Weekly Cybersecurity Roundup: Mar 16-23, 2026

Your weekly digest of the most important vulnerabilities and security developments

What Happened This Week

Well, friends, let me tell you—this was quite a week in our corner of the security world. We tracked 12 new vulnerabilities, and I need to be straight with you: five of them earned that dreaded "Critical" rating, with three hitting the maximum CVSS score of 10.0. That's about as serious as it gets.

Here's the thing that concerns me most: CISA added seven of these vulnerabilities to their Known Exploited Vulnerabilities catalog this week. That means attackers aren't waiting around—they're already using these flaws in real-world attacks. The Apple ecosystem took several hits, with three separate vulnerabilities being actively exploited. We also saw authentication bypass flaws in Quest KACE and Craft CMS that are giving attackers the keys to the kingdom without so much as a password prompt.

But let me walk you through this carefully. Yes, the numbers look intimidating, but we're going to break down exactly what you need to focus on first, what can wait until next week, and how to prioritize your response. That's what we do here—we turn overwhelming threat data into actionable intelligence you can actually use.

By The Numbers

• Total CVEs Tracked: 12
• Critical Severity: 5 (including three CVSS 10.0 scores)
• High Severity: 6
• Medium Severity: 1
• Security Articles: 34 from 31 trusted sources
• CISA KEV Additions: 7 vulnerabilities under active exploitation
• Highest CVSS Score: 10.0 (three vulnerabilities)

The Big Stories

CVE-2025-32975: Quest KACE Authentication Bypass (CVSS 10.0)

Severity: CRITICAL | CVSS: 10.0 | Attack Vector: NETWORK

Now, this one keeps me up at night. Quest KACE Systems Management Appliance has an authentication bypass vulnerability that's as bad as they come—CVSS 10.0, the maximum score. What does that mean in plain English? An attacker can walk right past your authentication without any credentials whatsoever and take complete administrative control of your system.

The vulnerability exists in how KACE handles SSO authentication. Think of it like a security guard who's supposed to check IDs at the door, but there's a side entrance where the guard just waves everyone through without looking. That's essentially what's happening here.

• What's Vulnerable: Quest KACE SMA versions 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341, and 14.1.x before 14.1.101
• The Risk: Complete administrative takeover without authentication. Attackers can deploy malware, steal data, and establish persistent access across your entire managed infrastructure.
• Active Exploitation: Arctic Wolf reported seeing exploitation attempts starting the week of March 9, 2026, particularly targeting educational institutions.
• Your Action: If you're running KACE SMA, this is a drop-everything-and-patch situation. Apply the vendor patches immediately. If you can't patch right away, take the system offline or isolate it behind additional network controls until you can.
• Sources: The Hacker News (Credibility: 7/10), SecurityWeek (Credibility: 7/10)

CVE-2025-32433: Erlang/OTP SSH Remote Code Execution (CVSS 10.0)

Severity: CRITICAL | CVSS: 10.0 | Attack Vector: NETWORK

Here's another maximum-severity vulnerability that demands your immediate attention. Erlang/OTP, which is used in many telecommunications and messaging systems, has a flaw in its SSH server implementation that allows unauthenticated remote code execution. Let me emphasize that: no authentication required, and the attacker gets to run whatever code they want on your system.

The vulnerability stems from improper handling of SSH protocol messages. It's classified as CWE-306, which means "Missing Authentication for Critical Function"—the SSH server is essentially trusting messages it should be validating first.

• What's Vulnerable: Erlang/OTP versions before OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20
• The Risk: Complete system compromise. Attackers can execute arbitrary commands, install backdoors, steal sensitive data, and use your system as a launching point for further attacks.
• CISA KEV Status: Added to the Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
• Your Action: Update to the patched versions immediately. If you can't patch right away, disable the SSH server or block SSH access via firewall rules as a temporary workaround.
• Sources: CISA (Credibility: 10/10), Tenable Blog (Credibility: 8/10)

CVE-2025-32432: Craft CMS Code Injection (CVSS 10.0)

Severity: CRITICAL | CVSS: 10.0 | Attack Vector: NETWORK

The third CVSS 10.0 vulnerability this week affects Craft CMS, a popular content management system. This is actually an additional fix for a previously disclosed vulnerability (CVE-2023-41892), which tells us something important: sometimes the first patch doesn't catch everything, and attackers are clever about finding ways around incomplete fixes.

This code injection vulnerability allows remote attackers to execute arbitrary code without authentication. The flaw exists in how Craft CMS hydrates certain component property updates—think of it as the system accepting and executing instructions it should be questioning first.

