Vodafone Spain €200k GDPR Fine Appeal Dismissed
The AEPD dismissed Vodafone Spain's appeal against a €200,000 GDPR fine originally issued on 10 January 2026 for violations of Article 6.1 of the GDPR. The enforcement action arose from Vodafone's processing of a duplicate SIM card request without adequate identity verification, which allowed a third party to obtain the claimant's SIM card after first modifying the account email. The DPA upheld the fine, finding that Vodafone failed to follow its own security policies, which require verification calls or requests from linked phone lines.
GDPR Appeal Dismissed as Late - Administrative Procedure
The Spanish Data Protection Agency (AEPD) issued Resolution EXP202407584 dismissing a recurso de reposición (administrative appeal) as extemporaneous. The appellant filed the appeal on February 27, 2026, exceeding the one-month deadline from the January 26, 2026 notification of the original resolution. The AEPD found no grounds to admit the late-filed appeal under Article 116.d of the LPACAP.
ARTURO ACOSTA S.L. v. AEPD - Right to Erasure Enforcement Appeal Dismissed
The AEPD dismissed the appeal filed by ARTURO ACOSTA S.L. (NIF: B38094249) against enforcement resolution EXP202512014 (PD/00238/2025), which had upheld a data subject's GDPR erasure complaint. The company argued it could not suppress data because returned devices were factory-restored, but the AEPD upheld the original ruling based on the company's failure to respond to the erasure request in time and its lack of documented proof of compliance. The DPA rejected claims of bad faith by the claimant and proportionality violations by the company.
Apache Traffic Server vulnerabilities allow DoS, request smuggling
CERT-Bund published security advisory WID-SEC-2026-0978 disclosing multiple vulnerabilities (CVSS Base Score 7.5, CVSS Temporal Score 6.5) in Apache Traffic Server. The vulnerabilities affect versions prior to 9.1.13 and 10.1.2 running on Linux and UNIX systems, including Debian Linux and Fedora Linux. Remote attackers can exploit these vulnerabilities to conduct Denial of Service or HTTP Request Smuggling attacks. Mitigations are available.
Dell PowerScale OneFS Multiple Vulnerabilities, CVSS 6.6, Privilege Escalation
CERT-Bund issued security advisory WID-SEC-2026-0984 regarding multiple vulnerabilities in Dell PowerScale OneFS with CVSS Base Score 6.6 (medium). Affected organizations running Dell PowerScale NAS platforms below versions 9.10.1.7, 9.13.0.1, and 9.13.0.2 face risks of information disclosure and privilege escalation. Mitigation measures are available.
OpenBSD Vulnerability Enables Unspecified Remote Attack
CERT-Bund issued a security advisory regarding a high-severity vulnerability (CVSS 7.3) in OpenBSD versions 7.7 and 7.8 that enables remote attacks by unauthenticated threat actors. The vulnerability allows remote code execution without user interaction. Organizations running affected OpenBSD systems should review and apply available mitigations immediately.
MariaDB DoS Vulnerability - CVSS 6.5 Medium Severity
CERT-Bund issued advisory WID-SEC-2026-0972 disclosing a medium-severity denial-of-service vulnerability in MariaDB database systems. Affected versions include MariaDB prior to 11.4.10, 11.8.6, and 12.2.2, with a CVSS base score of 6.5. Remote authenticated attackers can exploit this vulnerability to conduct DoS attacks against affected installations on Linux, UNIX, and Windows platforms.
sudo Vulnerability Enables Privilege Escalation - CVSS 7.4
CERT-Bund issued security advisory WID-SEC-2026-0971 regarding a vulnerability in sudo (CVSS Base Score 7.4) affecting Linux and UNIX systems. The vulnerability enables local attackers to escalate privileges. Affected products include Microsoft Azure Linux azl3 and Open Source sudo. Mitigation measures are available.
OpenClaw Multiple Vulnerabilities - CVSS 5.3 (Medium)
CERT-Bund issued a security advisory identifying multiple vulnerabilities in OpenClaw, a personal AI assistant for Linux. The vulnerabilities carry a CVSS Base Score of 5.3 (medium) and allow remote anonymous attackers to manipulate data, bypass security mechanisms, or cause denial of service. Affected versions include OpenClaw prior to version 2026.4.2.
Keycloak vulnerabilities CVSS 8.1, affects Linux
OpenSSH Multiple Vulnerabilities - Remote Code Execution and Privilege Escalation
CERT-Bund issued security advisory WID-SEC-2026-0979 warning of multiple vulnerabilities in OpenSSH versions prior to 10.3. The vulnerabilities carry a CVSS Base Score of 7.5 (high) and enable remote attackers to execute arbitrary code, escalate privileges, or bypass security mechanisms on affected systems running Linux, UNIX, and Windows. Mitigation measures are available but immediate patching is required.
