The Lyceum: Cybersecurity Daily — Mar 19, 2026
Thursday, March 19, 2026
The Big Picture
Cisco firewalls are having a very bad week — a ransomware group had a perfect-10 zero-day for six weeks before anyone noticed, and a second Cisco firewall family is getting hit with a separate zero-day simultaneously. Meanwhile, CISA confirmed active exploitation of a SharePoint bug that's been patchable since February, Adobe rushed out an Acrobat zero-day fix, and Flare and IBM cracked open the org chart of North Korea's 100,000-person fake IT worker operation. The theme today is uncomfortable: the people attacking you are more organized than the people defending you, and the window between "patch available" and "you're compromised" is now measured in days, not months.
What Just Shipped
- CISA KEV Addition: CVE-2026-20963 — SharePoint Deserialization (CISA/Microsoft): Active exploitation confirmed; patch available since February Patch Tuesday.
- Adobe Acrobat/Reader Emergency Patch (Adobe): Out-of-band fix for an actively exploited zero-day enabling RCE via malicious PDFs on Windows and macOS.
- ConnectWise ScreenConnect 26.1 (ConnectWise): Patches CVE-2026-3564 (CVSS 9.0), a cryptographic key weakness in on-prem installations that could allow session hijacking.
- Flare/IBM X-Force DPRK IT Worker Infrastructure Report (Flare/IBM): First public exposure of internal management platforms — "RB Site" and "NetkeyRegister" — used to coordinate North Korea's fake worker scheme.
- SpyCloud 2026 Identity Exposure Report (SpyCloud): Documents 65.7 billion exposed identity records, including 18.1 million API keys and 6.2 million AI-tool credentials.
- HiddenLayer 2026 AI Threat Landscape Report (HiddenLayer): Survey of 250 IT/security leaders finds agentic AI implicated in roughly 1 in 8 AI-related breaches.
Today's Stories
Interlock Ransomware Had a Cisco Zero-Day for Six Weeks Before Anyone Knew
Ransomware groups finding zero-days used to be the exclusive territory of nation-state spies. That distinction is now academic.
Amazon Threat Intelligence is warning of an active Interlock ransomware campaign exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center — a flaw carrying a perfect CVSS 10.0. The bug is insecure deserialization (the software trusts data it shouldn't) that lets an unauthenticated attacker execute code as root on your firewall management console. Root on FMC means the attacker owns the controls that are supposed to protect everything else.
The alarming part: according to Amazon's MadPot sensor network, Interlock exploited this as a zero-day since January 26 — more than a month before Cisco publicly disclosed it. The group focused on healthcare, manufacturing, and government, sectors where downtime creates maximum pressure to pay.
Separately, a second Cisco zero-day affecting ASA and Firepower Threat Defense platforms is also being actively exploited to drop malware. If you manage any Cisco firewall family, treat this as an all-hands emergency. Apply patches, then audit for compromise going back to late January.
Your SharePoint Server Is Being Actively Attacked — Patch It Now
CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog yesterday, confirming that attackers are actively exploiting a deserialization flaw in Microsoft SharePoint. An unauthorized attacker can execute code over a network — no username or password required.
The patch has been available since February's Patch Tuesday. That represents about a five-week gap between "fix shipped" and "actively exploited" — a gap attackers commonly exploit while organizations schedule change-control meetings.
CISA also added a Zimbra Collaboration Suite flaw (CVE-2025-66376) to the same catalog this week. The pattern is clear: collaboration and management platforms — the tools your entire organization trusts — are the attack surface du jour. If your SharePoint instance is internet-facing and unpatched, it is a live target right now.
North Korea Built a Corporate Empire Out of Fake Tech Workers — And IBM Just Exposed the Org Chart
Imagine a foreign government running a staffing agency — complete with recruiters, HR managers, performance reviews, and timesheets — except the entire operation exists to infiltrate your company, steal your secrets, and fund a weapons program.
Flare and IBM X-Force published a report today revealing the internal infrastructure of North Korea's fake IT worker scheme. According to U.S. government figures, upwards of 100,000 North Koreans across 40 countries generate approximately $500 million a year for Pyongyang. The researchers uncovered internal platforms — "RB Site" and "NetkeyRegister" — that function as management dashboards for tracking work and distributing software. This isn't a loose network of freelancers. It's a managed enterprise.
Some operatives recruit Western individuals via LinkedIn or GitHub to use their identities, meaning your background check can pass cleanly. Warning signs include AI face changers during video calls, unusual Google Translate usage on corporate endpoints, and salary requests in cryptocurrency.
The job application sitting in your hiring queue might be the most sophisticated cyberattack your organization will ever face — and your security team has no visibility into it because it arrives through HR.
Adobe Acrobat Zero-Day Under Active Attack — Update Now
Adobe issued an out-of-band update for an Acrobat/Reader zero-day that's being actively exploited in the wild. The vulnerability allows remote code execution via malicious PDFs, and attackers are already weaponizing it to drop payloads on both Windows and macOS.
