Previous brief: Cyber Threat Brief — March 20 2026
Threat count: 3 qualifying threats (1 new CVE, 2 CISA KEV additions)
Key highlights:
- CVE-2026-33017 (Langflow): Critical (CVSS 9.3) unauthenticated RCE in the popular AI pipeline platform. Exploited in the wild within 20 hours of advisory publication on March 17 — Sysdig observed 6 unique attacker IPs conducting multi-phase exploitation including credential harvesting and data exfiltration. C2 infrastructure identified at 173.212.205[.]251:8443.
- CISA KEV — March 20 additions: Five CVEs added to the Known Exploited Vulnerabilities catalog, of which two have high enterprise detection value: Craft CMS unauthenticated RCE (CVE-2025-32432, CVSS 10.0) and Laravel Livewire RCE (CVE-2025-54068, CVSS 9.2). Three Apple client-side CVEs also added but excluded from detailed coverage due to limited enterprise log source applicability.
1. CVE-2026-33017: Langflow Unauthenticated RCE — Exploited Within 20 Hours of Disclosure
Summary
A critical unauthenticated remote code execution vulnerability in Langflow, an open-source AI pipeline orchestration platform, was disclosed on March 17, 2026 and exploited in the wild within 20 hours. The vulnerability (CVSS 9.3) stems from a missing authentication check on the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint combined with direct code injection via exec() with no sandboxing. Langflow is widely deployed for building LLM-powered applications and RAG pipelines, making this particularly impactful for organizations running AI/ML infrastructure. All versions through 1.8.1 are affected. Sysdig’s Threat Research Team observed automated exploitation from 6 unique source IPs within 48 hours, progressing through mass scanning, active reconnaissance, and data exfiltration phases — all without a public PoC existing at the time.
What’s New (Last 24 Hours)
- Sysdig published detailed analysis on March 20 documenting three distinct exploitation phases observed in honeypots
- Phase 1: Mass scanning from 4 coordinated IPs delivering identical payloads (automated tooling)
- Phase 2: Active reconnaissance from a different IP using pre-staged infrastructure and custom Python exploit scripts
- Phase 3: Data exfiltration from a sixth IP address, targeting /etc/passwd, environment variables, .env files, database configurations, and cloud credentials
- C2 server confirmed at 173.212.205[.]251:8443 receiving exfiltrated data from phases 2 and 3
- No public PoC exists — attackers reverse-engineered working exploits from the advisory description alone
- Callback infrastructure observed using oastify.com, interact.sh, and dnslog.cn for initial validation
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| POST /api/v1/build_public_tmp/{flow_id}/flow with data parameter | Network / Exploit | T1190 – Exploit Public-Facing Application | Web server access logs, WAF logs | Alert on POST requests to this endpoint containing a data parameter from external sources |
| C2 IP 173.212.205[.]251:8443 | IOC / Network | T1071.001 – Web Protocols | Firewall logs, proxy logs, NetFlow | Block and alert on outbound connections to this IP:port |
| Outbound connections to oastify.com, interact.sh, dnslog.cn | IOC / Network | T1071.001 – Web Protocols | DNS logs, proxy logs | Alert on DNS queries or HTTP requests to these callback validation services from server infrastructure |
| Python exec() execution of attacker-controlled code in Langflow worker processes | TTP / Execution | T1059.006 – Python | EDR process telemetry, application logs | Monitor Langflow worker processes for unexpected child process spawning |
| Credential harvesting of .env files, database configs, cloud credentials | TTP / Collection | T1552.001 – Credentials In Files | File access monitoring, EDR | Monitor for bulk reads of .env and configuration files from Langflow process context |
| Custom Python dropper scripts staged on attacker infrastructure | TTP / Execution | T1059.006 – Python | EDR, Sysmon | Alert on Python scripts downloaded and executed by Langflow processes |
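The endpoint row and the two network IOC rows of the table above, worked as a small detection pass over log lines. This is an added example, not part of the brief or of Sysdig's published analysis: the log lines are constructed, the log formats (combined access log, key=value egress records) are assumptions, and "external" is decided by RFC 1918 membership so that the documentation-range sample addresses count as external.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed web server access log lines in combined format (not real traffic).
ACCESS_LOG = """\
203.0.113.10 - - [20/Mar/2026:10:01:12 +0000] "POST /api/v1/build_public_tmp/3f2a-flow/flow HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [20/Mar/2026:10:02:01 +0000] "GET /api/v1/flows HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2026:10:03:44 +0000] "POST /api/v1/build_public_tmp/abc/flow HTTP/1.1" 500 77 "-" "curl/8.4"
10.0.0.9 - - [20/Mar/2026:10:04:00 +0000] "POST /api/v1/build_public_tmp/def/flow HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
# Constructed firewall / DNS egress records as key=value pairs (not real traffic).
EGRESS_LOG = """\
src=10.0.0.21 dst=173.212.205.251 dport=8443 proto=tcp
src=10.0.0.21 dst=151.101.1.69 dport=443 proto=tcp
src=10.0.0.22 query=abc123.oastify.com
src=10.0.0.22 query=registry.npmjs.org
"""

ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LANGFLOW_BUILD_PATH = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow$")  # {flow_id} is the middle segment
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918
# IOCs from the brief; the C2 address is the defanged 173.212.205[.]251:8443 written back as an IP.
C2_SOCKETS = {("173.212.205.251", 8443)}
CALLBACK_DOMAINS = ("oastify.com", "interact.sh", "dnslog.cn")

def flag_langflow_requests(access_log):
    """Return (src, path, status) for POSTs to the unauthenticated build endpoint from external IPs."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or not LANGFLOW_BUILD_PATH.match(m["path"].split("?", 1)[0]):
            continue
        if any(ip_address(m["src"]) in net for net in INTERNAL_NETS):
            continue  # internal callers may be legitimate; the observed campaign came from external scanners
        hits.append((m["src"], m["path"], int(m["status"])))
    return hits

def flag_egress(egress_log):
    """Return ("c2" | "callback", src, indicator) for traffic to the C2 socket or the callback domains."""
    hits = []
    for line in egress_log.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        if (f.get("dst"), int(f.get("dport", 0))) in C2_SOCKETS:
            hits.append(("c2", f["src"], f"{f['dst']}:{f['dport']}"))
        q = f.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in CALLBACK_DOMAINS):
            hits.append(("callback", f["src"], q))
    return hits
```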
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059.006 – Command and Scripting Interpreter: Python |
| Credential Access | T1552.001 – Unsecured Credentials: Credentials In Files |
| Collection | T1005 – Data from Local System |
| Command and Control | T1071.001 – Application Layer Protocol: Web Protocols |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
Sources
2. CVE-2025-32432: Craft CMS Unauthenticated RCE — Added to CISA KEV March 20
Summary
CISA added CVE-2025-32432 to the Known Exploited Vulnerabilities catalog on March 20, 2026, confirming active exploitation of this critical (CVSS 10.0) unauthenticated remote code execution vulnerability in Craft CMS. The flaw stems from improper handling of untrusted input in the image transformation endpoint, allowing attackers to achieve RCE through a three-stage attack: session file poisoning with malicious PHP, a __class bypass in the image transform endpoint to load the PhpManager gadget, and execution of the poisoned session file. Craft CMS is a widely deployed PHP content management system. All versions from 3.0.0-RC1 through 5.6.16 are affected. The vulnerability was originally disclosed and patched in April 2025, but CISA’s KEV addition confirms ongoing exploitation against unpatched instances.
What’s New (Last 24 Hours)
- CISA added CVE-2025-32432 to the KEV catalog on March 20, 2026, confirming active exploitation
- Federal agencies must remediate by the BOD 22-01 deadline (typically 3 weeks from addition)
- The three-stage exploit chain is well-documented and multiple PoCs exist publicly
- Hundreds of servers were previously reported as compromised; KEV addition signals continued or renewed campaign activity
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| POST requests to actions/assets/generate-transform containing __class in body | Network / Exploit | T1190 – Exploit Public-Facing Application | WAF logs, web server access logs | Alert on POST requests to this endpoint with __class string in request body |
| PHP session file writes containing attacker payloads | TTP / Persistence | T1505.003 – Web Shell | File integrity monitoring, EDR | Monitor storage/runtime/sessions/ directory for anomalous PHP content in session files |
| Unexpected PHP execution from session storage directories | TTP / Execution | T1059.004 – Unix Shell | EDR process telemetry | Alert on PHP process spawning from session storage paths |
| Outbound connections from Craft CMS web workers post-exploitation | Network | T1071.001 – Web Protocols | Firewall logs, proxy logs | Baseline and alert on anomalous outbound connections from CMS server processes |
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059.004 – Command and Scripting Interpreter: Unix Shell |
| Persistence | T1505.003 – Server Software Component: Web Shell |
| Defense Evasion | T1036 – Masquerading (polyglot session file) |
Sources
3. CVE-2025-54068: Laravel Livewire Unauthenticated RCE — Added to CISA KEV March 20
Summary
CISA added CVE-2025-54068 to the Known Exploited Vulnerabilities catalog on March 20, 2026, confirming active exploitation of this critical (CVSS 9.2) unauthenticated remote code execution vulnerability in Livewire, a widely used full-stack framework for Laravel. The vulnerability lies in Livewire v3’s component property hydration mechanism — during the hydration process that synchronizes client-side state with server-side properties, a crafted update payload bypasses validation and sanitization, causing the framework to interpret untrusted input as executable code. Attackers inject malicious objects using GuzzleHttp\Psr7\FnStream and __destruct magic methods to trigger RCE. Livewire v3 powers potentially millions of Laravel applications. All versions from 3.0.0-beta.1 through 3.6.3 are affected. The vulnerability was originally disclosed in July 2025 and patched in version 3.6.4, but the KEV addition confirms unpatched instances remain under active attack.
What’s New (Last 24 Hours)
- CISA added CVE-2025-54068 to the KEV catalog on March 20, 2026, confirming active exploitation
- Federal agencies must remediate per BOD 22-01 deadline
- Public PoC code is available demonstrating the hydration bypass and GuzzleHttp gadget chain
- No authentication or knowledge of the application’s APP_KEY is required; the flaw bypasses the APP_KEY protection entirely
- The vulnerability is unique to Livewire v3 and does not affect v1 or v2
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Livewire HTTP update requests containing GuzzleHttp\Psr7\FnStream class references | Network / Exploit | T1190 – Exploit Public-Facing Application | WAF logs, web server logs | Alert on Livewire update POST requests containing serialized PHP object references to GuzzleHttp or FnStream |
| Malformed synthetic tuples in Livewire component update payloads | Network / Exploit | T1190 – Exploit Public-Facing Application | WAF logs, application logs | Inspect Livewire /livewire/update endpoint for anomalous property update payloads |
| PHP __destruct magic method execution chains from web context | TTP / Execution | T1059.004 – Unix Shell | EDR, application logs | Monitor for unexpected process spawning from PHP-FPM or Apache/Nginx worker processes serving Laravel apps |
| POST requests to /livewire/update with oversized or unusual payloads | Network | T1190 – Exploit Public-Facing Application | WAF, web proxy | Baseline normal Livewire update payload sizes and alert on anomalies |
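The request-body rows of this table and of the Craft CMS table in section 2 (the __class string on actions/assets/generate-transform, GuzzleHttp/FnStream references in /livewire/update posts, and the payload-size baseline), worked as one detection pass over WAF records. This is an added example, not code from the brief or from either project: the records are constructed, their field names (src, method, path, bytes, body) are an assumed WAF export shape, and the "4x median" threshold is an illustrative baseline choice.

```python
from statistics import median
# Constructed WAF records (not real traffic), shaped like the fields most WAFs and
# reverse proxies log: client IP, method, full request path, body size and body.
WAF_EVENTS = [
    {"src": "203.0.113.44", "method": "POST", "bytes": 120,
     "path": "/index.php?p=admin/actions/assets/generate-transform",
     "body": "assetId=1&handle[__class]=PLACEHOLDER_GADGET"},
    {"src": "10.0.0.8", "method": "POST", "bytes": 96,
     "path": "/index.php?p=admin/actions/assets/generate-transform",
     "body": "assetId=7&handle[width]=400&handle[height]=300"},
    {"src": "198.51.100.9", "method": "POST", "bytes": 9800, "path": "/livewire/update",
     "body": '{"updates":{"title":"GuzzleHttp\\\\Psr7\\\\FnStream"}}'},
    {"src": "10.0.0.31", "method": "POST", "bytes": 812, "path": "/livewire/update",
     "body": '{"updates":{"count":3}}'},
    {"src": "10.0.0.32", "method": "POST", "bytes": 790, "path": "/livewire/update",
     "body": '{"updates":{"count":4}}'},
    {"src": "10.0.0.33", "method": "POST", "bytes": 845, "path": "/livewire/update",
     "body": '{"updates":{"search":"laptop"}}'},
    {"src": "198.51.100.23", "method": "POST", "bytes": 6000, "path": "/livewire/update",
     "body": '{"updates":{"notes":"' + "A" * 5900 + '"}}'},
]

CRAFT_ENDPOINT = "actions/assets/generate-transform"  # substring match: Craft also routes it via ?p=
LIVEWIRE_ENDPOINT = "/livewire/update"
LIVEWIRE_GADGET_MARKERS = ("guzzlehttp", "fnstream")  # class names from the gadget chain in the brief

def livewire_size_threshold(events, factor=4):
    """Baseline for the 'oversized payload' row: factor x the median body size of
    /livewire/update POSTs. The median tolerates a few malicious outliers in the sample."""
    sizes = [e["bytes"] for e in events
             if e["method"] == "POST" and e["path"].split("?")[0] == LIVEWIRE_ENDPOINT]
    return factor * median(sizes) if sizes else None

def detect(events):
    """Return (rule, source IP) alerts for the Craft CMS and Livewire indicators."""
    alerts = []
    threshold = livewire_size_threshold(events)
    for e in events:
        if e["method"] != "POST":
            continue
        body = e.get("body", "")
        if CRAFT_ENDPOINT in e["path"] and "__class" in body:
            alerts.append(("CVE-2025-32432", e["src"]))
        if e["path"].split("?")[0] == LIVEWIRE_ENDPOINT:
            if any(marker in body.lower() for marker in LIVEWIRE_GADGET_MARKERS):
                alerts.append(("CVE-2025-54068", e["src"]))
            elif threshold is not None and e["bytes"] > threshold:
                alerts.append(("livewire-oversized-payload", e["src"]))
    return alerts
```

In production the baseline should come from a history window of known-good traffic rather than from the same batch being inspected, otherwise a flood of exploit attempts raises the threshold against itself.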
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059.004 – Command and Scripting Interpreter: Unix Shell |
| Persistence | T1505.003 – Server Software Component: Web Shell (potential post-exploitation) |
| Defense Evasion | T1055 – Process Injection (PHP object injection via deserialization) |
Sources
CISA KEV Update — March 20, 2026
CISA added five vulnerabilities to the Known Exploited Vulnerabilities catalog on March 20, 2026. Two are covered in detail above (CVE-2025-32432, CVE-2025-54068). The remaining three are Apple client-side vulnerabilities with limited enterprise detection applicability:
- CVE-2025-31277 — Apple Multiple Products Buffer Overflow
- CVE-2025-43510 — Apple Multiple Products Improper Locking
- CVE-2025-43520 — Apple Multiple Products Classic Buffer Overflow
Recommended action: Ensure Apple device fleet is patched to the latest OS versions via MDM. These are client-side memory corruption bugs — detection is primarily through endpoint patch compliance monitoring rather than network-based signatures.
Previously Covered — Status Updates
- CVE-2026-20131 (Cisco FMC): A public PoC repository appeared on GitHub (p3Nt3st3r-sTAr/CVE-2026-20131-POC). Organizations with unpatched Cisco FMC instances should assume increased exploitation risk. See March 19 brief for full coverage.
- PolyShell (Magento): No significant new developments since yesterday’s coverage. Exploit continues to circulate; no production patch available. See March 20 brief.