This reporting period is defined by active, confirmed exploitation across multiple enterprise network security platforms — Fortinet FortiClientEMS, Citrix NetScaler ADC/Gateway, and F5 BIG-IP APM — all carrying CVSS scores above 9.0 and all listed in CISA’s Known Exploited Vulnerabilities catalog. These are not theoretical risks; adversaries are actively targeting the infrastructure organizations rely on to manage endpoint security, application delivery, and remote access. The convergence of three simultaneously exploited perimeter and security management platforms in a single reporting cycle is atypical and warrants elevated organizational attention beyond standard patch cadence. The F5 BIG-IP remediation deadline for federal agencies passed on March 30, and any organization that has not acted should treat this as overdue. The Citrix NetScaler situation is further complicated by active reconnaissance activity and a possible second related CVE (CVE-2026-4368) whose scope has not yet been confirmed by primary sources. Leadership should expect this threat surface to remain active in the near term. Beyond the vulnerability cluster, the Telus Digital breach attributed to ShinyHunters and the public leak of the DarkSword iOS exploitation tool both signal a broader democratization of capable threat tooling. ShinyHunters has a documented history of large-scale extortion following data theft, and any organization with supply chain or data-sharing relationships with Telus Digital should assess third-party exposure now. DarkSword’s public availability means iOS-targeted credential theft is no longer a nation-state-only concern — criminal and opportunistic actors now have access to the same capability, compressing the window before exploitation becomes widespread.