This Week in Cyber: Top CVEs and Hacks — Week of March 16, 2026

This Week in Cyber: Top CVEs and Hacks — Week of March 16, 2026

Another week, another round of critical vulnerabilities being actively exploited before most organizations have had a chance to patch them. The week of March 9–16, 2026 brought a familiar mix: browser zero-days, enterprise software RCEs, supply chain shenanigans, and a state-sponsored espionage campaign with a decade of patience behind it.

Here’s the full rundown.


Critical CVEs of the Week

Chrome Zero-Days: Two Active Exploits, One Update You Need Now

Google shipped an emergency update for Chrome this week after two zero-day vulnerabilities were confirmed as actively exploited in the wild. Both have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-3909 — Skia Out-of-Bounds Write (CVSS 8.8)

  • Affected: Chrome, ChromeOS, Android, Flutter
  • Added to KEV: March 13, 2026
  • An out-of-bounds write vulnerability in Google’s Skia graphics rendering library allows attackers to execute arbitrary code within the browser’s context. The flaw affects all major platforms that use Skia, including Chromium-based browsers like Edge and Brave.

CVE-2026-3910 — V8 JavaScript Engine Memory Violation (CVSS 8.8)

  • Affected: All Chromium-based browsers
  • Added to KEV: March 13, 2026
  • A memory buffer boundary violation in Chrome’s V8 JavaScript engine that permits code execution even within sandboxed environments. This class of vulnerability is particularly dangerous because it can break out of the browser sandbox under the right conditions.

What to do: Update Chrome, Edge, Brave, and any other Chromium-based browser immediately. CISA’s KEV inclusion means federal agencies must patch by the due date, but the active exploitation means everyone else should treat this as urgent too.


Veeam Backup & Replication: The Worst Possible Place for RCE

If you’re responsible for enterprise backup infrastructure, this week was rough. Veeam disclosed five critical vulnerabilities in Backup & Replication, three of which carry a CVSS score of 9.9.

CVE CVSS Description
CVE-2026-21666 9.9 RCE via authenticated domain user
CVE-2026-21667 9.9 RCE on Backup Server
CVE-2026-21708 9.9 RCE as postgres user
CVE-2026-21668 8.8 Arbitrary file manipulation on Backup Repository
CVE-2026-21672 8.8 Local Windows privilege escalation

The three CVSS 9.9 vulnerabilities are especially alarming. Backup servers are high-value targets — they contain credentials, recovery images, and often have elevated trust relationships throughout the network. Ransomware operators have historically targeted backup infrastructure specifically to prevent recovery.

What to do: Apply Veeam’s patches immediately. If patching can’t happen right away, isolate backup servers from untrusted network segments and review service account permissions. An authenticated domain user shouldn’t be able to achieve remote code execution on anything.


Ivanti Endpoint Manager: Authentication Bypass Exposes Stored Credentials

CVE-2026-1603 — Authentication Bypass (Added to KEV: March 9, 2026)

  • Affected: Ivanti Endpoint Manager
  • An authentication bypass vulnerability that exposes stored credentials on affected systems. Ivanti products have been a recurring target over the past two years, and this addition to the KEV catalog confirms exploitation is already happening.

Ivanti has had a rough few years. Each new vulnerability in their product line is being actively hunted by threat actors who know that IT teams managing large device fleets often struggle to keep pace with Ivanti’s patch cadence.


SolarWinds Web Help Desk: Deserialization Strikes Again

CVE-2025-26399 — Untrusted Data Deserialization (Added to KEV: March 9, 2026)

  • Affected: SolarWinds Web Help Desk
  • Improper deserialization of untrusted data allows attackers to execute arbitrary commands on host systems. Deserialization vulnerabilities are notoriously difficult to fully remediate and represent one of the most reliable paths to server-side code execution.

VMware Aria Operations: Unauthenticated RCE

CVE-2026-22719 — Command Injection (Added to KEV: March 3, ongoing)

  • Affected: Broadcom VMware Aria Operations
  • A command injection vulnerability permitting unauthenticated remote code execution. Aria Operations manages monitoring and analytics across VMware environments — making it a privileged vantage point for anyone who gains access to it.

