🚨 CRITICAL ALERT: Active Zero-Day Exploits Across Enterprise Infrastructure
THREAT LEVEL: CRITICAL | Multiple CVSS 9.8-10.0 vulnerabilities under active exploitation in the wild. Immediate patching required across Atlassian Confluence, Cisco Secure Firewall, F5 BIG-IP, and open-source tools. Supply chain compromise detected in Trivy security scanner affecting CI/CD pipelines globally.
Critical Vulnerabilities (CVSS ≥ 8.0)
- CVE-2023-22515 (CVSS: 9.8) — Atlassian Confluence Data Center & Server: Unauthenticated attackers can create unauthorized administrator accounts on publicly accessible instances, enabling full system compromise. Active exploitation confirmed by nation-state actors since October 5, 2023. Affected: Versions 8.0.0 through 8.5.1. Cloud instances (atlassian.net) unaffected. View NVD | CISA KEV (2023-10-05)
- CVE-2026-20131 (CVSS: 10.0) — Cisco Secure Firewall Management Center (FMC): Unauthenticated remote code execution as root via insecure deserialization in web-based management interface. Attackers can execute arbitrary Java code by sending crafted serialized objects. CISA KEV confirmed. View NVD | CISA KEV (2026-03-19)
- CVE-2025-53521 (CVSS: 9.8) — F5 BIG-IP APM: Remote code execution when malicious traffic targets misconfigured access policies on virtual servers. Unpatched versions face immediate compromise risk. View NVD
- CVE-2026-33017 (CVSS: 9.8) — Langflow AI Tool: Unauthenticated remote code execution via POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. Attackers inject arbitrary Python code in node definitions, executed without sandboxing. Affected: Versions <1.9.0. CISA KEV confirmed. View NVD | CISA KEV (2026-03-25)
- CVE-2026-21513 (CVSS: 8.8) — MSHTML Framework: Security feature bypass allowing unauthorized attackers to circumvent protections over network access. CISA KEV confirmed. View NVD | CISA KEV (2026-02-10)
- CVE-2026-33634 (CVSS: 8.8) — Trivy Supply Chain Compromise: Malicious v0.69.4 release and compromised GitHub Actions published March 19, 2026. Affected components: aquasecurity/trivy (0.69.4), trivy-action (0.0.1-0.34.2 except 0.35.0), setup-trivy (0.2.0-0.2.5). Attackers used compromised credentials to inject credential-stealing malware. CISA KEV confirmed. View NVD | CISA KEV (2026-03-26)
⚡ Immediate Actions Required
Priority 1 (Execute within 24 hours):
- Confluence: Upgrade all Data Center and Server instances to 8.5.2 or later. Identify compromised instances by checking for unexpected administrator accounts and unauthorized setup endpoint requests (/setup/*.action) in access logs.
- Cisco FMC: Restrict management interface internet exposure immediately. Apply vendor-provided patches. Audit all administrative access logs for unauthorized activity.
- F5 BIG-IP: Apply security patches to APM configurations. Validate access policy settings and monitor for anomalous traffic patterns.
- Langflow: Upgrade to version 1.9.0 or later. Disable public flow endpoints if not required.
- Trivy Users: Immediately identify all Trivy usage across pipelines. Remove v0.69.4 binaries and compromised GitHub Action versions (below 0.35.0 for trivy-action, below 0.2.6 recreated for setup-trivy). Treat all secrets accessed by affected pipelines as compromised and rotate immediately. Search GitHub organizations for suspicious repositories named "tpcp-docs" indicating credential exfiltration.
Priority 2 (Execute within 48-72 hours):
- Conduct full forensic analysis of affected systems for indicators of compromise (IOCs): unexpected user accounts, suspicious file modifications, abnormal network traffic.
- For CI/CD environments: Audit all workflow runs using compromised Trivy versions (March 19-20, 2026). Review logs for unauthorized activity. Pin all GitHub Actions to immutable commit SHAs rather than mutable version tags.
- Implement network segmentation to isolate critical infrastructure (Confluence, FMC, BIG-IP) from internet-facing assets.
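As an added example (not part of this advisory or of Aqua Security's own tooling), the following Python check scans a GitHub workflow file for the affected trivy-action and setup-trivy version ranges listed above and flags any action that is not pinned to an immutable commit SHA. The action names and version thresholds are taken from the advisory text; the sample workflow is constructed.

```python
import re
# Affected ranges taken from the advisory above: [first_affected, first_fixed).
AFFECTED = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 35, 0)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_version(ref):
    """(major, minor, patch) for tags like v0.28.0 or 0.2.5; None for branches/others."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", ref)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def audit_workflow(text):
    """Return [(line_no, action, ref, finding)] for each 'uses:' needing attention.
    A full 40-hex SHA ref is treated as immutable and skipped (its provenance is not checked)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or SHA_RE.match(m[2]):
            continue
        action, ref = m[1], m[2]
        if action not in AFFECTED:
            findings.append((n, action, ref, "UNPINNED"))  # mutable tag or branch on any action
            continue
        first, fixed = AFFECTED[action]
        ver = parse_version(ref)
        if ver is None:
            findings.append((n, action, ref, "AFFECTED_ACTION_FLOATING_REF"))
        elif first <= ver < fixed:
            findings.append((n, action, ref, "AFFECTED_VERSION"))
        else:
            findings.append((n, action, ref, "FIXED_BUT_UNPINNED"))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""
if __name__ == "__main__":
    for line_no, action, ref, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {finding}")
```

Run it over every `.github/workflows/*.yml` in the organization; a SHA-pinned line that still points at a compromised release must be found by comparing the SHA against the vendor's published good commits, which this check does not do.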
Detection Indicators: Unexpected Confluence administrator accounts | /setup/*.action HTTP requests in logs | Unauthorized Cisco FMC administrative logins | Trivy v0.69.4 binary execution traces | Repositories named "tpcp-docs" in GitHub organizations | Failed credential validation attempts on rotated secrets
Vendor Contact for Support: Atlassian Security (confluence support) | Cisco PSIRT | F5 Networks | Aqua Security | Microsoft Security Response Center