.ae
Shahnawaz Sheik
Director – Cyber Threat Management