Linux AppArmor “CrackArmor”: Nine Confused Deputy Vulnerabilities

No CVE IDs have yet been assigned, but security researchers disclosed nine “confused deputy” vulnerabilities in Linux AppArmor this week under the informal name CrackArmor. The vulnerabilities, present in AppArmor since at least 2017, allow unprivileged users to:

  • Escalate to root
  • Bypass container isolation mechanisms

The disclosure is particularly notable for container environments where AppArmor is relied upon as a security boundary. Organizations running containerized workloads on Linux should monitor for patches from distribution maintainers and consider supplementary isolation controls in the meantime.


n8n Workflow Automation: Remote Code Execution via Dynamic Code

CVE-2025-68613 — Improper Control of Dynamically Managed Code Resources (Added to KEV: March 11, 2026)

  • Affected: n8n workflow automation platform
  • Allows remote code execution through improper handling of dynamically managed code resources. n8n is popular for building automation workflows and often has access to sensitive integrations — making RCE in this context particularly dangerous.

Major Cyber Incidents This Week

GlassWorm: 72 More Malicious VS Code Extensions Discovered

The GlassWorm supply chain campaign continues to expand. Since the initial disclosure on January 31, 2026, researchers have uncovered 72 additional malicious extensions in the Open VSX marketplace. The campaign is sophisticated:

  1. Threat actors publish legitimate-looking extensions and build user trust
  2. Extensions use extensionPack and extensionDependencies mechanisms to pull in malicious payloads
  3. Once trust is established, the extensions become malware delivery vehicles

The practical impact is significant for developer environments: compromised extensions can exfiltrate source code, credentials, API keys, and provide persistent access to development machines — which often have elevated access to production infrastructure.

Mitigation: Audit your VS Code extension list. Remove any extensions from unknown publishers or with suspicious dependency chains. Prefer extensions from verified publishers with large install counts and long histories.


Storm-2561: VPN Credential Theft via SEO Poisoning

Microsoft’s threat intelligence team documented a campaign tracked as Storm-2561 that targets VPN credentials through a clever multi-stage attack:

  1. Threat actors create malicious websites that rank well in search results (SEO poisoning)
  2. Victims search for VPN client downloads and land on the malicious site
  3. The downloaded installer is a digitally signed trojan — passing signature checks while silently harvesting VPN credentials
  4. Collected credentials enable network access for follow-on attacks

The use of digital signatures makes this particularly dangerous because many security tools trust signed executables without further scrutiny. Users who downloaded VPN software recently should verify they obtained it directly from the official vendor site.


OpenClaw AI Agent Platform: Prompt Injection Weaponized

Security researchers issued a warning about OpenClaw, an open-source autonomous AI agent platform increasingly used in enterprise environments. Weak default security configurations allow attackers to:

  • Control agent endpoints via prompt injection attacks
  • Extract sensitive data from agent memory and connected tools
  • Pivot from a compromised agent to connected systems and APIs

This represents a growing class of threat: as AI agents are granted more autonomy and access to sensitive systems, the attack surface expands dramatically. Organizations deploying autonomous AI agents should treat prompt injection as a first-class security concern, not an academic curiosity.


CL-STA-1087: Chinese Espionage Campaign Targeting Southeast Asian Militaries

Palo Alto Networks Unit 42 published a detailed report this week on a Chinese state-sponsored campaign designated CL-STA-1087. Key findings:

  • Active since at least 2020 — six years of sustained operations before public disclosure
  • Targets include Southeast Asian military organizations
  • Focus on intelligence collection related to military capabilities and collaboration with Western armed forces
  • Demonstrates what Unit 42 called “strategic operational patience” — the hallmark of nation-state actors who prioritize stealth over speed

The disclosure follows a pattern: Chinese APT groups operate for years before being detected, collecting intelligence slowly enough to avoid triggering anomaly-based detection systems.


