March 2026 Threat Report: New Critical Risks Span the Enterprise Attack Surface

This month exposed new cyber security risks at all levels of enterprise IT infrastructure. New critical vulnerability exposure emerged in perimeter networking gear and core network appliances. Other risks included actively exploited flaws in major browsers, enterprise email clients, agentic workflow platforms, core OS components, and virtually every other aspect of the enterprise IT ecosystem. In 2026, hunting for new vulnerabilities regularly is a fundamental cyber security activity and an essential component of an Exposure Management approach to cybersecurity.

Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

CitrixBleed 3: Memory Leak in Citrix Netscaler ADC and Gateway Actively Exploited

CVE-2026-3055 (CVSS 9.3) is a memory disclosure flaw that is exploitable remotely and without authentication. The root cause is insufficient input validation allowing out-of-bounds memory read access [CWE-125]. The flaw affects NetScaler ADC and NetScaler Gateway appliances configured as a SAML Identity Provider (IDP), reported to be a common single-sign-on (SSO) configuration.

Active reconnaissance for authentication methods in the /cgi/GetAuthMethods endpoint was reported 3 days post-disclosure. On March 30th, CVE-2026-3055 was added to CISA’s KEV list and was reported as actively exploited by other sources. A full technical analysis with exploit code has been published. The flaw resembles previous memory leak flaws affecting Netscaler ADC and Gateway, dubbed CitrixBleed and CitrixBleed 2, whose use for initial access is well documented [1][2][3][4]. Several national cyber security agencies have issued alerts for the new CVEs [5][6][7][8][9][10][11][12][13][14][15][16][17][18].

Citrix reported another high severity flaw in the same report. CVE-2026-4368 (CVSS 7.7) is a race condition bug that can cause user session mix-up on gateway or AAA virtual server configurations. See the official security advisory for more information, including affected versions for both new CVEs. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify appliances that are potentially vulnerable to CVE-2026-3055 [19] and a similar check for CVE-2026-4368 [20].

SharePoint Actively Exploited, RegPwn, and Other Emerging Microsoft Risks

CVE-2026-20963 (CVSS 8.8, EPSS ≥ 91st pctl) affecting Microsoft SharePoint and published in January 2026, was added to CISA’s KEV list in March. The flaw is caused by improper deserialization of untrusted data [CWE-502] and could allow arbitrary remote code execution (RCE) to an authenticated attacker. The vulnerability attracted global attention from national CERT agencies [1][2][3][4][5][6][7][8][9][10][11]. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for Microsoft SharePoint Server 2019 and Microsoft SharePoint Enterprise Server 2016 [12][13].

Other high-profile risks affecting Microsoft products in March 2026 include:

  • CVE-2026-24291 (CVSS 7.8): An incorrect permission assignment for a critical resource [CWE-732] in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized local attacker to elevate privileges and modify Windows Registry keys. Dubbed RegPwn, full technical descriptions [14][15] and proof-of-concept (PoC) exploit code are publicly available, increasing risk. The OPENVAS ENTERPRISE FEED includes registry checks for vulnerability detection across Windows OS versions.
  • CVE-2026-26110 (CVSS 7.8): A type confusion flaw [CWE-843] in Microsoft Office allows an unauthorized local attacker to execute arbitrary code with high-level privileges. The OPENVAS ENTERPRISE FEED includes package version detection for Windows and macOS versions of Microsoft Office [16][17].
  • CVE-2026-26113 (CVSS 7.8): An untrusted pointer dereference vulnerability [CWE-822] in Microsoft Office allows an unauthorized local attacker to execute arbitrary code with high-level privileges. The OPENVAS ENTERPRISE FEED includes package version detection for Windows and macOS versions of Microsoft Office [16][17] and SharePoint for Windows [18][19].

CVE-2026-33017: Langflow API Actively Exploited for Unauthenticated RCE

CVE-2026-33017 (CVSS 9.8, EPSS ≥ 90th pctl) is an unauthenticated RCE flaw that can be exploited via a malicious HTTP request. The CVE affects any network-exposed Langflow instances prior to version 1.9.0. CVE-2026-33017 has been reported as actively exploited by multiple sources [1][2]. Several technical analyses [2][3][4] and public PoC exploits [3] exist, increasing the risk. Multiple CERT alerts have been issued globally [5][6][7][8][9].

Langflow is an open-source “low-code” platform for building, testing, and deploying agentic AI and LLM-enabled workflows. The flaw exists in Langflow’s API endpoint for building public flows. By design, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without authentication. The official Langflow API documentation states that Build Public Tmp only works for workflows marked as public in the database. The vulnerability arises when the optional data parameter is supplied: Langflow uses attacker-controlled flow code, which may contain arbitrary Python code, instead of the stored code from the database. This code is passed to exec() without sandboxing, resulting in unauthenticated RCE.
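The selection logic described above, as an added example that is not Langflow's own code: a minimal Python model of a public build endpoint in which the optional `data` parameter overrides the stored flow (the vulnerable pattern) beside a hardened version that only ever runs the flow stored and marked public in the database. The in-memory store, the `run_flow` stand-in and the hardened behaviour are assumptions for illustration, not the upstream fix.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredFlow:
    flow_id: str
    is_public: bool
    code: str  # flow code as persisted in the database


# Constructed in-memory stand-in for the flows table (not real Langflow data).
FLOWS = {
    "pub-1": StoredFlow("pub-1", True, "result = 'stored public flow ran'"),
    "priv-1": StoredFlow("priv-1", False, "result = 'stored private flow ran'"),
}


def run_flow(code: str) -> str:
    """Hypothetical executor stand-in: exec() the selected source, return 'result'.

    Emptying __builtins__ is NOT a sandbox; it only keeps this demo inert.
    """
    namespace: dict = {}
    exec(code, {"__builtins__": {}}, namespace)
    return str(namespace.get("result", ""))


def build_public_tmp_vulnerable(flow_id: str, data: Optional[dict] = None):
    """Bug pattern: caller-supplied 'data' wins over the flow stored in the DB."""
    flow = FLOWS.get(flow_id)
    if flow is None or not flow.is_public:
        return 404, "flow not found or not public"
    code = data["code"] if data is not None else flow.code
    return 200, run_flow(code)


def build_public_tmp_hardened(flow_id: str, data: Optional[dict] = None):
    """Hardened: the unauthenticated public endpoint never takes code from the request."""
    if data is not None:
        return 400, "flow overrides are not accepted on the public build endpoint"
    flow = FLOWS.get(flow_id)
    if flow is None or not flow.is_public:
        return 404, "flow not found or not public"
    return 200, run_flow(flow.code)
```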

The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances of Langflow. Users should upgrade to version 1.9.0.

Living On The Edge: Perimeter Security Risks Emerging in March 2026

Exploitation of perimeter networking devices has been consistently measured as a top initial-access vector in cyber breaches. New vulnerabilities affecting key perimeter devices are published continuously and defenders need to be able to detect and patch these exposed entry points reliably. Here are several high-risk vulnerabilities affecting perimeter networking devices that emerged in March 2026:

New Cisco Firewall Flaws Ignite Perimeter Risk

Cisco published a group of 48 CVEs affecting its firewall product line, including two critical CVSS 10 vulnerabilities. One of these, CVE-2026-20131, was soon added to CISA’s KEV list. Active exploitation was also confirmed by Cisco. Ransomware attacks exploiting CVE-2026-20131 have been attributed to the Interlock threat actor. Numerous national CERT advisories have been issued globally [1][2][3][4][5][6][7][8][9][10][11][12][13][14].

Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for all 48 CVEs disclosed in Cisco’s security advisory, and a family of tests dedicated to Cisco software flaws. Users are advised to identify affected products in their network, apply patches immediately, and conduct breach assessments by hunting for any indicators of compromise (IoCs) [15]. The highest risk CVEs from the group are described below:

  • CVE-2026-20131 (CVSS 10, EPSS 71st pctl): Insecure deserialization [CWE-502] of a user-supplied Java byte stream allows unauthenticated Java RCE with root privileges. The flaw affects the web-based management interface of Cisco Secure Firewall Management Center (FMC). If the FMC management interface is not internet accessible, the attack surface is significantly reduced.
  • CVE-2026-20079 (CVSS 10, EPSS 90th pctl): A flawed system process is created at boot time that allows a remote attacker to bypass authentication [CWE-288] via crafted HTTP requests and execute script files. This may allow an attacker to obtain root privileges on the underlying OS. A full technical analysis and PoC exploit code are publicly available, increasing the risk. CVE-2026-20079 affects the web interface of Cisco Secure FMC.

CVE-2026-22557: CVSS 10 Unauthenticated Account Takeover on Ubiquiti UniFi Network Application

CVE-2026-22557 (CVSS 10) allows unauthorized account takeover through a path-traversal flaw [CWE-22] that lets attackers manipulate files on the underlying system. Public technical details are available and researchers assess that automated exploitation is trivial. Risk is also elevated because Ubiquiti network products are widely used. Multiple national CERT agencies have issued alerts globally [1][2][3][4][5].

Another CVE published in the same vendor advisory poses additional high risk:

  • CVE-2026-22559 (CVSS 8.8): An input validation flaw that is exploitable via social engineering if an attacker can trick a victim who has network access to a Ubiquiti UniFi Network Application web interface into clicking a malicious link.

CVE-2026-22557 affects Ubiquiti UniFi Network Application version 10.1.85 and earlier, Release Candidate 10.2.93 and earlier, and UniFi Express version 9.0.114 and earlier. OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances. Mitigation instructions for both aforementioned CVEs are available on the vendor’s official security advisory.

Other Notable Security Risks Affecting Perimeter Networking Devices

Other emerging threats to perimeter networking devices in March 2026 include:

F5 BIG-IP APM Access Policy

CVE-2025-53521 (CVSS 7.5) is an actively exploited flaw that allows attackers to trigger Denial of Service (DoS) on F5 BIG-IP if an APM Access Policy is configured on a virtual server. National CERT agencies have issued alerts [1][2][3][4][5][6][7][8][9][10][11][12][13][14]. The OPENVAS ENTERPRISE FEED provides package-level detection for CVE-2025-53521 and a dedicated family of F5 security checks.

Juniper Networks Junos OS Evolved on PTX Series

CVE-2026-21902 (CVSS 9.8) is an Incorrect Permission Assignment for Critical Resource flaw [CWE-732] that allows unauthenticated RCE as root. CVE-2026-21902 affects the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series. The On-Box Anomaly detection framework is enabled by default. This flaw affects all PTX Series 25.4 versions before 25.4R1-S1-EVO and 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO or Junos OS. A detailed technical description is publicly available, reducing the burden for exploit development. Numerous national CERT agencies have published alerts [1][2][3][4][5][6][7][8][9][10][11]. The OPENVAS ENTERPRISE FEED provides an active check and a remote banner check for CVE-2026-21902, as well as a dedicated family of authenticated security checks for Junos OS. See the vendor’s official advisory for more information.

Critical and High-Severity Flaws in HPE Aruba Networking Products

Hewlett-Packard Enterprise (HPE) published an advisory on March 10th, disclosing one critical and three high-severity CVEs in their Aruba networking AOS-CX switches. Multiple national CERT advisories were issued globally for the group of vulnerabilities [1][2][3][4][5][6][7][8][9][10][11][12]. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check for all CVEs disclosed in the advisory, which are described below. Users are strongly encouraged to identify any vulnerable AOS-CX appliances in their environment and update to the most recent version.

  • CVE-2026-23813 (CVSS 9.8): An improper authentication flaw [CWE-287] in the web-based management interface of AOS-CX switches allows an unauthenticated remote attacker to circumvent existing authentication controls, including resetting the admin password.
  • CVE-2026-23814 (CVSS 8.8): A command injection flaw [CWE-77] affecting the parameters of certain AOS-CX command-line interface (CLI) commands could allow an authenticated low-privilege remote attacker to inject malicious commands.
  • CVE-2026-23815 (CVSS 7.2): A command injection flaw [CWE-77] in a custom binary used in the AOS-CX CLI could allow an authenticated remote attacker with high privileges to execute unauthorized commands.
  • CVE-2026-23816 (CVSS 7.2): A command injection flaw [CWE-77] in the command line interface of AOS-CX switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
  • CVE-2026-23817 (CVSS 6.5): A vulnerability in the web-based management interface of AOS-CX switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL [CWE-601].

A Spotlight on Shadow IT: OpenClaw (Clawd/Moltbot) AI Agent

OpenClaw (previously Clawd and Moltbot) is an open-source agentic AI assistant that can execute system-level tasks on behalf of a human user. OpenClaw’s capabilities include sending email, reading and writing files, and interacting with web services and APIs. The software was originally released as Clawd in November 2025, was rebranded to Moltbot in early 2026, and then rebranded again to OpenClaw [1].

Despite OpenClaw’s rise in popularity, criticism from the security community has been harsh [2][3][4][5]. Germany’s BSI listed over 60 vulnerabilities, and since its release, over 200 CVEs have been issued for the popular but unstable AI agent including 32 critical severity CVEs released in March 2026 alone. The most severe of the vulnerabilities allow unauthenticated RCE in the OpenClaw context. National CERT alerts have been issued for the product [1][2][3].

Considering the operational risks OpenClaw poses to organizations in terms of unauthorized access and data security, it should be banned from use. The OPENVAS ENTERPRISE FEED includes remote and local authenticated product detection for OpenClaw. Security teams can set alerts to notify them if OpenClaw is detected within their network.

Unauthenticated RCE in Wazuh Manager via Cluster Mode Worker Nodes

CVE-2026-25769 (CVSS 9.1) is an RCE that allows an authorized attacker with access to a cluster worker node to execute code on the master node as root. The root cause is flawed deserialization of untrusted data [CWE-502]. Risk is elevated because successful compromise of any worker in cluster mode can lead to full root-level compromise of the master node. A full technical analysis and PoC exploit kit are publicly available for CVE-2026-25769, lowering the barrier for attackers. Several national CERT agencies have issued alerts [1][2][3].

Five other CVEs were included in the disclosure by Wazuh, including one additional critical severity flaw: CVE-2025-30201 (CVSS 9.1) allows authenticated attackers to force NTLM authentication through malicious UNC paths via agent configuration settings, potentially leading to NTLM relay attacks [CWE-294] for privilege escalation and RCE. Technical details and a PoC exploit are publicly available online.

The newly disclosed CVEs affect various version ranges of Wazuh Manager, but all require patching to version 4.14.3 or higher. The OPENVAS ENTERPRISE FEED includes detection for all aforementioned CVEs [1][2][3][4], and prior vulnerabilities affecting Wazuh. Users should consult Wazuh’s security advisories for specific details on each vulnerability.

n8n Agentic Workflow Platform Exposes New Critical Flaws

In recent months numerous critical and high-severity vulnerabilities have been exposed in the popular agentic workflow platform n8n. Attackers are starting to take advantage; on March 11th, 2026, CVE-2025-68613 (CVSS 8.8) was added to CISA’s KEV list. CVE-2025-68613 and other n8n flaws were covered in Part 2 of the January 2026 Threat Report.

Flawed expression evaluation has been a common cause of vulnerabilities. n8n expressions are specially formatted strings that allow dynamic manipulation of data for batch processing tasks, among other use cases. The highest-risk CVEs affecting n8n that emerged in March 2026 include:

  • CVE-2026-27495 (CVSS 9.9): An authenticated user with workflow permissions can exploit a vulnerability in the JavaScript Task Runner to execute arbitrary code outside the sandbox boundary. On instances using the default internal Task Runners this could result in full compromise of the n8n host. Exploitability depends on Task Runners being enabled with the N8N_RUNNERS_ENABLED=true setting.
  • CVE-2026-27577 (CVSS 9.9): An authenticated user with workflow permissions can abuse crafted expression parameters to trigger unintended command execution on the n8n host. This flaw allows bypass of security measures put in place to restrict command execution capabilities.
  • CVE-2026-33696 (CVSS 8.8): An authenticated user with workflow permissions can exploit a prototype pollution vulnerability in the XML and GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype` and achieve RCE.
  • CVE-2026-33660 (CVSS 9.4): An authenticated user with workflow permissions can use the Merge node’s “Combine by SQL” mode to read local files on the n8n host and achieve RCE.

The OPENVAS ENTERPRISE FEED includes detection for all CVEs mentioned above [1][2][3][4] and other known n8n flaws. Each flaw affects various v1.x and v2.x instances of n8n. In many cases, if patches cannot be applied immediately, system administrators may disable affected nodes using the NODES_EXCLUDE environment variable. However, there are no workarounds offering full mitigation for any of the CVEs. Mitigation depends on updating to the latest version of n8n. See n8n’s security advisories for a complete list of vulnerabilities with descriptions.

Other Notable Critical Risk CVEs Emerging in March 2026

Let’s wrap up this month’s threat report with a quick-fire round of other emerging threats in March 2026:

CVE-2026-3564 (CVSS 9.0) in ConnectWise ScreenConnect prior to version 26.1

An attacker with access to configuration files can extract a device’s machine key and use it for session authentication. ScreenConnect is a remote support and remote access platform that lets IT staff securely connect to attended or unattended devices. Several national CERT alerts have been issued [1][2][3]. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.

CVE-2026-27944 (CVSS 9.8) in Nginx UI prior to v2.3.3

An unauthenticated remote attacker can download a full backup of the underlying system containing sensitive data, including user credentials, session tokens, SSL private keys, and Nginx server configurations. The flaw is due to the /api/backup endpoint being accessible without authentication and disclosing the encryption keys to decrypt the backup. Full technical analysis and PoC exploits are publicly available [1][2] and several national CERT alerts have been issued [3][4][5][6][7][8]. Nginx UI is a web user interface for the Nginx web server. The OPENVAS ENTERPRISE FEED includes an active check to identify affected instances.

CVE-2025-66168 (CVSS 8.8) in Apache ActiveMQ Message Broker

An integer overflow flaw [CWE-190] results in failure to properly validate the MQTT control packet’s remaining length field. Exploitation may lead to unexpected behavior including Denial of Service (DoS). The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected Apache ActiveMQ instances. See the vendor’s announcement for more details.
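The MQTT remaining-length field referred to above is a variable-length integer of one to four bytes, seven payload bits per byte, so the largest legal value is 268,435,455. The following added Python example (not ActiveMQ's code; the exact ActiveMQ code path is not shown and is an assumption) puts a spec-conformant decoder beside an unchecked decoder that emulates 32-bit arithmetic, to show how a fifth continuation byte wraps the computed length negative, the integer-overflow class of bug the paragraph describes.

```python
MAX_REMAINING_LENGTH = 268_435_455  # encoded as FF FF FF 7F; four bytes max per spec


def to_int32(value: int) -> int:
    """Emulate a 32-bit signed integer (Java 'int' wrap-around semantics)."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def decode_remaining_length_unchecked(buf: bytes) -> int:
    """Bug pattern: no limit on the number of length bytes, 32-bit accumulation."""
    value, multiplier, i = 0, 1, 0
    while True:
        byte = buf[i]
        value = to_int32(value + (byte & 0x7F) * multiplier)
        multiplier = to_int32(multiplier * 128)
        i += 1
        if not byte & 0x80:  # continuation bit clear: last length byte
            return value


def decode_remaining_length(buf: bytes) -> tuple:
    """Spec-conformant decoder returning (remaining_length, bytes_consumed).

    Raises ValueError when the field is truncated, longer than four bytes,
    or decodes above the protocol maximum.
    """
    value, multiplier = 0, 1
    for i in range(4):
        if i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            if value > MAX_REMAINING_LENGTH:
                raise ValueError("remaining length exceeds protocol maximum")
            return value, i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length: more than four bytes")


def is_malformed_remaining_length(buf: bytes) -> bool:
    """True when the conformant decoder rejects the field."""
    try:
        decode_remaining_length(buf)
        return False
    except ValueError:
        return True


def validate_fixed_header(packet: bytes) -> tuple:
    """Check that the declared remaining length matches the bytes actually present.

    packet[0] is the MQTT control-packet type/flags byte; the length field follows.
    """
    remaining, consumed = decode_remaining_length(packet[1:])
    body = packet[1 + consumed:]
    if len(body) != remaining:
        raise ValueError(f"declared {remaining} body bytes, got {len(body)}")
    return remaining, consumed
```

A broker that trusts the unchecked value would size a buffer or loop from a negative or wrapped length, which is the kind of unexpected behaviour and DoS the advisory describes.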

CVE-2026-1603 (CVSS 7.3, EPSS 65th pctl) in Ivanti Endpoint Manager prior to 2024 SU5

A new actively exploited authentication bypass vulnerability [CWE-288] could be exploited to leak credential data from Ivanti Endpoint Manager devices before version 2024 SU5. The OPENVAS ENTERPRISE FEED includes a remote banner check to detect CVE-2026-1603 and CVE-2026-1602 (CVSS 6.5). The two CVEs were disclosed in February 2026, and patches are available from Ivanti’s security advisory. No PoC exploit or detailed technical analysis is publicly available.

CVE-2026-21643 (CVSS 9.8) in FortiClientEMS v7.4.x prior to v7.4.5

An improper neutralization of special elements allows SQL injection [CWE-89] in Fortinet FortiClientEMS 7.4.x prior to v7.4.5. Exploitation can lead to unauthenticated RCE via specifically crafted HTTP requests. A technical root-cause analysis has been published, potentially enabling rapid exploit development. Numerous national CERT alerts have been issued [1][2][3][4][5][6][7][8][9][10][11][12][13]. The OPENVAS ENTERPRISE FEED provides a remote banner check for CVE-2026-21643. Update to version 7.4.5 or later. See Fortinet’s official advisory for more information.

Summary

March 2026 brought new cyber risk at all levels of enterprise IT infrastructure. Perimeter networking gear and network appliances were hit especially hard. Other emerging threats included actively exploited flaws in major browsers, enterprise email clients, agentic workflow platforms, core OS components, and virtually every other aspect of the enterprise IT ecosystem. In 2026, hunting for new vulnerabilities regularly is a fundamental cyber security activity, and an essential component of an Exposure Management approach to cybersecurity.