CyberNews: 20/03/2026 Edition

Published by Dunateo on 2026-03-20

Today’s roundup

  • A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)
  • U.S. CISA adds a flaw in Cisco FMC and Cisco SCC Firewall Management to its Known Exploited Vulnerabilities catalog
  • Critical Ubiquiti UniFi security flaw allows potential account hijacking
  • Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376
  • Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge
  • Feds Disrupt IoT Botnets Behind Huge DDoS Attacks
  • Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover
  • 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security
  • Navia discloses data breach impacting 2.7 million people
  • Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation
Summary

A critical 32-year-old pre-authentication remote code execution (RCE) vulnerability (CVE-2026-32746, CVSS 9.8) has been found in GNU inetutils Telnetd. Affecting numerous forks, this buffer overflow allows unauthenticated attackers to corrupt memory and potentially achieve RCE, particularly on 32-bit systems still widely deployed in legacy infrastructure.

CISA has added a critical RCE vulnerability, CVE-2026-20131 (CVSS 10.0), in Cisco Secure Firewall Management Center (FMC) Software to its Known Exploited Vulnerabilities catalog. The Interlock ransomware group actively exploited this zero-day via insecure Java deserialization since January 2026, weeks before public disclosure. Federal agencies must remediate by March 22, 2026.

Ubiquiti patched two UniFi Network application vulnerabilities, including a maximum-severity path traversal flaw (CVE-2026-22557, CVSS 10.0) allowing network-based account takeover. An authenticated NoSQL injection (CVE-2026-22558, CVSS 7.7) also permits privilege escalation. Users are urged to update to version 10.1.89 or later.

Russian APT group APT28 is exploiting a high-severity stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-66376, CVSS 7.2) in Zimbra Collaboration Suite. Targeting Ukrainian government entities, the attackers embed malicious JavaScript in HTML emails to harvest credentials, session tokens, and 2FA codes, then exfiltrate data via DNS and HTTPS. CISA has added this flaw to its KEV catalog.

Apple warned users to update older iPhones against advanced Coruna and DarkSword iOS exploit kits. Coruna targets iOS 13-17.2.1 via 23 exploits, while DarkSword, with six flaws (three zero-days), compromises iOS 18.4-18.7 for rapid data exfiltration. Both are used by surveillance vendors and state-sponsored actors like Russia-linked UNC6353.

An international operation led by the U.S. Justice Department, with Canadian and German authorities, disrupted the command-and-control infrastructure of four major IoT botnets: Aisuru, Kimwolf, JackSkid, and Mossad. These botnets, comprising over three million compromised devices, were responsible for record-breaking DDoS attacks, some reaching 31.4 Terabits per second, and involved alleged operators in Canada and Germany.

A critical vulnerability, 'PolyShell', was found in Magento Open Source and Adobe Commerce stable version 2. The flaw in Magento's REST API allows unauthenticated attackers to upload arbitrary executables, achieving remote code execution (RCE) and account takeover by disguising malicious code as an image, posing a severe risk to e-commerce platforms.

New research highlights that 54 Endpoint Detection and Response (EDR) killer programs now utilize the "Bring Your Own Vulnerable Driver" (BYOVD) technique, abusing 35 distinct signed vulnerable drivers to disable security software. This method is frequently employed by ransomware groups to neutralize defenses before deploying file-encrypting malware, representing a significant challenge for enterprise security.

Navia Benefit Solutions, Inc. has disclosed a data breach affecting nearly 2.7 million individuals. The incident resulted in the exposure of sensitive personal information to unauthorized attackers. The company is actively notifying all impacted individuals about the breach to ensure they can take necessary protective measures.

Details emerged on 'The Gentlemen' ransomware-as-a-service (RaaS) operation from affiliate leaks. The group employs FortiGate exploits, "Bring Your Own Vulnerable Driver" (BYOVD) for evasion, and Qilin ransomware's split tactics. This provides critical intelligence on modern ransomware operational methods, indicating sophisticated attack chains and evasion techniques.

Want to dig deeper?

Vulnerabilities

  • CVE-2026-32746 (Critical)
  • CVE-2025-66376 (Medium)
  • CVE-2026-20131 (Critical)
  • CVE-2026-22557 (Critical)
  • CVE-2026-22558 (High)

Cyber Groups

  • APT28 (aliases: IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch)

Malware Families

  • Aisuru