Daily Threat Briefing: Ivanti Zero-Days, Healthcare Ransomware & The Identity Crisis

Executive Summary

The Australian cyber threat landscape has remained volatile over the weekend, dominated by active exploitation of critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). At the same time, the healthcare and FinTech sectors are dealing with fresh ransomware claims and data breaches that point to a persistent failure in credential management and API security.

Here is your deep dive into the last 24 hours of threat activity affecting Australian organisations.

Critical Infrastructure & SaaS: Ivanti Under Fire Again

The Threat: Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild.

Impact: The vulnerabilities give unauthenticated attackers remote code execution (RCE) on the EPMM server, and with it full control of the mobile device management (MDM) infrastructure. In practice that hands a threat actor the keys to an organisation's entire managed mobile fleet, including IoT devices.

Australian Context: The Australian Signals Directorate (ASD) and Palo Alto Networks Unit 42 have observed widespread exploitation targeting the government, healthcare and manufacturing sectors.

Action: Apply Ivanti's 12.x RPM patch immediately. If you cannot patch straight away, isolate the appliances from the internet until you can. Because exploitation is already underway, check patched and unpatched appliances alike for signs of prior compromise; a patch closes the door but does not evict an attacker who is already inside.

Healthcare Sector: LockBit Resurfaces

The Incident: The Aeromedical Society of Australasia has confirmed a cyber incident following claims by the LockBit ransomware group.

Analysis: Despite previous law enforcement disruptions, LockBit remains a potent threat to Australian healthcare. The group is threatening to publish the stolen sensitive data by the end of the month. This follows a broader trend noted in the ASD's recent Annual Cyber Threat Report, which found that ransomware incidents involving the healthcare sector doubled in the 2024-25 period.

Key Risk: Encryption of patient data and operational disruption to critical care support services.

FinTech & SaaS: youX Data Breach

The Incident: Australian FinTech platform youX has confirmed a significant data breach.

Details: Threat actors have begun sharing samples of the stolen data, which reportedly covers hundreds of thousands of user records. Experts point to a "lack of adequate cyber hygiene" as the root cause; an unmonitored API endpoint or hardcoded credentials are the likely, though as yet unconfirmed, vector.

Broader Trend: This incident comes days after FIIG Securities was penalised $2.5 million for cyber security failures, a signal that regulators are losing patience with financial institutions that neglect data protection.

Government & Education: The "Identity" Crisis

The Incident: The Victorian Department of Education is managing the fallout from an unauthorised third-party access incident.

Deep Dive: Recent analysis suggests that Australia's biggest breaches in 2026 are not the result of sophisticated zero-days but of access failures. Attackers are bypassing perimeter defences by exploiting:

  • Forgotten service accounts that nobody owns or monitors.
  • Long-lived API keys embedded in code and configuration.
  • Exposed cloud tokens.

Takeaway: "Identity is the new perimeter." Organisations must pivot from purely network-based controls to robust Identity Threat Detection and Response (ITDR): an inventory of every human and non-human identity that can reach the data, and detection for when one of them starts behaving differently.

Emerging Tech: AI & Web Application Security

AI Vulnerabilities: The Langflow unauthenticated code injection (CVE-2025-3248), in which Python submitted to a code-validation endpoint is executed on the server, continues to be a vector for compromising AI application infrastructure. As Australian organisations race to deploy LLM-backed tools, unvalidated inputs in AI pipelines remain a critical blind spot.

Web Apps: The React2Shell (CVE-2025-55182) vulnerability in React Server Components, which affects Next.js, allows pre-authentication RCE and is still being scanned for by botnets. Ensure your web frameworks are updated to versions 15.1.0+ or 16.0.2+, and confirm the exact patched release for your branch against the vendor advisory.
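As an added illustration of the input-validation failure this section describes (this is not Langflow's code and not an exploit for CVE-2025-3248): a toy "validate this snippet" function of the kind an LLM-tool builder exposes, written two ways. The first executes the submitted Python to see whether it defines a function, so every decorator and module-level statement runs even when validation ultimately fails; the second only parses it and inspects the syntax tree. The two snippets, the denylists, the helper names and the environment-variable side effect are all constructed for the example.

```python
"""Added example, not Langflow's code: 'validate a user-submitted Python
snippet' done the dangerous way (execute it) and the safe way (parse it)."""
import ast
import os

# Calls and modules a submitted snippet has no business using. Constructed
# denylists for the example; a production policy would be an allowlist.
DENIED_CALLS = {"__import__", "exec", "eval", "compile", "open"}
DENIED_MODULES = {"os", "subprocess", "sys", "socket", "shutil"}

# Constructed sample inputs. The decorator in the second one is an arbitrary
# expression: it is evaluated, and its side effect happens, the moment the
# 'def' statement executes, before any function is ever called.
BENIGN_SNIPPET = (
    "def summarise(text: str) -> str:\n"
    "    return text[:80]\n"
)
MALICIOUS_SNIPPET = (
    "import os\n"
    "@os.environ.__setitem__('PWNED_BY_SNIPPET', '1')\n"
    "def my_tool(x):\n"
    "    return x\n"
)


def side_effect_observed() -> bool:
    """True once the malicious snippet has executed in this process."""
    return os.environ.get("PWNED_BY_SNIPPET") == "1"


def reset_side_effect() -> None:
    """Clear the marker so the demonstration can be repeated."""
    os.environ.pop("PWNED_BY_SNIPPET", None)


def validate_unsafe(snippet: str) -> dict:
    """The bug class: 'validation' by execution. Module-level statements,
    decorators and default arguments all run, even when the snippet is then
    reported as invalid."""
    namespace = {}
    try:
        exec(snippet, namespace)  # deliberately unsafe: runs attacker input
    except Exception as exc:
        return {"valid": False, "error": f"{type(exc).__name__}: {exc}"}
    functions = [n for n, v in namespace.items()
                 if callable(v) and not n.startswith("__")]
    return {"valid": True, "functions": functions}


def validate_safe(snippet: str) -> dict:
    """Parse only. The snippet is inspected as a syntax tree and never run."""
    try:
        tree = ast.parse(snippet)
    except SyntaxError as exc:
        return {"valid": False, "error": f"SyntaxError: {exc.msg} (line {exc.lineno})"}

    problems, functions = [], []
    allowed_top_level = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef,
                         ast.Import, ast.ImportFrom)
    for node in tree.body:  # nothing may execute at module level
        if not isinstance(node, allowed_top_level):
            problems.append(f"module-level statement (line {node.lineno})")
    for node in ast.walk(tree):  # walk also descends into decorator expressions
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            functions.append(node.name)
            if node.decorator_list:
                problems.append(f"decorator on {node.name} (line {node.lineno})")
        elif isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in DENIED_CALLS:
                problems.append(f"call to {node.func.id} (line {node.lineno})")
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    problems.append(f"import of {alias.name} (line {node.lineno})")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DENIED_MODULES:
                problems.append(f"import from {node.module} (line {node.lineno})")
    if problems:
        return {"valid": False, "error": "; ".join(problems)}
    return {"valid": True, "functions": functions}


if __name__ == "__main__":
    print("safe  :", validate_safe(MALICIOUS_SNIPPET))
    print("unsafe:", validate_unsafe(MALICIOUS_SNIPPET))
    print("side effect after 'failed' validation:", side_effect_observed())
```

The unsafe path reports the malicious snippet as invalid (the decorator returns None, which cannot wrap a function) and yet the environment variable has been set: the attacker's code ran before validation "failed". Parsing never gives the input a chance to execute. Note that parse-only validation is the fix for the injection, not a substitute for putting the endpoint behind authentication, which recommendation 3 below covers.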

Recommendations for C-Level & Security Teams

  1. Patch Ivanti EPMM: Treat CVE-2026-1281 and CVE-2026-1340 as an emergency, and check for signs of compromise rather than assuming the patch arrived first.
  2. Audit Non-Human Identities: Review all API keys, service accounts and OAuth tokens. Rotate anything older than 90 days, and disable anything that has not been used in that window.
  3. Validate AI Supply Chains: Ensure any AI development platforms (like Langflow) are not exposed to the public internet without strict authentication.
  4. Healthcare Resilience: Verify that offline backups are immutable and that restores have actually been tested, given the resurgence of LockBit targeting the sector.
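Recommendation 2, and the forgotten service accounts, embedded API keys and exposed cloud tokens described under the Identity Crisis section above, come down to two checks: find credentials that live in code, and find issued credentials that are too old or no longer used. The script below is an added example of both, not a tool from this briefing or from any vendor it names. The file contents, identity inventory, dates and detection regexes are constructed for the example (the AWS access key is Amazon's published example value); a real run would read files from a repository and pull creation and last-used timestamps from the identity provider's audit log.

```python
"""Added example: a two-part audit of non-human identities (NHIs).
Part 1 finds secrets embedded in source text; part 2 flags issued credentials
that are past the 90-day rotation window or dormant. All data is constructed."""
import re
from datetime import date

# Part 1: detectors, vendor-specific formats first. The generic detector
# catches "SOMETHING_KEY = '...'" style assignments that have no known format.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
GENERIC_PATTERN = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)[\w-]*\s*[:=]\s*['\"]?([^'\"\s]{12,})['\"]?"
)
# References to a secret store (${VAR}, {{ template }}, <placeholder>) are not leaks.
PLACEHOLDER = re.compile(r"\$\{|\{\{|^<[^>]+>$")

# Constructed sample repository: path -> file contents.
SAMPLE_FILES = {
    "app/settings.py": (
        "import os\n"
        "DATABASE_URL = os.environ['DATABASE_URL']  # read at runtime, not embedded\n"
        "STRIPE_API_KEY = 'sk_test_placeholder_0000000000000000'\n"
    ),
    "scripts/s3_sync.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/ci.yml": (
        "env:\n"
        "  GITHUB_TOKEN: ghp_0123456789abcdef0123456789abcdef0123\n"
        '  DB_PASSWORD: "${VAULT_DB_PASSWORD}"\n'
    ),
}


def mask(value: str) -> str:
    """Keep just enough of a matched value to locate it, never the whole thing."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-2:]}"


def scan_sources(files: dict) -> list:
    """One finding per (file, line) that carries an embedded credential."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            hit = None
            for kind, pattern in SPECIFIC_PATTERNS.items():
                m = pattern.search(line)
                if m:
                    hit = (kind, m.group(0))
                    break
            if hit is None:
                m = GENERIC_PATTERN.search(line)
                if m and not PLACEHOLDER.search(m.group(2)):
                    hit = ("generic_assignment", m.group(2))
            if hit:
                findings.append({"file": path, "line": lineno,
                                 "kind": hit[0], "value": mask(hit[1])})
    return findings


# Part 2: inventory review. "created" is the issue date, "last_used" comes from
# the provider's audit log (None means never seen). TODAY is fixed so the
# example is deterministic.
TODAY = date(2026, 2, 2)
ROTATE_AFTER_DAYS = 90   # the briefing's rotation window
DORMANT_AFTER_DAYS = 90
INVENTORY = [
    {"name": "svc-ci-deploy", "kind": "api_key", "created": date(2025, 3, 1), "last_used": date(2026, 1, 30)},
    {"name": "svc-legacy-reports", "kind": "service_account", "created": date(2023, 6, 12), "last_used": date(2024, 11, 2)},
    {"name": "svc-mobile-push", "kind": "oauth_client", "created": date(2025, 12, 15), "last_used": date(2026, 2, 1)},
    {"name": "svc-batch-export", "kind": "api_key", "created": date(2025, 1, 10), "last_used": None},
]


def audit_identities(inventory: list, today: date = TODAY) -> list:
    """Identities needing action, each with a list of (reason, days) pairs."""
    out = []
    for ident in inventory:
        reasons = []
        age = (today - ident["created"]).days
        if age > ROTATE_AFTER_DAYS:
            reasons.append(("rotate", age))
        if ident["last_used"] is None:
            reasons.append(("never_used", age))        # issued, never exercised
        elif (today - ident["last_used"]).days > DORMANT_AFTER_DAYS:
            reasons.append(("dormant", (today - ident["last_used"]).days))
        if reasons:
            out.append({"name": ident["name"], "kind": ident["kind"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['kind']}  {f['value']}")
    for a in audit_identities(INVENTORY):
        print(a["name"], a["kind"], a["reasons"])
```

Two design points carry over to a real run. Findings are masked before they are reported, so the audit output itself does not become a second copy of the secret. And "never used" is treated as a separate reason from "dormant": a key that was issued and never exercised is the forgotten-service-account case in its purest form and should be removed rather than rotated.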

Contact us for a quote for penetration testing service or adversary simulation.