// Articles
389 articles — page 16 of 17
PAN-OS GlobalProtect Denial-of-Service CVE-2026-0227 — PoC Published, Firewalls Risk Forced Maintenance Mode
A proof-of-concept exploit has been published for CVE-2026-0227, a denial-of-service vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect gateways and portals. An unauthenticated remote attacker can crash the firewall into a mandatory maintenance mode by sending malformed requests to the GlobalProtect interface. Prisma Access deployments are also affected. Palo Alto has released patches; the PoC significantly elevates exploitation risk.
Citrix CVE-2026-3055 Confirmed Exploited — CISA KEV Addition Triggers Mandatory Patch Deadline
CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue on 30 March, confirming active exploitation of the critical Citrix NetScaler memory overread vulnerability disclosed the previous week. NetScaler appliances configured as SAML Identity Providers are leaking session tokens from memory, allowing attackers to impersonate users without credentials. Organisations must patch immediately.
Dell iDRAC Service Module CVE-2026-23856 Allows Local Privilege Escalation on PowerEdge Servers
Dell has patched CVE-2026-23856, a privilege escalation vulnerability in the iDRAC Service Module (iSM) shipped with PowerEdge servers. A local attacker with standard user privileges can exploit improper access controls in the iSM — which runs with elevated system privileges to communicate with the hardware management interface — to elevate to SYSTEM or root. Updated iSM packages are available for both Windows and Linux.
Apple macOS CoreMedia Out-of-Bounds Write RCE Disclosed — Remote Exploitation via Malicious Media Files
Zero Day Initiative researchers have disclosed ZDI-26-230, an out-of-bounds write vulnerability in the Apple macOS CoreMedia framework that could allow remote code execution when a user processes a specially crafted media file. A companion vulnerability ZDI-26-231 discloses a separate macOS information disclosure flaw. Both were disclosed on 30 March 2026 following Apple's 120-day coordinated disclosure window.
March 2026 Brought 83 Patch Tuesday CVEs and Three CISA KEV Additions — How to Prioritise
March 2026's Patch Tuesday addressed 83 vulnerabilities including three critical Office RCEs, an Active Directory privilege escalation now in CISA's KEV catalogue, and a Kerberos security feature bypass. Add three separate CISA KEV additions throughout the month — F5 BIG-IP, Citrix NetScaler, and Active Directory — and security teams are managing a substantial patching backlog entering April. This analysis cuts through the volume to identify where to focus.
Active Directory Privilege Escalation CVE-2026-25177 Added to CISA KEV — Domain Admin Risk via SPN Abuse
CVE-2026-25177, a privilege escalation vulnerability in Active Directory Domain Services patched in March's Patch Tuesday, has been added to CISA's Known Exploited Vulnerabilities catalogue. An authenticated attacker with low-privileged domain credentials can exploit improper SPN and UPN name validation to escalate to domain administrator level. The KEV addition confirms in-the-wild exploitation approximately three weeks after patching was available.
Qilin Ransomware Posts Record 131 Victims in March — Third Consecutive Month Above 100
Qilin ransomware posted 131 confirmed victims in March 2026, its highest monthly total since emerging as a major ransomware-as-a-service operation. This marks three consecutive months above 100 victims — a sustained tempo that no tracked ransomware group has previously achieved. Healthcare, manufacturing, and professional services bear the heaviest burden, with the US accounting for half of all March ransomware victims across all groups.
CISA Publishes Dual ICS Advisories Covering Critical Flaws in Rockwell and Siemens OT Products
CISA released two industrial control system advisories on 31 March — ICSA-26-090-01 and ICSA-26-090-02 — covering critical and high-severity vulnerabilities in Rockwell Automation ControlLogix and Siemens SIMATIC S7 products. The advisories follow a pattern of stepped-up CISA ICS disclosure activity in March and arrive against a backdrop of active Iranian-affiliated targeting of operational technology environments.
F5 BIG-IP APM Vulnerability Reclassified as Critical RCE — CISA Mandates Three-Day Patch Window
A vulnerability in F5 BIG-IP Access Policy Manager initially classed as denial-of-service has been reclassified as critical remote code execution with CVSS 9.8 after active exploitation was confirmed. CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalogue on 27 March and set a three-day patch deadline for federal agencies. All organisations running BIG-IP APM should treat this as an emergency.
Langflow RCE CVE-2026-33017 Exploited Within 20 Hours, Added to CISA KEV
A critical unauthenticated remote code execution vulnerability in Langflow AI pipeline builder was exploited in the wild within 20 hours of disclosure, with attackers harvesting API keys for OpenAI, Anthropic, and AWS from compromised instances. CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalogue on 26 March, making patching mandatory for US federal agencies.
TeamPCP Backdoors LiteLLM on PyPI — AI Gateway Package With 3 Million Daily Downloads Compromised
The LiteLLM Python package — a widely-deployed AI gateway library with three million daily downloads — was backdoored on PyPI on 24 March by threat actor TeamPCP. Malicious versions 1.82.7 and 1.82.8 deployed a three-stage payload stealing cloud credentials, Kubernetes secrets, and CI/CD tokens from any system that installed the package during a 40-minute window.
Ubiquiti UniFi CVSS 10 Path Traversal CVE-2026-22557 Enables Full Account Takeover
Ubiquiti disclosed a maximum-severity path traversal vulnerability in the UniFi Network Application that allows unauthenticated attackers to read arbitrary files from the underlying OS and take over controller accounts with no credentials required. Censys identified approximately 87,000 internet-exposed UniFi endpoints at time of disclosure. The vulnerability is frequently chained with a companion NoSQL injection flaw for full administrative access.
