The Lyceum: Cybersecurity Daily — Mar 28, 2026
Saturday, March 28, 2026
The Big Picture
● Washington DC, USA · Iran
Iran's Handala hacking group breached the FBI director's personal Gmail, published his family photos and passport scans, and the FBI confirmed it — amid discussions that a decade-old personal email account remains among the softest targets in Washington. Meanwhile, researchers say a fileless email attack called Operation GhostMail is silently harvesting MFA codes and entire mailboxes from Zimbra users the moment they open a message — no clicks, no attachments, no endpoint alerts. And CISA keeps stapling new entries to its Known Exploited Vulnerabilities catalog: an F5 BIG-IP bug just got reclassified from denial-of-service to full remote code execution, SharePoint is under active attack, and a CVSS 10.0 flaw in PTC's industrial software is so urgent that German police are physically waking up system administrators at 3 AM.
What Just Dropped
- CVE-2026-23767 — ESC/POS networked Epson-compatible printers: new Metasploit module enables unauthenticated command injection over TCP against receipt printers on your network. Weaponized as of March 27.
- CVE-2026-29058 — AVideo Encoder (getImage.php): unauthenticated command injection now in Metasploit. No authentication required; video encoding servers exposed to the internet are immediate targets.
- CVE-2025-64328 — FreePBX filestore: authenticated command injection module added to Metasploit. If you run FreePBX, restrict management interfaces and patch.
Today's Stories
Iran-Linked Handala Hacks FBI Director Kash Patel's Personal Gmail — And the FBI Confirmed It
● Iran · United States
If you want a clean illustration of why senior officials shouldn't use personal Gmail for anything even adjacent to work: here it is.
Iran-backed hacking group Handala publicly claimed Friday that it breached the personal email account of FBI Director Kash Patel, then published over 300 emails, passport scans, family photos, and chat logs. The FBI acknowledged the incident, saying it was "aware of malicious actors targeting Director Patel's personal email information" and had "taken all necessary steps to mitigate potential risks." A Justice Department official told Reuters the published materials appear authentic. TechCrunch independently verified some of the leaked emails by examining message headers. The stolen correspondence dates from roughly 2010 to 2019 — personal, business, and travel material, not classified government data.
What makes this operationally significant isn't the contents — it's the context. The breach came days after the Justice Department seized four domains connected to Handala, and the seizure did not deter the group: it explicitly framed the hack as retaliation, writing they "decided to respond to this ridiculous show in a way that will be remembered forever," according to CBS News. Handala, which presents itself as a pro-Palestinian hacktivist collective, is assessed by Western researchers to be a persona operated by Iranian government cyberintelligence units, per CNBC. Amid the U.S.-Israeli war against Iran that began in February, the group has escalated steadily — most notably claiming the destructive wiper attack against medical device giant Stryker. The Trump administration is offering up to $10 million for information identifying Handala members, according to PBS News. Analysts say the group's public, named response is consistent with state-backed operations and indicates a lower concern about operational security.
The failure mode here is obvious and already playing out: personal accounts of senior officials become propaganda weapons in hot conflicts. The success signal is equally clear — if additional email caches from other officials surface in coming days, this graduates from embarrassment to a sustained intelligence operation. If you protect executives, require hardware security keys on personal accounts, kill SMS-based recovery, and treat decade-old email archives as active data-loss risk.
Operation GhostMail: One HTML Email Steals Your MFA Codes, Password Vault, and 90 Days of Mail
This one deserves more attention than it's getting. Researchers at Seqrite Labs documented a campaign they're calling Operation GhostMail, targeting users of Zimbra — the open-source email platform used heavily by governments, universities, and enterprises outside the Microsoft 365 ecosystem.
The attack is genuinely unsettling: no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email. It exploits CVE-2025-66376, a cross-site scripting flaw (XSS — where malicious code runs inside a trusted web page) in Zimbra's webmail interface. The JavaScript executes the moment a victim opens the email in a browser. It harvests credentials, session tokens, backup MFA recovery codes, browser-saved passwords, and the contents of the victim's mailbox going back 90 days — exfiltrating everything over both DNS and HTTPS channels.
Seqrite noted similarities to prior XSS-based campaigns attributed to Russian state-sponsored actors that targeted Ukrainian organizations. If this technique spreads — and fileless, click-free email exploitation is the kind of thing that gets adopted fast — it could force a rethink of email security architectures that assume "don't click links" is sufficient protection. The observable signal: if you see Zimbra-hosted organizations disclosing breaches in the next few weeks with no clear initial access vector, this is likely the method. Patch to Zimbra 10.0.18 or 10.1.13 immediately. This is based on Seqrite Labs' research and hasn't been independently replicated yet, so treat it as credible-but-developing.
That Old F5 Bug You Patched? It's Now a Critical RCE
Here's a scenario nobody enjoys: you triaged a vulnerability last year, decided it was low-priority, and moved on. Now CISA says it's being actively exploited and the severity just jumped to critical.
CVE-2025-53521 affects F5's BIG-IP Access Policy Manager (APM) — the appliance that handles VPN, SSO, and access control for large enterprises. Originally disclosed in 2025 as a denial-of-service issue, it has now been reclassified by F5 as unauthenticated remote code execution with a CVSS of 9.8. CISA added it to the Known Exploited Vulnerabilities catalog on March 27, which by definition means exploitation has been observed. Impacted versions span BIG-IP trains 15.1, 16.1, 17.1, and 17.5, per Wiz's vulnerability tracking.
If this reclassification holds and exploitation broadens, every organization that deprioritized the 2025 advisory faces an emergency patching weekend. If F5 or CISA publishes indicators of compromise in the next few days, use them to retro-hunt your BIG-IP logs — look for unusual crashes on APM virtual servers going back to October. The failure mode is straightforward: unpatched edge appliances become the fastest path from internet to domain compromise. Patch to the vendor-recommended release or pull the appliance off the public internet until you do.
A CVSS 10.0 Flaw Is So Bad, German Police Are Waking Up Admins at 3 AM
When police make house calls for a CVE, pay attention.
CVE-2026-4681 is a maximum-severity vulnerability in PTC's Windchill and FlexPLM — product lifecycle management systems used by manufacturers and industrial organizations to manage everything from design files to supply chain data. The flaw allows remote code execution without authentication. There is no full patch yet — only vendor mitigations.
SecurityAffairs reported that German federal law enforcement physically contacted affected companies, sometimes in the middle of the night, to warn them. The intersection of a perfect CVSS score, no patch, and government-initiated outreach is exceptionally rare. If you run PTC Windchill or FlexPLM, apply vendor mitigations immediately and isolate these systems from the internet. The signal to watch: if a working exploit appears publicly before PTC ships a full patch, this becomes the next mass-exploitation event in the manufacturing sector. The absence of a patch means the window between "mitigated" and "compromised" is entirely dependent on how quickly you act today.
⚡ What Most People Missed
- BeyondTrust's RCE is now tied to ransomware operations. SC Magazine reports CISA tied a BeyondTrust remote code execution vulnerability to active ransomware campaigns. When the privileged access management vault — the tool you use to control admin rights — becomes the skeleton key, the entire security model inverts. Verify you're on the fixed release and audit PAM logs for unusual session creation.
- The European Commission confirmed a breach of its AWS cloud infrastructure. According to Cybersecurity News, attackers compromised a cloud tenant used for public-facing services. The Commission says core internal networks were segmented and unaffected, but the incident underscores that cloud IAM misconfigurations are now a primary vector against government bodies — not just startups.
- A researcher found a vulnerability and got threatened with lawyers instead of a thank-you. A personal blog post hit 917 points on Hacker News, with hundreds of practitioners sharing similar experiences. Legal retaliation against good-faith researchers doesn't just hurt individuals — it degrades the ecosystem's early warning system. Relatedly, attackers are now weaponizing fake CVE disclosures on GitHub to distribute malware to developers under the guise of "responsible disclosure."
- Self-hosted mail and camera software both got public exploits this week. A host header poisoning exploit for mailcow turns password resets into phishing weapons, and a remote code execution exploit for motionEye cameras turns DIY surveillance into a network foothold. Neither has confirmed in-the-wild exploitation yet, but public PoCs accelerate that timeline significantly.
- Citrix NetScaler has a new "CitrixBleed"-style flaw. HIPAA Journal reports CVE-2026-3055 is a CVSS 9.3 memory over-read in NetScaler ADC/Gateway when configured as a SAML identity provider. No public exploit yet, but researchers are already drawing comparisons to the 2023 CitrixBleed disaster. Patches are available now.
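The mailcow item above turns on a general web-application mistake, so here is an added example of the pattern (this is not mailcow's code, which the page does not show, and all names, the configuration value and the log format are constructed for illustration): a password-reset handler that builds the reset link from the client-supplied Host header will happily mail out a link pointing at whatever domain the requester named, which is what makes the reset flow a phishing vehicle. The hardened variant pins the link to an operator-configured canonical host and refuses mismatches, and a small log check shows how to hunt for the same mismatch after the fact.

```python
"""Host-header poisoning of password-reset links: vulnerable vs. hardened,
plus a retro-hunt over constructed access-log lines. Added illustration,
not code from mailcow or any other project named on this page."""
from urllib.parse import urlencode

# Constructed: the operator configures the one hostname reset links may use.
CANONICAL_HOST = "mail.example.org"


def normalize_host(raw: str) -> str:
    """Lower-case the Host value and strip an optional :port suffix.
    (IPv6 literals are not handled; a mail hostname is expected here.)"""
    return raw.strip().split(":")[0].lower()


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """VULNERABLE pattern: the link's domain comes straight from the request.
    A reset request carrying 'Host: <attacker-domain>' yields a link to the
    attacker, and the victim receives it from the legitimate mail server."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset?{urlencode({'token': token})}"


def reset_link_hardened(headers: dict, token: str):
    """HARDENED pattern: the link is always built from CANONICAL_HOST, and a
    request whose Host does not match is refused (return None so the caller
    can log it and send nothing)."""
    if normalize_host(headers.get("Host", "")) != CANONICAL_HOST:
        return None
    return f"https://{CANONICAL_HOST}/reset?{urlencode({'token': token})}"


# Constructed access-log excerpt in a hypothetical "<ts> <method> <path> Host=<host>"
# format; the third and fourth lines are the ones a defender wants to find.
SAMPLE_LOG = """\
2026-03-27T02:58:10Z POST /reset-request Host=mail.example.org
2026-03-27T03:01:22Z POST /reset-request Host=mail.example.org:443
2026-03-27T03:12:44Z POST /reset-request Host=mail.example.org.evil.test
2026-03-27T03:12:45Z GET /index.php Host=203.0.113.9
"""


def host_mismatches(log_text: str, allowed=(CANONICAL_HOST,)) -> list:
    """Return (timestamp, path, host) for every request whose Host header is
    not in the allow-list. Run this over historical logs to spot poisoning
    attempts that a Host-trusting handler would have acted on."""
    allowed = {normalize_host(a) for a in allowed}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the hunt
        ts, _method, path = parts[0], parts[1], parts[2]
        host_field = next((p for p in parts[3:] if p.startswith("Host=")), None)
        if host_field is None:
            continue
        host = host_field[len("Host="):]
        if normalize_host(host) not in allowed:
            hits.append((ts, path, host))
    return hits


if __name__ == "__main__":
    evil = {"Host": "mail.example.org.evil.test"}
    print("vulnerable link :", reset_link_from_host_header(evil, "abc"))
    print("hardened link   :", reset_link_hardened(evil, "abc"))
    for hit in host_mismatches(SAMPLE_LOG):
        print("host mismatch   :", hit)
```

The fix is the configuration, not the parser: a reset link must never be derived from anything the requester controls. Pinning the external hostname also makes the mismatch check cheap to alert on, because a legitimate client of a mail server has no reason to send any other Host value.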
From the Foreign Press
Silver Dragon Targets Organizations in Southeast Asia and Europe
● Southeast Asia
Check Point Research published new findings on "Silver Dragon," a campaign targeting organizations across Southeast Asia and Europe. The research details the campaign's infrastructure, targeting patterns, and tooling. While full technical details are behind Check Point's research portal, the geographic scope — spanning two continents — and the timing alongside other state-aligned campaigns make this worth tracking for organizations with operations in either region. Source: Check Point Research — English-language original. No English-language press coverage confirmed at time of publication.
TP-Link Routers Receive Patch for Critical Authentication Bypass
Xakep.ru reports that TP-Link has patched CVE-2025-15517, a critical authentication bypass vulnerability in its router firmware. The flaw allowed attackers to bypass login protections entirely — a worst-case scenario for consumer and small-business routers that often sit unpatched for years. Given TP-Link's massive global install base and the ongoing U.S. government scrutiny of Chinese-manufactured networking equipment, this patch deserves attention even if it hasn't crossed into English-language coverage yet. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Coruna Exploit Kit Linked to "Operation Triangulation"
Xakep.ru reports that researchers have connected the Coruna exploit kit to Operation Triangulation — the sophisticated iOS zero-click attack campaign disclosed by Kaspersky in 2023 that targeted iPhones via iMessage. The new research suggests shared infrastructure or tooling lineage between Coruna and the original Triangulation operators, potentially expanding the known scope of that campaign. If confirmed by additional researchers, this would represent a significant development in understanding the supply chain behind one of the most advanced mobile exploitation campaigns ever documented. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Handala publishes additional email caches from other U.S. officials, the operation would move from a one-off embarrassment toward a sustained Iranian hack-and-leak campaign with actionable counterintelligence implications for those officials' networks and contacts.
- If a working PoC for the PTC Windchill CVSS 10.0 drops before a full patch ships, expect mass scanning of manufacturing and industrial PLM systems within 48 hours — defenders should prioritize isolation and incident response playbooks for supply-chain and design-data exposures.
- If Zimbra-hosted organizations begin disclosing breaches with no clear initial access vector, Operation GhostMail's fileless XSS technique is likely spreading and attackers could be trivially harvesting tokens and MFA recovery material from defender populations that rely on browser-stored credentials.
- If F5 or CISA publishes IOCs for CVE-2025-53521, retro-hunt your BIG-IP APM logs immediately — the reclassification from DoS to RCE means exploitation may have been occurring under the radar and successful intrusions will show lateral-movement indicators in downstream logs.
- If BeyondTrust ships another emergency patch, that would indicate researchers or operators have uncovered additional abuse patterns in PAM telemetry; treat anomalous PAM activity as a potential live incident and escalate authentication and session-review processes.
The Closer
The FBI director's decade-old Gmail turned into a propaganda weapon, a single HTML email is silently vacuuming entire mailboxes without a click, and German police are literally knocking on doors at 3 AM over a CVE.
Somewhere, a mailcow admin is reading about host header poisoning and realizing their self-hosted privacy fortress has a screen door on the back.
Stay patched, stay paranoid.
If someone you know runs SharePoint, Zimbra, or their own email server, forward this before they find out the hard way.