State-linked actors are actively targeting internet-exposed Rockwell/Allen-Bradley PLCs on critical infrastructure networks, moving the threat from IT management planes into the operational technology layer. A second AI workflow platform — Flowise (CVE-2025-59528, max severity) — is under active exploitation for arbitrary code execution, two weeks after Langflow. Docker Engine CVE-2026-34040 (CVSS 8.8) bypasses authorization plugins via an incomplete fix from 2024. Ponemon Institute research reveals hundreds of "dark matter" applications disconnected from centralized identity in the typical enterprise, creating an unmanaged attack surface now exploited by AI agents. A law enforcement operation disrupted a state-linked campaign hijacking home routers to steal cloud credentials. The FortiClient EMS zero-day KEV deadline is tomorrow.

Links & Resources

• https://www.bleepingcomputer.com/news/security/iranian-hackers-targeting-rockwell-plcs-critical-infrastructure/
• https://www.bleepingcomputer.com/news/security/flowise-ai-platform-max-severity-rce-exploited/
• https://thehackernews.com/2026/04/docker-engine-authz-bypass-cve-2026-34040.html
• https://thehackernews.com/2026/04/ponemon-dark-matter-applications-identity.html
• https://www.bleepingcomputer.com/news/security/frostarmada-apt28-router-hijack-disrupted/
• https://www.bleepingcomputer.com/news/security/cisa-forticlient-ems-patch-deadline-friday/
• https://thehackernews.com/2026/04/iran-nexus-password-spraying-m365-israel-uae.html
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog