Weekly Exploit Roundup 2026-03-24

Generated 2026-03-24T08:00:16.820390+00:00 (UTC)

  1. The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
    Source: Threat Intelligence | Published: 2026-03-18T14:00:00+00:00 | Score: 23.893
    Introduction: Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian
  2. Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager
    Source: The Hacker News | Published: 2026-03-21T10:24:00+00:00 | Score: 23.828
    Oracle has released security updates to address a critical security flaw impacting Identity Manager and Web Services Manager that could be exploited to achieve remote code execution.
    The vulnerability, tracked as CVE-2026-21992, carries a CVSS score of 9.8 out of a maximum of 10.0.
    "This vulnerability is remotely exploitable without authentication," Oracle said in an advisory. "If successfully
  3. Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability
    Source: SecurityWeek | Published: 2026-03-23T05:34:43+00:00 | Score: 21.514
    CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild.
  4. Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
    Source: The Hacker News | Published: 2026-03-20T15:15:00+00:00 | Score: 20.458
    A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities.
    The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution.
    "The POST /api/v1
  5. CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks
    Source: The Hacker News | Published: 2026-03-19T06:05:00+00:00 | Score: 19.771
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild.
    The vulnerabilities in question are as follows –

    CVE-2025-66376 (CVSS score: 7.2) – A stored cross-site scripting

  6. Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access
    Source: The Hacker News | Published: 2026-03-18T16:00:00+00:00 | Score: 19.552
    Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software.
    The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to
  7. CVE-2026-3055: Citrix NetScaler ADC and NetScaler Gateway Out-of-Bounds Read
    Source: Rapid7 Cybersecurity Blog | Published: 2026-03-23T19:30:51+00:00 | Score: 18.628
    Overview: On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory. The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on. Per the advisory, organizations can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: "add authentication samlIdPProfile .*". CVE-2026-3055 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 1
  8. M-Trends 2026: Data, Insights, and Strategies From the Frontlines
    Source: Threat Intelligence | Published: 2026-03-23T14:00:00+00:00 | Score: 17.964
    Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection. Today, we release M-Trends 2026. Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today.
  9. Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
    Source: The Hacker News | Published: 2026-03-24T05:59:00+00:00 | Score: 17.54
    Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application.
    The vulnerabilities are listed below –

    CVE-2026-3055 (CVSS score: 9.3) – Insufficient input validation leading to memory overread
    CVE-2026-4368 (CVSS score: 7.7) – Race condition leading to user

  10. Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE
    Source: The Hacker News | Published: 2026-03-18T12:30:00+00:00 | Score: 16.448
    Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges.
    The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of out-of-bounds write in the LINEMODE Set

End of report.
