Wednesday War Room – 03/18/2026

This Wednesday the theme is painfully consistent: legacy exposure is getting harvested, browser/web content trust keeps getting punched in the face, and software supply chain compromises are scaling again.

In partnership with

Attio is the AI CRM for modern teams.

Connect your email and calendar, and Attio instantly builds your CRM. Every contact, every company, every conversation, all organized in one place.

Then Ask Attio anything:

  • Prep for meetings in seconds with full context from across your business

  • Know what’s happening across your entire pipeline instantly

  • Spot deals going sideways before they do

No more digging and no more data entry. Just answers.

The convergence of social engineering sophistication, unpatched critical vulnerabilities, and coordinated criminal collaboration signals a new phase of threat actor maturity that demands immediate executive attention and strategic response.

Critical Telnetd Root RCE

Risk Level: Critical

Business Impact: Unauthenticated remote code execution as root can turn any exposed server into a foothold, pivot point, or botnet node—fast.

What You Need to Know: A critical buffer overflow in GNU InetUtils telnetd allows unauthenticated attackers to achieve root-level RCE via the LINEMODE SLC handler, tracked as CVE-2026-32746, with exploitation risk amplified by how often telnet is left enabled “just for legacy.”

Why This Matters:

  • Telnet exposure is usually unmonitored legacy debt—attackers love quiet, cheap wins.

  • Root RCE means instant persistence, credential access, and lateral movement options.

  • If it’s reachable, it will be scanned and tested at scale.

Executive Actions:

🛑 Disable Telnet everywhere; block port 23 at the edge and internally where feasible.

🩹 Patch/upgrade GNU InetUtils on any remaining systems that truly can’t remove telnet immediately.

🧭 Scan for unexpected Telnet exposure (internal + external) and treat findings as incidents.

🧱 Segment legacy systems and restrict egress so compromise can’t freely beacon or pivot.
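To make the "scan for unexpected Telnet exposure" action concrete, here is an added example (not code from the newsletter or from GNU InetUtils) that probes a host list for live TCP/23 listeners and classifies what answers: a real telnetd opens with IAC option negotiation, and one that offers LINEMODE is worth prioritizing given the advisory above, though that alone does not prove it is vulnerable. The host list and sample banners are constructed.

```python
"""Added example: find and classify Telnet listeners. The probe only reads;
it never sends data. Hosts and banners used for testing are constructed."""
import socket

IAC = 0xFF                               # Telnet "Interpret As Command"
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT
LINEMODE = 34                            # option code from RFC 1184


def classify_banner(data: bytes) -> dict:
    """Classify the first bytes a TCP/23 listener sends.
    A plain text greeting with no IAC bytes means something other than a
    telnet daemon is squatting on the port (still worth an inventory entry)."""
    result = {"telnet": False, "linemode": False, "options": []}
    i = 0
    while i + 2 < len(data) and data[i] == IAC:
        cmd, opt = data[i + 1], data[i + 2]
        if cmd not in NEGOTIATION:
            break
        result["telnet"] = True
        result["options"].append((cmd, opt))
        if opt == LINEMODE:
            # Server negotiates LINEMODE: triage first, since the advisory
            # above concerns that handler. Not a vulnerability confirmation.
            result["linemode"] = True
        i += 3
    return result


def probe_host(host: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Connect, read up to 64 bytes, classify, and report."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(64)
            except socket.timeout:
                data = b""          # open but silent: still an exposure
    except OSError:
        return {"host": host, "open": False}
    return {"host": host, "open": True, **classify_banner(data)}


def scan(hosts, **kw) -> list:
    """Return only the hosts that are open on the Telnet port."""
    return [r for r in (probe_host(h, **kw) for h in hosts) if r["open"]]


if __name__ == "__main__":
    # Constructed inventory; replace with your own asset list.
    for finding in scan(["192.0.2.10", "192.0.2.11"], timeout=1.0):
        print(finding)
```

Every entry `scan` returns is an exposure to track; treat entries with `telnet` set, and especially `linemode`, as incidents per the action list above.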

Apple Ships “Background Security Improvements” Fix

Risk Level: High

Business Impact: WebKit Same-Origin Policy bypass can enable cross-site data access, session risk, and targeted compromise via malicious web content.

What You Need to Know: Apple pushed its first Background Security Improvements update to patch a WebKit cross-origin issue that can bypass Same-Origin Policy protections, tracked as CVE-2026-20643, without requiring a full OS upgrade on supported devices.

Why This Matters:

  • Browsers are the front door for execs and admins—web content is a delivery channel.

  • SOP bypasses undermine trust assumptions inside web apps and sessions.

  • “Targeted” today can become “broad” once techniques spread.

Executive Actions:

📱 Enforce iOS/iPadOS/macOS compliance for browser security updates via MDM where applicable.

🔐 Prioritize patches for high-risk users (execs, admins, finance, HR).

🔎 Monitor for ATO signals: new device registrations, unusual locations, repeated session prompts.

🧾 Ensure your IR playbook includes mobile/session invalidation steps (not just password resets).

Wing FTP Server Vulnerability Added to KEV

Risk Level: High

Business Impact: Information disclosure can become an exploit-chain enabler, especially when it helps attackers reliably weaponize follow-on flaws.

What You Need to Know: CISA added Wing FTP Server CVE-2025-47813 to KEV due to active exploitation, noting that it can expose the server’s local installation path and help enable chaining with more severe issues; details are summarized in the CISA KEV alert and reinforced by The Hacker News write-up and SecurityWeek coverage.

Why This Matters:

  • KEV means it’s being used against real orgs… not a theoretical lab problem.

  • “Small” disclosures often become the missing puzzle piece for reliable RCE chains.

  • FTP servers are frequently exposed and forgotten until they become an incident.

Executive Actions:

🩹 Patch/upgrade Wing FTP to the fixed release and confirm the version running in production.

🔒 Restrict access (VPN/allowlists) and remove unnecessary internet exposure.

🧾 Review logs for suspicious authenticated activity, unusual enumeration, and chained exploit attempts.

🧱 Segment the service and restrict egress to reduce post-compromise tooling and exfil paths.

Leadership Insight:

This window isn’t “busy.” It’s normal now…

Exploited legacy services, browser trust erosion, supply-chain compromise at scale, and ransomware pressure on critical services.

The winning orgs are the ones that can verify patch reality fast, reduce exposure by default, and treat developer + network control planes as privileged infrastructure.


GlassWorm Supply Chain Returns, Hits 400+ Repos/Packages/Extensions

Risk Level: Critical

Business Impact: Supply chain compromise can poison builds, steal tokens/secrets, and spread downstream into customers and production environments.

What You Need to Know: The GlassWorm campaign expanded into a coordinated wave hitting GitHub repos, npm packages, and VSCode/OpenVSX extensions, with details in BleepingComputer’s roundup and additional campaign mechanics described in StepSecurity’s ForceMemo analysis and The Hacker News report (account takeovers → force-push malware → stealthy token/secret theft).

Why This Matters:

  • Repo compromise becomes CI/CD compromise when tokens and secrets live in pipelines.

  • Force-push + preserved commit metadata is designed to bypass casual review.

  • This scales: one poisoned dependency can hit thousands of orgs quietly.

Executive Actions:

💎 Enforce repo protections: block force-push on protected branches and require signed commits where possible.

🔑 Rotate developer/CI tokens and reduce scope + lifetime (assume exposure if affected tooling was used).

🧪 Add detection for “quiet” supply chain indicators: sudden dependency changes, new publishers, unusual CI egress.

🧱 Restrict CI runner egress and secrets access to only what the job truly needs.
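To give the "add detection for quiet supply chain indicators" action something concrete, here is an added example (not the newsletter's code, nor anything from the cited GlassWorm reports) that triages push webhook events for the pattern described above: a forced push to a protected branch, commits backdated to blend into existing history, and edits to CI workflow files. It assumes GitHub's push-event field names (ref, forced, deleted, pusher, commits[].timestamp); the sample event and last-known head timestamp are constructed.

```python
"""Added example: flag force-push / backdated-commit patterns in push events.
Assumes GitHub push webhook field names; sample data is constructed."""
from datetime import datetime

PROTECTED = {"refs/heads/main", "refs/heads/master", "refs/heads/release"}


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2026-03-10T09:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage_push(event: dict, last_head_time: dict) -> list:
    """Return findings for one push event.
    last_head_time maps ref -> ISO timestamp of the head we last observed, so
    a "new" commit dated earlier than history we already saw stands out."""
    findings = []
    ref = event.get("ref", "")
    who = event.get("pusher", {}).get("name", "unknown")
    if event.get("forced") and ref in PROTECTED:
        findings.append(f"force-push to protected branch {ref} by {who}")
    if event.get("deleted") and ref in PROTECTED:
        findings.append(f"protected branch {ref} deleted by {who}")
    prev = last_head_time.get(ref)
    for c in event.get("commits", []):
        short = c.get("id", "")[:12]
        when = c.get("timestamp")
        if prev and when and _ts(when) < _ts(prev):
            findings.append(f"commit {short} backdated to {when} (head was {prev})")
        touched = c.get("added", []) + c.get("modified", [])
        if any(p.startswith(".github/workflows/") for p in touched):
            findings.append(f"commit {short} modifies CI workflow files")
    return findings


# Constructed sample: a forced push rewriting main with a backdated commit
# that edits the publish workflow, the shape described above.
SAMPLE_EVENT = {
    "ref": "refs/heads/main", "forced": True, "deleted": False,
    "pusher": {"name": "maintainer-account"},
    "commits": [{"id": "0123456789abcdef0123456789abcdef01234567",
                 "timestamp": "2026-03-10T09:00:00Z",
                 "added": [], "modified": [".github/workflows/publish.yml"]}],
}
LAST_HEAD = {"refs/heads/main": "2026-03-16T12:00:00Z"}

if __name__ == "__main__":
    for f in triage_push(SAMPLE_EVENT, LAST_HEAD):
        print("ALERT:", f)
```

Feed it from your webhook receiver or audit-log export; any finding on a protected branch should open a ticket and trigger the token rotation step above.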

Cisco SD-WAN Auth Bypass Risk Widens Beyond the “One CVE” Story

Risk Level: High

Business Impact: Auth bypass into SD-WAN control components can lead to admin-level access, config tampering, traffic manipulation, and network-wide pivoting.

What You Need to Know: Cisco Talos and multiple researchers warned that exploitation narratives around SD-WAN are broader than a single PoC headline, with CVE-2026-20127 enabling auth bypass and administrative access in certain conditions, as summarized in Cybersecurity Dive coverage (including notes on PoC confusion and how attackers may chain related weaknesses in real campaigns).

Why This Matters:

  • Network control-plane compromise lets attackers rewrite routes, access, and segmentation assumptions.

  • “PoC confusion” often delays remediation—attackers don’t wait for clarity.

  • SD-WAN sits at a high-leverage layer that can hide or enable follow-on actions.

Executive Actions:

🧯 Validate exposure and patch levels for SD-WAN components tied to the advisory conditions.

🔒 Restrict management access (allowlists/VPN) and enforce MFA for admin workflows.

🕵️ Monitor for anomalous admin activity: unexpected config changes, new users, unusual API calls.

🧱 Treat SD-WAN management systems as Tier-0 infrastructure (segmented, tightly logged, tightly controlled).

Medusa Ransomware Claims Major Hospital + County Attacks

Risk Level: High

Business Impact: Healthcare and government disruption drives operational downtime, safety risk, extortion pressure, and high-cost recovery timelines: healthcare service disruption, patient data exposure, and operational shutdown.

What You Need to Know: Medusa claimed responsibility for attacks impacting the University of Mississippi Medical Center and a New Jersey county, including ransom demands and threatened data leaks, according to The Record’s reporting.

Why This Matters:

  • Ransomware is still a business-interruption weapon, not just an IT problem.

  • Leak threats compress decision time and increase the odds of mistakes under pressure.

  • Healthcare targets amplify downstream harm—patients and operations become collateral.

Executive Actions:

🧯 Validate offline/immutable backups and prove restore timelines (don’t assume).

🔐 Tighten privileged access and require step-up controls for admin actions on critical systems.

🧾 Confirm incident comms/legal workflows are ready before you need them (speed matters).

🕵️ Hunt for pre-ransom signals: unusual remote tooling, credential theft indicators, lateral movement patterns.

⚙️ Immediate Leadership Checklist ⚙️

🛑 Eliminate Telnet exposure; patch where removal isn’t immediately possible

🍏 Enforce Apple WebKit security update compliance for high-risk users

🩹 Patch Wing FTP and reduce internet exposure for file transfer services

💎 Tighten repo controls (no force-push on protected branches) and rotate CI/dev tokens

🌐 Lock down SD-WAN management access and monitor for config/admin anomalies

🧯 Re-validate ransomware readiness: backups, restore drills, and escalation playbooks

💡 If you’re still treating “legacy” like a harmless leftover, attackers will happily turn it into your next incident bridgehead. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)
