Welcome to Tech Alerts – March 2026
We know your time is scarce. That’s why we’ve created this newsletter: to cut through the noise and deliver only the most critical, high-impact alerts. Whether it’s a zero-day exploit requiring an immediate patch or a new trend in social engineering, our goal is to keep you informed, prepared, and one step ahead.
In this week’s briefing:
- Cisco FMC — Unauthenticated RCE
- BYOVD — 54 EDR Killers exploiting 35 signed drivers
- Veeam Backup & Replication – RCE chain
- Microsoft Teams — A0Backdoor via DLL Sideloading
- OAuth Redirect Abuse — Malware targeting government organisations
Monitoring the threats so you don’t have to. Here are this month’s essentials.
TOP 5 – MARCH 2026
1. Cisco FMC — Unauthenticated RCE
Java deserialisation vulnerability in the Firewall Management Centre web interface.
Exploited as a zero-day by the Interlock gang since January 2026, more than a month before the Cisco patch (4 March).
Allows arbitrary code execution as root without any authentication. Post-exploitation toolkit observed: Java/JS RATs, in-memory web shell, reverse HTTP proxies, ConnectWise ScreenConnect.
2. BYOVD — 54 EDR Killers exploiting 35 signed drivers
Loading legitimate but vulnerable signed drivers to gain Ring 0 (kernel) access.
Enables the termination of EDR processes, modification of kernel callbacks and disabling of protections whilst remaining within the Microsoft signed driver trust model.
Routinely deployed as a pre-encryption step in modern ransomware operations. (MITRE T1562.001)
3. Veeam Backup & Replication – RCE chain
Injection via a malformed ‘Interval’ or ‘Order’ parameter, allowing remote code execution (RCE) as the postgres user, over the network and without user interaction.
Three related CVEs (CVSS 6.7–7.2) also allow root RCE via a configuration file and arbitrary file writes. Affected: VBR ≤ 13.0.1.180.
Fixed in 13.0.1.1071. Veeam’s track record: near-systematic ransomware exploitation in the days following public disclosure.
4. Microsoft Teams — A0Backdoor via DLL Sideloading
Attack chain: spam flood → impersonation of IT support via Teams → remote access via Quick Assist → signed MSI deployed from a personal Microsoft cloud storage account.
The MSI loads a malicious hostfxr.dll which, after its sandbox-detection checks, decrypts shellcode in memory (AES with a SHA-256-derived key).
The Teams vector is still largely absent from phishing awareness programmes.
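Both the BYOVD item above (signed drivers loaded from outside the driver store, or matching a vulnerable-driver blocklist) and the A0Backdoor chain (hostfxr.dll sideloaded from a directory that is not the .NET install) leave traces in driver-load and image-load telemetry. The following added example (written for this briefing, not code from any of the vendors or campaigns mentioned) triages Sysmon-style Event ID 6 and Event ID 7 records with those two rules. The blocklist hash, the trusted directories, the signer names and every event record are constructed samples; a real deployment would feed the rules from the Microsoft vulnerable driver blocklist or the LOLDrivers list and from the host’s actual EDR/Sysmon stream.

```python
from dataclasses import dataclass

# Constructed blocklist of SHA256 hashes for known-vulnerable signed drivers.
# Operationally this comes from the Microsoft vulnerable driver blocklist or
# the LOLDrivers feed; the hash below is made up for the example.
VULNERABLE_DRIVER_SHA256 = {
    "0123456789abcdef" * 4: "example-vulnerable-driver.sys (constructed entry)",
}
# Directories a properly installed kernel driver is expected to load from.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
# Where the genuine .NET host lives; hostfxr.dll loaded from anywhere else is suspect.
TRUSTED_DOTNET_DIRS = ("c:\\program files\\dotnet\\",
                       "c:\\program files (x86)\\dotnet\\")


@dataclass
class Finding:
    rule: str
    event_id: int
    image_loaded: str
    detail: str


def parse_hashes(field):
    """Sysmon 'Hashes' field ('SHA256=...,MD5=...') -> {'SHA256': ..., 'MD5': ...}."""
    hashes = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def under_any(path, dirs):
    """True if the (case-insensitive) path sits below one of the given directories."""
    lowered = path.lower()
    return any(lowered.startswith(d) for d in dirs)


def triage(events):
    """Apply the BYOVD and hostfxr sideload rules to Sysmon-style event dicts."""
    findings = []
    for ev in events:
        image = ev.get("ImageLoaded", "")
        if ev["EventID"] == 6:  # Sysmon: driver loaded
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha256 in VULNERABLE_DRIVER_SHA256:
                findings.append(Finding("byovd-blocklisted-driver", 6, image,
                                        f"SHA256 matches {VULNERABLE_DRIVER_SHA256[sha256]}"))
            elif ev.get("Signed") == "true" and not under_any(image, TRUSTED_DRIVER_DIRS):
                # Valid signature but dropped somewhere writable: the BYOVD staging pattern.
                findings.append(Finding("byovd-signed-driver-unusual-path", 6, image,
                                        f"signed by {ev.get('Signature', '?')} but loaded "
                                        "from outside the driver store"))
        elif ev["EventID"] == 7:  # Sysmon: image (DLL) loaded
            if image.lower().endswith("\\hostfxr.dll") and not under_any(image, TRUSTED_DOTNET_DIRS):
                findings.append(Finding("hostfxr-dll-sideload", 7, image,
                                        f"loaded by {ev.get('Image', '?')} outside the "
                                        ".NET install directory"))
    return findings


# Constructed sample telemetry: one benign and two suspicious driver loads,
# one benign and one suspicious hostfxr.dll load.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "ff" * 32, "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Temp\drv.sys",
     "Hashes": "SHA256=" + "0123456789abcdef" * 4, "Signed": "true",
     "Signature": "Some Hardware Vendor (constructed)"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\updater\helper.sys",
     "Hashes": "SHA256=" + "ee" * 32, "Signed": "true",
     "Signature": "Some Hardware Vendor (constructed)"},
    {"EventID": 7, "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "ImageLoaded": r"C:\Program Files\dotnet\host\fxr\8.0.0\hostfxr.dll",
     "Hashes": "SHA256=" + "dd" * 32, "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Setup\app.exe",
     "ImageLoaded": r"C:\Users\Public\Setup\hostfxr.dll",
     "Hashes": "SHA256=" + "cc" * 32, "Signed": "false"},
]


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] event {f.event_id}: {f.image_loaded} ({f.detail})")
```

The second driver rule is the one that catches drivers not yet on any blocklist: the signature is genuine, so signature validation alone says nothing, and the only anomaly is the load path. Tune TRUSTED_DRIVER_DIRS to the hosts’ actual driver locations before using the rule for alerting.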
5. OAuth Redirect Abuse — Malware targeting government organisations
Abuse of a legitimate OAuth feature: registering a malicious app in a tenant controlled by the attacker, with a redirect URL pointing to a rogue infrastructure.
The link is distributed with an intentionally invalid scope → ZIP archive delivered → PowerShell + DLL sideloading (steam_monitor.exe) → C2.
Some campaigns were combined with EvilProxy to harvest session cookies (adversary-in-the-middle, AitM).
No vulnerabilities to patch; defence relies on auditing OAuth apps registered in Entra ID and raising awareness.
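Because the lure is a genuine Microsoft authorize URL, the useful signal is in its query string: a redirect_uri pointing at a host the tenant never registered, and a client_id that is not one of the tenant’s own app registrations. The following added example (written for this briefing, not code from the campaign or from Microsoft) inspects authorize links found in constructed proxy-log lines and flags those two conditions. The allowlisted redirect hosts, the known appId, the user names and the log lines are all constructed samples; in practice the allowlist is built from the tenant’s Entra ID app registrations.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: hosts that redirect_uri may legitimately point at for this tenant.
ALLOWED_REDIRECT_HOSTS = {"portal.example.com", "localhost"}
# Constructed: appId values of app registrations known to the tenant (from an Entra ID export).
KNOWN_APP_IDS = {"11111111-1111-4111-8111-111111111111"}
# Microsoft identity platform hosts that serve the OAuth authorize endpoint.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}


def inspect_authorize_url(url):
    """Return the reasons an OAuth authorize link looks like redirect abuse.
    An empty list means the URL is not an authorize link, or nothing in it
    deviates from the tenant's allowlists."""
    u = urlparse(url)
    if u.hostname not in AUTHORIZE_HOSTS or not u.path.endswith("/authorize"):
        return []
    # parse_qs percent-decodes values, so redirect_uri comes back as a plain URL.
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    reasons = []
    redirect = params.get("redirect_uri")
    if redirect:
        r = urlparse(redirect)
        if r.scheme != "https" and r.hostname != "localhost":
            reasons.append(f"redirect_uri uses scheme {r.scheme!r} instead of https")
        if r.hostname not in ALLOWED_REDIRECT_HOSTS:
            reasons.append(f"redirect_uri host {r.hostname!r} is not allowlisted")
    client_id = params.get("client_id")
    if client_id and client_id not in KNOWN_APP_IDS:
        reasons.append(f"client_id {client_id} is not a known app registration")
    return reasons


# Constructed proxy-log lines: key=value fields, one request per line.
SAMPLE_LOG = [
    "2026-03-12T09:14:02Z user=alice url=https://login.microsoftonline.com/contoso.example"
    "/oauth2/v2.0/authorize?client_id=11111111-1111-4111-8111-111111111111"
    "&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.com%2Fauth&scope=openid",
    "2026-03-12T09:15:40Z user=bob url=https://login.microsoftonline.com/common"
    "/oauth2/v2.0/authorize?client_id=22222222-2222-4222-8222-222222222222"
    "&response_type=code&redirect_uri=https%3A%2F%2Fupdates.example-cdn.test%2Fcb"
    "&scope=not.a.real.scope",
    "2026-03-12T09:16:11Z user=carol url=https://www.example.com/news",
]


def scan_log(lines):
    """Return (user, url, reasons) for every flagged authorize link in the log."""
    flagged = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        url = fields.get("url")
        if not url:
            continue
        reasons = inspect_authorize_url(url)
        if reasons:
            flagged.append((fields.get("user"), url, reasons))
    return flagged


if __name__ == "__main__":
    for user, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{user}: {url}")
        for reason in reasons:
            print(f"  - {reason}")
```

The check deliberately does not try to validate the scope value itself: Microsoft rejects the invalid scope and sends the error to redirect_uri, which is exactly why the redirect host is the stable indicator. Feed the same function to mail-gateway URL rewriting or proxy alerting and review any hit against the app registrations and consented enterprise applications in Entra ID.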