Daily Digest

Trivy Supply Chain Attack Escalates, Oracle Issues Critical RCE Patch, and CISA Adds Actively Exploited Flaws to KEV Catalog

March 23, 2026

9 articles (9 new)

27 min read

Summary

This intelligence brief for March 23, 2026, covers a rapidly escalating supply chain attack against the Trivy security scanner, with attackers publishing new malicious Docker images and re-establishing access. Oracle has issued an emergency out-of-band patch for a critical 9.8 CVSS RCE vulnerability in its Identity Manager. CISA has added actively exploited flaws in Apple, Laravel, and Craft CMS to its KEV catalog, mandating federal patching. Other major incidents include a data breach at Navia Benefit Solutions affecting 2.7 million individuals, a ransomware attack on the City of Los Angeles by the WorldLeaks group, and an international takedown of massive DDoS botnets that infected over 3 million IoT devices.

Filter by Category

New Articles (9)

URGENT: Oracle Patches Critical 9.8 CVSS Unauthenticated RCE Flaw

CRITICAL

Oracle Releases Out-of-Band Patch for Critical RCE Vulnerability (CVE-2026-21992) in Identity Manager

Oracle has released an emergency, out-of-band security update for a critical remote code execution (RCE) vulnerability, CVE-2026-21992. The flaw, which affects Oracle Identity Manager and Oracle Web Services Manager, carries a CVSS score of 9.8 and can be exploited by an unauthenticated attacker over HTTP. A successful exploit could lead to a complete system takeover, allowing attackers to exfiltrate sensitive identity data, deploy malware, and pivot within the corporate network. Due to the flaw's ease of exploitation and the critical role of the affected products in enterprise identity management, Oracle strongly urges customers to apply the patches immediately. The out-of-band release suggests a high risk of active exploitation.

March 23, 2026

5 min read

OracleRCEvulnerabilityzero-daypatch management +2 more

URGENT: Oracle Patches Critical 9.8 CVSS Unauthenticated RCE Flaw

Vulnerability

Patch Management

CISA KEV Catalog Updated: Federal Agencies Must Patch Exploited Flaws in Apple, Laravel, Craft CMS

HIGH

CISA Adds Actively Exploited Vulnerabilities in Apple visionOS, Laravel, and Craft CMS to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws include an out-of-bounds write issue in Apple visionOS (CVE-2026-28217), a remote code execution bug in the Laravel Framework (CVE-2024-4671), and a critical cross-site scripting (XSS) vulnerability in Craft CMS (CVE-2026-25487) that allows for admin account creation. The inclusion in the KEV catalog signifies that these vulnerabilities are being actively used in real-world attacks. U.S. federal agencies are now mandated to apply patches by April 12, 2026, and CISA strongly urges all organizations to prioritize remediation to defend against these active threats.

March 23, 2026

4 min read

CISAKEVvulnerabilityAppleLaravel +3 more

CISA KEV Catalog Updated: Federal Agencies Must Patch Exploited Flaws in Apple, Laravel, Craft CMS

Vulnerability

Patch Management

Regulatory

Navia Benefit Solutions Breach Exposes PII and PHI of 2.7 Million People

HIGH

Navia Benefit Solutions Discloses Data Breach Affecting Nearly 2.7 Million Individuals

Navia Benefit Solutions, a third-party administrator of employee benefits, has disclosed a significant data breach impacting nearly 2.7 million individuals. The company revealed that an unauthorized party had access to its network for three weeks, from December 22, 2025, to January 15, 2026. The compromised data includes a vast amount of personally identifiable information (PII) and protected health information (PHI), such as names, Social Security numbers, dates of birth, and health plan details. While financial and claims data were not exposed, the breach affects current and former members of over 10,000 employers. Navia is providing 12 months of identity theft protection to affected individuals.

March 23, 2026

5 min read

data breachPIIPHIHIPAAidentity theft +2 more

Navia Benefit Solutions Breach Exposes PII and PHI of 2.7 Million People

Data Breach

Regulatory

Over 7,500 Magento E-Commerce Sites Defaced in Ongoing Global Campaign

MEDIUM

Mass Defacement Campaign Compromises Over 7,500 Magento Sites, Including Global Brands

A widespread and ongoing defacement campaign has compromised over 7,500 websites running the Magento e-commerce platform since late February 2026. The attackers, using aliases like 'Typical Idiot Security', are exploiting a suspected file upload vulnerability to place simple text files on web servers, leading to site defacement. The campaign appears opportunistic, affecting a diverse range of victims from regional storefronts and subdomains of major brands like Toyota, Asus, and FedEx to government services and universities. While largely driven by notoriety-seeking actors, the campaign highlights a significant vulnerability in the Magento ecosystem that could be exploited for more malicious purposes, such as deploying web shells or credit card skimmers.