• What's Vulnerable: Craft CMS versions 3.0.0-RC1 through 3.9.14, 4.0.0-RC1 through 4.14.14, and 5.0.0-RC1 through 5.6.16
• The Risk: Unauthenticated remote code execution leading to complete site compromise, data theft, and potential lateral movement to other systems.
• CISA KEV Status: Added March 20, 2026, with a mandatory remediation deadline of April 3, 2026 for federal agencies.
• Your Action: Update to versions 3.9.15, 4.14.15, or 5.6.17 immediately. This is being actively exploited, so treat this as an emergency patch.
• Sources: CISA (Credibility: 10/10), CISA KEV (Credibility: 10/10)

CVE-2025-59719: Fortinet FortiWeb SAML Authentication Bypass (CVSS 9.8)

Severity: CRITICAL | CVSS: 9.8 | Attack Vector: NETWORK

Fortinet's FortiWeb web application firewall has a critical vulnerability in its SAML authentication handling. Now, SAML is supposed to be a secure way to handle single sign-on, but this flaw allows attackers to craft malicious SAML response messages that bypass the authentication entirely.

The technical classification is CWE-347: "Improper Verification of Cryptographic Signature." In simpler terms, the system isn't properly checking whether the digital signatures on authentication messages are legitimate—it's like accepting a check without verifying the signature.

• What's Vulnerable: FortiWeb 8.0.0, 7.6.0 through 7.6.4, and 7.4.0 through 7.4.9
• The Risk: Unauthenticated attackers can bypass FortiCloud SSO login and gain unauthorized access to protected resources.
• Your Action: Apply Fortinet's patches as soon as possible. Review your FortiWeb logs for any suspicious authentication activity, particularly around SAML SSO.
• Sources: Tenable Blog (Credibility: 8/10), CISA (Credibility: 10/10), Check Point Research (Credibility: 9/10)

CVE-2025-54068: Laravel Livewire Code Injection (CVSS 9.8)

Severity: CRITICAL | CVSS: 9.8 | Attack Vector: NETWORK

Laravel Livewire, a popular full-stack framework, has a code injection vulnerability that's unique to version 3. The issue is in how component property updates are hydrated—essentially, the framework is accepting and processing data it should be treating with more suspicion.

What makes this particularly concerning is that exploitation doesn't require authentication or user interaction. If you have a vulnerable Livewire component mounted and configured in a certain way, attackers can exploit it remotely.

• What's Vulnerable: Livewire v3 up to and including v3.6.3
• The Risk: Remote command execution without authentication, leading to complete application compromise.
• CISA KEV Status: Added March 20, 2026, indicating active exploitation.
• Your Action: Upgrade to Livewire v3.6.4 or later immediately. This is a high-priority patch with no known workarounds.
• Sources: CISA (Credibility: 10/10), CISA KEV (Credibility: 10/10)

CVE-2026-20963: Microsoft SharePoint Deserialization Vulnerability (CVSS 8.8)

Severity: HIGH | CVSS: 8.8 | Attack Vector: NETWORK

Now we're moving into the high-severity vulnerabilities, and this SharePoint flaw is a significant one. It's a deserialization vulnerability, which is a fancy way of saying the system is accepting and processing data objects without properly validating them first. Think of it like accepting a package without checking what's inside—sometimes that package contains something dangerous.

What's particularly noteworthy here is that while this requires an authenticated user, it doesn't require high privileges. A low-privileged user can exploit this to execute code with elevated permissions.

• What's Vulnerable: Microsoft Office SharePoint (specific versions detailed in Microsoft's advisory)
• The Risk: Authenticated attackers can execute arbitrary code on the SharePoint server, potentially compromising the entire SharePoint environment and accessing sensitive corporate data.
• CISA KEV Status: Added March 18, 2026, with a remediation deadline of April 1, 2026 for federal agencies.
• Your Action: Apply Microsoft's patches from the January 2026 Patch Tuesday. Review SharePoint access logs for suspicious activity.
• Sources: CISA (Credibility: 10/10), CISA KEV (Credibility: 10/10), MSRC Updates (Credibility: 10/10), Zero Day Initiative (Credibility: 9/10)

CVE-2025-31277: Apple Multiple Products Buffer Overflow (CVSS 8.8)

Severity: HIGH | CVSS: 8.8 | Attack Vector: NETWORK

This week brought bad news for the Apple ecosystem. This vulnerability affects Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS—essentially the entire Apple product line. It's a buffer overflow in how these systems handle web content, which means malicious websites can trigger memory corruption.

The attack requires user interaction (visiting a malicious website), but once triggered, it can lead to complete system compromise. The widespread nature of this vulnerability—affecting everything from your iPhone to your Mac—makes it particularly concerning.

