Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


Expert Commentary

Let’s talk about device code phishing first, because honestly, it’s the one keeping me up at night more than the CVEs this week.

The OAuth trick that’s outsmarting your MFA

Device code phishing surging 37x isn’t a surprise to anyone who’s been watching threat actors evolve post-MFA adoption. Here’s what’s actually happening: attackers are abusing the OAuth 2.0 Device Authorization Grant (RFC 8628), the same flow your TV uses when it says “go to this URL and enter this code to sign in.” It was designed for input-constrained devices: the device asks the identity provider for a code pair, the human types the short user code into a browser on some other machine and completes sign-in there (MFA included), and the identity provider hands the tokens to whoever is polling with the matching device code. Nothing binds the person who authenticated to the party that started the flow, so if an attacker starts it and talks the victim into entering the code, the attacker is the one who receives the tokens. It was never designed to be resilient against a socially engineered human. And that gap is now a highway.
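To make the binding gap concrete, here is an added example (not code from this digest, and not Microsoft’s implementation) that simulates the RFC 8628 exchange locally with a mock authorization server. The verification URL, client ID, user principal names and tokens are all constructed; nothing here touches a network. The point it demonstrates is that the server binds the browser login to the user code, and then releases tokens to whoever holds the device code.

```python
# Added example, not code from the digest or from Microsoft: a local simulation
# of the OAuth 2.0 Device Authorization Grant (RFC 8628). Every identifier,
# URL and token here is constructed; nothing talks to a network.
import secrets
import time
from dataclasses import dataclass
from typing import Optional

VERIFICATION_URI = "https://login.example.invalid/device"  # placeholder, not a real endpoint
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"                 # RFC 8628 §6.1-style alphabet


@dataclass
class DeviceGrant:
    device_code: str                      # secret; held only by the client that started the flow
    user_code: str                        # short code the human types into a browser
    client_id: str
    scope: str
    expires_at: float
    authorized_by: Optional[str] = None   # UPN of whoever completed the browser step


class MockAuthorizationServer:
    """Minimal authorization server for the grant. It binds the browser login to a
    user_code; it has no way to bind it to the party that later polls with the
    device_code, and that is the whole problem."""

    def __init__(self, ttl_seconds: float = 900.0):
        self.ttl = ttl_seconds
        self.grants: dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        # RFC 8628 §3.1-3.2: the client asks for a code pair. No user is involved yet,
        # and a public client needs no secret to do this.
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
            client_id=client_id, scope=scope, expires_at=time.time() + self.ttl,
        )
        self.grants[grant.device_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": int(self.ttl), "interval": 5}

    def browser_login(self, user_code: str, upn: str, mfa_satisfied: bool) -> str:
        # RFC 8628 §3.3: a human opens verification_uri, types the code, signs in and
        # passes MFA. The server learns who the human is, not who holds the device_code.
        grant = next((g for g in self.grants.values() if g.user_code == user_code), None)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired_code"
        if not mfa_satisfied:
            return "mfa_required"
        grant.authorized_by = upn
        return "approved"

    def token(self, device_code: str, client_id: str) -> dict:
        # RFC 8628 §3.4-3.5: whoever presents the device_code gets the tokens.
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": grant.scope, "sub": grant.authorized_by,
                "access_token": "at-" + secrets.token_urlsafe(16),    # constructed opaque tokens
                "refresh_token": "rt-" + secrets.token_urlsafe(16)}


def run_phish_scenario(victim_upn: str, victim_completes_login: bool):
    """Plays the flow end to end from the attacker's side of the wire and returns
    (the lure text sent to the victim, the final token-endpoint response)."""
    server = MockAuthorizationServer()
    attacker_client_id = "public-client-id-constructed"

    start = server.device_authorization(attacker_client_id, "openid offline_access Mail.Read")
    # Only the user_code and URL are relayed to the victim (Teams message, e-mail, phone call).
    lure = f"IT support here: go to {start['verification_uri']} and enter {start['user_code']}"

    # Polling before the victim acts just returns authorization_pending.
    assert server.token(start["device_code"], attacker_client_id) == {"error": "authorization_pending"}

    if victim_completes_login:
        # The victim signs in with password AND MFA; both succeed, both are legitimate.
        server.browser_login(start["user_code"], victim_upn, mfa_satisfied=True)

    # The attacker never saw the password or the MFA prompt; the device_code is enough.
    return lure, server.token(start["device_code"], attacker_client_id)


if __name__ == "__main__":
    lure, response = run_phish_scenario("t.analyst@corp.example", victim_completes_login=True)
    print(lure)
    print(response)
```

Read `browser_login` and `token` side by side: the first checks the human, the second checks only the device code and client ID. A real identity provider can add friction (showing the requesting app and a consent screen, limiting which clients may use the grant), but it cannot tell from the protocol alone that the person at the keyboard is not the person who started the flow. That is why the fix lives in policy (blocking the flow for users who do not need it), not in stronger MFA.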

Device code phishing attack flow

I’ve seen this exact scenario at a major financial institution. Security team had celebrated their MFA rollout. FIDO2 keys, Authenticator app, the works. Six months later, a treasury analyst got a Teams message from what looked like IT support, walked through a device code flow, and handed over a valid session token — MFA and all. The attacker never touched the password. Never needed to.

Here’s what nobody wants to admit: Conditional Access policies that block legacy auth and enforce MFA still don’t block device code flows by default in Entra ID. The victim genuinely satisfies MFA in the browser, so an MFA-only policy is met, not bypassed. Blocking the flow is a separate condition (Conditions > Authentication flows > Device code flow) that you have to go find. And most shops haven’t done it because it’s buried, it’s not in the default templates, and it breaks legitimate workflows if you do it wrong.

Entra ID Conditional Access — what’s blocked vs what’s not

What actually works: go into Entra ID Conditional Access right now, create a policy that blocks Device Code flow for all users except the specific service accounts that legitimately need it. Run it in report-only mode first so the sign-in logs tell you who it would have broken before it breaks them. Then filter your sign-in logs by Authentication protocol = Device Code for the last 30 days (that is the column the portal uses; in the SigninLogs table the equivalent is AuthenticationProtocol == "deviceCode"). What you find might ruin your week. That’s fine. Better now than after the incident.
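Both halves of that homework, as an added example that is not from this digest or from Microsoft: the Conditional Access policy as the Microsoft Graph conditionalAccessPolicy object you would POST to /identity/conditionalAccess/policies, and the 30-day hunt run over a handful of constructed sign-in records laid out like the SigninLogs table. The group ID, user principal names, IP addresses and timestamps are made up. The same hunt is what the closing section of this digest asks for, so it is shown once here.

```python
# Added example, not from the digest or from Microsoft: (1) the Conditional
# Access policy body as a Graph conditionalAccessPolicy object, and (2) a hunt
# for device-code sign-ins over constructed SigninLogs-shaped records.
import json
from collections import defaultdict

# Constructed object ID of the group holding the service accounts that
# genuinely need device code flow (e.g. headless CLI sign-ins on a jump host).
APPROVED_DEVICE_CODE_GROUP = "11111111-2222-3333-4444-555555555555"


def block_device_code_policy(exclude_group_ids: list, enforce: bool = False) -> dict:
    """Policy body. Start in report-only (enforce=False) so the sign-in logs show
    who the block *would* have hit before it breaks a real workflow."""
    return {
        "displayName": "Block device code flow except approved service accounts",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # The condition the digest calls buried: Conditions > Authentication flows.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sign-in records. Field names follow the SigninLogs schema; the
# KQL equivalent of the hunt below is:
#   SigninLogs | where AuthenticationProtocol == "deviceCode"
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2026-03-28T09:12:04Z", "UserPrincipalName": "t.analyst@corp.example",
     "AuthenticationProtocol": "deviceCode", "AppDisplayName": "Microsoft Office",
     "IPAddress": "198.51.100.23", "Location": "NL", "ResultType": "0"},
    {"TimeGenerated": "2026-03-28T09:13:41Z", "UserPrincipalName": "t.analyst@corp.example",
     "AuthenticationProtocol": "none", "AppDisplayName": "Microsoft Teams",
     "IPAddress": "203.0.113.10", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2026-03-27T02:00:10Z", "UserPrincipalName": "svc-backup@corp.example",
     "AuthenticationProtocol": "deviceCode", "AppDisplayName": "Azure CLI",
     "IPAddress": "203.0.113.50", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2026-03-26T17:45:00Z", "UserPrincipalName": "j.doe@corp.example",
     "AuthenticationProtocol": "deviceCode", "AppDisplayName": "Microsoft Office",
     "IPAddress": "198.51.100.77", "Location": "NG", "ResultType": "50126"},
]


def hunt_device_code_signins(records, approved_upns) -> list:
    """One finding per non-approved user who used device code flow, with every
    source seen and whether any attempt succeeded. Successful ones sort first:
    a completed device-code sign-in by a human is token theft until proven otherwise."""
    per_user = defaultdict(lambda: {"attempts": 0, "succeeded": False, "sources": set(), "apps": set()})
    for r in records:
        if r.get("AuthenticationProtocol") != "deviceCode":
            continue
        upn = r["UserPrincipalName"].lower()
        if upn in approved_upns:
            continue
        f = per_user[upn]
        f["attempts"] += 1
        f["succeeded"] = f["succeeded"] or r.get("ResultType") == "0"   # "0" is success
        f["sources"].add(f"{r['IPAddress']} ({r['Location']})")
        f["apps"].add(r["AppDisplayName"])
    findings = []
    for upn, f in per_user.items():
        findings.append({"upn": upn, "attempts": f["attempts"], "succeeded": f["succeeded"],
                         "sources": sorted(f["sources"]), "apps": sorted(f["apps"])})
    return sorted(findings, key=lambda x: (not x["succeeded"], x["upn"]))


if __name__ == "__main__":
    print(json.dumps(block_device_code_policy([APPROVED_DEVICE_CODE_GROUP]), indent=2))
    for finding in hunt_device_code_signins(SAMPLE_SIGNINS, {"svc-backup@corp.example"}):
        print(finding)
```

The exclusion is a group, not a list of users, so the approved set is auditable in one place. The hunt drops the allowlisted service account and surfaces the analyst (a successful device-code sign-in from an unusual country) ahead of the failed attempt; in the real logs, pivot on the successful entries first and look at what the resulting session did afterwards.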


The FortiClient EMS emergency patch — and why “emergency patch released” should scare you

The same story plays out with Cisco, Palo Alto, and basically every enterprise security vendor at some point. When a security vendor ships an emergency weekend patch for a critical actively-exploited flaw, that’s a failure state for everyone in the chain — vendor, customer, and sometimes the pen testers who found it two years ago and couldn’t get it escalated.

In my experience running security operations for a large fund, the hardest part wasn’t knowing what to patch. It was the change management process. An emergency patch on a Saturday means someone is waking up a CAB member, arguing whether this qualifies as an emergency change, and navigating a process that was designed for predictability, not urgency. I’ve been in rooms where a critical patch sat in “pending approval” for 11 days because nobody wanted to own the production risk of an unscheduled change. Meanwhile the exploit was public.

The uncomfortable truth is that most change management processes are optimized for audit evidence, not security response. The organizations that handle this well have pre-approved emergency change procedures with clear escalation triggers — and they’ve actually practiced using them before something is on fire.

If you’re running FortiClient EMS, patch it. If you’re in a regulated environment and can’t patch immediately, document your compensating controls and get eyes on those logs. Don’t just put it in the queue and hope.


TrueConf and the update integrity problem — a solved problem we keep failing

CVE-2026-3502 is a download-without-integrity-check vulnerability (CWE-494). Translation: the client fetches updates and doesn’t verify that what it got is actually what the vendor built, so anyone who can influence the delivery path (a poisoned mirror, a hijacked DNS answer, a man-in-the-middle on an unauthenticated channel) can hand it an update of their own and have it run. Code signing has existed for decades. And yet here we are.

Update integrity — secure chain vs CVE-2026-3502 vulnerable chain

The reason it keeps happening isn’t ignorance — it’s prioritization. Dev teams are shipping features. Security review of the update pipeline is unglamorous work that doesn’t show up in the product roadmap. And when the vendor is a smaller player, there often isn’t a dedicated security team reviewing that kind of thing before it ships.

The real exposure isn’t just “patch TrueConf.” It’s: do you actually know what software on your endpoints has auto-update enabled, what update sources those point to, and whether those update channels are authenticated and integrity-checked? Most shops don’t have a clean answer. Your EDR might catch a tampered payload at execution. Might. That’s not a plan, that’s a hope.
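Here is what the gap between “fetch and run” and “fetch, verify, then run” looks like in code, as an added example that is neither TrueConf’s updater nor code from this digest. The update bytes, version numbers and host name are constructed, and because the example is standard-library only, the manifest is pinned inside the client as a stand-in for a code-signed manifest that a real updater would verify against a pinned vendor key before trusting it.

```python
# Added example, not TrueConf's code or the digest's: a CWE-494-shaped updater
# beside a hardened one, run against a simulated delivery path an attacker can
# poison. Payloads, versions and host are constructed; stdlib only.
import hashlib
import hmac


class UpdateRejected(Exception):
    pass


# Constructed payloads (not real binaries), same length so the size check alone
# cannot tell them apart and the digest has to do the work.
GENUINE_UPDATE = b"\x7fELF-genuine-client-4.2.1"
TAMPERED_UPDATE = b"\x7fELF-implant-client-4.2.1"

# What the vendor publishes next to the binary. In production this manifest is
# code-signed and the client verifies that signature against a pinned vendor
# key before trusting a byte of it; to stay stdlib-only it is embedded here.
PINNED_MANIFEST = {
    "version": (4, 2, 1),
    "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
    "size": len(GENUINE_UPDATE),
}

UPDATE_URL = "https://updates.example.invalid/client.bin"   # placeholder host

# Two simulated delivery paths: the honest one, and one where a poisoned
# mirror, a hijacked DNS answer or a TLS-terminating middlebox swaps the bytes.
# TLS protects the pipe, not the thing at the far end of it, so the hardened
# client treats every fetched byte as untrusted until the digest matches.
CLEAN_PATH = {UPDATE_URL: GENUINE_UPDATE}
POISONED_PATH = {UPDATE_URL: TAMPERED_UPDATE}


def fetch_update(delivery_path: dict, url: str) -> bytes:
    """Stand-in for an HTTP GET: whoever controls the delivery path controls the bytes."""
    return delivery_path[url]


def vulnerable_updater(delivery_path: dict) -> bytes:
    # CWE-494 shape: fetch, then install/execute. Nothing checks that the
    # payload is what the vendor built, so the returned bytes are whatever the
    # delivery path served, and the caller runs them as the updating user.
    return fetch_update(delivery_path, UPDATE_URL)


def hardened_updater(delivery_path: dict, installed_version: tuple,
                     manifest: dict = PINNED_MANIFEST) -> bytes:
    # 1. Anti-rollback: a correctly signed but older package is a replay, not an update.
    if manifest["version"] <= installed_version:
        raise UpdateRejected(f"manifest version {manifest['version']} is not newer than {installed_version}")
    payload = fetch_update(delivery_path, UPDATE_URL)
    # 2. Cheap length check, then the digest, compared in constant time.
    if len(payload) != manifest["size"]:
        raise UpdateRejected("size mismatch")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("sha256 mismatch: payload altered in transit or at source")
    # 3. Only now is the payload trusted enough to write to disk and launch.
    return payload


def hardened_outcome(delivery_path: dict, installed_version: tuple) -> str:
    """Turns the hardened updater's result into one line for logging."""
    try:
        hardened_updater(delivery_path, installed_version)
        return "installed"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("vulnerable, poisoned path  ->", vulnerable_updater(POISONED_PATH))
    print("hardened, poisoned path    ->", hardened_outcome(POISONED_PATH, (4, 2, 0)))
    print("hardened, clean path       ->", hardened_outcome(CLEAN_PATH, (4, 2, 0)))
    print("hardened, already on 4.2.1 ->", hardened_outcome(CLEAN_PATH, (4, 2, 1)))
```

The inventory question in the paragraph above is the one this check depends on: a digest or signature is only as good as the manifest it is compared against, so for each auto-updating product on your endpoints you want to know where that manifest comes from and which key signs it. If the answer is “the same unauthenticated server that serves the binary,” you have the vulnerable shape regardless of how many hashes are involved.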


What actually matters this week

Patch the CVEs — yes, obviously. But the device code phishing surge is the most operationally important thing in this digest. It represents attackers directly adapting to the MFA wave the industry spent five years pushing. They didn’t break MFA. They went around it using legitimate flows we forgot to lock down.

Pull your Entra ID Conditional Access policies today. Look for a policy explicitly restricting Device Code flow. If you don’t have one, you’ve got homework. Then filter your sign-in logs by Authentication protocol = Device Code for the last 30 days.

Everything else is maintenance. That one’s strategic.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2026-3502 — TrueConf Client: Download of Code Without Integrity Check

Vendor/Product: TrueConf Client

Description: TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload, resulting in arbitrary code execution in the context of the updating process or user.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-16 · Reference: CVE-2026-3502 - NVD


CVE-2026-5281 — Google Dawn: Use-After-Free Vulnerability

Vendor/Product: Google Dawn

Description: Google Dawn contains a use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. Affects Chromium-based products including Google Chrome, Microsoft Edge, and Opera.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-15 · Reference: CVE-2026-5281 - NVD


📰 This Week’s Security News

New FortiClient EMS flaw exploited in attacks, emergency patch released — Fortinet released an emergency weekend update for a critical FortiClient EMS vulnerability actively exploited in the wild.

Hackers exploit React2Shell in automated credential theft campaign — Large-scale automated credential theft campaign targeting vulnerable Next.js apps via CVE-2025-55182.

Device code phishing attacks surge 37x as new kits spread online — OAuth 2.0 Device Authorization Grant abuse is surging as attackers adapt to widespread MFA adoption.


✅ What You Should Do This Week

  • Immediate: Patch CVE-2026-3502 and CVE-2026-5281 — both actively exploited
  • Verify: Check your systems against the CISA KEV catalog
  • Monitor: Review Entra ID sign-in logs filtered by Authentication protocol = Device Code
  • Audit: Confirm Device Code flow is explicitly blocked in your Conditional Access policies
  • Backup: Test your disaster recovery procedures



Need help locking down your Entra ID Conditional Access posture or reviewing your emergency change management process against real threat scenarios? I’ve been doing this for a while — including in regulated environments where “just patch it” is never the full answer. First call is free. Let’s talk.


GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.