The Lyceum: Cybersecurity Daily — Mar 17, 2026
Tuesday, March 17, 2026
The Big Picture
Two tools you probably forgot were installed — an enterprise FTP server and a workflow automation engine — are confirmed actively exploited in the wild, and CISA just gave federal agencies two weeks to patch. Meanwhile, a proof-of-concept exploit for a Windows Notepad vulnerability went public on GitHub, compressing the window between "patched in February" and "weaponized in March" to roughly the time it takes to find a README file. And hacktivists who breached DHS keep pulling threads: today's revelation is $845 million in AI surveillance contracts, including predictive policing built on 911 call data.
Today's Stories
CISA Flags Active Exploitation of Wing FTP Server and n8n — Two Tools You Forgot to Patch
If your organization runs a file transfer server or uses n8n to automate workflows, someone may already be inside.
CISA added Wing FTP Server (CVE-2025-47813) to its Known Exploited Vulnerabilities catalog on March 16, with a remediation deadline of March 30. The flaw is an information disclosure bug triggered by a long value in the UID cookie — an unauthenticated attacker sends a malformed request and gets back sensitive data, including the full local installation path. That sounds trivial until you realize path information is a common pivot point: researchers have demonstrated chaining it with other server-side bugs to achieve full remote code execution.
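The practical question for defenders is whether anyone has been sending those oversized UID cookies at your server. The following is an added example, not code from the newsletter or from Wing FTP's vendor: a small log scanner that flags requests whose UID cookie exceeds a length threshold and tallies them by source address. The log layout (combined format with the Cookie header appended as a trailing quoted field), the 64-character threshold and the sample lines are all constructed assumptions for this illustration; adapt the regex to what your reverse proxy or server actually writes.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Combined-log style line with the raw Cookie header as the last quoted field.
# This layout is an assumption for the example, not Wing FTP's real log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

# Legitimate session identifiers in the sample are short hex strings, so 64
# leaves generous headroom. The threshold itself is an assumption; tune it to
# the cookie lengths your own deployment normally issues.
MAX_UID_LEN = 64

# Constructed sample traffic: two ordinary sessions, two requests carrying an
# oversized UID value (and drawing server errors), and one request without cookies.
LONG_UID = "A" * 150  # constructed oversized cookie value
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [16/Mar/2026:09:12:01 +0000] "GET /admin/login HTTP/1.1" 200 512 "UID=a1b2c3d4e5f6"',
    '203.0.113.10 - - [16/Mar/2026:09:12:03 +0000] "GET /admin/dir HTTP/1.1" 200 2048 "UID=a1b2c3d4e5f6"',
    f'198.51.100.7 - - [16/Mar/2026:09:14:22 +0000] "GET /admin/login HTTP/1.1" 500 1331 "UID={LONG_UID}; lang=en"',
    f'198.51.100.7 - - [16/Mar/2026:09:14:25 +0000] "GET /admin/login HTTP/1.1" 500 1340 "UID={LONG_UID}"',
    '192.0.2.55 - - [16/Mar/2026:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 700 "-"',
])


def uid_from_cookie(cookie_field: str) -> Optional[str]:
    """Return the UID value from a raw Cookie header string, or None if absent."""
    if cookie_field == "-":
        return None
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "UID":
            return value
    return None


def scan(log_text: str, max_len: int = MAX_UID_LEN) -> List[Dict]:
    """Return one alert record per request whose UID cookie is longer than max_len."""
    alerts: List[Dict] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        uid = uid_from_cookie(m["cookie"])
        if uid is None or len(uid) <= max_len:
            continue
        alerts.append({
            "line": lineno,
            "src_ip": m["ip"],
            "path": m["path"],
            "status": int(m["status"]),  # a 5xx alongside a long UID is worth escalating
            "uid_len": len(uid),
        })
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Count oversized-cookie requests per source address for triage."""
    per_ip: Dict[str, int] = defaultdict(int)
    for a in alerts:
        per_ip[a["src_ip"]] += 1
    return dict(per_ip)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"line {a['line']}: {a['src_ip']} {a['path']} status={a['status']} uid_len={a['uid_len']}")
    print("per source:", summarize(found))
```

Run against historical access logs before patching as well as after: the KEV listing says the bug is already being exploited, so a clean result post-patch says nothing about what happened last month.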
The second addition is worse. n8n, a popular open-source workflow automation tool, carries CVE-2025-68613 — a remote code execution vulnerability in its expression evaluation system. n8n is the kind of tool a developer installs once, wires to Slack, GitHub, cloud databases, and internal APIs with high-privilege keys, and then everyone forgets it exists. A compromised n8n instance doesn't just give an attacker a foothold — it gives them the keys to everything n8n touches, which is often everything.
As one security executive told Computer Weekly: "The KEV catalogue is not just a list of bugs, it is a blueprint of what adversaries are successfully monetising today."
Both have patches available. Update now. Federal agencies must comply by March 30; private-sector organizations should treat that as a ceiling, not a target.
That Windows Notepad Vulnerability Has a Public Exploit Now — Here's Why That Changes Everything
A vulnerability patched five weeks ago just got a lot more dangerous, after a working proof-of-concept exploit was published on GitHub.
CVE-2026-20841 is a critical remote code execution flaw (CVSS 8.8) in Windows Notepad's relatively new Markdown rendering feature — the upgrade that lets Notepad display formatted text. An attacker tricks a user into clicking a malicious link inside a .md file opened in Notepad, which causes the app to launch unverified protocols that load and execute remote files with the logged-in user's permissions. The Notepad Markdown engine doesn't validate certain URL protocols, allowing abuse of file:/// to point to files on WebDAV or SMB network shares — a well-known malware delivery technique.
The news today: a working proof-of-concept exploit was published on GitHub and promptly hit 800+ points on Hacker News. The researcher notes that if the target has Python or Java installed, attackers can use .py or .jar payloads to bypass Windows' built-in warning dialogs entirely. Analysts at Threat Landscape are also flagging a possible exploit chain: CVE-2026-20805, a Windows ALPC information disclosure flaw patched in January, is being used in the wild to defeat ASLR — and may be paired with the Notepad bug for final payload execution.
Microsoft hasn't confirmed targeted in-the-wild exploitation beyond the PoC. Notepad ships via the Microsoft Store, and many enterprises don't surface its updates in central patch dashboards. Verify your fleet is on Notepad version 11.2510 or later — and brief your helpdesk to flag unexpected Markdown attachments.
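Because Store-delivered Notepad rarely shows up in patch dashboards, the realistic route is an inventory export checked offline. Here is an added example, not from the newsletter or from Microsoft, that audits a constructed CSV of hostnames and Notepad versions against the 11.2510 floor quoted above. The CSV columns are an assumption for this illustration; a real Intune, SCCM or MDM export will need its own column names. The one thing worth noticing is that versions must be compared numerically: as a string, "11.9" sorts after "11.2510" and would be reported as patched.

```python
import csv
import io
from typing import Dict, List, Tuple

MIN_NOTEPAD_VERSION = "11.2510"  # the minimum version given in the story above

# Constructed inventory export (hostname,notepad_version). Column layout is an
# assumption for this example. An empty version means no Notepad package found.
SAMPLE_INVENTORY = """\
hostname,notepad_version
WS-0001,11.2510.21.0
WS-0002,11.2409.9.0
WS-0003,11.9.0.0
WS-0004,
WS-0005,11.2511.3.0
"""


def parse_version(s: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 11.2510 sorts after 11.9."""
    return tuple(int(p) for p in s.strip().split(".") if p != "")


def is_patched(version: str, minimum: str = MIN_NOTEPAD_VERSION) -> bool:
    """True when version is at or above the minimum, compared component-wise."""
    # Tuple comparison handles differing lengths: (11, 2510, 21, 0) >= (11, 2510)
    # because the shared prefix is equal and the longer tuple counts as greater.
    return parse_version(version) >= parse_version(minimum)


def audit(csv_text: str, minimum: str = MIN_NOTEPAD_VERSION) -> Dict[str, List[str]]:
    """Bucket every host as compliant, outdated, or missing a Notepad version."""
    result: Dict[str, List[str]] = {"compliant": [], "outdated": [], "missing": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"]
        ver = (row.get("notepad_version") or "").strip()
        if not ver:
            result["missing"].append(host)  # no package reported: verify by hand
        elif is_patched(ver, minimum):
            result["compliant"].append(host)
        else:
            result["outdated"].append(host)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '(none)'}")
```

Hosts in the "missing" bucket deserve a second look rather than a pass: an inventory agent that cannot see Store apps is exactly the blind spot the story describes.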
Hacktivists Tore Open DHS's AI Surveillance Playbook — and It's Stranger Than Fiction
A data breach that happened two weeks ago keeps getting more interesting as journalists work through the stolen documents — and today's batch covers the government's AI-powered surveillance wishlist.
A hacktivist group calling itself "Department of Peace" accessed and uploaded DHS documents revealing the depth of the department's AI surveillance funding: an AI tool that uses 911 call data to build "geospatial heat maps" predicting crime patterns, automated airport surveillance, and adapters that let federal agents collect biometric data from their phones. The leaked data includes two databases — one listing over 6,800 bidding companies, another detailing roughly 1,400 funded contracts worth approximately $845 million from 2004 to 2025. Named contractors include Palantir, Oracle, Raytheon, and Microsoft. One vendor, Intellisense, would use its Ossca system to detect and track individuals, identify clothing, shoe types, and accessories, with automated alerts for field agents.
The cybersecurity angle cuts both ways. First, DHS itself got breached — the agency responsible for defending federal civilian infrastructure couldn't protect its own contractor registry, which now includes employee names, contact details, and in some cases home addresses. Second, the revelation follows testimony from DHS leaders last month in which they said under oath they have no domestic terrorist database — contradicted by what's now public. The documents were published via the transparency nonprofit Distributed Denial of Secrets, and multiple outlets — The Mirror, The Guardian, and FedScoop — are independently corroborating the contents.
Watch for DHS's official response, and whether named contractors face follow-on targeting.
Stryker Confirms Destructive Wiper Attack Wiped Tens of Thousands of Devices
Stryker, one of the world's largest medical device manufacturers, disclosed on March 17 that a destructive wiper attack — malware designed to permanently erase data rather than hold it for ransom — reportedly wiped tens of thousands of corporate devices and disrupted operations globally.
Unlike ransomware, wipers don't offer a transaction. The attackers appear motivated by disruption, not extortion, and some reporting associates the attack with the Iran-linked Handala hacktivist group, though Stryker's public statements stop short of formal attribution. No patient data has been confirmed leaked. But the scale of device loss highlights a risk that hospitals rarely model: vendors that service clinical operations can become attack vectors that ripple into patient care. Combined with Intuitive Surgical's disclosure this month of a phishing breach exposing surgeon and employee records, the medtech sector is under coordinated pressure from multiple directions.
Expect extended outages and regulatory scrutiny if the incident continues to affect supply or maintenance services.
⚡ What Most People Missed
Gartner now predicts AI will drive half of all incident response by 2028 (March 17, 2026 forecast). The forecast implies not just faster triage but an entirely new category of AI-security platforms — and IR teams that haven't started building AI-specific playbooks are already behind the curve.
📅 What to Watch
- If exploitation of the Notepad RCE appears in phishing lures this week (likely as emailed .md files), it will confirm that public PoCs are now being weaponized faster than enterprise Store-update policies can respond — forcing a rethink of how app-store-delivered patches are validated across fleets.
- If DHS issues a formal statement on the Department of Peace breach, watch whether it confirms or disputes the AI surveillance contracts — an official denial would be extraordinary given how detailed and independently corroborated the leaked data is.
- If the n8n KEV entry triggers breach disclosures from organizations using n8n in CI/CD pipelines, the blast radius will extend into source code repositories and cloud infrastructure, not just the automation tool itself.
- If the Stryker outage drags past this week, expect a CISA or FDA advisory — the first time a wiper attack on a medtech supplier could trigger formal clinical-impact guidance.
- If the House of Commons Defence Committee opens a formal inquiry (committee stage) into foreign-company access to UK defence data, it will likely trigger audits of US tech company data access across European governments — with contract implications in Germany, France, and the Netherlands.
The Closer
A text editor that executes code, a workflow tool that hands attackers the keys to everything, and a government surveillance playbook that leaked because the surveillance agency couldn't secure its own filing cabinet. The 911 calls are supposed to predict your future — turns out nobody predicted DHS would get hacked by people who named themselves after a John Lennon song. Stay paranoid.
If someone you know runs n8n, Wing FTP, or a medical device company — forward this before they find out the hard way.