Check Point Weekly Report: Navia, Aura Breaches; Critical RCE in Langflow Exploited Within 20 Hours
Check Point's weekly threat intelligence report covers multiple breaches including Navia Benefit Solutions (2.6M affected) and Aura (900K records), plus critical vulnerabilities like CVE-2026-33017 in Langflow exploited within 20 hours of disclosure.
Check Point Research has released its weekly threat intelligence bulletin for March 23, 2026, detailing a series of significant breaches, vulnerabilities, and AI-related threats. The report highlights a major data breach at Navia Benefit Solutions, a US-based employee benefits administrator, which disclosed unauthorized access affecting over 2.6 million individuals. The breach occurred between December 22, 2025 and January 15, 2026, potentially exposing personal, health, and benefits data.
Identity protection firm Aura was also breached via a phone phishing attack that allowed an intruder to access an employee account and a marketing platform. The attacker obtained approximately 900,000 records, primarily names and email addresses, though core systems and identity protection services remained uncompromised. Additionally, the Puerto Rico Aqueduct and Sewer Authority confirmed a cyberattack that exposed customer and employee information, but network segmentation prevented impact on critical water infrastructure.
In the AI threat landscape, Check Point researchers discovered three chained flaws in Anthropic's Claude.ai, enabling invisible prompt injection, silent exfiltration of conversation history through the Files API, and redirection via an open redirect. Anthropic patched the injection issue and is addressing the remaining weaknesses. The report also notes the exploitation of CVE-2026-33017, a critical unauthenticated remote code execution vulnerability in Langflow, an open-source framework for AI agents. Attackers weaponized the bug within 20 hours of disclosure, allowing arbitrary Python execution on exposed instances through a single crafted request. Check Point IPS provides protection against this threat.
Several critical vulnerabilities were patched this week. ConnectWise addressed CVE-2026-3564, a critical cryptographic signature verification flaw in ScreenConnect that could allow attackers to authenticate sessions without authorization. Ubiquiti fixed CVE-2026-22557, a maximum-severity path traversal in UniFi Network Application affecting version 10.1.85 and earlier, which could lead to account compromise and system takeover. Zimbra warned of active exploitation of CVE-2025-66376, a stored XSS flaw in Zimbra Collaboration Suite, with patches available in versions 10.1.13 and 10.0.18. GNU InetUtils telnetd is affected by CVE-2026-32746, a CVSS 9.8 RCE impacting all versions up to 2.7, allowing attackers to gain root control on exposed Linux, IoT, and industrial systems.
Additional threat intelligence in the report includes an Interlock ransomware campaign exploiting CVE-2026-20131, a critical flaw in Cisco Secure Firewall Management Center, used as a zero-day weeks before patching. Researchers also identified a supply-chain attack on two React Native npm packages, react-native-country-select and react-native-international-phone-number, which were backdoored on March 16, 2026, deploying credential and crypto theft malware. The packages had over 130,000 combined downloads. A threat assessment of the Iranian APT group MuddyWater linked them to spear-phishing and LampoRAT campaigns.
The report underscores the rapid pace of exploitation following vulnerability disclosures, with Langflow's CVE-2026-33017 being weaponized within hours. Organizations are urged to apply patches promptly and monitor for indicators of compromise. Check Point's IPS provides protections for several of the highlighted vulnerabilities.