- Mycomputerspot Security Newsletter
Market & Momentum - 03/23/2026
From AI red-team breakthroughs to fresh zero-day exploits, this week’s threat forecast shows offense and defense racing neck-and-neck. Here’s what to watch—and what to fix—before the gap closes.
This week opens with sharpened enterprise risk around actively exploited web stacks, identity-system RCE exposure, and “silent” mobile compromise, showing how attackers are balancing fast exploit velocity with high-trust targeting.

| Trend (Macro) | Likelihood | Direction | Signal for the Week |
|---|---|---|---|
| Active exploitation of web framework / CMS vulnerabilities (KEV pressure) | 82% | 🔺 Rising | Exploited web app footholds are being operationalized rapidly. |
| Identity & access platform RCE exposure | 75% | 🔺 Rising | Identity services remain a “one bug = many outcomes” risk. |
| Mobile spyware / full-chain compromise expanding beyond niche targets | 70% | 🔺 Rising | Web-delivered exploit chains reduce attacker friction dramatically. |
| Ransomware-driven service disruption (state/local + mid-market) | 68% | 🔺 Rising | Operational paralysis is still the favored leverage play. |
| Patch governance compression (more “must patch now” moments) | 66% | ➡ Stable | Triage pressure keeps increasing across infra + app stacks. |
CISA adds 5 actively exploited flaws (Apple + Craft CMS + Laravel Livewire) — When CISA moves, you move; this set signals current attacker focus on web stacks and endpoint exposure, so treat KEV-five as a week-one patch mandate, not a “next sprint” request.
Oracle Identity Manager critical unauthenticated RCE (CVE-2026-21992) — Identity platforms don’t fail gracefully; Oracle issued an emergency update for a critical bug that can enable remote code execution, making CVE-2026-21992 the kind of issue you validate fast, then confirm with telemetry (not just change tickets).
DarkSword iPhone spyware risk is going mainstream — Researchers describe a web-delivered exploit chain that can compromise iPhones at scale when users don’t update, which turns mobile exposure into enterprise exposure via DarkSword (especially for executives, finance leaders, and incident commanders who live in email/chat).
Bay Area city services disrupted by ransomware — Foster City is the latest reminder that ransomware doesn’t need to “exfiltrate everything” to win; service disruption alone forces emergency measures, so treat FosterCity as a governance cue: continuity planning and IR readiness are now operational necessities.
Craft CMS exploitation chain has real-world tooling and repeatability — The web stack side of the KEV story isn’t theoretical: attacker playbooks show repeatable steps to gain foothold and upload management tools; this is why CraftRCE patching needs immediate verification across internet-facing instances.
Laravel Livewire RCE through deserialization/unmarshaling risk — If you run Livewire in production, this is not a “dev problem”—it’s a pre-auth remote execution story waiting for a scanner to find you; treat Livewire-RCE as an appsec + ops coordination event (patch, WAF rules, and exposure reduction).
Web stack exploitation is staying hot because frameworks/CMS instances are widespread, inconsistently patched, and often directly exposed.
Identity-layer vulnerabilities carry disproportionate blast radius: compromise there is rarely contained to one app.
Mobile compromise is becoming a business risk, not a personal risk—especially when leadership devices are targeted through web delivery.
Ransomware keeps winning with disruption-first tactics: downtime, degraded services, and forced emergency decisions remain high-leverage.
KEV triage discipline: inventory impacted Apple endpoints and any Craft/Livewire deployments; patch and confirm success via device/app telemetry.
Identity platform hardening: if Oracle Identity Manager is in scope, patch immediately, restrict management interfaces, review auth logs for anomalous admin behavior, and validate EDR coverage on supporting hosts.
Mobile posture for VIPs: enforce minimum OS versions, reduce “temporary exceptions,” tighten conditional access, and assume mobile is part of your enterprise identity chain.
Web app exposure reduction: identify all public Craft/Livewire surfaces, minimize reachable endpoints, and add WAF protections where patch timing isn’t instant.
Ransomware continuity: confirm offline backups, test restore paths, rehearse service-degradation playbooks, and ensure “who declares emergency posture” is pre-decided.
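One way to run the inventory step from the KEV triage and web-exposure items above, as an added example (not from the newsletter or any vendor): it reads a Composer `composer.lock` and reports the installed `craftcms/cms` and `livewire/livewire` versions. The sample lock file and the minimum version are constructed; take real fixed versions from the vendor advisories.

```python
import json
import re

# Composer package names for the two web stacks named in the KEV item.
WATCHED = ("craftcms/cms", "livewire/livewire")

def parse_version(v):
    """Turn 'v3.5.1' or '4.4.15' into a tuple of ints; None if not numeric."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", v.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def older(have, want):
    """True if have < want, treating '2.0' and '2.0.0' as equal."""
    n = max(len(have), len(want))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(have) < pad(want)

def scan_lockfile(lock_text, minimums=None):
    """Return [(package, installed_version, status)] for watched packages.

    minimums maps package -> first fixed version from the vendor advisory.
    """
    minimums = minimums or {}
    findings = []
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, installed = pkg.get("name"), pkg.get("version", "")
            if name not in WATCHED:
                continue
            have = parse_version(installed)
            want = parse_version(minimums.get(name, ""))
            if have is None or want is None:
                status = "review"  # dev branch, or no fixed version supplied
            elif older(have, want):
                status = "vulnerable"
            else:
                status = "patched"
            findings.append((name, installed, status))
    return findings

# Constructed sample data: versions below are placeholders, not real releases.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "1.2.3"},
    {"name": "livewire/livewire", "version": "v2.0.0"},
    {"name": "monolog/monolog", "version": "3.5.0"}], "packages-dev": []})
SAMPLE_MINIMUMS = {"craftcms/cms": "1.2.4"}  # constructed placeholder

if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK, SAMPLE_MINIMUMS))
```

A `review` status means the package is present but no comparison was possible, so it still counts as an inventoried surface to confirm by hand.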
Speed isn’t chaos. Speed is repeatable patch governance… the ability to act quickly without breaking your visibility or your business.
This week’s theme: the attack surface you don’t inventory is the breach you can’t explain. Patch fast, verify faster, and treat identity + web exposure as the same risk conversation.
J.W.
(P.S. Forward this to the SOC, infrastructure owners, identity leadership, and application owners to align urgency and governance.)



