Wednesday War Room – 03/25/2026

This Wednesday the pattern is loud: enterprise apps with broad reach, identity-adjacent infrastructure, and supply chain dependencies are getting punched in the mouth.

Author

J.W. Croley
March 25, 2026

In partnership with

88% resolved. 22% stayed loyal. What went wrong?

That's the AI paradox hiding in your CX stack. Tickets close. Customers leave. And most teams don't see it coming because they're measuring the wrong things.

Efficiency metrics look great on paper. Handle time down. Containment rate up. But customer loyalty? That's a different story — and it's one your current dashboards probably aren't telling you.

Gladly's 2026 Customer Expectations Report surveyed thousands of real consumers to find out exactly where AI-powered service breaks trust, and what separates the platforms that drive retention from the ones that quietly erode it.

If you're architecting the CX stack, this is the data you need to build it right. Not just fast. Not just cheap. Built to last.

If your program still treats “internal tooling” like it is automatically safe, this week disagrees.

Let’s dive in.

PTC Windchill and FlexPLM Critical RCE Risk

Risk Level: Critical

Business Impact: A compromise of PLM systems can expose IP, engineering data, supply chain workflows, and enable stealthy industrial espionage.

What You Need to Know: PTC warned customers about an “imminent threat” tied to a critical Windchill and FlexPLM bug tracked as CVE-2026-4681. The concern is remote code execution against systems that often sit close to design artifacts, product data, and high-trust integrations.

Why This Matters:

  • PLM compromise is not “IT noise,” it is direct business and IP risk.

  • These systems usually have deep integrations, which widens blast radius fast.

  • Threat actors targeting manufacturing and engineering move quietly and stay longer.

Executive Actions:

🧯 Patch Windchill/FlexPLM immediately and validate the fixed version is running in production.

🔒 Restrict admin access to allowlisted networks and remove unnecessary internet exposure.

🕵️ Hunt for suspicious web requests, new service accounts, and abnormal process execution on PLM servers.

🔑 Rotate credentials for integrations connected to PLM if exposure is suspected.

Citrix NetScaler Memory Leak in SAML Setups

Risk Level: Critical

Business Impact: Unauthenticated memory disclosure on NetScaler can leak sensitive data and enable follow-on compromise in identity-heavy environments.

What You Need to Know: Citrix urged urgent patching for a NetScaler issue tracked as CVE-2026-3055. The flaw can allow unauthenticated attackers to read sensitive memory, with elevated concern in environments using SAML-related configurations.

Why This Matters: 

  • Memory disclosure frequently becomes a credential and session spill.

  • NetScaler is high-leverage infrastructure. When it gets hit, many apps get hit.

  • Attackers love repeats. If it resembles older NetScaler trauma, it will be targeted hard.

Executive Actions: 

🩹 Patch NetScaler immediately and confirm the build versions are actually updated.

🔐 Tighten access to management interfaces and enforce MFA for administrative workflows.

🔎 Review logs for anomalous requests and suspicious authentication behavior tied to SSO flows.

🧱 Add compensating controls if patching is delayed: WAF rules, allowlists, and strict segmentation.

LiteLLM PyPI Package Backdoored

Risk Level: Critical

Business Impact: Backdoored AI gateway libraries can steal secrets, tokens, and credentials from developer and production environments at scale.

What You Need to Know: Threat actors published malicious versions of the popular LiteLLM package, per LiteLLM compromise report. The backdoored releases were designed to deploy an infostealer and harvest sensitive data from systems that install or run the impacted versions.

Why This Matters: 

  • Supply chain hits scale faster than almost any other intrusion method.

  • AI gateway tooling often touches multiple providers, keys, and internal services.

  • One compromised dependency can turn into broad credential exposure without obvious malware signals.

Executive Actions: 

🧪 Identify and remove impacted LiteLLM versions immediately across dev and prod.

🔑 Rotate API keys, tokens, and secrets used on systems that installed affected packages.

🧾 Implement dependency controls: allowlists, pinning, and verified publishers for critical libraries.

🧱 Restrict CI runner egress and secrets access to only what each job actually needs.

Leadership Insight:

This 48-hour window shows the modern reality: attackers target systems that multiply impact.

NetScaler sits in the authentication path, PLM sits next to crown-jewel IP, and supply chain libraries sit inside everything.

The winning orgs are not the ones with the most tools.

