Critical Claude Code Vulnerabilities Allowed RCE and API Key Theft Across Developer Workstations

Check Point researchers identified three critical vulnerabilities in Claude Code, an AI coding tool, all stemming from its use of project-level configuration files stored in repositories, which an attacker with commit access could exploit. The first allowed remote code execution (RCE) by manipulating the `.claude/settings.json` file to inject malicious shell commands as "hooks," which would execute automatically on collaborators' machines; it was reported on July 21, 2025, and patched by August 29, 2025 (GHSA-ph6w-f82w-28w6). The second RCE vulnerability bypassed the Model Context Protocol (MCP) consent mechanism: specific repository settings could override the safeguards, so commands from `.mcp.json` executed immediately on launch without user approval; it was reported on September 3, 2025, patched later that month, and assigned CVE-2025-59536. The third issue enabled Anthropic API key theft by overriding `ANTHROPIC_BASE_URL` in the project configuration, redirecting API requests, which carry the full API key in plain text, to an attacker-controlled server before any trust prompt appeared; a stolen key could then grant full read/write access to workspace files. It was reported on October 28, 2025, patched, and assigned CVE-2026-21852 on January 21, 2026; affected versions are Claude Code prior to 2.0.65. These findings highlight a broader supply chain risk as AI tools integrate into development workflows: configuration files that directly influence development environment behavior and command execution become a new attack vector.

Severity: Critical

Threat Details and IOCs

Malware: ClearFake, ClickFix
CVEs: CVE-2025-59536, CVE-2026-21852
Technologies: Anthropic Claude, Apple macOS, Git, Linux, Microsoft Visual Studio, Microsoft Windows
Threat Actors: APT28, LockBit, MuddyWater, TA571
Attacker Countries: Brazil, China, Iran, Russia
Attacker Domains: attacker-server.com
Attacker URLs: http://attacker-server.com, http://attacker-server.com/payload.sh
Victim Industries: Aerospace, Automotive, Financial Services, Government, Healthcare, Health Care Technology, Hospitality, Information Technology, Insurance, Legal Services, Manufacturing, Retail, Software, Technology Hardware, Utilities
Victim Countries: Germany, India, Israel, Japan, South Korea, United Kingdom, United States

Mitigation Advice

  • Ensure all developer workstations using Claude Code are updated to the latest version to remediate the identified vulnerabilities.
  • Immediately initiate a rotation of all Anthropic API keys used by developers and audit their usage logs for any anomalous activity.
  • Perform a targeted scan across all source code repositories for the files `.claude/settings.json` and `.mcp.json` to audit their contents for unauthorized hooks, suspicious server configurations, or `ANTHROPIC_BASE_URL` overrides.

Compliance Best Practices

  • Establish a formal security review and approval process for all new developer tools, IDE plugins, and AI assistants before they are permitted for use in the corporate environment.
  • Configure source code scanning tools to automatically detect and flag the addition or modification of executable hooks and suspicious URL overrides within project-level configuration files.
  • Implement and enforce a strict policy for API key management that mandates the principle of least privilege, ensuring keys are scoped to the minimum required permissions and have defined expiration dates.
  • Develop and implement a recurring security awareness training program for developers that specifically covers the risks of project-based configuration files that can execute code, such as git hooks or IDE-specific settings.

Critical Trend Micro Apex One Vulnerabilities Allow Remote Malicious Code Execution

Trend Micro has disclosed eight security vulnerabilities impacting its Apex One endpoint protection platform, as well as Worry-Free Business Security and Worry-Free Business Security Services. A critical arbitrary code execution vulnerability, CVE-2023-41179 (CVSSv3 9.1), affects the third-party AV uninstaller module across these products. Exploitation of this flaw requires prior administrative console access and has been observed in the wild, leading to its inclusion in the CISA Known Exploited Vulnerabilities catalog. Remediation includes applying SP1 Patch 1 (B12380) for Apex One 2019, SP1 Patch 1 (B12380) with Agent version 14.0.12637 for Apex One as a Service, version 10.0 SP1 Patch 2495 for Worry-Free Business Security, and the July 31, 2023, Monthly Maintenance Release for Worry-Free Business Security Services. Additional mitigations involve restricting administrative console access to trusted networks and implementing detection measures such as monitoring for unusual process spawning, system file modifications, anomalous network connections, and suspicious authentication logs. Qualys customers can identify vulnerable assets using QID 378868.

Severity: Critical

Threat Details and IOCs

Malware: SparkRAT, VShell
CVEs: CVE-2025-54948, CVE-2025-54987, CVE-2025-71210, CVE-2025-71211, CVE-2025-71212, CVE-2025-71213, CVE-2025-71214, CVE-2025-71215, CVE-2025-71216, CVE-2025-71217
Technologies: Apple macOS, Microsoft Windows, Trend Micro, Trend Micro Apex One, Trend Micro Vision One
Attacker Countries: China
Victim Industries: Education, Financial Services, Government, Healthcare, Manufacturing, Retail, Telecommunications
Victim Countries: France, Hong Kong, Japan, Taiwan, United States

Mitigation Advice

  • Immediately apply Service Pack 1, Patch 1 (Build 12380) to all on-premises Trend Micro Apex One 2019 servers.
  • For Trend Micro Apex One as a Service, ensure the environment is updated to Service Pack 1, Patch 1 (Build 12380) and that all agents are updated to version 14.0.12637 or later.
  • If using Trend Micro Worry-Free Business Security, apply Patch 2495 to all version 10.0 SP1 installations.
  • Use a vulnerability scanner with the latest signatures, such as Qualys QID 378868, to scan the entire network and identify all assets vulnerable to CVE-2023-41179.
  • In your SIEM or EDR, actively hunt for any instances of Trend Micro service processes spawning child processes like 'cmd.exe' or 'powershell.exe'.
  • Review Trend Micro Apex One administrative console authentication logs for successful logins from unexpected IP addresses, geolocations, or outside of normal business hours.
  • Immediately apply firewall rules to restrict all access to the Trend Micro Apex One management console to only essential administrative workstations and jump servers.

Compliance Best Practices

  • Design and implement network segmentation to isolate all security management consoles, including Trend Micro Apex One, into a secure management zone accessible only from a limited set of hardened administrative workstations.
  • Establish a quarterly review process for all accounts with administrative privileges to the Trend Micro Apex One console and enforce the principle of least privilege by removing or downgrading permissions for any accounts that do not strictly require them.
  • Formalize and resource a vulnerability management policy that defines strict SLAs for patching critical vulnerabilities, especially those on the CISA KEV list, on internet-facing systems and security infrastructure.
  • Develop, test, and deploy validated detection rules in your SIEM or EDR to create high-fidelity alerts for suspicious activity originating from Trend Micro processes, such as anomalous child process creation or network connections to untrusted destinations.

OpenClaw `tools.exec.safeBins` Bypass for Unapproved Execution

CVE-2026-28363 identifies a critical vulnerability in OpenClaw, scored 9.9 on the CVSS scale, that bypasses the `tools.exec.safeBins` validation logic. The flaw specifically affects the `sort` command when configured in allowlist mode, enabling an attacker to achieve approval-free execution of paths that are explicitly designed to require security approval. The root cause is OpenClaw's incomplete interpretation of GNU long-option abbreviations: the validation routine fails to recognize functionally equivalent abbreviated options (e.g., `--compress-prog` instead of `--compress-program`), so the allowlist check is bypassed. The vulnerability is network-accessible, requires no authentication or specific privileges, and impacts OpenClaw versions prior to 2026.2.23 where the `tools.exec.safeBins` feature is configured with an allowlist for `sort`. Exploitation involves crafting input with such an abbreviated option to execute unintended or malicious code. Remediation requires upgrading OpenClaw deployments to version 2026.2.23 or any subsequent release that incorporates the necessary validation fixes.

Severity: Critical

Threat Details and IOCs

Malware: ClawHavoc, Trojan/OpenClaw.PolySkill
CVEs: CVE-2026-24763, CVE-2026-25253, CVE-2026-28363
Technologies: GNU inetutils, Linux, OpenClaw
Threat Actors: ClawHavoc
Victim Industries: Financial Services, Market Research, Software
Victim Countries: China, United States

Mitigation Advice

  • Use asset management systems, software bill of materials (SBOM) tools, and network scanners to identify all instances of OpenClaw in the environment and their corresponding version numbers.
  • Upgrade all identified vulnerable OpenClaw instances to version 2026.2.23 or newer.
  • In your SIEM, create a detection rule to alert on process execution events where the `sort` command is invoked with abbreviated long options, such as `--compress-prog`, which could indicate an exploitation attempt of CVE-2026-28363.
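To show what the detection rule in the last bullet has to account for, here is added example code (mine, not OpenClaw's validator) that resolves `sort` long options the way GNU getopt_long does, so a unique prefix such as `--compress-prog` is recognized as `--compress-program` and flagged instead of being treated as an unknown string. The option table is reproduced from coreutils `sort --help` as I recall it, and the command lines are constructed.

```python
import os
import shlex

# GNU coreutils `sort` long options, reproduced from `sort --help` as I
# remember it; confirm against the coreutils build deployed in your fleet.
SORT_LONG_OPTIONS = frozenset({
    "batch-size", "buffer-size", "check", "compress-program", "debug",
    "dictionary-order", "field-separator", "files0-from", "general-numeric-sort",
    "human-numeric-sort", "ignore-case", "ignore-leading-blanks",
    "ignore-nonprinting", "key", "merge", "month-sort", "numeric-sort", "output",
    "parallel", "random-sort", "random-source", "reverse", "sort", "stable",
    "temporary-directory", "unique", "version-sort", "zero-terminated", "help",
    "version"})

def resolve_long_option(name):
    """Expand a name the way getopt_long does: an exact match wins, otherwise
    every known option it prefixes is a candidate (one candidate = accepted)."""
    if name in SORT_LONG_OPTIONS:
        return [name]
    return sorted(o for o in SORT_LONG_OPTIONS if o.startswith(name))

def abbreviated_sort_options(cmdline):
    """Return (token, candidates) for each abbreviated long option on a sort
    command line; [] if the command is not sort or uses only full names.
    `--` ends option parsing, so anything after it is a filename."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return []
    if not argv or os.path.basename(argv[0]) != "sort":
        return []
    hits = []
    for tok in argv[1:]:
        if tok == "--":
            break
        if tok.startswith("--"):
            name = tok[2:].split("=", 1)[0]
            candidates = resolve_long_option(name)
            if candidates and candidates != [name]:
                hits.append((tok, candidates))
    return hits

# Constructed process-execution command lines, not from the advisory.
SAMPLE_CMDLINES = [
    "sort --compress-prog=/tmp/helper data.txt",  # abbreviated: alert
    "sort --compress-program=gzip data.txt",       # full name: benign
    "/usr/bin/sort -k 2 --rev data.txt",           # abbreviated: alert
    "sort -- --compress-prog",                     # filename after --: benign
    "ls --col",                                    # not sort: ignore
]

def alerts(cmdlines):
    """Return the command lines that carry an abbreviated option, with hits."""
    return [(c, h) for c in cmdlines if (h := abbreviated_sort_options(c))]
```

An allowlist that does the same expansion before comparing option names closes the gap the advisory describes; a rule that only string-matches `--compress-prog` misses every other abbreviation getopt_long accepts.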

Compliance Best Practices

  • Implement and configure host-based security controls like AppArmor or SELinux to create strict execution policies for services like OpenClaw, preventing them from running unauthorized commands or binaries, regardless of application-level vulnerabilities.
  • Update secure coding standards and developer training to include specific guidance on sanitizing inputs passed to shell commands, emphasizing the need to handle variations like command-line option abbreviations.
  • Formalize and automate the software asset inventory process to ensure all third-party and open-source components are tracked, allowing for rapid identification of systems affected by newly disclosed vulnerabilities.

New Dohdoor Malware Campaign Targets Education and Health Care

A malicious campaign, active since December 2025, by threat actor UAT-10027, targets education and healthcare sectors in the United States with a previously undisclosed backdoor named Dohdoor. This multi-stage attack likely begins with social engineering phishing, leading to a PowerShell script downloading a Windows batch script. The batch script then performs DLL sideloading of Dohdoor using legitimate Windows executables and conducts anti-forensic cleanup by deleting Run command history and clearing clipboard data. Dohdoor, a 64-bit DLL, utilizes DNS-over-HTTPS (DoH) via Cloudflare for stealthy command-and-control (C2) communications, bypassing traditional DNS and network monitoring. It dynamically resolves Windows API functions, parses command-line arguments, and decrypts payloads using a custom XOR-SUB position-dependent cipher. To evade detection, Dohdoor employs process hollowing to inject decrypted payloads (potentially Cobalt Strike Beacon) into legitimate Windows processes like OpenWith.exe or ImagingDevices.exe, and implements an EDR bypass technique by unhooking system calls in ntdll.dll. Technical characteristics, including the decryption method, NTDLL unhooking, DoH implementation, process hollowing, and specific TLD usage, show low-confidence overlaps with North Korea-nexus Lazarus Group, despite the campaign's victimology deviating from Lazarus's typical targets. Indicators of compromise are available.

Severity: High

Threat Details and IOCs

Malware: BEACON, Cobalt Strike, Cobalt Strike Beacon, Dohdoor, LazarDoor, LazarLoader, Maui ransomware
Technologies: Cloudflare, Microsoft Windows
Threat Actors: Kimsuky, LazarusGroup, SilentChollima, UAT10027
Attacker Countries: North Korea
Attacker Domains: deepinspectionsystem.design, deepinspectionsystem.online, deepinspectionsystem.software, mswinsoftupdload.design, mswinsoftupdload.online, mswinsoftupdload.software
Attacker Hashes: 466556e923186364e82cbdb4cad8df2c, 7ff31977972c224a76155d13b6d685e3
Victim Industries: Education, Healthcare, Health Care Technology
Victim Countries: United States

Mitigation Advice

  • Update antivirus definitions to include the specified ClamAV signatures for Dohdoor malware and its associated PowerShell loaders.
  • Deploy the specified SNORT rules (SIDs 65950, 65951, 65949 for Snort2; 301407, 65949 for Snort3) to your network intrusion detection and prevention systems.
  • In your network monitoring tools and logs, hunt for the JA3S hash '466556e923186364e82cbdb4cad8df2c' and the TLS certificate serial number '7FF31977972C224A76155D13B6D685E3'.
  • Search web proxy, firewall, and DNS logs for the User-Agent strings 'insomnia/11.3.0', 'curl/7.88', and 'curl/7.83.1' and create alerts for future occurrences.
  • Create a detection rule to alert when 'Fondue.exe', 'mblctr.exe', or 'ScreenClippingHost.exe' are executed from paths other than 'C:\Windows\System32\', particularly from 'C:\ProgramData\' or 'C:\Users\Public\'.
  • Create detection rules in your SIEM or DNS security tool to identify and alert on DNS queries to TLDs such as '.online', '.design', or '.software' that use irregular capitalization.
  • Download all Indicators of Compromise (IOCs) from the linked GitHub repository and import them into your SIEM, EDR, and threat intelligence platform for blocking and alerting.
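As an added example that is not part of the report (my own code, not its published detection content), the two host- and DNS-side rules above run over constructed Sysmon-style events. The process check normalizes the image path before comparing, because a raw string-prefix test on `C:\Windows\System32\` is defeated by case differences and `..` segments on NTFS; the DNS check flags names ending in `.online`, `.design` or `.software` that are not uniformly lowercase.

```python
import ntpath

# Constructed Sysmon-style events (not the report's IOCs): process-creation
# image paths and DNS query names as a SIEM would forward them.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\ProgramData\Fondue.exe"},
    {"type": "process", "image": r"c:\windows\system32\fondue.exe"},
    {"type": "process", "image": r"C:\Windows\System32\..\..\Users\Public\mblctr.exe"},
    {"type": "process", "image": r"C:\Users\Public\notepad.exe"},
    {"type": "dns", "query": "updatecheck.Design"},
    {"type": "dns", "query": "cdn.example.software"},
    {"type": "dns", "query": "Example.COM"},
]

WATCHED_IMAGES = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
EXPECTED_DIR = r"C:\Windows\System32"
WATCHED_TLDS = {"online", "design", "software"}

def watched_image_outside_system32(image):
    """True when one of the sideloading hosts named in the report runs from
    anywhere other than System32. NTFS paths are case-insensitive and may
    carry `..` segments, so normalize before comparing; a raw string prefix
    check would miss both cases."""
    directory, name = ntpath.split(ntpath.normpath(image))
    if name.lower() not in WATCHED_IMAGES:
        return False
    return directory.lower() != EXPECTED_DIR.lower()

def mixed_case_query_to_watched_tld(qname):
    """True for a query ending in .online/.design/.software whose name is not
    uniformly lowercase, the irregular capitalization the report calls out."""
    labels = qname.rstrip(".").split(".")
    return labels[-1].lower() in WATCHED_TLDS and qname != qname.lower()

def hunt(events):
    """Run both checks over a batch of events and return (rule, value) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and watched_image_outside_system32(ev["image"]):
            findings.append(("lolbin_outside_system32", ev["image"]))
        elif ev["type"] == "dns" and mixed_case_query_to_watched_tld(ev["query"]):
            findings.append(("mixed_case_watched_tld", ev["query"]))
    return findings

if __name__ == "__main__":
    for rule, value in hunt(SAMPLE_EVENTS):
        print(rule, value)
```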

Compliance Best Practices

  • Develop a corporate policy to manage DNS-over-HTTPS (DoH) traffic by either blocking it outright to known public DoH resolvers or forcing all endpoint DNS requests through a monitored internal DNS resolver that can inspect or control such queries.
  • Enable PowerShell Script Block Logging, Module Logging, and Transcription across all Windows endpoints and ensure these logs are forwarded to a central SIEM for analysis and alerting.
  • Implement an application control solution, such as Windows Defender Application Control (WDAC) or AppLocker, to restrict the execution of system utilities and LOLBins from non-standard directories like 'C:\ProgramData' and user profiles.
  • Evaluate your current Endpoint Detection and Response (EDR) solution's ability to prevent or detect user-mode API unhooking techniques. Engage with the vendor to understand and enable relevant protective features.
  • Enhance the employee security awareness program to include regular phishing simulations that specifically test for lures involving script downloads and social engineering themes relevant to our industry.
  • Configure your email security gateway to block or strictly quarantine emails with executable attachments, script files (.ps1, .bat, .cmd), and URLs leading directly to such files.

ServiceNow AI Platform Vulnerability Allows Remote Code Execution

A critical security vulnerability, tracked as CVE-2026-0542 and detailed in advisory KB2693566 published on February 25, 2026, has been identified in the ServiceNow AI Platform. This flaw permits unauthenticated attackers to remotely execute arbitrary code within the ServiceNow Sandbox environment. Although exploitation is confined to the sandbox, successful attacks could expose sensitive workflow data, automation logic, and enterprise integrations. As of the advisory date, no active exploitation has been detected in the wild. ServiceNow proactively deployed security updates to hosted customer instances on January 6, 2026, and patches are available for self-hosted customers and partners, including specific fixed versions such as Zurich Patch 4 Hotfix 3b, Zurich Patch 5, Yokohama Patch 10 Hotfix 1b, Yokohama Patch 12, and Xanadu Patch 11 Hotfix 1a. Organizations utilizing the ServiceNow AI Platform are strongly advised to apply these relevant patches immediately, particularly for internet-accessible or externally integrated deployments.

Severity: Critical

Threat Details and IOCs

Malware: DarkCloud, ResidentBat
CVEs: CVE-2026-0542
Technologies: ServiceNow Now Platform
Attacker Countries: Russia
Victim Industries: Financial Services, Government, Healthcare, Insurance, Manufacturing, Professional Services, Public Sector, Retail, Telecommunications
Victim Countries: Australia, India, United Kingdom, United States

Mitigation Advice

  • Identify all self-hosted ServiceNow instances, determine their current release version (e.g., Zurich, Yokohama, Xanadu), and immediately apply the corresponding patch or hotfix as specified in security advisory KB2693566.
  • Contact your ServiceNow account manager or check your administration portal to confirm that the security update for CVE-2026-0542 has been successfully applied to all your cloud-hosted ServiceNow instances.
  • Give patching priority to any ServiceNow instances that are internet-accessible or have external integrations, as they have the highest exposure to this unauthenticated RCE vulnerability.
  • Review ServiceNow application and system logs for any unusual or anomalous activity related to the AI Platform or sandbox environment, particularly around the time the vulnerability was disclosed.

Compliance Best Practices

  • Establish or improve a comprehensive software asset management (SAM) program to maintain an up-to-date inventory of all applications, their versions, and their hosting models (e.g., self-hosted, SaaS).
  • Conduct a security review of the ServiceNow sandbox configuration to enforce the principle of least privilege, limiting its access to sensitive data, APIs, and enterprise integrations to only what is absolutely necessary.
  • For self-hosted ServiceNow instances, implement or strengthen network segmentation controls to restrict access to the platform from only trusted internal networks and authorized administrative endpoints.
  • Review and formalize the organization's vulnerability management and incident response plan, specifically defining roles, communication channels, and timelines for responding to critical, zero-day, or unauthenticated vulnerabilities.

Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5