Mar 26, 2026
This week on Hacking News, we're covering five stories that all
share one theme: the things we trust most are the things being
targeted.
Cisco disclosed two CVSS 10.0 vulnerabilities in its Secure
Firewall Management Center — the centralized brain that manages
entire firewall fleets — giving unauthenticated attackers root
access. Pakistan-linked APT36 has turned AI coding tools into a
malware assembly line, flooding Indian government networks with
disposable "vibeware" variants in a strategy Bitdefender calls
"Distributed Denial of Detection." Google dropped the largest
Android security update in almost eight years — 129 vulnerabilities
— including a Qualcomm zero-day already under targeted exploitation
across 234 chipsets. A China-linked threat cluster called UAT-9244
is burrowing into South American telecom infrastructure with three
brand-new malware families spanning Windows, Linux, and edge
devices. And LexisNexis confirmed a cloud breach after a threat
actor exploited an unpatched React app and found the database
password was... Lexis1234.
⏱️ Timestamps
0:00 — Cold Open: What do you call a hackable firewall manager?
1:21 — Welcome & CTA
2:01 — Story 1: Cisco Secure FMC — Two CVSS 10.0 Vulnerabilities
(CVE-2026-20079 & CVE-2026-20131)
5:33 — Story 2: APT36 "Vibeware" — AI-Generated Malware at
Industrial Scale
9:13 — Story 3: Google Android March 2026 — 129 Patches + Qualcomm
Zero-Day (CVE-2026-21385)
12:34 — Story 4: UAT-9244 / FamousSparrow — China-Linked APT Hits
South American Telecoms
16:26 — Story 5: LexisNexis Cloud Breach — React2Shell, Weak
Passwords, Gov Data
20:14 — Recap & Key Takeaways
22:40 — Outro
🔑 Key Takeaways
Network security appliances are high-value targets. The Cisco
FMC vulnerabilities follow the same pattern as the SD-WAN
disclosure — if the management plane is compromised, everything
downstream is at risk.
AI is changing the economics of malware, not the sophistication.
APT36's vibeware shows the real threat is volume, not brilliance.
Detection teams may need to rethink approaches for floods of
low-quality polyglot variants.
Mobile patching remains the ecosystem's Achilles' heel. 129 Android
vulnerabilities, including an exploited Qualcomm zero-day across
234 chipsets. Google releases patches; manufacturers control the
timeline.
Telecom targeting is not slowing down. UAT-9244 demonstrates
continued investment in multi-platform telecom compromise toolkits
— Windows, Linux, and edge devices simultaneously. P2P C2 and ORB
expansion make detection exceptionally difficult.
Cloud security basics still matter more than anything. The
LexisNexis breach wasn't a zero-day — it was an unpatched app, an
overly permissive IAM role, and a weak password. Fundamentals
remain the most impactful things any organization can do.
📚 Sources
Story 1 — Cisco FMC:
Cisco Advisory: cisco-sa-onprem-fmc-authbypass-5JPp45V2
Cisco Advisory: cisco-sa-fmc-rce-NKhnULJh
The Stack — "Two CVSS 10s in Cisco firewall management found
internally"
Security Affairs — "Cisco fixes maximum-severity Secure FMC
bugs"
Singapore CSA: Alert AL-2026-021
Story 2 — APT36 Vibeware:
Bitdefender — "APT36: A Nightmare of Vibeware"
Dark Reading — "Nation-State Actor Embraces AI Malware Assembly
Line"
HackRead — "Pakistan-Linked APT36 Floods Indian Govt Networks"
SC Media — "AI-generated vibeware spread in new APT36 campaign"
Story 3 — Android March 2026:
Google Android Security Bulletin — March 2026
CyberScoop — "Google addresses actively exploited Qualcomm
zero-day"
The Hacker News — "Google Confirms CVE-2026-21385"
SecurityWeek — "Android Update Patches Exploited Qualcomm
Zero-Day"
CISA KEV Catalog — CVE-2026-21385
Story 4 — UAT-9244:
Cisco Talos — "UAT-9244 targets South American telecommunication
providers"
BleepingComputer — "Chinese state hackers target telcos with new
malware toolkit"
The Hacker News — "China-Linked Hackers Use TernDoor, PeerTime,
BruteEntry"
Story 5 — LexisNexis:
BleepingComputer — "LexisNexis confirms data breach as hackers
leak stolen files"
The Register — "LexisNexis Legal & Professional confirms data
breach"
SecurityWeek — "New LexisNexis Data Breach Confirmed"
The Record — "LexisNexis says hackers accessed legacy data"
Cybernews — "Hackers claim LexisNexis breach exposing 400K
users"
⚠️ The content presented by Exploit Brokers by Forgebound Research
is for educational and informational purposes only. Cipherceval is
a cybersecurity educator and commentator — not your personal
security consultant, legal counsel, or professional advisor. The
information shared here reflects publicly available research,
industry reporting, and the host's personal perspective. It does
not constitute professional security consulting or individualized
guidance for your specific environment. Always consult with
qualified professionals for decisions affecting your systems and
security posture.