A state-sponsored iOS exploit kit chains six vulnerabilities for full device takeover. The Interlock ransomware gang exploits a critical Cisco Secure Firewall Management Center zero-day since January. Identity protection company Aura confirms 900,000 records breached. A Ubuntu privilege escalation flaw lets attackers gain root through systemd timing. Plus: ConnectWise ScreenConnect hijacking, 9 critical IP KVM flaws, XBOW raises $120M for autonomous offensive security, and tech giants invest $12.5M in open source security.
The DarkSword exploit kit is being used by state-sponsored hackers and commercial spyware vendors to achieve full device compromise on iPhones. If your organization handles sensitive data on iOS devices, verify you are running the latest iOS version immediately.
Security researchers have uncovered DarkSword, a sophisticated iOS exploit kit and delivery framework that chains six separate iOS vulnerabilities to achieve full device compromise. The exploit kit is being actively used by both state-sponsored threat actors and commercial spyware vendors for targeted surveillance operations.
DarkSword targets a wide range of personal information including messages, photos, location data, and critically — cryptocurrency wallet data. The exploitation chain requires no user interaction beyond visiting a compromised website or clicking a crafted link, making it a classic zero-click or one-click attack vector.
The Interlock ransomware gang has been exploiting a maximum-severity RCE vulnerability in Cisco's Secure Firewall Management Center since late January 2026. If your organization runs Cisco FMC, patch immediately.
The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software as a zero-day since late January 2026. The flaw allows unauthenticated attackers to execute arbitrary code on the management server, giving them control over firewall policies across the entire network.
This is particularly dangerous because Cisco FMC is the centralized management platform for Cisco's firewall infrastructure. Compromising FMC doesn't just give attackers a foothold — it gives them the keys to modify, disable, or bypass firewall rules across every managed device.
An identity protection company — the very type of service people use to protect themselves from breaches — has itself been breached. The irony underscores that no organization is immune.
Aura, a digital security company specializing in identity theft protection, has confirmed that an unauthorized party gained access to nearly 900,000 customer records containing names and email addresses. While the exposed data is limited to marketing contact information rather than the sensitive identity monitoring data Aura processes, the breach is deeply embarrassing for a company whose entire value proposition is protecting customers from exactly this type of incident.
This breach highlights a growing trend: security companies themselves becoming targets. When attackers compromise a security vendor, even a marketing database breach yields high-value targeting information. Every person in that database has self-identified as someone concerned about identity theft — making them prime targets for phishing campaigns impersonating Aura or similar services.
If you're an Aura customer, watch for phishing emails claiming to be "urgent security notices" from Aura. Verify any communications through official channels.
A high-severity privilege escalation flaw affects Ubuntu Desktop 24.04 and later. While exploitation requires a specific timing window, the result is complete root compromise.
Qualys Threat Research Unit has disclosed CVE-2026-3888 (CVSS 7.8), a privilege escalation vulnerability affecting default installations of Ubuntu Desktop 24.04 and later. The flaw allows an unprivileged local attacker to escalate to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles.
The vulnerability exploits a race condition in how snap-confine creates sandbox environments and how systemd-tmpfiles cleans up temporary directories. An attacker can manipulate the timing of these operations — within a 10-to-30-day window after system installation — to hijack the cleanup process and execute arbitrary code as root.
snap-confine (snap sandbox manager) + systemd-tmpfiles (temp directory cleanup)snap-confine and systemd-tmpfiles activity/tmp, /run, and /var/tmp for suspicious symlinks or permission changesConnectWise has issued a warning about a cryptographic signature verification vulnerability in ScreenConnect that could allow attackers to gain unauthorized access and escalate privileges. Given ScreenConnect's widespread use as a remote management tool — and its history of being targeted by ransomware operators — this vulnerability demands immediate attention.
The flaw involves improper validation of cryptographic signatures, which could allow an attacker to bypass authentication controls and hijack active ScreenConnect sessions. In a worst-case scenario, an attacker could take over remote management sessions and gain the same level of access as a legitimate administrator.
Eclypsium researchers have disclosed nine critical vulnerabilities across four popular IP KVM (Keyboard, Video, Mouse over IP) devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaws allow unauthenticated attackers to gain root access or execute arbitrary code on these devices.
IP KVM devices provide remote BIOS/UEFI-level access to servers — making them extremely high-value targets. A compromised IP KVM device gives an attacker access below the operating system level, bypassing all software-based security controls entirely.
Organizations using IP KVM devices should isolate them on dedicated management networks, audit for default credentials, and apply firmware updates as soon as vendors release patches.
Autonomous offensive security firm XBOW has raised $120 million at a valuation exceeding $1 billion. The company's AI-powered platform autonomously discovers and validates software vulnerabilities — representing the growing trend of AI-driven security testing. This validates the market for automated penetration testing solutions, the same space where KENSAI operates with its multilingual, compliance-focused approach.
Anthropic, AWS, Google, Microsoft, and OpenAI have collectively invested $12.5 million into the Linux Foundation's long-term security initiatives focused on open-source software. The investment targets critical infrastructure projects that underpin most of the internet — addressing the long-standing "xkcd 2347" problem of unfunded open-source maintainers.
CISA has added an actively exploited Zimbra Collaboration Suite XSS vulnerability to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within the standard 21-day deadline. Organizations running Zimbra should prioritize this update regardless of whether they fall under CISA's mandate.
Texas-based financial services provider Marquis revealed that a ransomware attack in August 2025 compromised data of over 672,000 individuals and disrupted operations at 74 banks across the United States. The delayed disclosure — seven months after the incident — raises questions about breach notification timelines.
According to Pentera's AI and Adversarial Testing Benchmark Report 2026, 67% of CISOs reported limited visibility into how AI is being used across their organizations. None of the 300 surveyed US security leaders claimed full visibility — highlighting the shadow AI problem as organizations rush to deploy AI systems without adequate security oversight.
| Threat | Severity | Impact | Action Required |
|---|---|---|---|
| DarkSword iOS Exploit | Critical | Full iPhone compromise, crypto theft | Update iOS, enable Lockdown Mode |
| Cisco FMC Zero-Day (Interlock) | Critical | Network-wide ransomware via firewall takeover | Patch FMC, restrict management access |
| Ubuntu CVE-2026-3888 | High | Root privilege escalation | Apply Ubuntu security updates |
| ConnectWise ScreenConnect | High | Remote session hijacking | Update ScreenConnect, audit sessions |
| IP KVM Vulnerabilities (9 flaws) | High | Unauthenticated root access | Isolate KVMs, update firmware |
| Aura Data Breach | Medium | 900K marketing records exposed | Watch for phishing, verify comms |
| Zimbra XSS (CISA KEV) | High | Active exploitation | Patch Zimbra immediately |
Today's briefing carries significant weight for organizations under NIS2 compliance obligations:
Run a free KENSAI security scan to identify vulnerabilities like the ones discussed in today's briefing — before attackers find them first.
Start Free Security Scan →Published by the KENSAI Security Research Team · March 19, 2026
Daily security briefings help organizations stay ahead of emerging threats. Follow our blog for continuous coverage.