Weekly Threat Landscape Digest – Week 10

1. Critical Access Bypass Vulnerability in AJAX Dashboard (CVE-2026-3527)

A critical access bypass vulnerability has been identified in the AJAX Dashboard: Entity Dashboards submodule. The issue allows unauthorized users to access the dashboard configuration interface when the submodule is enabled. Although attackers cannot directly modify dashboard content, they may enable or disable dashboards, potentially disrupting administrative monitoring and operational oversight.

Key Details:

• Vulnerability Type: Access Bypass
• CVE ID: CVE-2026-3527
• Affected Component: AJAX Dashboard – Entity Dashboards submodule
• Affected Versions: AJAX Dashboard versions earlier than 3.1.0
• Fixed Version: AJAX Dashboard 3.1.0
• Risk Level: Critical
• Impact: Unauthorized users may access dashboard configuration and enable or disable dashboards.

Potential Impact:
Successful exploitation may allow unauthorized access to dashboard management interfaces, potentially affecting monitoring visibility and administrative control over dashboards.

Recommendations:

• Upgrade AJAX Dashboard to version 3.1.0 or later immediately.
• Restrict access to dashboard configuration interfaces.
• Monitor system logs for unauthorized access attempts.
• Apply regular security patching and vulnerability management practices.

Reference:
https://www.drupal.org/sa-contrib-2026-022

2. Multiple Critical Vulnerabilities Addressed in Google Chrome

Google has released security updates to address multiple vulnerabilities affecting the Google Chrome browser, several of which are rated Critical. Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary code, trigger memory corruption, or compromise affected systems through specially crafted web content.

Key Details:

Critical Vulnerabilities

• CVE-2026-3536 – Integer overflow in ANGLE
• CVE-2026-3537 – Object lifecycle issue in PowerVR
• CVE-2026-3538 – Integer overflow in Skia

High Severity Vulnerabilities

• CVE-2026-3539 – Object lifecycle issue in DevTools
• CVE-2026-3540 – Inappropriate implementation in WebAudio
• CVE-2026-3541 – Inappropriate implementation in CSS
• CVE-2026-3542 – Inappropriate implementation in WebAssembly
• CVE-2026-3543 – Inappropriate implementation in V8
• CVE-2026-3544 – Heap buffer overflow in WebCodecs
• CVE-2026-3545 – Insufficient data validation in Navigation

Fixed Versions

• Chrome 145.0.7632.159/160 for Windows and Mac
• Chrome 145.0.7632.159 for Linux
• Chrome 145 (145.0.7632.159) for Android
• Chrome 144.0.7559.236 Extended Stable for Windows and Mac
• Chrome 146.0.7680.38 for iOS

Potential Impact:
Exploitation of these vulnerabilities could allow remote attackers to execute arbitrary code, crash the browser, or compromise affected systems by convincing users to visit malicious web pages.

Recommendations

• Update Google Chrome to the latest available version immediately.
• Ensure automatic browser updates are enabled.
• Apply security patches across all enterprise endpoints.
• Monitor endpoints for abnormal browser behavior or exploitation attempts.

Reference:
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/

3. Multiple Security Vulnerabilities in Cisco Products

Cisco has released security updates addressing multiple vulnerabilities across several Cisco products. These issues range from Critical to Medium severity and may allow attackers to perform denial-of-service (DoS) attacks, execute arbitrary commands, bypass security controls, or gain unauthorized access if exploited.

Critical Severity

• Cisco Catalyst SD-WAN – CVE-2026-20122, CVE-2026-20126, CVE-2026-20128

High Severity

• Cisco Secure Firewall Management Center SQL Injection – CVE-2026-20001, CVE-2026-20002, CVE-2026-20003
• Cisco ASA & Secure Firewall Threat Defense SSL VPN DoS – CVE-2026-20100, CVE-2026-20101, CVE-2026-20103
• VPN Web Server DoS – CVE-2026-20039
• IKEv2 DoS – CVE-2026-20013, CVE-2026-20014, CVE-2026-20015
• IPsec DoS – CVE-2026-20049
• SCP Unauthorized File Access – CVE-2026-20062
• TCP Flood DoS – CVE-2026-20082

