Cybersecurity Radar — 2026-03-27
A newly tracked **GlassWorm campaign** is evolving into a multi-stage data-theft and remote access framework, emerging as the most critical fresh threat this cycle. Simultaneously, CISA added a critical Langflow vulnerability (CVE-2026-33017) to its Known Exploited Vulnerabilities catalog as of March 25, and GitLab disclosed a severe WebAuthn 2FA bypass flaw. A Microsoft Teams vishing campaign and ransomware attack paralyzing a California city underscore the breadth of active threats.
Threat Alert
GlassWorm Campaign Evolves Into Multi-Stage Attack Framework
Cybersecurity researchers flagged a new evolution of the GlassWorm campaign, now delivering a sophisticated multi-stage framework capable of comprehensive data theft and installing remote access tools on compromised systems. The campaign targets browser environments and represents a significant escalation in threat actor capability. The full scope of victims is not yet confirmed, but the browser-centric delivery vector means a wide population of enterprise and consumer users is at risk.

Microsoft Teams Vishing Campaign Grants Attackers Remote Access
A Microsoft Teams-based vishing (voice phishing) campaign has been observed tricking employees into granting remote access to corporate systems using a legitimate Windows tool already present on their machines — requiring no malware download. This social engineering technique is particularly difficult to detect through traditional endpoint defenses. The attack highlights a growing trend of abusing trusted, native tools to bypass security controls.

Ransomware Paralyzes Foster City, California for Six Days
Foster City, California declared a state of emergency after ransomware paralyzed city networks for six days. The incident disrupted municipal services and forced emergency operations protocols. The attack is part of a continuing wave of ransomware targeting local government infrastructure, where patching cycles and budgets often lag behind the private sector.
Critical Vulnerabilities & Patches
CVE-2026-33017 — Langflow Remote Code Execution (CISA KEV, Added 2026-03-25)
CISA added CVE-2026-33017 affecting the Langflow AI workflow platform to its Known Exploited Vulnerabilities catalog on March 25, 2026, with a remediation due date of April 8, 2026. The vulnerability enables remote code execution and is confirmed to be actively exploited in the wild. Organizations using Langflow should treat this as a high-priority remediation item given the mandatory federal agency patching deadline.
- Severity: Critical
- Patch status: Patch available; federal agencies must remediate by April 8, 2026
CVE-2026-2745 — GitLab WebAuthn Two-Factor Authentication Bypass
GitLab has remediated a critical vulnerability in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1. The flaw could allow an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to accounts. Given how widely GitLab is deployed in software development pipelines, this vulnerability poses significant supply chain risk if left unpatched.
- Severity: Critical (authentication bypass)
- Affected versions: GitLab CE/EE from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1
- Patch status: Fixed in 18.8.7, 18.9.3, 18.10.1
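The affected range is three separate branch cut-offs, so a single "older than 18.10.1" comparison misclassifies hosts: 18.9.3 is fixed even though it sorts below 18.10.1. The following added example, which is not part of the original digest or of GitLab's tooling, triages a constructed inventory against those cut-offs; the hostnames are hypothetical, and releases newer than the 18.10 branch are assumed to carry the fix.

```python
import re

# Fixed patch level per branch, taken from the entry above.
FIXED = {(18, 8): 7, (18, 9): 3, (18, 10): 1}
FIRST_AFFECTED = (7, 11)          # earliest affected release per the entry
OLDEST_PATCHED_BRANCH = min(FIXED)


def parse_version(text):
    """Parse '18.9.2', 'v18.9.2-ee' or '18.10.0-ce.0' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(text):
    """True if the version falls inside the affected ranges listed above."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return False
    if branch in FIXED:
        return patch < FIXED[branch]
    # Branches older than 18.8 have no fixed release listed: affected.
    # Branches newer than 18.10 are assumed (not stated above) to be fixed.
    return branch < OLDEST_PATCHED_BRANCH


# Constructed inventory for illustration; hostnames are hypothetical.
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": "18.9.2-ee",
    "gitlab-dr.example.internal": "18.9.3-ee",
    "gitlab-lab.example.internal": "v17.4.1",
    "gitlab-edge.example.internal": "18.10.1-ce.0",
    "gitlab-old.example.internal": "18.8.6",
}


def triage(inventory):
    """Return the hosts that still need an upgrade, sorted by name."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UPGRADE {host} ({SAMPLE_INVENTORY[host]})")
```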
Apple Multiple Products — CISA KEV Entry (Added 2026-03-25)
CISA's March 25, 2026 update to the Known Exploited Vulnerabilities catalog also includes vulnerabilities listed under "Apple Multiple Products", alongside the Langflow entry. Exploitation is confirmed in the wild. Apple users and enterprise device managers should prioritize applying the latest Apple security updates immediately.
- Severity: High / Critical (per CISA KEV listing)
- Patch status: Apply latest Apple OS and app updates
Expert Analysis
Kaspersky MDR & IR Report 2026: Cyberattack Trends Defined by Speed and Stealth
Kaspersky's Global Security Services Report for 2026, published March 25, offers a detailed retrospective of cyberattack trends uncovered through its Managed Detection and Response (MDR) service and real-world Incident Response (IR) cases throughout 2025. The findings are sobering: attackers are moving faster, staying more covert, and increasingly targeting enterprise infrastructure rather than consumer endpoints.
The report arrives at a moment when the broader threat landscape is confirming its warnings. According to separate analysis from KnowBe4 (published March 25, 2026), the total count of publicly reported unique vulnerabilities is on track to exceed 100,000 in 2026, with zero-days being exploited at a faster pace than ever. Bright Defense's March 2026 statistics reinforce this: zero-day exploitation hit 90 confirmed cases in 2025 — up 15% year-over-year — with nearly half targeting enterprise infrastructure.
What makes the Kaspersky report particularly significant is its IR data: real-world case analysis showing the tactics and dwell times attackers use once inside enterprise networks. For defenders, the critical takeaway is that detection-and-response capability matters as much as perimeter defense. Organizations relying solely on preventative controls are being outpaced by threat actors who exploit the gap between vulnerability disclosure and patch deployment.
The report also reinforces a trend identified by Cybersecurity Dive this week: experts are warning against reflexively shifting security budgets to AI at the expense of foundational defensive measures that remain highly effective. Rushing to AI tools without maintaining robust patch management, MFA enforcement, and incident response readiness leaves organizations more exposed, not less.

Defense & Industry Updates
F5 Labs Weekly Threat Bulletin — March 25, 2026
F5 Labs published its weekly threat bulletin on March 25, 2026, covering the top active threats organizations should be tracking this week. The bulletin provides actionable threat intelligence covering network-layer attacks, application vulnerabilities, and emerging adversary tactics relevant to enterprise defenders. Organizations using F5 infrastructure should review this bulletin for current IoCs and recommended defensive configurations.

Expert Consensus: Don't Abandon Foundational Security for AI Hype
Cybersecurity Dive, reporting March 25, 2026, highlights a growing expert consensus warning businesses not to shift security budgets disproportionately toward AI tools at the expense of proven defensive measures. Security professionals stress that AI-powered defenses are supplements, not replacements, for rigorous patch management, employee security training, MFA enforcement, and incident response planning. Organizations tempted by vendor AI narratives are cautioned to audit whether foundational controls are solid before layering new technology on top.
Reader Action Items
- Patch Langflow immediately (CVE-2026-33017): CISA has confirmed active exploitation with a federal remediation deadline of April 8. Any internet-exposed or internally accessible Langflow instance should be patched or isolated today.
- Update GitLab to 18.8.7, 18.9.3, or 18.10.1: CVE-2026-2745 allows unauthenticated bypass of WebAuthn 2FA. Update immediately, especially if your GitLab instance handles CI/CD pipelines or sensitive source code.
- Apply the latest Apple security updates: CISA confirmed active exploitation of Apple product vulnerabilities added to the KEV catalog on March 25. Check for pending updates on all Apple devices in your fleet.
- Train employees to recognize Teams-based vishing: The Microsoft Teams vishing campaign requires no malware — just social engineering. Run awareness training specifically focused on remote access request scenarios and verify all remote access grants through out-of-band channels.
- Review your ransomware resilience posture: The Foster City ransomware incident is a reminder that local and regional organizations are high-value targets. Verify that offline backups are current, test your incident response playbook, and ensure RDP and VPN endpoints are not exposed without MFA.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.