Daily Briefing for 03.27.26

Top stories.

• CISA warns of critical flaws affecting PTC and Langflow products.
• Phishing activity surges amid war in Iran.
• Alleged RedLine infostealer developer faces thirty years in a US prison.

CISA warns of critical flaws affecting PTC and Langflow products.

The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical remote code execution vulnerability (CVE-2026-4681) affecting PTC’s Windchill product lifecycle management software. The industrial software maker says it hasn't observed exploitation affecting its customers, although a patch is not yet available.

In Germany, Heise reports that the Federal Criminal Police Office (BKA) sent officers to visit companies in person to warn them about the vulnerability. In some cases, officers woke up administrators at their private residences in the middle of the night. While the vulnerability is serious, it's unclear what prompted such an urgent response from the police, which Heise describes as "unprecedented." PTC urges customers to immediately implement mitigations until patches are available, prioritizing publicly accessible systems.

Separately, CISA has also warned of active exploitation of a critical flaw affecting the Langflow framework for building AI agents, BleepingComputer reports. The vulnerability (CVE-2026-33017) is a code injection flaw that can lead to remote code execution. Researchers at Sysdig observed exploitation of the flaw about twenty hours after its disclosure on March 17th. The researchers state, "Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise." Users are advised to update Langflow as soon as possible and audit their systems for compromise.

Phishing activity surges amid war in Iran.

Bitdefender is tracking a surge in phishing and malware activity targeting Gulf countries amid the war in Iran, with malicious emails spiking by approximately 130% since the conflict began on February 28th. Bitdefender states, "Within days, activity doubled, and at peak reached nearly four times the baseline levels, signaling a sustained and coordinated spike rather than a one-off campaign. This clearly suggests that phishing and malware delivery campaigns are being deployed and adjusted in real time, with attackers capitalizing on heightened regional sensitivity and business disruptions."

While state-sponsored cyber operations are accompanying the war, much of this phishing activity is financially motivated, with criminal threat actors exploiting fear and uncertainty across the region.

Alleged RedLine infostealer developer faces thirty years in a US prison.

An Armenian national accused of developing the popular RedLine infostealer has been extradited to the United States, where he faces up to thirty years in prison, the Record reports. The defendant, Hambardzum Minasyan, allegedly worked with co-conspirators to maintain RedLine's infrastructure, including C2 servers and administrative panels, and collected payments from the malware's affiliates. The US Justice Department states, "The indictment alleges that Minasyan registered two virtual private servers to host portions of RedLine’s infrastructure as well as two internet domains in support of the RedLine scheme. He also allegedly created repositories on an online file-sharing site that were used to distribute RedLine to affiliates. In November 2021, he allegedly registered a cryptocurrency account that was used to receive payments from RedLine affiliates."

An international law enforcement effort disrupted the RedLine operation in October 2024, and the Justice Department unsealed charges against one of Minasyan's alleged co-conspirators, Maxim Rudometov. Rudometov is also facing a maximum of thirty years.