Security Check-in Quick Hits: F5 Exploits, FBI Director Email Breach, Citrix Recon, Ransomware Spikes, and a Major E-Commerce Leak
For March 30, 2026
CISA Adds Actively Exploited F5 BIG-IP Vulnerability to KEV Catalog – Patch Immediately
CISA has escalated CVE-2025-53521, a critical remote code execution flaw in F5 BIG-IP Access Policy Manager, after confirming in-the-wild exploitation. Multiple threat intelligence roundups flagged it as a “patch-now” priority with a tight deadline. Organizations running affected BIG-IP systems are being urged to apply mitigations without delay to avoid breaches.
Security teams note this joins other recent high-profile network appliance flaws. The consensus on X: treat this as a flaw threat actors are already exploiting, and don’t wait for a public proof-of-concept.
Iran-Linked Handala Hack Group Breaches FBI Director Kash Patel’s Personal Gmail
Pro-Iranian actors from the Handala Hack Team (tied to Iran’s Ministry of Intelligence) compromised FBI Director Kash Patel’s personal email account. They leaked historical photos, documents, and emails (mostly 2010–2019). The FBI confirmed the incident but stressed the data was personal and contained no classified government information. The same group also claimed a wiper malware attack on medical-tech firm Stryker.
This high-profile breach is dominating cybersecurity discussions, highlighting the persistent risk to personal accounts of senior officials even when government systems remain untouched.
Gentlemen Ransomware Group Rapidly Adds Global Victims to Leak Site
The Gentlemen ransomware operation is on a tear. Over the past day, their dark-web portal listed fresh victims across multiple countries and sectors, including:
Global Capital Advisors Group (US)
Tapón Corona (Mexico)
Gesvalt (Spain)
Ravands Plastech (India)
Zanzi (Italy)
Das Labor (Austria)
Aircos Pascual (France)
DYSA Healthcare (Paraguay)
Synergy France
Economia Group (Czech Republic)
A parallel leak-site post showed overlapping organizations with “Data” availability flags, signaling double-extortion tactics.
Analysts describe this as “large-scale activity” with staggered data releases, underscoring how ransomware groups continue to target multiple sectors simultaneously.
Active Reconnaissance Underway on Citrix NetScaler Critical Vulnerability (CVE-2026-3055)
Security researchers reported widespread scanning and reconnaissance for CVE-2026-3055—a CVSS 9.3 memory over-read flaw in Citrix NetScaler appliances. The bug could let unauthenticated attackers leak sensitive memory contents. Threat intel posts labeled it a top patching priority alongside the F5 issue.
X users are advising organizations to check their gateway appliances now—similar “NetScaler-style” memory leaks are being probed across the internet.
Saudi E-Commerce Platform Salla Suffers Massive Data Breach
Grubder threat actors listed a huge dataset from Salla.com (one of Saudi Arabia’s largest digital sales platforms) for sale. The breach includes ~684,000 records covering customer contacts, shop details, physical addresses, ID card information, and more. The data dump exposes the full value chain of the e-commerce ecosystem.
This incident serves as a stark reminder that even regional platforms handling sensitive customer and business data remain prime targets.
Bottom line for today: Network appliances (F5, Citrix) are under active fire, nation-state actors are hitting high-visibility personal targets, ransomware groups are operating at scale, and data brokers are flooding leak sites. Security teams should prioritize the CISA KEV items, review personal account hygiene for executives, and monitor dark-web mentions of their organizations. Stay vigilant—March 30, 2026, is shaping up as another high-alert day in cyberspace.