Medium Severity

• SQL Injection (Firewall Management Center) – CVE-2024-20340
• Command Injection (ASA & Firepower Threat Defense) – CVE-2024-20358
• Cisco Webex Cross-Site Scripting – CVE-2026-20149
• Snort 3 DoS (Multiple Cisco Products) – CVE-2026-20005, CVE-2026-20065, CVE-2026-20066
• Path Traversal (Firewall Management Center & Threat Defense) – CVE-2026-20018
• TLS Snort Detection Engine DoS – CVE-2026-20006
• Snort 3 SSL Memory Management DoS – CVE-2026-20052
• Snort 3 VBA DoS – CVE-2026-20053, CVE-2026-20054, CVE-2026-20057
• Snort Deep Inspection Bypass – CVE-2026-20007
• SSL Decryption Policy DoS – CVE-2026-20050
• Authenticated Command Injection – CVE-2026-20016, CVE-2026-20017, CVE-2026-20063
• Management Center Command Injection – CVE-2026-20044
• ClamAV CSS Image Parsing DoS – CVE-2026-20031
• VPN Web Services Cross-Site Scripting – CVE-2026-20070
• SAML Reflected Cross-Site Scripting – CVE-2026-20102
• OSPF Protocol Vulnerabilities – CVE-2026-20020, CVE-2026-20021, CVE-2026-20022
• Lua Code Injection – CVE-2026-20008
• Client-Side Request Smuggling – CVE-2026-20069
• Access Control List Bypass – CVE-2026-20073
• SSH Authentication Bypass – CVE-2026-20009

Recommendations

• Apply the latest Cisco security patches and updates immediately.
• Review Cisco security advisories for affected product versions.
• Restrict administrative access to network infrastructure.
• Monitor systems for unusual traffic or potential exploitation attempts.

Reference
https://sec.cloudapps.cisco.com/security/center/publicationListing.x

4. Critical Vulnerabilities in Cisco Secure Firewall Management Center (FMC) Software

Two critical vulnerabilities have been identified in Cisco Secure Firewall Management Center (FMC) software that could allow unauthenticated remote attackers to gain root-level access or execute arbitrary code on affected systems. Both vulnerabilities carry a CVSS score of 10.0, indicating a maximum severity risk. No workarounds are currently available, and organizations are advised to upgrade affected systems immediately.

Key Details

1. Authentication Bypass Vulnerability

• CVE: CVE-2026-20079
• CWE: CWE-288 (Authentication Bypass)
• Impact: Allows attackers to bypass authentication and execute scripts with root privileges.
• Attack Vector: Remote, unauthenticated network access.
• Mechanism: Improper system process created during boot allows crafted HTTP requests to bypass authentication controls.
• Affected Products: Cisco Secure FMC Software (on-premises).
• Not Affected: Cloud-delivered FMC (cdFMC), ASA Software, FTD Software, Security Cloud Control (SCC).

2. Remote Code Execution Vulnerability

• CVE: CVE-2026-20131
• CWE: CWE-502 (Insecure Deserialization)
• Impact: Enables remote execution of arbitrary Java code with root privileges.
• Attack Vector: Remote, unauthenticated network-based attack.
• Mechanism: Insecure deserialization of user-supplied Java objects within the web management interface.
• Affected Products: Cisco Secure FMC Software and Security Cloud Control (SCC) Firewall Management.
• Not Affected: ASA Software, FTD Software.
• Note: Risk exposure is reduced if the FMC management interface is not accessible from the internet.

Recommendations

• Upgrade affected Cisco FMC instances to the latest fixed software versions immediately.
• Restrict access to the FMC management interface to trusted internal networks only.
• Implement network segmentation and firewall rules to prevent public access.
• Monitor logs for suspicious authentication attempts or unusual management interface activity.

