
March 2026 security update: Rapid‑fire intrusions and infrastructure attacks mark a turning point for defenders

Today’s threat landscape

Adversaries are getting faster – accelerated by AI

The arms race between attackers and defenders has entered a new phase, with artificial intelligence firmly at its center. According to CrowdStrike's 2026 Global Threat Report, the average cybercrime breakout time - the window between initial access and lateral movement - fell to just 29 minutes in 2025, 65% faster than the previous year. The fastest observed breakout clocked in at a staggering 27 seconds. Sysdig's Threat Research team documented the real-world impact of this acceleration.

The team described an AI-assisted cloud intrusion that achieved full administrative access to an AWS environment in under 10 minutes. The attacker exploited credentials found in public S3 buckets and used large language models to automate reconnaissance, generate malicious code, and make real-time privilege-escalation decisions across 19 AWS principals. 

Meanwhile, Google's Threat Intelligence Group revealed that state-sponsored actors from China, Iran, North Korea, and Russia are abusing its Gemini model across every stage of the attack lifecycle - from target profiling and phishing-lure creation to vulnerability analysis and command-and-control (C2) tooling development. On the defensive side, nations such as Sweden have launched national AI strategies that aim to turn research strength in machine learning and AI security into a counterweight to these threats.  

Top 3 vulnerabilities 

Four critical vulnerabilities in SolarWinds Serv-U grant root access

SolarWinds has patched four critical vulnerabilities in Serv-U, its widely deployed managed file transfer and FTP/SFTP server. Each one allows an attacker to execute code with root or administrator privileges, potentially leading to complete server takeover.  

CVE-2025-40538 is a broken access-control issue that enables an attacker with domain or group admin privileges to create a system administrator account and run arbitrary code as root. CVE-2025-40539 and CVE-2025-40540 are type confusion bugs that trigger memory corruption and enable root-level code execution, while CVE-2025-40541 is an Insecure Direct Object Reference (IDOR) vulnerability with the same impact.  

All four are remotely exploitable, low-complexity, and require no user interaction. They do, however, require existing administrative credentials. As Orca Security noted, when admin credentials are compromised through phishing or credential spraying, these flaws dramatically amplify the impact.  

All versions below 15.5.4 are affected. Organizations must update to 15.5.4 or later to address the vulnerabilities. 

Markdown links turn Windows 11 Notepad into an attack vector 

Microsoft's February 2026 Patch Tuesday fixed a remote code execution vulnerability in Windows 11 Notepad. Tracked as CVE-2026-20841, it stems from the Markdown support Microsoft recently added to Notepad, which made links inside text files clickable. 

The issue is a command injection flaw: when a user opens a Markdown file and clicks a crafted link, Notepad hands the URL to the operating system without validating it. An attacker can embed file:// paths or special protocol handlers such as ms-appinstaller:// that silently launch executables or download and run remote programs with no security warning. The code runs with the victim's privileges. The attack is simple: the attacker sends a Markdown file disguised as release notes or documentation, and a single click on an embedded link triggers execution. 

Windows Notepad (Store version) builds before 11.2510 are affected by the vulnerability. Microsoft's fix adds a confirmation dialog for non-HTTP/HTTPS links. The Notepad update rolls out automatically via the Microsoft Store, and the February cumulative updates KB5077181 (Windows 11) and KB5075912 (Windows 10) also address the issue. 
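To make the Notepad flaw concrete, the following is an added example (not Microsoft's code, and not a reconstruction of Notepad's patch) of a Markdown link handler in its vulnerable and hardened forms. The decision policy mirrors the fix described above: http/https links open directly, anything else requires confirmation. The `launch` and `confirm` callables, the `audit_markdown` helper and the sample "release notes" are all constructed for the example; the sample includes an upper-case scheme, a tab-obfuscated scheme, and a bare Windows drive path to show why the scheme must be normalised before it is checked.

```python
import re
from urllib.parse import urlsplit

# Schemes the hardened handler opens without a prompt (the policy of the fix described above).
SAFE_SCHEMES = frozenset({"http", "https"})

# Minimal inline-link matcher: [label](target). Deliberately permissive inside the
# parentheses so obfuscated targets reach the classifier instead of being skipped.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")


def normalise_target(raw):
    """Canonicalise a link target before looking at its scheme.

    ASCII control characters (tab, newline, ...) are removed, as the WHATWG URL
    algorithm does, and surrounding whitespace / <angle brackets> are dropped.
    Without this, 'ms-app\\tinstaller:' would not look like 'ms-appinstaller:'.
    """
    cleaned = "".join(ch for ch in raw if ord(ch) >= 0x20 and ord(ch) != 0x7F)
    return cleaned.strip().strip("<>").strip()


def link_scheme(target):
    """Lower-cased scheme of a normalised target, or '' when there is none.

    A single-letter 'scheme' is a Windows drive letter ('C:\\\\evil.exe'), which
    urlsplit would otherwise report as scheme 'c'; treat it as a plain path.
    """
    scheme = urlsplit(target).scheme.lower()
    return "" if len(scheme) == 1 else scheme


def needs_confirmation(target):
    """True unless the link is plain http/https. Scheme-less and relative targets fail closed."""
    return link_scheme(normalise_target(target)) not in SAFE_SCHEMES


def open_link_vulnerable(target, launch):
    """The flawed pattern: whatever the link says goes straight to the OS handler."""
    launch(target)
    return "opened"


def open_link(target, launch, confirm):
    """Hardened dispatcher. `launch` hands the URL to the OS (e.g. os.startfile on
    Windows), `confirm` asks the user; both are hypothetical callbacks here."""
    target = normalise_target(target)
    if not needs_confirmation(target):
        launch(target)
        return "opened"
    if confirm(target):
        launch(target)
        return "opened after prompt"
    return "refused"


def audit_markdown(text):
    """Return (label, normalised target, scheme, needs_confirmation) for every inline link."""
    rows = []
    for label, raw in LINK_RE.findall(text):
        target = normalise_target(raw)
        rows.append((label, target, link_scheme(target), needs_confirmation(target)))
    return rows


# Constructed sample "release notes" covering the cases described in the advisory
# plus two obfuscations (upper-case scheme, embedded tab) and a drive-letter path.
SAMPLE_MD = """# Release notes 2.3.1
- Changelog: [web](https://example.com/changelog)
- Installer: [one click](ms-appinstaller://?source=https://example.invalid/app.msix)
- Offline copy: [local](FILE:///C:/Windows/System32/calc.exe)
- Mirror: [alt](ms-app\tinstaller://?source=https://example.invalid/alt.msix)
- Path: [drive](C:\\Users\\Public\\setup.exe)
- Docs: [readme](docs/README.md)
"""

if __name__ == "__main__":
    for label, target, scheme, prompt in audit_markdown(SAMPLE_MD):
        verdict = "PROMPT" if prompt else "open  "
        print(f"{verdict} scheme={scheme or '(none)':16} {target}")
```

Only the first link in the sample opens without a prompt; the installer, file and tab-obfuscated links are all flagged, as are the drive path and the relative link, which the example deliberately treats as unknown rather than safe.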

Critical Juniper PTX router vulnerability allows full device takeover - without credentials  

Juniper Networks has issued an emergency security update for a critical vulnerability in Junos OS Evolved on PTX Series routers - high-performance core routers used by ISPs, telecom operators, and cloud data centers. 

Tracked as CVE-2026-21902, the vulnerability resides in the On-Box Anomaly Detection framework, a built-in service meant to be accessible only by internal processes. Due to incorrect permission assignment, it is instead exposed on an externally reachable port. Since the service runs as root and is enabled by default, a remote attacker can execute arbitrary code with full root privileges - no credentials needed. Successful exploitation grants complete control of the router. 

The vulnerability affects Junos OS Evolved 25.4R1 on PTX Series platforms; the fix ships in 25.4R1-S1-EVO. Standard Junos OS is not affected. Until the update is applied, restrict access to the service with firewall filters/ACLs or disable it. 
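Both the Serv-U and the Juniper advisories above come down to the same operational question: is the running version older than the fixed release? The following is an added example (not SolarWinds' or Juniper's tooling) that answers it correctly for Serv-U's dotted versions and for Junos OS Evolved release strings, where a plain string comparison goes wrong ("15.5.10" sorts before "15.5.4" as text). It assumes the Junos Evolved release grammar MAJOR.MINOR R<n>[.build][-S<n>[.build]]-EVO and that `show version` prints a `Junos:` line; the `show version` excerpt and the inventory are constructed. A version string alone cannot tell a PTX from another Junos Evolved platform, so a match on a non-PTX host should be read as "review", not "exposed".

```python
import re

# Fixed releases named in the two advisories summarised above.
SERV_U_FIXED = (15, 5, 4)          # Serv-U 15.5.4 fixes CVE-2025-40538 .. CVE-2025-40541
JUNOS_EVO_AFFECTED = (25, 4, 1)    # Junos OS Evolved 25.4R1; 25.4R1-S1-EVO carries the fix

# Assumed Junos Evolved release grammar: MAJOR.MINOR R<n>[.build][-S<n>[.build]][-EVO]
JUNOS_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<release>\d+)(?:\.\d+)?"
    r"(?:-S(?P<service>\d+)(?:\.\d+)?)?(?P<evo>-EVO)?$",
    re.IGNORECASE,
)


def _dotted(version):
    """'15.5.4' -> (15, 5, 4). Numeric tuples compare correctly; strings do not
    ('15.5.10' < '15.5.4' as text, but (15, 5, 10) > (15, 5, 4))."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def serv_u_vulnerable(version):
    """True for every Serv-U build below 15.5.4 (the advisory's affected range).
    Missing components count as 0; a trailing build component is ignored."""
    v = (_dotted(version) + (0, 0, 0))[:3]
    return v < SERV_U_FIXED


def junos_evo_vulnerable(version):
    """True for Junos OS Evolved 25.4R1 without service release S1 or later.
    Other release trains and standard Junos OS (no -EVO suffix) return False.
    The version string does not prove the device is a PTX; check the model too."""
    m = JUNOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unexpected Junos version string: {version!r}")
    if not m.group("evo"):
        return False
    release = (int(m.group("major")), int(m.group("minor")), int(m.group("release")))
    service = int(m.group("service") or 0)
    return release == JUNOS_EVO_AFFECTED and service < 1


def junos_version_from_show_version(text):
    """Pull the release string from 'show version' output (assumed 'Junos:' line)."""
    m = re.search(r"^Junos:\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line in show version output")
    return m.group(1)


# Constructed 'show version' excerpt for a PTX running the affected release.
SAMPLE_SHOW_VERSION = """Hostname: core-ptx-01
Model: ptx10008
Junos: 25.4R1.7-EVO
"""


def triage(inventory):
    """inventory: {host: (product, version)} -> sorted hosts still exposed.
    product is 'serv-u' or 'junos-evo'; other products are skipped."""
    checks = {"serv-u": serv_u_vulnerable, "junos-evo": junos_evo_vulnerable}
    return sorted(h for h, (p, v) in inventory.items() if p in checks and checks[p](v))


if __name__ == "__main__":
    # Constructed inventory: one patched and one unpatched host per product,
    # plus the string-compare trap (15.5.10) and a standard-Junos box.
    inv = {
        "mft-01": ("serv-u", "15.5.3"),
        "mft-02": ("serv-u", "15.5.4"),
        "mft-03": ("serv-u", "15.5.10"),
        "core-ptx-01": ("junos-evo", junos_version_from_show_version(SAMPLE_SHOW_VERSION)),
        "core-ptx-02": ("junos-evo", "25.4R1-S1-EVO"),
        "edge-01": ("junos-evo", "25.4R1"),   # no -EVO suffix: standard Junos OS, not affected
    }
    for host in triage(inv):
        print("still vulnerable:", host)
```

Running it reports mft-01 and core-ptx-01 only: 15.5.10 is correctly recognised as newer than the fix, and the standard Junos OS host is excluded even though its release number matches.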

Industry News

Europe's critical infrastructure under siege 

Europe's essential services - including telecoms, railways, and energy pipelines - are facing an unprecedented wave of cyberattacks. To meet the moment, Sweden announced national roaming during heightened preparedness: if one mobile network goes down - whether due to attack or sabotage - subscribers will be able to switch to another operator's network via their phone settings, a practical resilience measure other nations may soon consider. 

The Dutch telecom industry did not fare as well last month. Odido suffered one of Europe's most significant recent data breaches when the notorious ShinyHunters group gained access to the personal data of 6.2 million customers and former subscribers. Stolen records - including names, addresses, IBANs, and passport details - began appearing on the dark web, with the attackers demanding over one million euros in ransom and threatening to release more data over sixteen days. 

Meanwhile, a Cyfirma report confirmed a sharp escalation: energy and utilities organizations appeared in 43% of observed APT campaigns this quarter, up from 13% previously, with ransomware victims in the sector surging over 60%. CERT Polska also documented coordinated destructive attacks against Poland's energy sector, while Germany's Deutsche Bahn had its booking systems disrupted by a DDoS attack, continuing a pattern of suspected sabotage against German rail infrastructure. 

Last month's incidents paint a sobering picture for any business leader relying on the continent’s critical infrastructure, underscoring the urgency of securing both IT and OT environments as they continue to converge.