Mar 23, 2026 • urias
23rd March – Threat Intelligence Report
Executive Summary
This week's threat intelligence highlights significant data breaches affecting over 2.6 million individuals at Navia Benefit Solutions, approximately 900,000 records at Aura, and customer and employee information at the Puerto Rico Aqueduct and Sewer Authority. Multiple critical vulnerabilities are under active exploitation, including CVE-2026-33017 in Langflow (weaponized within 20 hours), CVE-2026-20131 in Cisco Secure Firewall (used by the Interlock ransomware group as a zero-day), and CVE-2026-32746 in GNU InetUtils telnetd (CVSS 9.8). AI threats are evolving toward agentic-era attack chains, with researchers discovering chained flaws in Anthropic's Claude.ai that enable stealthy data theft. Organizations should prioritize patching critical infrastructure vulnerabilities, implement network segmentation, and strengthen phishing defenses. Check Point IPS protections are available for documented threats.
Summary
For the latest discoveries in cyber research for the week of 23rd March, please download our Threat Intelligence Bulletin. The post 23rd March – Threat Intelligence Report appeared first on Check Point Research.
Published Analysis
TOP ATTACKS AND BREACHES
- Navia Benefit Solutions, a United States-based employee benefits administrator, has disclosed a breach affecting more than 2.6 million individuals after unauthorized access and potential data exfiltration occurred between December 22, 2025 and January 15, 2026. Exposed information may include personal, health, and benefits data.
- Identity protection firm Aura was breached after a phone phishing attack let an intruder access an employee account and a marketing platform. The actor obtained about 900,000 records, mostly names and emails, while the core systems and identity protection services were not compromised.
- Puerto Rico Aqueduct and Sewer Authority, which manages the territory's water supply, has confirmed a cyberattack that exposed customer and employee information. The authority said critical infrastructure was not affected because network segmentation separated operational systems, limiting the incident to business data and administrative environments.
- Intuitive, a United States-based robotic surgery company, has suffered a data breach after a targeted phishing incident led to a compromised employee account. Exposed information includes customer contact details, employee data, and corporate records, while the company said its da Vinci and Ion platforms were unaffected.
AI THREATS
- Check Point Research highlighted the key developments and major trends in the AI threat ecosystem during January – February 2026. The report focuses on the transition to the agentic era by the threat actors, where development is shifting from simple prompting to structured workflows, attack chains are evolving from human-led to AI-led operations, and safeguard bypass techniques are increasingly beginning to exploit agent mechanisms.
- Researchers have discovered three chained flaws in Anthropic's Claude.ai, enabling invisible prompt injection, silent exfiltration of conversation history through the Files API, and redirection through an open redirect. Anthropic patched the injection issue and is addressing the remaining weaknesses, while the chain enables stealthy data theft.
- Researchers have witnessed exploitation of CVE-2026-33017, a critical unauthenticated remote code execution flaw in Langflow, an open-source framework for AI agents and retrieval-augmented generation pipelines. Attackers weaponized the bug within 20 hours of disclosure, allowing arbitrary Python execution on exposed instances through a single crafted request.
  Check Point IPS provides protection against this threat (Langflow Remote Code Execution (CVE-2026-33017))
VULNERABILITIES AND PATCHES
- ConnectWise has patched CVE-2026-3564, a critical cryptographic signature verification flaw in ScreenConnect, its remote access platform used by managed service providers and IT teams. The issue could let attackers use extracted machine keys to authenticate sessions without authorization and gain elevated privileges on affected instances.
- Ubiquiti has addressed CVE-2026-22557, a maximum-severity flaw in the UniFi Network Application used to manage access points, switches, and gateways. The unauthenticated path traversal bug affects version 10.1.85 and earlier and can let attackers access files, compromise accounts, and potentially seize control of underlying systems.
- Zimbra warns of active exploitation of CVE-2025-66376, a stored cross-site scripting flaw in Zimbra Collaboration Suite that was recently patched. Malicious emails can execute code when viewed in the Classic UI, exposing session cookies and...
Linked Entities
- CVE-2026-22557
- CVE-2026-32746
- CVE-2026-3564
- Interlock Ransomware
- Interlock
- CVE-2025-66376
- CVE-2026-20131
- CVE-2026-33017