Reference
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh

5. Critical Remote Code Execution Vulnerability in OpenStack Vitrage (CVE-2026-28370)

A critical Remote Code Execution (RCE) vulnerability has been identified in OpenStack Vitrage, the Root Cause Analysis (RCA) service used by cloud administrators. The flaw exists in the query parser component and could allow authenticated attackers with access to the Vitrage API to execute arbitrary code on the affected system, potentially leading to full compromise of the Vitrage service host.

Key Details

• Vulnerability Type: Remote Code Execution (RCE)
• CVE ID: CVE-2026-28370
• CVSS Score: 9.1 (Critical)
• Affected Component: Vitrage query parser (_create_query_function in vitrage/graph/query.py)
• Attack Vector: Network (authenticated access to Vitrage API)
• Privileges Required: Vitrage service privileges
• Impact: Potential full compromise of the Vitrage service host and disruption of cloud monitoring operations.

Affected Versions

• All versions prior to 12.0.1
• 13.0.0 (excluding 13.0.1)
• 14.0.0 (excluding 14.0.1)
• 15.0.0 (excluding 15.0.1)

Fixed Versions

• OpenStack Vitrage 12.0.1 or later

Recommendations

• Upgrade OpenStack Vitrage to version 12.0.1 or later immediately.
• Restrict access to the Vitrage API and management interfaces.
• Monitor logs for suspicious API requests or abnormal activity.
• Implement strong authentication and access controls for cloud management services.

Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-28370

6. Security Updates Address Multiple Vulnerabilities in Django Framework

Security updates have been released for the Django web framework to address two vulnerabilities affecting supported versions. The updates fix a moderate-severity Denial-of-Service (DoS) vulnerability and a low-severity issue related to incorrect file permissions.

Key Details

CVE-2026-25673 – Potential Denial-of-Service in URLField (Windows)

• Severity: Moderate
• A vulnerability exists in django.forms.URLField within the to_python() method.
• The method previously used urllib.parse.urlsplit() to determine whether a URL scheme should be prepended to user input.
• On Windows systems, the urlsplit() function performs Unicode NFKC normalization, which can be computationally expensive for specially crafted large inputs.
• Attackers could exploit this behavior by submitting malicious inputs that consume excessive processing time, potentially causing a Denial-of-Service (DoS) condition.

CVE-2026-25674 – Incorrect Permissions on File System Objects

• Severity: Low
• A vulnerability was identified in Django’s file-system storage and file-based cache backends.
• Directory permissions relied on the process-wide umask setting when creating directories.
• In multi-threaded environments, temporary changes to umask by one thread could affect other threads, potentially resulting in filesystem objects being created with unintended permissions.

Affected Products

• Django main branch
• Django 6.0
• Django 5.2
• Django 4.2

Fixed Versions

• Django 6.0.3
• Django 5.2.12
• Django 4.2.29
• Django main branch (patched)

Recommendations

• Upgrade Django deployments to the latest patched versions immediately.
• Review application logs for abnormal input patterns targeting URL fields.
• Ensure secure file permission handling in application environments.
• Maintain regular patch management for framework dependencies.

Reference
https://www.djangoproject.com/weblog/2026/mar/03/security-releases/

7. High-Severity Vulnerability in WatchGuard Firebox (CVE-2026-3342)

A high-severity Out-of-Bounds Write vulnerability has been identified in Fireware OS affecting WatchGuard Firebox appliances. The flaw could allow an authenticated privileged administrator to execute arbitrary code with root-level permissions via the device management interface, potentially leading to full system compromise.

Key Details

• CVE ID: CVE-2026-3342
• CVSS Score: 8.6 (High)
• Vulnerability Type: Out-of-Bounds Write
• Impact: Arbitrary code execution with root privileges through the management interface, potentially compromising the confidentiality, integrity, and availability of the affected system.

