The Lyceum: Cybersecurity Daily — Mar 22, 2026
Sunday, March 22, 2026
The Big Picture
CISA's deadline to patch a max-severity Cisco firewall flaw is today, 23 public exploit templates for a Windows Notepad RCE are live on GitHub, and the FBI confirmed that Russian intelligence is actively hijacking Signal and WhatsApp accounts belonging to U.S. officials and journalists. Meanwhile, Los Angeles Metro is down after a WorldLeaks ransomware attack disrupted operations, and macOS 26 quietly broke its own VPN and encrypted DNS features in ways that leak traffic in plaintext. This is a day when the things people trust most — their firewall, their text editor, their encrypted messenger, their operating system's DNS — are all demonstrably failing.
What Just Shipped
- CVE-2026-20131 Patch (Cisco): Emergency fix for max-severity unauthenticated RCE in Secure Firewall Management Center; CISA deadline is today.
- CVE-2026-21992 Out-of-Cycle Patch (Oracle): CVSS 9.8 unauthenticated RCE fix for Identity Manager and Web Services Manager.
- KB5085516 Emergency Update (Microsoft): Out-of-band fix for sign-in breakages caused by the March cumulative update KB5079473.
- CVE-2026-20841 PoC Templates (Community): 23 public exploit repositories now live for the Windows Notepad Markdown RCE.
- CISA KEV Additions (CISA): Five new entries including Craft CMS and Apple iOS zero-days confirmed exploited in the wild.
- CVE-2026-21385 Patch (Google/Qualcomm): Android March bulletin patches actively exploited Qualcomm GPU memory corruption zero-day across 234 chipsets.
Today's Stories
Your Cisco Firewall Has Been a Root Shell Since January — Today's the Last Day to Fix It
CVE-2026-20131 is a maximum-severity flaw in Cisco Secure Firewall Management Center — the centralized control plane for enterprise Cisco firewalls, intrusion prevention, and malware filtering. An unauthenticated attacker sends a crafted request to the web management interface and can obtain a root shell. No credentials required.
Cisco patched it March 4. CISA added it to the Known Exploited Vulnerabilities catalog on March 20, flagging active use in ransomware campaigns, and gave federal agencies until today to patch or disconnect. A Reddit thread claims the Interlock ransomware group exploited it 36 days before public disclosure and alleges they used compromised firewalls as on-ramps, converted random Linux servers into proxy relays, and wiped logs every five minutes.
If you run Cisco FMC and haven't patched since March 4, assume your perimeter has been compromised. No workaround exists. The patch is the only fix, and the deadline is today. Watch for Interlock to expand targeting as unpatched instances linger past today.
The Notepad Exploit Is Now a Template — All 23 of Them
Nobody thinks of a text file as dangerous. That mental blind spot is exactly why CVE-2026-20841 matters today.
The vulnerability lives in Windows Notepad's Markdown rendering feature — the 2025 addition that lets Notepad display formatted text. Open a crafted .md file, click a link inside it, and Notepad invokes unverified protocol handlers (system shortcuts that tell Windows which program should open a particular type of link) that can download and execute attacker-controlled code with your permissions. CVSS 8.8. Microsoft patched it in February, but only for users with Microsoft Store auto-updates enabled — and many enterprise environments disable exactly that. The CVE record confirms the scope.
What changed today: 23 public proof-of-concept exploits are now live on GitHub. The window from research paper to phishing campaign is closed. Check your Notepad version — it should be 11.2510 or later. If your organization pushes updates through SCCM or Intune rather than the Store, verify those .md files aren't already sitting in someone's inbox. Expect phishing campaigns using Markdown attachments to spike this week.
Russia Is Reading Your Signal Messages — The FBI Made It Official
A joint CISA and FBI advisory issued Friday confirms that Russian intelligence-linked actors are running a sustained campaign to hijack Signal and WhatsApp accounts. The method is disarmingly simple: targets receive what appears to be a request from a trusted contact asking them to verify a device or scan a QR code. Complying links the attacker's device to your account as a trusted secondary device, giving them real-time access to every message — sent and received — going forward.
The advisory names current and former U.S. government officials, military personnel, political figures, and journalists as targets. The FBI reports thousands of accounts already compromised. This isn't a theoretical nation-state technique limited to embassy staff — Signal and WhatsApp's legitimate device-linking features are the attack surface.
The fix is immediate: open Settings in both apps, check which devices are linked, and remove anything you don't recognize. Be deeply skeptical of any request to link a new device or scan a QR code, even from people you know. Amid concurrent APT28 activity against European institutions, this campaign may expand to EU targets.
macOS 26 Just Quietly Broke VPN DNS, Encrypted DNS Profiles, and Private Network Resolution
Apple's newest macOS has three DNS bugs that collectively undermine the privacy and security features people specifically bought into. The /etc/resolver/ per-domain DNS mechanism — a long-standing, Apple-documented feature — is silently broken for any custom top-level domain not in the public IANA root zone. Apple's mDNSResponder intercepts queries for domains like .internal, .local, and .test and treats them as multicast DNS, never consulting the nameserver you configured.
It gets worse. Installing encrypted DNS profiles via .mobileconfig files fails with a misleading error. VPN services that rely on custom DNS configurations experience resolution failures when encryption is enabled — and the system falls back to plaintext DNS on port 53, breaking the entire security model. Users of Mullvad, NextDNS, AdGuard, or Quad9 can't install or update encrypted DNS profiles; existing ones work, but remove one and it's gone.
These issues have been reported across Hacker News, Privacy Guides, Tailscale, and Docker forums — multiple independent workflows are broken. Apple has issued no statement. If your organization deploys macOS with VPN or internal DNS, validate resolution paths end-to-end now. The thing protecting your DNS traffic may be the thing leaking it.
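One way to do that end-to-end validation, as an added example that is not the newsletter's or Apple's code: for each /etc/resolver/<domain> file it asks the configured nameserver directly with dig, then asks the system resolver via dscacheutil, and reports domains where the file is being bypassed. The probe hostname, the verdict labels and the sample data in the comments are assumptions; it must run on the affected Mac to produce real verdicts.

```python
"""Added example: end-to-end check for the macOS 26 /etc/resolver regression. Ask each
domain's configured nameserver directly, then the OS resolver, and compare the answers."""
import os
import subprocess

RESOLVER_DIR = "/etc/resolver"
# Assumption: a host by this name exists in every internal zone; override with PROBE_HOST=...
PROBE_HOST = os.environ.get("PROBE_HOST", "dns-check")

def parse_resolver_file(text):
    """Nameservers listed in an /etc/resolver file (resolv.conf syntax)."""
    fields = (line.split() for line in text.splitlines())
    return [f[1] for f in fields if len(f) > 1 and f[0] == "nameserver"]

def parse_dig_short(output):
    """IPv4 answers from `dig +short`, ignoring CNAME targets and blank lines."""
    return sorted(l for l in output.split() if l.count(".") == 3 and l.replace(".", "").isdigit())

def parse_dscacheutil(output):
    """ip_address values from `dscacheutil -q host -a name <fqdn>` output."""
    return sorted(l.split(":", 1)[1].strip() for l in output.splitlines() if l.startswith("ip_address:"))

def classify(direct, system):
    """direct = answers from the configured nameserver; system = answers via mDNSResponder."""
    if not direct:
        return "NO_DIRECT_ANSWER"   # nameserver unreachable or probe host absent: fix the zone first
    if not system:
        return "IGNORED"            # OS resolver returned nothing: the resolver file is bypassed
    return "OK" if direct == system else "MISMATCH"

def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def check_all(resolver_dir=RESOLVER_DIR):
    """Map each /etc/resolver domain to a verdict; empty dict when the directory is absent."""
    verdicts = {}
    for name in sorted(os.listdir(resolver_dir)) if os.path.isdir(resolver_dir) else []:
        with open(os.path.join(resolver_dir, name)) as fh:
            servers = parse_resolver_file(fh.read())
        if not servers:
            continue
        fqdn = f"{PROBE_HOST}.{name}"
        direct = parse_dig_short(run(["dig", "+short", "+time=2", "+tries=1", f"@{servers[0]}", fqdn, "A"]))
        system = parse_dscacheutil(run(["dscacheutil", "-q", "host", "-a", "name", fqdn]))
        verdicts[name] = classify(direct, system)
    return verdicts

if __name__ == "__main__":
    for domain, verdict in check_all().items():
        print(f"{domain:<20} {verdict}")
```

An IGNORED verdict for a custom TLD such as .internal is the symptom described above; a MISMATCH usually means the OS answered from a different, typically public, path.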
⚡ What Most People Missed
OpenClaw, the AI agent framework that became GitHub's most-starred project faster than anything in history, accumulated five new CVEs in 48 hours. Researchers have called out CVE-2026-25253 and flagged a "skills" marketplace distributing malicious plugins. One audit reportedly found 512 vulnerabilities, eight critical. If your team adopted OpenClaw because it moved fast, ask what security review happened along the way. Dark Reading's assessment calls it "a security nightmare."
A cyberattack on breathalyzer company Intoxalock left Connecticut drivers unable to start their cars. The company's supporting systems were paused on March 14 as a precaution, preventing required recalibrations for ignition interlock devices. No data breach — just a vendor backend going dark and creating immediate physical-world consequences for people who literally cannot drive without it.
Bruce Schneier's AI training poisoning demo from February is detonating on r/hacking today with 1,200+ upvotes. He wrote a fake article claiming competitive hot-dog-eating was popular among tech journalists; within 24 hours, Google Gemini and ChatGPT were confidently repeating it. The community conversation has shifted from "neat demo" to "what happens when agentic AI systems act on poisoned data without human review" — and nobody has a good answer.
The Akira ransomware GPU decryptor from March 2025 is trending again on Hacker News. A year-old blog post dominating today's front page almost certainly means organizations are still dealing with this variant. The tool exploits a timestamp-based key generation flaw and works for the Linux/ESXi variant — free, on GitHub, and within reach of any IR team with cloud GPU access.
WorldLeaks ransomware group disrupted Los Angeles Metro operations and prompted Foster City to declare a state of emergency. The group claims 160 GB of stolen city data. When ransomware hits transit infrastructure, the extortion clock runs against real people missing buses, not IT tickets.
From the Foreign Press
New Banking Trojan "Perseus" Hunts Passwords Hidden in Notes Apps
Xakep.ru details a newly identified Android banking trojan called Perseus that specifically targets note-taking and memo applications — the places where people store passwords, seed phrases, and account recovery codes they're too lazy to put in a proper password manager. Perseus scans note content using pattern matching for cryptocurrency wallet formats and common credential structures, then exfiltrates matches to C2 infrastructure. This is a reminder that "write it down in Notes" is now an explicitly targeted behavior, not just bad hygiene advice.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
DarkSword iOS Exploit Kit: Full Technical Breakdown
FreeBuf published a detailed Chinese-language technical analysis of the DarkSword iOS exploit kit, documenting its six-vulnerability chain (three zero-days) that achieves full device control on iOS 18.4 through 18.7. The writeup maps the WebKit/JavaScriptCore entry points, sandbox escape mechanisms, and data exfiltration paths — providing IOC-level detail that hasn't appeared in English-language coverage. For teams building mobile threat detection rules, this is the most granular public analysis available.
Source: FreeBuf — Chinese. No English-language coverage confirmed at time of publication.
Interpol: AI-Powered Fraud Now 4.5× More Profitable Than Traditional Schemes
Xakep.ru reports on new Interpol statistics showing fraud operations leveraging AI tools — deepfake voice, generated identity documents, automated social engineering — are generating 4.5 times the revenue of traditional fraud. The numbers come from Interpol's own operational data, and they quantify what the industry has been saying anecdotally: AI doesn't just make fraud easier, it makes it dramatically more profitable per operation.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If CISA adds Oracle CVE-2026-21992 to KEV this week, that would indicate active exploitation of a CVSS 9.8 unauthenticated RCE in identity management — and would force every Oracle IAM shop into immediate triage and accelerated patching.
- If WorldLeaks publishes Los Angeles city data within days, it would signal negotiations failed and provide a template for targeting transit-dependent cities where operational pressure is likely to shorten ransom timelines.
- If Apple ships a macOS 26 point release addressing DNS, watch whether they also repair the encrypted-DNS profile handling; if Apple remains silent, organizations that rely on enterprise-managed encrypted DNS and VPNs will lack a deployable fix and may need to implement alternative DNS filtering or split-tunnel workarounds, extending exposure.
- If Akira ransomware variants start using different key generation methods, that could indicate community attention or disclosure has prompted actors to change tactics, which would reduce the GPU decryptor's usefulness and require incident responders to update recovery strategies.
- If phishing campaigns using .md file attachments appear in your telemetry this week, the 23 Notepad PoCs have been industrialized faster than expected — tune detections to flag abnormal Notepad protocol handler invocations and unusual outbound fetches spawned by the editor.
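The detection tuning suggested in the last item (and in the Notepad story above), as an added example that is not from the newsletter or from Microsoft: two rules run over constructed Sysmon-style records, flagging any child of notepad.exe that is not an allowlisted browser or that carries a non-web URI scheme, plus any outbound connection from the editor itself. The browser allowlist, the handler name and every record are constructed assumptions.

```python
"""Added example: detection rules for the CVE-2026-20841 Notepad pattern, run over
constructed Sysmon-style records (EventID 1 = process create, 3 = network connect)."""
import re

# Expected children when a user clicks an http(s) link in rendered Markdown.
# Assumption: tune to the browsers actually deployed in your environment.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
WEB_SCHEMES = {"http", "https", "mailto"}
# A URI scheme of two or more characters followed by ':' (drive letters like C:\ do not match).
URI_RE = re.compile(r"\b([a-z][a-z0-9+.-]+):(?://|\S)", re.I)

def basename(path):
    """Lower-cased file name; works for both System32 and WindowsApps (Store) Notepad paths."""
    return path.rsplit("\\", 1)[-1].lower()

def uri_schemes(cmdline):
    """Set of lower-cased URI schemes appearing in a command line."""
    return {m.group(1).lower() for m in URI_RE.finditer(cmdline)}

def detect(events):
    """Return one alert per record that matches either rule, in input order."""
    alerts = []
    for ev in events:
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        if ev["EventID"] == 1 and parent == "notepad.exe":
            odd = uri_schemes(ev.get("CommandLine", "")) - WEB_SCHEMES
            if image not in BROWSERS or odd:  # non-browser child, or a custom protocol handler
                alerts.append({"rule": "notepad_spawned_handler", "record": ev["RecordId"],
                               "image": image, "schemes": sorted(odd)})
        elif ev["EventID"] == 3 and image == "notepad.exe":  # the editor itself fetching something
            alerts.append({"rule": "notepad_outbound", "record": ev["RecordId"],
                           "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return alerts

SAMPLE_EVENTS = [  # constructed records, not real telemetry; 203.0.113.0/24 is documentation space
    {"RecordId": 1, "EventID": 1, "ParentImage": r"C:\Windows\System32\notepad.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": '"msedge.exe" https://docs.example.com/readme'},  # benign link click
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\System32\notepad.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c constructed-placeholder.bat"},
    {"RecordId": 3, "EventID": 1, "ParentImage": r"C:\Windows\System32\notepad.exe",
     "Image": r"C:\Program Files\ExampleApp\handler.exe",  # hypothetical custom protocol handler
     "CommandLine": '"handler.exe" exampleapp://open?doc=1'},
    {"RecordId": 4, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # unrelated shell
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Records 2, 3 and 5 fire; the Edge launch with an https link and the explorer-spawned shell do not.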
The Closer
A text editor that executes code, a firewall that hands out root shells, and an encrypted messenger that gives Russia a front-row seat — the tools we trust most are having their worst week. Meanwhile, macOS quietly decided your VPN's DNS should travel in plaintext, which is the operating system equivalent of installing a screen door on a submarine. Stay paranoid.
If someone you know is still opening .md files in Notepad like it's 2024, forward them this.