The Lyceum: Cybersecurity Daily — Mar 23, 2026
Monday, March 23, 2026
The Big Picture
Your automation platform, your identity middleware, your phishing defenses, and Notepad all need attention today. CISA's patch deadline for an actively exploited RCE in n8n is March 25, and about 24,700 instances remain exposed; a global coalition partially disrupted the phishing kit that made your MFA decorative (operators are already rebuilding), and Oracle quietly shipped a 9.8-severity emergency fix for the identity system that controls who gets to be who inside your enterprise. The thread connecting all of it: the glue layers — automation, identity, authentication — are the new front doors, and attackers know it.
What Just Dropped
- CVE-2026-21262 — Microsoft SQL Server 2016+ Elevation of Privilege: publicly disclosed zero-day; no in-the-wild exploitation confirmed, CVSS 8.8, patched via March 2026 Patch Tuesday.
- CVE-2026-26127 — .NET Framework Denial of Service: publicly disclosed zero-day; no in-the-wild exploitation confirmed, CVSS 7.5, patched via March 2026 Patch Tuesday.
- CVE-2026-21385 — Qualcomm display component (Android): actively exploited zero-day (limited, targeted attacks), high severity, patched in Android March 2026 security bulletin.
- CVE-2026-29058 — AVideo Encoder getImage.php unauthenticated command injection: Metasploit module published March 20, 2026; weaponized.
- CVE-2026-32746 — GNU InetUtils telnetd (up to v2.7): unauthenticated RCE, CVSS 9.8, no patch available as of publication. Block or disable telnetd immediately.
Today's Stories
Your Automation Platform Is Being Actively Exploited — CISA's Deadline Is March 25
n8n is the open-source workflow automation tool that wires together AI agents, APIs, databases, and internal tools for thousands of organizations. Think of it as the nervous system connecting your cloud services — it holds your API keys, OAuth tokens, and database credentials in one place. Compromising it means owning everything it touches.
CVE-2025-68613 (CVSS 9.9) is an expression injection flaw that leads to remote code execution. It was patched in December 2025, but CISA added it to the Known Exploited Vulnerabilities catalog — the government's official list of actively exploited flaws — and 24,700 unpatched instances remain exposed, with over 12,300 in North America. Federal agencies must patch by March 25.
A second bug — CVE-2026-21858, rated 10.0 — allows attackers to take over n8n instances via improper webhook handling without authentication. Public proof-of-concept exploits now chain the two flaws together: first extract sensitive data, then execute arbitrary commands, no login required. Meanwhile, the n8n community is flagging another sandbox escape — CVE-2026-27493 (CVSS 9.5) — in public Form nodes, meaning crafted data submitted to a public workflow can result in code running on the server.
If your team self-hosts n8n, confirm instances are at version 1.122.0 or later by end of business March 23. If you can't patch immediately, pull instances off the internet. Watch for lateral movement through compromised workflows in the coming weeks — a single breached instance can expose long-lived API keys and tokens used across services.
The MFA-Bypassing Phishing Factory Is Down — But Already Growing Back
You set up two-factor authentication specifically to stop credential theft. Tycoon 2FA made that protection nearly worthless for three years, and last week a global coalition partially disrupted it.
A coalition including Microsoft, Europol, and authorities from six countries seized roughly 330 domains powering Tycoon 2FA, a phishing-as-a-service platform sold on Telegram for $350/month. The kit worked as a transparent reverse proxy — it sat between victims and legitimate services like Microsoft 365, relaying authentication prompts in real time to capture live session tokens. SMS codes, authenticator apps, push notifications — all could be captured. Microsoft Threat Intelligence says the platform reached more than 500,000 organizations monthly and hit healthcare and education hardest: over 100 Health-ISAC members were successfully phished.
CrowdStrike's Falcon Complete observed activity drop to 25% of pre-disruption levels for two days — then volume returned to early 2026 levels. Post-disruption campaigns include business email compromise, email thread hijacking, and cloud account takeover. Microsoft and Health-ISAC filed a civil complaint against alleged creator Saad Fridi in the Southern District of New York, seeking a $10 million injunction — an enforcement tactic that imposes costs without requiring extradition.
The only defense that fully closes the door is phishing-resistant authentication — FIDO2 hardware keys or passkeys. If your organization protects Microsoft 365 or Google Workspace with nothing but an authenticator app, you have a structural gap with a documented criminal ecosystem engineered to exploit it. Expect a successor platform within 30–60 days.
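Why origin binding defeats a relay proxy of the Tycoon 2FA kind, as an added illustration (not code from the newsletter or any vendor): the browser records the origin it is actually talking to in clientDataJSON, the authenticator signs over its hash, and the relying party rejects any origin that is not its own. Origins, challenge and function names below are constructed for the example.

```python
import base64
import json

# Constructed values: the relying party's genuine origin and a look-alike
# origin of the kind an AitM proxy kit would serve the victim from.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.invalid"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Mimic the browser's clientDataJSON for an assertion. The browser fills in
    the origin of the page that called navigator.credentials.get(); a relay
    proxy cannot rewrite it because the authenticator signs over its hash."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       rp_origin: str) -> tuple:
    """Relying-party checks on clientDataJSON (type, challenge, origin) from the
    WebAuthn assertion verification procedure. Signature verification over
    authenticatorData || SHA-256(clientDataJSON) is omitted here; a relayed
    assertion is already rejected on origin before it would matter."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "unexpected type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if data.get("origin") != rp_origin:
        return False, "origin mismatch: " + repr(data.get("origin"))
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x11" * 32  # in practice: a fresh random nonce stored per login
    # The proxy relays the RP's real challenge to the victim, but the victim's
    # browser is on the proxy's domain, so the origin in the signed data is wrong.
    print(verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge, RP_ORIGIN))
    print(verify_client_data(make_client_data(PROXY_ORIGIN, challenge), challenge, RP_ORIGIN))
```

In practice the browser refuses to exercise a credential whose RP ID does not match the proxy's domain, so the assertion is usually never produced at all; the server-side origin check is the backstop. Compare this with an OTP or push approval, which carries no information about where the user typed it.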
Oracle's Identity Manager Gets a 9.8 RCE Emergency Patch — Treat This Like Your Front Door
If your identity system gets hijacked, everything behind it belongs to the attacker. That's what's at stake with CVE-2026-21992 — a critical bug Oracle released an out-of-band fix for in Identity Manager and Web Services Manager.
This is a 9.8-rated unauthenticated remote code execution reachable over plain HTTP. An attacker doesn't need credentials — just network access to the vulnerable REST WebServices component. The bug affects the Fusion Middleware stack commonly used as the identity backbone for large enterprises. If exploited, attackers can mint accounts, escalate privileges, or pivot anywhere those identities are trusted. Security Affairs confirms affected versions include 12.2.1.4.0 and 14.1.2.1.0.
No broad in-the-wild exploitation has been confirmed yet, but this is the sort of bug that turns identity middleware into a skeleton key. If CISA adds it to the KEV catalog, federal agencies and contractors would face binding remediation requirements that compress patch timelines to hours. Verify these services aren't internet-exposed, patch immediately, and audit post-update logs for signs someone got there first.
OpenClaw Just Picked Up Two More CVEs — And the Community Is Calling It a "Security Nightmare"
OpenClaw — the AI coding agent that surpassed React to become the most-starred project on GitHub — keeps accumulating security flaws faster than its community can absorb them. Two new CVEs landed in the past 72 hours, and the Hacker News thread calling it "a security nightmare dressed up as a daydream" is trending at 380 points as of publication.
CVE-2026-32056 (CVSS 7.5, disclosed March 21) affects versions before 2026.2.22: the tool fails to sanitize shell startup environment variables in its system.run function, so an attacker who can plant a malicious startup file such as .bash_profile gets code execution before any allowlist is applied. CVE-2026-32025 lets attackers bypass authentication on loopback deployments by tricking users into opening a malicious page and brute-forcing the gateway password.
What makes this especially dangerous is the shadow-IT angle. Token Security found that 22% of enterprise customers have employees running OpenClaw without IT approval on corporate machines connected to internal networks. Every OpenClaw vulnerability is now potentially a business network problem. Dark Reading notes earlier flaws like CVE-2026-25253 already gave attackers a way to steal authentication tokens.
Update to version 2026.2.25 or later. If you don't know whether your developers are running OpenClaw, inventory first, then patch.
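The class of fix CVE-2026-32056 calls for, shown as an added example rather than OpenClaw's own code: scrub the variables that let an inherited environment change what a shell does before the requested command runs, and start bash with its startup files disabled. The variable list and function names are this example's assumptions, not the project's.

```python
import os
import subprocess
from typing import Mapping, Optional

# Variables through which the *caller's* environment can change what bash does
# before the requested command runs: startup-file selection, preloaded shared
# objects, exported functions, option flags. This list is the example's own,
# not OpenClaw's, and is a floor rather than a complete inventory.
SHELL_STARTUP_VARS = frozenset({
    "BASH_ENV", "ENV", "ZDOTDIR", "PROMPT_COMMAND", "SHELLOPTS", "BASHOPTS",
    "CDPATH", "GLOBIGNORE", "IFS", "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
    "DYLD_INSERT_LIBRARIES", "PERL5OPT", "PYTHONSTARTUP", "NODE_OPTIONS",
})
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"


def scrubbed_env(source: Optional[Mapping[str, str]] = None) -> dict:
    """Copy of the environment with shell-influencing variables removed and
    PATH pinned, so command lookup cannot be redirected into a caller-writable dir."""
    env = dict(os.environ if source is None else source)
    for name in list(env):
        if name in SHELL_STARTUP_VARS or name.startswith("BASH_FUNC_"):
            del env[name]  # BASH_FUNC_* carries exported shell functions
    env["PATH"] = SAFE_PATH
    return env


def build_argv(command: str) -> list:
    """bash -c is non-interactive, so it skips rc files but still sources
    $BASH_ENV; --noprofile/--norc cover the login/interactive paths too, so
    a planted ~/.bash_profile is never read whatever HOME points at."""
    return ["bash", "--noprofile", "--norc", "-c", command]


def run(command: str, env: Optional[Mapping[str, str]] = None, timeout: int = 30):
    """Run an already-allowlisted command string. The allowlist decision is the
    caller's job and now happens before any shell code has a chance to execute."""
    return subprocess.run(build_argv(command), env=scrubbed_env(env),
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed hostile environment: BASH_ENV pointing at a startup script.
    dirty = dict(os.environ, BASH_ENV="/tmp/constructed_startup.sh")
    print(repr(run("echo $BASH_ENV", env=dirty).stdout))  # the variable is gone
```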
⚡ What Most People Missed
- Your security cameras may be the vulnerability. A working exploit for motionEye CVE-2025-60787 was posted to Exploit-DB on March 23, 2026 — the open-source webcam management software running on tens of thousands of Raspberry Pis and home labs. Authenticated users can inject shell commands through configuration fields that execute as root when the daemon reloads. Most installations run privileged. No patch yet — isolate behind a VPN immediately.
- mailcow's password reset flow can be hijacked. Exploit-DB #52485 dropped on March 23, 2026 for mailcow 2025-01a — a host header injection that poisons password reset links. An attacker manipulates the HTTP Host header so the reset email points to their domain instead of yours. If you front mailcow with a reverse proxy, ensure it strips or validates Host and X-Forwarded-Host headers before they reach your mail stack.
- VoidStealer reportedly bypasses Chrome's newest protections. A new info-stealer is said to circumvent Chrome's Application-Bound Encryption using a debugger-based technique that doesn't require admin privileges. It has been sold as malware-as-a-service since March 18, 2026; if you rely on browser-stored secrets, layer defenses beyond ABE.
- The Ameriprise breach claim has a ticking clock. ShinyHunters' March 22 posting claims 200GB of Salesforce and SharePoint data with a March 25 deadline — still active as of publication. If you're an Ameriprise client or advisor, watch for targeted phishing using company-specific context.
- Palantir just got access to the UK financial regulator's intelligence data. The FCA confirmed a three-month pilot giving Palantir's Foundry platform access to suspicious activity reports and consumer complaints. Regulators running large-scale analytics over the same data attackers dream of stealing is a pattern worth modeling in your threat assessments.
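The mailcow item above describes host header injection against password reset links; this added example (not mailcow's code, hostnames and function names constructed) puts the vulnerable pattern beside the hardened one: build the link from configuration, and treat Host / X-Forwarded-Host only as something to validate. Stripping or normalizing those headers at the reverse proxy is the complementary control.

```python
from typing import Mapping
from urllib.parse import urlencode

# Constructed configuration: the hostname(s) the mail stack is really served on
# and the base URL reset links must always use. Placeholders, not mailcow settings.
TRUSTED_HOSTS = frozenset({"mail.example.com"})
CANONICAL_BASE = "https://mail.example.com"


def request_host(headers: Mapping[str, str]) -> str:
    """Header names are case-insensitive; X-Forwarded-Host (set by a proxy)
    takes precedence over Host. Keep the first entry of a comma list, drop the port."""
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("x-forwarded-host") or lower.get("host") or ""
    return raw.split(",")[0].strip().split(":")[0].lower()


def reset_link_vulnerable(headers: Mapping[str, str], token: str) -> str:
    """The pattern behind the finding: the link is built from whatever host the
    request claimed, so a forged Host or X-Forwarded-Host header puts the
    victim's reset token on a URL under someone else's domain."""
    return "https://%s/reset?%s" % (request_host(headers), urlencode({"token": token}))


def reset_link_hardened(headers: Mapping[str, str], token: str) -> str:
    """The request host is checked against an allowlist and then ignored: the
    link is always built from the configured canonical base."""
    host = request_host(headers)
    if host not in TRUSTED_HOSTS:
        raise ValueError("untrusted Host header: %r" % host)
    return "%s/reset?%s" % (CANONICAL_BASE, urlencode({"token": token}))


if __name__ == "__main__":
    # Constructed request: genuine Host, forged X-Forwarded-Host.
    forged = {"Host": "mail.example.com", "X-Forwarded-Host": "mail-example.invalid"}
    print(reset_link_vulnerable(forged, "t0k3n"))  # link now points at the foreign domain
    try:
        reset_link_hardened(forged, "t0k3n")
    except ValueError as err:
        print("rejected:", err)
```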
From the Foreign Press
Authorities Disrupt Infrastructure of Aisuru, Kimwolf, JackSkid, and Mossad Botnets
Xakep.ru reports that law enforcement disrupted the infrastructure of four botnets — Aisuru, Kimwolf, JackSkid, and Mossad — in a coordinated operation. The article details takedown methods and the botnets' roles in DDoS-for-hire and credential-stuffing campaigns. This is notable because it parallels the Tycoon 2FA takedown pattern: coordinated infrastructure seizures that temporarily suppress criminal services but rarely eliminate the operators.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Third-Party Telegram Clients Found Routing Traffic Through Own Servers in MITM Attack
Xakep.ru covers research by RKS-Global examining eight alternative Telegram clients for Android. The worst offender, Telega (over 1 million Google Play installs), activated a hidden function on March 18 that redirects all traffic through its own servers in Kazan, Russia — substituting encryption keys to enable classic man-in-the-middle interception of all messages in plaintext. Graph Messenger and iMe also transmit analytics to Yandex and VK infrastructure. If your organization permits alternative Telegram clients, this is an immediate operational concern.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Linux Foundation Moves to Protect Maintainers from AI-Generated "Slop" Contributions
Xakep.ru reports the Linux Foundation is implementing new measures to shield open-source maintainers from the growing flood of AI-generated pull requests and issue reports — low-quality submissions that waste reviewer time and can introduce subtle vulnerabilities. This connects directly to today's supply-chain and AI-integrity themes: the same pipelines Bruce Schneier demonstrated can be poisoned are also being clogged with noise.
Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If n8n exploitation reports surge this week, expect a rapid rise in opportunistic supply-chain compromises where attackers harvest long-lived API keys and tokens from compromised instances and use them to access integration partners within 48–72 hours.
- If a Tycoon 2FA successor service appears on Telegram within 30 days, anticipate an uptick in hybrid attacks that combine real-time MFA interception with BEC tactics, increasing insurer payouts and SOC triage burdens while raising the success rate of fraudulent wire transfers.
- If CISA adds CVE-2026-21992 (Oracle Identity Manager) to the KEV catalog, federal agencies and contractors will face binding patching requirements that force emergency rollouts and temporary mitigations within 24 hours.
- If Linksys ships firmware referencing CVE-2026-4558, unpatched MR9600 routers with public PoC exploits could be rapidly recruited into botnets used for DDoS and proxy resale, creating immediate operational and attribution headaches.
- If ShinyHunters publishes the Ameriprise data after the March 25 deadline, expect targeted credential-stuffing and spear-phishing campaigns against advisors and clients to produce account takeovers and fraudulent transfers within 7–14 days.
The Closer
A text editor that can hack you, an MFA system that protects nothing, and the most-starred project on GitHub shipping shell execution with the security posture of a screen door.
Somewhere, a Tycoon 2FA subscriber is refreshing Telegram waiting for the new dashboard URL the way the rest of us wait for a restaurant to reopen after renovation.
Stay paranoid. It's working.
If someone you know is still protecting their org with SMS codes and vibes, forward this their way.