Daily Summary - 20.03.2026

End-of-Day report

Timeframe: Thursday 19-03-2026 18:00 - Friday 20-03-2026 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer

News

54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 34 vulnerable drivers. EDR killer programs have been a common presence in ransomware intrusions as they offer a way for affiliates to neutralize security software before deploying file-encrypting malware.

https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
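The practical consequence of the BYOVD finding is that a valid Authenticode signature on a loaded driver is not evidence of safety: the abused drivers are genuinely signed, so detection has to rest on hash lists of known-vulnerable drivers and on where a driver was loaded from. The following triage script is an added example and not code from the original report or from the cited analysis; it consumes constructed records using Sysmon's DriverLoad (Event ID 6) field names, and the blocklist in it is a hypothetical stand-in for a real vulnerable-driver list such as the entries published at loldrivers.io or Microsoft's vulnerable driver blocklist.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD-style driver loads.

Added example, not code from the original report or from the analysis it cites.
All event records, paths and hashes below are constructed; the hash blocklist is a
hypothetical stand-in for a real vulnerable-driver list (for instance the entries
published at loldrivers.io or Microsoft's vulnerable driver blocklist)."""
from typing import Dict, List

# Hypothetical SHA256 values standing in for known-vulnerable signed drivers.
KNOWN_VULNERABLE_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Directories from which properly installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed records using Sysmon's Event ID 6 field names, one record per block.
SAMPLE_EVENTS = r"""
EventID: 6
ImageLoaded: C:\Windows\System32\drivers\ndis.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 6
ImageLoaded: C:\Users\Public\svchost.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Example Hardware Vendor Ltd
SignatureStatus: Valid

EventID: 6
ImageLoaded: C:\Windows\Temp\drv.sys
Hashes: SHA256=3333333333333333333333333333333333333333333333333333333333333333
Signed: false
Signature:
SignatureStatus: Unavailable
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'Key: Value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def parse_hashes(field: str) -> Dict[str, str]:
    """Turn 'SHA1=..,SHA256=..' into a dict keyed by algorithm name."""
    pairs = (p.partition("=") for p in field.split(",") if "=" in p)
    return {algo.strip().upper(): digest.strip().lower() for algo, _, digest in pairs}


def triage(record: Dict[str, str]) -> Dict[str, object]:
    """Score one DriverLoad record. A valid signature alone is never a pass:
    BYOVD relies on drivers that are genuinely signed but exploitable."""
    path = record.get("ImageLoaded", "").lower()
    sha256 = parse_hashes(record.get("Hashes", "")).get("SHA256", "")
    reasons, severity = [], "info"
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("SHA256 matches known-vulnerable driver list")
        severity = "high"
    signed_ok = (record.get("Signed", "").lower() == "true"
                 and record.get("SignatureStatus") == "Valid")
    if not signed_ok:
        reasons.append("driver is not validly signed")
        severity = "high"
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        # Dropped-to-disk drivers usually come from temp or user-writable paths.
        reasons.append("loaded from outside the standard driver directories")
        if severity == "info":
            severity = "medium"
    return {"image": record.get("ImageLoaded", ""), "severity": severity, "reasons": reasons}


def triage_events(text: str) -> List[Dict[str, object]]:
    """Return findings for every record that has at least one reason."""
    return [r for r in (triage(rec) for rec in parse_records(text)) if r["reasons"]]


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']}: {'; '.join(finding['reasons'])}")
```

The hash check is the primary signal; the path heuristic only raises severity for drivers loaded from unusual locations, because an attacker can just as well copy a vulnerable driver into System32\drivers before loading it. Prevention-side, enabling Microsoft's vulnerable driver blocklist (via HVCI or a WDAC policy) blocks the listed drivers before they load, which is why the blocklist hashes are the set worth feeding into this kind of detection.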

Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

Google on Thursday announced a new "advanced flow" for Android sideloading that requires a mandatory 24-hour wait period to install apps from unverified developers in an attempt to balance openness with safety. The new changes come against the backdrop of a developer verification mandate the tech giant announced last year that requires all Android apps to be registered by verified developers to be installed on certified Android devices.

https://thehackernews.com/2026/03/google-adds-24-hour-wait-for-unverified.html

New Fake Zoom Meeting Invite Scam Spreads Malware on Windows PCs

The attack usually begins with a simple email that looks exactly like a standard Zoom invitation, featuring a large button to start the meeting. However, instead of going to the official Zoom website, it launches a series of fake security checks. [..] According to Sublime Security's blog post, shared with Hackread.com, the most surprising part is what happens after you click join. Instead of a real call, the browser runs JavaScript to create a live, interactive simulation of a meeting. This allows scammers to include fictitious participants such as Matthew Karlsson and Sarah Chen. To make it feel real, the script even triggers choppy audio and warnings about a Network Issue, but this is just a trick to make the user believe their software is glitching and needs a fix.

https://hackread.com/fake-zoom-meeting-invite-scam-windows-pc-malware/

Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

A new supply chain attack targeting Trivy has been disclosed today by Paul McCarty, marking the second distinct compromise affecting the Trivy ecosystem in March. This latest incident impacts GitHub Actions, and is separate from the earlier OpenVSX compromise involving the VS Code extension.

https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
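A tag-based compromise of a GitHub Action works because `uses: owner/action@v1.2.3` resolves a mutable git tag at run time: whoever can push to the upstream repository can repoint that tag, and every workflow referencing it pulls the new code on its next run, with the job's secrets in scope. Pinning to a full commit SHA removes that moving part. The scanner below is an added example, not code from the original report, from Trivy or from any of the cited sources; it walks a constructed workflow (the example-org actions and the commit SHA in it are hypothetical) and reports every `uses:` reference that is not immutable.

```python
"""Find GitHub Actions steps that reference actions by a mutable ref.

Added example, not code from the original report, from Trivy or from any of the
cited sources. The workflow below is constructed; the example-org actions and the
commit SHA in it are hypothetical."""
import re
from typing import Dict, List

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0.28.0   # hypothetical, mutable tag
      - uses: example-org/helper@main              # hypothetical, branch ref
      - uses: example-org/sign@3b1c2d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4 # v2.1.0, hypothetical SHA
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:1.2
"""

# Captures the `uses:` target up to whitespace, quotes or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_ref(ref: str) -> str:
    """Classify a `uses:` target by whether its content can change underneath you.

    local   - path inside the calling repository, versioned with the workflow
    sha     - owner/repo@<40-hex commit> or docker://image@sha256:<digest>, immutable
    mutable - tag, branch, missing ref or docker tag; whoever controls the
              upstream repository or registry can repoint it to arbitrary code
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "sha" if DIGEST_RE.search(ref) else "mutable"
    _, sep, version = ref.partition("@")
    if not sep:
        return "mutable"  # no ref at all resolves to the default branch
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line whose target is classified mutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append({"line": lineno, "uses": match.group(1)})
    return findings


if __name__ == "__main__":
    for finding in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['uses']} is not pinned to an immutable ref")
```

Note that `actions/checkout@v4` is reported too: first-party tags are just as mutable as third-party ones, and GitHub's own hardening guidance recommends pinning to a full commit SHA with the version kept in a trailing comment so that Dependabot can still propose updates. A SHA pin does not cover what the action fetches at run time (a container image, a binary download), so those inputs need their own digest pinning or checksum verification.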

Vulnerabilities

New 'PolyShell' flaw allows unauthenticated RCE on Magento e-stores

A newly disclosed vulnerability dubbed PolyShell affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover. [..] Adobe has released a fix, but it is only available in the second alpha release for version 2.4.9, leaving production versions vulnerable. [..] There are no signs of the issue being actively exploited in the wild, but eCommerce security company Sansec warns that "the exploit method is circulating already" and expects automated attacks to start soon.

https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/

Oracle Security Alert for CVE-2026-21992 - 19 March 2026

This Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.

https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

OpenWrt: service releases close critical security vulnerabilities

The OpenWrt project has released service releases 25.12.1 and 24.10.6. They fix a number of minor bugs, but also security vulnerabilities rated as critical. Anyone running OpenWrt should therefore apply the updates promptly. (CVE-2026-30872, CVE-2026-32721, CVE-2026-30873, CVE-2026-30874)

https://heise.de/-11219084

Various attacks possible against Dell Secure Connect Gateway Policy Manager

Although the advisory on the vulnerabilities gives no indication of attacks already underway, admins should not wait too long and should install the patched version 5.34.00.14 promptly. According to the developers, all previous releases are vulnerable. (CVE-2026-25646, CVE-2026-22610, CVE-2026-24734)

https://heise.de/-11219110

LWN: Security updates for Friday

https://lwn.net/Articles/1063990/

QNAP: Vulnerability in QVR Pro

https://www.qnap.com/en-us/security-advisory/QSA-26-07

QNAP: Multiple Vulnerabilities in QuNetSwitch (ADRA NDR)

https://www.qnap.com/en-us/security-advisory/QSA-26-11

QNAP: Vulnerability in Media Streaming Add-on

https://www.qnap.com/en-us/security-advisory/QSA-26-09

QNAP: Multiple Vulnerabilities in QuRouter (PWN2OWN 2025)

https://www.qnap.com/en-us/security-advisory/QSA-26-12

QNAP: Vulnerability in QuFTP Service

https://www.qnap.com/en-us/security-advisory/QSA-26-15

Kubernetes CVE-2026-4342: ingress-nginx comment-based nginx configuration injection

https://github.com/kubernetes/kubernetes/issues/137893

Chrome: Google closes 26 security vulnerabilities in the web browser

https://heise.de/-11218696