Two CVSS 9.1 remote code execution bugs in Wazuh SIEM top the March 17 batch. Eclypsium published research on three budget IP-KVM products the same day. A ScreenConnect crypto exposure (CVSS 9.0), a Spinnaker SSRF bypass (CVSS 9.1), and an Atlassian Bamboo RCE round out the critical tier. Apache Airflow got four authorization fixes and Ubuntu's snapd got a privilege escalation patch.
Wazuh deserialization grants root on master node (CVSS 9.1)
Wazuh versions 4.0.0 through 4.14.2 have two RCE bugs in the DistributedAPI. CVE-2026-25769 and CVE-2026-25770 (CVSS 9.1 each) both stem from unsafe deserialization of JSON objects in the as_wazuh_object function. An attacker with worker node access can reach root privileges on the master.
The attack path exploits the run_as API endpoint. An attacker injects an unsanitized dictionary into the auth_context parameter, forging an __unhandled_exc__ object that evaluates arbitrary Python code on the master.
It is likely that there are more ways to reach the unsafe deserialization function, some of them might even be accessible from different contexts (without credentials, or initiated by a compromised agent).
— Wazuh GitHub Security Advisory GHSA-3gm7-962f-fxw5
All Wazuh deployments running cluster mode are at risk. The advisory lists three entry points: a taken-over worker, a taken-over dashboard, or a taken-over agent. Version 4.14.3 fixes the pair.
CVE-2025-24016 (CVSS 9.9), an earlier unsafe-deserialization RCE in the same Wazuh function, was exploited by Mirai botnets in early 2025. Censys counted 17,329 exposed instances at the time. The new pair hits the same deserialization path, so anyone who patched the 2025 bug but stayed below 4.14.3 remains exposed.
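The shape of the bug described above, as an added illustration written for this page (it is not Wazuh's code and does not reproduce the actual `as_wazuh_object` implementation): a JSON `object_hook` that rebuilds an exception from an `__unhandled_exc__` marker. The vulnerable version evaluates the peer-supplied class name as Python source; the hardened version treats the name as a lookup key into an allowlist of builtin exception types and rejects everything else. The payloads are constructed for the demo.

```python
"""Illustrative model of an unsafe JSON object_hook and its hardened form.
Written for this page; not the Wazuh project's code."""
import builtins
import json


def unsafe_as_object(dct):
    """Vulnerable pattern: the class name is evaluated as Python source, so a
    peer that controls the JSON controls what runs on the decoding side."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # arbitrary code
    return dct


# Allowlist: only builtin exception classes may be named by the peer.
ALLOWED_EXCEPTIONS = {
    name: cls
    for name, cls in vars(builtins).items()
    if isinstance(cls, type) and issubclass(cls, BaseException)
}


def safe_as_object(dct):
    """Hardened pattern: the name is a dictionary key, never source code, and
    the constructor arguments are restricted to plain strings."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        name = exc.get("__class__")
        args = exc.get("__args__", [])
        if name not in ALLOWED_EXCEPTIONS:
            raise ValueError(f"refusing to rebuild non-builtin exception {name!r}")
        if not all(isinstance(a, str) for a in args):
            raise ValueError("exception arguments must be strings")
        return ALLOWED_EXCEPTIONS[name](*args)
    return dct


# Constructed payloads: a legitimate error object as a worker might send it,
# and a forged one whose "class name" is a Python expression.
LEGIT = json.dumps(
    {"__unhandled_exc__": {"__class__": "KeyError", "__args__": ["agent_id"]}}
)
FORGED = json.dumps(
    {"__unhandled_exc__": {"__class__": "(lambda: 'code ran on master')", "__args__": []}}
)


def decode(payload, hook):
    """Decode a JSON message with the given object_hook (innermost dicts first)."""
    return json.loads(payload, object_hook=hook)


def demo():
    """Run both decoders over both payloads and report what each one did."""
    results = {
        "unsafe_legit": type(decode(LEGIT, unsafe_as_object)).__name__,
        "unsafe_forged": decode(FORGED, unsafe_as_object),  # attacker's lambda ran
        "safe_legit": type(decode(LEGIT, safe_as_object)).__name__,
    }
    try:
        decode(FORGED, safe_as_object)
        results["safe_forged"] = "accepted"
    except ValueError:
        results["safe_forged"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is not "sanitize the string before `eval`"; it is to never turn peer-controlled data into code at all. Any path that can reach the decoder (the `run_as` endpoint in the advisory, or the other contexts the advisory warns about) inherits whatever the hook is willing to construct.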
ScreenConnect cryptographic material exposure (CVSS 9.0)
ConnectWise disclosed CVE-2026-3564 on March 17. Under certain conditions, the ScreenConnect Certificate Signing Extension includes encrypted configuration values in responses sent to unauthenticated parties. On-premises installations are impacted. Cloud-hosted instances received an automatic fix.
ScreenConnect 26.1 patches the flaw. Partners using ScreenConnect integrated with ConnectWise Automate must also update the Automate ScreenConnect Extension. Expired maintenance agreements need renewal before the patch can be applied.
This is the latest in a run of critical ScreenConnect CVEs over the past two years. CVE-2024-1709 (authentication bypass, February 2024) was exploited by ransomware groups within hours of disclosure. CVE-2025-3935 (ViewState code injection, 2025) involved a nation-state actor. The progression (auth bypass, then deserialization, now cryptographic material exposure) makes ScreenConnect one of the most targeted remote management tools in the enterprise.
Eclypsium: three budget IP-KVM products riddled with flaws
Eclypsium disclosed weaknesses in three low-cost IP-KVM products on March 17. The vulnerable hardware includes the Sipeed NanoKVM, JetKVM, and GL-iNet Comet (GL-RM1), all priced between $30 and $100.
RunZero found 404 such units on the public internet in June 2025.
By January 2026, Eclypsium counted 1,611. IP-KVM hardware sits below the OS layer, intercepts keyboard input and video output, and bypasses endpoint security entirely. Enterprise data centers, healthcare facilities, and OT environments deploy these units for out-of-band server management.
CVE-2026-32296 (CVSS 8.2, High) hits Sipeed NanoKVM before 2.3.1. The /api/network/wifi endpoint requires no authentication. An attacker on the network can redirect the NanoKVM to a rogue Wi-Fi access point, gaining man-in-the-middle position on all subsequent traffic. A second payload exhausts system memory and kills the KVM process.
CVE-2026-32294 (CVSS 4.7, Medium) hits JetKVM's OTA mechanism. The hardware verifies firmware only with SHA-256 hashes, not cryptographic signatures. Both the hash and the binary come from one server, so a man-in-the-middle attacker who controls the channel controls the firmware. JetKVM raised over $5 million on Kickstarter.
CVE-2026-32291 (CVSS 6.8, Medium) affects the GL-iNet Comet. Its UART serial console requires no authentication, and physical access grants a root shell. The GL-RM1 also validates firmware updates using only MD5.
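What "hash only, no signature" costs, as an added example written for this page (it is not any vendor's OTA code and does not model the JetKVM or GL-RM1 update formats): a device that checks a downloaded image against a SHA-256 in a manifest fetched over the same channel accepts whatever an on-path attacker serves, because the attacker rewrites both. A signature over the digest, checked against a public key baked into the device, cannot be rewritten without the vendor's private key. Textbook RSA with a fixed random seed is used only so the block runs with the standard library; real deployments use a padded scheme such as RSA-PSS or Ed25519.

```python
"""Added example: hash-only OTA verification versus a signature check.
Toy textbook RSA (no padding, fixed seed) for a self-contained demo only."""
import hashlib
import random

_rng = random.Random(2026)  # fixed seed: deterministic keys for the demo


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Returns (public, private) = ((n, e), (n, d)); n is wide enough to hold
    a SHA-256 digest as an integer."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(blob):
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def sign(private, blob):
    n, d = private
    return pow(digest_int(blob), d, n)


def signature_ok(public, blob, sig):
    n, e = public
    return pow(sig, e, n) == digest_int(blob)


def hash_only_ok(manifest, blob):
    """The weak check: hash in the manifest must match the download."""
    return manifest["sha256"] == hashlib.sha256(blob).hexdigest()


def mitm_scenario():
    """Vendor publishes firmware plus manifest; an on-path attacker swaps both.
    The attacker can recompute the hash but can only replay the vendor's
    signature, which no longer matches the new image."""
    pub, priv = keygen()
    vendor_fw = b"constructed vendor firmware image"
    manifest = {
        "sha256": hashlib.sha256(vendor_fw).hexdigest(),
        "sig": sign(priv, vendor_fw),
    }
    evil_fw = b"constructed backdoored firmware image"
    evil_manifest = {
        "sha256": hashlib.sha256(evil_fw).hexdigest(),  # attacker recomputes
        "sig": manifest["sig"],  # best the attacker can do without priv
    }
    return {
        "hash_only_accepts_vendor": hash_only_ok(manifest, vendor_fw),
        "hash_only_accepts_evil": hash_only_ok(evil_manifest, evil_fw),
        "signature_accepts_vendor": signature_ok(pub, vendor_fw, manifest["sig"]),
        "signature_accepts_evil": signature_ok(pub, evil_fw, evil_manifest["sig"]),
    }


if __name__ == "__main__":
    print(mitm_scenario())
```

The same reasoning applies to the GL-RM1's MD5 check: a digest fetched alongside the image only detects accidental corruption, never substitution. The public key must live in the device (ideally in immutable storage) rather than be downloaded with the update, or the attacker simply replaces it too.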
Caution
IP-KVM hardware operates below the OS and intercepts keystrokes, video, and BIOS-level access. A compromised unit gives an attacker full control of the host without any endpoint agent detecting it. Scan your environment using Shodan queries like title:JetKVM, title:NanoKVM, or title:GLKVM; Shodan only sees units exposed to the internet, so inventory the management network separately for the rest.
Spinnaker SSRF bypass via underscore hostnames (CVSS 9.1)
CVE-2026-25534 affects Spinnaker's clouddriver and orca components. The platform's URL validation does not handle hostnames containing an underscore: Java's URL/URI classes treat such a host as invalid (java.net.URI.getHost() returns null for it), so the host-based check has nothing to compare against and the request proceeds anyway. This bypasses the fix for CVE-2025-61916, the previous SSRF in clouddriver.
Spinnaker found the identical parsing problem in Orca's fromUrl expression handling, so both components are hit. An attacker can fetch internal resources, extract cloud provider secrets on AWS/GCP, and reach internal Spinnaker APIs.
Patched versions are 2025.2.4, 2025.3.1, 2025.4.1, and 2026.0.0. Teams that cannot upgrade should disable HTTP artifact providers accepting untrusted URLs. CISA tagged this as "Technical Impact: partial" in its ADP enrichment.
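The failure class above, as an added example written for this page (generic illustration, not Spinnaker's validation code): `legacy_check` models a block-list check that fails open when the parser yields no host, with the underscore behaviour of Java's `URI.getHost()` simulated explicitly since Python's parser accepts underscores; `validate_outbound_url` is the fail-closed alternative, which rejects anything it cannot positively classify as an http(s) URL to a public IP literal or a syntactically valid DNS name. The block list entries and test URLs are constructed.

```python
"""Added example: fail-open versus fail-closed SSRF URL validation.
Not Spinnaker's code; written for this page."""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 hostname labels: letters, digits, hyphens; no underscore.
_HOSTNAME = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.?$"
)


def legacy_check(url, blocklist=("169.254.169.254", "metadata.google.internal")):
    """Models the bypassed shape: a strict parser gives up on a host with an
    underscore (simulated here; Python's urlsplit would accept it), and the
    caller only blocks when a host is present. Returns True if allowed."""
    host = urlsplit(url).hostname
    if host and "_" in host:
        host = None  # constructed: mimic java.net.URI.getHost() returning null
    if host is None:
        return True  # nothing to compare, so the request proceeds (fail open)
    return host not in blocklist


def validate_outbound_url(url, allowed_schemes=("http", "https")):
    """Fail-closed validator. Returns (ok, reason). Anything the parser cannot
    positively classify is rejected rather than waved through."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in allowed_schemes:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Literal address: only globally routable ranges pass. This blocks
        # loopback, link-local (cloud metadata), RFC 1918, CGNAT and reserved.
        if not ip.is_global:
            return False, f"IP literal {host} is not a public address"
        return True, "public IP literal"
    if not _HOSTNAME.match(host):
        return False, f"host {host!r} is not a valid DNS name"
    return True, "ok"


if __name__ == "__main__":
    for u in (
        "https://artifacts.example.com/build.tgz",
        "http://169.254.169.254/latest/meta-data/",
        "http://internal_svc:8080/",
        "http://[::1]/",
        "file:///etc/passwd",
    ):
        print(u, "legacy:", legacy_check(u), "strict:", validate_outbound_url(u))
```

A syntactic check is only the first gate: a production validator must also resolve the name and apply the same address filter to every resolved IP at connection time (not just once before the request), otherwise DNS rebinding or a name that later resolves to a link-local address gets the same result as the underscore trick.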
Atlassian Bamboo RCE inside a 21-vulnerability bulletin (CVSS 8.6)
Atlassian's monthly Security Bulletin on March 17 disclosed 21 high-severity issues. CVE-2026-21570 (CVSS 8.6) is an RCE in Bamboo Data Center and Server that lets an authenticated attacker run arbitrary code.
Bamboo is Atlassian's CI/CD build server. RCE in a build server typically gives the attacker credentials for production targets, artifact repositories, and source control. Atlassian has released fixed versions. Cloud offerings are not at risk.
Apache Airflow: four authorization flaws in one day
Four bugs in Apache Airflow 3.1.0 through 3.1.7 all involve broken authorization. CVE-2026-30911 (CVSS 8.1) is the most serious: missing authorization on Human-in-the-Loop (HiTL) endpoints. HiTL is a security gate that requires human sign-off before critical pipeline steps execute. The bypass defeats the feature entirely.
CVE-2026-28779 (CVSS 7.5) sets the session token cookie with path=/ regardless of deployment path. Tokens may leak to unrelated apps on the same domain. Two lower-severity bugs leak DAG version data and dependency graphs without proper controls.
Airflow is the dominant workflow orchestration tool in data engineering, used by Airbnb, Spotify, Lyft, and Twitter/X. Teams running Airflow 3.1.x with human approval gates should treat CVE-2026-30911 as a priority patch.
Snapd local privilege escalation on Ubuntu (CVSS 7.8)
CVE-2026-3888 lets local attackers gain root on Linux through snapd. The daemon runs as root and manages Snap package installation, confinement, and updates. Ubuntu servers and desktops are vulnerable.
Snapd has a history of LPE bugs. CVE-2022-3328 was a race condition in snap-confine chainable to root. CVE-2021-44731 (Qualys "Oh Snap! More Lemmings") was a similar escalation. The daemon's root-level position and local input handling make it a recurring target for LPE researchers.
Also notable
CVE-2026-24901 (CVSS 8.1) is an IDOR in Outline, a collaborative documentation tool. Prior to version 1.4.0, any team member can restore and seize ownership of deleted private documents belonging to administrators.
CVE-2026-21886 (CVSS 6.5) lets authenticated OpenCTI users read beyond their authorization scope via GraphQL. Update to 6.9.1. CVE-2026-4147 (CVSS 6.5) leaks uninitialized stack memory from MongoDB Server's filemd5 command. It is a less severe relative of MongoBleed (CVE-2025-14847, CVSS 8.7), which Wiz observed exploited in the wild in late 2025 across 87,000 exposed instances.