• What's Vulnerable: Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6 and earlier versions
• The Risk: Processing malicious web content can lead to memory corruption and arbitrary code execution.
• CISA KEV Status: Added March 20, 2026, with a remediation deadline of April 3, 2026.
• Your Action: Update all Apple devices to the latest versions immediately. This is being actively exploited, so don't delay.
• Sources: The Hacker News (Credibility: 7/10), CISA (Credibility: 10/10), CISA KEV (Credibility: 10/10)

CVE-2025-66376: Zimbra Collaboration Suite XSS (CVSS 7.2)

Severity: HIGH | CVSS: 7.2 | Attack Vector: NETWORK

Zimbra Collaboration Suite has a stored cross-site scripting vulnerability in its Classic UI. Attackers can embed malicious CSS @import directives in HTML email messages that execute when the recipient views the email.

Now, you might think "it's just XSS," but stored XSS in an email system is particularly dangerous. It can be used to steal session tokens, capture credentials, and spread to other users automatically as they view infected messages.

• What's Vulnerable: Zimbra Collaboration Suite 10 before 10.0.18 and 10.1 before 10.1.13
• The Risk: Attackers can execute malicious scripts in users' browsers, steal credentials, and potentially pivot to other attacks.
• CISA KEV Status: Added March 18, 2026, indicating active exploitation.
• Your Action: Update to Zimbra 10.0.18 or 10.1.13. Review email logs for suspicious HTML content.
• Sources: The Hacker News (Credibility: 7/10), CISA (Credibility: 10/10), CISA KEV (Credibility: 10/10)

CVE-2025-43510 & CVE-2025-43520: Apple Multiple Products Memory Corruption (CVSS 7.8 & 7.1)

Severity: HIGH | CVSS: 7.8 & 7.1 | Attack Vector: LOCAL

Two more Apple vulnerabilities round out our high-severity list. Both are memory corruption issues, but these require local access—meaning an attacker needs to already have some level of access to the device, typically through a malicious application.

CVE-2025-43510 is an improper locking vulnerability that can cause unexpected changes in memory shared between processes. CVE-2025-43520 is a classic buffer overflow that could allow a malicious app to crash the system or write to kernel memory.

• What's Vulnerable: watchOS 26.1, iOS 18.7.2, iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, tvOS 26.1, and earlier versions
• The Risk: Malicious applications can cause system instability, crash devices, or potentially escalate privileges.
• CISA KEV Status: Both added March 20, 2026, indicating active exploitation.
• Your Action: Update all Apple devices to the latest versions. Be cautious about installing applications from untrusted sources.
• Sources: CISA (Credibility: 10/10), CISA KEV (Credibility: 10/10)

CVE-2024-30088: Windows Kernel Elevation of Privilege (CVSS 7.0)

Severity: HIGH | CVSS: 7.0 | Attack Vector: LOCAL

This Windows kernel vulnerability is actually from 2024, but it's seeing renewed attention this week in the context of Iran's cyber operations following Operation Epic Fury. It's a time-of-check to time-of-use (TOCTOU) race condition that allows privilege escalation.

While it requires local access and some complexity to exploit, it's being used in multi-stage attack chains where attackers first gain initial access through other means, then use this vulnerability to elevate their privileges.

• What's Vulnerable: Various Windows versions (see Microsoft's advisory for specifics)
• The Risk: Local attackers can elevate privileges from standard user to system-level access.
• Your Action: Ensure you've applied Microsoft's June 2024 patches. This should already be patched in most environments, but verify.
• Sources: Tenable Blog (Credibility: 8/10), Cyble (Credibility: 8/10)

Other Notable Vulnerabilities

CVE-2025-47813: Medium Severity Cross-Site Scripting (CVSS 4.3)

We tracked one medium-severity vulnerability this week that's worth mentioning because it appeared in CISA's KEV catalog, which is unusual for a medium-severity issue. This tells us that even lower-severity vulnerabilities can be actively exploited when they're in the right context.

The vulnerability has a CVSS score of only 4.3, but it's being used as part of larger attack chains. It's a good reminder that attackers don't always need critical vulnerabilities—sometimes a medium-severity flaw in the right place is enough.

• Sources: CISA (Credibility: 10/10), CISA KEV (Credibility: 10/10), SecurityWeek (Credibility: 7/10), The Hacker News (Credibility: 7/10)

Trends We're Seeing

Let me share some patterns that emerged this week, because understanding these trends helps you anticipate what's coming next.

