Cybersecurity Daily — Mar 11, 2026
Tuesday, March 11, 2026
The Big Picture
Patch Tuesday dropped alongside active exploitation of everything from FortiGate firewalls to Qualcomm phone chips, and a Russian intelligence unit debuted a shiny new spy toolkit — so "patch your stuff" doesn't begin to cover it. Meanwhile, AI crossed a quiet threshold: Anthropic's Claude found 22 Firefox vulnerabilities and wrote a working exploit for one, which is either the best news defenders have gotten in years or the worst, depending on who points it at your codebase next. If you act on one thing today, make it this: patch SQL Server, update your Android fleet, and check whether your FortiGate is already someone else's front door.
Today's Stories
Your SQL Server Just Got Very Interesting to Attackers
Every Patch Tuesday has a buried headline, and this month it's CVE-2026-21262 — a privilege escalation flaw affecting SQL Server versions from 2016 SP3 through 2025. An attacker with a low-level database login can promote themselves to sysadmin over the network, which is the database equivalent of a janitor handing themselves the CEO's keycard. It's one of two publicly disclosed zero-days in Microsoft's 79-fix batch, alongside CVE-2026-26127, a .NET denial-of-service bug that lets unauthenticated attackers crash services remotely.
Also worth flagging while you're triaging: CVE-2026-21536, a remote-code-execution flaw in Microsoft's Devices Pricing Program that CrowdStrike and Malwarebytes both single out as deserving immediate attention, and CVE-2026-26144, a cross-site scripting bug in Excel that could let attackers weaponize Copilot to exfiltrate data — a preview of how embedded AI features create attack surfaces that didn't exist two years ago.
As of March 11, 2026, active exploitation has not been confirmed for either zero-day, but the reverse-engineering clock is ticking. Patch CVE-2026-21262 now, especially if your SQL Server is reachable from anything other than localhost.
Someone Turned 14,000 Home Routers Into a Hidden Criminal Highway
A newly discovered botnet called KadNap is hijacking ASUS routers and other edge devices, converting them into proxies that route criminal traffic through your internet connection — making attacks look like they originate from legitimate homes and businesses. Lumen's Black Lotus Labs team says the malware has infected over 14,000 devices (as of March 11, 2026) since first appearing in August 2025.
KadNap uses the DHT protocol — the same peer-to-peer technology behind BitTorrent — to locate command-and-control servers, which can make traditional blocklists largely useless. If you have an ASUS router at home or in a branch office, update its firmware today and disable remote management — that's the most common entry point, and this one is flying under the mainstream radar.
Your FortiGate Firewall May Already Be Someone's Front Door
The device whose entire job is keeping attackers out is increasingly the thing they walk through first. SentinelOne's DFIR team reports that throughout early 2026, they responded to multiple incidents where FortiGate firewalls were compromised as initial footholds — attackers were already moving laterally through internal networks before anyone noticed.
The attack paths include CVE-2025-59718 and CVE-2025-59719 (SSO signature validation flaws granting unauthenticated admin access), CVE-2026-24858 (FortiCloud SSO bypass), and plain old weak credentials. The real prize in each case: extracted service account credentials that become direct keys to Active Directory, the system controlling who can access what inside most corporate networks. Fortinet has issued patches. Apply them, rotate service account credentials, and audit your SSO configuration today.
Claude Found 22 Firefox Bugs — Then Wrote a Working Exploit for One
Anthropic's Frontier Red Team pointed Claude at Firefox's codebase, and it found its first serious vulnerability within about 20 minutes. The final count: over 100 bugs flagged, 22 receiving CVE assignments, 14 classified as high severity by Mozilla. Then the team tested whether Claude could go further — and it successfully wrote a working exploit for CVE-2026-2796 (now patched). The exploit only worked in a stripped-down environment without a sandbox, so this isn't evidence that AI is hacking browsers in the wild. But the trajectory is the signal.
Anthropic notes Claude's success rate on the Cybench security evaluation doubled in six months, then doubled again in four months on Cybergym. That's not linear improvement. Mozilla's engineers drew the implication explicitly: "there is likely a substantial backlog of now-discoverable bugs across widely deployed software." The question isn't whether this capability helps defenders — it clearly does. The question is what happens when it's pointed at codebases with fewer resources than Mozilla's.
⚡ What Most People Missed
- The AI agent plugin store is already a supply-chain attack surface. The ClawHavoc campaign infiltrated over 1,200 malicious skills into the OpenClaw marketplace in January–February 2026. If your organization lets employees connect third-party plugins to AI agents with internal system access, that's an active attack surface today — think npm supply-chain attacks, but the malicious package can autonomously take actions.
- A senior DFIR professional just published their first forensic audit of an AI system — and walked through exactly what logs didn't exist. The core problem: AI systems don't leave the audit trails incident responders are trained to look for. The author had to preserve and hash model weights, audit platform code, and reconstruct decision pathways in a sandbox. No patch for this one — it's a gap in institutional practice.
- CISA added SolarWinds, Ivanti, and Workspace ONE flaws to the KEV catalog — all actively exploited right now. The Ivanti EPM bug (CVE-2026-1603) has a March 23 federal remediation deadline set by CISA. If you run any of these platforms, treat them like they're already being probed in your environment.
- Diffusion models can now generate attack traffic that's statistically indistinguishable from legitimate traffic to ML-based intrusion detection systems. A new arXiv paper called NetDiffuser reported worrying success rates against lab-tested detectors. If your confidence rests on "we moved to ML-based detection," that assumption needs revisiting.
- Ericsson disclosed a third-party breach exposing employee and customer contact details. Core telecom operations weren't impacted, but names and contact info are perfect raw material for targeted phishing and SIM-swap campaigns. Good prompt to re-check which vendors hold your data and how fast they're required to tell you about a breach.
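The "preserve and hash model weights" step from the DFIR item above is the one piece of that audit that maps onto established evidence-handling practice. The following is an added example, not code from the newsletter or from the write-up it cites: it builds a SHA-256 manifest over a directory of model artifacts (chunked hashing, so multi-gigabyte weight shards never have to fit in memory), records a hash of the manifest itself for the custody log, and later re-verifies the tree, reporting modified, missing and unexpected files. The case identifier, examiner name and the "model directory" it hashes are constructed for the demo.

```python
"""Added example (not from the newsletter or the DFIR write-up it cites):
build a SHA-256 evidence manifest over a directory of model artifacts and
later verify it, so any change to a weight file is detectable."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large weight shards are never loaded whole


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, case_id, examiner):
    """Walk `root`, hash every regular file, and return a manifest dict.
    Paths are stored relative to root and sorted, so two runs over the same
    tree produce the same entries and therefore the same manifest hash."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append({"path": rel, "size": os.path.getsize(full),
                            "sha256": sha256_file(full)})
    entries.sort(key=lambda e: e["path"])
    manifest = {
        "case_id": case_id,          # hypothetical case reference, supplied by the caller
        "examiner": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "files": entries,
    }
    # Hash of the canonical file list: this is the value that goes in the custody log.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(root, manifest):
    """Re-hash the tree and return a sorted list of (problem, path) tuples:
    'modified', 'missing' or 'unexpected'. An empty list means the tree is intact."""
    problems = []
    expected = {e["path"]: e["sha256"] for e in manifest["files"]}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                problems.append(("unexpected", rel))
            elif sha256_file(full) != expected[rel]:
                problems.append(("modified", rel))
    for rel in expected.keys() - seen:
        problems.append(("missing", rel))
    return sorted(problems)


def demo():
    """Constructed sample: a fake model directory with two weight shards and a
    config file. Returns (problems_before_tampering, problems_after_tampering)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shards"))
        sample_files = {
            "config.json": b'{"layers": 2}',
            "shards/model-00001.bin": b"\x00\x01\x02" * 1000,
            "shards/model-00002.bin": b"\x03\x04\x05" * 1000,
        }
        for rel, data in sample_files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, case_id="CASE-0000", examiner="examiner@example")
        before = verify_manifest(root, manifest)
        # Simulate tampering: flip one byte in a shard and delete the config file.
        with open(os.path.join(root, "shards/model-00001.bin"), "r+b") as f:
            f.seek(10)
            f.write(b"\xff")
        os.remove(os.path.join(root, "config.json"))
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Write the manifest out as JSON next to (not inside) the preserved tree and record `manifest_sha256` in the custody log; re-running `verify_manifest` against that file is how you later show the weights you analysed are the weights you collected.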
📅 What to Watch
- If CVE-2026-21262 (SQL Server privilege escalation) hits CISA's KEV catalog this week, it means exploitation is confirmed in the wild and emergency patching timelines replace standard cycles — expect automated scanning to follow within days.
- If FortiGate compromise reports expand beyond Ukraine and defense contractors, the campaign has gone opportunistic — expect harvested credentials and extracted service-account tokens to be replayed against Active Directory and cloud services in unrelated sectors.
- If Google issues a follow-up advisory specifically for CVE-2026-21385 (the Qualcomm display chip zero-day), it indicates exploitation is expanding — expect OEM firmware updates and carrier pushes, and prioritize devices with vendor-signed bootloaders.
- If Ericsson or regulators later reveal that telecom network data (not just HR/CRM records) were touched, the risk shifts from phishing to potential compromise of call metadata and customer authentication.
- If proof-of-concepts like BlackMamba or NetDiffuser show up in criminal toolkits, expect a surge in polymorphic network-stage payloads that bypass signature and ML detectors, forcing defenders to rely on endpoint telemetry and anomalous credential-use detection.
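Two items above turn on the same question: is a given CVE in CISA's KEV catalog, and if so, how much of the remediation window is left (the Ivanti EPM entry with its March 23 deadline, and the watch item on whether CVE-2026-21262 lands there this week). The following is an added example, not code from the newsletter or from CISA: it parses the KEV catalog JSON feed (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and carries the `vulnerabilities[]` records with `cveID` and `dueDate` fields used here), triages an inventory's CVE list by days remaining, and diffs two snapshots of the feed to surface new additions. The feed contents embedded below are constructed for an offline run; the only real values in them are the CVE identifiers and the March 23 due date the newsletter itself cites.

```python
"""Added example (not from the newsletter or CISA): cross-check inventory CVEs
against a CISA KEV catalog JSON snapshot and flag newly added entries."""
import json
from datetime import date

# CONSTRUCTED feed snapshots in the real feed's shape. Only CVE-2026-1603 and its
# 2026-03-23 due date come from the newsletter; the placeholder record is made up.
KEV_SNAPSHOT_TODAY = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
         "product": "Endpoint Manager", "dueDate": "2026-03-23"},
        {"cveID": "CVE-0000-00001", "vendorProject": "PlaceholderVendor",
         "product": "PlaceholderProduct", "dueDate": "2026-03-01"},
    ],
})

# Hypothetical later snapshot in which the SQL Server bug has been added.
KEV_SNAPSHOT_LATER = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": json.loads(KEV_SNAPSHOT_TODAY)["vulnerabilities"] + [
        {"cveID": "CVE-2026-21262", "vendorProject": "Microsoft",
         "product": "SQL Server", "dueDate": "2026-04-01"},
    ],
})

# CVEs from this issue that an inventory might carry (constructed list).
INVENTORY_CVES = ["cve-2026-21262", "CVE-2026-1603", "CVE-2026-26127"]


def load_kev(feed_json):
    """Index a KEV feed by upper-cased CVE ID for constant-time lookups."""
    feed = json.loads(feed_json)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def triage(cves, kev, today):
    """Return one record per inventory CVE, KEV entries first, most urgent first.
    days_left is negative once the federal due date has passed."""
    rows = []
    for cve in cves:
        cve = cve.upper()
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({
            "cve": cve, "in_kev": True,
            "vendor": entry.get("vendorProject"), "product": entry.get("product"),
            "due_date": entry["dueDate"], "days_left": days_left,
            "overdue": days_left < 0,
        })
    rows.sort(key=lambda r: (not r["in_kev"], r.get("days_left", float("inf"))))
    return rows


def newly_added(old_kev, new_kev, watchlist=None):
    """CVE IDs present in new_kev but not old_kev; optionally restricted to a
    watchlist so a daily job can alert only on the entries you care about."""
    added = set(new_kev) - set(old_kev)
    if watchlist is not None:
        added &= {c.upper() for c in watchlist}
    return sorted(added)


if __name__ == "__main__":
    today = date(2026, 3, 11)
    kev_now = load_kev(KEV_SNAPSHOT_TODAY)
    for row in triage(INVENTORY_CVES, kev_now, today):
        print(row)
    print("new in KEV:", newly_added(kev_now, load_kev(KEV_SNAPSHOT_LATER), INVENTORY_CVES))
```

Run daily against the live feed, `newly_added` with your inventory as the watchlist is the alert that answers the first "What to Watch" item, and `triage` gives you the remaining window per entry rather than a bare yes/no.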
A Russian spy unit wrapping decade-old code in cloud infrastructure like a Cold War artifact in a Supreme hoodie; 14,000 home routers quietly moonlighting as criminal getaway cars; and an AI that found its first browser bug faster than most people find their morning coffee. Somewhere, a DFIR analyst is staring at an AI system's empty log files the way a detective stares at a crime scene that's been wiped clean — except nobody told them the building doesn't have security cameras.
Stay patched, stay skeptical. ✌️