Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2025-53521: F5 BIG-IP Unspecified Vulnerability

Vendor/Product: F5 BIG-IP

Description: F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-03-30

Reference: CVE-2025-53521 - NVD


CVE-2026-33634: Aquasecurity Trivy Embedded Malicious Code Vulnerability

Vendor/Product: Aquasecurity Trivy

Description: Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-09

Reference: CVE-2026-33634 - NVD


CVE-2026-33017: Langflow Code Injection Vulnerability

Vendor/Product: Langflow Langflow

Description: Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-08

Reference: CVE-2026-33017 - NVD


📰 This Week’s Security News

Hackers now exploit critical F5 BIG-IP flaw in attacks, patch now

F5 has reclassified a BIG-IP APM denial-of-service (DoS) vulnerability as a critical-severity remote code execution (RCE) flaw, warning that attackers are exploiting it to deploy webshells on unpatche…

Read more: Hackers now exploit critical F5 BIG-IP flaw in attacks, patch now


Critical Fortinet Forticlient EMS flaw now exploited in attacks

Attackers are now actively exploiting a critical vulnerability in Fortinet’s FortiClient EMS platform, according to threat intelligence company Defused. […]…

Read more: Critical Fortinet Forticlient EMS flaw now exploited in attacks


European Commission confirms data breach after Europa.eu hack

The European Commission has confirmed a data breach after its Europa.eu web platform was hacked in a cyberattack claimed by the ShinyHunters extortion gang. […]…

Read more: European Commission confirms data breach after Europa.eu hack


✅ What You Should Do This Week

  • Immediate: Patch CVE-2025-53521, CVE-2026-33634 (actively exploited)
  • Verify: Check your systems against CISA KEV catalog
  • Monitor: Review Azure AD sign-in logs for suspicious activity
  • Audit: Verify MFA is enforced for all privileged accounts
  • Backup: Test your disaster recovery procedures
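The “Verify” item above, worked through as a script. This is an added example, not code from the digest: it parses the CISA KEV feed in its published JSON shape (the real feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), matches the records against a vendor/product inventory, and sorts the hits by how many days remain before the CISA due date. The three feed records and the inventory pairs are constructed samples built from this week’s entries.

```python
"""Match a software inventory against the CISA Known Exploited Vulnerabilities feed.

Added example, not part of the digest. The record fields (cveID, vendorProject,
product, dueDate, ...) follow the published KEV JSON schema; the three records and
the inventory below are constructed samples taken from this week's digest entries.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's JSON shape (only the fields this script uses).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-53521", "vendorProject": "F5", "product": "BIG-IP",
         "vulnerabilityName": "F5 BIG-IP Unspecified Vulnerability",
         "dueDate": "2026-03-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-33634", "vendorProject": "Aquasecurity", "product": "Trivy",
         "vulnerabilityName": "Aquasecurity Trivy Embedded Malicious Code Vulnerability",
         "dueDate": "2026-04-09", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-33017", "vendorProject": "Langflow", "product": "Langflow",
         "vulnerabilityName": "Langflow Code Injection Vulnerability",
         "dueDate": "2026-04-08", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: (vendor, product) pairs as a CMDB or asset tool would export them.
SAMPLE_INVENTORY = [
    ("F5", "BIG-IP"),
    ("Aquasecurity", "Trivy"),
    ("Microsoft", "Windows Server"),  # not in the sample feed: no match expected
]


def load_kev(feed_json: str) -> list[dict]:
    """Parse the KEV feed text and return its vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev: list[dict], inventory, today: date) -> list[dict]:
    """Return KEV records whose vendor/product appear in the inventory.

    Matching is case-insensitive. Each hit carries the CISA due date and the number
    of days remaining (negative means overdue), most urgent first.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for rec in kev:
        key = (rec["vendorProject"].lower(), rec["product"].lower())
        if key not in wanted:
            continue
        due = date.fromisoformat(rec["dueDate"])
        hits.append({
            "cve": rec["cveID"],
            "product": f'{rec["vendorProject"]} {rec["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": due < today,
        })
    return sorted(hits, key=lambda h: h["days_left"])


def overdue_cves(matches: list[dict]) -> list[str]:
    """CVE IDs whose CISA due date has already passed."""
    return [m["cve"] for m in matches if m["overdue"]]


if __name__ == "__main__":
    # In production, replace SAMPLE_KEV_JSON with the downloaded feed text and
    # SAMPLE_INVENTORY with your real asset export.
    kev = load_kev(SAMPLE_KEV_JSON)
    for m in match_inventory(kev, SAMPLE_INVENTORY, date(2026, 4, 1)):
        flag = "OVERDUE" if m["overdue"] else f'{m["days_left"]}d left'
        print(f'{m["cve"]:16} {m["product"]:22} due {m["due"]}  {flag}')
```

Run against a date of 2026-04-01, the sample flags the F5 entry as two days overdue and gives Trivy eight days; the Langflow record is in the feed but not in the inventory, so it does not appear. Matching on vendor and product names is deliberately coarse: it tells you which KEV entries deserve a look, and the version check still has to happen against the vendor advisory.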


Weekly security intelligence and unfiltered commentary on the threats and vulnerabilities that actually matter this week.

You know what’s worse than a critical zero-day? A “low severity” bug that suddenly graduates to remote code execution while you were sleeping.

Here is what you actually need to pay attention to this week.

The F5 BIG-IP Mess (CVE-2025-53521)

Let’s jump right into the F5 BIG-IP vulnerability. F5 initially flagged this as a Denial of Service vulnerability. In the real world, a DoS on a load balancer usually gets thrown into the “we’ll patch it next maintenance window” bucket. Nobody wants to touch the core network if they don’t have to. But surprise! It’s actually a remote code execution flaw, and now attackers are actively dropping webshells on unpatched boxes.

When I was running data engineering at the pension fund, asking the network team for an F5 maintenance window was like asking to cancel Christmas. The uncomfortable truth is that most organizations are terrified to touch their core network appliances. High availability is great on a whiteboard, but in practice, doing an active-passive failover to patch firmware usually drops a handful of persistent database connections, and then the application owners scream at you.

So what happens? We rely on virtual patching. We cross our fingers and hope our WAF rules catch the bad traffic. Stop doing this. Seriously. Just stop. You can’t WAF your way out of an RCE on the very appliance doing the traffic inspection. Take the downtime, fail the boxes over, and patch the damn things.

The Aquasecurity Trivy Nightmare (CVE-2026-33634)

I actually laughed out loud when I read this one, mostly to keep from crying. Trivy is a vulnerability scanner. Its entire job is to keep you safe.

Everyone says you should “shift left” and embed security in your pipelines, but in reality, we’re just shifting the attack surface. To make these scanners work, we give them massive permissions. We tell them to look at our code, our containers, our infrastructure, and we feed them high-privilege credentials to do it. This CVE is an embedded malicious code flaw that lets an attacker dump everything the scanner has in memory. That means every SSH key, every Azure service principal, every database password in your CI/CD environment is gone.

I’ve seen this exact scenario three times in the past year. Security mandates a scanner, DevOps integrates it, and nobody bothers to handle the credentials properly because “the security tool needs access.” If your security tooling getting compromised means a threat actor can pivot and take over your entire Azure tenant, your architecture is broken.

The trade-off nobody talks about with CI/CD security is that static secrets are ticking time bombs. The only thing that actually works here isn’t buying another security tool to watch your security tool—it’s moving to Workload Identity Federation (OIDC). Your pipelines shouldn’t have static passwords in memory to begin with. They should request a short-lived, ephemeral token from Azure AD, do their job, and let the token expire 10 minutes later.
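An added illustration of the federation flow described above, not code from the digest and not Microsoft’s implementation: it models the policy an Azure federated identity credential applies to a pipeline’s OIDC token (issuer, subject, audience, expiry) and builds the client-assertion request that trades that token for a short-lived Azure AD access token. The issuer URL, audience value and claim names are the standard ones GitHub Actions and Azure use; the repository name, client and tenant IDs, and the unsigned sample tokens are constructed placeholders.

```python
"""Workload identity federation: what a federated credential checks before Azure AD
issues a short-lived access token, and what the pipeline sends to get one.

Added example, not the digest's code and not Microsoft's implementation. Claim values
and identifiers below are constructed samples in the shape GitHub Actions and Azure use.
"""
import base64
import json
import time
from urllib.parse import urlencode

# Constructed: the federated credential as configured on the Azure app registration.
# The subject pins the credential to one repository and one branch, so a token minted
# for a fork or a feature branch is refused even though it comes from the same issuer.
FEDERATED_CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/payments-api:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"],
}


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (header.payload.<empty signature>) for this demo only.

    Real pipeline tokens are signed by the issuer; Azure AD verifies that signature
    against the issuer's published keys before any of the checks below matter.
    """
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f'{b64({"alg": "none", "typ": "JWT"})}.{b64(claims)}.'


def unverified_claims(jwt: str) -> dict:
    """Decode a JWT payload without checking its signature (demo helper only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def credential_accepts(claims: dict, fc: dict, now: int) -> tuple[bool, str]:
    """Apply the federated credential's policy to a presented token's claims."""
    if claims.get("iss") != fc["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != fc["subject"]:
        return False, "subject mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in fc["audiences"] for a in auds):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def token_request(client_id: str, tenant_id: str, oidc_token: str, scope: str) -> tuple[str, str]:
    """Build the request that trades the pipeline's OIDC token for an access token.

    Parameter names are the standard jwt-bearer client-assertion grant (RFC 7523);
    the path is Azure AD's v2.0 token endpoint. Nothing static is stored: the
    assertion is the pipeline's own short-lived token.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": oidc_token,
    })
    return url, body


if __name__ == "__main__":
    now = int(time.time())
    base = {"iss": FEDERATED_CREDENTIAL["issuer"], "aud": "api://AzureADTokenExchange"}
    cases = {
        "main branch, fresh": {**base, "sub": FEDERATED_CREDENTIAL["subject"], "exp": now + 600},
        "feature branch":     {**base, "sub": "repo:example-org/payments-api:ref:refs/heads/feature-x", "exp": now + 600},
        "main branch, stale": {**base, "sub": FEDERATED_CREDENTIAL["subject"], "exp": now - 1},
    }
    for name, claims in cases.items():
        ok, why = credential_accepts(unverified_claims(make_sample_jwt(claims)), FEDERATED_CREDENTIAL, now)
        print(f"{name:20} -> {'accept' if ok else 'reject'} ({why})")
    url, body = token_request("<client-id>", "<tenant-id>", make_sample_jwt(cases["main branch, fresh"]),
                              "https://management.azure.com/.default")
    print("POST", url)
```

The point for the scanner scenario above is the subject check: a compromised job on another branch, or a forked repository, cannot present a token that matches the credential, and whatever token the legitimate job did obtain stops working minutes later. There is nothing long-lived sitting in memory for a compromised tool to dump.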

Langflow and Shadow AI (CVE-2026-33017)

Finally, let’s look at Langflow. It’s an unauthenticated code injection bug that lets anyone build public flows.

Here’s the thing nobody wants to admit about the current AI gold rush: your data scientists are bypassing your security controls. Right now, in almost every enterprise I consult for, there is a rogue engineering team standing up LLM orchestration tools like Langflow in a shadow Azure subscription because IT governance moves too slow. They stand it up “just for a quick proof of concept,” leave authentication turned off because it’s annoying to configure, and hook it up to a live database to train their model.

Next thing you know, a botnet is using your unauthenticated public-facing AI tool to dump PII or pivot into your internal network. Stop letting the words “AI project” act as a get-out-of-jail-free card for basic network hygiene. If an application is touching data, it sits behind Azure AD authentication. Period. There is no good answer for why a web-based workflow builder is sitting naked on the internet in 2026.

Wrapping Up

It’s been a messy week. The theme here is that the things we implicitly trust—our core load balancers, our security scanners, and our internal data science projects—are exactly what attackers are leveraging.

What matters this week isn’t reading threat actor profiles about who hacked the European Commission. What matters is knowing exactly where your F5s are, finding out which of your GitHub Actions or DevOps pipelines are hoarding static credentials, and having a very blunt conversation with your data teams about shadow IT.

Need help with moving your CI/CD pipelines off static secrets and onto Azure Workload Identity? I’ve been doing this for a while. First call is free - let’s talk.



📬 Stay Updated

Subscribe to receive weekly security digests directly in your inbox.

Questions or feedback? Contact us


GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.