DNS Security Guidance Update From NIST; Trivy Supply Chain Compromises Continue; Update Oracle Identity Manager and Web Services Manager to Fix Critical Flaw

The US National Institute of Standards and Technology (NIST) has updated its guidance for Domain Name System (DNS) security. The document, Secure Domain Name System (DNS) Deployment Guide, was last updated in 2013. The preface acknowledges that "since the previous version was published, the ways in which DNS is used and deployed have changed significantly, and this revision provides an updated set of discussions and recommendations for securing modern DNS deployments." The guidance offers five "high-level recommendations": employ protective DNS wherever technically feasible to provide additional networkwide security capabilities; encrypt internal and external DNS traffic wherever feasible; deploy DNS Security Extensions (DNSSEC) to protect the integrity of DNS data; deploy dedicated DNS servers to reduce attack surfaces; and follow all technical guidance on ensuring that DNS deployments and the DNS protocol are as secure and resilient as possible. The revised document addresses understanding DNS as a component of an organization's security strategy; managing threats to authoritative services; managing threats to recursive/forwarding services; and managing threats to stub resolvers. IT also includes a DNS Protocol tutorial.

Trivy, Aqua Security's open-source security scanner widely used in continuous integration/delivery (CI/CD) pipelines, has been compromised in ongoing supply chain attacks throughout late February and March 2026. In the first attack, the repository was renamed and made private, several releases and associated assets were deleted from GitHub, and a malicious artifact was pushed to the Open VSIX marketplace within the Trivy extension for VS Code. Analysis by Step Security revealed that an autonomous AI-powered bot was carrying out a widespread attack on multiple open-source CI/CD pipelines and had stolen a Personal Access Token (PAT) to take over the Trivy repository. Aqua removed the vulnerable workflow and VS Code extension artifact, revoked the token, and restored and republished the repository. However, on March 19, Trivy maintainers observed a threat actor using a credential stolen in the first attack "to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware and replace all 7 tags in aquasecurity/setup-trivy with malicious commits." Then on March 22, "a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images." While the maintainers state they had rotated secrets and tokens, "the process wasn't atomic and attackers may have been privy to refreshed tokens." Users should rotate secrets, search for exfiltration artifacts, pin GitHub actions to full SHA hashes, and audit Trivy versions and GitHub Action references. You are affected if you used Trivy v0.69.4 binaries from GitHub, Deb, or RPM; v0.69.4 container images from GHCR, ECR public, or Docker Hub; container images v0.69.5 and v0.69.6 from Docker Hub; and GitHub Actions aquasecurity/trivy-action before 0.35.0 or aquasecurity/setup-trivy before 0.2.6. All malicious elements have been removed from all sources at the time of this writing.

Oracle has released an unscheduled Security Alert to address a critical vulnerability (CVE-2026-21992) affecting the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager. Both are part of Oracle's Fusion Middleware suite. The flaw, which is remotely exploitable without authentication, could allow attackers to achieve remote code execution. It is not clear whether the vulnerability has been actively exploited. Users are urged to apply updates or mitigations as soon as possible.

Researchers at Sysdig say attackers started exploiting a critical unauthenticated remote code execution (RCE) vulnerability in the Langflow open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines within a day of its disclosure. The vulnerability (CVE-2026-33017) was disclosed on Tuesday, March 17, 2026, and the Sysdig Threat Research Team (TRT) detected exploitation within 20 hours of that disclosure. It appears the "attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances." Within 25 hours, the attackers exfiltrated data, including "keys and credentials, which provided access to connected databases and potential software supply chain compromise."

Ubiquiti has published a security advisory urging users to patch a maximum-severity flaw in the UniFi Network application, affecting official release version 10.1.85 and earlier, release candidate version 10.2.93 and earlier, and UniFi Express (UX) version 9.0.114 and earlier. CVE-2026-22557, CVSS score 10.0, allows an attacker with access to the network to manipulate system files and take over user accounts by exploiting a path traversal vulnerability in the UniFi Network application. The same advisory also covers a CVSS 7.7 authenticated NoSQL injection vulnerability allowing privilege escalation in the same versions of the UniFi app (CVE-2026-22557), and a CVSS 8.8 improper input validation vulnerability allowing unauthorized account access in UniFi Network Server version 10.1.85 and earlier (CVE-2026-22559). Users should update to UniFi Network application official release version 10.1.89 or later, release candidate version 10.2.97 or later, UniFi Express firmware 4.0.13 or later, and UniFi Network Server version 10.1.89 or later.

Microsoft has released an unscheduled update to address an issue some users encountered after installing the March 2026 Windows security update that was released earlier this month. In some cases, users reported they were unable to sign in to Microsoft apps and services: when attempting sign-in, they instead saw a "no internet" error message. The out-of-band update released on Saturday, March 21 is cumulative, "includ[ing] all protections and improvements from the March 2026 Windows security update released March 10, 2026." The update is available for Windows 11 versions 25H2 and 24H2 devices that receive standard Windows updates, and can be installed through Windows Update or the Microsoft Update Catalog. The issue does not affect users who employ Microsoft Entra ID for app authentication.

The US Food and Drug Administration (FDA) has issued a Class II recall for several GE HealthCare Centricity medical imaging products because "User login credentials may be exposed on the local client workstation, which could allow an unauthorized individual to potentially impact system availability and/or manipulate data." The vulnerability affects Centricity Universal Viewer Software Versions 5.0 SP6 through UV 5.0 SP7.1; 6.0 through 6.0 Sp10.4.1; and 7.0 through 7.0 Sp2.0.1. Centricity Universal Viewer is a device that displays medical images including mammograms, and data from various imaging sources. GE Healthcare notified affected customers about the issue at the end of January 2026, and the FDA posted the notice on Monday, March 23. The FDA defines a Class II recall as "a situation in which use of or exposure to a violative product may cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences is remote."

Law enforcement authorities from Canada, Germany, and the US have taken steps to disrupt the command and control (C2) infrastructure used by multiple Internet of Things (IoT) botnets. The US Department of Defense Office of Inspector General’s (DoD OIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants that targeted multiple U.S.-registered internet domains, virtual servers, and other infrastructure. The four botnets are estimated to have compromised more than three million IoT devices, and access to them was sold to cybercriminals who used them to launch distributed denial-of-service (DDoS) attacks measuring up to 30 terabits per second. Germany's Bundeskriminalamt (BKA) Cyber and Public Prosecutor’s Office in Cologne (ZAC NRW) and Canada's Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP) and Sûreté du Québec (SQ) are involved in targeting individuals who operated the botnets. The operation also received help from Netherlands Politie, EUROPOL’s PowerOFF team, and 20 private sector partners.

A federal jury in North Carolina has found a former data analyst for a Washington, DC-based tech company guilty on six counts of extortion. Cameron Nicholas Curry worked as a contractor for the unnamed company from August through December 2023. When he learned that his contract was not going to be renewed, Curry began formulating his scheme. He stole the data during the term of his contract, and immediately following his termination began sending emails to employees and executives, threatening to leak the sensitive company information if they did not pay a ransom. The company notified the FBI about the incident on December 14, 2023, and paid Curry's ransom demand the following month. Curry faces up to 12 years in prison. As CyberScoop observes, this incident "underscores [the] immeasurable risks companies accept when employees, or contractors placed in roles by a third-party recruitment company, as was the case with Curry, are allowed to access sensitive data on a company-owned laptop."