This week's report covers a critical, actively exploited flaw in Microsoft SharePoint Server; a high-severity vulnerability in ConnectWise ScreenConnect being targeted by attackers; a supply chain attack on a widely used security scanning tool for software development pipelines; an FBI and CISA warning about Russian-linked actors posing as Signal support to steal accounts; and a phishing-led cyberattack on Intuitive, maker of the da Vinci robotic surgery system.
A critical vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-20963, is now being actively exploited by unknown attackers. The flaw carries a CVSS severity score of 9.8 out of 10. It allows an attacker with no login credentials to run code of their choosing on a SharePoint server simply by sending it a specially crafted request: unauthenticated remote code execution, with no user interaction required.
Microsoft patched the vulnerability as part of its January 2026 updates and stated at the time that exploitation was "less likely." That assessment has now changed. The US government's cybersecurity agency CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 19 March 2026 and gave federal agencies just three days to apply the fix. NHS England's National CSOC has assessed that further exploitation is highly likely.
Microsoft SharePoint is one of the most widely used platforms globally for document management, team collaboration, and internal intranets. It is used extensively across NHS trusts, local authorities, and the suppliers and technology partners that support them.
An attacker who can exploit this flaw remotely and without authentication could read or steal files, move deeper into your network, or use your SharePoint server as a launchpad for further attacks, potentially including ransomware. Because exploitation is already under way, patching is an immediate priority rather than a scheduled task. If an internet-facing SharePoint server has been running unpatched since the January update, patching alone is not sufficient: treat it as potentially already compromised and review it for signs of intrusion before trusting it again.
ConnectWise has released a security update to fix a vulnerability in ScreenConnect, its widely used remote access and IT support tool. The flaw, CVE-2026-3564, carries a CVSS severity score of 9.0 out of 10 and relates to how the software checks cryptographic signatures used for authentication. An attacker who can obtain server-level cryptographic material could use the flaw to gain unauthorised access to ScreenConnect, potentially with elevated privileges. ConnectWise has warned that this vulnerability is either already being targeted or is at high risk of being targeted. The fix is included in ScreenConnect version 26.1; confirm the version actually running on each server rather than relying on the last recorded upgrade.
ScreenConnect is used by IT support teams and managed service providers to connect to and control devices remotely. It is a popular tool among NHS suppliers and managed service providers that support health organisations. Remote access tools have historically been a prime target for ransomware groups. If your organisation uses ScreenConnect — or if any of your IT suppliers do on your behalf — this vulnerability should be treated as time-sensitive. Under DSPT requirements, NHS suppliers are expected to maintain patching disciplines on tools that provide remote access to clinical or health data environments.
Security researchers discovered that the aquasecurity/trivy-action GitHub Action, a widely used tool that scans software for vulnerabilities as part of automated development pipelines, was compromised in a supply chain attack. Versions prior to 0.35.0 were found to contain malicious code capable of stealing secrets and credentials from any system that ran the affected action. The compromise was active from 19:00 on 19 March 2026. A clean version (0.35.0) has since been released. Any pipeline that ran an affected version of the action during the compromise window should be treated as fully compromised, and every secret that pipeline could reach (repository and organisation secrets, cloud credentials, registry tokens, signing keys) should be rotated immediately.
This is a software supply chain attack — malicious code inserted into a legitimate, trusted tool, so that organisations are compromised simply by using software they already trust. For NHS suppliers and digital health companies that build or maintain software products, this is directly relevant. Tools like Trivy are commonly included in development pipelines as a security check. The DSPT includes requirements around secure development practices and supply chain risk; incidents like this are exactly the kind of scenario those requirements are designed to address.
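The first practical question for any team that uses Trivy in CI is which workflows reference the action and how. The script below is an added example written for this report, not code from Aqua Security or the trivy-action project. It scans GitHub Actions workflow files for `uses:` lines that reference aquasecurity/trivy-action and classifies each reference as a 40-character commit SHA, a version tag below 0.35.0 (affected, per the report), a version tag at or above 0.35.0, or a mutable name such as a branch. The two workflow files, their contents and the commit SHA are constructed for the example. Two caveats are built in: a version tag on GitHub is itself a movable pointer, so even a reference to 0.35.0 is only as trustworthy as the tag, and a SHA pin only guarantees that the reference cannot move, not that the pinned commit is clean, so SHA pins still need checking against the project's published history.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow files for the example; not taken from any real repository.
# The 40-character SHA below is hypothetical and does not correspond to a real commit.
SAMPLE_WORKFLOWS = {
    ".github/workflows/scan.yml": """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/example/app:latest
""",
    ".github/workflows/release.yml": """\
name: release
on: [release]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: "aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee"  # hypothetical SHA
""",
}

TARGET_REPO = "aquasecurity/trivy-action"
CLEAN_VERSION = (0, 35, 0)  # first clean release named in the report

# Matches a `uses: owner/repo[/path]@ref` step line, quoted or unquoted.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<repo>[^/\s'"@]+/[^/\s'"@]+)(?:/[^@\s'"]*)?@(?P<ref>[^\s'"#]+)"""
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


@dataclass
class Finding:
    file: str
    line: int
    ref: str
    verdict: str  # sha-pinned | affected-version | clean-version | mutable-ref


def classify_ref(ref: str) -> str:
    """Classify the part after '@' in a uses: reference."""
    if SHA_RE.match(ref):
        return "sha-pinned"  # immutable, but the commit itself still needs vetting
    m = VERSION_RE.match(ref)
    if m:
        version = tuple(int(part or 0) for part in m.groups())
        return "affected-version" if version < CLEAN_VERSION else "clean-version"
    return "mutable-ref"  # branch name or floating tag; resolves to whatever it points at today


def scan_workflow(path: str, text: str) -> list[Finding]:
    """Return one Finding per trivy-action reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m.group("repo") == TARGET_REPO:
            ref = m.group("ref")
            findings.append(Finding(path, lineno, ref, classify_ref(ref)))
    return findings


def scan_all(workflows: dict[str, str] = SAMPLE_WORKFLOWS) -> list[Finding]:
    return [f for path, text in workflows.items() for f in scan_workflow(path, text)]


def needs_secret_rotation(findings: list[Finding]) -> list[Finding]:
    """References that could have resolved to malicious code during the window."""
    return [f for f in findings if f.verdict in ("affected-version", "mutable-ref")]


if __name__ == "__main__":
    results = scan_all()
    for f in results:
        print(f"{f.file}:{f.line}  @{f.ref:<42} {f.verdict}")
    print(f"\n{len(needs_secret_rotation(results))} reference(s) require secret rotation")
```

In a real repository, replace SAMPLE_WORKFLOWS with the contents of every file under .github/workflows, and treat the "clean-version" verdict as a prompt to repin that step to a commit SHA rather than as a clean bill of health.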
The FBI and CISA issued a joint advisory warning that Russian intelligence-affiliated actors are impersonating customer support services for messaging applications, primarily Signal, but also WhatsApp, in order to steal accounts. The attackers send messages claiming there has been suspicious activity on the target's account and urge them to click a verification link. When victims click through, attackers either link their own device to the victim's account, gaining the ability to read and send messages, or steal credentials and two-factor authentication codes to take over the account entirely. The campaign has compromised thousands of accounts. Targets include former government officials, military personnel, politicians, and journalists.
Russian state-sponsored actors have a long history of targeting UK government bodies, defence suppliers, and healthcare organisations. Senior staff, executives, policy leads, and communications professionals at NHS trusts, health technology companies, and government-adjacent organisations are exactly the kind of high-value targets this campaign is designed to reach. Signal is increasingly used within digital health and government circles for sensitive communications. The attack does not compromise Signal's encryption; it exploits the user's trust. Staff awareness of this technique is the most effective defence: treat any unsolicited message claiming to be Signal or WhatsApp support as hostile, and periodically review the Linked Devices list in both apps' settings and remove any device you do not recognise.
Intuitive, the American company that makes the da Vinci robotic surgical system and the Ion endoluminal system, has disclosed that it suffered a cyberattack in March 2026. The incident began when a targeted phishing email successfully deceived one of its employees. Using that employee's access, the attackers were able to reach certain internal business applications and access customer business and contact information, employee records, and corporate data.
Intuitive said it activated its incident response protocols quickly and has fully contained the attack. Critically, the company confirmed that its surgical systems — including the da Vinci platform — were not affected, as they operate on a separate network from its internal business systems. Hospital customer networks were also confirmed to be unaffected. The appropriate data privacy regulators are being notified. The number of individuals affected and the identity of the attackers have not been disclosed.
This incident follows last week's report on the destructive Iranian attack on Stryker, another major medical device company. Together, they paint a clear picture: medical device manufacturers are increasingly in the crosshairs of cybercriminals and state-aligned attackers.
Intuitive's da Vinci systems are used in NHS hospitals across the UK for procedures including urology, gynaecology, and general surgery. While Intuitive has confirmed that the surgical platforms themselves were not compromised, the breach of customer contact and business data has direct implications for NHS trusts and private healthcare providers that have a commercial relationship with the company.
The attack also serves as a reminder that a single phishing email can be enough to trigger a breach at a major enterprise. For NHS suppliers and healthtech companies, staff awareness training and robust email security controls are not optional extras — they are core components of DSPT compliance and good cyber hygiene.
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.