Here are today’s top cybersecurity stories for Thursday, March 26, 2026.
Microsoft March 2026 Patch Tuesday Fixes 84 Flaws Including Two Zero-Days and Critical Office RCE
Microsoft released its March 2026 Patch Tuesday security updates, addressing 84 vulnerabilities across Windows, SQL Server, Microsoft Office, .NET, Azure, and Edge. Two publicly disclosed zero-days are included: CVE-2026-21262 (CVSS 8.8), an elevation of privilege flaw in SQL Server enabling an authenticated low-privilege attacker to gain full sysadmin control, and CVE-2026-26127 (CVSS 7.5), a .NET denial-of-service vulnerability exploitable remotely without authentication. Two additional critical Office remote code execution flaws (CVE-2026-26110 and CVE-2026-26113) are exploitable via the preview pane without any user interaction. BleepingComputer | Krebs on Security
DarkSword iOS Exploit Kit Chains Six Vulnerabilities to Deploy GHOSTBLADE Infostealer
Google researchers identified DarkSword, an iOS exploit chain using six vulnerabilities — three of them zero-days — to execute JavaScript-based malware on unpatched iPhones through drive-by attacks on compromised websites. The GHOSTBLADE payload exfiltrates device identifiers, SMS messages, call history, contacts, Wi-Fi credentials, Safari cookies, iCloud files, saved passwords, and Telegram and WhatsApp message histories. Russian state-linked actor UNC6353 has been observed deploying DarkSword in watering hole campaigns targeting Ukrainian users since December 2025. Devices running Lockdown Mode and current iOS versions are protected. The Hacker News | BleepingComputer
Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
Attackers compromised Aqua Security’s Trivy open-source vulnerability scanner by force-pushing malicious code to 75 release tags in the aquasecurity/trivy-action repository, redirecting legitimate version references to credential-stealing payloads. The attack extracted SSH keys, cloud provider credentials, Kubernetes tokens, and Docker configuration from infected GitHub Actions runners. More than 1,000 cloud environments were infected before the compromise was identified. Microsoft published detection and investigation guidance. The attack is attributed to TeamPCP, the group responsible for the earlier LiteLLM PyPI supply chain attack. The Hacker News
Device Code Phishing Campaign Targets 340+ Microsoft 365 Organizations Across Five Countries Including Canada
An active OAuth device code phishing campaign has compromised Microsoft 365 accounts across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany since February 19, 2026. Attackers abuse Microsoft’s legitimate device authorization flow, routing phishing emails through redirect services operated by Cisco, Trend Micro, and Mimecast to bypass spam filters. When victims complete the device login — including MFA — attackers receive persistent access and refresh tokens. Targeted sectors include financial services, healthcare, legal, and government. The Hacker News
CISA Adds Critical Langflow RCE Flaw CVE-2026-33017 to KEV Catalog After 20-Hour Exploitation Window
CISA added CVE-2026-33017 (CVSS 9.3), a critical code injection vulnerability in the Langflow AI pipeline platform, to its Known Exploited Vulnerabilities catalog on March 25, 2026. The flaw is an unauthenticated remote code execution vulnerability in a public API endpoint passing attacker-controlled Python code directly to exec() without sandboxing. Active exploitation began within 20 hours of the advisory’s publication on March 17, with no proof-of-concept code required. All Langflow versions through 1.8.1 are affected. The Hacker News
New WebRTC Payment Skimmer Bypasses Content Security Policies on Magento E-Commerce Sites
Security researchers identified a payment skimmer using WebRTC data channels over DTLS-encrypted UDP to exfiltrate stolen card data, bypassing HTTP-based Content Security Policies. The attack was deployed via PolyShell, a Magento Open Source and Adobe Commerce vulnerability allowing unauthenticated file uploads through the REST API. Mass exploitation of PolyShell began March 19; over 56% of vulnerable Magento stores have been targeted. Adobe released a fix in version 2.4.9-beta1 on March 10, but the patch has not reached production releases. The Hacker News | BleepingComputer
Stryker Restoring Systems After Iran-Linked Handala Group Wiped 200,000 Devices
Medical technology company Stryker says it is working to restore systems following a destructive wiper attack attributed to Handala, an Iran-linked group associated with Iran’s Ministry of Intelligence and Security. Attackers allegedly used a compromised administrator account to access Stryker’s Microsoft Intune device management platform and remotely wipe more than 200,000 servers, mobile devices, and other systems across 79 countries. Manufacturing, order processing, and shipping operations were disrupted. No patient-connected medical products were affected. Krebs on Security | SecurityWeek
Critical Telnetd Flaw CVE-2026-32746 Enables Unauthenticated Root RCE in GNU InetUtils
Researchers disclosed CVE-2026-32746 (CVSS 9.8), a buffer overflow in the GNU InetUtils telnet daemon triggered by a crafted LINEMODE Set Local Characters suboption. The flaw gives unauthenticated remote attackers root-level code execution. All GNU InetUtils telnet daemon versions through 2.7 are affected. Administrators should apply patches and review whether telnet services remain exposed. The Hacker News
Ubuntu Privilege Escalation Flaw CVE-2026-3888 Allows Local Attackers to Gain Root via Systemd Timing
A privilege escalation vulnerability in Ubuntu (CVE-2026-3888) allows an unprivileged local attacker to gain full root access by exploiting a timing interaction between snap-confine and systemd-tmpfiles. The exploit window opens between 10 and 30 days after initial system setup. Ubuntu has released patches; administrators should update affected packages without delay. The Hacker News
Apple Patches WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS
Apple released security updates addressing a WebKit vulnerability enabling attackers to bypass the same-origin policy and access sensitive cross-origin data within a browser session. The flaw affects both iOS and macOS. Users should update to the latest available Apple software versions. CISA previously flagged DarkSword-related Apple CVEs in its Known Exploited Vulnerabilities catalog in March 2026. The Hacker News
Stay tuned for today’s in-depth analysis posts.