Checkmk Critical Vulnerabilities - Privilege Escalation and XSS
CERT-Bund issued security advisory WID-SEC-2026-0983 identifying critical vulnerabilities in Checkmk IT monitoring software. Multiple security flaws including privilege escalation and Cross-Site Scripting (XSS) were discovered affecting versions below 2.6.0b1, 2.5.0b3, 2.4.0p25, and 2.3.0p46. The vulnerabilities carry a CVSS Base Score of 9.0 (critical) and enable remote attackers to elevate privileges and execute XSS attacks on affected systems running Linux and UNIX.
GDPR Article 15 Subject Access Request Complaint Assessment
The IDPC assessed a complaint under Article 77 GDPR regarding alleged failures by a controller to respond completely to two subject access requests made in August 2019 and May 2025. The complainant alleged the controller omitted key categories of personal data including employment-related correspondence, salary progression records, and Industrial Tribunal-related data. The Commissioner found the 2019 allegations inadmissible due to an approximately six-year delay between the access request and the complaint filing, which materially impaired the ability to investigate the matter with certainty.
Microsoft Azure critical vulnerabilities, CVSS 10.0, privilege escalation
Critical FortiClient EMS Vulnerability Enables Remote Code Execution
CERT-Bund issued a critical security advisory regarding a vulnerability in Fortinet FortiClient EMS software. The vulnerability, affecting versions prior to 7.4.7, carries a CVSS Base Score of 9.8 (critical) and enables remote anonymous attackers to execute arbitrary code without authentication. Organizations using FortiClient EMS are advised to apply available mitigations immediately or update to the patched version.
Multiple Exynos vulnerabilities allow DoS, code execution
CERT-Bund issued security advisory WID-SEC-2026-0981 regarding multiple high-severity vulnerabilities in Samsung Exynos chipsets (CVSS Base Score 8.6). Attackers can exploit these vulnerabilities to conduct denial of service attacks and potentially execute arbitrary code remotely. Affected products include Samsung Exynos mobile chipsets and processors.
Critical Cisco Smart Software Manager On-Prem Remote Code Execution Vulnerability
CERT-Bund issued a critical security advisory regarding CVE-2026-0964 affecting Cisco Smart Software Manager On-Prem (versions prior to 9-202601). The vulnerability carries a CVSS Base Score of 9.8 (critical) and enables remote, unauthenticated attackers to execute arbitrary code with administrator privileges. Organizations running the affected product are at immediate risk of complete system compromise.
Linux Kernel Multiple Vulnerabilities - CVSS 7.3, DoS and Security Bypass
CERT-Bund issued a security advisory regarding multiple vulnerabilities in the Linux Kernel affecting Microsoft Azure Linux azl3. The vulnerabilities carry a CVSS Base Score of 7.3 (high) and CVSS Temporal Score of 6.6 (medium), with remote attack capability confirmed. An attacker could exploit these flaws to execute denial of service attacks or bypass security mechanisms. Mitigation measures are available.
Baron Property Services Settlement for Renters Insurance and Criminal Record Violations
The Colorado Attorney General reached a settlement with Baron Property Services, LLC requiring the company to pay $75,000 total for violations of the Colorado Consumer Protection Act and Rental Application Fairness Act. The settlement includes $7,300 in restitution to 368 tenants improperly charged duplicate renters insurance fees and $67,635 in civil penalties. Baron has also agreed to comply with both statutes going forward and refrain from misrepresenting renters insurance requirements or improperly using criminal records in rental decisions.
APT28 Exploits Routers for DNS Hijacking Attacks
The NCSC published an advisory exposing how Russian state cyber group APT28 compromised vulnerable internet routers to conduct DNS hijacking operations, enabling traffic interception and credential harvesting. The advisory provides mitigation guidance including protecting management interfaces, maintaining updated devices, and implementing two-step verification.
APT28 Exploits Routers to Enable DNS Hijacking Operations
The UK NCSC issued an advisory detailing how Russian state-sponsored actor APT28 exploits vulnerable routers by overwriting DHCP/DNS settings to redirect traffic through attacker-controlled DNS servers. These operations enable adversary-in-the-middle attacks that harvest passwords, OAuth tokens, and authentication credentials. The NCSC attributes APT28 to Russia's GRU military intelligence and provides indicators of compromise and mitigation guidance.
Secure Software Supply Chain and Development Workflows Advisory
The Cyber Security Agency of Singapore (CSA) issued an advisory on securing software supply chains and development workflows against cyber threats. The advisory highlights specific attack vectors including compromised package maintainer accounts, malicious dependency injection, and shadow IT adoption. CSA references the March 2026 Axios npm compromise and September 2025 @ctrl/tinycolor supply chain attack as examples of active threats targeting the software supply chain.