Affected Products

Fireware OS Versions

• Fireware OS 11.9 up to 11.12.4_Update1
• Fireware OS 12.0 up to 12.11.7
• Fireware OS 2025.1 up to 2026.1.1

Affected Models

• T-Series: T15, T35, T20, T25, T40, T45, T55, T70, T80, T85
• Enterprise T-Series: T115-W, T125, T125-W, T145, T145-W, T185
• M-Series: M270, M290, M295, M370, M390, M395, M470, M495, M570, M590, M595, M670, M690
• High-End Models: M440, M4600, M4800, M5600, M5800
• Virtual & Cloud: Firebox Cloud, Firebox NV5, FireboxV

Fixed Versions

• 2025.1.x branch: Fixed in 2026.1.2
• 12.x branch: Fixed in 12.11.8
• 12.5.x branch (T15 & T35 models): Fixed in 12.5.17
• 11.x branch: Reached End of Life – upgrade to a supported version required.

Recommendations

• Upgrade affected Fireware OS versions to the latest patched releases.
• Restrict access to Firebox management interfaces to trusted administrators only.
• Implement strong authentication and access control for firewall management.
• Monitor device logs for suspicious administrative activity.

Reference
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00003

8. High-Severity Path Traversal Vulnerability in Nessus Manager (CVE-2026-3493)

A high-severity Path Traversal vulnerability has been identified in Tenable Nessus Manager. The vulnerability allows an authenticated remote attacker to read arbitrary operating system files on affected systems, potentially exposing sensitive configuration data and system information.

Key Details

• CVE ID: CVE-2026-3493
• Advisory ID: TNS-2026-08
• Severity: High
• CWE Classification: CWE-35 – Path Traversal
• Impact: Authenticated attackers may read arbitrary files from the underlying operating system.

Affected Products

• Nessus Manager 10.10.2 and earlier
• Nessus Manager 10.11.0 through 10.11.2

Fixed Versions

• Nessus Manager 10.10.3
• Nessus Manager 10.11.3

Recommendations

• Upgrade Nessus Manager to version 10.10.3 or 10.11.3 or later.
• Restrict access to Nessus Manager interfaces to authorized users only.
• Monitor system logs for suspicious file access attempts.
• Apply regular patch management and vulnerability monitoring.

Reference
https://www.tenable.com/security/tns-2026-08

9. High-Severity Vulnerability in HP Poly Voice Devices (CVE-2026-0754)

A high-severity vulnerability has been identified in HP Poly Voice devices that could allow attackers to impersonate devices and register unauthorized endpoints with SIP services. The issue stems from an embedded test key and certificate within device firmware, which could be extracted through reverse engineering techniques.

Key Details

• CVE ID: CVE-2026-0754
• CVSS Score: 8.2 (High)
• Vulnerability Type: Device impersonation via embedded test credentials
• Impact: Unauthorized device registration and potential interception of voice communications.

The vulnerability exists due to an embedded test key and certificate stored in Poly Voice device firmware. If attackers extract these credentials, they could impersonate legitimate devices when connecting to SIP service environments that do not enforce strict certificate validation during provisioning.

Potential Impact
Successful exploitation may allow attackers to:

• Impersonate legitimate SIP endpoints
• Register unauthorized devices with SIP services
• Access or intercept communication sessions
• Cause service disruption within voice infrastructure.

Affected Products and Fixed Versions

Recommendations

• Upgrade affected HP Poly Voice devices to the latest firmware versions.
• Ensure strict certificate validation during SIP device provisioning.
• Monitor SIP infrastructure for unauthorized device registrations.
• Implement network monitoring and access controls for voice infrastructure.

Reference
https://support.hp.com/us-en/document/ish_14269649-14269682-16/hpsbpy04081

10. Multiple Vulnerabilities Addressed in Android Security Updates

Google has released the March 2026 Android Security Bulletin addressing multiple vulnerabilities affecting Android devices. The updates resolve several critical Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure (ID), and Denial-of-Service (DoS) vulnerabilities across Android Framework, System components, Kernel, and hardware drivers.

Actively Exploited Vulnerability

• CVE-2026-21385
  • Severity: High
  • Component: Qualcomm Display Driver
  • Impact: Memory corruption vulnerability.
  • Exploitation Status: May be under limited targeted exploitation.
  • The flaw originates from improper memory allocation alignment in a Qualcomm display component and could compromise device integrity if exploited.