They are the ones that patch the right things fast, reduce exposure by default, and treat dependencies and third parties as real attack surfaces.

The Future of AI in Marketing. Your Shortcut to Smarter, Faster Marketing.

This guide distills 10 AI strategies from industry leaders that are transforming marketing.

  • Learn how HubSpot's engineering team achieved 15-20% productivity gains with AI

  • Learn how AI-driven emails achieved 94% higher conversion rates

  • Discover 7 ways to enhance your marketing strategy with AI.

Google Confirms 2.5 Million Customer Records Exposed in Salesforce Breach

Risk Level: High

Business Impact: Student and staff data exposure can drive phishing, fraud, and long-tail identity abuse, plus regulatory and reputational fallout.

What You Need to Know: K-12 platform Infinite Campus warned customers of a potential breach after ShinyHunters claimed data theft, per breach warning coverage. The risk is downstream targeting of districts, staff, and families using credible data to fuel scams and account takeover attempts.

Why This Matters:

  • Education ecosystems are high-trust and heavily targeted, especially during disruption.

  • Breach data becomes phishing fuel that looks real because it is real.

  • Third-party platforms amplify blast radius across many districts at once.

Executive Actions: 

📣 Alert staff to expect tailored phishing and “urgent account reset” scams.

🔐 Enforce MFA where possible and tighten password reset verification processes.

🔎 Increase monitoring for ATO patterns: new devices, unusual locations, and bulk data access.

🧾 Review vendor access paths and require least privilege for integrations.

HackerOne Employee Data Stolen After Navia Benefits Admin Hack

Risk Level: High 

Business Impact: HR and benefits data exposure drives payroll scams, tax fraud, and executive-targeted social engineering.

What You Need to Know: HackerOne disclosed an employee data breach after attackers compromised Navia, a benefits administrator, per HackerOne breach disclosure. This is classic third-party risk: benefits data can be weaponized quickly for impersonation, payroll diversion, and identity fraud.

Why This Matters: 

  • Benefits and HR data is extremely useful for convincing impersonation.

  • Third-party compromises bypass your internal controls entirely.

  • Once employee data leaks, finance and payroll become prime follow-on targets.

Executive Actions:

🧾 Require out-of-band verification for payroll and direct deposit changes.

🔐 Add step-up verification for HR and benefits portal actions that change sensitive info.

🔎 Monitor for unusual password resets, mailbox rule creation, and finance-related phishing attempts.

📣 Brief HR and Service Desk on new scam patterns and escalation procedures.

Ransomware Ecosystem Reality Check: Botnet Operator Sentenced

Risk Level: High 

Business Impact: Phishing botnets remain a durable feeder system for ransomware and access brokers, even when infrastructure gets disrupted.

What You Need to Know: A botnet operator tied to phishing activity used in ransomware attacks was sentenced, as reported in botnet sentencing report. The key lesson is operational, not legal: phishing infrastructure keeps fueling initial access, and it still works.

Why This Matters: 

  • Access for ransomware often starts with boring phishing and credential theft.

  • Botnets scale initial access across many orgs quickly.

  • Disruption does not equal elimination. The ecosystem adapts.

Executive Actions:

🧠 Refresh phishing training with modern lures, especially invoice, HR, and “IT support” themes.

🔐 Enforce phishing-resistant MFA for admins and high-impact systems.

🔎 Monitor for early-stage signals: unusual logins, new inbox rules, and suspicious OAuth grants.

🧯 Validate restore readiness: offline backups and tested recovery timelines.

⚙️ Immediate Leadership Checklist ⚙️

🩹 Patch NetScaler and PLM systems immediately and verify versions in production

💎 Audit dependencies: identify impacted LiteLLM versions, remove them, rotate exposed secrets

🔒 Lock down management planes: allowlists, MFA, and no direct internet admin access

📣 Brief HR and payroll teams on third-party breach-driven impersonation and diversion scams

🧠 Reinforce phishing controls and ATO monitoring as ransomware feeder activity persists

💡 If your environment still assumes “trusted software” and “trusted vendors,” attackers will happily be the ones to onboard both. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

Turn AI Into Extra Income

You don’t need to be a coder to make AI work for you. Subscribe to Mindstream and get 200+ proven ideas showing how real people are using ChatGPT, Midjourney, and other tools to earn on the side.

From small wins to full-on ventures, this guide helps you turn AI skills into real results, without the overwhelm.