Weekly 16 to 22 March

Weekly Cybersecurity Bulletin 16-22 March 2026

Critical RCE in Oracle & AI Security Risks

3/27/2026

The third week of March 2026 has been defined by high-stakes vulnerabilities in identity management infrastructure and the rapid weaponization of exploits in the AI sector. From Oracle’s emergency out-of-band patches to a 9.3-rated RCE in Langflow, the current threat landscape demands immediate administrative action.

1. Critical Vulnerabilities: Oracle and Langflow Under Fire

Oracle CVE-2026-21992: Critical RCE Summary

Oracle released an out-of-band patch on March 19, 2026, for CVE-2026-21992 (CVSS 9.8), a critical unauthenticated RCE flaw in Oracle Identity Manager's REST WebServices and Web Services Manager's security components.

Unauthenticated attackers with HTTP network access can execute arbitrary code without user interaction, fully compromising identity governance systems for account manipulation, privilege escalation, and lateral movement, or bypass Web Services Manager controls to inject payloads.

Mitigation: Apply emergency patches immediately, prioritize internet-exposed systems, restrict access to trusted sources, monitor HTTP traffic and IAM logs for anomalies, and assume breach for unpatched environments.

Refer: Oracle Security Alert

Ubuntu CVE-2026-3888: Local Privilege Escalation Summary

Qualys disclosed CVE-2026-3888 (CVSS 7.8, March 17, 2026) in Ubuntu Desktop 24.04 LTS and later, stemming from a race condition between snap-confine (setuid root for snap sandboxing) and systemd-tmpfiles cleanup of the /tmp/.snap directory.

Local unprivileged attackers time the directory recreation with malicious payloads; snap-confine then bind-mounts them into privileged contexts, enabling arbitrary root code execution without user interaction - impacting confidentiality, integrity, and availability.

Mitigation: Update snapd immediately (e.g., 2.73+ubuntu24.04.1 for 24.04 LTS, 2.75 upstream); verify packages, monitor /tmp/.snap activity and snap executions, restrict local user access, and patch custom setups despite older LTS immunity.

Refer: Ubuntu Security Advisory

Langflow CVE-2026-33017: Critical RCE Summary

CVE-2026-33017 (CVSS 9.3, disclosed March 17, 2026) in Langflow ≤1.8.1 enables unauthenticated RCE via the /api/v1/build_public_tmp/{flow_id}/flow endpoint, which unsafely executes attacker-supplied Python code in the optional data parameter using exec() without sandboxing.

Exploitation is trivial - a single HTTP POST with malicious JSON grants server-process privileges for credential theft, file manipulation, backdoors, or reverse shells; scans and post-exploitation (e.g., .env extraction) began within 20 hours of disclosure.

Mitigation: Upgrade to 1.9.0.dev8+, restrict endpoint access via networks/proxies/auth, audit for compromise (outbound connections, .env access), rotate all credentials/API keys/DB passwords, and enforce least-privilege monitoring.

Refer: Langflow Advisory, NVD Record
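
For the audit step in the Langflow mitigation above, the following added example (not from the advisory or the Langflow project) scans reverse-proxy access logs for POST requests to the endpoint named in the bulletin and groups them by source address. The Combined Log Format layout, the trusted network range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Endpoint named in the bulletin; {flow_id} is matched as a single path segment.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/?\s]+/flow(?:\?.*)?$")

# Assumption: the proxy writes Common/Combined Log Format lines.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: only these networks are meant to reach the endpoint.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED)


def audit(lines):
    """Map each untrusted source IP to its POSTs (timestamp, status) on the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not ENDPOINT.match(m["path"]):
            continue
        if not is_trusted(m["ip"]):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)


# Constructed sample lines (documentation IP ranges, made-up flow id), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [18/Mar/2026:09:14:02 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 512',
    '10.1.2.3 - - [18/Mar/2026:09:15:10 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 498',
    '198.51.100.22 - - [18/Mar/2026:09:16:44 +0000] "GET /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 405 0',
    '203.0.113.7 - - [18/Mar/2026:09:17:30 +0000] "POST /api/v1/build_public_tmp/3f2a/flow?x=1 HTTP/1.1" 500 87',
    '198.51.100.22 - - [18/Mar/2026:09:18:01 +0000] "POST /api/v1/flows/ HTTP/1.1" 201 1024',
]

if __name__ == "__main__":
    for ip, reqs in audit(SAMPLE).items():
        print(ip, len(reqs), reqs)
```

Access logs do not record request bodies, so a hit is a lead for reviewing that host's outbound connections and .env access, not confirmation of compromise.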

2. Attack Campaigns

Navia Benefit Solutions Data Breach: 2.7M Impacted Summary

From Dec 22, 2025, to Jan 15, 2026, attackers maintained unauthorized access to U.S. benefits administrator Navia Benefit Solutions, detected Jan 23, exfiltrating PII (names, DOBs, SSNs, phones, emails) and PHI for 2,697,540 individuals over 24 days.

The prolonged dwell time suggests targeted intrusion via credentials, phishing, or access control gaps; Navia notified regulators (e.g., Maine AG), mailed letters, and offers 12 months of free credit monitoring, emphasizing third-party risks in aggregated health/financial data.

Refer: Regulatory Notice, Official Notice

Mazda Data Breach: Employee Data Exposed Summary

In December 2025, attackers exploited application vulnerabilities in Mazda's Thailand-linked warehouse management system, exposing 692 records of employee and partner data (user IDs, names, emails, affiliations) as of the March 24, 2026 disclosure.

No customer data was affected, and no threat actor or extortion was identified, but the leak heightens risks of phishing, credential theft, and BEC; Mazda patched the vulnerabilities and bolstered access controls, monitoring, and external restrictions, with no secondary misuse detected.

Refer: Mazda Disclosure

3. Security News

Google Chrome Security Update: 26 Vulnerabilities Patched Summary

On March 18, 2026, Google released Chrome updates (v146.0.7680.153/.154 for Windows/macOS, .153 for Linux) fixing 26 flaws, including 3 critical RCE vulnerabilities in WebGL, WebRTC, Blink, V8, PDFium, and network components - mostly memory corruption like use-after-free and heap overflows.

Attackers exploit these via malicious websites for browser-context code execution, potentially escalating to system compromise with sandbox escapes; many were found via fuzzing tools (AddressSanitizer, libFuzzer), with details limited to hinder exploits.

Refer: Chrome Release Notes

AsyncRAT Espionage Campaign Targets Libyan Infrastructure Summary

From November 2025 to February 2026, attackers used spear-phishing with Libya-specific lures (e.g., Saif al-Gaddafi assassination) to deploy the AsyncRAT remote access trojan via VBS/PowerShell droppers and "devil" scheduled tasks, targeting oil refineries, telecoms, and state entities for long-term surveillance and data exfiltration.

Symantec identified the geopolitical espionage, noting persistent access (possibly since April 2025), keystroke logging, screen captures, and modular updates without disruption - highlighting commodity malware's effectiveness through tailored ops in critical energy/government sectors.

Refer: Threat Intelligence Report

Anthropic Claude Desktop "Projects" Feature Summary

On March 20, 2026, Anthropic launched the "Projects" feature for Claude Desktop, enhancing its Cowork environment with persistent workspaces that maintain files, instructions, and task context across sessions for Pro, Team, and Enterprise users.

Building on January 2026's Cowork agentic workflows - enabling AI access to approved local folders for file read/modify and structured tasks - Projects organizes work into folder-linked environments, streamlining long-running research, analysis, document processing, and iterative operations without re-establishing context.

Refer: Announcement, Support Article

Stay secure. Stay informed.

Crowe UAE – Cyber Threat Management

Dawn Thomas
Senior Partner - Governance Risk & Compliance
Ahmed Ali Bin Haider
Partner - GRC Technology
shahnawaz.sheik@crowe.ae
Shahnawaz Sheik
Director – Cyber Threat Management