Patch Level: 2026-03-01

Critical Vulnerabilities

• CVE-2026-0006
  • Component: System
  • Severity: Critical
  • Description: Remote Code Execution vulnerability that could allow device compromise without user interaction or additional privileges.
• CVE-2026-0047
  • Component: Framework
  • Severity: Critical
  • Description: Elevation of Privilege vulnerability requiring no user interaction.

Patch Level: 2026-03-05

Additional Critical Vulnerabilities

• CVE-2026-0038 – Hypervisor
• CVE-2026-0027 – Protected Kernel-Based Virtual Machine (pKVM)

These vulnerabilities impact virtualization and sandboxing mechanisms responsible for isolating applications and protecting sensitive data.

Recommendations

• Update Android devices to the latest available security patch level.
• Ensure enterprise mobile devices receive monthly Android security updates.
• Monitor devices for suspicious activity related to exploitation attempts.
• Apply mobile device management (MDM) policies to enforce timely updates.

Reference
https://source.android.com/docs/security/bulletin/2026/2026-03-01

11. Critical OS Command Injection Vulnerability in OneUptime Probe (CVE-2026-27728)

A critical OS Command Injection vulnerability has been identified in the NetworkPathMonitor component of OneUptime Probe. The flaw allows authenticated remote attackers to execute arbitrary operating system commands, potentially leading to Remote Code Execution (RCE) on the affected server.

Key Details

• CVE ID: CVE-2026-27728
• CVSS Score: 10.0 (Critical)
• CWE Classification: CWE-78 – Improper Neutralization of Special Elements used in an OS Command
• Attack Vector: Network
• Privileges Required: Low (Authenticated user)
• User Interaction: None
• Impact: Attackers may execute arbitrary commands on the underlying server, potentially affecting multiple tenants in shared environments.

Affected Component

• Product: OneUptime Probe
• Module: NetworkPathMonitor
• Affected Versions: ≤ 10.0.6

Fixed Version

• OneUptime Probe 10.0.7

Recommendations

• Upgrade OneUptime Probe to version 10.0.7 or later immediately.
• Verify that updates are successfully applied across all probe instances.
• Restrict access to monitoring infrastructure and administrative interfaces.
• Monitor systems for suspicious command execution or abnormal monitoring activity.

Reference
https://www.cve.org/CVERecord?id=CVE-2026-27728

12. High-Severity Authentication Bypass Vulnerability in HPE AutoPass License Server (CVE-2026-23600)

A high-severity vulnerability has been identified in HPE AutoPass License Server (APLS) that could allow attackers to bypass authentication mechanisms and gain unauthorized access to affected systems.

Key Details

• CVE ID: CVE-2026-23600
• Severity: High
• CVSS v3.1 Score: 7.3
• Impact: Remote Authentication Bypass
• The vulnerability could allow an unauthenticated remote attacker to bypass authentication controls and gain unauthorized access, potentially affecting the confidentiality, integrity, and availability of the system.

Affected Products

• HPE AutoPass License Server (APLS) – Versions prior to 9.19

Fixed Version

• HPE AutoPass License Server (APLS) 9.19 or later

Recommendations

• Upgrade HPE AutoPass License Server to version 9.19 or later immediately.
• Restrict access to license server management interfaces.
• Monitor authentication logs for suspicious or unauthorized access attempts.
• Implement network segmentation and access controls to protect licensing infrastructure.

Reference
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn05003en_us&docLocale=en_US

13. Critical Remote Code Execution Vulnerability in Langflow (CVE-2026-27966)

A critical Remote Code Execution (RCE) vulnerability has been identified in Langflow, a visual platform used to design and deploy AI-powered agents and workflows. The flaw could allow remote attackers to execute arbitrary system commands on servers hosting Langflow, potentially leading to full system compromise.

