Threats

A weekend batch of 198 CVEs includes a BACnet plaintext flaw (CVSS 9.1) exposing building automation to traffic interception. WordPress gets hit with five privilege escalation bugs, cookie-based SQL injection bypassing WAFs, and a strpos() admin takeover.

Fake job interviews on Google Forms are installing the PureHVNC trojan. Malwarebytes found forms impersonating real companies in finance and tech, linking to ZIP files that deploy a multi-stage infection chain with DLL hijacking and crypto wallet theft.

Four IoT botnets that launched 316,000+ DDoS attacks and hit a record 31.4 Tbps are down. The DOJ-led takedown targeted Aisuru, KimWolf, JackSkid, and Mossad, which had compromised 3+ million devices. Two suspected admins identified in Germany and Canada.

Oracle broke its quarterly cycle with an emergency patch for Identity Manager RCE (CVSS 9.8), likely a bypass of an actively exploited October 2025 flaw. Spring patched two actuator auth bypasses. FastGPT's GitHub Actions let anyone push malicious Docker images.

A new Android trojan opens your note-taking apps and reads them. Perseus targets Google Keep, Samsung Notes, Evernote, and four more to steal passwords and crypto seed phrases. Fake IPTV apps deliver it across Europe.

Thirty-six days of zero-day access. Interlock ransomware hit Cisco Firewall Management Center via CVE-2026-20131 (CVSS 10.0) before anyone knew the flaw existed. A misconfigured server exposed their entire toolkit. CISA gave agencies three days to patch.

Three critical WordPress plugin flaws, all unpatched. A WooCommerce privilege escalation, a BuilderPress file inclusion, and a Profile Builder Pro SQL injection. Plus five OpenClaw command injections and a PX4 drone autopilot crash via MAVLink.

Six vulnerabilities, three zero-days, full kernel control. The DarkSword iOS exploit chain has been used by a spyware vendor, a surveillance customer, and suspected Russian spies across four countries since November 2025. Update to iOS 26.3.1.

A timing flaw between snap-confine and systemd-tmpfiles gives unprivileged users root on default Ubuntu Desktop 24.04+ installations. Qualys TRU's second Ubuntu disclosure in one week. Patch snapd now.

SQL injection meets RAG pipelines. Spring AI flaws turn chatbot queries into database commands. An unpatched ONNX bypass silences model trust checks. A CVSS 9.8 WordPress healthcare plugin leaks patient records with just an email address.

No malware needed. Attackers used Stryker's own Microsoft Intune to wipe 80,000 devices between 5 AM and 8 AM UTC. A week later, manufacturing and shipping across 61 countries remain disrupted. Multi-Admin Approval could have stopped it.

Five years of reviews, 480 hours, 18 deep dives. FedRAMP reviewers called Microsoft's government cloud "a pile of shit" and reported "lack of confidence" in its encryption. They approved it anyway. ProPublica reveals how.

Nine confused deputy bugs in Linux AppArmor let any local person gain root on 12.6 million Ubuntu, Debian, and SUSE systems. Hidden since 2017. Qualys TRU named the cluster CrackArmor. Patches landed March 12, no CVEs assigned yet.

Twin CVSS 9.1 Wazuh RCEs, a ScreenConnect crypto exposure, and Eclypsium KVM research headline the March 17 digest. Budget IP-KVM exposure grew from 404 to 1,611 internet-facing units in seven months.

A five-stage chain uses ClickFix social engineering and the Deno JavaScript runtime to load CastleRAT entirely in memory. ThreatDown calls it the first Deno abuse in malware. Velvet Tempest already deployed CastleRAT in a 12-day ransomware staging operation.