Weekly Exploit Roundup 2026-03-17

Generated 2026-03-17T08:00:15.494614+00:00 (UTC)

  1. Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
    Source: Threat Intelligence | Published: 2026-03-16T14:00:00+00:00 | Score: 35.064
    Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
    Introduction
    Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, which is exemplified by the proliferation of the ransomware-as-a-service (RaaS) business model. While ransomware remains a dominant threat due to the volume of activity and the potential for serious operational disruptions, we have observed multiple indicators that suggest the overall profitability of ransomware operations is in decline. This trend is likely the result of multiple factors, including improved cybersecurity pra
  2. Rapid7 Detection Coverage for Iran-Linked Cyber Activity
    Source: Rapid7 Cybersecurity Blog | Published: 2026-03-11T17:31:06+00:00 | Score: 31.497
    The tension arising out of the conflict in Iran is beginning to show signs of expanding beyond a strictly regional crisis. Following our recent published advisories, this communication is intended to outline and summarize the detection and enrichment coverage available to Rapid7 customers, broadly assess the macro cyber threat landscape, and demonstrate the specific actions undertaken within the Rapid7 portfolio to assure our customers of the protection they receive and can expect moving forward. For a research-driven companion piece from Rapid7 Labs, dive into Iran’s Cyber Playbook in the Escalating Regional Conflict.
    Tracking the campaigns associated with the current conflict
    There exists a number of threat campaigns (both directly and indirectly) associated with groups associated with Iranian APT actors. In order to track details of these campaigns, any relevant indicators of compromise will be made available within Intelligence Hub. Figure 1: A screenshot of the collective campai
  3. Patch Tuesday – March 2026
    Source: Rapid7 Cybersecurity Blog | Published: 2026-03-10T20:30:36+00:00 | Score: 24.672
    Microsoft is publishing 77 vulnerabilities this March 2026 Patch Tuesday. Microsoft is aware of public disclosure of two of today’s vulnerabilities, but without evidence of exploitation in the wild for any (yet), so there are no Microsoft additions to CISA KEV today. Earlier in the month, Microsoft provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above.
    SQL Server: zero-day remote EoP
    SQL Server often goes several months in a row without any mention on Patch Tuesday. Today, however, all versions from the latest and greatest SQL Server 2025 back as far as SQL Server 2016 SP3 receive patches for CVE-2026-21262, a SQL Server elevation of privilege vulnerability. This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network. The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges
  4. CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed
    Source: The Hacker News | Published: 2026-03-12T05:18:00+00:00 | Score: 24.448
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
    The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched
  5. CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths
    Source: The Hacker News | Published: 2026-03-17T05:23:00+00:00 | Score: 19.522
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
    The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions
  6. CISA flags Wing FTP Server flaw as actively exploited in attacks
    Source: BleepingComputer | Published: 2026-03-16T18:00:22+00:00 | Score: 18.283
    CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks. […]
  7. Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution
    Source: The Hacker News | Published: 2026-03-13T04:15:00+00:00 | Score: 18.131
    Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software that, if successfully exploited, could result in remote code execution.
    The vulnerabilities are as follows –

    CVE-2026-21666 (CVSS score: 9.9) – A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server.
    CVE-2026-21667 (

  8. Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8
    Source: The Hacker News | Published: 2026-03-13T09:17:00+00:00 | Score: 16.781
    Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild.
    The list of vulnerabilities is as follows –

    CVE-2026-3909 (CVSS score: 8.8) – An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML

  9. Metasploit Wrap-Up 03/13/2026
    Source: Rapid7 Cybersecurity Blog | Published: 2026-03-13T19:06:41+00:00 | Score: 15.473
    No bad luck here: Friday the 13th brings new modules and a Metasploit Pro milestone
    This week’s Metasploit Framework release delivers three new modules across reconnaissance, evasion, and exploitation: LeakIX-powered discovery for exposed services and leaked data, a Linux x64 RC4 payload packer for more flexible evasive delivery, and an unauthenticated RCE module for SPIP Saisies (CVE-2025-71243). Alongside those additions, we shipped practical quality-of-life improvements including a smaller configurable bind_netcat payload path, automatic WordPress service reporting in the WordPress mixin, and a fix for Base64Decoder defaults in shell payload workflows. Finally, we’re also excited to share the new Metasploit Pro 5.0.0 release with an updated UI and SSO support amongst other changes, check out the announcement here: Announcing Metasploit Pro 5: Penetration Testing, Evolving.
    New module content (3)
    LeakIX Search Authors: LeakIX support@leakix.net and Valentin Lobstein chocapikk@leakix
  10. Dozens of Vendors Patch Security Flaws Across Enterprise Software and Network Devices
    Source: The Hacker News | Published: 2026-03-11T12:26:00+00:00 | Score: 15.446
    SAP has released security updates to address two critical security flaws that could be exploited to achieve arbitrary code execution on affected systems.
    The vulnerabilities in question are listed below –

    CVE-2019-17571 (CVSS score: 9.8) – A code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)
    CVE-2026-27685 (CVSS score: 9.1) – An insecure deserialization

End of report.
