Security Check-in Quick Hits: Trivy Supply Chain Breach, Oracle Critical RCE, Cisco Firewall Zero-Day Ransomware Exploits, and CISA KEV Updates Rock the Cybersecurity World

For March 22, 2026

Trivy Vulnerability Scanner Hit by Sophisticated Supply-Chain Attack

A major supply-chain breach targeted the popular open-source Trivy vulnerability scanner and its GitHub Actions. Threat actors (tracked as TeamPCP/DeadCatx3) used stolen credentials from an earlier March 2026 incident to force-push malicious commits across 75 of 76 version tags in the aquasecurity/trivy-action repository. They replaced the entrypoint.sh script and trojanized Trivy v0.69.4 binaries with an infostealer.

The malware scans for credentials (SSH keys, cloud tokens, database configs, Terraform/Jenkins files, crypto wallets), exfiltrates data to a typosquatted C2 server (scan.aquasecurtiy[.]org) or a victim-created GitHub repo, and installs persistent systemd Python payloads. It even parses GitHub Actions runner memory for secrets. Over 10,000 workflows rely on these actions, creating massive blast radius for CI/CD pipeline compromises. The malicious release lived for ~3 hours; tags were active up to 12 hours.

Impact: Full environment compromise—attackers could pivot to cloud accounts, Kubernetes clusters, and internal systems. Organizations using affected tags or v0.69.4 should assume breach.

Action now: Rotate all secrets immediately, audit systems for the tpcp.tar.gz artifact or sysmon.py payload, and rebuild pipelines from clean sources. Aqua Security recommends treating environments as fully compromised.

Oracle Drops Out-of-Band Patch for Critical Unauthenticated RCE (CVE-2026-21992)

Oracle issued an urgent Security Alert for CVE-2026-21992—a critical (CVSS 9.8) remote code execution flaw in Oracle Identity Manager and Oracle Web Services Manager (Fusion Middleware components). The unauthenticated, network-based vulnerability requires zero user interaction or privileges and can be triggered via HTTP access to exposed REST Web Services or Web Services Security endpoints.

Impact: High confidentiality, integrity, and availability compromise—full system takeover possible in internet-facing deployments.

Affected: Versions 12.2.1.4.0 and 14.1.2.1.0 (both products). Patches are live via My Oracle Support (KB878741); the alert was updated March 20, 2026.

Action now: Patch immediately—especially external instances. Unsupported versions should be upgraded. Prioritize reviewing and restricting access to the vulnerable endpoints.

Cisco Secure Firewall Management Center Zero-Day (CVE-2026-20131) Actively Exploited in Ransomware

Cisco’s Secure Firewall Management Center (FMC) Software and Security Cloud Control (SCC) are under active attack via CVE-2026-20131—a critical deserialization of untrusted data flaw (CWE-502) in the web management interface. Unauthenticated remote attackers send crafted Java objects to achieve root-level arbitrary code execution.

CISA added it to the KEV catalog due to confirmed ransomware use. Attackers compromise perimeter management consoles to map networks, exfiltrate data, and deploy encryption payloads.

Impact: Total control of firewall policies and deep network pivots—devastating for enterprise defenses.

Deadline: Federal agencies must remediate by March 22, 2026.

Action now: Apply Cisco’s patches immediately. If patching is delayed, restrict or disable web management interface access. CISA and Cisco strongly urge all organizations to prioritize this in vulnerability management programs.

CISA Adds Actively Exploited Flaws to KEV Catalog—Including Critical Craft CMS and Apple DarkSword Zero-Days

CISA updated its Known Exploited Vulnerabilities catalog with five new entries under active exploitation. Highlights include a Craft CMS bug scored CVSS 10.0 and Apple zero-days tied to the sophisticated DarkSword iOS malware campaign (one tracked as CVE-2025-32432).

Federal agencies have until April 3, 2026, to patch. These additions signal real-world exploitation chains targeting content management systems and mobile devices.

Impact: Immediate risk to unpatched federal and enterprise systems; DarkSword has used multiple zero-days since 2025 for targeted iOS attacks.

Action now: Check your Craft CMS, Apple devices, and related systems against CISA’s catalog. Apply patches urgently and monitor for exploitation indicators.

These stories dominated X conversations because they highlight ongoing supply-chain risks, the speed of zero-day weaponization in ransomware, and the need for rapid patching. Stay vigilant—rotate secrets, patch aggressively, and monitor CISA alerts. Follow verified cybersecurity accounts for real-time updates, and consider enabling multi-factor authentication everywhere. What issue are you tackling first in your environment?