6 Mar 2026
Week in review
Greetings,
The Wikimedia Foundation moved quickly this week to contain a disruptive security incident after a self-propagating JavaScript worm began vandalising Wikipedia pages and altering user scripts across multiple projects. Editors first raised the alarm on Wikipedia’s Village Pump, reporting sudden waves of automated edits that inserted hidden scripts and defaced random pages. In response, Wikimedia engineers temporarily restricted editing platform-wide while they investigated and began reverting the malicious changes.
According to details logged in Wikimedia’s Phabricator tracker, the attack originated from a malicious script hosted on Russian Wikipedia. The file, User:Ololoshka562/test.js, was first uploaded in March 2024 and had been associated with earlier attempts to compromise wiki platforms. The worm appears to have been triggered when the script was executed in the browser of a Wikimedia employee account during routine testing of user-authored code. It remains unclear whether the execution was accidental, intentional, or the result of a compromised account.
BleepingComputer’s review of the archived script shows that the worm spread by injecting a JavaScript loader into both user-level and global configuration files. It modified users’ common.js scripts and the global MediaWiki:Common.js, causing every visitor who loaded those files to unknowingly propagate the worm further. This allowed the malicious code to persist and to attempt to rewrite scripts with the privileges of each infected account.
Wikimedia engineers removed the malicious code and restored normal editing operations, although a detailed post-incident report has not yet been published.
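The propagation path above relies on loader calls inside Common.js pages pulling in more code. As an added illustration (not part of the original report or of Wikimedia’s tooling), the following heuristic scanner flags loader calls in a MediaWiki script that fetch code from a user-namespace page or from a host outside a trusted list; the loader names are the real MediaWiki/jQuery ones, the sample script and host names are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Loader calls that MediaWiki site and user scripts use to pull in more code.
LOADER_RE = re.compile(
    r"""(mw\.loader\.load|importScript(?:URI)?|\$\.getScript)\s*\(\s*(['"])(.*?)\2"""
)

def find_loader_calls(js_text, trusted_hosts):
    """Return (call, target, reason) for loader calls that pull code from a
    user-namespace page or from a host outside trusted_hosts.
    Assumed heuristic: it flags targets for review, it does not prove malice."""
    findings = []
    for m in LOADER_RE.finditer(js_text):
        call, target = m.group(1), m.group(3)
        reason = None
        if target.startswith(("http://", "https://", "//")):
            absolute = "https:" + target if target.startswith("//") else target
            u = urlparse(absolute)
            if u.hostname not in trusted_hosts:
                reason = "external host"
            else:
                # action=raw style loaders carry the page title in the query string
                title = parse_qs(u.query).get("title", [""])[0]
                if title.startswith("User:"):
                    reason = "user-namespace script"
        elif target.startswith("User:"):
            reason = "user-namespace script"
        if reason:
            findings.append((call, target, reason))
    return findings

# Constructed sample Common.js content, not real wiki content.
SAMPLE_COMMON_JS = """
importScript('MediaWiki:Gadget-navpop.js');
mw.loader.load('https://ru.wikipedia.org/w/index.php?title=User:Example/test.js&action=raw&ctype=text/javascript');
$.getScript("https://cdn.example.invalid/loader.js");
"""

if __name__ == "__main__":
    for call, target, reason in find_loader_calls(SAMPLE_COMMON_JS, {"ru.wikipedia.org"}):
        print(f"{reason}: {call}({target})")
```

Run it over the revision history of MediaWiki:Common.js and users’ common.js pages to spot newly introduced loaders that pull code from user subpages.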
Cisco warns of max severity Secure FMC flaws giving root access
Date: 2026-03-04
Author: Bleeping Computer
[See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.2114/, https://portal.auscert.org.au/bulletins/ESB-2026.2104/]
Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software.
Secure FMC is a web- or SSH-based interface that administrators use to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection.
Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices.
ClawJacked attack let malicious websites hijack OpenClaw to steal data
Date: 2026-03-01
Author: Bleeping Computer
Security researchers have disclosed a high-severity vulnerability dubbed "ClawJacked" in the popular AI agent OpenClaw that allowed a malicious website to silently brute-force access to a locally running instance and take control of it.
Oasis Security discovered the issue and reported it to OpenClaw, with a fix being released in version 2026.2.26 on February 26.
OpenClaw is a self-hosted AI platform that has recently surged in popularity for enabling AI agents to autonomously send messages, execute commands, and manage tasks across multiple platforms.
New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel
Date: 2026-03-02
Author: The Hacker News
Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have permitted attackers to escalate privileges and gain access to local files on the system.
The vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), has been described as a case of insufficient policy enforcement in the WebView tag. It was patched by Google in early January 2026 in version 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux.
Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
Date: 2026-03-03
Author: The Hacker News
Microsoft on Monday warned of phishing campaigns that combine phishing emails with OAuth URL redirection mechanisms to bypass conventional email and browser defenses.
The activity targets government and public-sector organizations, aiming to redirect victims to attacker-controlled infrastructure without stealing their tokens. The company described the attacks as an identity-based threat that abuses OAuth’s standard, by-design behavior rather than exploiting vulnerabilities or stealing credentials.
This is achieved using a legitimate OAuth feature that allows IdPs to redirect the browser to a landing page, typically in error scenarios or other defined flows.
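Because the IdP itself performs the redirect, the useful signal for defenders is the redirect_uri carried in the authorization link, not the IdP domain. As an added example that is not part of Microsoft’s advisory, the following triage helper extracts that parameter from links found in email and flags any whose destination host is not one the organisation registered; the path hints, the allowlist and the sample links are all constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Path fragments that mark an authorization request to an identity provider.
# Assumed heuristic; extend for the IdPs your organisation actually uses.
OAUTH_PATH_HINTS = ("/oauth2/", "/oauth/", "/authorize")

def redirect_target(url):
    """If url looks like an OAuth authorization request, return the host the
    IdP will send the browser to (its redirect_uri), otherwise None."""
    u = urlparse(url)
    if not any(hint in u.path.lower() for hint in OAUTH_PATH_HINTS):
        return None
    target = parse_qs(u.query).get("redirect_uri", [None])[0]
    if target is None:
        return None
    # parse_qs already decodes once; a second unquote catches double encoding
    return urlparse(unquote(target)).hostname

def classify_link(url, allowed_redirect_hosts):
    """'not-oauth', 'allowed' or 'suspicious' for one link taken from an email."""
    host = redirect_target(url)
    if host is None:
        return "not-oauth"
    return "allowed" if host in allowed_redirect_hosts else "suspicious"

def triage(links, allowed_redirect_hosts):
    """Map each link to its verdict; 'suspicious' entries are the ones whose
    redirect_uri points somewhere the organisation never registered."""
    return {link: classify_link(link, allowed_redirect_hosts) for link in links}

# Constructed sample links and allowlist, not taken from any real campaign.
ALLOWED = {"portal.example.invalid"}
SAMPLE_LINKS = [
    "https://login.idp.invalid/common/oauth2/v2.0/authorize?client_id=CONSTRUCTED"
    "&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.invalid%2Fauth",
    "https://login.idp.invalid/common/oauth2/v2.0/authorize?client_id=CONSTRUCTED"
    "&response_type=code&redirect_uri=https%3A%2F%2Funregistered-landing.invalid%2Fcb",
    "https://www.example.invalid/docs/getting-started",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS, ALLOWED).items():
        print(verdict, link)
```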
CISA flags VMware Aria Operations RCE flaw as exploited in attacks
Date: 2026-03-03
Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1808/]
CISA has added a VMware Aria Operations vulnerability tracked as CVE-2026-22719 to its Known Exploited Vulnerabilities catalog, flagging the flaw as exploited in attacks.
Broadcom also warned that it is aware of reports indicating the vulnerability is exploited but says it cannot independently confirm the claims.
The vulnerability was originally disclosed and patched on February 24, 2026, as part of VMware's VMSA-2026-0001 advisory, which was rated Important with a CVSS score of 8.1.
ESB-2026.2162 – Red Hat OpenShift AI (RHOAI): CVSS (Max): 9.8
Red Hat has disclosed multiple security vulnerabilities, including several critical CVEs. The update mitigates over 30 reported vulnerabilities affecting components within the OpenShift AI platform.
ESB-2026.2114 – Cisco Secure Firewall Management Center Software: CVSS (Max): 10.0
A critical vulnerability (CVE-2026-20079) in Cisco Secure Firewall Management Center could allow an unauthenticated remote attacker to bypass authentication and execute commands to gain root access.
ESB-2026.2037 – IBM MQ: CVSS (Max): 9.8
Multiple OpenSSL vulnerabilities affecting the Advanced Message Security (AMS) component of IBM MQ on IBM i could allow denial-of-service or potential code execution in certain scenarios.
ESB-2026.2024 – Google Android: CVSS (Max): 9.8
The March 2026 Android Security Bulletin addresses multiple vulnerabilities across Android components, including a critical flaw that could allow remote code execution without user interaction, with fixes included in devices running the 2026-03-05 security patch level or later.
ESB-2026.2004 – firefox-esr: CVSS (Max): 10.0
Multiple vulnerabilities in Mozilla Firefox ESR could allow attackers to execute arbitrary code, escape the sandbox, bypass same-origin policy protections, or disclose sensitive information, and have been fixed in firefox-esr version 140.8.0esr-1~deb11u1 for Debian 11.
Stay safe, stay patched and have a good weekend!
The AUSCERT team