Cybersecurity Radar — 2026-03-25
This week's most critical developments include the emergence of the **DarkSword iOS exploit chain**, a six-vulnerability zero-day kit enabling full device takeover across multiple countries, and the active exploitation of **CVE-2026-20131**, a perfect CVSS 10.0 flaw in Cisco FMC being weaponized by Interlock ransomware. A CISA Emergency Directive is also forcing federal agencies to act immediately on two SD-WAN vulnerabilities. Enterprise threat surfaces continue to expand as ransomware groups accelerate targeting cadence and AI-driven attack vectors mature.
🔴 Critical Incidents & Breaches
DarkSword iOS Exploit Kit Confirmed in Active Campaigns
A sophisticated iOS exploit toolkit dubbed DarkSword has been confirmed as actively deployed in the wild, using a chain of six flaws — including three zero-days — to achieve full device takeover on iOS versions 18.4 through 18.7. The kit has been tied to threat actors UNC6748, PARS Defense, and Russian group UNC6353, enabling rapid data theft from iPhones across at least four countries.

The attack is notable for targeting high-value individuals and government entities, with the exploit chain bypassing modern iOS mitigations entirely. No patch has yet been issued for the three zero-days.
Interlock Ransomware Exploits Cisco FMC Zero-Day (CVE-2026-20131) for Root Access
The Interlock ransomware group has been observed actively exploiting CVE-2026-20131, a critical insecure deserialization flaw in Cisco Firepower Management Center (FMC). The vulnerability carries a CVSS score of 10.0 — the maximum possible — and allows an unauthenticated remote attacker to bypass authentication and execute arbitrary Java code, effectively granting root access to affected systems.

The exploitation has been confirmed in the wild, with Interlock actors using the vulnerability as an initial access vector before deploying ransomware payloads. Organizations running Cisco FMC should treat this as an emergency and prioritize patching or isolation immediately.
Trio-Tech International Ransomware Breach — Stolen Data Published
US chip testing firm Trio-Tech International initially downplayed a ransomware attack, stating it wasn't "material" — but threat actors subsequently published stolen data, escalating the incident. The company's initial minimization of the breach now appears premature, as the data leak poses significant supply chain and intellectual property risks given Trio-Tech's role in semiconductor testing.

The incident underscores the increasing danger of underestimating ransomware intrusions: even when attackers appear to retreat, exfiltrated data can be weaponized long after the initial compromise.
🛡️ Vulnerability Alerts
CISA Emergency Directive 26-03 — SD-WAN Vulnerabilities (CVE-2026-20127 & CVE-2022-20775)
CISA has issued Emergency Directive 26-03, requiring all federal agencies to immediately inventory their SD-WAN systems, apply available mitigations, and assess for compromise related to CVE-2026-20127 and CVE-2022-20775. The directive signals active exploitation of SD-WAN infrastructure and elevated risk to government networks.
Federal civilian agencies face strict compliance deadlines. Non-federal organizations operating SD-WAN products should treat this as a high-urgency signal.
CVE-2026-27183 — OpenClaw Dispatch-Wrapper Shell Approval Bypass
A newly published vulnerability, CVE-2026-27183, affects OpenClaw versions and involves a bypass in the system.run dispatch-wrapper handling. The flaw allows attackers to skip shell wrapper approval requirements by circumventing the approval classifier and execution planner. Published March 23, 2026, this vulnerability enables potentially unauthorized command execution in affected environments.
Patch status is not yet confirmed. Administrators should monitor NVD for updates.
32% of Top-Exploited Vulnerabilities Are Over a Decade Old
A new report published March 24, 2026 reveals that enterprise vulnerability exploitation is accelerating, with a striking finding: 32% of the most commonly exploited vulnerabilities are over 10 years old. This is compounded by surging ransomware activity, MFA-bypass attacks, email-based threats, and growing AI-driven risks.

The data points to a persistent remediation gap: organizations continue to leave well-known, long-patched vulnerabilities unaddressed, giving threat actors easy footholds without needing novel exploits.
📊 Threat Landscape Analysis
The incidents and vulnerabilities from the past 24 hours reveal several converging threat trends:
1. Mobile is now a primary attack surface. DarkSword's six-vulnerability iOS chain demonstrates that nation-state actors have heavily invested in mobile device exploitation. The use of three zero-days in a single kill chain signals a level of capability previously rare outside top-tier APT groups. With iOS 18.4–18.7 affected, this is not a legacy-device problem.
2. Ransomware groups are chasing critical infrastructure access vectors. Interlock's use of a CVSS 10.0 Cisco FMC zero-day (CVE-2026-20131) shows ransomware gangs are no longer purely opportunistic — they are actively hunting for firewall and network management platform flaws to maximize blast radius. The Trio-Tech incident reinforces this pattern in the semiconductor supply chain.
3. Legacy vulnerabilities remain the silent majority of exploitation. The finding that 32% of exploited vulnerabilities are over 10 years old, combined with CISA's SD-WAN emergency directive, reveals a systemic patching dysfunction across both public and private sectors. Attackers are rationally exploiting low-cost, well-understood vulnerabilities rather than burning expensive zero-days.
4. SD-WAN and network infrastructure are under active attack. CISA's Emergency Directive 26-03 specifically targets SD-WAN systems, a class of infrastructure that was widely deployed during the remote-work wave and has not received proportionate security scrutiny.
Industries most targeted this cycle: Semiconductor/chip manufacturing (Trio-Tech), government/defense (DarkSword, CISA directive), and enterprise networks broadly (Cisco FMC, SD-WAN).
⚡ Action Items for Defenders
- Patch or isolate Cisco FMC systems immediately. CVE-2026-20131 has a CVSS score of 10.0 and is being actively exploited by Interlock ransomware. If patching is not immediately possible, isolate affected FMC instances from untrusted networks and restrict management plane access.
- Comply with CISA Emergency Directive 26-03 — even if you're not a federal agency. Inventory all SD-WAN systems and apply available mitigations for CVE-2026-20127 and CVE-2022-20775. Conduct compromise assessments on SD-WAN infrastructure given active exploitation signals.
- Audit and patch your backlog of legacy vulnerabilities. Given that 32% of exploited vulnerabilities are over 10 years old, run a prioritized scan to identify and remediate CVEs older than 5 years that remain unpatched in your environment. Use CISA's Known Exploited Vulnerabilities catalog as your triage guide.
- Evaluate iOS device posture for iOS 18.4–18.7. DarkSword targets these specific iOS versions with three unpatched zero-days. High-value targets (executives, government users, legal teams) should consider emergency mobile device management (MDM) controls, network monitoring for unusual exfiltration patterns, and readiness to isolate devices pending an Apple patch.
- Review incident disclosure procedures. The Trio-Tech situation demonstrates the reputational and operational risk of downplaying ransomware incidents. Organizations should ensure their incident response playbooks include clear criteria for materiality assessment and proactive stakeholder communication before threat actors publish stolen data.
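The legacy-backlog action item above (triage by age, with the KEV catalog as the guide) can be turned into a small prioritizer. This is an added example written for this digest, not code from Cybersecurity Radar or CISA; the catalog entries below are constructed and only mirror the field names of the real KEV JSON feed, and the 2014/2020/2025 CVE ids are placeholders.

```python
"""Prioritize an unpatched-CVE backlog against a KEV-style catalog.

Added example for the digest's legacy-vulnerability action item; not
code from Cybersecurity Radar or CISA. KEV_CATALOG is a CONSTRUCTED
subset that only copies the field names of the real CISA KEV feed.
"""
import re
from datetime import date

AS_OF = date(2026, 3, 25)   # the digest's publication date
LEGACY_YEARS = 5            # the digest's "older than 5 years" cutoff
CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed entries: the 2026/2022 ids are named in the digest, the
# 2014 id is a placeholder that stands in for a long-overdue KEV entry.
KEV_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-2026-20131", "dateAdded": "2026-03-24",
     "dueDate": "2026-03-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-20775", "dateAdded": "2026-03-23",
     "dueDate": "2026-03-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2014-99999", "dateAdded": "2022-01-10",
     "dueDate": "2022-07-10", "knownRansomwareCampaignUse": "Unknown"},
]}


def cve_age_years(cve_id, as_of=AS_OF):
    """Years since the CVE's assignment year, read from the id itself."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id}")
    return as_of.year - int(m.group(1))


def triage(inventory, kev=KEV_CATALOG, as_of=AS_OF):
    """Return rows sorted P1..P4; within a tier, earliest KEV due date first."""
    kev_by_id = {v["cveID"]: v for v in kev["vulnerabilities"]}
    rows = []
    for cve in inventory:
        entry, age = kev_by_id.get(cve), cve_age_years(cve, as_of)
        if entry and entry.get("knownRansomwareCampaignUse") == "Known":
            tier = "P1"      # exploited AND used by ransomware: emergency
        elif entry:
            tier = "P2"      # in KEV: exploitation confirmed in the wild
        elif age >= LEGACY_YEARS:
            tier = "P3"      # the legacy backlog the 32% figure points at
        else:
            tier = "P4"      # recent, no exploitation evidence yet
        rows.append({"cve": cve, "tier": tier, "age_years": age,
                     "kev_due": entry["dueDate"] if entry else None})
    # "P1" < "P2" as strings, so the tier label itself orders the tiers.
    rows.sort(key=lambda r: (r["tier"], r["kev_due"] or "9999-12-31",
                             -r["age_years"]))
    return rows
```

Point the real KEV feed at `kev=` and your scanner's CVE list at `inventory` to get the same ordering over live data.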
👀 What to Watch Next
1. Apple's response to DarkSword zero-days. With three unpatched iOS zero-days actively exploited across four countries by multiple threat actors, an out-of-band Apple security update is likely imminent. Watch for an emergency iOS update targeting CVEs tied to the DarkSword chain — and deploy it immediately upon release.
2. Cisco FMC patch release timeline for CVE-2026-20131. Cisco has not yet issued a public patch for this CVSS 10.0 zero-day as of press time. Monitor Cisco's PSIRT channel for an emergency advisory. Expect the patch to arrive within days given the severity and active exploitation.
3. Escalation of ransomware attacks on semiconductor supply chain. The Trio-Tech breach may be the first visible incident in a broader campaign targeting chip testing and semiconductor manufacturing firms. Watch for similar incidents at other firms in the semiconductor ecosystem, particularly those with connections to defense or export-controlled technology.
Cybersecurity Radar is published daily. All information is sourced from verified research results and public disclosures. Verify critical details directly with linked sources before taking action.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.