The Lyceum: Cybersecurity Daily — Mar 14, 2026
Saturday, March 14, 2026
The Big Picture
Your browser has two holes attackers are already walking through, your network switches might hand the admin password to anyone who asks nicely, and Cl0p's Oracle rampage just crossed 100 victims while most of them pretend nothing happened. Today is a "stop reading and go patch something" day — Chrome first, then everything else.
Today's Stories
Update Chrome Right Now — Two Zero-Days Are Already Being Used Against You
The browser you're probably reading this in has two actively exploited vulnerabilities, and Google pushed emergency fixes overnight.
CVE-2026-3909 is an out-of-bounds write in Skia, the graphics library that renders everything you see on a webpage — the kind of memory corruption bug that can crash your browser or, worse, let an attacker run their own code. CVE-2026-3910 hits V8, Chrome's JavaScript engine, which is particularly dangerous because it can potentially be triggered just by visiting a malicious website. No click required. No download. Just a page load.
Google is deliberately keeping exploitation details quiet until most users have updated — they don't want to hand other criminals a blueprint. CISA moved fast, adding both CVEs to its Known Exploited Vulnerabilities catalog, which places federal systems on established remediation schedules and should prompt private-sector organizations that track KEV to prioritize fixes.
These are Chrome's second and third actively exploited zero-days of 2026. We're 73 days into the year. Last year Google fixed eight for the entire twelve months.
What to do: Update to version 146.0.7680.75/76 (Windows/macOS) or 146.0.7680.75 (Linux). Go to the three-dot menu → Help → About Google Chrome. Many orgs lose time when Chrome downloads the update but doesn't activate it until a restart. For zero-days, restarting matters. Edge, Brave, and every other Chromium-based browser will need their own patches shortly.
Critical HPE/Aruba Switch Flaw Lets Anyone Reset the Admin Password
Imagine walking up to the front door of a corporate building, pressing a button, and having it hand you the master key. That's roughly what CVE-2026-23813 does to your network switches.
Scoring 9.8 out of 10 on the severity scale, this flaw lets an unauthenticated remote attacker reset the administrator password on HPE's Aruba AOS-CX switches — the hardware sitting at the core of campus and data center networks. The web management interface fails to properly validate session tokens for specific admin endpoints, so a crafted request is all it takes. Once that password is reset, an attacker can modify network configurations, intercept traffic, or shut down critical services.
Affected: AOS-CX versions 10.17.0001 and below, 10.16.1020 and below, 10.13.1160 and below, and 10.10.1170 and below — across the Aruba CX 10000, 4100i, 6000, 6100, 6200F, 6300, 6400, 8320, 8325, 8360, 8400, and 9300 series. HPE says no public exploit code exists yet, but that window won't stay open long. Upgrade immediately, or at minimum isolate all management interfaces to a dedicated VLAN where they can't be reached from the general network.
A second bug (CVE-2026-23814, CVSS 8.8) lets a low-privilege user break out of the restricted CLI and run code with elevated privileges. The two could be chained.
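The affected-version list above, turned into an inventory check. This is an added example, not code from HPE or from this newsletter; the hostnames and sample inventory are constructed, and the optional two-letter platform prefix on version strings is an assumption.

```python
import re

# Highest affected build per AOS-CX release branch, from the list above.
AFFECTED_MAX_BUILD = {(10, 17): 1, (10, 16): 1020, (10, 13): 1160, (10, 10): 1170}

# Assumption: a version string may carry a two-letter platform prefix ("FL.").
VERSION_RE = re.compile(r"^(?:[A-Z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")


def classify(version):
    """Classify one firmware version string against the affected ranges."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"            # cannot decide; check the device by hand
    major, minor, build = (int(part) for part in match.groups())
    limit = AFFECTED_MAX_BUILD.get((major, minor))
    if limit is None:
        return "unlisted-branch"     # branch not in the list; consult the advisory
    return "affected" if build <= limit else "above-affected-range"


def triage(inventory):
    """Group hostnames by classification; everything except
    'above-affected-range' needs action or a manual look."""
    groups = {}
    for host, version in inventory:
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("core-sw-01", "FL.10.13.1160"),
    ("core-sw-02", "FL.10.13.1161"),
    ("dc-leaf-07", "10.17.0001"),
    ("dist-sw-04", "GL.10.16.1030"),
    ("edge-sw-03", "10.15.1005"),
    ("lab-sw-09", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:22} {', '.join(hosts)}")
```

Branches that the list does not name are reported separately rather than assumed safe, since the list only states ranges for four branches.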
Cl0p's Oracle Rampage Just Crossed 100 Victims — And Most Haven't Said a Word
The most quietly devastating breach campaign of the past six months keeps getting bigger.
Cl0p exploited a zero-day in Oracle E-Business Suite (CVE-2025-61882) back in August 2025, gained access to customer data across more than 100 organizations, then sat silently before sending extortion emails to executives. Named victims include Harvard University, The Washington Post, American Airlines subsidiary Envoy Air, Schneider Electric, Logitech, and Cox Enterprises, among others.
This is Cl0p's signature: breach a common platform, hit everyone at once. They ran the same playbook against MOVEit in 2023, affecting over 2,600 organizations and nearly 90 million individuals. Most current victims are staying silent, but that won't protect them — Cl0p controls the narrative through its leak site and posts names regardless.
The exploit chain involves five separate bugs to achieve pre-authentication remote code execution, and since valid exploit code is now public, this is no longer a single-actor story. Any unpatched Oracle EBS instance is open to anyone who downloaded the proof-of-concept. The patch has been available since October 2025. If you haven't applied it, assume compromise first, then patch.
Medical Device Giant Stryker Hit by Destructive Wiper Attack
Stryker, one of the world's largest medical device manufacturers, is dealing with a "global network disruption" after an attack claimed by Handala, an Iranian-linked hacktivist group. This wasn't ransomware — it was a wiper, designed to destroy data rather than hold it hostage. The group claims to have remotely wiped thousands of systems and stolen approximately 50 terabytes of data.
Stryker says the incident is contained to its internal Microsoft environment with no indication of traditional ransomware. But the attack disrupted the LIFENET system — the platform emergency responders use to communicate with hospitals during patient transport. CISA has opened an investigation. Early technical analysis is tracing the disruption pattern alongside the exfiltration claims.
A wiper behaves like ransomware on the ground — everything goes dark — but without the negotiation lever. There's no key to buy back. Healthcare and med-tech teams should use this as a prompt to sanity-check rebuild-vs-restore runbooks and backup isolation, not just backup frequency.
⚡ What Most People Missed
Meta is killing Instagram's encrypted DMs. After May 8, 2026, end-to-end encryption for Instagram chats goes away. Meta blames low adoption. Proton points out that Meta hasn't said whether existing encrypted chats will be deleted or simply become readable — and that Meta already said AI interactions inside private conversations may be used for ad targeting. This lands the same week TikTok confirmed it won't add E2EE to DMs either.
Researchers released a GPU-accelerated Akira decryptor that costs roughly $1,200 in GPU rentals. The tool targets Akira's Linux/ESXi variant by brute-forcing keys seeded from the system clock; with sixteen RTX 4090s it can recover keys in about 10 hours. If you're sitting on Akira-encrypted backups, check the tool before the ransomware authors patch their own code.
A researcher found a bug; the company found a lawyer. The top post on Hacker News today (917 points) is a first-person account of responsible disclosure met with legal threats. One blog post, one researcher, but the community reaction signals the chilling effect is hitting a nerve again.
A critical pac4j flaw scores a perfect 10.0. A maximum-severity authentication bypass in this widely embedded Java authentication library means apps you don't directly control may be silently trusting anyone. Scan your software bill of materials.
CISA warns Volt Typhoon is still burrowing. The China-linked group continues to pre-position inside U.S. critical infrastructure using legitimate admin tools — "living off the land" — prioritizing persistence over immediate disruption.
📅 What to Watch
- If Chrome's V8 zero-day exploitation details leak before patch adoption is widespread, expect rapid weaponization — V8 bugs are highly portable and would enable drive-by compromises that can bypass OS-level mitigations and increase the number of undetected browser-based implants.
- If HPE/Aruba CVE-2026-23813 appears in CISA's Known Exploited Vulnerabilities (KEV) catalog, federal agencies would be placed on formal remediation schedules and organizations that deferred patching would face immediate operational and compliance pressure.
- If Cl0p posts a new wave of Oracle EBS victim names this week, expect a cascade of breach notification letters, accelerated incident response costs, and targeted regulatory inquiries into affected organizations' data-protection controls.
- If the FBI names additional infected Steam titles or files a public update, AV and EDR vendors will need to push new signatures and indicators of compromise rapidly; platforms may delist or quarantine affected titles, forcing remediation workflows for impacted user accounts.
- If regulators outside Japan publish findings that ransomware disproportionately damages small and medium enterprises, third-party risk programs will shift from periodic questionnaires to enforceable contractual controls and continuous monitoring for small suppliers.
The Closer
A browser that betrays you if you visit the wrong webpage, a network switch that hands its keys to strangers, and a ransomware gang that cracked 100 victims before most of them noticed they'd been robbed. Meanwhile, a GPU-accelerated decryptor recovered Akira's keys using sixteen rented GPUs and about $1,200 — which is either the most inspiring or most terrifying thing about modern cryptography, depending on which side of the encryption you're sitting on. Stay paranoid.
If someone you know runs Chrome, Aruba switches, or Oracle EBS — so, everyone — forward this their way.