INTERPOL Global Cybercrime Crackdown: By the Numbers

Law enforcement scored a significant win this week with the results of a major INTERPOL operation targeting cybercriminal infrastructure:

  • 45,000 malicious IPs and servers dismantled
  • 94 arrests across 72 countries and territories
  • 212 electronic devices and servers seized
  • Crimes addressed: phishing, malware distribution, ransomware, fraud, and identity theft

Operations at this scale demonstrate the growing effectiveness of international law enforcement cooperation in cybercrime, though threat actors typically reconstitute infrastructure within weeks of takedowns.


SocksEscort Proxy Botnet: 369,000 Routers Compromised

Law enforcement also disrupted SocksEscort, a criminal residential proxy service that had been operating since summer 2020. The service:

  • Compromised approximately 369,000 residential router IP addresses across 163 countries
  • Included approximately 2,500 U.S.-based infected devices
  • Sold access to compromised routers as “residential proxies” — making attack traffic appear to originate from legitimate consumer IP addresses

Residential proxies are used to evade IP-based security controls, make fraud harder to detect, and bypass geographic restrictions on malicious activity. Home router owners should check for firmware updates and consider whether their router has been replaced by the manufacturer.


Priority Action List for This Week

If you’re a security practitioner, here’s where to focus your energy:

  1. Update all Chromium-based browsers — Chrome, Edge, Brave, Opera. CVE-2026-3909 and CVE-2026-3910 are actively exploited.
  2. Patch Veeam Backup & Replication — Three CVSS 9.9 vulnerabilities. Ransomware actors love backup servers.
  3. Check Ivanti Endpoint Manager — Apply the authentication bypass patch. This is on the KEV list, meaning it’s being actively exploited.
  4. Review n8n and SolarWinds WHD installations — Both have critical vulnerabilities on the KEV list.
  5. Audit developer workstation extension lists — The GlassWorm campaign is still expanding.
  6. Verify VPN software sources — Storm-2561 is distributing signed credential stealers through SEO-poisoned search results.
  7. Apply AppArmor patches when available — Monitor your Linux distribution’s security advisories for CrackArmor mitigations.
  8. Review AI agent security configurations — If you’re running autonomous agents, threat model prompt injection seriously.

Patch Tuesday Context

March’s Patch Tuesday (March 10, 2026) landed squarely in the middle of this busy week. Combined with the zero-days and KEV additions, organizations running behind on patching cadence are facing significant exposure across multiple product lines simultaneously.

The consistent theme this week: attackers are moving faster than patch cycles. The Chrome zero-days, Ivanti auth bypass, and SolarWinds deserialization flaw were all actively exploited before or immediately after disclosure. Defense-in-depth, network segmentation, and behavioral monitoring remain essential because patches alone cannot keep up.


The Bigger Picture

The week’s events collectively illustrate the current threat landscape:

  • Nation-state actors (China/CL-STA-1087) are patient, persistent, and focused on intelligence value
  • Criminal actors are weaponizing legitimate infrastructure (residential proxies, signed binaries, trusted marketplaces)
  • AI is expanding the attack surface in ways that security teams are still developing controls for
  • Legacy vulnerabilities (AppArmor since 2017, SocksEscort since 2020) remain exploitable years after introduction

Stay patched, stay paranoid, and patch Veeam first.


Resources


This post covers the week of March 9–16, 2026. CVE data sourced from CISA’s KEV catalog and NVD. Incident data from public threat intelligence disclosures. Patch early, patch often.


Tags: #Cybersecurity #CVE #ZeroDay #Chrome #Veeam #Ivanti #VMware #SupplyChain #ThreatIntelligence #WeeklyRoundup #CISA #PatchTuesday

Share this post: LinkedIn Reddit WhatsApp Mastodon
Jesse Borden

Jesse Borden

Software Engineer with an interest in hands on learning

I have several years of professional Information Technology (IT) experience leading staff and projects within the Department of War (DOW). I have managed Service Desk, Web Application Development, and System Administration teams. My two greatest passions are learning and conti...