Multiple Vulnerabilities in Google Android OS
Could Allow Remote Code Execution

Multiple vulnerabilities have been identified in the Google Android operating system. The most critical of these flaws could allow an attacker to execute code remotely on affected devices.

Android is a mobile operating system developed by Google and used on a wide range of devices, including smartphones, tablets, and smartwatches. If successfully exploited, the most severe vulnerability could enable attackers to run malicious code on the device. Depending on the privileges of the compromised component, attackers may be able to install applications, view or modify data, delete files, or create new accounts with full administrative rights.

Google has reported that CVE-2026-21385 may already be experiencing limited, targeted exploitation.

Affected Systems

• Android devices running patch levels prior to March 5, 2026

Risk Level

• Large and Medium Businesses: High
• Small Businesses: Medium

Recommended Actions

• Ensure all Android devices are updated to the latest available security patch level.
• Implement the Principle of Least Privilege, limiting administrative permissions only to users who require them.

Reference
https://source.android.com/docs/security/bulletin/2026/2026-03-01#framework

Multiple Vulnerabilities in Cisco Products
Could Allow Remote Code Execution

Multiple vulnerabilities have been discovered in several Cisco security products. The most severe of these flaws could allow an attacker to execute code remotely on affected systems.

The vulnerabilities impact several Cisco firewall and management platforms, including:

• Cisco Secure Firewall Management Center (FMC) – A centralized management platform used to configure and monitor Cisco firewalls.
• Cisco Secure Firewall Adaptive Security Appliance (ASA) Software – The core operating system that powers the Cisco ASA family of firewalls.
• Cisco Secure Firewall Threat Defense (FTD) – A unified software image for Cisco Firepower appliances that combines ASA firewall functionality with Snort intrusion prevention, URL filtering, and advanced malware protection.

Successful exploitation of the most critical vulnerabilities could allow an attacker to execute arbitrary code with root privileges, potentially leading to a complete compromise of the affected device.

Affected Systems

• Cisco Secure Firewall Management Center (FMC) versions prior to 10.0.1
• Cisco Secure Firewall Adaptive Security Appliance (ASA) Software versions prior to 9.23.1.26
• Cisco Secure Firewall Threat Defense (FTD) Software versions prior to 7.7.11

Risk Level

• Large and Medium Businesses: High
• Small Businesses: Medium

Recommended Actions

• Ensure all Cisco products are updated to the latest available software versions.
• Implement the Principle of Least Privilege, restricting elevated permissions to only those users who require them.
  

https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75736

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-m9sx6MbC

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-dos-SpOFF2Re

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-FCvLD6vR

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sql-injection-2qH6CcJd

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ikev2-dos-eBueGdEG

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-esp-dos-uv7yD8P5

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-scpcxt-filecpy-rgeP73nE

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ospf-ZH8PhbSW

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dnd-dos-bpEcg7B7

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-cmd-inj-mTzGZexf

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-LktTrwZP

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-xss-uwjc4HR

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-luainject-VescqgmS

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inject-S9ZM4EJf

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdfmc-dir-trav-wERgjhWq

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-aclbypass-dos-CVxVRSvQ

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3ssl-FBEKYXpH

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort-bypass-rLggKzVF

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tcp-dos-rHfqnwRg

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-multi-dos-XFWkWSwz

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3-vbavuls-96UcVVed

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssh-keybypass-cr5xPUSf

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-desync-n5AVzEQw

Vulnerability in pac4j-jwt (JwtAuthenticator)
Could Allow Authentication Bypass

A vulnerability has been discovered in pac4j-jwt (JwtAuthenticator) that could allow an attacker to bypass authentication controls.

pac4j-jwt is a Java module within the pac4j security framework used to generate, validate, and manage JSON Web Tokens (JWTs) for securing web applications and services. The module supports both signed and encrypted tokens and commonly relies on the Nimbus JOSE+JWT library to handle authentication, user profile generation, and signature configuration.

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to bypass authentication mechanisms and log in as any user—including administrators—without knowing valid credentials or secrets. This could allow attackers to gain unauthorized access and perform actions with elevated privileges.

Affected Systems

• pac4j-jwt 4.x: Versions prior to 4.5.9
• pac4j-jwt 5.x: Versions prior to 5.7.9
• pac4j-jwt 6.x: Versions prior to 6.3.3

Risk Level

• Large and Medium Businesses: High
• Small Businesses: High

Recommended Actions

• Apply the latest security updates provided by pac4j-jwt or vendors that include this library as soon as possible after appropriate testing.
• Implement the Principle of Least Privilege, limiting administrative or elevated permissions to only users who require them.

Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29000

Possible U.S.-Developed Exploit Framework
Identified in Global iOS Attacks

Researchers have identified a large-scale campaign involving an iOS exploit framework that has reportedly compromised at least 42,000 devices, according to CyberScoop.

The framework, known as “Coruna,” is believed to have originally been developed by the U.S. government before being leaked and later repurposed by cybercriminal groups and foreign nation-state actors. Security researchers from iVerify and the Google Threat Intelligence Group (GTIG) have published separate reports analyzing the toolkit and its use in ongoing attacks.

According to GTIG, the Coruna exploit kit includes five complete iOS exploit chains and a total of 23 exploits. The framework is notable for its advanced capabilities, including the use of non-public exploitation techniques and methods designed to bypass built-in iOS security protections.

Researchers have observed the toolkit being used in attacks by China-based cybercriminal groups, as well as by a Russian espionage actor targeting Ukrainian individuals and organizations.

iVerify researchers describe the activity as the first known large-scale criminal campaign exploiting mobile phones—including iOS devices—using tools likely originally developed by a nation-state.

Iran’s MuddyWater Infiltrates Multiple U.S. Organizations

The Iranian state-sponsored threat actor MuddyWater (also known as Seedworm or Static Kitten) has compromised several organizations in the United States and abroad, according to researchers at Symantec.

In early February 2026, the group reportedly infiltrated multiple entities, including a U.S. bank, an airport, several U.S. and Canadian non-profit organizations, and the Israeli operations of a U.S.-based software company. During these intrusions, the attackers deployed a newly identified backdoor called “Dindoor,” as well as a Python-based backdoor known as “Fakeset.”

The activity continued even after U.S. and Israeli military strikes on Iran beginning on February 28, 2026. Researchers note that it remains unclear whether the ongoing conflict has disrupted MuddyWater’s operations. However, the group’s existing access to networks in the United States and Israel prior to the escalation of hostilities places it in a potentially dangerous position to conduct further cyberattacks.

The U.S. government has attributed MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS).