TL;DR — This Week's Key Takeaways
Commvault disclosed a nation-state actor planted a webshell in its SaaS backup environment — check your backup integrity now. A federal data exposure linked to DOGE system access exposed SSNs and financial records for an estimated 2.1 million Americans. A new ransomware trend called encryption-free extortion is surging — attackers steal data and threaten publication without ever encrypting a file. Microsoft Entra ID has a critical privilege escalation flaw under active exploitation. CISA published its 2026 SMB Cybersecurity Grant Program details.
CRITICAL | BREACH | 5 min read
CVE-2025-34028
Commvault SaaS Backup Compromised — Nation-State Actor Planted Webshell in Metallic Platform
Commvault disclosed that a sophisticated nation-state threat actor exploited CVE-2025-34028 to plant a persistent webshell inside its Metallic SaaS backup platform. Organizations using Commvault Metallic should immediately audit backup integrity and rotate all credentials stored in the platform.
Action Items
›Audit all backup jobs completed in the past 90 days: verify backup integrity and look for signs that backup data was read or exported (unexpected restore, download, or export jobs)
›Rotate all credentials that are stored in or accessible through Commvault, including service account passwords, API keys, and cloud provider credentials
›Review Commvault audit logs for unauthorized access, configuration changes, or unusual data access patterns
+2 more at segler.net/security-news
Affected Systems
›Commvault Metallic SaaS (all tenants prior to the April 25, 2026 remediation)
›Commvault Command Center 11.38.x
›Commvault HyperScale X appliances
›Any environment using Commvault cloud-connected backup
HIGH | BREACH | 5 min read
Federal Data Exposure: DOGE System Access Linked to 2.1M SSN and Financial Record Leak
Congressional investigators confirmed that broad system access granted to DOGE personnel resulted in the exposure of Social Security numbers, tax records, and financial data for an estimated 2.1 million Americans. Multiple federal agencies are conducting breach notifications.
Action Items
›Monitor your credit reports and financial accounts for unusual activity — affected individuals will receive breach notifications
›Place a credit freeze with all three bureaus (Equifax, Experian, TransUnion) if you are notified of exposure
›Be alert for targeted phishing using your SSN or financial data — attackers exploit breach data for follow-on attacks
+2 more at segler.net/security-news
Affected Systems
›Social Security Administration systems
›IRS taxpayer data systems
›Treasury Department financial systems
›Department of Education student loan records
HIGH | THREAT | 5 min read
Ransomware Groups Drop Encryption — Pure Data Extortion Is Now the Dominant Attack Model
A major shift in ransomware tactics: leading threat groups, including Cl0p successors and new entrants, are abandoning file encryption entirely and focusing solely on data theft and extortion. Backups still restore availability, but they do nothing against the threat of publication, so backup-based defenses alone no longer provide full protection.
Action Items
›Backups alone no longer protect against ransomware — data loss prevention and exfiltration detection are now essential
›Implement Data Loss Prevention (DLP) tools to detect and block large-scale data exfiltration
›Monitor for unusual outbound data transfers — exfiltration often precedes any ransom demand by days or weeks
+2 more at segler.net/security-news
Affected Systems
›Any organization storing sensitive customer or employee data
›Healthcare organizations (PHI)
›Legal and professional services firms (privileged documents)
›Financial services (account and transaction data)
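A minimal version of the outbound-transfer check from the action items above, as an added example that is not from the newsletter or from any vendor. It runs over a constructed set of daily per-host outbound byte totals; the record shape, host names and thresholds are assumptions, and in practice the totals would be summarized from NetFlow/IPFIX, firewall or proxy logs:

```python
"""Flag hosts whose outbound byte volume spikes far above their own baseline.

Added example, not code from the newsletter. Input records are constructed
and their shape (one {day, host, bytes_out} summary per host per day) is an
assumption; a real deployment would build them from flow or proxy logs.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: a file server with ~2 GB/day of normal outbound traffic
# and a workstation with ~300 MB/day. On day 8 the file server sends 180 GB.
SAMPLE_FLOWS = (
    [{"day": d, "host": "files01", "bytes_out": 2_000_000_000 + 50_000_000 * (d % 3)}
     for d in range(1, 8)]
    + [{"day": d, "host": "wks-42", "bytes_out": 300_000_000 + 20_000_000 * (d % 2)}
       for d in range(1, 8)]
    + [{"day": 8, "host": "files01", "bytes_out": 180_000_000_000},
       {"day": 8, "host": "wks-42", "bytes_out": 310_000_000}]
)


def baseline(records, before_day, min_days=3):
    """Per-host (mean, population stddev) of bytes_out over days < before_day.

    Hosts with fewer than min_days of history get no baseline: flagging them
    would be guessing, so flag_exfil() reports them separately instead.
    """
    history = defaultdict(list)
    for r in records:
        if r["day"] < before_day:
            history[r["host"]].append(r["bytes_out"])
    return {h: (mean(v), pstdev(v)) for h, v in history.items() if len(v) >= min_days}


def flag_exfil(records, day, ratio=5.0, zscore=4.0, min_bytes=10_000_000_000):
    """Return (hits, unbaselined) for the given day.

    A host is a hit when its outbound volume is at least `ratio` times its
    historical mean, at least `zscore` standard deviations above it, and above
    an absolute floor (`min_bytes`) so that a quiet host going from 1 MB to
    6 MB does not page anyone. All three thresholds are assumptions to tune.
    """
    stats = baseline(records, day)
    hits, unbaselined = [], []
    for r in records:
        if r["day"] != day:
            continue
        if r["host"] not in stats:
            unbaselined.append(r["host"])
            continue
        mu, sigma = stats[r["host"]]
        # A perfectly flat history (sigma == 0) makes any increase infinitely
        # anomalous; the ratio and floor checks still have to pass.
        z = (r["bytes_out"] - mu) / sigma if sigma else float("inf")
        if r["bytes_out"] >= min_bytes and r["bytes_out"] >= ratio * mu and z >= zscore:
            hits.append({"host": r["host"], "bytes_out": r["bytes_out"],
                         "ratio": r["bytes_out"] / mu, "z": z})
    return hits, unbaselined


if __name__ == "__main__":
    hits, unbaselined = flag_exfil(SAMPLE_FLOWS, day=8)
    for h in hits:
        print(f"{h['host']}: {h['bytes_out'] / 1e9:.1f} GB out, "
              f"{h['ratio']:.0f}x baseline (z={h['z']:.0f})")
    if unbaselined:
        print("no baseline yet:", ", ".join(unbaselined))
```

The three-way threshold (ratio, z-score and absolute floor) is deliberate: a ratio alone fires on hosts that normally send almost nothing, a z-score alone fires on hosts whose history happens to be flat, and a floor alone misses a slow leak from a large server. Hosts with too little history are listed rather than silently skipped, since a newly built host that immediately pushes data out is itself worth a look.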
CRITICAL | THREAT | 4 min read
CVE-2026-2915
CVE-2026-2915 — Microsoft Entra ID Privilege Escalation, Attackers Gaining Global Admin Without Admin Credentials
Microsoft confirmed active exploitation of CVE-2026-2915, a critical privilege escalation vulnerability in Microsoft Entra ID (formerly Azure AD) that allows attackers with any authenticated access to escalate to Global Administrator. Patch or apply mitigations immediately.
Action Items
›Apply Microsoft's published mitigations in the Microsoft Entra admin center immediately; Entra ID is a cloud service, so the service-side fix is deployed by Microsoft rather than through Windows Update, and any hybrid components (such as Entra Connect) should be updated as Microsoft directs
›Audit your Entra ID Global Administrator role assignments — remove any accounts that should not have this role
›Review Entra ID audit logs (RoleManagement category) for the past 30 days for unexpected role assignments, and the sign-in logs for activity by any account that gained privileges in that window
+2 more at segler.net/security-news
Affected Systems
›Microsoft Entra ID (all tenants)
›Microsoft 365 (all plans)
›Azure subscriptions linked to affected Entra ID tenants
›Any application using Entra ID for authentication
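One way to carry out the Global Administrator audit from the action items above, as an added example that is not from the newsletter and not Microsoft code. It filters directory audit records for successful additions to the Global Administrator role and flags self-grants, app-initiated grants, and grants to or by anyone outside an approved list. The record shape follows the Microsoft Graph directoryAudit resource (returned by GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits with a filter on category eq 'RoleManagement') as the author understands it, but treat the field names as an assumption and check them against your own export; the sample records and the approved-admin list are constructed:

```python
"""Flag Global Administrator grants in Microsoft Entra ID directory audit records.

Added example; not from the newsletter and not Microsoft code. The record
shape follows the Microsoft Graph directoryAudit resource (category,
activityDisplayName, initiatedBy, targetResources[].modifiedProperties) as
far as the author knows it; treat it as an assumption. The audit records and
the approved-admin list below are constructed.
"""
import json

GLOBAL_ADMIN = "Global Administrator"

# Constructed: the identities allowed to hold or grant GA. Keep the real list
# short, reviewed, and stored outside the tenant it governs.
APPROVED_GLOBAL_ADMINS = {"breakglass1@contoso.example", "alice.admin@contoso.example"}


def _audit(when, actor_user, actor_app, target_upn, role):
    """Build one constructed directoryAudit-style 'Add member to role' record."""
    return {
        "activityDateTime": when,
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": actor_user} if actor_user else None,
                        "app": {"displayName": actor_app} if actor_app else None},
        "targetResources": [
            {"type": "User", "userPrincipalName": target_upn,
             # Graph serializes newValue as a JSON-encoded string, hence json.dumps.
             "modifiedProperties": [{"displayName": "Role.DisplayName",
                                     "oldValue": None, "newValue": json.dumps(role)}]},
            {"type": "Role", "displayName": role, "modifiedProperties": []},
        ],
    }


SAMPLE_AUDITS = [
    _audit("2026-04-22T09:14:03Z", "alice.admin@contoso.example", None,
           "bob@contoso.example", "Helpdesk Administrator"),        # routine, not GA
    _audit("2026-04-23T02:41:57Z", "contractor7@contoso.example", None,
           "contractor7@contoso.example", GLOBAL_ADMIN),            # self-grant
    _audit("2026-04-23T10:05:12Z", "alice.admin@contoso.example", None,
           "breakglass1@contoso.example", GLOBAL_ADMIN),            # approved
    _audit("2026-04-24T03:17:44Z", None, "Contoso Legacy Sync",
           "svc-backup@contoso.example", GLOBAL_ADMIN),             # app-initiated
]


def _unquote(value):
    """Undo Graph's JSON quoting of newValue ('"Global Administrator"')."""
    try:
        return json.loads(value) if isinstance(value, str) else value
    except ValueError:
        return value


def _actor(record):
    """(name, kind) of whoever initiated the change: a user UPN or an app name."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user"), by.get("app")
    if user and user.get("userPrincipalName"):
        return user["userPrincipalName"], "user"
    if app and app.get("displayName"):
        return app["displayName"], "app"
    return "unknown", "unknown"


def role_grants(audits, role=GLOBAL_ADMIN):
    """Every successful 'Add member to role' that put a user into `role`."""
    grants = []
    for rec in audits:
        key = (rec.get("category"), rec.get("result"), rec.get("activityDisplayName"))
        if key != ("RoleManagement", "success", "Add member to role"):
            continue
        actor, actor_kind = _actor(rec)
        for target in rec.get("targetResources", []):
            if target.get("type") != "User":
                continue
            roles = {_unquote(p.get("newValue")) for p in target.get("modifiedProperties", [])
                     if p.get("displayName") == "Role.DisplayName"}
            if role in roles:
                upn = target.get("userPrincipalName")
                grants.append({"when": rec["activityDateTime"], "actor": actor,
                               "actor_kind": actor_kind, "target": upn,
                               "self_grant": actor == upn})
    return grants


def suspicious_grants(audits, approved=APPROVED_GLOBAL_ADMINS):
    """GA grants that are self-grants, app-initiated, or to/by someone unapproved."""
    return [g for g in role_grants(audits)
            if g["self_grant"] or g["actor_kind"] != "user"
            or g["target"] not in approved or g["actor"] not in approved]


if __name__ == "__main__":
    for g in suspicious_grants(SAMPLE_AUDITS):
        flag = "  SELF-GRANT" if g["self_grant"] else ""
        print(f"{g['when']} {g['actor']} ({g['actor_kind']}) -> {g['target']}{flag}")
```

A grant initiated by an application rather than a person is flagged on its own, because a legitimate administrative workflow rarely hands out Global Administrator through an app identity, while a compromised service principal doing so is exactly the pattern a role-escalation bug would produce. Compare the output against the current role membership as well, since an attacker who escalated and then cleaned up still leaves the grant in the audit trail.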
INFO | ADVISORY | 4 min read
CISA Launches 2026 SMB Cybersecurity Grant Program — Up to $50K Available for Small Businesses
CISA announced the 2026 State and Local Cybersecurity Grant Program expansion, making funding available to small businesses through state-administered programs. Eligible businesses can receive grants to implement MFA, EDR, and incident response planning.
Action Items
›Check your state's cybersecurity office website for grant application details — programs vary by state
›Eligible uses include MFA implementation, EDR deployment, employee security training, and incident response planning
›Application windows are typically 60-90 days — do not wait to start the process
+2 more at segler.net/security-news
HIGH | THREAT | 4 min read
Google Workspace OAuth Token Theft Campaign — Attackers Bypassing MFA via Malicious App Authorizations
A large-scale campaign is targeting Google Workspace users with malicious OAuth app authorization requests that grant attackers persistent access to Gmail, Drive, and Calendar. Because the grant is made by a user who has already completed sign-in, the resulting tokens are valid without any further MFA prompt and survive password changes until the grant is revoked, so MFA is bypassed entirely. Over 15,000 organizations were targeted in April 2026.
Action Items
›Audit all third-party OAuth app authorizations in your Google Workspace admin console immediately
›Revoke access for any apps you do not recognize or no longer use
›Use the API controls (App access control) settings in the Google Admin console to block unreviewed third-party apps from accessing Workspace data, so users cannot authorize unapproved apps
+2 more at segler.net/security-news
Affected Systems
›Google Workspace (all editions)
›Gmail
›Google Drive
›Google Calendar
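One way to perform the OAuth authorization audit from the action items above, as an added example that is not from the newsletter and not Google code. It groups authorization events by client ID, keeps only unapproved apps that obtained sensitive Gmail, Drive or Calendar scopes, and ranks them by how many distinct users granted access, which is the signature of a consent-phishing campaign. The events are constructed to resemble Admin SDK Reports API token activities (applicationName=token, event name "authorize", parameters client_id, app_name and scope) as the author understands that format; verify the field names against your own export. The allowlist and sample data are assumptions:

```python
"""Find third-party OAuth apps granted sensitive Google Workspace scopes.

Added example; not from the newsletter and not Google code. The events are
constructed to look like Admin SDK Reports API `token` activities (event name
"authorize", parameters client_id, app_name, scope) as the author understands
that format; treat the field names as an assumption. The allowlist and the
sample events are constructed.
"""
from collections import defaultdict

# Scopes that hand over mail, files or the calendar wholesale (constructed list).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar",
}

# Constructed: client IDs the organization has reviewed and approved.
APPROVED_CLIENT_IDS = {"11111.apps.googleusercontent.com"}


def _authorize(time, user, client_id, app_name, scopes):
    """Constructed Reports API activity: one user authorizing one app."""
    return {
        "id": {"time": time, "applicationName": "token"},
        "actor": {"email": user},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": client_id},
            {"name": "app_name", "value": app_name},
            {"name": "client_type", "value": "WEB"},
            {"name": "scope", "multiValue": scopes},
        ]}],
    }


SAMPLE_TOKEN_EVENTS = [
    _authorize("2026-04-14T08:02:11Z", "pat@contoso.example", "11111.apps.googleusercontent.com",
               "Team Chat", ["https://www.googleapis.com/auth/calendar", "openid"]),
    _authorize("2026-04-14T08:03:40Z", "sam@contoso.example", "99999.apps.googleusercontent.com",
               "Docs Helper Pro", ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]),
    _authorize("2026-04-14T08:09:02Z", "kim@contoso.example", "99999.apps.googleusercontent.com",
               "Docs Helper Pro", ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]),
    _authorize("2026-04-14T08:15:27Z", "lee@contoso.example", "99999.apps.googleusercontent.com",
               "Docs Helper Pro", ["https://www.googleapis.com/auth/gmail.readonly"]),
    _authorize("2026-04-14T09:30:00Z", "pat@contoso.example", "55555.apps.googleusercontent.com",
               "Profile Badge", ["openid", "https://www.googleapis.com/auth/userinfo.email"]),
]


def _params(event):
    """Flatten the parameters list into {name: value-or-list}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def risky_authorizations(activities, approved=APPROVED_CLIENT_IDS, sensitive=SENSITIVE_SCOPES):
    """Unapproved apps that obtained a sensitive scope, keyed by client_id and
    ordered by the number of distinct users who authorized them."""
    apps = defaultdict(lambda: {"app_name": None, "users": set(), "scopes": set(), "first": None})
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _params(ev)
            cid = p.get("client_id")
            scopes = set(p.get("scope") or [])
            if not cid or cid in approved or not (scopes & sensitive):
                continue
            entry = apps[cid]
            entry["app_name"] = p.get("app_name")
            entry["users"].add(act["actor"]["email"])
            entry["scopes"] |= scopes & sensitive
            t = act["id"]["time"]  # ISO-8601 UTC strings compare chronologically
            entry["first"] = t if entry["first"] is None or t < entry["first"] else entry["first"]
    return dict(sorted(apps.items(), key=lambda kv: len(kv[1]["users"]), reverse=True))


if __name__ == "__main__":
    for cid, info in risky_authorizations(SAMPLE_TOKEN_EVENTS).items():
        print(f"{info['app_name']} ({cid}): {len(info['users'])} users since {info['first']}")
        print("   scopes:", ", ".join(sorted(info["scopes"])))
```

Keying on client_id rather than app_name matters: the display name is attacker-controlled and is chosen to look like a familiar product, while the client ID is what the revocation and the App access control block actually act on. An app that only asked for openid or userinfo scopes is left out so the review stays focused on grants that can read mail and files.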