Cyble CRIL tracked 1,641 vulnerabilities between March 4–10, 2026, with 175 having public PoC exploits and 200 rated critical under CVSS v3.1; CISA added multiple legacy and actively exploited flaws to its KEV catalog. High-impact issues include authentication bypasses and remote code execution in Juniper Junos, Cisco SD‑WAN, pac4j‑jwt, Qwik, IDC SFX, and several EV charging platforms, disproportionately impacting Energy and Transportation sectors. #JuniperJunos #CiscoSDWAN
Keypoints
- Cyble CRIL tracked 1,641 vulnerabilities for the week of March 4–10, 2026, with 175 public PoCs increasing exploitation risk.
- 200 vulnerabilities were rated critical under CVSS v3.1 (61 critical under CVSS v4.0), indicating a high volume of severe flaws.
- Top critical IT flaws include CVE-2026-21902 (Juniper Junos RCE/auth bypass), CVE-2026-20127 (Cisco SD‑WAN auth bypass), and CVE-2026-29000 (pac4j‑jwt token forgery).
- Multiple critical ICS/OT advisories (9 advisories covering 24 vulns) affect vendors such as Mobiliti, ePower, Everon, Labkotec, Mitsubishi Electric, Hitachi Energy, and Delta Electronics.
- CISA expanded its KEV catalog with legacy and actively exploited vulnerabilities (e.g., CVE-2021-22681, CVE-2017-7921), underscoring persistent real-world exploitation.
- Energy and Transportation sectors are heavily impacted (Energy appears in 62.5% of ICS cases), with EV charging ecosystems identified as a critical convergence point for IT/OT risks.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to exploit internet-exposed services for RCE and auth bypass in multiple products; (‘allowing unauthenticated attackers to send crafted requests and execute arbitrary code as root.’)
- [T1203] Exploitation for Client Execution – The report maps Qwik’s unsafe deserialization to this technique, although the vulnerable component is the server-side RPC handler rather than a client, so T1190 is the closer fit; (‘unsafe deserialization in Qwik’s server-side RPC mechanism… arbitrary code execution on the backend server.’)
- [T1552] Unsecured Credentials – Hardcoded and otherwise exposed credentials in devices allowed unauthorized access and remote command execution; (‘hardcoded credentials and unauthenticated remote code execution in IDC SFX Series Satellite Receivers.’)
- [T1550] Use Alternate Authentication Material – Forged pac4j-jwt tokens (authentication material the attacker never legitimately obtained) enabled impersonation of any user, including administrators; (‘allows attackers with access to a public key to forge authentication tokens and impersonate any user, including administrators.’)
- [T1021] Remote Services – Authentication bypass in Cisco SD‑WAN enabled administrative access that facilitated traffic manipulation and lateral movement across enterprise networks; (‘bypass peering authentication and gain administrative access… enables traffic manipulation, lateral movement, and persistent access’).
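Added example, not code from the Cyble report or from the pac4j project. The report's description of CVE-2026-29000 (forging tokens with nothing but the public key) is the signature of JWT algorithm confusion, where a verifier trusts the token's own `alg` header and ends up using an RSA public key as an HMAC secret; the block below assumes that pattern for illustration and does not claim to reproduce pac4j-jwt's actual code path. The RSA is a textbook toy (unpadded, deterministically seeded) so the demo runs on the Python standard library alone; the key text format, function names and tokens are all constructed here.

```python
import base64, hashlib, hmac, json, random


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- toy RSA: stands in for a real RS256 implementation so the demo needs no third-party library ---
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def toy_rsa_keypair(bits: int = 512, seed: int = 7):
    rng = random.Random(seed)                    # deterministic toy key; never seed real keys this way
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:              # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))          # (public, private)


def rsa_sign(priv, msg: bytes) -> bytes:
    n, d = priv
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")   # h < 2**256 < n, so no padding needed for the toy
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_verify(pub, msg: bytes, sig: bytes) -> bool:
    n, e = pub
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


def public_key_text(pub) -> str:
    """Constructed key blob: the public key as the text a client (or attacker) downloads from the server."""
    n, e = pub
    return "-----BEGIN PUBLIC KEY-----\n" + b64url_encode(f"{n}:{e}".encode()) + "\n-----END PUBLIC KEY-----\n"


def parse_public_key_text(blob: str):
    n, e = b64url_decode(blob.strip().splitlines()[1]).decode().split(":")
    return int(n), int(e)


def encode_jwt(header: dict, claims: dict, signer) -> str:
    dump = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    return signing_input + "." + b64url_encode(signer(signing_input.encode()))


def split_jwt(token: str):
    h, c, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), (h + "." + c).encode(), b64url_decode(s)


def verify_vulnerable(token: str, key_blob: str):
    """Trusts the token's own 'alg': the RSA public key text doubles as an HMAC secret for HS256 tokens."""
    header, claims, signing_input, sig = split_jwt(token)
    if header.get("alg") == "RS256":
        ok = rsa_verify(parse_public_key_text(key_blob), signing_input, sig)
    elif header.get("alg") == "HS256":
        ok = hmac.compare_digest(hmac.new(key_blob.encode(), signing_input, hashlib.sha256).digest(), sig)
    else:
        ok = False
    return claims if ok else None


def verify_fixed(token: str, key_blob: str, expected_alg: str = "RS256"):
    """The accepted algorithm is server configuration; a public key is only ever used for RS256 verification."""
    header, claims, signing_input, sig = split_jwt(token)
    if header.get("alg") != expected_alg or expected_alg != "RS256":
        return None                              # an HMAC mode would need its own dedicated secret
    return claims if rsa_verify(parse_public_key_text(key_blob), signing_input, sig) else None


def demo() -> dict:
    pub, priv = toy_rsa_keypair()
    blob = public_key_text(pub)
    legit = encode_jwt({"alg": "RS256", "typ": "JWT"}, {"sub": "alice", "role": "user"},
                       lambda m: rsa_sign(priv, m))
    # Attacker: knows only the published key text, mints an HS256 token keyed with it.
    forged = encode_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "admin", "role": "admin"},
                        lambda m: hmac.new(blob.encode(), m, hashlib.sha256).digest())
    return {"legit_vulnerable": verify_vulnerable(legit, blob), "legit_fixed": verify_fixed(legit, blob),
            "forged_vulnerable": verify_vulnerable(forged, blob), "forged_fixed": verify_fixed(forged, blob)}


if __name__ == "__main__":
    print(demo())
```

The vulnerable verifier accepts the forged `admin` token because the attacker and the server derive the same HMAC key from the same public key text; the fixed verifier rejects it before any cryptography runs, since the algorithm it will honour is pinned in configuration rather than read from attacker-controlled input. When auditing a JWT library, the check to make is exactly this: does the verification call take the algorithm from the caller, or from the token?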
Indicators of Compromise
- [CVE] Tracked vulnerability identifiers cited in the report – CVE-2026-21902, CVE-2026-20127, and other CVEs such as CVE-2026-26051 and CVE-2026-22552 (and additional CVEs referenced throughout).
- [Product/System] Affected products and infrastructure referenced as targets – Juniper Junos OS, Cisco SD‑WAN controllers, and EV charging platforms such as Mobiliti and ePower.
- [Advisories/KEV] Public advisories and known exploited entries used as context for active exploitation – CISA KEV entries including CVE-2021-22681 and CVE-2017-7921, plus publicly available PoCs and underground forum discussions.
Read more: https://cyble.com/blog/cyble-weekly-vulnerabilities-report-mar-19/