    InfoSec News Nuggets 03/20/2026 – AboutDFIR

    By admin, March 20, 2026


    Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

    Israeli cybersecurity firm Dream has disclosed CVE-2026-32746 — a CVSS 9.8 out-of-bounds write vulnerability in the LINEMODE Set Local Characters (SLC) suboption handler of the GNU InetUtils telnet daemon that allows an unauthenticated remote attacker to overflow a buffer and execute arbitrary code as root before the login prompt ever appears, simply by sending a specially crafted message during the initial TCP handshake on port 23. The flaw affects all versions of GNU InetUtils telnetd through 2.7, was discovered on March 11, has no patch yet — with a fix expected by April 1 — and Censys data shows approximately 3,362 exposed hosts still publicly reachable over telnet as of March 18, creating a live attack surface for any threat actor willing to scan for it. The disclosure is the second critical GNU InetUtils telnetd flaw in as many months — following CVE-2026-24061 (also CVSS 9.8), which CISA added to its Known Exploited Vulnerabilities catalog in January after 21 unique malicious IPs were observed exploiting it within 24 hours of disclosure — and underscores that Telnet, a protocol with no encryption and a 55-year legacy of security debt, should be disabled and replaced with SSH on any system where it is still running.

     

    Critical Microsoft SharePoint Flaw Now Exploited in Attacks

    CISA has added CVE-2026-20963 — a deserialization of untrusted data vulnerability in Microsoft SharePoint that Microsoft patched in January — to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch by Saturday, March 21, after confirming the flaw is being actively exploited in the wild despite Microsoft’s own advisory not yet being updated to reflect in-the-wild exploitation. The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, allowing an unauthenticated attacker with network access to write and execute arbitrary code remotely via a low-complexity attack — while SharePoint Server versions 2007, 2010, and 2013 are also vulnerable but no longer receive security updates, leaving organizations running those legacy versions with no vendor-provided remediation path. Separately, CISA also added CVE-2025-66376 — a stored cross-site scripting flaw in the Classic UI of Synacor Zimbra Collaboration Suite where attackers abuse CSS @import directives in HTML emails — to the KEV catalog the same day, following a Seqrite Labs report linking active exploitation to a suspected Russian state-sponsored intrusion set targeting Ukrainian government infrastructure.

     

    Russian Hackers Exploit Zimbra Flaw to Breach Ukrainian Maritime Agency

    APT28 — the GRU-linked Russian threat group also tracked as Fancy Bear — has exploited the newly KEV-listed Zimbra Collaboration Suite cross-site scripting vulnerability (CVE-2025-66376) to breach a Ukrainian maritime agency, according to CERT-UA and Recorded Future News, in a campaign that abused Zimbra’s Classic UI to deliver a JavaScript payload that established unauthorized access to victim mailboxes and pilfered sensitive communications. The targeted agency handles shipping, port logistics, and maritime regulatory activity — making it a high-value intelligence target for Russian military planners seeking insight into Ukrainian Black Sea operations, supply chain logistics, and international shipping coordination at a time when the maritime corridor remains strategically critical to Ukraine’s grain exports and Western military aid flows. The breach is a sharp reminder that the 48-hour gap between CISA adding a flaw to the KEV catalog and agencies applying patches represents a live exploitation window — APT28 was using this vulnerability before it appeared in the KEV catalog, and organizations running any Zimbra version below 10.0.18 or 10.1.13 should treat remediation as an emergency rather than a routine maintenance item.

     

    Second iOS Exploit Kit Now in Use by Suspected Russian Hackers

    iVerify, Lookout, and Google have jointly disclosed DarkSword — a second iOS exploit kit deployed in active campaigns since at least late 2025, distinct from the recently disclosed Coruna kit — which researchers attributed to UNC6353 (a suspected Russian-backed espionage group), Turkish commercial surveillance vendor PARS Defense, and UNC6748, targeting users in Ukraine, Saudi Arabia, Turkey, and Malaysia via watering hole attacks on compromised regional news and court websites, with saved passwords, cryptocurrency wallet credentials, text messages, and financial app data silently exfiltrated from victims’ devices before the malware deletes all traces of itself in a “hit-and-run” model. iVerify estimates up to 270 million iPhone users could be susceptible to the exploit chain’s underlying vulnerabilities, while Lookout notes that roughly 15% of iOS devices in active use globally are running iOS 18 or earlier and remain unpatched — with all six exploited vulnerabilities now addressed across iOS 18.7.2, 18.7.3, and iOS 26.x. The discovery of two separate sophisticated iOS exploit kits in a single month reinforces what researchers described as an emerging secondary market for high-end mobile exploits, where tools originally developed for or sold to government surveillance clients are leaking into broader criminal and espionage ecosystems — a proliferation dynamic with serious implications for the hundreds of millions of individuals who cannot practically keep their devices on the latest OS at all times.

     

    NCA Launches National Strategic Assessment 2026: Technology Is Reshaping Crime Itself

    UK National Crime Agency Director General Graeme Biggar unveiled the NCA’s National Strategic Assessment 2026 on March 20 with a stark central finding: technology has crossed a threshold where it is no longer simply a tool criminals exploit but is fundamentally reshaping the nature of serious and organized crime itself — accelerating it, globalizing it, and making it more harmful in ways that demand a corresponding structural evolution in law enforcement. The Assessment documents rising cross-boundary crime where drug trafficking, fraud, cybercrime, money laundering, and child sexual abuse material operations are increasingly interlinked within the same criminal networks and sometimes the same individuals, with criminals shifting away from dedicated encrypted phone networks like EncroChat and Sky ECC — both previously dismantled by law enforcement — to commercially available consumer encrypted messaging apps that are far harder to lawfully intercept, while referrals from technology companies reporting child sexual abuse material have risen by a third in two years. Biggar used the Assessment launch to make the public case for a proposed UK National Police Service — positioned as a successor structure incorporating the NCA and Counter Terrorism Policing — arguing that just as crime has fundamentally changed, so must the institutional architecture designed to counter it, and calling directly on technology companies to design their platforms with public safety built in rather than treating lawful access as an afterthought.

     


