CISA warns of attacks on endpoint management

The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about adversaries targeting endpoint management software. This alert follows a March 2026 attack on Stryker Corporation that affected their Microsoft environment.

Why it matters: Endpoint management tools like Microsoft Intune control every device in your network. If an adversary gets into these tools, they can wipe devices or change security rules for your entire business.

The big picture: The attack on Stryker shows that adversaries are misusing legitimate management software to move through networks and inflict damage. In the Stryker case, the motive was not financial; it was purely destructive.

3 steps to take now to secure Microsoft Intune

  • Give admins only the access they need. Use role-based access to limit what team members can see and change. Match permissions to the actual work people do every day. Hint: Global Administrator is NOT the appropriate role.

  • Use strong sign-in rules. Turn on phishing-resistant multifactor authentication (passkeys FTW!) for all your admin accounts. Set up Conditional Access rules (if you’re licensed for them) to block access if a sign-in looks risky or comes from an unmanaged device.

  • Require two people to approve big changes. Set up policies that require a second admin to approve sensitive tasks. This includes actions like wiping a device or changing security groups.

Go deeper: You can find the full alert and more tips for securing your network on the CISA website.

Tax season brings new phishing risks

Adversaries are sending fake emails about tax refunds and W-2 forms to trick people into opening malicious files. These attacks increase as the April 15 deadline approaches.

Why it matters: Adversaries use the urgency of tax filings to make you click links or scan QR codes without thinking. If an adversary steals your login info, they can access your financial data or take over your cloud accounts or your computer.

The big picture: Microsoft found several campaigns using fake tax documents to spread malware. Some adversaries use QR codes in "Employee Tax Docs" to send you to fake login pages. These pages can steal your password and bypass some types of security. Other attacks install remote tools like ScreenConnect or Datto to give hackers control over your system.

Steps to take now to reduce your risk

  • Use strong multifactor authentication (MFA). Use the Microsoft Authenticator app with passkeys to protect your accounts from theft.

  • Turn on Safe Links (Microsoft specific, license required). This tool checks web links in your emails and Teams messages to make sure they are safe before you click them.

  • Enable Zero-hour auto purge (ZAP; Microsoft specific, license required). ZAP can find and remove malicious emails even after they have already reached your inbox.

  • Watch out for QR codes. Remind your team that real tax forms do not ask you to scan a QR code to view your documents.

Go deeper: Read the full report on the Microsoft Security blog to see more examples of these attacks.

Use of “EDR killers” to disable endpoint security

Adversaries are using specialized tools called "EDR killers" to turn off security software before they start an attack. These tools help hackers avoid detection by Endpoint Detection and Response (EDR) systems.

Why it matters: Security software is supposed to stop attacks. If an adversary can turn off your security tools, they can steal data or lock your files with ransomware without being caught. Many of these tools are now sold as products on the dark web, making them easy for even low-skill adversaries to use.

The big picture: Research from ESET shows that adversaries have many ways to kill security tools.

  • Abusing drivers: Many tools use a technique called "Bring Your Own Vulnerable Driver." This involves loading an old, legitimately signed driver that has a known flaw, then using that flaw to gain kernel-level control of the computer.

  • Driverless attacks: Some newer tools don't load a driver at all. Instead, they block the security software from sending alerts to its backend or cause it to hang in place.

  • Using built-in tools: Some simple attacks use the computer's own commands to stop security services.

Steps to take now to reduce your risk

  • Block old drivers. Configure your systems to only allow drivers that are known to be safe. Microsoft and other vendors provide lists of vulnerable drivers that you should block.

  • Limit admin rights. Most EDR killers need high-level "admin" rights to work. Make sure your users only have the permissions they need.

  • Monitor for tool termination. Watch for alerts that show security services stopping unexpectedly. This is often a sign that an EDR killer is active.

  • Keep software updated. Updates often include fixes for the flaws that these tools exploit.
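As an added example (not from ESET's report or from any product named above), the following Python script applies the "monitor for tool termination" and "block old drivers" advice to a few constructed Windows System log lines in an assumed `<time> <event id> <message>` layout; the protected service names, the driver file name and the blocklist are placeholders you would replace with your own EDR's service names and Microsoft's recommended driver block list.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines (assumed export format: "<time> <event id> <message>").
SAMPLE_LOG = """\
2026-03-19T08:01:02Z 7036 The Windows Defender Antivirus Service service entered the running state.
2026-03-19T08:14:55Z 7045 A service was installed in the system. Service Name: oldvuln. Service File Name: C:\\Temp\\oldvuln.sys. Service Type: kernel mode driver.
2026-03-19T08:15:01Z 7036 The Windows Defender Antivirus Service service entered the stopped state.
2026-03-19T08:15:02Z 7036 The Windows Defender Advanced Threat Protection Service service entered the stopped state.
2026-03-19T08:20:00Z 7036 The Print Spooler service entered the stopped state.
"""

# Security services whose unexpected stop should alert (assumed list; extend for your EDR).
PROTECTED_SERVICES = {
    "Windows Defender Antivirus Service",
    "Windows Defender Advanced Threat Protection Service",
}
# Placeholder blocklist; in production load the vendor's vulnerable-driver list instead.
DRIVER_BLOCKLIST = {"oldvuln.sys"}

STOP_RE = re.compile(r"^(\S+) 7036 The (.+?) service entered the stopped state\.$")
DRV_RE = re.compile(r"^(\S+) 7045 .*Service File Name: (\S+?)\. Service Type: kernel mode driver\.$")

@dataclass
class Finding:
    time: str
    kind: str    # "security_service_stopped" or "blocked_driver_loaded"
    detail: str

def scan_log(text: str) -> list[Finding]:
    """Flag stops of protected security services and loads of blocklisted kernel drivers."""
    findings = []
    for line in text.splitlines():
        m = STOP_RE.match(line)
        if m and m.group(2) in PROTECTED_SERVICES:
            findings.append(Finding(m.group(1), "security_service_stopped", m.group(2)))
            continue
        m = DRV_RE.match(line)
        if m and m.group(2).rsplit("\\", 1)[-1].lower() in DRIVER_BLOCKLIST:
            findings.append(Finding(m.group(1), "blocked_driver_loaded", m.group(2)))
    return findings

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def byovd_sequences(findings: list[Finding], window_seconds: int = 300) -> list[tuple]:
    """Pair each blocklisted driver load with security-service stops that follow it
    within the window: the driver-then-kill ordering typical of BYOVD EDR killers."""
    loads = [f for f in findings if f.kind == "blocked_driver_loaded"]
    stops = [f for f in findings if f.kind == "security_service_stopped"]
    return [(ld.detail, st.detail, (_t(st.time) - _t(ld.time)).total_seconds())
            for ld in loads for st in stops
            if 0 <= (_t(st.time) - _t(ld.time)).total_seconds() <= window_seconds]
```

Running `byovd_sequences(scan_log(SAMPLE_LOG))` on the sample pairs the driver load with both security-service stops a few seconds later, while the Print Spooler stop is ignored.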

Go deeper: Read the full technical report from ESET Research to learn more about how these tools work and how to stop them.

Cheap IP-KVM devices have big security holes

New research shows that many cheap IP-KVM devices have serious security flaws. These devices allow IT pros to control computers over a network, but adversaries can use them to take over entire systems.

Why it matters: A KVM device gives a user the same power as standing in front of a computer. If an adversary breaks into your KVM, they can type commands, change BIOS settings, and bypass disk encryption. Because these tools work below the operating system, your normal security software like antivirus or EDR often cannot see the attack.

The big picture: Eclypsium researchers found nine vulnerabilities across four different KVM brands. Some of these devices cost as little as $30 but have major issues like missing password protection or insecure firmware updates. While some companies like JetKVM and Sipeed have released fixes, others like Angeet and GL-iNet currently have no plans to fix some of the reported problems.

Steps to take now to reduce your risk

  • Isolate your KVM devices. Place all KVM tools on a separate management network (VLAN) that is not connected to the open internet and is reachable only from privileged administrative workstations.

  • Use a VPN for remote access. Do not expose KVM management pages directly to the web. Use a secure connection to reach them.

  • Set strong, unique passwords. Never use the default credentials. Enable multifactor authentication (MFA) if the device supports it.

  • Update your firmware immediately. Check the manufacturer's website for the latest security patches.

  • Audit your hardware. Scan your network to find any KVM devices you might not know about.

Go deeper: You can read the full list of vulnerabilities and technical details on the Eclypsium blog.

Ubiquiti UniFi flaw allows account takeover

Ubiquiti has released a patch for a critical vulnerability in its UniFi Network app. This flaw could allow adversaries to take full control of user accounts.

Why it matters: The main flaw (CVE-2026-22557) has a severity score of 10.0 out of 10. It allows someone on the network to access system files and hijack accounts without needing a login or any help from a user. Because the attack is simple to carry out, experts expect adversaries to automate it quickly.

The big picture: The UniFi Network app is used to manage hardware like Wi-Fi access points, switches, and gateways. Scans recently found nearly 88,000 UniFi systems exposed to the public internet. Ubiquiti also fixed a second flaw (CVE-2026-22558) that allowed users with low permissions to gain full control of the application.

Steps to take now to reduce your risk

If you are using UniFi:

  • Update the UniFi Network app immediately. Install version 10.1.89 or later to fix both vulnerabilities.

  • Remove management tools from the internet. Do not host your UniFi dashboard on the public web. Use a VPN or a private management network (VLAN) to limit access.

  • Audit your administrator list. Check for any unknown admin accounts that may have been created before you applied the patch.

Go deeper: You can find the full technical details and the official security advisory on the Security Affairs website.

CISA adds critical SharePoint 2016 flaw to exploited list

On March 18, 2026, CISA added a Microsoft SharePoint 2016 flaw to its list of known exploited vulnerabilities. This means there is proof that adversaries are currently using this bug to attack organizations.

Why it matters: The flaw, tracked as CVE-2026-20963, allows an attacker to run their own code on your SharePoint server. An adversary does not need a username or password to carry out this attack. If you use SharePoint, your files and your entire network are at high risk.

The big picture: CISA tracks bugs that are being used in real-world attacks to help IT teams know what to fix first. While the government requires federal agencies to fix these bugs by a set date, all businesses should treat them as an emergency. This specific SharePoint flaw lets attackers inject and run malicious code over a network.

Steps to take now to reduce your risk

  • Update your SharePoint servers. Install the latest security patches from Microsoft immediately to block this attack.

  • Look for signs of an attack. Check your server logs for any unusual activity or new files that your team did not create.

  • Review the full catalog. Check the CISA list regularly to see if other tools you use are at risk.

  • BONUS: Stop using on-premises SharePoint servers. There’s got to be a better way!

Go deeper: You can view the official bulletin on the CISA KEV Catalog website.

If you have any comments or feedback, just respond to this email!

Thanks for reading and stay secure,

Aaron