NIST Updates DNS Security Guidance SP 800-81-3 — What Changed and Why It Matters Now
NIST released an updated edition of Special Publication 800-81, its foundational guidance on securing the Domain Name System, as DNS-based attacks and abuse techniques have evolved significantly since the previous version. The new SP 800-81-3 expands coverage of DNS-over-HTTPS, DNSSEC deployment best practices, DNS-based threat detection, and resilience against cache poisoning variants. Security teams should use this revision to audit current DNS architecture against current recommendations.
Cyberattack Hits European Commission Europa Web Platform — Data Taken From Hosted Websites
The European Commission confirmed on 27 March that a cyberattack struck the cloud infrastructure hosting the Europa web platform on 24 March 2026, with early forensic findings indicating data was exfiltrated from affected websites. The Commission operates hundreds of websites across the europa.eu domain hosting EU policy documents, consultation portals, and public databases. The incident is under investigation.
MongoBleed CVE-2025-14847: 87,000 Exposed MongoDB Instances Under Active Attack, Memory Leaking Credentials
CVE-2025-14847, named MongoBleed, is an unauthenticated memory disclosure vulnerability in MongoDB Server that allows attackers to read uninitialized heap memory from any internet-exposed instance. With 87,000 potentially vulnerable deployments globally and CISA KEV inclusion confirmed, active exploitation campaigns are targeting MongoDB instances to extract credentials, API keys, and sensitive data cached in server memory. The fix has been available since December 2025.
German Police Physically Visit Companies to Warn of Critical PTC Windchill RCE — No Patch Available
A critical unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM — industrial PLM software used across manufacturing, aerospace, and defence — prompted German federal and state police to physically dispatch officers to affected companies on the weekend of 27 March. No patch was available at time of the emergency response. PTC has provided a temporary workaround via Apache/IIS rule modification while developing a permanent fix.
Qilin Claims ASB Saarland Attack — 72 GB Stolen From German Humanitarian Organisation
Qilin ransomware claimed responsibility for a cyberattack against ASB Saarland, a German humanitarian and social services organisation, alleging theft of 72 GB of data including employee records, applicant data, health-related information, and client data. The attack continues Qilin's record-breaking March 2026 activity, during which the group claimed 131 victims — their highest monthly total — driven by wide deployment of BYOVD techniques to defeat endpoint detection.
Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Patch — Root Access on Enterprise Firewalls
Cisco's Firepower Management Center (FMC) contains a CVSS 10.0 deserialization vulnerability that Interlock ransomware was exploiting as a zero-day for 36 days before Cisco disclosed or patched it. CVE-2026-20131 allows unauthenticated remote attackers to execute arbitrary Java code as root on any internet-exposed FMC appliance. Cisco patched the flaw on 4 March 2026, but unpatched appliances remain under active ransomware targeting.
UAC-0255 Impersonates CERT-UA to Target Ukrainian Government, Healthcare, and Finance
Russian-linked threat actor UAC-0255 launched a targeted phishing campaign on 26–27 March posing as CERT-UA, Ukraine's national computer emergency response team, to deliver malware to state organisations, medical centres, financial institutions, and software development companies. The campaign uses CERT-UA brand authority to lower recipient suspicion of archive attachments containing remote access implants.
ShinyHunters Claims Infinite Campus Breach — 11 Million Student Records at Risk
Infinite Campus, the K-12 student information system used by over 3,200 school districts across 46 US states, has warned customers of a security incident after ShinyHunters claimed to have stolen data via a Salesforce ticketing system compromise on 18 March. The company confirmed the attack lasted 38 minutes and primarily exposed school staff contact details, asserting no student database access occurred — but the threat actor's extortion deadline has passed without resolution.
React2Shell CVE-2025-55182: China-Nexus Groups Exploit Max-Severity Next.js Flaw Across 30+ Organisations
CVE-2025-55182 (React2Shell), a maximum-severity unauthenticated remote code execution vulnerability in React Server Components and Next.js, is being actively exploited by China-state-affiliated threat groups and financially motivated actors simultaneously. Palo Alto Networks has confirmed over 30 organisations breached and 77,000 internet-exposed vulnerable instances, with attackers systematically harvesting AWS credentials, database connection strings, and SSH keys from compromised web infrastructure.
Craft CMS CVSS 10 Code Injection CVE-2025-32432 Added to CISA KEV
CISA added CVE-2025-32432, a maximum-severity code injection vulnerability in Craft CMS, to its Known Exploited Vulnerabilities catalogue on 20 March 2026. The flaw allows unauthenticated remote attackers to execute arbitrary code on any publicly accessible Craft CMS installation. Exploitation has been ongoing since at least February 2025 and the Mimo threat actor has been actively using it to deploy cryptocurrency miners and residential proxy malware.
Trivy Security Scanner Hijacked — 75 GitHub Action Tags Redirected to Credential Stealer
The widely-used Aqua Security Trivy vulnerability scanner was compromised in a supply chain attack that replaced 75 version tags in the official trivy-action and setup-trivy GitHub Actions with credential-stealing malware. Threat actor TeamPCP leveraged non-atomic secret rotation to retain access after an initial February compromise, launching a second attack wave on 19 March. Any CI/CD pipeline that ran trivy-action or setup-trivy during the compromise window may have had cloud credentials, API tokens, and SSH keys exfiltrated.
DarkSword Apple Exploit Chain Adds Three CVEs to CISA KEV — Federal Deadline April 3
CISA has added three vulnerabilities from the DarkSword iOS/macOS exploit chain to its Known Exploited Vulnerabilities catalogue, mandating federal agencies patch all Apple devices by 3 April. DarkSword is a multi-stage attack framework linking six chained vulnerabilities to achieve full kernel compromise across iOS, iPadOS, macOS, watchOS, and tvOS — with no user interaction required beyond visiting a malicious webpage.