The past seven days have been an exceptionally busy period for defenders. Between March 16 and March 23, 1,348 new vulnerabilities were identified and logged. The volume alone is enough to give any system administrator a headache, but it is the severity of a handful of specific flaws that makes this week a critical one for infrastructure security.
Of the total, 75 were rated Critical and 346 High. Most concerning, 416 of these flaws already have a public exploit or a technical write-up available, which sharply shortens the window organizations have to patch before they are targeted. That subset, not the CVSS score alone, is where patch prioritization should start.
Seven vulnerabilities reached the maximum CVSS score of 10.0 this week; four of them are highlighted below. A 10.0 usually means the worst combination: a remote, unauthenticated attack path that ends in full control of the system.
- Cisco Secure Firewall Management Center (CVE-2026-20131): A critical vulnerability in the web-based management interface of Cisco's FMC software could allow a remote attacker to execute arbitrary Java code as root. Management interfaces of this kind should never be reachable from untrusted networks, which limits exposure while the patch is rolled out.
- UniFi Network Application (CVE-2026-22557): A path traversal flaw in the widely used UniFi networking suite could allow an attacker to access and manipulate sensitive files on the underlying system.
- Azure Cloud Shell (CVE-2026-32169): Microsoft’s cloud-based shell environment is vulnerable to Server-Side Request Forgery (SSRF), which could allow an unauthorized attacker to elevate their privileges over the network.
- step-ca (CVE-2026-30836): This online certificate authority for DevOps has a critical flaw that fails to prevent unauthenticated certificate issuance, potentially allowing attackers to obtain certificates for identities they do not control and impersonate trusted services.
The WordPress ecosystem continues to be a primary target for researchers and attackers alike. This week alone, 132 vulnerabilities were reported within various WordPress plugins and themes.
A notable example is CVE-2026-2580 (CVSS 7.5), which affects the "WP Maps" suite of plugins. The flaw allows unauthenticated attackers to perform time-based blind SQL injection: the injected query returns no data directly, but the attacker makes the database pause whenever a guessed condition is true and reads the answer from the response time, extracting database contents one bit at a time. Because these plugins are used for store locators and directory listings, they are typically exposed to anonymous visitors, so the potential for data theft is significant.
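To make the mechanism concrete, here is an added example that is not code from the plugin or from the original report: a hypothetical store-locator lookup written two ways, the concatenated query that lets a time-based blind injection through and the parameterized query that does not, plus the attacker's loop that recovers one character by watching for the delay and a crude request-side signature a WAF rule or log search could use. It uses SQLite with a registered sleep() function standing in for MySQL's SLEEP(); the table, rows and payloads are constructed for the demonstration and are not the WP Maps schema.

```python
import re
import sqlite3
import time

# Constructed sample rows for a hypothetical store-locator table. This is not
# the WP Maps schema; it only reproduces the shape of the bug.
STORES = [
    (1, "Downtown Store", "retail", "12 Main St"),
    (2, "Harbor Outlet", "outlet", "3 Pier Rd"),
    (3, "Airport Kiosk", "retail", "Terminal 2"),
]


class SleepProbe:
    """Stand-in for MySQL's SLEEP(): records every call and pauses briefly."""

    def __init__(self, delay=0.02):
        self.calls = 0
        self.delay = delay

    def __call__(self, seconds):
        self.calls += 1
        time.sleep(self.delay)
        return 0  # SLEEP() returns 0, which is false inside a WHERE clause


def make_db(probe):
    """In-memory SQLite with a user function named sleep, so time-based
    payloads behave the way they would against MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, probe)
    conn.execute("CREATE TABLE stores (id INTEGER, name TEXT, category TEXT, address TEXT)")
    conn.executemany("INSERT INTO stores VALUES (?, ?, ?, ?)", STORES)
    return conn


def find_stores_vulnerable(conn, category):
    """The mistake: attacker-controlled input concatenated into the SQL text."""
    sql = f"SELECT id, name FROM stores WHERE category = '{category}' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_stores_hardened(conn, category):
    """The fix: a bound parameter can never change the structure of the query."""
    sql = "SELECT id, name FROM stores WHERE category = ? ORDER BY id"
    return conn.execute(sql, (category,)).fetchall()


def blind_extract_first_char(conn, probe, candidates="ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    """Attacker's side: guess the first letter of store 1's name one candidate
    at a time. The response carries no data either way; only a delay (here,
    a recorded sleep call) tells the attacker the guess was right."""
    for guess in candidates:
        probe.calls = 0
        payload = (
            "x' OR CASE WHEN (SELECT substr(name, 1, 1) FROM stores WHERE id = 1) = '"
            + guess + "' THEN sleep(3) ELSE 0 END--"
        )
        find_stores_vulnerable(conn, payload)
        if probe.calls:
            return guess
    return None


# Crude request-side signal for the same attack: the functions used to create
# the delay rarely appear in legitimate query parameters.
TIME_BASED_SIGNATURES = re.compile(
    r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)


def looks_like_time_based_sqli(value):
    return bool(TIME_BASED_SIGNATURES.search(value))


if __name__ == "__main__":
    probe = SleepProbe()
    conn = make_db(probe)
    payload = "retail' AND sleep(3)--"

    start = time.monotonic()
    rows = find_stores_vulnerable(conn, payload)
    print("vulnerable:", rows, "sleep calls:", probe.calls,
          "elapsed: %.3fs" % (time.monotonic() - start))

    probe.calls = 0
    start = time.monotonic()
    rows = find_stores_hardened(conn, payload)
    print("hardened:  ", rows, "sleep calls:", probe.calls,
          "elapsed: %.3fs" % (time.monotonic() - start))

    print("first letter recovered blind:", blind_extract_first_char(conn, probe))
    print("flagged by signature:", looks_like_time_based_sqli(payload))
```

The vulnerable and hardened lookups both return nothing for the injected value; the difference is that the concatenated query actually executes the attacker's sleep(), which is exactly the side channel a time-based blind injection reads. The signature check is a triage aid only: attackers can obfuscate function names, so the real fix is the bound parameter.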
The Internet of Things (IoT) remains a fragile frontier. Tenda devices were hit with 15 new vulnerabilities this week, most of which have public exploits ready to use.
- CVE-2026-4565 (Tenda AC21): A remote buffer overflow in the router’s network control functions. The report explicitly states, “The exploit is now public and may be used,” making it a high-priority target for automated botnets.
- CVE-2026-4558 (Linksys MR9600): A similar flaw in Linksys routers involves the “SmartConnect” feature, allowing attackers to manipulate system configurations through a remote execution vector.
While mobile devices are being targeted for surveillance (see the DarkSword chain below), web servers are being hit for total control. Two major framework vulnerabilities saw active exploitation this week:
- Craft CMS (CVE-2025-32432): This code injection flaw carries a CVSS score of 10.0. It allows attackers to achieve remote code execution (RCE) with very low complexity. Because it provides a direct path to the heart of a web application, it has become a primary target for automated exploitation scripts.
- Laravel Livewire (CVE-2025-54068): With a CVSS score of 9.2, this flaw allows unauthenticated attackers to execute remote commands. The issue lies in how component properties are "hydrated" during updates, allowing an attacker to inject malicious logic without any credentials at all.
Perhaps the most alarming development involves the DarkSword exploit chain. Since late 2025, this sophisticated toolkit has been used by both state-sponsored actors and commercial surveillance vendors to target victims globally. The chain relies on multiple zero-day vulnerabilities (CVE-2025-31277, CVE-2025-43520, CVE-2025-43510) in the Apple ecosystem that allow for a full device takeover.
Once a device is compromised via a “watering hole” website, attackers deploy one of three specialized malware families:
- GHOSTBLADE: A JavaScript-based data miner that harvests a wide range of personal information, including iMessage and WhatsApp communications, browser history, and crypto wallet data.
- GHOSTKNIFE: A persistent backdoor used to exfiltrate location history and signed-in account credentials.
- GHOSTSABER: A versatile tool used for remote JavaScript execution and deep-level system enumeration.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.