Cyber Threat Brief — March 21 2026
Previous brief: Cyber Threat Brief — March 20 2026
1. Langflow Unauthenticated RCE — CVE-2026-33017
TL;DR: Critical (CVSS 9.3) unauthenticated RCE in Langflow AI pipeline platform via exec() on an unauthed endpoint — exploited in the wild within 20 hours of disclosure with no public PoC. Sysdig observed 6 attacker IPs conducting credential harvesting and data exfiltration through C2 at 173.212.205[.]251:8443.
What’s New:
- Sysdig published detailed analysis on March 20 documenting three exploitation phases: mass scanning, active recon, and data exfiltration
- 6 unique source IPs exploiting within 48 hours — attackers reverse-engineered exploits from advisory alone (no public PoC)
- C2 server confirmed at 173.212.205[.]251:8443; callback validation via oastify.com, interact.sh, dnslog.cn
- Exfil targets: /etc/passwd, .env files, database configs, cloud credentials
- All versions through 1.8.1 affected
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /api/v1/build_public_tmp/{flow_id}/flow with data param | Network / Exploit | T1190 | WAF, web server logs | Alert on POST to this endpoint from external sources |
| C2 IP 173.212.205[.]251:8443 | IOC / Network | T1071.001 | Firewall, proxy, NetFlow | Block and alert on outbound connections |
| DNS to oastify.com, interact.sh, dnslog.cn | IOC / Network | T1071.001 | DNS logs, proxy | Alert on queries to these callback services from servers |
| Unexpected child processes from Langflow workers | TTP / Execution | T1059.006 | EDR process telemetry | Monitor Langflow workers for anomalous process spawning |
| Bulk reads of .env, DB configs, cloud creds | TTP / Collection | T1552.001 | File access monitoring, EDR | Alert on config file access from Langflow process context |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator, Suspicious Process Spawned by Web Server | No Langflow-specific or AI/ML platform exploitation rules |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes, Suspicious Python Child Process | No Langflow-specific rules |
| Sigma | Webshell Detection via Process Execution, Suspicious Python Script Execution | No AI/ML platform exploitation signatures |
Sources: Sysdig · The Hacker News · SecurityWeek
2. Craft CMS Unauthenticated RCE — CVE-2025-32432
TL;DR: CISA added this CVSS 10.0 Craft CMS RCE to KEV on March 20, confirming active exploitation. Three-stage attack chain (session file poisoning → __class bypass → PHP execution) requires no authentication; multiple public PoCs exist and hundreds of servers were previously compromised.
What’s New:
- Added to CISA KEV March 20 — confirms ongoing exploitation against unpatched instances
- BOD 22-01 federal remediation deadline applies (typically 3 weeks from addition)
- Three-stage exploit chain well-documented with multiple public PoCs
- All versions from 3.0.0-RC1 through 5.6.16 affected; patched in April 2025
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST to actions/assets/generate-transform with __class in body | Network / Exploit | T1190 | WAF, web server logs | Alert on __class string in POST body to this endpoint |
| PHP payloads in storage/runtime/sessions/ | File / Persistence | T1505.003 | FIM, EDR | Monitor session dir for anomalous PHP content |
| PHP execution from session storage paths | TTP / Execution | T1059.004 | EDR process telemetry | Alert on PHP spawning from session storage dirs |
| Anomalous outbound connections from CMS workers | Network | T1071.001 | Firewall, proxy | Baseline and alert on post-exploitation C2 |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | W3WP Spawning Shell, Web Shell Indicator | No Craft CMS-specific __class deserialization or session poisoning detection |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes | Post-exploitation only; no exploit-phase detection |
| Sigma | IIS/Apache Suspicious POST Request, Webshell Detection via File Creation | No Craft CMS-specific rules |
Sources: CISA · Craft CMS · OPSWAT
3. Laravel Livewire Unauthenticated RCE — CVE-2025-54068
TL;DR: CISA added this CVSS 9.2 Livewire v3 RCE to KEV on March 20, confirming active exploitation. Attackers exploit a hydration bypass to inject GuzzleHttp\Psr7\FnStream objects that trigger RCE via __destruct — no authentication or APP_KEY required.
What’s New:
- Added to CISA KEV March 20 — confirms active exploitation of unpatched instances
- Public PoC available demonstrating hydration bypass and GuzzleHttp gadget chain
- No authentication or APP_KEY knowledge required
- Only Livewire v3 affected (3.0.0-beta.1 through 3.6.3); patched in 3.6.4
- BOD 22-01 federal remediation deadline applies
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Livewire update requests with GuzzleHttp\Psr7\FnStream refs | Network / Exploit | T1190 | WAF, web server logs | Alert on serialized PHP object refs to GuzzleHttp/FnStream |
| Malformed synthetic tuples in Livewire update payloads | Network / Exploit | T1190 | WAF, application logs | Inspect /livewire/update for anomalous property payloads |
| PHP __destruct chains from web context | TTP / Execution | T1059.004 | EDR, app logs | Monitor for unexpected process spawning from PHP-FPM/web workers |
| Oversized POST requests to /livewire/update | Network | T1190 | WAF, web proxy | Baseline normal payload sizes; alert on anomalies |
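The first and last rows above (FnStream references, oversized bodies) can be checked in a WAF plugin or a request-log post-processor. The script below is an added example for this brief, not Synacktiv's PoC or Livewire's code: it walks a `/livewire/update` body recursively, decodes the JSON-in-a-string `snapshot` field that Livewire v3 nests inside each component, and flags strings that name the suspect class or look like PHP `serialize()` objects. The payload layout is only Livewire's wire format in outline; the two sample requests and the 16 KB size baseline are constructed.

```python
"""Inspect a Livewire v3 /livewire/update body for the CVE-2025-54068
indicators.  Added example for this brief; not Synacktiv or Livewire code.
Sample payloads and the size baseline are constructed."""
import json
import re

SUSPECT_CLASSES = ("GuzzleHttp\\Psr7\\FnStream",)
# PHP serialize() object marker: O:<len>:"<class>":
PHP_OBJECT = re.compile(r'O:\d+:"([^"]+)":')
# Assumption: normal update bodies are a few KB; tune from your traffic.
SIZE_BASELINE_BYTES = 16 * 1024


def walk_strings(node, path="$"):
    """Yield (json_path, string) for every string in a nested JSON value.
    Strings that themselves hold JSON (Livewire's snapshot) are decoded
    and walked too, so nothing hides one encoding layer down."""
    if isinstance(node, str):
        yield path, node
        if node[:1] in ("{", "["):
            try:
                inner = json.loads(node)
            except ValueError:
                return
            yield from walk_strings(inner, path + ":json")
    elif isinstance(node, dict):
        for k, v in node.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_strings(v, f"{path}[{i}]")


def inspect_update(body: bytes) -> list[dict]:
    """Return findings for one request body; empty list means clean."""
    findings = []
    if len(body) > SIZE_BASELINE_BYTES:
        findings.append({"finding": "oversized_update", "attack": "T1190",
                         "bytes": len(body)})
    try:
        doc = json.loads(body)
    except ValueError:
        findings.append({"finding": "non_json_update", "attack": "T1190"})
        return findings
    for path, s in walk_strings(doc):
        for cls in SUSPECT_CLASSES:
            if cls in s:
                findings.append({"finding": "suspect_class_reference",
                                 "attack": "T1190", "class": cls,
                                 "path": path})
        m = PHP_OBJECT.search(s)
        if m:
            findings.append({"finding": "php_serialized_object",
                             "attack": "T1190", "class": m.group(1),
                             "path": path})
    return findings


def _sample(updates: dict) -> bytes:
    """Constructed request in the outline shape of a Livewire v3 update."""
    snapshot = {"data": {"count": 1},
                "memo": {"id": "x1", "name": "counter"},
                "checksum": "c0ffee"}
    doc = {"_token": "t0k3n",
           "components": [{"snapshot": json.dumps(snapshot),
                           "updates": updates, "calls": []}]}
    return json.dumps(doc).encode()


BENIGN_UPDATE = _sample({"count": 2})
# Constructed: a property update carrying a serialized object of the
# suspect class (an empty object, not a working gadget).
SUSPECT_UPDATE = _sample(
    {"count": ['O:24:"GuzzleHttp\\Psr7\\FnStream":0:{}', {"s": "obj"}]})

if __name__ == "__main__":
    print(inspect_update(BENIGN_UPDATE))
    for f in inspect_update(SUSPECT_UPDATE):
        print(f)
```

The two string checks overlap on purpose: the class-name check catches the reference however it is encoded, and the `O:` marker check catches serialized objects of any class, which is the signal to keep once other gadgets are published.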
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | W3WP Spawning Shell, Linux PHP Process Spawning Shell | No Laravel/Livewire deserialization or PHP gadget chain rules |
| Elastic | Web Shell Detection, PHP Deserialization Attack Detected | Moderate — has some PHP deserialization coverage |
| Sigma | Suspicious PHP Child Process, Web Server Spawning Suspicious Process | No Laravel/Livewire-specific rules |
Sources: CISA · Synacktiv · Security Online
CISA KEV Update — March 20, 2026
Five CVEs added. Two covered above (CVE-2025-32432, CVE-2025-54068). Remaining three are Apple client-side vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) — buffer overflow and locking bugs. Action: Ensure Apple fleet patched to latest OS via MDM; detection is patch compliance monitoring.
Previously Covered — Status Updates
- CVE-2026-20131 (Cisco FMC): Public PoC repo appeared on GitHub (p3Nt3st3r-sTAr/CVE-2026-20131-POC); assume increased exploitation risk for unpatched instances. March 19 brief.
- PolyShell (Magento): No new developments. Exploit circulating; no production patch available. March 20 brief.