Beyond Information Security

Cisco warns of max severity Secure FMC flaws giving root access

Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software.

Secure FMC is a web- or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection.

Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices.

“An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device,” the CVE-2026-20079 advisory reads.

Source: BleepingComputer / SecurityWeek / Infosecurity Magazine / Cisco security advisory

Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-secure-fmc-flaws-giving-root-access/

Link: https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-enterprise-networking-products/

Link: https://www.infosecurity-magazine.com/news/cisco-issues-patches-48/

Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh


CISA warns that RESURGE malware can be dormant on Ivanti devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.

The update focuses on the implant’s undetected latency on the appliances and its “sophisticated network-level evasion and authentication techniques” that enable covert communication with the attacker.

CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/


Zyxel warns of critical RCE flaw affecting over a dozen routers

Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices.

Tracked as CVE-2025-13942, this command injection security flaw was found in the UPnP function of Zyxel 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders.

Zyxel says that unauthenticated remote attackers can exploit it to execute operating system (OS) commands on an affected device using maliciously crafted UPnP SOAP requests.

However, CVE-2025-13942 attacks will likely be more limited than the severity rating suggests, as successful exploitation requires UPnP and WAN access to be enabled, with the latter disabled by default.

“It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled,” Zyxel said. “Users are strongly advised to install the patches to maintain optimal protection.”

Source: BleepingComputer / SecurityWeek

Link: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/

Link: https://www.securityweek.com/zyxel-patches-critical-vulnerability-in-many-device-models/


How AI Assistants are Moving the Security Goalposts

AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.

The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer and proactively take actions on your behalf without needing to be prompted.

If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your entire digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp.

Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also can do these things, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done.

Source: Krebs on Security

Link: https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts/#more-73278


New Dohdoor malware campaign targets education and health care

Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.”

Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively.

UAT-10027 targeted victims in the education and health care sectors in the United States through a multi-stage attack chain.

Talos observed that the actor misused various living-off-the-land executables (LOLBins) to sideload Dohdoor and set up the C2 infrastructure behind reputable cloud services, such as Cloudflare, to enable stealthy C2 communication.

The campaign involves a multi-stage attack chain, where initial access is likely achieved through social engineering phishing techniques. The infection chain executes a PowerShell script that downloads and runs a Windows batch script from a remote staging server through a URL. Subsequently, the batch script facilitates the download of a malicious Windows dynamic-link library (DLL), which is disguised as a legitimate Windows DLL file.

The batch script then executes the malicious DLL, dubbed Dohdoor, by sideloading it into a legitimate Windows executable. Once activated, Dohdoor employs the DNS-over-HTTPS (DoH) technique to resolve command-and-control (C2) domains within Cloudflare’s DNS service.

Utilizing the resolved IP address, it establishes an HTTPS tunnel to communicate with the Cloudflare edge network, which effectively serves as a front for the concealed C2 infrastructure. Dohdoor subsequently creates backdoored access into the victim’s environment, enabling the threat actor to download the next-stage payload directly into the victim machine’s memory and execute the potential Cobalt Strike Beacon payload reflectively within legitimate Windows processes.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
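The Dohdoor item above describes two observable traits a defender can hunt for: a non-browser process making RFC 8484 DNS-over-HTTPS lookups against a public resolver, followed shortly by an HTTPS connection to the freshly resolved address. The script below is an added example written for this digest, not code from Talos or from the Dohdoor write-up. It runs a simple two-stage correlation over constructed proxy/EDR-style log lines (timestamp, host, process, method, URL, content type). The log format, the list of processes expected to speak DoH, and the documentation IP 203.0.113.17 are all assumptions for the example; the Cloudflare resolver names are real public DoH endpoints, and the detection would need tuning to an estate's real telemetry (TLS SNI, JA3, and process lineage would normally be added).

```python
"""Flag DNS-over-HTTPS lookups from unexpected processes and correlate them
with a follow-on raw-IP HTTPS tunnel, over constructed sample log lines."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Well-known public DoH resolvers; Cloudflare's are the ones named in the write-up.
DOH_RESOLVER_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
                      "dns.google", "dns.quad9.net"}

# Assumption for this example: browsers commonly use DoH themselves, so they
# are allow-listed. Tune this to what is actually expected in your estate.
EXPECTED_DOH_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry (not real logs). Fields:
# time host process method url content_type
SAMPLE_LOGS = """\
2026-03-10T09:01:12Z WS-0142 chrome.exe POST https://cloudflare-dns.com/dns-query application/dns-message
2026-03-10T09:01:15Z WS-0142 rundll32.exe POST https://cloudflare-dns.com/dns-query application/dns-message
2026-03-10T09:01:16Z WS-0142 rundll32.exe GET https://1.1.1.1/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE application/dns-message
2026-03-10T09:02:40Z WS-0142 rundll32.exe CONNECT https://203.0.113.17:443 -
2026-03-10T09:03:01Z WS-0211 outlook.exe GET https://outlook.office.com/owa/ text/html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url, ctype = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "proc": proc.lower(), "method": method, "url": url, "ctype": ctype}


def is_doh_request(ev):
    """RFC 8484 DoH: /dns-query on a known resolver, or the DoH media type."""
    u = urlsplit(ev["url"])
    by_endpoint = u.hostname in DOH_RESOLVER_HOSTS and u.path == "/dns-query"
    by_media_type = ev["ctype"] == "application/dns-message"
    return by_endpoint or by_media_type


def is_raw_ip_connect(ev):
    """HTTPS tunnel opened directly to an IPv4 literal rather than a hostname."""
    u = urlsplit(ev["url"])
    return (ev["method"] == "CONNECT" and u.hostname is not None
            and IPV4_RE.fullmatch(u.hostname) is not None)


def find_suspicious(log_text, window=timedelta(minutes=5)):
    """Return (rule, host, process, url) tuples for the two hunting rules.

    Rule 1 'unexpected-doh': a process outside the allow-list speaks DoH.
    Rule 2 'doh-then-ip-tunnel': within `window` of such a lookup, the same
    host/process opens a CONNECT tunnel straight to an IP address, the
    'resolve via DoH, then tunnel to the resolved IP' pattern described above.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    last_doh = {}  # (host, process) -> time of last unexpected DoH lookup
    for ev in events:
        key = (ev["host"], ev["proc"])
        if is_doh_request(ev) and ev["proc"] not in EXPECTED_DOH_PROCESSES:
            alerts.append(("unexpected-doh", ev["host"], ev["proc"], ev["url"]))
            last_doh[key] = ev["ts"]
        elif (is_raw_ip_connect(ev) and key in last_doh
              and ev["ts"] - last_doh[key] <= window):
            alerts.append(("doh-then-ip-tunnel", ev["host"], ev["proc"], ev["url"]))
    return alerts


if __name__ == "__main__":
    for rule, host, proc, url in find_suspicious(SAMPLE_LOGS):
        print(f"{rule:20} {host} {proc} {url}")
```

On the constructed sample the browser's own DoH lookup is ignored, the two `rundll32.exe` lookups fire the first rule, and the CONNECT to a bare IP 84 seconds later fires the second; a real deployment would feed the same two functions from proxy or EDR network events rather than a string constant.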


People, Policies, and Purpose: Framing Acceptable Use and Human Behavior in Information Security

Many breaches don’t start with sophisticated hackers; they start with ordinary users doing ordinary things in unsafe ways. Let’s look at 3 ways to work toward helping people in our organizations understand better how to safeguard everyone’s information.

Because there are as many ways to create a policy as there are organizations – compounded with the numerous requirements from regulations – I won’t attempt to provide a one-size-fits-all policy for each of these. Part of the process of becoming a professional with policies is learning about all the options while also satisfying the requirements of your org. I’ve provided several links in the Resources section at the end of this article so you can check out options if you need inspiration or a head start.

Source: Secjuice

Link: https://www.secjuice.com/people-policies-and-purpose-framing-acceptable-use-and-human-behavior-in-information-security/