This Month in Security: March 2026 - Cisco Firewall Zero-Days, Foreign Router Ban, and the LiteLLM Supply Chain Attack


March 2026 brought a surge of destructive cyberattacks and high-stakes vulnerabilities, underscoring the fragility of both enterprise network infrastructure and centralized endpoint management systems. The month ranged from a pro-Iran hacktivist group issuing data-wiping commands against a major medical technology vendor to a ransomware gang weaponizing a Cisco firewall zero-day. Meanwhile, the discovery of a sophisticated mobile exploit kit, a damaging open-source supply chain attack aimed at AI developers, and a broad, infrastructure-heavy Microsoft Patch Tuesday kept security teams scrambling to prioritize fixes.
Critical Zero-Day Exploits
Threat actors heavily targeted perimeter defenses, enterprise databases, and mobile operating systems this month, in some cases exploiting critical flaws for weeks before they were publicly disclosed.
- Cisco Secure Firewall Management Center RCE (CVE-2026-20131): Disclosed in early March, this critical insecure deserialization flaw lets an unauthenticated remote attacker execute arbitrary Java code as root. Amazon threat intelligence reported that the Interlock ransomware gang exploited the vulnerability as a zero-day for 36 days before public disclosure, a substantial head start for compromising the appliances that manage enterprise firewalls (AWS Security Blog).
- Microsoft SQL Server Privilege Escalation (CVE-2026-21262): One of the two publicly disclosed zero-days addressed in Microsoft's March Patch Tuesday. The flaw allows an authenticated attacker to elevate privileges over the network to sysadmin, the SQL Server role with full control, letting them read, alter, or delete sensitive corporate data (SentinelOne).
- Apple iOS Darksword Exploit Chain: Darksword is a sophisticated 'hit-and-run' iOS exploit chain targeting devices running iOS 18.4 through 18.6.2. Delivered through compromised websites, it chains six vulnerabilities to gain kernel-level access, rapidly exfiltrates sensitive data including credentials and cryptocurrency wallets, and then deletes itself to evade detection. It is attributed to suspected Russian-aligned threat actors (Lookout Threat Intel).
Notable Threats and Incidents
Ransomware groups and supply chain attackers showed a willingness to carry out highly destructive, disruptive attacks on targets ranging from healthcare to open-source ecosystems.
- LiteLLM Supply Chain Compromise: In a major supply chain attack, threat actors compromised the PyPI publishing credentials for LiteLLM, a widely used AI routing library with over 95 million monthly downloads. The attackers published malicious versions containing a Python backdoor that executed automatically to harvest cloud credentials, SSH keys, and Kubernetes secrets. The attack was discovered and the packages quarantined only after a bug in the malware caused an accidental "fork bomb" that crashed a security researcher's laptop. (FutureSearch)
- Wikipedia Global Read-Only Incident: Wikipedia was forced to temporarily lock down and enter read-only mode following a severe operational mistake. A Wikimedia Foundation security engineer running tests with a highly privileged staff account inadvertently loaded a two-year-old malicious user script. Because of the account's extensive permissions, the script injected itself into the global JavaScript served on every page, spreading rapidly and triggering mass alerts before the site could be taken offline to contain it. (Hacker News)
- Medusa & Qilin Ransomware Sprees: Ransomware operators remained highly active, with the Medusa gang claiming credit for crippling attacks against the University of Mississippi Medical Center (UMMC) and New Jersey's Passaic County government systems. Concurrently, the Qilin ransomware group struck multiple global targets, including a Texas construction firm and a major Puerto Rican food processor. (The Record)
- LexisNexis Data Breach: The data analytics giant suffered a breach through an unpatched Reach2Shell vulnerability, which was originally disclosed in late 2025. Attackers accessed and leaked basic account information, though the company states that highly sensitive PII such as Social Security numbers and financial data was not exposed. (Privacy Guides)
Policy and Framework Updates
Federal agencies took aggressive steps this month to mitigate risks stemming from vulnerable supply chains and actively exploited software.
- FCC Bans High-Risk Foreign Routers: The FCC's Public Safety and Homeland Security Bureau released a National Security Determination (DA 26-278) adding specific foreign-produced small and home office routers to the Covered List. The agency warned that malicious state-sponsored actors, such as those tied to Volt Typhoon, are increasingly leveraging these devices to build botnets and attack U.S. critical infrastructure. (FCC Public Notice DA 26-278)
March Patches and Vulnerabilities
- Microsoft Patch Tuesday: Microsoft addressed approximately 80 vulnerabilities this month, including two publicly disclosed flaws. Security experts warned that the breadth of affected critical enterprise infrastructure, spanning Windows RRAS, Active Directory Domain Services, Azure workloads, and SQL Server, made it a volatile update that calls for careful, risk-based prioritization rather than patching everything at once. (CrowdStrike)
- Microsoft Excel Copilot Exfiltration Risk (CVE-2026-26144): A notable information disclosure flaw in Excel was patched that could allow attackers to manipulate Copilot Agent mode. If exploited, it could cause the AI to exfiltrate sensitive data via unintended network egress, resulting in a dangerous zero-click information disclosure attack. (Zero Day Initiative)
Key Takeaways for Staying Secure
- Pin Dependencies and Delay Updates: The LiteLLM compromise shows the danger of automatically pulling the latest package versions in CI/CD pipelines. Organizations should pin dependencies to exact versions and cryptographic hashes and add a quarantine period for new open-source releases, giving the community time to detect supply chain malware before it reaches production.
- Audit Perimeter and Firewall Infrastructure: The Interlock ransomware gang's early exploitation of Cisco firewalls shows that perimeter devices remain top-tier targets. Ensure all management interfaces are strictly segregated from the public internet, closely monitored, and patched aggressively.
- Adopt Risk-Based Patching: With Patch Tuesday affecting a massive swath of core Windows and Azure services, prioritize updates for internet-facing systems, database servers, and identity infrastructure before tackling less critical endpoint updates.
- Secure the Remote Workforce Edge: Following the FCC's recent warnings regarding foreign-produced routers, organizations should audit the networking equipment used by remote employees and implement zero-trust network access (ZTNA) to limit the blast radius of compromised home networks.
- Review Your Security Posture: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners.
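As an added example that is not part of the original post or any vendor's tooling, the following Python script performs the pre-install check the pinning takeaway describes: it flags requirements that are not pinned with `==`, pinned requirements that carry no `--hash` (which `pip install --require-hashes` would reject), malformed digests, and versions published inside a quarantine window. The requirements text, package names, hash values and release dates are all constructed for the demo; in a real pipeline the release dates would be fetched from your package index, and the quarantine length is an assumption to tune.

```python
"""Pre-install audit for a pip requirements file (added example, constructed data).

Checks: (1) every requirement is pinned with `==`; (2) every pin carries a
`--hash=` so `pip install --require-hashes -r requirements.txt` refuses any
artifact whose digest differs; (3) digests have the right length for their
algorithm; (4) the pinned version is older than a quarantine window, so a
release pushed hours ago from a hijacked maintainer account is held back.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

QUARANTINE_DAYS = 7            # assumption: adjust to your risk appetite
AUDIT_DATE = date(2026, 4, 1)  # fixed "today" so the demo is reproducible

# Constructed requirements file; not any real project's lockfile.
SAMPLE_REQUIREMENTS = """\
# core deps
requests==2.32.3 \\
    --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760
litellm==1.40.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=6.0
boto3==1.34.100
"""

# Constructed release dates keyed by (normalized name, version). A real
# pipeline would fetch these from the package index (assumption).
SAMPLE_RELEASE_DATES: Dict[Tuple[str, str], date] = {
    ("requests", "2.32.3"): date(2024, 5, 29),
    ("litellm", "1.40.0"): date(2026, 3, 30),  # two days before AUDIT_DATE
    ("boto3", "1.34.100"): date(2024, 5, 6),
}

_SPEC = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)"               # project name
    r"\s*(?:\[[^\]]*\])?"                           # optional extras
    r"\s*(?:(==|~=|>=|<=|!=|>|<)\s*([^\s,;]+))?"    # optional operator/version
)
_HASH = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
_DIGEST_HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


@dataclass
class Finding:
    name: str
    code: str
    detail: str


def normalize(name: str) -> str:
    """PEP 503 normalization so lookups match the index's spelling."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text: str) -> List[str]:
    """Strip comments and join backslash-continued lines, as pip does."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def audit(text: str, today: date, release_dates: Dict[Tuple[str, str], date],
          quarantine_days: int = QUARANTINE_DAYS) -> List[Finding]:
    """Return one Finding per policy violation; an empty list means the file passes."""
    findings: List[Finding] = []
    for line in logical_lines(text):
        m = _SPEC.match(line)
        if not m:
            findings.append(Finding(line, "unparsed", "could not parse requirement"))
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        if op != "==":
            findings.append(Finding(name, "unpinned", f"{line!r} lets pip resolve the newest release"))
            continue
        hashes = _HASH.findall(line)
        if not hashes:
            findings.append(Finding(name, "no-hash", "no --hash; --require-hashes would reject this file"))
        for algo, hexdigest in hashes:
            if len(hexdigest) != _DIGEST_HEX_LEN[algo]:
                findings.append(Finding(name, "bad-hash", f"{algo} digest has {len(hexdigest)} hex chars"))
        released: Optional[date] = release_dates.get((name, version))
        if released is None:
            findings.append(Finding(name, "unknown-release", f"no release date known for {version}"))
        elif (today - released).days < quarantine_days:
            findings.append(Finding(name, "quarantined", f"{version} is only {(today - released).days} day(s) old"))
    return findings


def finding_codes(findings: List[Finding]) -> Set[Tuple[str, str]]:
    """Compact summary used for gating: the set of (package, violation) pairs."""
    return {(f.name, f.code) for f in findings}


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS, AUDIT_DATE, SAMPLE_RELEASE_DATES):
        print(f"{f.name:10} {f.code:16} {f.detail}")
```

Run it as a CI step before `pip install --require-hashes -r requirements.txt`; the script only inspects the file, and pip does the actual digest comparison at install time. A pinned hash stops a substituted artifact but not a maintainer account publishing a malicious version under a new number, which is what the quarantine window is for.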
About the Author
Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.
Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.