Weekly Exploit Roundup 2026-03-10

Generated 2026-03-10T08:00:15.317157+00:00 (UTC)

  1. Look What You Made Us Patch: 2025 Zero-Days in Review
    Source: Threat Intelligence | Published: 2026-03-05T14:00:00+00:00 | Score: 32.907
    Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
    Executive Summary
    Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels. In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both the raw number (43) and proportion (48%) of vulnerabilities impacting enterprise technologies reached all-time highs, accounting for almost 50% of total zero-days exploited in 2025. We observed a sustained decrease in detected browser-based exploitation, which fell to historical lows, while seeing increased abuse of operating system vulnerabilities. State-sponsored espionage groups con
  2. Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
    Source: Threat Intelligence | Published: 2026-03-03T14:00:00+00:00 | Score: 22.478
    Introduction
    Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. The Coruna exploit kit provides another example of how sophisticated capabilities proliferate. Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We then retrieved the complete exploit kit when it was later used in broad-scale campaigns by
  3. CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited
    Source: The Hacker News | Published: 2026-03-10T06:17:00+00:00 | Score: 19.549
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
    The vulnerability list is as follows –

    CVE-2021-22054 (CVSS score: 7.5) – A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that

  4. Metasploit Wrap-Up 03/06/2026
    Source: Rapid7 Cybersecurity Blog | Published: 2026-03-06T18:28:41+00:00 | Score: 19.455
    Encoder exposed! Some of our releases add new ways in; this one adds new ways to stay in. There are, of course, still new RCE toys in the box (Tactical RMM via Jinja2 SSTI and an unauthenticated MajorDoMo exploit). Still, the underlying theme is payloads: more control over how they are packaged and delivered, and fewer "why did it die instantly?" moments. We, like our community of module authors, grew tired of having to do everything by hand. You can now pick encoders (and tweak their options) directly for exploit and payload modules without extra glue code. Less plumbing, more choosing-the-right-badchar-killer-at-runtime.
    New module content (3)
    Linux RC4 Packer with In-Memory Execution (x86)
    Author: Massimo Bertocchi
    Type: Evasion
    Pull request: #20965 contributed by litemars
    Path: linux/x86/rc4_packer
    Description: Adds a new module evasion/linux/x86/rc4_packer that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the
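    The rc4_packer entry above names the mechanism (payload stored RC4-encrypted, optional nanosleep delay, decrypt and execute at run time) but the excerpt stops before the details. The Python below is an added example, not code from Metasploit or from the module: it implements RC4 from scratch, packs a payload into a hypothetical container (key length, key, delay, ciphertext; the module's real layout is not on this page and is assumed here for illustration), unpacks it the way a stub would, and shows which plaintext markers a byte-signature scan finds before and after packing. The sample payload bytes are the textbook x86 execve("/bin/sh") stub, used only as data and never executed; the public RC4 test vector (key "Key", plaintext "Plaintext") is included as a correctness check.

```python
"""RC4 payload packing and recovery (added example; not Metasploit's rc4_packer code)."""
import struct
from typing import Iterator, List, Tuple

# Constructed sample payload: the textbook 23-byte x86 execve("/bin/sh") stub,
# handled here only as bytes to pack and unpack, never executed.
SAMPLE_PAYLOAD = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes: key scheduling (KSA), then generation (PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; RC4 is symmetric, so one function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Hypothetical container layout (an assumption for this example, not the module's
# real format): key length (1 byte) | key | delay in ms (uint32, big-endian) | ciphertext.
def pack(payload: bytes, key: bytes, delay_ms: int = 0) -> bytes:
    """Build the blob a decryption stub would carry.

    The key ships inside the blob, so this only hides the payload from byte
    signatures at rest; it is obfuscation, not confidentiality.
    """
    if not 1 <= len(key) <= 255:
        raise ValueError("key must fit in one length byte")
    header = struct.pack(">B", len(key)) + key + struct.pack(">I", delay_ms)
    return header + rc4(key, payload)


def unpack(blob: bytes) -> Tuple[bytes, int]:
    """Mirror of what a stub does at run time: read key and delay, then decrypt.

    A real stub would nanosleep() for the delay before decrypting and jumping
    into the buffer; here the delay is only returned.
    """
    key_len = blob[0]
    key = blob[1:1 + key_len]
    (delay_ms,) = struct.unpack_from(">I", blob, 1 + key_len)
    ciphertext = blob[1 + key_len + 4:]
    return rc4(key, ciphertext), delay_ms


def visible_markers(blob: bytes, markers: Tuple[bytes, ...]) -> List[bytes]:
    """Plaintext markers a naive byte-signature scan would still find in blob."""
    return [m for m in markers if m in blob]


if __name__ == "__main__":
    # Public RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())
    blob = pack(SAMPLE_PAYLOAD, b"k3y", delay_ms=1500)
    print("markers in raw payload:", visible_markers(SAMPLE_PAYLOAD, (b"/bin", b"//sh")))
    print("markers in packed blob:", visible_markers(blob, (b"/bin", b"//sh")))
    recovered, delay = unpack(blob)
    print("round trip ok:", recovered == SAMPLE_PAYLOAD, "delay_ms:", delay)
```

    What the packer defeats is matching the payload bytes at rest; the key and the decryption routine are both inside the artifact, so a scanner that recognises the stub (or an analyst who runs it) recovers the payload unchanged. Detection therefore has to key on the stub and on run-time behaviour rather than on the packed bytes.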
  5. Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition
    Source: Threat Intelligence | Published: 2026-03-06T14:00:00+00:00 | Score: 18.121
    Written by: Matthew McWhirt, Bhavesh Dhake, Emilio Oropeza, Gautam Krishnan, Stuart Carrera, Greg Blaum, Michael Rudden
    Background
    Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable. Destructive cyberattacks can be a powerful means to achieve strategic or tactical objectives; however, the risk of reprisal is likely to limit the frequency of use to very select incidents. Destructive cyberattacks can include destructive malware, wipers, or modified ransomware. When conflict erupts, cyber attacks are an inexpensive and easily deployable weapon. It should come as no surprise that instability leads to increases in attacks. This blog post provides proactive recommendations for organizations to prioritize for protecting against a destructive attack within an environment. The recommendations include practical and scalable methods that can help protect organizations from not only destr
  6. CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog
    Source: The Hacker News | Published: 2026-03-04T04:35:00+00:00 | Score: 17.712
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw impacting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.
    The high-severity vulnerability, CVE-2026-22719 (CVSS score: 8.1), has been described as a case of command injection that could allow an
  7. CISA Adds Three Known Exploited Vulnerabilities to Catalog
    Source: Alerts | Published: 2026-03-09T12:00:00+00:00 | Score: 16.405
    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
    CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery
    CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
    CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Alt
  8. Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
    Source: The Hacker News | Published: 2026-03-05T15:22:00+00:00 | Score: 16.248
    Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild.
    The vulnerabilities in question are listed below –

    CVE-2026-20122 (CVSS score: 7.1) – An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system.

  9. Accelerate Attack Surface Discovery with new AI-Powered Connectors
    Source: Rapid7 Cybersecurity Blog | Published: 2026-03-09T16:28:20+00:00 | Score: 16.038
    Discovery: The foundation of exposure management
    To understand your attack surface, and all related exposures, Rapid7's Command Platform provides Attack Surface Management (included in Surface Command, Exposure Command and Incident Command). It provides a 360° view of all assets in the organization, their associated risks, and how they relate to one another. This provides teams with the attack surface visibility they can trust to detect security issues from endpoint to cloud. This blog will cover how to use connectors to bring security data from your cloud, IT, AI and cybersecurity systems into Surface Command and make it actionable for the Discovery phase of Continuous Threat Exposure Management (CTEM), as well as some best practices on data management. Read on to the end of the blog to learn more about the latest connectors for most mainstream AI platforms.
    What are connectors in Rapid7 Surface Command?
    Connectors are lightweight, API-based integrations for common security data sour
  10. Hikvision and Rockwell Automation CVSS 9.8 Flaws Added to CISA KEV Catalog
    Source: The Hacker News | Published: 2026-03-06T06:30:00+00:00 | Score: 14.698
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Hikvision and Rockwell Automation products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
    The critical-severity vulnerabilities are listed below –

    CVE-2017-7921 (CVSS score: 9.8) – An improper authentication vulnerability affecting
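    Four of this week's items (3, 6, 7 and 10) are KEV additions, and item 7 spells out the BOD 22-01 rule: every catalog entry carries a due date by which FCEB agencies must remediate. The Python below is an added example, not CISA or vendor tooling, showing the check a practitioner actually runs against that catalog: parse the feed, match entries against an asset inventory, and sort by days left until the due date. The sample feed is constructed for the example using the field names of the public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse); the CVE IDs, vendors, products and dateAdded values come from the items above, the Aria vulnerabilityName is paraphrased from item 6, and the dueDate and knownRansomwareCampaignUse values are made up, so read the live feed for the real ones. The inventory and host names are likewise constructed.

```python
"""Match the CISA KEV feed against an asset inventory and compute BOD 22-01 deadlines.

Added example, not CISA or vendor tooling. The constructed sample below uses the
field names of the public KEV JSON feed; the CVE IDs, vendors, products and
dateAdded values come from the roundup items, while the dueDate and
knownRansomwareCampaignUse values are made up for the example.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa", "product": "Workspace ONE UEM",
         "vulnerabilityName": "Omnissa Workspace ONE Server-Side Request Forgery",
         "dateAdded": "2026-03-09", "dueDate": "2026-03-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk",
         "vulnerabilityName": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2026-03-09", "dueDate": "2026-03-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
         "vulnerabilityName": "Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability",
         "dateAdded": "2026-03-09", "dueDate": "2026-03-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-22719", "vendorProject": "Broadcom", "product": "VMware Aria Operations",
         "vulnerabilityName": "VMware Aria Operations Command Injection Vulnerability",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-24", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory; the Cisco entry has no matching record in the sample feed.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "aria-ops-01", "vendor": "Broadcom", "product": "VMware Aria Operations"},
    {"host": "epm-core", "vendor": "Ivanti", "product": "Endpoint Manager (EPM)"},
    {"host": "sdwan-mgr", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager"},
]


@dataclass
class KevHit:
    cve_id: str
    host: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    days_left: int      # negative once the catalog's due date has passed
    ransomware: str


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(text.lower().split())


def match_kev(feed_json: str, inventory: List[Dict[str, str]], today: date) -> List[KevHit]:
    """Return every (KEV entry, asset) pair whose vendor matches exactly and whose
    asset product name is contained in the catalog product string, soonest deadline first."""
    feed = json.loads(feed_json)
    hits: List[KevHit] = []
    for entry in feed["vulnerabilities"]:
        vendor, product = _norm(entry["vendorProject"]), _norm(entry["product"])
        added, due = date.fromisoformat(entry["dateAdded"]), date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _norm(asset["vendor"]) == vendor and _norm(asset["product"]) in product:
                hits.append(KevHit(entry["cveID"], asset["host"], entry["vendorProject"],
                                   entry["product"], added, due, (due - today).days,
                                   entry.get("knownRansomwareCampaignUse", "Unknown")))
    hits.sort(key=lambda h: (h.days_left, h.cve_id))
    return hits


def overdue(hits: List[KevHit]) -> List[KevHit]:
    """Hits whose due date is already behind us."""
    return [h for h in hits if h.days_left < 0]


if __name__ == "__main__":
    for hit in match_kev(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date(2026, 3, 10)):
        print(f"{hit.cve_id} on {hit.host}: due {hit.due_date} ({hit.days_left} days left)")
```

    For live use, replace SAMPLE_KEV_JSON with the body downloaded from CISA's published feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and feed it your own CMDB export. The matching is deliberately coarse (vendor equality plus product substring) because catalog product strings are not normalised; tighten it against your inventory naming rather than trusting an exact string match.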

End of report.
