Programmer’s Digest #176

03/11/2026-03/18/2026 Wing FTP Server Flaw, Python Repositories Compromised, Flaws in Linux AppArmor And More.

1. AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Cybersecurity researchers have uncovered a new data exfiltration method targeting AI code execution environments via DNS queries. BeyondTrust found that Amazon Bedrock AgentCore Code Interpreter allows outbound DNS requests even in sandbox mode, enabling attackers to bypass network isolation. This behavior can be abused to create command-and-control channels, execute commands, and exfiltrate sensitive data—especially if the system’s IAM role has excessive permissions. Attackers can send instructions through DNS records, retrieve payloads, and establish persistent access.

Although reported in 2025, Amazon considers this intended functionality and recommends using VPC mode and DNS firewalls for stronger isolation.
Separately, a flaw in LangSmith (CVE-2026-25750) allowed token theft and account takeover via malicious links, now patched. Meanwhile, critical vulnerabilities in SGLang could enable remote code execution through unsafe deserialization, highlighting growing security risks in AI infrastructure.

2. CISA Flags Wing FTP Server Flaw as Actively Exploited in Attacks

CISA has warned U.S. agencies to secure Wing FTP Server against an actively exploited vulnerability that could be used in remote code execution (RCE) attacks.
Tracked as CVE-2025-47813, the flaw allows low-privileged attackers to reveal the application’s installation path through error messages. While not critical alone, it can be chained with other vulnerabilities, including an RCE flaw (CVE-2025-47812) and a password disclosure bug.

These issues were patched in version 7.4.4, but attackers began exploiting them shortly after disclosure. Proof-of-concept code has also been released, increasing the risk.

CISA added the flaw to its Known Exploited Vulnerabilities catalog and gave federal agencies two weeks to patch. Although the directive targets government systems, all organizations are strongly urged to update immediately to prevent ongoing attacks.

3. Python Repositories Compromised in GlassWorm Aftermath

Threat actors are exploiting credentials stolen in the GlassWorm campaign to compromise GitHub accounts and inject malware into Python repositories. Discovered by StepSecurity, the attacks began around March 8 and target Django apps, ML projects, PyPI packages, and Streamlit dashboards, likely aiming to steal cryptocurrency and sensitive data. Using stolen credentials, attackers modify repositories by rebasing legitimate commits, inserting obfuscated malicious code, and force-pushing changes. This method, called ForceMemo, hides traces by keeping original commit messages and author dates intact. The malware avoids Russian-language systems and retrieves instructions from a Solana blockchain address, then downloads and executes encrypted payloads while maintaining persistence.

Hundreds of repositories have been affected. The campaign builds on GlassWorm, a malware strain first seen in 2025 that steals credentials and crypto assets. It has since evolved into a multi-platform threat, also targeting VS Code extensions and NPM packages using more stealthy delivery techniques.
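A triage heuristic for the rewritten history described above, as an added example that is not from StepSecurity or this digest: by default `git rebase` keeps each commit's author date but stamps a new committer date, so a large gap between the two marks commits worth reviewing. The log lines, names, and the 7-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of `git log --format='%H|%an|%aI|%cI|%s'` output
# (hash | author name | author date | committer date | subject).
SAMPLE_LOG = """\
a1f3c9e|alice|2026-03-10T09:12:44+00:00|2026-03-10T09:12:44+00:00|Fix pagination off-by-one
7bd2e10|alice|2025-11-02T14:30:05+00:00|2026-03-09T03:41:17+00:00|Update requirements
c09e5aa|bob|2025-10-21T08:05:31+02:00|2025-10-21T08:07:02+02:00|Add settings loader
malformed line without separators
"""


def parse_log(text):
    """Yield (sha, author, author_dt, committer_dt, subject) for each valid line."""
    for line in text.splitlines():
        # maxsplit=4 keeps any '|' inside the subject intact.
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip lines that do not match the expected format
        sha, author, a_date, c_date, subject = parts
        try:
            a_dt = datetime.fromisoformat(a_date)
            c_dt = datetime.fromisoformat(c_date)
        except ValueError:
            continue  # skip unparseable timestamps instead of aborting the scan
        yield sha, author, a_dt, c_dt, subject


def flag_rewritten(text, max_gap=timedelta(days=7)):
    """Return commits whose committer date trails the author date by more than max_gap.

    The author date and message survive a rebase unchanged, so they cannot be
    used to spot rewritten history; the committer date is what changes.
    """
    findings = []
    for sha, author, a_dt, c_dt, subject in parse_log(text):
        gap = c_dt - a_dt
        if gap > max_gap:
            findings.append((sha, author, gap.days, subject))
    return findings


if __name__ == "__main__":
    for sha, author, days, subject in flag_rewritten(SAMPLE_LOG):
        print(f"{sha} by {author}: committed {days} days after authoring ({subject})")
```

Legitimate rebases and cherry-picks produce the same gap, and a committer date can be forged, so treat hits as candidates for diff review rather than verdicts.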

4. Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation

Cybersecurity researchers from Qualys have disclosed nine vulnerabilities in the Linux AppArmor module, collectively called CrackArmor. These flaws, present since 2017, allow unprivileged users to bypass protections, escalate privileges to root, and weaken container isolation. The issues stem from “confused deputy” vulnerabilities, where attackers manipulate trusted processes to perform malicious actions. By exploiting AppArmor profile handling, attackers can bypass namespace restrictions, execute arbitrary code, and even disable security controls. The flaws also enable denial-of-service attacks, kernel memory exposure, and techniques like KASLR bypass. In some cases, attackers could modify critical files (e.g., /etc/passwd) or gain full system control.

The vulnerabilities affect Linux kernels since version 4.11 across distributions like Ubuntu, Debian, and SUSE. With millions of systems impacted, immediate kernel patching is strongly recommended, as temporary mitigations are insufficient to fully address the risks.

5. CISA Adds n8n RCE Flaw to List of Known Exploited Vulnerabilities

CISA has added a critical remote code execution flaw in n8n to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within two weeks. Tracked as CVE-2025-68613, the flaw was disclosed in December 2025 and allows authenticated attackers to execute arbitrary code with the same privileges as the n8n process. This could lead to full system compromise, unauthorized data access, and execution of system-level commands. The vulnerability affects versions from 0.211.0 up to patched releases (1.120.4, 1.121.1, 1.122.0) and received a CVSS score of up to 9.9. Exploits show that workflow expressions can access the Node.js environment, enabling command execution via the UI or API. Over 24,000 instances remain exposed. Due to active exploitation risks, agencies must patch by March 25, 2026.
