Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Every year at RSA Conference, I spend time with security leaders who are trying to solve the same fundamental challenge. They know what strong security operations should look like, but the path to building and sustaining that capability inside their own organization has become increasingly difficult. The market is shifting from buying tools to buying outcomes.

Starting the week of March 9, 2026, Arctic Wolf observed malicious activity in customer environments potentially linked to the exploitation of CVE-2025-32975 on unpatched Quest KACE Systems Management Appliance (SMA) instances that were publicly exposed to the internet. This vulnerability was patched in May 2025. Quest KACE SMA is an on-premises appliance for centralized endpoint management, providing inventory, software deployment, patching, and endpoint monitoring capabilities.

Endpoint security encompasses the processes and technologies used to protect end-user devices—including laptops, servers, mobile devices, IoT systems, and any connected asset with access to corporate resources. As organizations become more distributed and adversaries become more sophisticated, the endpoint has evolved into both a preferred target for threat actors and a pivotal control point within a modern security architecture.

On March 11, 2026, U.S. medical technology company Stryker Corporation disclosed a cyber attack that disrupted its global internal networks and Microsoft systems, leaving thousands of employees unable to access corporate systems and devices inoperable. In its SEC filing, Stryker stated it has no indication of ransomware or malware, considers the incident contained, and is assessing the full impact, with no timeline provided for full restoration.

Security leaders are being squeezed from both sides. On one side, threat actors are scaling operations with AI automation, using it to craft more convincing social engineering attacks, accelerating reconnaissance, and improving lateral movement. On the other side, defenders are drowning in telemetry, suffering under staffing constraints, and facing the harsh reality that threat actors don’t keep business hours.

On March 12, 2026, Veeam released fixes for multiple high and critical severity vulnerabilities in their Backup & Replication product that could allow remote code execution (RCE), privilege escalation, and credential theft. Arctic Wolf has not identified publicly available proof-of-concept exploits for these vulnerabilities, nor have we observed any exploitation.

On March 4, 2026, Cisco released fixes for two maximum-severity vulnerabilities impacting Cisco Secure Firewall Management Center (FMC), which is used to centrally manage Cisco Secure Firewall devices. Arctic Wolf has not observed threat actors exploiting these vulnerabilities, nor have any public proof-of-concept exploits been reported.

On March 03, 2026, pac4j released fixes for a maximum severity vulnerability in pac4j-jwt, tracked as CVE-2026-29000. The flaw arises from improper verification of cryptographic signatures in the JwtAuthenticator component when processing encrypted JWTs (JWE). A remote, unauthenticated threat actor who knows the server’s RSA public key can bypass authentication and impersonate arbitrary users (including administrators) by submitting a crafted JWE whose inner token is an unsigned PlainJWT.

The modern threat landscape is an ever-evolving battlefield of innovation and escalation. Thanks to the rapid adoption of artificial intelligence, both attackers and defenders now have powerful new tools at their disposal. But who has the edge when it comes to the artificial intelligence (AI) arms race? Unsurprisingly, the answer is complicated.

Between January 2025 and January 2026, Arctic Wolf tracked an extensive cyber espionage campaign that we assess was conducted by SloppyLemming (also known as Outrider Tiger and Fishing Elephant), an India-nexus threat actor, targeting government entities and critical infrastructure operators in Pakistan and Bangladesh.