Exploit Brokers by Forgebound Research
Hey there,
It's Cipherceval. What do you call a security appliance that's supposed to protect your entire firewall infrastructure but can be taken over by an unauthenticated attacker with a single HTTP request? This week we've got five stories, and they all share one theme: the things we trust most are the things being targeted. From two CVSS 10.0 Cisco flaws to a nation-state AI malware assembly line, the largest Android update in 8 years, a China-linked telecom APT, and a breach caused by the password Lexis1234. Let's get into it.
CRITICAL - CVSS 10.0
Cisco Secure FMC - Two Maximum-Severity Vulnerabilities
Cisco disclosed 48 firewall vulnerabilities on March 4, but two sit at the very top of the severity scale. CVE-2026-20079 is an authentication bypass caused by an improperly initialized boot-time process. An unauthenticated attacker sends crafted HTTP requests and gets root access to the device that manages your entire firewall fleet. That's the golden goose of hacking right there.
CVE-2026-20131 is a completely separate issue: remote code execution via insecure Java deserialization in the FMC web interface. Both carry CVSS 10.0, both have a scope of "Changed" (exploiting FMC compromises managed firewall devices), and no workarounds exist. Patch only.
This connects to HN64's Cisco SD-WAN story (CVE-2026-20127), where Five Eyes agencies revealed years-long APT exploitation of network infrastructure without EDR coverage. The researcher behind CVE-2026-20079, Brandon Sakai, disclosed a similar FMC flaw last August. These appliances are living on the edge, literally and figuratively.
Keep in Mind
On-premises FMC is affected regardless of configuration. Cloud-delivered FMC is not affected. Management interfaces exposed to untrusted networks carry the highest risk. Multiple government CERTs have issued advisories. Update your stuff: a patch does you no good if it's not installed.
~Cipherceval
Nation-State - AI-Enhanced
APT36 "Vibeware" - AI Malware Assembly Line
Bitdefender documented APT36 (Pakistan-linked, aka Transparent Tribe) using AI coding tools to mass-produce malware variants across Nim, Zig, Crystal, Rust, Go, and .NET. They're calling it "Distributed Denial of Detection": flooding Indian government targets with disposable polyglot binaries to exhaust defensive engines rather than bypass them through sophistication.
The malware is objectively bad: one credential stealer had a placeholder instead of a C2 address, another reset its own timestamp every run. Classic AI output: syntactically correct, logically unfinished. But volume is the strategy. Even if 90% gets caught, the remaining 10% only needs to work once. And some does work: LuminousCookies successfully bypassed App-Bound Encryption to steal Chrome/Edge credentials via browser process injection.
C2 runs through Google Sheets, Slack, Discord, and Supabase, i.e. Living Off Trusted Services (LOTS). The pattern from HN63 and HN64 continues: AI isn't making attackers smarter per se, it's making them faster and harder to keep up with.
Things to Consider
Detection teams may want to broaden behavioral analysis beyond common runtimes to cover niche languages. Cloud-based C2 via legitimate services makes network detection harder; behavioral baselines for outbound API traffic are worth looking into.
~Cipherceval
CRITICAL - Actively Exploited Zero-Day
Google Android March 2026 - 129 Patches + Qualcomm Zero-Day
Google's March 2026 Android Security Bulletin patches 129 vulnerabilities, the highest count since April 2018. The headline is CVE-2026-21385, a memory corruption flaw in a Qualcomm display driver affecting 234 chipsets. Google says it's under "limited, targeted exploitation", which is the usual language for commercial spyware vendors (NSO Pegasus, Intellexa Predator ecosystem).
CISA added it to the KEV catalog on March 3 with a March 24 federal deadline. Also patched: CVE-2026-0006 (CVSS 9.8), remote code execution with no privileges and no user interaction required. That's as bad as it gets for any operating system.
The update splits across two patch levels (2026-03-01 and 2026-03-05). The Android fragmentation problem persists: Google releases patches, but manufacturers control when you get them. Pixel first, everyone else… weeks or months.
Worth Knowing
Check your patch level: Settings > About Phone > Software Updates. The 2026-03-05 level covers everything, including the Qualcomm zero-day. If you're on a Qualcomm device, which is the vast majority of Android phones, it's worth checking. Update your stuff.
~Cipherceval
Nation-State - Telecom Targeting
UAT-9244 / FamousSparrow - South American Telecoms
Cisco Talos documented UAT-9244, a China-linked APT targeting South American telecom providers since 2024 with three new malware families: TernDoor (Windows backdoor, SparrowDoor lineage via DLL side-loading), PeerTime (Linux P2P backdoor compiled for ARM/AARCH/PowerPC/MIPS, targeting embedded systems and edge devices without EDR), and BruteEntry (GoLang scanner turning compromised systems into Operational Relay Boxes/ORBs that brute-force Tomcat, Postgres, SSH).
Talos assesses high confidence overlap with FamousSparrow and Tropic Trooper. The Salt Typhoon question? Shared target profile, but no confirmed connection. That's responsible attribution. The combination of Windows, Linux, and edge-device compromise at the same time is what makes this dangerous: footholds on every layer make detection exponentially harder. Whoever controls the telecom backbone can surveil an entire country's communications.
Things to Consider
P2P C2 and ORB-style proxying complicate traditional IOC-based detection. Telecom-sector organizations may want to review Cisco Talos's published IOCs. Historical TTP correlation with FamousSparrow/Tropic Trooper provides additional detection opportunities.
~Cipherceval
Breach - Cloud Security Failure
LexisNexis Cloud Breach - "Lexis1234"
FulcrumSec breached LexisNexis Legal & Professional's AWS infrastructure on Feb 24 via React2Shell in an unpatched React frontend. Once inside, the ECS task role had read access to everything: production Redshift, 17 VPC databases, AWS Secrets Manager. The RDS master password? Lexis1234. Security by obscurity does not work, and neither does security by "I'll change the password later."
Exfiltrated: 3.9M database records, ~400K user profiles, 21K enterprise accounts, 53 plaintext AWS secrets, and 118 .gov accounts (federal judges, DOJ attorneys, SEC staff). LexisNexis says it's "mostly legacy, deprecated data from prior to 2020." But as FulcrumSec pointed out, which definition of "customer data" excludes 400,000 named individuals with email addresses and phone numbers?
Second breach in two years. The cover-up is always worse than the crime, but in this case, the crime itself is pretty rough.
Worth Knowing
Organizations with LexisNexis accounts may want to review their own exposure and monitor for targeted phishing. The fundamentals (least privilege, patch management, credential hygiene) remain the most impactful things any organization can do.
~Cipherceval
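As an added illustration of the least-privilege point in the LexisNexis story (this is not code from the page, from LexisNexis or from FulcrumSec), here is a small offline check that flags an ECS task-role policy granting sensitive read actions on every resource, with a constructed over-broad policy of the kind described next to a properly scoped one. The account id and secret name are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies (the real LexisNexis task-role policy was not
# published; the account id and secret name are placeholders).
BROAD_TASK_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "redshift:*", "rds:Describe*"],
        "Resource": "*",  # every secret and every cluster in the account
    }],
})

SCOPED_TASK_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:frontend/db-ro-*",
    }],
})

# Concrete actions that hand a compromised task data or credentials. A granted
# action may be a wildcard ("*", "redshift:*"), so each is matched as a glob.
SENSITIVE_READ_ACTIONS = (
    "secretsmanager:GetSecretValue",
    "redshift:GetClusterCredentials",
    "redshift-data:GetStatementResult",
    "rds-data:ExecuteStatement",
    "s3:GetObject",
)


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy_json):
    """Return (granted_action, sensitive_action) pairs allowed on Resource '*'.

    Only Allow statements with a literal '*' resource are considered; Deny
    statements, NotAction/NotResource and Condition blocks are not evaluated,
    so an empty result is a necessary check, not proof of least privilege.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for granted in _as_list(stmt.get("Action", [])):
            for sensitive in SENSITIVE_READ_ACTIONS:
                if fnmatchcase(sensitive, granted):
                    findings.append((granted, sensitive))
    return findings
```

Run against the broad policy it reports the Secrets Manager and Redshift grants; against the scoped policy it reports nothing.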
Key Takeaways
1. Network security appliances are high-value targets. The Cisco FMC vulnerabilities follow the same pattern as the SD-WAN disclosure. If the management plane is compromised, everything downstream is at risk.
2. AI is changing the economics of malware, not the sophistication. APT36's vibeware shows the real threat is volume. Detection teams may need to rethink approaches for floods of low-quality polyglot variants.
3. Mobile patching remains the ecosystem's Achilles' heel. 129 vulnerabilities, including an exploited Qualcomm zero-day across 234 chipsets. Google releases patches; manufacturers control the timeline.
4. Telecom targeting is not slowing down. UAT-9244 demonstrates continued investment in multi-platform compromise: Windows, Linux, and edge devices simultaneously. P2P C2 and ORB expansion make detection exceptionally difficult.
5. Cloud security basics still matter more than anything. The LexisNexis breach wasn't a zero-day; it was an unpatched app, an overly permissive IAM role, and a weak password. Fundamentals remain the most impactful defenses.
Watch/Listen to the Full Episode
Catch the full breakdown on YouTube, Spotify, or Apple Podcasts; search "Exploit Brokers by Forgebound Research."
Found this valuable? Forward it to someone who touches a computer.
Stay vigilant, stay curious, and update your stuff.
- Cipherceval / Forgebound Research