Overview
Statistics
- 7 Posts
- 9 Interactions
Fediverse
"CISA orders feds to patch max-severity Cisco flaw by Sunday"
"[...] The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22."
⚠️ Ransomware crims abused Cisco 0-day weeks before disclosure
「 Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses 」
https://www.theregister.com/2026/03/18/amazon_cisco_firewall_0_day_ransomware/
Overview
Statistics
- 8 Posts
- 24 Interactions
Fediverse
CVE-2026-20963 Sharepoint Insecure Deserialization 8.8/10
Weekend soon. Where @watchTowr blog? Need lolz. I can has?
Geopolitical tensions surged as Iran targeted Gulf energy after Israeli strikes, spiking oil prices to $118/barrel (March 18-19). In cybersecurity, CISA warned of actively exploited SharePoint flaws (CVE-2026-20963), critical Ubiquiti UniFi (CVE-2026-22557), and Telnetd root-access vulnerabilities (CVE-2026-32746). NVIDIA forecasts $1T AI demand by 2027.
#AnonNews_irc #Cybersecurity #News
Overview
- GNU
- inetutils
Statistics
- 9 Posts
- 17 Interactions
Fediverse
Fun #HaikuOS fact of the day: for the first time (as far as I know), we are listed in the affected systems for a CVE. Upon closer inspection, it turns out the affected code (a bug in telnetd dating back to 1994) is behind a compiler guard and not actually enabled in our version. So, Haiku is actually safe from this CVE, for which there is no actual exploit on other systems either.
Overview
- Ubiquiti Inc
- UniFi Network Application
Statistics
- 6 Posts
- 4 Interactions
Fediverse
just like cve-2026-22557, i think you're a 10/10 :neocat_sillycat_kisser:
Ubiquiti – CVE-2026-22557: this critical flaw threatens your UniFi network https://www.it-connect.fr/ubiquiti-cve-2026-22557-cette-faille-critique-menace-votre-reseau-unifi/ #ActuCybersécurité #Cybersécurité #Vulnérabilité
Overview
Statistics
- 4 Posts
- 18 Interactions
Fediverse
Ubuntu at risk: Snap bug allows root access (CVE-2026-3888)
#Ubuntu
A critical vulnerability has been discovered in Ubuntu (CVE-2026-3888): the Snap system allows escalation to root.
https://www.marcosbox.com/2026/03/19/ubuntu-vulnerabilita-snap-cve-2026-3888-root/
「 Local Privilege Escalation (LPE) vulnerability affecting default installations of Ubuntu Desktop version 24.04 and later. This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles. 」
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
Ubuntu has fixed a bug in the Snap package installer that could have been exploited for root attacks (privilege root attacks)
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
This Week in Security: Linux Flaws, Python Ownage, and a Botnet Shutdown
The ides of security March are upon us — Qualys reports the discovery by their threat research unit of vulnerabilities in the Linux AppArmor system used by SUSE, Debian, Ubuntu, and Kubernetes as an additional security mechanism and application firewall.
AppArmor was added to Linux in 2010, and the vulnerabilities Qualys discovered have been present since 2017, and allow unprivileged (non-root) local users to elevate privileges by executing arbitrary code in the kernel, gaining root access, or performing a denial-of-service attack across the entire system by replacing all AppArmor behavior with “deny all” rules.
All Linux kernels since Linux 4.11 are vulnerable. If your Linux distribution enables AppArmor, and quite a few do, you’ll want to be updating as soon as fixes are available from your distribution maintainers. On systems with untrusted users, such as shared environments, VPS server environments, and the like, this is even more critical and urgent. Even on single-user systems, vulnerabilities like these give other exploits, like the Python attack below, a mechanism to elevate their access and persistence.
At the time of writing, the full details of the AppArmor vulnerability are limited until the Linux Kernel team releases a stable version with the fixes for distribution maintainers. Qualys has published the technical write-up with the currently public information.
Python Projects Compromised
StepSecurity reports on a new campaign to infect Python projects on GitHub with a complex malware that, once deployed, appears to be yet another crypto and login stealer.
The attacker first gains access to the GitHub credentials via another info-stealing worm – the Glassworm stealer infected VSCode extensions, with over 35,000 downloads of infected extensions in October 2025. Glassworm harvests NPM, GitHub, and OpenVSX credentials and sends them to a remote command and control (C2) server. It also harvests a wide range of cryptocurrency wallet extensions to steal crypto directly.
Once it’s harvested all the credentials it can find, Glassworm then installs a SOCKS proxy, a standard connection proxy protocol used to re-route connections, multiple remote desktop control tools, and redundant control networks. The “ForceMemo” worm (as StepSecurity dubs it) then targets Python repositories, infecting every repository the credentials have access to, using credentials from VS Code, git credential storage, GITHUB_TOKEN, and any other discovered credentials.
The actual mechanism of compromise is the most interesting aspect of what is otherwise an aggressive malware, but in many ways, just another crypto stealer. ForceMemo gains its name by using a series of Git tricks to attempt to hide its activity: instead of simply generating a git push or GitHub pull request, the malware rebases the last commit in the repository, injects the malware into the Python scripts, and performs a force push to silently replace the last commit record.
Once infected, a Python project runs the payload as soon as a consumer runs the setup.py command to build and install the package. The payloads are heavily obfuscated and encrypted, but StepSecurity believes once triggered, ForceMemo harvests SSH keys, GitHub tokens, and crypto wallet tokens, as well as connecting to multiple C2 servers and installing remote access and proxy tools for future activity.