Acrobat is ubiquitous in enterprise workflows. A single malicious PDF — arriving as an invoice, a contract, a "please review this document" — can turn into a full-system compromise. Apply the update now, block suspicious PDF sources at the gateway, and consider sandboxing document viewers for higher-risk users. This is the kind of bug that makes phishing campaigns dramatically more effective.
⚡ What Most People Missed
An AI found 12 bugs in OpenSSL that humans missed for decades — then found 13 more in Amazon's crypto stack. An autonomous analyzer called AISLE discovered all twelve CVEs in OpenSSL's January coordinated release, including one rated CVSS 9.8. It then turned to AWS-LC and s2n-tls and reported 13 additional issues. The assumption that heavily audited code is safe is shakier than anyone wants to admit. [Source: AISLE vendor blog — findings corroborated by OpenSSL Foundation's public acknowledgment.]
UK Ministry of Defence whistleblowers say Palantir can infer state secrets without touching classified data. Two senior MoD systems engineers told The Nerve that Palantir's analytics can combine unclassified datasets to reveal classified information — like nuclear submarine locations — through what intelligence professionals call the "mosaic effect." Palantir called the claims "entirely false." This is sourced from two anonymous insiders at a single outlet, but the institutional credentials and follow-up reporting in the UK press make it more than fringe.
Malicious Chrome extensions stole AI chatbot conversations from nearly a million users. Two extensions posing as AI productivity tools — including one branded as "ChatGPT for Chrome with GPT-5" — exposed private conversations and browsing data from roughly 900,000 users, according to Ox Security researchers. If your employees installed AI browser extensions without IT review, audit them today.
A critical telnet flaw with no patch has a 9.8 severity score — and it's sitting on your network. CVE-2026-32746 in the GNU InetUtils telnet daemon allows unauthenticated remote code execution before any login prompt appears. No fix is expected before April 1. If telnet is running anywhere in your environment, disable it or block external access immediately.
Marquis Bank's ransomware breach traces back to stolen firewall backups. The delayed disclosure confirmed 672,075 customers had SSNs, bank numbers, and PII exfiltrated — and the initial access allegedly came through exported SonicWall configuration backups. If your firewall configs contain credentials and you're not treating those exports as crown jewels, this is your cautionary tale.
From the Foreign Press
CrackArmor Vulnerabilities Allow Root Privilege Escalation and Container Escape in Linux AppArmor
Xakep.ru reports on newly disclosed vulnerabilities dubbed "CrackArmor" affecting Linux AppArmor — the mandatory access control framework used to sandbox applications on Ubuntu and other distributions. The flaws reportedly allow an unprivileged attacker to escalate to root and break out of container isolation. Given that AppArmor is a default security boundary in many cloud and container deployments, this has direct implications for anyone running containerized workloads.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
IP KVM Devices From Multiple Manufacturers Found Vulnerable
Xakep.ru details newly discovered vulnerabilities in IP KVM (keyboard-video-mouse) devices from several manufacturers. IP KVMs provide remote physical-level access to servers and are common in data centers and colocation facilities — a compromised KVM effectively gives an attacker a seat at the console. The article warns that many of these devices run outdated firmware and are exposed to the internet. If you manage data center infrastructure, this is worth tracking even before English-language advisories appear.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
CERT-UA: APT28 Exploiting CVE-2026-21509 Against Ukraine and EU Countries
CERT-UA published advisory #19542 warning that UAC-0001 (APT28/Fancy Bear) is conducting cyberattacks against Ukraine and EU member states using an exploit for CVE-2026-21509. The advisory is classified as a "Security Bulletin" and indicates active targeting. Given APT28's track record of pivoting techniques tested in Ukraine into broader European campaigns, Western organizations should monitor for this CVE in their own environments.
Source: CERT-UA Advisory #19542 — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Cisco publishes IOCs for the Interlock/CVE-2026-20131 campaign, previously undetected intrusions could be identified and attributed, increasing the known victim count from that six-week zero-day window — and incident response firms will face a surge in containment and forensic work.
- If Treasury/OFAC issues follow-up sanctions tied to the Flare/IBM DPRK report, expect infrastructure takedowns that temporarily disrupt the fake worker pipeline — and a rapid pivot to new platforms by Pyongyang's operators.
- If the CrackArmor AppArmor flaws get English-language CVEs and PoC code, container escape attacks against cloud workloads could spike — review your AppArmor profiles and container runtime configurations now.
- If RMM vendors beyond ConnectWise quietly ship cryptographic hardening updates this week, it signals they're closing similar design gaps before they get their own CVE — and confirms the attack class is broader than one product.
- If Marquis Bank's legal filings against SonicWall gain traction, the question of who's liable when exported firewall configs become the initial access vector will reshape how vendors handle configuration backup security.
The Closer
A ransomware crew running a perfect-10 Cisco exploit for six weeks like it's a private beta. North Korea managing 100,000 fake employees with timesheets and Google Translate. A 27-year-old telnet bug sitting on your network with a 9.8 score and no patch until April Fools' Day.
The most sophisticated cyberattack your company faces this year might arrive as a résumé with a LinkedIn endorsement from someone who doesn't exist.
Stay sharp out there.
If someone you know manages firewalls, hires remote developers, or still has telnet running somewhere — forward this. They'll thank you later.