Research
-
CISA urges agencies to patch actively exploited Zimbra and SharePoint flaws
CISA issued an advisory on March 18, 2026 urging agencies to patch two actively exploited vulnerabilities in Synacor Zimbra and Microsoft SharePoint. Deadlines and technical details are provided for federal agencies.
-
Nine vulnerabilities in low-cost IP KVM devices can enable root access and arbitrary code execution
Nine vulnerabilities in low-cost IP KVM devices can give unauthenticated attackers root access or arbitrary code execution. A technical analysis by Eclypsium highlights a CVSS 9.8 flaw and notes that partial firmware fixes are available.
-
Critical pre-auth buffer overflow found in GNU InetUtils telnetd tracked as CVE-2026-32746
A pre-authentication buffer overflow in GNU InetUtils telnetd, tracked as CVE-2026-32746 and rated CVSS 9.8, can allow unauthenticated remote code execution as root. A fix is expected by April 1, 2026.
-
LeakNet adopts ClickFix via compromised websites and runs Deno in memory
ReliaQuest’s technical report says LeakNet now uses ClickFix fake CAPTCHA pages on compromised sites to trick users, along with a Deno-based in-memory loader. Post-compromise steps include DLL side-loading, PsExec lateral movement and S3 exfiltration.
-
Konni uses compromised KakaoTalk desktops to spread EndRAT via spear-phishing
Konni used spear-phishing to install EndRAT and other RATs, then abused compromised KakaoTalk desktops to send malicious ZIP attachments to selected contacts, maintaining long-term persistence and stealing internal documents.
-
ForceMemo offshoot of GlassWorm force pushes malware into hundreds of Python repositories
A supply chain campaign called ForceMemo stole GitHub tokens and force-pushed obfuscated code into hundreds of Python repositories starting March 8, 2026. Compromised packages and pip installs may deliver remote payloads.
-
CISA adds Wing FTP information disclosure flaw CVE-2025-47813 to KEV catalog
CISA added CVE-2025-47813, an information disclosure in Wing FTP Server, to its Known Exploited Vulnerabilities catalog. The bug affects versions up to 7.4.3 and was fixed in 7.4.4. Agencies should apply fixes by March 30, 2026.
-
DRILLAPP backdoor runs in Edge to target Ukrainian entities
A February 2026 campaign used a JavaScript backdoor called DRILLAPP that runs in Microsoft Edge to capture files, microphone audio, camera video and screen images via the browser.
-
GlassWorm campaign escalates with transitive Open VSX extensions
A Socket report flagged a GlassWorm escalation in Open VSX with 72 malicious extensions found since January 31, 2026. The campaign uses transitive extension installs and invisible Unicode obfuscation to deliver payloads.