Authentication Bypass is the Theme: Three of our five critical vulnerabilities (CVE-2025-32975, CVE-2025-32433, CVE-2025-59719) involve authentication bypass or missing authentication. Attackers are focusing on ways to completely skip the login process rather than trying to steal credentials. This tells us we need to pay special attention to authentication mechanisms, particularly in SSO and SAML implementations.

The Apple Ecosystem Under Siege: Four vulnerabilities affecting Apple products, three of them actively exploited, all added to CISA's KEV catalog in the same week. This coordinated exploitation pattern suggests organized threat actors are specifically targeting Apple users. Given the context of Operation Epic Fury and expected Iranian cyber retaliation, this may be part of a broader campaign.

Web-Facing Applications Remain Prime Targets: The majority of our critical and high-severity vulnerabilities this week affect web-facing applications and services: Quest KACE, Craft CMS, Laravel Livewire, SharePoint, Zimbra. The attack vector is consistently "NETWORK" with "AC:L" (low attack complexity), meaning these are relatively easy to exploit remotely.

Deserialization and Code Injection Dominate: Looking at the CWE classifications, we're seeing a lot of CWE-94 (code injection), CWE-502 (deserialization of untrusted data), and CWE-306 (missing authentication). These are all vulnerabilities that stem from trusting user input without proper validation. It's a fundamental security principle that keeps getting violated: never trust, always verify.

Rapid Exploitation Timelines: Several of these vulnerabilities were added to CISA's KEV catalog very quickly after disclosure, and in some cases (like CVE-2025-32975), exploitation was observed before widespread public awareness. The window between disclosure and active exploitation continues to shrink, which means our patch deployment timelines need to shrink too.

Your Action Items

Now, let's talk about what you actually need to do. I've organized this by urgency because I know you can't do everything at once.

• This Week (Emergency Priority):
  • Patch Quest KACE SMA immediately if you're running it (CVE-2025-32975). This is a CVSS 10.0 with active exploitation.
  • Update Erlang/OTP SSH servers (CVE-2025-32433). If you can't patch immediately, disable SSH or firewall it off.
  • Patch Craft CMS to versions 3.9.15, 4.14.15, or 5.6.17 (CVE-2025-32432).
  • Update Laravel Livewire to v3.6.4 or later (CVE-2025-54068).
  • Update all Apple devices across your organization (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520).
  • Review your incident response procedures—with seven actively exploited vulnerabilities this week, make sure your team knows what to do if you discover a compromise.
• This Month (High Priority):
  • Apply Microsoft SharePoint patches from January 2026 if you haven't already (CVE-2026-20963).
  • Update Fortinet FortiWeb to patched versions (CVE-2025-59719).
  • Patch Zimbra Collaboration Suite to 10.0.18 or 10.1.13 (CVE-2025-66376).
  • Verify that Windows systems have the June 2024 patches for CVE-2024-30088.
  • Conduct a review of all internet-facing authentication systems, particularly those using SAML or SSO.
  • Review logs for signs of exploitation, particularly around authentication events and unusual administrative activity.
• Long Term (Strategic Improvements):
  • Implement a formal vulnerability management program if you don't have one. This week's seven CISA KEV additions show how quickly you need to respond.
  • Consider implementing application allowlisting on critical systems to prevent malicious applications from running (helps with the Apple local vulnerabilities).
  • Review your authentication architecture. Multiple authentication bypass vulnerabilities this week suggest this is an area that needs hardening.
  • Establish a process for emergency patching that can be activated when CVSS 10.0 vulnerabilities with active exploitation are disclosed.
  • Conduct security awareness training focused on the risks of visiting untrusted websites and opening suspicious emails (relevant for the Apple and Zimbra vulnerabilities).
  • Implement network segmentation to limit the blast radius if a web-facing application is compromised.

Where We Found This Information

This roundup synthesizes information from multiple authoritative sources. Here's where we gathered our intelligence this week:

• CISA - Cybersecurity and Infrastructure Security Agency (Credibility: 10/10)
• CISA Known Exploited Vulnerabilities Catalog (Credibility: 10/10)
• Microsoft Security Response Center (Credibility: 10/10)
• Tenable Blog (Credibility: 8/10)
• Check Point Research (Credibility: 9/10)
• Zero Day Initiative (Credibility: 9/10)
• Cyble (Credibility: 8/10)
• The Hacker News (Credibility: 7/10)
• SecurityWeek (Credibility: 7/10)

This weekly roundup is compiled from multiple authoritative security sources and represents our analysis of the week's most significant vulnerabilities. Always test updates in a controlled environment before deploying to production systems. Remember, security is a journey, not a destination—we're here to help you navigate it one week at a time.

Stay safe out there, and I'll see you next week with another roundup.