This week's security landscape was dominated by critical vulnerabilities and significant breaches, prompting urgent patching and heightened defensive measures across multiple sectors.
Top Security Stories
Hackers Exploit Critical Langflow Bug in Just 20 Hours
Sysdig details how threat actors exploited a critical CVE in Langflow in less than a day
Source: infosecurity-magazine.com
Patch Now: Oracle's Fusion Middleware Has Critical RCE Flaw
Attackers can execute arbitrary code without authentication if Oracle's Identity or Web Services Managers are exposed to the Web.
Source: darkreading.com
Cisco FMC flaw was exploited by Interlock weeks before patch (CVE-2026-20131)
A critical vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) that Cisco disclosed and patched in early March 2026 has been exploited as a zero-day by the Interlock ransom...
Source: helpnetsecurity.com
Cyber OpSec Fail: Beast Gang Exposes Ransomware Server
Files on a central cloud server used by the ransomware group highlight a systematic, aggressive attack on network backups as a key TTP.
Source: darkreading.com
Everyday tools, extraordinary crimes: the ransomware exfiltration playbook
Attackers use trusted tools for data theft, making traditional detection unreliable. The Exfiltration Framework enables defenders to spot exfiltration by focusing on behavioral signals across endpoint...
Source: blog.talosintelligence.com
Oracle pushes emergency fix for critical Identity Manager RCE flaw
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
Source: bleepingcomputer.com
Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabili...
Source: thehackernews.com
Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets. The late...
Source: thehackernews.com
Millions of iPhones can be hacked with a new tool found in the wild
DarkSword, a powerful iPhone-hacking technique, has been discovered in use by Russian hackers.
Source: arstechnica.com
CISA Adds Five Known Exploited Vulnerabilities to Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-31277 Apple Multiple Products Buffer Overflow Vulnerabi...
Source: cisa.gov
Analyzing the Current State of AI Use in Malware
Unit 42 research explores how AI is currently used in malware, from superficial integrations to advanced decision-making, and its future impact.
Source: unit42.paloaltonetworks.com
Free real estate: GoPix, the banking Trojan living off your memory
Kaspersky GReAT experts describe the unprecedentedly complex Brazilian banking Trojan GoPix that employs memory-only implants, Proxy AutoConfig (PAC) files for man-in-the-middle attacks, and malvertis...
Source: securelist.com
Friday Squid Blogging: Jumbo Flying Squid in the South Pacific
The population needs better conservation. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Source: schneier.com
Widely used Trivy scanner compromised in ongoing supply-chain attack
Admins: Sorry to say, but it's likely a rotate-your-secrets kind of weekend.
Source: arstechnica.com
FBI links Signal phishing attacks to Russian intelligence services
The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing...
Source: bleepingcomputer.com
Critical Vulnerabilities (CVEs)
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2015-20120 | 8.2 | Next Click Ventures RealtyScript 4.0.2 contains multiple time-based blind SQL injection vulnerabilities that allow unauthenticated attackers to extrac... |
| CVE-2015-20121 | 8.2 | Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by i... |
| CVE-2016-20024 | 9.8 | ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying execu... |
| CVE-2016-20026 | 9.8 | ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager... |
| CVE-2016-20030 | 9.8 | ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting par... |