The Lyceum: Cybersecurity Daily — Mar 15, 2026
Sunday, March 15, 2026
The Big Picture
It's a Sunday built on deferred homework. March Patch Tuesday dropped five days ago and the blast radius is still expanding — CISA keeps adding exploited bugs to its mandatory-fix list, CL0P is still dining on an Oracle zero-day, and a researcher who tried to do the right thing got legal threats for their trouble. The theme today isn't novel attacks; it's the compounding cost of patches nobody applied and policies nobody wrote.
What Just Shipped
- Microsoft March 2026 Patch Tuesday (Microsoft): 84 fixes including two publicly disclosed zero-days — CVE-2026-21262 (SQL Server privilege escalation, CVSS 8.8) and CVE-2026-26127 (.NET denial of service, CVSS 7.5). Neither is confirmed exploited in the wild yet, but both were known before the patch shipped.
- Android March 2026 Security Bulletin (Google): Patches CVE-2026-21385, a Qualcomm display component memory corruption flaw under limited, targeted exploitation on Android devices.
- Chrome Emergency Updates (Google): Two high-severity zero-days exploited in attacks — an out-of-bounds write in Skia and a V8 JavaScript engine flaw — patched on March 13.
- VMware Aria Operations Fix (Broadcom/VMware): Patch for CVE-2026-22719 (command injection, CVSS 8.1) released February 24; CISA has since confirmed active exploitation and set a March 24 deadline for federal agencies to patch.
- Nemotron 3 Super (Nvidia): Trained natively in 4-bit floating point on H300-class GPUs, designed to make always-on agent inference dramatically cheaper.
- Olmo 7B (AI2): Hybrid RNN-Transformer model that reportedly matches larger competitors with half the training data — lowering the barrier for in-house agent deployments.
- NASCIO Agentic AI Report (NASCIO): First mainstream public-sector playbook explicitly framing AI agents as privileged service accounts requiring procurement guardrails and least-privilege controls.
Today's Stories
CL0P's Oracle Zero-Day Rampage Keeps Growing — Dozens of Victims and Counting
If your organization touches Oracle E-Business Suite — directly or through a vendor — this is the story that should ruin your Sunday coffee.
CL0P-linked attackers exploited CVE-2025-61882, a now-patched zero-day in Oracle E-Business Suite, to breach dozens of organizations. The flaw allowed unauthenticated remote code execution on exposed Oracle instances, so internet-facing deployments with weak segmentation were essentially open doors. Victim reports continue to surface: early coverage names universities and large enterprises, with some outlets identifying Harvard University among the targets. The extortion activity is ongoing, with follow-up ransom demands arriving months after initial compromise, according to Bright Defense's reporting.
The uncomfortable truth: you might not think you run Oracle EBS, but your payroll provider, logistics partner, or university back-end might. The move today is to confirm whether any Oracle EBS instance you control or depend on has applied Oracle's fix for CVE-2025-61882 and the subsequent January/February security updates, and to push third-party vendors for explicit attestation and IOC sharing. Because demands have arrived months after initial access, a patched instance is not automatically a clean one: review access and application logs from before the patch date as well, not just the current patch level. The Paubox blog tracks named victims as they emerge.
A Researcher Found a Vulnerability. The Company Found a Lawyer.
A security researcher published a detailed account of what happened when they tried to responsibly disclose a bug: no thank-you, no bounty — just legal threats and accusations, despite following a textbook "email them, give them time, don't exploit anything" playbook. The post is tearing through Hacker News today because it captures a fear every researcher carries: that doing the right thing gets you sued.
For organizations, the lesson is blunt. A lawyer-first response to vulnerability reports doesn't reduce risk — it accelerates public disclosure, scares off the people who might quietly save you, and signals to the next researcher that selling the bug is safer than reporting it. If your company doesn't have a published vulnerability disclosure policy with safe-harbor language, you're one blog post away from being the villain in this story. Regulators and cyber insurers are already watching these dynamics, and formal disclosure safe harbors may soon become compliance requirements.
VMware Aria Operations RCE Is Being Exploited — CISA Says Patch by March 24
VMware Aria Operations is the kind of tool that quietly runs in a management network, sees everything in your virtual environment, and almost never gets patched on schedule. Attackers have noticed.
CISA added CVE-2026-22719 — a command-injection bug (CVSS 8.1) that lets an authenticated attacker run arbitrary commands on the underlying OS — to the Known Exploited Vulnerabilities catalog. Federal agencies have until March 24 to patch; that's nine days away. "Authenticated" is thin comfort: Aria admin credentials are exactly the kind that get shared, reused from a vCenter login, or parked in an automation script. The real danger is positional: Aria typically runs with elevated privileges and stores the credentials it uses to monitor the estate, which can give attackers a single pivot point to vCenter, configurations, and the entire virtualization stack. Think of it as robbing the locksmith instead of picking a lock. No public proof-of-concept or detailed exploitation chain has surfaced yet, but CISA's confirmation of active exploitation is enough to act on. Patch now, or run VMware's workaround script on every appliance node while you schedule the change window; then check whether these boxes are unnecessarily exposed to flat networks or the internet, and plan to rotate the credentials Aria holds if you find any sign of compromise.
The FBI Is Investigating Malware Hidden Inside Steam Games
The FBI has opened an investigation after malware was found embedded in games distributed through Steam — Valve's dominant PC gaming platform with over 130 million active users. This isn't a sketchy piracy site; it's the most trusted name in PC gaming.
The enterprise angle is real and underappreciated. Employees who game on the same machine they use for work — or who share a home network with a gaming PC — could unknowingly introduce malware into corporate environments. Most endpoint detection tools are tuned for corporate software; game installers often fly under the radar entirely. It's unclear whether the malware arrived via compromised developer accounts, a supply-chain attack on a game's build pipeline, or another vector. Valve has not made a public statement. Until Valve issues guidance and names affected titles, avoid installing new games or updates on any machine with access to corporate resources, and consider whether game distribution platforms are addressed in your acceptable-use and endpoint policies.
⚡ What Most People Missed
- React2Shell just hit CISA's "fix it now" list and most people have never heard of it. Despite the name, it isn't a tool: it's the nickname given to a critical unauthenticated remote-code-execution bug in React Server Components, the server-rendering layer pulled in by Next.js and similar frameworks, so it arrives as a transitive dependency rather than as something anyone consciously installed. CISA confirmed active exploitation (reportedly CVE-2026-11347, CVSS 9.8). If an affected react-server-dom package is anywhere in your lockfiles, including nested under another dependency, find it today.
- Stryker's attackers used the company's own IT tools as weapons. Reporting on the Iran-linked Handala group's attack on medical device maker Stryker suggests they leveraged Microsoft Intune — a legitimate device management platform — to issue mass remote wipe commands. If your endpoint management system doesn't require multi-party approval for destructive actions, and nobody is alerting on bursts of wipe or retire commands in its audit log, you've handed attackers a loaded gun.
- Anthropic's Claude found 22 Firefox bugs in two weeks but reportedly could barely exploit any of them. The split between discovery and weaponization is the key insight: AI accelerates finding vulnerabilities dramatically, but turning findings into reliable exploits still mostly requires human creativity. That gap gives defenders time — but it's shrinking.
- China told government agencies to stop running OpenClaw-based AI agents on office machines, explicitly citing supply-chain and data-exfiltration risk. With 302,000 GitHub stars this week, OpenClaw went from niche to ubiquitous fast enough to trigger a regulatory response. Agent runtimes are being treated like unvetted third-party software — as they are.
- A new arXiv preprint maps exactly where agentic AI breaks in the SOC. AgenticCyOps identifies tool orchestration and memory management as the two recurring failure points in multi-agent security deployments — and argues the fix is classic engineering controls (least-privilege, workflow isolation), not longer safety prompts.
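For the React2Shell item above, the practical check is to search every npm lockfile for the affected packages, including copies nested under other dependencies, which a quick `npm ls` at the top level can miss. The following is an added example, not code from the newsletter, CISA or the React project. It walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), where every installed copy is keyed by its on-disk path. The watchlist of package names and version ranges is an assumed placeholder: take the authoritative list from the advisory before relying on it. The lockfile fragment is constructed.

```python
"""Find watchlisted packages anywhere in an npm lockfile, including nested copies.

Added example; not from the newsletter, CISA or the React project. Walks the
`packages` map of package-lock.json (lockfileVersion 2/3), where each installed
copy is keyed by its path, so an old copy hidden under another package's
node_modules is found as well. WATCHLIST is an assumed placeholder.
"""
import json

# ASSUMED watchlist: name -> list of (first_affected, first_fixed) version tuples.
# Placeholder values for illustration only; replace with the advisory's list.
WATCHLIST = {
    "react-server-dom-webpack": [((19, 0, 0), (19, 0, 1)), ((19, 1, 0), (19, 1, 2)), ((19, 2, 0), (19, 2, 1))],
    "react-server-dom-parcel": [((19, 0, 0), (19, 0, 1)), ((19, 1, 0), (19, 1, 2)), ((19, 2, 0), (19, 2, 1))],
    "react-server-dom-turbopack": [((19, 0, 0), (19, 0, 1)), ((19, 1, 0), (19, 1, 2)), ((19, 2, 0), (19, 2, 1))],
}

# Constructed lockfile fragment: a fixed top-level copy plus an older copy nested
# under another dependency, which is the case a top-level `npm ls` is easy to miss.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/legacy-ssr-helper": {"version": "2.3.0"},
    "node_modules/legacy-ssr-helper/node_modules/react-server-dom-webpack": {"version": "19.1.0"},
    "node_modules/@acme/ui-kit": {"version": "4.0.0-beta.2"}
  }
}
""")


def parse_version(v: str) -> tuple:
    """'19.2.1-canary.3+build' -> (19, 2, 1). Pre-release tags are dropped, which
    errs on the side of flagging a pre-release of an affected line."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def package_name(path: str) -> str:
    """Lockfile path -> package name, keeping npm scopes intact:
    'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx >= 0 else path


def scan_lockfile(lock: dict, watchlist: dict = WATCHLIST) -> list:
    """Return every installed copy whose (name, version) falls in a watchlisted range."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = package_name(path)
        ranges = watchlist.get(name)
        version = meta.get("version")
        if not ranges or not version:
            continue
        parsed = parse_version(version)
        if any(lo <= parsed < fixed for lo, fixed in ranges):
            hits.append({"name": name, "version": version, "path": path})
    return hits


if __name__ == "__main__":
    for hit in scan_lockfile(SAMPLE_LOCK):
        print(f"{hit['name']}@{hit['version']}  at {hit['path']}")
```

Run it against every package-lock.json in your repositories and build artifacts, not just the ones that declare React directly; the nested hit in the sample is the shape of the problem the bullet describes.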
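For the Stryker item above, the detection a SOC would want is a rate check on destructive device-management actions: one actor issuing many wipes in a short window is either a runaway script or an attacker with your MDM credentials, and both deserve a page. The following is an added example, not code from the newsletter, Microsoft, or any incident report. The record shape mimics Microsoft Graph deviceManagement/auditEvents as the author understands it (activityDateTime, activityType, activityResult, actor.userPrincipalName, resources[]); the field names, the activityType wording, and the 10-minute/5-event threshold are assumptions to map onto your own export. The sample events are constructed.

```python
"""Alert on bursts of destructive actions (wipe/retire/delete) by a single actor
in Intune-style audit events.

Added example; not from the newsletter, Microsoft or any incident report. Field
names and activityType strings are ASSUMED approximations of Graph auditEvents.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE_KEYWORDS = ("wipe", "retire", "delete")  # assumed substrings of activityType


def _event(ts, actor, activity, target, result="Success"):
    """Build one constructed audit record in the assumed Graph-like shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "activityResult": result,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": target}],
    }


# Constructed sample: a service account fires seven wipes in under four minutes
# (one of them fails), while a human admin retires a single device hours later.
SAMPLE_EVENTS = [
    _event("2026-03-14T02:10:05Z", "svc-helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0017"),
    _event("2026-03-14T02:10:21Z", "svc-helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0018"),
    _event("2026-03-14T02:10:44Z", "svc-helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0022"),
    _event("2026-03-14T02:11:03Z", "svc-helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0031", "Failure"),
    _event("2026-03-14T02:11:40Z", "svc-helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0035"),
    _event("2026-03-14T02:12:58Z", "svc-helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0040"),
    _event("2026-03-14T02:13:30Z", "svc-helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0041"),
    _event("2026-03-14T09:30:00Z", "jane.admin@corp.example", "Retire ManagedDevice", "LAPTOP-0099"),
    _event("2026-03-14T09:31:10Z", "jane.admin@corp.example", "Create DeviceConfiguration", "Baseline v4"),
]


def is_destructive(activity_type: str) -> bool:
    t = activity_type.lower()
    return any(k in t for k in DESTRUCTIVE_KEYWORDS)


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Sliding window per actor: report the densest run of >= threshold destructive
    actions inside `window`. Failed attempts count too; a blocked wipe is still
    evidence of intent. Returns one alert dict per offending actor."""
    per_actor = defaultdict(list)
    for e in events:
        if is_destructive(e.get("activityType", "")):
            per_actor[e["actor"]["userPrincipalName"]].append((parse_time(e["activityDateTime"]), e))

    alerts = []
    for actor, items in per_actor.items():
        items.sort(key=lambda pair: pair[0])
        win = deque()
        best = None
        for t, e in items:
            win.append((t, e))
            while t - win[0][0] > window:  # drop events that fell out of the window
                win.popleft()
            if len(win) >= threshold and (best is None or len(win) > best["count"]):
                best = {
                    "actor": actor,
                    "window_start": win[0][0].isoformat(),
                    "window_end": t.isoformat(),
                    "count": len(win),
                    "failures": sum(1 for _, x in win if x.get("activityResult") != "Success"),
                    "targets": [x["resources"][0]["displayName"] for _, x in win],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f"{a['actor']}: {a['count']} destructive actions ({a['failures']} failed) "
              f"between {a['window_start']} and {a['window_end']}: {', '.join(a['targets'])}")
```

The threshold should be tuned against your own baseline of legitimate bulk retirements (hardware refresh days will trip it), and the alert is only useful if it reaches someone with the authority to revoke the actor's session, which is the operational half of the multi-party-approval point made above.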
📅 What to Watch
- If a proof-of-concept drops for either Microsoft March zero-day before your SQL Server and .NET hosts are patched, exploitation shifts from targeted to opportunistic overnight. Check your deployment telemetry now, not after the PoC lands.
- If Valve names specific Steam titles carrying malware, enterprise security teams will need to rapidly assess whether affected software exists anywhere in their environment — including on BYOD devices touching corporate networks.
- If CISA's classified Fortra hunt guidance surfaces indicators of compromise in federal systems, it would confirm exploitation preceded the patch and elevate urgency for every Fortra file-transfer customer, not just government.
- If VMware updates its Aria Operations advisory with evidence of ransomware use, this escalates from "server-side RCE" to a full incident trend requiring active threat hunting across virtualization estates.
- If more researchers publish "I reported a bug and got sued" stories this quarter, expect cyber insurers to start requiring formal safe-harbor disclosure policies as part of underwriting — turning a community grievance into a compliance line item.
The Closer
A ransomware gang breaching Oracle ERP systems like it's an all-you-can-breach buffet, a medical device company getting wiped by its own laptop management tool, and the FBI investigating malware hiding inside video games on the world's most trusted gaming platform. Somewhere a CISO is explaining to the board that the real threat isn't the hackers — it's the 17-year-old PowerPoint bug nobody patched because "who still uses ActiveX?" Enjoy your Sunday.
If someone you know is still gaming on their work laptop, forward this before they find out the hard way.