With the malware infecting Python projects indiscriminately, this exposes developer workstations with internal credentials and CI/CD environments with production credentials equally.
Ubuntu Snapd flaws
Apparently on a roll, Qualys also discovered that the Ubuntu Snapd system — the service responsible for managing packages and services in the Snap format — allows for privilege escalation. The Ubuntu report is low on details, stating only that improper handling of “certain operations” in a snap package tmp directory could cause systemd-tmpfiles to recreate the files, allowing replaying commands and gaining “escalated privileges”.
Fixes are available for all recent Ubuntu releases, however Ubuntu 20.04 and older require the paid “Ubuntu Pro” subscription to get them. As always, the advice is to patch as soon as possible – once a vulnerability is known it becomes a vector for malware and other attacks, such as a credential stealer gaining root access to reinstall itself.
UniFi Network Application
UniFi is a popular networking choice for home lab and networking geeks, and probably has a higher-than-average usage rate among readers here. The company reports a high-risk vulnerability in the UniFi Network Application component of the management service and a second high-risk vulnerability in the NoSQL implementation.
UniFi lists the vulnerability as a path traversal bug allowing access to files on the server. Path traversal bugs are validation bugs that involve forming URLs which reference files outside of the directories the web server would normally be allowed to serve files from. In a properly paranoid server, paths are resolved to the final file, then checked to make sure that serving that file is allowed, but in a naive implementation the paths are simply concatenated, allowing a requested file path – for instance “../../../../../../../../../etc/passwd” – to escape the web server directory and serve a file directly from the filesystem. Because it’s always possible to go back a directory, even from the base of the filesystem, an attacker will often simply add a dozen or more “../” references to brute-force the path, assuming it will reach the root of the system eventually.
On the NoSQL side, there are even fewer details, but UniFi lists it as a SQL injection vulnerability which can lead to elevated privileges. Fortunately, the vulnerability seems to require access to a network which can reach the UniFi controller – this won’t open every install to a drive-by attack from the parking lot or the Internet at large.
If you run a UniFi system, still be sure to get the latest updates – it’s never a good idea to leave vulnerabilities in place, even on an internal network. Increasingly, complex attacks are taking advantage of multiple vulnerabilities to access internal services once a single external vulnerability is found, and this is taking place on home networks as well as corporate!
Gov Collab Shuts Down Botnets
Finally, Brian Krebs reports on a multi-national effort by Germany, Canada, and the United States to shut down the Kimwolf, Aisuru, Jackskid, and Mossad botnets, credited with being the source of world-record-breaking denial of service attacks.
The majority of devices forming the Kimwolf botnet appear to be Android TV devices with poor security, sold by major US retailers. Residential proxy networks, malware disguised as cheap or free VPNs, or other malware infections installing proxy servers, allowed attackers access to the internal home networks of infected users, exposing the vulnerable set-top boxes.
The shutdown of the botnets appears to be coordinated with the arrests of operators of the botnet services in multiple countries and seizure or shutdown of the C2 servers operating the network. When patching hundreds of thousands of infected devices is impractical, taking control of the infrastructure to prevent further abuse is usually the next best step.
Overview
- Oracle Corporation
- Oracle Identity Manager
Statistics
- 2 Posts
- 7 Interactions
Fediverse
Oracle issues an out-of-band security update for a pre-auth RCE in Oracle Identity Manager
https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
Overview
Statistics
- 2 Posts
- 11 Interactions
Fediverse
#CVE_2017_11882 or some similar BS from an Excel file attached to a message sent to my blog email address. Final malware seems to be an AgentTesla/SnakeKeyLogger/VIP Recovery variant. Sample at:
https://bazaar.abuse.ch/sample/263b3f3c5e91c8fe858803ceae4b268af40536487828cf980e8d6e4d793648c0/
Calls for follow-up files at:
- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/wealtt/nerdfwiqtwqhdgfrwt6fntdwrgonht.js
- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/ENCRYPT.Ps1
Samples of these follow-up files at:
- https://bazaar.abuse.ch/sample/c47d92db7ed3cc5fdbb3296f3f4ab328cd8b66ac079f5bf658d4f2fa5f8a6af7/
- https://bazaar.abuse.ch/sample/dd737dea20792860147b53679f68e964778a2b47e98d7187ccd4ead0127aec76/
Overview
- Microsoft
- ASP.NET Core 10.0
Statistics
- 2 Posts
Overview
- astroidframe.work
- Astroid Template Framework
Statistics
- 1 Post
- 3 Interactions
Overview
Statistics
- 1 Post
- 2 Interactions
Fediverse
ZAST engine has identified and verified CVE-2026-1829 in Content Visibility for Divi Builder 4.01, along with one additional verified vulnerability in the same plugin.
Project page: https://wordpress.org/plugins/content-visibility-for-divi-builder/ Project footprint: 2,000+ active installations on WordPress.org.
The critical issue is a code-execution path where user-controlled visibility expressions reach eval() through multiple application features. This is a representative example of why security teams need autonomous verification: dangerous APIs alone do not define risk. Reachability, privilege boundaries, and runtime behavior do.
ZAST.AI promotes findings into reports only after successful PoC validation, which supports a zero-false-positive operating model and helps enterprise teams prioritize remediation on verified issues.
Full report: https://blog.zast.ai/vulnerability%20research/ai%20security/Auditing-Content-Visibility-for-Divi-Builder/
@wordfence @WordPress@mastodon.world @wordpress@lemmy.world
#ApplicationSecurity #WordPressSecurity #AppSec #VulnerabilityResearch #AIForSecurity