Weekly threat intelligence digest — 2026-W12
Weekly security intelligence digest covering 46 items, 16 CVEs. 3 informational, 2 medium, 17 high, 24 critical.
Weekly threat intelligence digest: March 16-22, 2026
Executive summary
Week 2026-W12 was dominated by critical infrastructure compromises, supply-chain attacks targeting security tools themselves, and a sophisticated shift by state-sponsored threat actors toward account takeover via social engineering. A Microsoft Entra compromise at Stryker demonstrated that cloud identity is now the primary attack vector for destructive campaigns, while the Trivy supply-chain compromise underscores an emerging pattern: adversaries are weaponizing defensive security infrastructure to contaminate downstream CI/CD pipelines. Combined with active federal patching directives for critical RCE flaws and widespread industrial control system vulnerabilities, threat levels remain critical across enterprise, cloud, and operational technology domains.
Critical & high priority
Destructive Entra-based attack on Stryker
Stryker Corporation suffered a destructive cyberattack leveraging compromised Microsoft Entra cloud credentials to remotely wipe tens of thousands of employee devices. The attack required no malware—attackers gained legitimate administrative access through cloud identity compromise and used it for large-scale device destruction. This incident validates a long-suspected threat model: cloud identity infrastructure is now the primary target for organizational-level attacks. Organizations should immediately audit Entra ID administrative privilege assignments, enforce MFA on all cloud admin accounts, and implement conditional access policies that restrict device management operations to trusted networks and endpoints.
Trivy supply-chain compromise and CanisterWorm
A critical supply-chain attack compromised Trivy, a widely-deployed vulnerability scanner, and weaponized the breach to distribute CanisterWorm malware across 47 npm packages. This represents a direct attack on CI/CD pipelines—the compromise of a security scanning tool became the distribution vector for self-propagating malware leveraging ICP (Internet Computer Protocol) canisters. Organizations using Trivy should immediately rotate to a known-good binary, audit recent scan outputs for anomalies, and review npm package dependencies for CanisterWorm indicators. This incident signals a dangerous escalation where attackers are targeting defensive tooling as a high-leverage attack surface.
Cisco Firewall Management Center RCE (CVE-2026-20131)
CISA issued an emergency patching mandate for a maximum-severity unauthenticated RCE vulnerability in Cisco Secure Firewall Management Center, with federal agencies required to remediate by March 22, 2026. The urgent mandate indicates either active exploitation or credible intelligence of imminent weaponization. FMC is a critical control point for firewall management across thousands of organizations. Immediate action required: apply the emergency patch or isolate FMC instances from network access pending remediation.
Oracle Identity Manager zero-day RCE (CVE-2026-21992)
Oracle released an emergency out-of-band patch for an unauthenticated remote code execution flaw in Identity Manager and Web Services Manager. Identity infrastructure compromise enables complete organizational takeover. Patch immediately; if an immediate patch window is unavailable, restrict network access to Identity Manager to trusted administrative networks only.
ScreenConnect authentication bypass
ConnectWise patched a critical cryptographic signature verification flaw in ScreenConnect that allows attackers to bypass authentication and hijack remote access sessions. This is a high-risk supply-chain vulnerability affecting thousands of managed service providers and their downstream customers. MSPs should immediately audit ScreenConnect deployments and apply patches. Customers of MSPs should request confirmation of patch status and review recent session logs for unauthorized connections.
Industrial control system cascade of vulnerabilities
This week saw critical RCE, authentication bypass, and denial-of-service vulnerabilities across multiple ICS platforms:
- Schneider Electric EcoStruxure Automation Expert: Arbitrary command execution on engineering workstations threatening discrete, hybrid, and continuous manufacturing.
- Schneider Electric SCADAPack RTU: Authentication bypass in versions prior to 9.12.2 affecting critical industrial control systems.
- CODESYS Runtime in Festo Automation Suite: Unauthenticated code execution in CODESYS runtime components bundled with Festo Automation Suite prior to v2.8.0.138.
- Mitsubishi Electric CNC Series: Remote out-of-bounds read enabling denial-of-service attacks on manufacturing equipment.
- WebCTRL Premium Server: Multiple critical vulnerabilities including cleartext transmission and authentication bypass in building automation systems.
Organizations operating these systems should treat these as immediate critical risks. OT/IT security teams must prioritize patching and implement network segmentation to limit the blast radius of any successful exploitation.
UK Companies House registry breach
Companies House, the UK's official business registry, disclosed a security flaw in its WebFiling service that exposed sensitive business information for approximately four months (October 2025-present). This is a compromise of a government-critical system that holds registration data for all UK companies. It has significant implications for UK business privacy and illustrates the persistent challenge of securing legacy government digital infrastructure.
Loblaw customer data breach
Hackers accessed personal information including names, email addresses, and phone numbers from Loblaw, one of Canada's largest retailers, affecting a potentially massive customer base. This creates significant identity theft and phishing risks for consumers.
Widespread email infrastructure compromises
Multiple critical vulnerabilities enable XSS exploitation in Zimbra Collaboration Suite and bypass attacks in HAPI FHIR HTTP clients. CISA issued a binding patching directive for federal agencies targeting Zimbra vulnerabilities currently under active exploitation. Email infrastructure compromise enables lateral movement and credential theft across organizations. Patch Zimbra immediately and audit HAPI FHIR configurations.
Microsoft Exchange Online outage
Exchange Online experienced a widespread global outage blocking mailbox and calendar access. This incident underscores the operational risks of cloud-based email dependencies and demonstrates cascading business impact when a single provider experiences infrastructure failures. Organizations should document their dependency on Exchange Online and develop communication plans for future outages.
Notable developments
State-sponsored phishing escalation
Russian intelligence services are conducting sustained, targeted phishing campaigns against Signal, WhatsApp, and commercial messaging application users. Thousands of accounts belonging to U.S. government officials, military personnel, and journalists have been successfully compromised. This represents a strategic shift from targeting application-level encryption to exploiting user-level account security through social engineering. High-value individuals should expect targeted phishing attempts and should implement account recovery options, security keys, and consider secondary authentication methods beyond standard SMS.
GitHub Actions shell injection via issue metadata
GitHub Actions workflows that interpolate untrusted issue fields (title, body, labels) into shell run blocks are vulnerable to command injection. Unauthenticated attackers can trigger arbitrary code execution by crafting malicious issue titles. Organizations using GitHub Actions should audit workflows for unsafe interpolation patterns and migrate to safer approaches using environment files or context filtering.
JWT algorithm confusion in MinIO OIDC
MinIO's OIDC implementation contains a JWT algorithm confusion vulnerability allowing attackers possessing the ClientSecret to forge identity tokens and obtain admin-level S3 credentials. This is a significant risk for organizations using MinIO with OIDC authentication.
GRPC-Go authorization bypass (CVE-2026-33186)
gRPC-Go servers fail to canonicalize HTTP/2 :path pseudo-headers before authorization checks, allowing attackers to bypass path-based access control policies by omitting the leading slash in requests. Organizations using gRPC-Go should update immediately.
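An added Go example, not code from gRPC-Go or from the advisory, modelling the bypass described above. It assumes a simplified routing layer that treats the leading slash as optional and a constructed deny-rule policy; the point is that an authorization check which compares the raw :path misses the rule while the call still dispatches, and that rejecting malformed paths and cleaning them before lookup closes the gap.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// adminOnly is a constructed sample policy: these canonical method paths are
// denied to every principal except "admin".
var adminOnly = map[string]bool{"/admin.Admin/DeleteUser": true}

// resolveMethod models the routing layer, where the leading slash is optional:
// "svc/M" and "/svc/M" reach the same handler.
func resolveMethod(p string) string {
	return strings.TrimPrefix(p, "/")
}

// authorizeRaw matches the deny rule against :path exactly as received, so
// "admin.Admin/DeleteUser" (no slash) misses the rule yet still dispatches.
// Both authorize functions return (allowed, method that would be dispatched).
func authorizeRaw(principal, rawPath string) (bool, string) {
	if principal != "admin" && adminOnly[rawPath] {
		return false, ""
	}
	return true, resolveMethod(rawPath)
}

// authorizeCanonical refuses a :path without a leading slash outright, then
// collapses "." and ".." segments before the lookup, so every spelling of a
// method is judged by the same rule.
func authorizeCanonical(principal, rawPath string) (bool, string) {
	if !strings.HasPrefix(rawPath, "/") {
		return false, ""
	}
	p := path.Clean(rawPath)
	if principal != "admin" && adminOnly[p] {
		return false, ""
	}
	return true, resolveMethod(p)
}

func main() {
	for _, p := range []string{"/admin.Admin/DeleteUser", "admin.Admin/DeleteUser"} {
		okRaw, _ := authorizeRaw("app", p)
		okFixed, _ := authorizeCanonical("app", p)
		fmt.Printf("%-26q raw=%v canonical=%v\n", p, okRaw, okFixed)
	}
}
```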
Tekton git resolver path traversal (CVE-2026-33211)
The Tekton git resolver fails to sanitize the pathInRepo parameter, allowing namespace-scoped tenants to read arbitrary files from the resolver pod filesystem via path traversal. This enables exfiltration of ServiceAccount tokens and other sensitive data.
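An added Go example, not code from Tekton, showing the containment check the pathInRepo handling described above lacks. The checkout directory and the two sample inputs are constructed; the traversal input targets the standard Kubernetes ServiceAccount token mount to make the impact concrete.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRepo is returned when pathInRepo would resolve outside the checkout.
var ErrEscapesRepo = errors.New("pathInRepo escapes the checked-out repository")

// joinUnsafe is the vulnerable shape: the tenant-supplied parameter is joined
// onto the checkout directory with no containment check, so ".." segments walk
// up into the resolver pod's own filesystem.
func joinUnsafe(checkoutDir, pathInRepo string) string {
	return filepath.Join(checkoutDir, pathInRepo)
}

// resolvePathInRepo maps pathInRepo onto the checkout directory and refuses
// anything that would leave it: absolute paths, ".." hops, or an empty value.
// The check is lexical; if the checkout may contain symlinks, follow it with
// filepath.EvalSymlinks on the result and repeat the containment test.
func resolvePathInRepo(checkoutDir, pathInRepo string) (string, error) {
	if pathInRepo == "" || filepath.IsAbs(pathInRepo) {
		return "", ErrEscapesRepo
	}
	root := filepath.Clean(checkoutDir)
	full := filepath.Join(root, pathInRepo) // Join cleans, so ".." is resolved here
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRepo
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: a normal task file and a traversal attempt
	// aimed at the pod's projected ServiceAccount token mount.
	const repo = "/workspace/repo"
	for _, p := range []string{"tasks/build.yaml", "../../var/run/secrets/kubernetes.io/serviceaccount/token"} {
		safe, err := resolvePathInRepo(repo, p)
		fmt.Printf("%q\n  unsafe join -> %s\n  checked     -> %q err=%v\n", p, joinUnsafe(repo, p), safe, err)
	}
}
```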
Apple Background Security Improvements model
Apple introduced a new patching mechanism enabling security updates for WebKit without requiring full OS upgrades. This represents a significant improvement in Apple's patching velocity for critical browser engine vulnerabilities. CVE-2026-20643 was addressed through this mechanism, demonstrating feasibility of decoupled security updates.
Policy-driven defensive hardening
Google's Android 17 API restrictions on accessibility services represent proactive security hardening against known malware abuse patterns. This preventive approach is valuable and should inform similar defensive strategies across platforms.
Aura identity protection data breach
Aura, an identity protection company, suffered a breach exposing ~900,000 marketing contact records. The reputational damage is particularly acute given Aura's core business is protecting customers from identity theft and data exposure.
Vulnerability landscape
This week tracked 300 new CVEs with a concerning severity distribution: 251 high-severity vulnerabilities, 40 unspecified severity, 8 critical, and only 1 medium. The top affected vendors are openclaw (2), htslib (2), h3 (2), Synacor (2), and Microsoft (2), with the remaining 294 CVEs distributed across diverse vendors.
The data reveals two significant trends:
- High-severity dominance: The overwhelming majority of CVEs are classified as high-severity, suggesting either improved vulnerability disclosure practices or a genuine shift toward more impactful flaws. Organizations should not treat "only high-severity" as a manageable tier—the volume and criticality this week demonstrate that high-severity vulnerabilities now require the same rapid response as critical flaws.
- Vendor diversity: Unlike weeks where a single vendor dominates (e.g., Microsoft), this week's CVEs are spread across diverse vendors, suggesting vulnerability disclosures are proceeding at a normalized pace across the ecosystem rather than being concentrated within a specific vendor's products.
The prevalence of industrial control system vulnerabilities and cloud infrastructure flaws (Entra compromises, minimal Microsoft vulnerabilities despite Exchange outage) indicates that adversaries are increasingly targeting operational technology and cloud identity infrastructure as primary vectors, while traditional endpoint attack surfaces remain secondary.
Recommended actions
- Immediate (today): Apply patches for CVE-2026-20131 (Cisco FMC), CVE-2026-21992 (Oracle Identity Manager), and the ScreenConnect authentication bypass. If immediate patching is infeasible, isolate affected systems from network access.
- This week: Conduct an emergency audit of Azure Entra ID administrative accounts; enforce MFA on all cloud admin roles; implement conditional access policies restricting device management operations. Rotate Trivy binaries to known-good versions and audit recent scan outputs.
- This week: Patch all Schneider Electric, CODESYS, Mitsubishi Electric, and WebCTRL instances identified in your environment. Implement network segmentation for OT/IT boundaries. Contact your OT/IT managed service provider to confirm patch status if you lack direct access.
- Within 3 days: Update GitHub Actions workflows to eliminate unsafe interpolation of untrusted issue fields. Audit MinIO OIDC configurations and update to patched versions. Update gRPC-Go dependencies and Tekton deployments.
- This week: High-value individuals and government/military personnel should implement security keys on messaging applications (Signal, WhatsApp) and enable account recovery options. Conduct security awareness training on targeted phishing campaigns.
- Ongoing: Document your Exchange Online dependency and develop communication protocols for future outages. Implement backup communication channels independent of Microsoft infrastructure.
Looking ahead
Monitor for:
- Evidence of active Trivy malware deployment; assess if CanisterWorm has propagated beyond initial 47 npm packages.
- Disclosure of additional supply-chain attacks targeting security infrastructure (SIEMs, EDR solutions, vulnerability scanners).
- Emergency patches from other vendors for similar RCE flaws; CISA emergency directives often precede similar disclosures from competing vendors.
- Successful exploitation of industrial control system vulnerabilities; attackers may now have a favorable window before widespread patching is complete.
- Additional evidence of Russian phishing campaign success; assess if compromised messaging app accounts are being leveraged for secondary targeting of contacts or government/military networks.
- Further Microsoft Exchange Online outage events; assess whether incident was isolated or indicates systemic reliability degradation.
- Confirmation of Cisco FMC exploitation; the emergency mandate suggests CISA has intelligence of imminent or already-occurring attacks.