Security Check-in Quick Hits: EU Mega-Breach, iOS Zero-Days, F5 & Citrix Exploits, and a Phishing Firm's Ironic Fail
For March 29, 2026
Massive Cyberattack Hits EU Commission, ENISA, and Digital Services – ShinyHunters Strikes Again
In a major incident shaking European institutions, threat actor ShinyHunters has compromised the EU Commission, the European Union Agency for Cybersecurity (ENISA), and the Directorate-General for Digital Services. The attackers leaked a trove of sensitive data, including emails and attachments, the full SSO user directory, DKIM signing keys, AWS configuration snapshots, NextCloud and Athena data, and internal admin URLs.
Security researchers and observers on X are calling it “a mess,” and the inventory of leaked material explains why: it reaches authentication, mail integrity, and cloud infrastructure at once. A leaked DKIM private key lets anyone sign mail that passes DKIM checks for that domain until the selector is revoked; the SSO user directory is a ready-made target list for credential stuffing and phishing; AWS configuration snapshots and internal admin URLs map out where to go next. This is more than embarrassing for the EU’s security posture. It creates real risk to cross-border digital operations and enables follow-on attacks such as account takeover and further data exfiltration.
What to watch: Organizations that run comparable SSO or cloud setups should audit their logs, rotate keys (for DKIM that means publishing a new selector and revoking the old one, not just generating a new key pair), and hunt for known ShinyHunters indicators. The breach underscores that even high-profile government bodies remain prime targets.
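One concrete piece of the key-rotation work is checking which published DKIM selectors still carry a compromised public key. The script below is an added example, not code from the original post or from any of the organisations it names: it parses DKIM TXT records, fingerprints the published key, and flags selectors that are compromised, revoked (empty p=, per RFC 6376), or malformed. The domain, records, and key bytes are constructed placeholders; in a real audit the records come from DNS and the compromised set is built from the public halves of the leaked private keys.

```python
import base64
import hashlib

# Constructed placeholder key material. In a real audit the "compromised" set
# is built from the public halves of the DKIM private keys known to have
# leaked: SHA-256 over the DER-encoded public key, exactly as published in p=.
LEAKED_PUBKEY_DER = b"constructed placeholder for a leaked DKIM public key"
FRESH_PUBKEY_DER = b"constructed placeholder for a freshly generated DKIM public key"
COMPROMISED_FINGERPRINTS = {hashlib.sha256(LEAKED_PUBKEY_DER).hexdigest()}

# Constructed DKIM TXT records for a fictional domain, keyed by DNS name.
# A resolver would normally fill this in (e.g. dig TXT s2024._domainkey.example.eu).
SAMPLE_RECORDS = {
    "s2024._domainkey.example.eu": "v=DKIM1; k=rsa; p=" + base64.b64encode(LEAKED_PUBKEY_DER).decode(),
    "s2026._domainkey.example.eu": "v=DKIM1; k=rsa; p=" + base64.b64encode(FRESH_PUBKEY_DER).decode(),
    "s2019._domainkey.example.eu": "v=DKIM1; k=rsa; p=",        # empty p= means revoked (RFC 6376)
    "junk._domainkey.example.eu": "v=DKIM1; k=rsa; p=not*base64*",
}


def parse_dkim_record(txt):
    """Split a DKIM TXT record ("tag=value; tag=value") into a dict of tags.

    Multi-string TXT answers must be concatenated by the caller first. Unknown
    tags are kept so a human can still inspect them in the report.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DKIM tag: %r" % part)
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def key_fingerprint(tags):
    """Return the SHA-256 hex digest of the published key, or None if revoked.

    RFC 6376 defines an empty p= as "this selector has been revoked". Whitespace
    inside the base64 is legal in DNS TXT data, so it is stripped before decoding.
    """
    p = "".join(tags.get("p", "").split())
    if not p:
        return None
    raw = base64.b64decode(p, validate=True)   # binascii.Error (a ValueError) on junk input
    return hashlib.sha256(raw).hexdigest()


def audit_selectors(records, compromised):
    """Classify each selector as COMPROMISED, REVOKED, OK or MALFORMED."""
    report = {}
    for name, txt in records.items():
        try:
            tags = parse_dkim_record(txt)
            fp = key_fingerprint(tags)
        except ValueError:
            report[name] = "MALFORMED"
            continue
        if tags.get("v", "DKIM1") != "DKIM1":
            report[name] = "MALFORMED"
        elif fp is None:
            report[name] = "REVOKED"
        elif fp in compromised:
            report[name] = "COMPROMISED"
        else:
            report[name] = "OK"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit_selectors(SAMPLE_RECORDS, COMPROMISED_FINGERPRINTS).items()):
        print("%-32s %s" % (name, status))
```

A selector reported as COMPROMISED should be rotated by publishing the new key under a fresh selector name, switching signing to it, and then setting the old selector's record to an empty p= rather than deleting it, so receivers treat old signatures as revoked instead of "no policy".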
Apple Patches Major iOS Zero-Days Exploited in Targeted Attacks
Apple has rolled out urgent fixes in iOS 26.2 and 26.3 for actively exploited zero-days. The 26.2 update addresses WebKit flaws; 26.3 fixes a critical memory corruption vulnerability in dyld, the dynamic linker (CVE-2026-20700). Both were used in sophisticated targeted attacks against users running older versions.
Security accounts on X are urging immediate updates, with one researcher even advertising a 0-click RCE exploit for testing (a reminder of how quickly these flaws can be weaponized). iOS users—especially those in high-risk sectors—face real danger until patched.
Action step: Update to the latest iOS version right now. Enable automatic updates and avoid delaying patches on devices handling sensitive data. Zero-days like these often precede broader campaigns.
CISA Adds Actively Exploited F5 BIG-IP RCE Flaw to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed CVE-2025-53521—an unspecified remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM)—on its Known Exploited Vulnerabilities (KEV) list. Threat actors are already using it in real-world attacks.
F5 BIG-IP appliances sit at the heart of many enterprise networks for traffic management, authentication, and secure app delivery, making RCE here especially dangerous for lateral movement and data theft. CISA gave federal agencies until March 30, 2026, to apply mitigations or disconnect affected systems.
Bottom line: If you run F5 BIG-IP APM, treat this as an emergency patching priority. Review APM and management-plane logs for suspicious admin activity, and segment the appliance from the rest of the network where you can. RCE vulns rarely stay contained.
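The KEV due date is the deadline that drives federal prioritisation, and the same feed is a useful forcing function for everyone else. The script below is an added example, not CISA's or F5's code: it reads a feed in the shape of CISA's KEV JSON (the live file is https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and tells you, for the CVEs you track, which are overdue, which are due within a warning window, and which are not listed. The embedded feed excerpt is constructed; only the F5 CVE and its March 30, 2026 due date come from this post, and the other field values are placeholders. The tracked-CVE list is likewise illustrative, and "NOT_IN_KEV" means absent from this sample, not a statement about the live catalog.

```python
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV feed. The only entry is the
# F5 BIG-IP APM CVE and due date quoted in this post; vendorProject, product
# and requiredAction are illustrative placeholders, not copied from CISA.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-53521",
      "vendorProject": "F5",
      "product": "BIG-IP Access Policy Manager (APM)",
      "dueDate": "2026-03-30",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."
    }
  ]
}
"""

# Constructed inventory: CVEs the reader's asset owners have flagged. Their
# absence from SAMPLE_KEV_JSON says nothing about the real catalog.
TRACKED_CVES = ["CVE-2025-53521", "CVE-2026-3055", "CVE-2026-20700"]


def triage_kev(feed_text, tracked_cves, today, warn_days=7):
    """Map each tracked CVE to (status, dueDate) using a KEV-shaped feed.

    today is an ISO date string so historical runs can be replayed.
    Statuses: OVERDUE (due date passed), DUE_SOON (due within warn_days,
    including today), LISTED (in KEV, due later), NOT_IN_KEV (absent).
    """
    today_d = date.fromisoformat(today)
    by_cve = {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}
    result = {}
    for cve in tracked_cves:
        entry = by_cve.get(cve)
        if entry is None:
            result[cve] = ("NOT_IN_KEV", None)
            continue
        due = date.fromisoformat(entry["dueDate"])
        if due < today_d:
            status = "OVERDUE"
        elif due - today_d <= timedelta(days=warn_days):
            status = "DUE_SOON"
        else:
            status = "LISTED"
        result[cve] = (status, entry["dueDate"])
    return result


if __name__ == "__main__":
    for cve, (status, due) in triage_kev(SAMPLE_KEV_JSON, TRACKED_CVES, "2026-03-29").items():
        print("%-16s %-11s %s" % (cve, status, due or ""))
```

Run against the live feed, this replaces "is it in KEV?" with "how many days do we have?", which is the question an emergency change board actually asks.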
Hackers Ramp Up Probing on Citrix NetScaler – CVE-2026-3055 Looms
Researchers have detected active reconnaissance against Citrix NetScaler ADC and Gateway appliances, specifically those configured as SAML Identity Providers. The target is CVE-2026-3055, a critical (CVSS 9.3) memory over-read caused by insufficient input validation: an unauthenticated attacker can send crafted requests to the /cgi/GetAuthMethods endpoint and extract sensitive memory contents from the appliance.
No full exploitation wave has hit yet, but honeypot data shows attackers fingerprinting SAML setups—signaling the window for patching is closing fast. The flaw echoes past “CitrixBleed” issues and threatens SSO environments across enterprises.
Urgent advice: Patch affected NetScaler instances immediately. If you can’t patch right away, restrict internet exposure of the appliance and monitor for requests to /cgi/GetAuthMethods, POSTs from unfamiliar source addresses in particular; repeated hits from a single source are the fingerprinting pattern the honeypot data shows.
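To make that monitoring advice concrete, here is an added example (not Citrix's code and not from the original post) that runs over HTTP access-log lines and aggregates hits on /cgi/GetAuthMethods per source address. The log format is assumed to be NCSA combined style, as a reverse proxy or an exported appliance log would produce; the sample lines, source addresses (RFC 5737 documentation ranges) and the allowlist are constructed for the example. Nothing here claims to know what the exploit payload looks like; it flags the request pattern the post describes, and the response-size field is reported only as a heuristic.

```python
import re
from collections import defaultdict

# Constructed access-log lines in NCSA combined-style format. Addresses are
# RFC 5737 documentation ranges; nothing here is a real observed probe.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2026:10:14:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512
203.0.113.5 - - [28/Mar/2026:10:14:03 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 8192
203.0.113.5 - - [28/Mar/2026:10:14:03 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 65536
198.51.100.7 - - [28/Mar/2026:10:15:41 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 3211
198.51.100.9 - - [28/Mar/2026:10:15:50 +0000] "GET /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 512
192.0.2.20 - - [28/Mar/2026:10:16:00 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TARGET_PATH = "/cgi/GetAuthMethods"   # endpoint named in the CVE-2026-3055 reports


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]           # compare the path without its query string
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_probes(lines, allowlist=frozenset(), threshold=2):
    """Aggregate hits on TARGET_PATH per source address.

    Returns {src: {"requests", "posts", "max_bytes", "suspicious"}} for every
    non-allowlisted source that touched the endpoint. "suspicious" is true when
    a source hit it at least `threshold` times; repeated requests from one
    address are the fingerprinting pattern the post describes. max_bytes is a
    heuristic only: an over-read can inflate responses, but a large reply is
    not proof of exploitation. The allowlist is for your own SAML service
    providers and monitors (assumed here to be 192.0.2.20).
    """
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "max_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH or rec["src"] in allowlist:
            continue
        s = stats[rec["src"]]
        s["requests"] += 1
        if rec["method"] == "POST":
            s["posts"] += 1
        s["max_bytes"] = max(s["max_bytes"], rec["bytes"])
    for s in stats.values():
        s["suspicious"] = s["requests"] >= threshold
    return dict(stats)


if __name__ == "__main__":
    for src, s in find_probes(SAMPLE_LOG.splitlines(), allowlist={"192.0.2.20"}).items():
        flag = "PROBING" if s["suspicious"] else "single hit"
        print("%-14s requests=%d posts=%d max_bytes=%d %s"
              % (src, s["requests"], s["posts"], s["max_bytes"], flag))
```

The path comparison is exact after stripping the query string; if your front end normalises case or path encoding, apply the same normalisation before matching so that trivial variations do not slip past the rule.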
Phishing Protection Company Breached—Via a Phone Call (900,000 Records)
In a painfully ironic twist making the rounds on X, a company that sells phishing protection services suffered a breach of 900,000 records after falling victim to a simple social-engineering phone call. The firm that claims to “take your security seriously” was phished the old-fashioned way—human error bypassed every technical control they market.
The incident is a stark reminder that even security vendors aren’t immune. Advanced endpoint protection, AI filters, and multi-factor authentication mean nothing if the person who answers the phone hands over credentials.
Takeaway for every organization: Run social-engineering drills regularly. Verify caller identities through secondary channels, enforce strict verification for data access requests, and remember—the human layer is still the weakest (and most exploited) link.
Stay vigilant—patch early, monitor aggressively, and never underestimate the basics.