March 23, 2026

5 min read

Magentodefacemente-commercevulnerabilityfile upload +1 more

Over 7,500 Magento E-Commerce Sites Defaced in Ongoing Global Campaign

Cyberattack

Vulnerability

WorldLeaks Ransomware Claims Attack on City of Los Angeles, Leaks Police Data

HIGH

WorldLeaks Ransomware Group Adds City of Los Angeles to Leak Site in Data Extortion Attack

The City of Los Angeles has been listed as a victim on the darknet leak site of the WorldLeaks ransomware group. The group, believed to be a rebrand of the Hunters International gang, claims to have stolen nearly 160 GB of data and has published pages from a police interview transcript as proof of the breach. This incident is a data extortion attack, where the group forgoes encryption and focuses solely on data theft and the threat of public release. The attack coincides with other cyber incidents in California, including a disruption at the Los Angeles Metro system and a ransomware attack that prompted a state of emergency in Foster City, highlighting a trend of cybercriminals targeting municipal services.

March 23, 2026

5 min read

ransomwaredata extortionWorldLeaksHunters InternationalLos Angeles +2 more

Ransomware

Data Breach

Threat Actor

Warning: Critical 10.0 CVSS Quest KACE Flaw from 2025 Now Actively Exploited

CRITICAL

Active Exploitation of Year-Old Critical Quest KACE Vulnerability (CVE-2025-32975) Observed in New Attacks

A critical authentication bypass vulnerability in the Quest KACE Systems Management Appliance (SMA), CVE-2025-32975, is being actively exploited in attacks observed in March 2026. The flaw, which has a perfect CVSS score of 10.0 and was patched in May 2025, allows an unauthenticated attacker to gain full administrative control of an unpatched, internet-exposed appliance. Attackers are leveraging this access to deploy credential harvesting tools like Mimikatz, create rogue admin accounts for persistence, and move laterally to other critical systems like domain controllers and backup servers. The new wave of attacks highlights the danger of unpatched legacy vulnerabilities, and all organizations using KACE SMA are urged to verify they are patched and remove the appliance from public internet exposure.

March 23, 2026

5 min read

CVE-2025-32975Quest KACEvulnerabilityzero-dayactive exploitation +2 more

Warning: Critical 10.0 CVSS Quest KACE Flaw from 2025 Now Actively Exploited

Vulnerability

Cyberattack

Patch Management

Puerto Rico Water Authority Hit by Cyberattack, Exposing Customer and Employee Data

MEDIUM

Puerto Rico's Water Authority (PRASA) Confirms Cyberattack and Data Breach

The Puerto Rico Aqueduct and Sewer Authority (PRASA) has confirmed it was the victim of a cyberattack that resulted in the exposure of customer and employee data. The utility, which is responsible for the territory's water supply, stated that critical water distribution and management systems were not affected. PRASA credited its network segmentation, which separates the operational technology (OT) systems from the business information technology (IT) network, for containing the impact and preventing a disruption to the water supply. Details on the nature of the attack, the volume of data breached, and the number of individuals affected have not yet been disclosed.

March 23, 2026

4 min read

critical infrastructureICSOTdata breachnetwork segmentation +2 more

Cyberattack

Data Breach

Industrial Control Systems

New 'Perseus' Malware with Espionage Features Used by Drug Cartels

HIGH

Researchers Detail 'Perseus', a New Espionage Malware Used by Drug Trafficking Organizations

Security researchers have identified a new malware strain named 'Perseus,' reportedly developed for and used by Drug Trafficking Organizations (DTOs) to conduct espionage against targets like journalists, officials, and rival groups. Perseus is a sophisticated information stealer with capabilities for keylogging, credential theft from browsers, and monitoring encrypted messaging apps. A key feature is its ability to take detailed notes on victim activity for exfiltration. The malware also includes a 'kill switch' that allows operators to remotely wipe all traces of it from a compromised system, a common feature in advanced espionage tools designed to evade forensic analysis. This highlights the growing technical sophistication of non-state criminal actors.

March 23, 2026

4 min read

malwareespionagespywarePerseusDTO +2 more

Malware

Threat Actor

A Look Inside 'The Gentlemen': A Sophisticated RaaS Operation

HIGH

Researchers Profile 'The Gentlemen' Ransomware-as-a-Service Group

Security researchers have published detailed profiles of 'The Gentlemen,' a Ransomware-as-a-Service (RaaS) operation that emerged in mid-2025 and has been targeting organizations across at least 17 countries. The group employs a double-extortion strategy, exfiltrating sensitive data before encrypting files on Windows, Linux, and ESXi systems. Their ransomware, written in Go, exhibits a degree of sophistication, requiring a password to execute to hinder analysis. The group's TTPs include using legitimate remote access tools like AnyDesk for persistence, abusing Group Policy Objects (GPOs) for mass deployment, disabling security products, and using WinSCP for data exfiltration. The reports serve as a timely warning about this active and evolving global threat.

March 23, 2026

5 min read

ransomwareRaaSThe Gentlemendouble extortionGPO +2 more

A Look Inside 'The Gentlemen': A Sophisticated RaaS Operation

Ransomware

Threat Actor

Malware

📢 Share This Publication

Help others stay informed about cybersecurity threats