This Week in Cybersecurity
The first week of March 2026 opened with a sobering reality check from Google: 90 zero-day vulnerabilities were actively exploited in 2025, with enterprise technology accounting for a record 48% of all exploits. Commercial spyware vendors have now surpassed nation-states as the leading exploiters — a fundamental shift in the threat landscape.
On the defensive side, law enforcement delivered a major win. Europol and Microsoft dismantled Tycoon2FA, the phishing-as-a-service platform that was bypassing MFA for over 500,000 organizations monthly. Meanwhile, CISA issued an emergency directive for Cisco SD-WAN after a CVSS 10 authentication bypass was confirmed exploited since 2023.
This was also a heavy week for breaches: LexisNexis confirmed a cloud breach exposing 400K profiles including federal judges and DOJ attorneys, and Cloudflare's inaugural threat report revealed it now blocks 230 billion cyber threats daily.
Top Stories
Google: 90 Zero-Days Exploited in 2025 — Enterprise Tech at All-Time High
Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities actively exploited in 2025, down from 98 in 2024 but still far above the pre-2021 baseline. The most alarming shift: enterprise software and appliances now account for 48% of all zero-day exploitation — an all-time high. Commercial spyware vendors surpassed nation-states as the leading exploiters for the first time, with browsers and mobile devices remaining primary targets.
Cisco SD-WAN CVSS 10 Zero-Day: CISA Emergency Directive
A maximum-severity authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127, CVSS 10.0) has been actively exploited by threat actor UAT-8616 since 2023, compromising government and critical infrastructure networks. CISA issued Emergency Directive 26-03, requiring federal agencies to apply patches within 72 hours — the first emergency directive of 2026.
Europol Dismantles Tycoon2FA Phishing Platform
An international coalition led by Europol and Microsoft took down Tycoon2FA, a phishing-as-a-service platform that used adversary-in-the-middle techniques to bypass MFA and targeted over 500,000 organizations monthly. The operation seized 330 domains and stopped 87.5 million phishing messages. A key suspect was identified in Pakistan.
LexisNexis Cloud Breach Exposes Government Data
LexisNexis Legal & Professional confirmed a data breach after threat actor FulcrumSec exploited an unpatched React2Shell vulnerability to exfiltrate 2.04 GB of data from AWS infrastructure, including profiles of federal judges and DOJ attorneys. The breach exposed 400,000 user profiles from government, law enforcement, and legal organizations.
Cloudflare: 230 Billion Daily Threats, Bots at 94% of Logins
Cloudflare's inaugural threat intelligence report reveals its network blocks 230 billion cyber threats daily, with DDoS attacks doubling to 47.1 million and bots accounting for 94% of all login attempts. The report highlights a fundamental shift from "breaking in" to "logging in" — credential abuse now dominates over traditional exploitation.
Operation Epic Fury: 60+ Hacktivist Groups Enter Iran Conflict
Following the joint U.S.-Israeli military operation against Iran, Palo Alto Networks Unit 42 documented an unprecedented cyber escalation with 60+ hacktivist groups conducting retaliatory attacks. Weaponized Android apps mimicking Israel's RedAlert emergency system were deployed alongside DDoS campaigns and website defacements across both sides.
More Headlines This Week
- BlackCat Insider Threat: Two former cybersecurity incident responders pleaded guilty to moonlighting as BlackCat ransomware affiliates, attacking five companies including three healthcare organizations while employed at legitimate security firms.
- Android March 2026 Patches: Google addressed 129 vulnerabilities including an actively exploited Qualcomm zero-day (CVE-2026-21385) affecting 234 chipsets.
- Mail2Shell Zero-Click RCE: A CVSS 10 zero-click vulnerability in FreeScout helpdesk allows full server compromise by simply sending a malicious email. Patched in FreeScout 1.8.207.
- VMware Aria Operations KEV: CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities catalog after confirming active exploitation of this command injection flaw.
- Satellite Receiver RCE: A critical unauthenticated RCE in IDC SFX SuperFlex satellite receivers via default SNMP community string puts broadcast infrastructure at risk.
- Phobos Admin Guilty Plea: Russian national Evgenii Ptitsyn pleaded guilty to operating the Phobos ransomware-as-a-service platform that victimized 1,000+ organizations and extorted $39M+.
- Gambling Ring Bust: Spanish-Ukrainian police dismantled a criminal organization exploiting war refugees to launder nearly EUR 4.75 million through online gambling platforms.
New on the Lab
Project: Deception Technology Lab
Deploy a full deception technology stack using T-Pot and OpenCanary to capture real attacker behaviour, generate threat intelligence, and sharpen your incident detection skills. This hands-on project walks you through honeypot deployment, log aggregation, and alert tuning.
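As an added illustration of the alert-tuning step (example code written for this newsletter, not part of the Deception Technology Lab project or of OpenCanary itself), the script below reads honeypot events in OpenCanary's JSON-per-line style, drops known-noise sources, and collapses per-event noise into one ranked alert per attacking host. The sample log lines are constructed, and the field names ("logtype", "src_host", "logdata") and logtype codes used (4002 for an SSH login attempt, 3001 for an HTTP login attempt) are assumptions; adjust them to match the log format your deployment actually produces.

```python
"""Added example: triage OpenCanary-style honeypot events for alert tuning.

Assumptions (not from the newsletter or the OpenCanary project): one JSON
object per line with "logtype", "src_host", "dst_port" and "logdata" fields;
the logtype codes 4002 (SSH login attempt) and 3001 (HTTP login attempt)
and every sample line below are constructed for this example.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log lines in a JSON-per-line shape (RFC 5737 test addresses).
SAMPLE_LOG = """\
{"dst_port": 22, "logtype": 4002, "src_host": "203.0.113.10", "logdata": {"USERNAME": "root", "PASSWORD": "123456"}}
{"dst_port": 22, "logtype": 4002, "src_host": "203.0.113.10", "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}}
{"dst_port": 22, "logtype": 4002, "src_host": "203.0.113.10", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}}
{"dst_port": 80, "logtype": 3001, "src_host": "198.51.100.7", "logdata": {"USERNAME": "svc-backup", "PASSWORD": "x"}}
{"dst_port": 22, "logtype": 4002, "src_host": "10.0.0.5", "logdata": {"USERNAME": "monitor", "PASSWORD": "x"}}
"""

# Hosts whose probes are expected noise (e.g. your own vulnerability scanner).
ALLOWLIST = {"10.0.0.5"}
# Human-readable names for the (assumed) logtype codes used in the samples.
LOGTYPE_NAMES = {4002: "ssh-login", 3001: "http-login"}


def parse_events(text):
    """Parse JSON-per-line honeypot output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not stop the whole batch
    return events


def tune_alerts(events, allowlist=ALLOWLIST, burst_threshold=3):
    """Return one alert per source host, ranked by severity then volume.

    Severity rules (this example's own, not OpenCanary's):
    - events from allowlisted hosts are dropped entirely
    - burst_threshold or more events from one host -> "high"
    - anything else that touched the honeypot -> "medium"
    """
    by_host = defaultdict(list)
    for ev in events:
        src = ev.get("src_host")
        if src is None or src in allowlist:
            continue
        by_host[src].append(ev)

    alerts = []
    for src, evs in by_host.items():
        usernames = Counter(ev.get("logdata", {}).get("USERNAME") for ev in evs)
        services = sorted(
            {LOGTYPE_NAMES.get(ev.get("logtype"), str(ev.get("logtype"))) for ev in evs}
        )
        severity = "high" if len(evs) >= burst_threshold else "medium"
        alerts.append({
            "src_host": src,
            "count": len(evs),
            "severity": severity,
            "services": services,
            "usernames": dict(usernames),
        })
    # "high" first, then by descending event count.
    alerts.sort(key=lambda a: (a["severity"] != "high", -a["count"]))
    return alerts


if __name__ == "__main__":
    for alert in tune_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is it prints two alerts: a "high" one for 203.0.113.10 (three SSH attempts, usernames root and admin) and a "medium" one for 198.51.100.7; the scanner at 10.0.0.5 is suppressed. Raising `burst_threshold` or extending `ALLOWLIST` is the tuning knob: on a honeypot every touch is suspicious, so the goal is to rank and deduplicate, not to discard.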
HOWTO: Microsoft Entra PIM — Just-in-Time Admin Access
Step-by-step guide to deploying Microsoft Entra Privileged Identity Management (PIM) for just-in-time role activation, approval workflows, access reviews, and eliminating standing privileged access. Essential reading for any organization pursuing Zero Trust identity.
AI Leaderboard Update
The AI Leaderboard has been refreshed with March 6 rankings. Notable movements:
Chatbot Arena (ELO):
- Claude Opus 4.6 retains #1 at ELO 1504 (non-thinking variant now leads)
- Gemini 3.1 Pro Preview debuts at #2 (1500)
- New entries: Grok 4.20 Beta1 at #4 (1493) and GPT-5.4 (high) at #7 (1480)
Key Shift: The top 10 now includes four Google models (Gemini 3.1 Pro, Gemini 3 Pro, Gemini 3 Flash) plus new entries from xAI and OpenAI, making it the most competitive leaderboard we have seen.
By the Numbers
| Metric | Value |
|---|---|
| Zero-days exploited in 2025 | 90 (48% enterprise) |
| Cisco SD-WAN CVSS score | 10.0 (max) |
| Tycoon2FA domains seized | 330 |
| LexisNexis profiles exposed | 400,000 |
| Cloudflare daily threats blocked | 230 billion |
| Phobos victims worldwide | 1,000+ |
| Android CVEs patched | 129 |
| Hacktivist groups in Epic Fury | 60+ |
CosmicBytez Labs — IT & Cybersecurity Intelligence Hub