Key Details

• CVE ID: CVE-2026-27966
• CVSS Score: 9.8 (Critical)
• Vulnerability Type: Remote Code Execution (RCE)
• The vulnerability exists in Langflow’s CSV Agent component, which processes spreadsheet data using the LangChain backend framework.
• In affected versions, the backend setting allow_dangerous_code was hardcoded to True, automatically enabling execution of arbitrary Python code on the host system.
• This unsafe configuration allows attackers to exploit the system via prompt injection, causing the AI agent to execute malicious operating system commands.
• Because the behavior could not be disabled through configuration or the user interface, exposed instances are vulnerable to remote code execution.

Affected Products

• Langflow versions prior to 1.6.9

Fixed Versions

• Langflow 1.8.0 and later

Recommendations

• Upgrade Langflow deployments to version 1.8.0 or later immediately.
• Restrict external access to Langflow management interfaces.
• Monitor systems for suspicious command execution or abnormal AI workflow activity.
• Implement network segmentation and secure configuration for AI service deployments.

Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-27966

14. Multiple Vulnerabilities in Trend Micro Apex One

Multiple vulnerabilities have been identified in Trend Micro Apex One that could allow remote code execution or privilege escalation under certain conditions. Successful exploitation could potentially lead to full system compromise or unauthorized privilege elevation on affected systems.

Key Details

Console Directory Traversal Remote Code Execution

• CVE: CVE-2025-71210, CVE-2025-71211
• CVSS Score: 9.8 (Critical)
• A directory traversal vulnerability in the Apex One management console may allow remote attackers to upload and execute arbitrary code on affected systems, potentially leading to full system compromise.

Scan Engine Link Following Privilege Escalation

• CVE: CVE-2025-71212
• CVSS Score: 7.8 (High)
• A link following vulnerability in the scan engine could allow a local attacker to escalate privileges on affected installations.

Origin Validation Error Privilege Escalation

• CVE: CVE-2025-71213
• CVSS Score: 7.8 (High)
• An origin validation flaw could allow a local attacker to bypass security validation mechanisms and escalate privileges.

Affected Products

• Apex One 2019 (On-premises) – Windows
• Apex One as a Service (Trend Vision One Endpoint – Standard Endpoint Protection) – SaaS

Fixed Versions

• Apex One CP Build 14136 (Windows)
• Trend Vision One Endpoint – Security Agent Build 14.0.20315

Recommendations

• Upgrade Trend Micro Apex One to the latest patched versions immediately.
• Restrict access to Apex One management consoles.
• Monitor endpoint and console logs for suspicious activity or unauthorized uploads.
• Apply regular patch management and endpoint security updates.

Reference
https://success.trendmicro.com/en-US/solution/KA-0022458

15. Multiple Vulnerabilities Addressed in Cisco Products

Cisco has released security updates addressing multiple vulnerabilities across several networking and infrastructure products. These vulnerabilities range from Critical to Medium severity and could allow attackers to perform authentication bypass, privilege escalation, remote code execution, cross-site scripting (XSS), or denial-of-service (DoS) attacks.

Key Details

Critical Severity

• Cisco Catalyst SD-WAN Software – Multiple Vulnerabilities
  • CVE-2026-20122
  • CVE-2026-20126
  • CVE-2026-20128

High Severity

• Cisco SD-WAN Software – Privilege Escalation
  • CVE-2022-20775
  • CVE-2022-20818
• Cisco Nexus 3600 and 9500-R Series Switching Platforms – Layer 2 Loop DoS
  • CVE-2026-20051
• Cisco Nexus 9000 Series Fabric Switches (ACI Mode) – SNMP DoS
  • CVE-2026-20048
• Cisco Nexus 9000 Series Fabric Switches (ACI Mode) – DoS
  • CVE-2026-20033
• Cisco NX-OS Software – Link Layer Discovery Protocol DoS
  • CVE-2026-20010

Medium Severity

• Cisco UCS Manager Software – Command Injection
  • CVE-2026-20036
• Cisco UCS Manager Software – Privilege Escalation
  • CVE-2026-20037
• Cisco FXOS and UCS Manager Software – Stored Cross-Site Scripting
  • CVE-2026-20091
• Cisco FXOS and UCS Manager Software – Command Injection
  • CVE-2026-20099
• Cisco Application Policy Infrastructure Controller – Denial of Service
  • CVE-2026-20107

Potential Impact
Successful exploitation may allow attackers to:

• Bypass authentication controls
• Execute arbitrary commands
• Escalate privileges
• Disrupt network services through denial-of-service attacks
• Inject malicious scripts into management interfaces.

