cisa issued emergency three-day patch orders for actively exploited zero-days in check point and palo alto vpn products and in microsoft sharepoint, with the sharepoint flaw contradicting microsoft's own 'less likely' exploitation rating. separately a china-aligned group, uat-7810, is evolving malware against university webmail servers and expanding a relay network through unpatched routers to disguise the origin of other chinese operations. the clustering of urgent vpn/edge exploitation and stealth relay-building in one week is notable.