From privilege escalation bugs in core management tools to destructive wiper attacks on medical device manufacturers, the global threat landscape continues to demand urgent attention from CISOs, IT security teams and risk leaders.
High‑severity vulnerabilities in Ivanti, Microsoft Office and Cisco IOS XR
Ivanti released a security update for its Desktop and Server Management (DSM) platform, addressing CVE‑2026‑3483, a high‑severity privilege escalation vulnerability affecting all versions up to and including 2026.1. Classified under CWE‑749 (Exposed Dangerous Method or Function), this flaw allows a local authenticated attacker to abuse an exposed internal method and gain elevated system privileges with low attack complexity and no user interaction. For enterprises across the GCC that rely on Ivanti DSM for centralised endpoint and server management, timely patching to version 2026.1.1 is critical to prevent attackers from manipulating configurations, deploying unauthorised changes or accessing sensitive operational data at scale.
Reference: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-DSM-CVE-2026-3483?language=en_US
Microsoft, meanwhile, addressed CVE‑2026‑26110, a high‑severity remote code execution vulnerability in Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, Microsoft 365 Apps for Enterprise and Office for Mac and Android. The bug stems from a type confusion issue (CWE‑843) that can lead to memory corruption and arbitrary code execution once a malicious file is processed on the target system. One particularly concerning vector is the Windows File Explorer Preview Pane, where a specially crafted Office document can trigger exploitation simply by being previewed, without the user explicitly opening the file. Given the widespread use of Microsoft 365 in Middle East enterprises and government entities, immediate deployment of March 2026 patches and disabling of the Preview Pane in high‑risk environments should be prioritised.
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26110
Cisco also published a security advisory for two high‑severity privilege escalation vulnerabilities in Cisco IOS XR Software and IOS XRv 9000 Routers, tracked as CVE‑2026‑20040 and CVE‑2026‑20046. CVE‑2026‑20040 arises from insufficient validation of user‑supplied CLI arguments, allowing a low‑privileged user to execute arbitrary commands as root, while CVE‑2026‑20046 is caused by incorrect mapping of CLI commands to task groups, enabling full administrative control. With many regional service providers and large enterprises in the UAE, Saudi Arabia and across the GCC depending on Cisco IOS XR for backbone routing, patching to fixed releases and tightening local account access controls are essential steps to reduce the risk of network‑wide compromise.
Ransomware and destructive wiper attacks hit healthcare and medical technology
Attackers continued to target the healthcare sector, with Bell Ambulance confirming that 237,830 individuals were affected by a ransomware‑driven data breach originating from a February 2025 network intrusion. Data exposed includes names, Social Security numbers, dates of birth, driver’s licence details, financial account information and medical and health insurance data, creating elevated risk of identity theft, financial fraud and medical identity misuse. The Medusa ransomware group claimed responsibility, having allegedly exfiltrated around 219.5 GB of data, later published on its leak site, suggesting that no ransom was paid.
Reference: https://www.264bell.com/data-security-incident
Reference: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/defd3317-3bbe-4d85-abc8-3311860c016a.html
In a parallel escalation, global medical technology manufacturer Stryker suffered a destructive cyberattack involving wiper malware designed to permanently erase data rather than encrypt it for ransom. The incident, reported on 11 March 2026, disrupted operations across multiple regions, with significant impact at its Cork, Ireland headquarters and cascading effects across Europe, Asia and the United States. Threat intelligence sources attribute the campaign to the Handala group, a pro‑Palestinian hacktivist collective assessed to have links to Iranian state‑aligned interests, focusing on disruption and economic damage. Observed impacts included remote wiping of Intune‑managed endpoints, disruption of proprietary applications and backend infrastructure, and loss of access to internal authentication and collaboration systems, affecting more than 5,500 employees in Ireland alone.
Reference: https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html
Security news: AI‑driven anti‑scam tools and rising bug bounty investments
On the defensive side, major platforms announced new measures to harden digital ecosystems. Meta launched AI‑driven anti‑scam protections across WhatsApp, Facebook and Messenger, combining behavioural detection, real‑time warning prompts and expanded advertiser verification to combat social engineering and fraud at scale. Enhancements include improved device‑linking alerts on WhatsApp, automated warnings for suspicious friend requests on Facebook and AI models in Messenger capable of detecting fraudulent job offers and impersonation patterns.
Google revealed that it paid 17.1 million USD through its Vulnerability Reward Programs in 2025, a 40 percent increase over 2024 that brings total payouts over 15 years to 81.6 million USD. Significant rewards targeted vulnerabilities in Chrome, Google Cloud, Android, on‑device Gemini AI components and open‑source software, with some single findings earning up to 250,000 USD for full‑chain sandbox escapes. These investments highlight an industry‑wide shift towards proactive security, incentivising global researchers to discover and disclose critical flaws before they are exploited in the wild.
Reference: https://bughunters.google.com/blog/google-vrps-in-review-2025
Meta has confirmed it will permanently discontinue end-to-end encryption (E2EE) for Instagram direct messages effective May 8, 2026, citing low user adoption as the primary reason for the rollback. This decision, quietly announced via the Instagram Help Center on March 15, 2026, marks a significant departure from Meta’s long-term goal of platform-wide messaging privacy. Once the feature is removed, Instagram DMs will revert to standard transport encryption, granting Meta the technical capability to access message content for moderation, AI training, and regulatory compliance. Users with active encrypted chats are being notified to download their message history and media before the cutoff date, as these conversations may otherwise become inaccessible. While the move has drawn sharp criticism from privacy advocates, Meta has directed users seeking high-level security to WhatsApp, where E2EE remains the default standard.
Reference: https://help.instagram.com/491565145294150