Recommendations

• Apply the latest Cisco security updates and patches immediately.
• Review Cisco advisories for affected product versions and mitigation guidance.
• Restrict administrative access to network infrastructure devices.
• Monitor network devices for abnormal activity or exploitation attempts.

Reference
https://sec.cloudapps.cisco.com/security/center/publicationListing.x

16. Critical Remote Code Execution Vulnerability in ServiceNow AI Platform (CVE-2026-0542)

A critical vulnerability has been identified in the ServiceNow AI Platform that could allow unauthenticated remote attackers to execute arbitrary code within the platform’s AI Sandbox environment. Successful exploitation could lead to unauthorized system access and potential compromise of the affected platform.

Key Details

• CVE ID: CVE-2026-0542
• Severity: Critical (CVSS v4: 9.2)
• Vulnerability Type: Remote Code Execution (RCE)
• Affected Component: ServiceNow AI Platform – AI Sandbox environment
• Impact: Unauthenticated attackers may execute arbitrary code within the AI sandbox, potentially compromising system integrity.

Recommendations

• Verify the ServiceNow instance version and ensure the latest security patches are applied.
• Confirm that hosted environments have received the January 2026 security update.
• Restrict access to AI platform management and sandbox environments.
• Monitor logs for suspicious activity related to AI sandbox execution.

Reference
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2693566

17. Multiple Vulnerabilities Addressed in Wireshark

Security updates have been released for Wireshark to address multiple vulnerabilities that could allow attackers to trigger Denial-of-Service (DoS) conditions through specially crafted packet captures or malicious live network traffic.

Key Details

CVE-2026-3201 – USB HID Dissector Memory Exhaustion

• Component: USB HID dissector
• Issue Type: Uncontrolled sequential memory allocation
• Impact: Denial of Service (DoS) due to memory exhaustion.

CVE-2026-3202 – NTS-KE Dissector NULL Pointer Dereference

• Component: NTS-KE (Network Time Security – Key Establishment) dissector
• Issue Type: NULL pointer dereference
• Impact: Application crash when processing crafted traffic.

CVE-2026-3203 – RF4CE Profile Dissector Crash

• Component: RF4CE Profile dissector (Zigbee RF for Consumer Electronics)
• Issue Type: Crash during packet dissection
• Impact: Denial of Service caused by application crash.

Fixed Version

• Wireshark 4.6.4

Recommendations

• Upgrade Wireshark to version 4.6.4 or later immediately.
• Avoid opening untrusted packet capture files from unknown sources.
• Monitor systems for abnormal crashes related to packet analysis tools.
• Apply regular updates to network analysis software.

Reference
https://www.wireshark.org/docs/relnotes/wireshark-4.6.4.html

18. Iranian Threat Actors Target IP Cameras Across the Middle East

Security researchers have identified increased cyber activity attributed to Iran-linked threat actors targeting IP cameras across the Middle East, including Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. The activity is believed to support military intelligence gathering and battle damage assessment (BDA) during ongoing regional tensions.

Key Details

• Targeting activity intensified starting February 28, 2026, coinciding with heightened geopolitical conflict in the region.
• Earlier targeted scanning activity was also observed January 14–15, aligning with periods of geopolitical tension and Iranian airspace restrictions.
• Attack infrastructure includes commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and virtual private servers (VPS) linked to Iranian threat actor operations.
• The attacks primarily target Hikvision and Dahua IP cameras, attempting to exploit known vulnerabilities.

