CRITICAL | 3 Apr 2026

Identity and Registry Risks: Critical pac4j-jwt Bypass (CVE-2026-29000) and UK Companies House Exposure

A critical unauthenticated bypass in the pac4j-jwt identity provider (CVE-2026-29000, CVSS 10.0) and an unauthenticated backup disclosure in Nginx UI (CVE-2026-27944, CVSS 9.8) pose immediate infrastructure risks. Companies House (UK) confirms a 5-month retrospective exposure window for 5 million firms.

Key findings
01. pac4j-jwt Authentication Bypass (CVE-2026-29000)
Severity: CRITICAL. Confidence: High.
A critical unauthenticated authentication bypass has been confirmed in the pac4j-jwt identity provider library. This vulnerability, assigned CVSS 10.0, allows an attacker to bypass security filters and gain unauthorised access to protected Java and web applications that rely on the library for identity management.

02. Nginx UI Backup Disclosure (CVE-2026-27944)
Severity: CRITICAL. Confidence: High.
The Nginx UI management interface is vulnerable to an unauthenticated backup disclosure flaw (CVSS 9.8). This vulnerability allows a remote attacker to retrieve sensitive backup files containing administrative credentials, system configurations, and data relevant to lateral movement.

03. Companies House (UK) WebFiling Exposure
Severity: HIGH. Confidence: High.
Companies House has disclosed a retrospective 5-month exposure window (October 2025 to March 2026) affecting the UK's central business register.

04. Feníe Energía (Spain) 430GB Data Leak
Severity: HIGH. Confidence: Medium.
Spanish utility provider Feníe Energía has suffered a massive 430GB data leak after a failed extortion attempt. The archive reportedly contains 1.7 million records, including customer and corporate data, which are now circulating on dark web platforms.

05. Telegram Zero-Click RCE (ZDI-CAN-30207)
Severity: HIGH. Confidence: Low/Unverified.
Italy's National Cybersecurity Agency (ACN) has issued an alert regarding a potential zero-click remote code execution (RCE) vulnerability in Telegram (ZDI-CAN-30207).

06. Update: F5 BIG-IP RCE (CVE-2025-53521)
Severity: HIGH. Confidence: High.
Update: CVE-2025-53521 has been reclassified to a 9.8 RCE. Active exploitation by China-nexus group UNC5221 is confirmed; immediate patching to version 21.0.0 or fixed 17.x releases is mandatory.

07. Update: EU Commission (Europa.eu) 90GB Leak
Severity: HIGH. Confidence: High.
Update: A 90GB archive of stolen data from Europa.eu is now public. Linked to a February staff MDM compromise, the leak includes internal emails and contracts.

08. Update: Axios NPM UNC1069 Attribution
Severity: CRITICAL. Confidence: High.
Update: Google GTIG has formally attributed the malicious Axios npm packages to the North Korean state-sponsored actor BlueNoroff (UNC1069).


pac4j-jwt Authentication Bypass (CVE-2026-29000)

Confidence: High

A critical unauthenticated authentication bypass has been confirmed in the pac4j-jwt identity provider library. This vulnerability, assigned CVSS 10.0, allows an attacker to bypass security filters and gain unauthorised access to protected Java and web applications that rely on the library for identity management.

Given its broad adoption in the Java ecosystem, this represents a significant systemic risk to enterprise identity fabric in the UK and EU. Organisations must prioritise updating pac4j to the latest patched version immediately to mitigate this unauthenticated entry point.

Nginx UI Backup Disclosure (CVE-2026-27944)

Confidence: High

The Nginx UI management interface is vulnerable to an unauthenticated backup disclosure flaw (CVSS 9.8). This vulnerability allows a remote attacker to retrieve sensitive backup files containing administrative credentials, system configurations, and data relevant to lateral movement.

Exposure of these backups can facilitate the rapid compromise of web application environments and infrastructure managed via the Nginx UI. Administrators should immediately restrict access to the management interface and verify that no sensitive backups are accessible without authentication.

Companies House (UK) WebFiling Exposure

Confidence: High

Companies House has disclosed a retrospective 5-month exposure window (October 2025 to March 2026) affecting the UK's central business register. This exposure impacts approximately 5 million firms and involves the potential disclosure of credential or filing-related data within the WebFiling service.

As the primary source of truth for UK business identification, this exposure poses a significant risk of identity-related fraud or industrial espionage. UK-based firms should audit their corporate filings and monitor for unauthorised changes or suspicious activity tied to their Companies House identities.

Feníe Energía (Spain) 430GB Data Leak

Confidence: Medium

Spanish utility provider Feníe Energía has suffered a massive 430GB data leak after a failed extortion attempt. The archive reportedly contains 1.7 million records, including customer and corporate data, which are now circulating on dark web platforms. This incident underscores the continued targeting of the European utility sector by cybercriminal groups.

Telegram Zero-Click RCE (ZDI-CAN-30207)

Confidence: Low/Unverified

Italy's National Cybersecurity Agency (ACN) has issued an alert regarding a potential zero-click remote code execution (RCE) vulnerability in Telegram (ZDI-CAN-30207). The flaw is alleged to reside in the handling of animated stickers on Android and Linux versions of the application. While unverified by the vendor, users are advised to exercise caution with unsolicited media.

Update: F5 BIG-IP RCE (CVE-2025-53521)

Confidence: High

Update: CVE-2025-53521 has been reclassified to a 9.8 RCE. Active exploitation by China-nexus group UNC5221 is confirmed; immediate patching to version 21.0.0 or fixed 17.x releases is mandatory.

Update: EU Commission (Europa.eu) 90GB Leak

Confidence: High

Update: A 90GB archive of stolen data from Europa.eu is now public. Linked to a February staff MDM compromise, the leak includes internal emails and contracts.

Update: Axios NPM UNC1069 Attribution

Confidence: High

Update: Google GTIG has formally attributed the malicious Axios npm packages to the North Korean state-sponsored actor BlueNoroff (UNC1069).

Why This Matters

The convergence of a CVSS 10.0 identity bypass (pac4j-jwt) and the reclassification of F5 BIG-IP to an actively exploited RCE indicates a high-intensity period of infrastructure targeting. The Companies House exposure further destabilises the UK's trust environment for business registration.

Recommended Actions

  • Update pac4j-jwt to the latest patched release immediately (CVE-2026-29000).
  • Restrict Nginx UI access and audit for unauthenticated backup access (CVE-2026-27944).
  • Audit F5 BIG-IP instances for exploitation following the RCE reclassification (CVE-2025-53521).
  • Monitor Companies House filings for any unauthorised modifications during the Oct-Mar window.
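
An added example for the first recommended action (not from the original brief or the pac4j project): inventory Maven POMs for the `org.pac4j:pac4j-jwt` dependency and flag versions below the fixed release. The brief does not state the fixed version, so `fixed_version` is a placeholder to take from the vendor advisory; the sample POM and its version numbers are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM; the version numbers are illustrative, not real releases.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><pac4j.version>0.0.1</pac4j.version></properties>
  <dependencies><dependency>
    <groupId>org.pac4j</groupId><artifactId>pac4j-jwt</artifactId>
    <version>${pac4j.version}</version>
  </dependency></dependencies>
</project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def find_pac4j_jwt(pom_text):
    """Return the declared pac4j-jwt versions, resolving ${property} references.
    None means the version is inherited (parent POM or BOM) and must be
    checked there instead."""
    root = ET.fromstring(pom_text)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != ("org.pac4j", "pac4j-jwt"):
            continue
        version = f.get("version") or None
        if version:
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)), version)
        found.append(version)
    return found

def needs_update(version, fixed_version):
    """True when version is below fixed_version, or cannot be determined.
    Compares numeric components only; qualifiers such as -RC1 are not ranked."""
    if version is None or "${" in version:
        return True  # unresolved: treat as needing manual review
    key = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))
    return key(version) < key(fixed_version)

if __name__ == "__main__":
    for v in find_pac4j_jwt(SAMPLE_POM):
        print(v, needs_update(v, "0.0.2"))  # "0.0.2" is a placeholder fixed version
```

Transitive copies pulled in by other dependencies do not appear in a POM's own declarations, so pair this with the build tool's resolved dependency tree.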

All findings grounded in A13E intelligence sweeps through 04:30 UTC 03 April 2026.
