Friday, March 06 2026 · @SignalOverNoizX


Top Story of the Week

CISA's Known Exploited Vulnerabilities (KEV) catalog expanded this week with critical flaws in industrial control systems and enterprise infrastructure, signaling a deliberate shift in attacker targeting. Hikvision (CVSS 9.8) and Rockwell Automation vulnerabilities joined Delta Electronics CNCSoft-G2 and Cisco enterprise networking flaws on the agency's watchlist, a concentrated cluster of ICS and critical infrastructure exploitation.

The timing is significant: these aren't theoretical threats. Each addition to the KEV catalog means active exploitation is documented in the wild. Organizations running surveillance, manufacturing automation, or network switching infrastructure are now confirmed targets. The industrial sector, already fragmented in patching discipline, faces immediate pressure to remediate while many facilities operate on extended update cycles measured in months, not hours.

Critical Vulnerabilities

Threat Actor Activity

Russian ransomware operators remain active despite legal consequences. This week's guilty plea from a Phobos ransomware administrator demonstrates that US indictments carry real teeth, yet the gang's infrastructure and affiliate network persisted through the prosecution. The plea signals enforcement is working at the leadership level, but criminal-as-a-service models mean replacements emerge faster than arrests stick.

Chinese state-sponsored actors are actively targeting telecommunications infrastructure with new malware toolkits, per this week's reporting. Telecom companies are the crown jewel for espionage: signals intelligence, billing data, and intercept capabilities make carriers perpetual targets. The development of new toolkits suggests previous campaigns were either burned or have evolved. Telecom CISO teams should treat assume-breach assessments and network segmentation as no longer optional.

By the Numbers

90 zero-days exploited in 2025 — Google's comprehensive research confirms organized, well-resourced attackers are operating at scale; half targeted enterprises specifically, not consumer populations

50% of exploited zero-days aimed at enterprise — The strategic focus on business targets means commodity ransomware crews have access to sophisticated vulnerabilities through supply chains or underground markets

Ransomware gangs pivoting to data theft — Backup recovery improvements are forcing extortion groups to threaten disclosure rather than encryption-only attacks; the threat model hasn't changed, just the leverage point

CISA added 5 new KEV entries this week — Industrial control systems represent 40%+ of recent additions; defenders have clearer intelligence on active threat vectors but narrower remediation windows

The Bottom Line

Industrial and telecom organizations need emergency patching protocols activated immediately. The convergence of Hikvision, Rockwell Automation, and Delta Electronics vulnerabilities on the KEV catalog isn't coincidence; it's a targeting pattern. If you operate surveillance systems, manufacturing controls, or carrier-grade infrastructure, assume your environment is scanned daily. Backup strategies bought time against ransomware, but threat actors responded by weaponizing data theft; assume exfiltration defenses are now table stakes. For enterprise security teams: prioritize Windows Terminal execution controls and monitor for Lumma stealer indicators before the next wave of ClickFix campaigns lands in your mailboxes.


Follow @SignalOverNoizX for daily threat intelligence. Live feed: signal-noise.tech