Targeted Vulnerabilities

• CVE-2017-7921 – Improper authentication vulnerability in Hikvision IP camera firmware.
• CVE-2021-36260 – Command injection vulnerability in Hikvision web server component.
• CVE-2023-6895 – OS command injection vulnerability in Hikvision Intercom Broadcasting System.
• CVE-2025-34067 – Unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform.
• CVE-2021-33044 – Authentication bypass vulnerability affecting multiple Dahua devices.

Threat Actor Activity

• Scanning campaigns were observed targeting IP cameras in multiple Middle Eastern countries simultaneously.
• The activity aligns with geopolitical developments, including military tensions and missile-related incidents.
• Compromised cameras may be used to monitor military targets, gather intelligence, or assess damage following missile strikes.

Potential Impact
Successful compromise of exposed cameras could allow attackers to:

• Monitor sensitive locations and military infrastructure.
• Conduct real-time surveillance of targeted areas.
• Support battle damage assessment (BDA) following kinetic attacks.
• Use compromised cameras as pivot points for further network access.

Recommendations

• Remove direct internet exposure of cameras and NVR devices.
• Place cameras behind VPN or zero-trust access gateways.
• Change default credentials and enforce strong unique passwords.
• Apply latest firmware updates and security patches.
• Segment camera networks using dedicated VLANs with restricted access.
• Monitor logs for failed login attempts or suspicious outbound connections.

Reference
https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/

19. Iranian Cyber Operations Escalate Following Operation Epic Fury

Recent threat intelligence reports indicate a significant escalation in cyber operations linked to Iranian state-aligned threat actors following the launch of Operation Epic Fury by the United States and Operation Roaring Lion by Israel on February 28, 2026. The coordinated campaign targeted Iranian military infrastructure and leadership while also including large-scale cyber operations against Iranian networks.

Key Details

• Cyber operations were reportedly launched before kinetic military strikes, with U.S. Cyber Command initiating cyber activities during the early phase of the operation.
• Israeli cyber operations reportedly disrupted Iran’s internet connectivity to 1–4% of normal levels by targeting BGP routing, DNS infrastructure, and SCADA/ICS systems.
• Cyber activities included the compromise of the BadeSaba prayer application, website hijacking of Iranian government portals, and disruption of IRGC command-and-control communications.

Threat Landscape Developments

• Approximately 60 hacktivist groups, including some pro-Russian collectives, became active by March 2.
• Observed cyber activities include:
  • Phishing and SMS campaigns distributing malicious RedAlert Android malware.
  • Distributed Denial-of-Service (DDoS) attacks targeting regional infrastructure.
  • Website defacements and data exfiltration operations.
  • Early-stage deployment of destructive wiper malware.

Iran-Linked Threat Actors
Several known Iranian threat groups are expected to intensify operations, including:

• MuddyWater – A state-linked group associated with Iran’s Ministry of Intelligence and Security (MOIS), primarily conducting espionage against government, telecom, and energy sectors.
• APT35 (Charming Kitten / Phosphorus) – Known for long-term intelligence operations targeting government, academic, and private sector organizations globally.
• OilRig (APT34) – A long-standing Iranian cyber espionage group targeting financial services, telecommunications, and energy sectors.

Emerging Malware Families

• RustyWater – A Rust-based remote access trojan linked to MuddyWater that includes anti-debugging techniques and remote command execution capabilities.
• WezRAT – A modular information-stealing malware used in phishing campaigns targeting Israeli organizations, capable of command execution, keylogging, screenshot capture, and browser credential theft.

Potential Impact
Organizations in sectors such as energy, oil and gas, government, defense, financial services, and telecommunications may face increased cyber threats, including espionage operations, disruptive attacks, and destructive malware deployment.

Recommendations

• Monitor networks for indicators related to Iranian threat actor tools and infrastructure.
• Strengthen email filtering and phishing protection mechanisms.
• Implement strict network segmentation and access controls for critical systems.
• Monitor for suspicious outbound connections and abnormal authentication activity.
• Conduct threat hunting for known Iranian malware families and TTPs.

Reference
https://www.attackiq.com/2026/03/05/operation-epic-fury/