Threat Intel Weekly #09 — Week ending 08 Mar 2026
This week's digest covers 14 CVEs published between 2026-03-01 and 2026-03-08, including a critical unauthenticated RCE in IDExpert MFA Agent, a zero-day in DB-GPT, phar deserialization in Chamilo LMS, and 7 new CISA KEV additions spanning VMware Aria Operations, Qualcomm chipsets, Rockwell Logix, and Hikvision cameras.
📅 Coverage period: 2026-03-01 → 2026-03-08 | 14 CVEs reviewed | 7 CISA KEV additions
🔴 Critical Vulnerabilities (CVSS ≥ 9.0)
🔴 CVE-2026-2999 — IDExpert Windows Logon Agent RCE (CVSS 9.8)
Vendor: Changing Information Technology (Changingtec)
Affected: IDExpert Windows Logon Agent ≤ 2.8.4.250925
CWE: CWE-494 — Download of Code Without Integrity Check
Attack Vector: Network (Unauthenticated)
The IDExpert Windows Logon Agent — deployed for MFA in Windows enterprise environments — exposes a network-facing component that accepts a URL parameter. When a crafted request is sent containing a malicious URL, the agent fetches the file from that URL and executes it locally without performing any origin verification, code signing check, or integrity validation. No authentication is required.
A companion vulnerability, CVE-2026-3000, follows the same pattern but loads a DLL instead of an EXE.
Why it's dangerous: MFA agents run as privileged system services (often SYSTEM). Compromising this component means full OS-level control before any user interaction. Since MFA agents are directly network-reachable by design, the attack surface is wide.
Detection: Monitor for LogonAgent.exe initiating outbound HTTP/HTTPS to non-whitelisted IPs, or spawning unexpected child processes (cmd.exe, powershell.exe, wscript.exe). Watch for file writes to %TEMP% or the agent install directory followed immediately by process creation.
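The three signals above turned into detection logic, as an added example that is not Changingtec code or part of the original digest. It runs over a handful of constructed Sysmon-style process, network and file events and flags the agent's unexpected egress, shell children, and a write-then-execute sequence. The install path, the internal MFA network range, the event field names and the sample events are assumptions.

```python
"""Detection for the CVE-2026-2999 abuse pattern (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

AGENT = "logonagent.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}
# Assumed: the only network the agent should legitimately reach (internal MFA server).
ALLOWED_EGRESS = [ip_network("10.20.0.0/16")]
# %TEMP% (any ...\temp\... path) and the assumed agent install directory.
WATCHED_DIRS = ("\\temp\\", "c:\\program files\\changingtec\\idexpert\\")
EXEC_WINDOW_SECONDS = 60


@dataclass
class Event:
    ts: int                        # seconds since epoch
    kind: str                      # "net", "proc" or "file"
    image: str                     # full path of the process performing the action
    dest_ip: Optional[str] = None  # net: destination address
    dest_port: Optional[int] = None
    child: Optional[str] = None    # proc: full path of the image that was started
    path: Optional[str] = None     # file: path that was written


def _basename(p):
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(rule, event), ...] for events matching the agent abuse pattern."""
    alerts = []
    recent_writes = {}  # lower-cased path -> timestamp of the agent's last write there
    for ev in sorted(events, key=lambda e: e.ts):
        if _basename(ev.image) != AGENT:
            continue  # only the logon agent's own behaviour is in scope here
        if ev.kind == "net" and ev.dest_port in (80, 443):
            addr = ip_address(ev.dest_ip)
            if not any(addr in net for net in ALLOWED_EGRESS):
                alerts.append(("agent_egress_unexpected", ev))
        elif ev.kind == "proc" and ev.child:
            if _basename(ev.child) in SUSPICIOUS_CHILDREN:
                alerts.append(("agent_spawns_shell", ev))
            written = recent_writes.get(ev.child.lower())
            if written is not None and ev.ts - written <= EXEC_WINDOW_SECONDS:
                alerts.append(("write_then_execute", ev))
        elif ev.kind == "file" and ev.path:
            p = ev.path.lower()
            if any(d in p for d in WATCHED_DIRS):
                recent_writes[p] = ev.ts
    return alerts


AGENT_PATH = r"C:\Program Files\ChangingTec\IDExpert\LogonAgent.exe"  # assumed install path
SAMPLE_EVENTS = [  # constructed telemetry; 203.0.113.0/24 is a documentation range
    Event(1000, "net", AGENT_PATH, dest_ip="10.20.1.5", dest_port=443),       # MFA server: fine
    Event(1001, "net", AGENT_PATH, dest_ip="203.0.113.77", dest_port=80),     # unexpected egress
    Event(1002, "file", AGENT_PATH, path=r"C:\Windows\Temp\update.exe"),      # drop to %TEMP%
    Event(1003, "proc", AGENT_PATH, child=r"C:\Windows\Temp\update.exe"),     # ...and run it
    Event(1004, "proc", AGENT_PATH, child=r"C:\Windows\System32\cmd.exe"),    # shell child
    Event(1005, "net", r"C:\Windows\System32\svchost.exe", dest_ip="203.0.113.77", dest_port=443),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{ev.ts} {rule}: {ev}")
```

The write-then-execute rule keys on the exact path the agent wrote, so a benign update that lands in the install directory and is then executed will also fire; tune EXEC_WINDOW_SECONDS and WATCHED_DIRS against the vendor's legitimate update behaviour before deploying.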
Remediation:
- Update to the patched version — contact Changingtec support to confirm the fixed build.
- Egress filtering — block outbound connections from the logon agent process to untrusted external hosts.
- AppLocker / WDAC — enforce application whitelisting so only signed binaries can execute under the agent's process tree.
- Network isolation — if the agent only needs to reach an internal MFA server, firewall it to that IP range.
Severity: Critical | Attack Vector: NETWORK
References: NVD · CVE Detail
🟠 High Severity Vulnerabilities (CVSS 7.0–8.9)
🟠 CVE-2026-3400 — Tenda AC15 Stack Buffer Overflow (CVSS 8.8)
Vendor: Tenda
Affected: AC15 firmware ≤ 15.13.07.13
CWE: CWE-121 — Stack-Based Buffer Overflow
Attack Vector: Network
The /goform/TextEditingConversion endpoint in Tenda AC15's httpd binary accepts a wpapsk_crypto2_4g parameter and copies it into a fixed-size stack buffer using an unsafe function with no length validation. Sending a payload longer than ~512 bytes overwrites the stack return address, allowing an attacker to redirect execution to arbitrary shellcode or ROP gadgets.
No official patch from Tenda as of 2026-03-08.
Mitigations:
- Ensure the web UI is not exposed to the internet (disable WAN management)
- Move router management to a trusted, isolated VLAN
- Apply IPS signatures to block POST to /goform/TextEditingConversion with anomalously long parameters
- Consider device replacement if no patch materialises
Severity: High | Attack Vector: NETWORK
References: NVD · CVE Detail
🟠 CVE-2026-3398 / CVE-2026-3399 — Tenda F453 Stack Overflows (CVSS 8.8)
Vendor: Tenda
Affected: F453 firmware 1.0.0.3
Function: fromAdvSetWan
CWE: CWE-121 — Stack-Based Buffer Overflow
Two separate stack overflow vulnerabilities in the fromAdvSetWan function of Tenda F453 firmware. Same class of bug as CVE-2026-3400. No official patch exists. Apply the same network-level mitigations: no WAN-exposed management interface, VLAN isolation.
Severity: High | Attack Vector: NETWORK
References: NVD · CVE Detail
🟠 CVE-2026-3409 — DB-GPT importlib RCE (Zero-Day, CVSS 7.3)
Vendor: eosphoros-ai
Affected: db-gpt 0.7.5 (current latest as of 2026-03-08)
CWE: CWE-94 — Code Injection
Status: ⚠️ Unpatched Zero-Day
Two flaws chain together for unauthenticated RCE:
- Authentication bypass — check_api_key() returns None for all paths starting with /api/v1, exposing every internal endpoint without credentials.
- Unsafe importlib.exec_module — the AWEL Flow Import endpoint (/api/v1/serve/awel/flow/import) accepts a ZIP file, extracts it, and calls loader.exec_module() on the included __init__.py without any sandboxing, AST inspection, or signature check.
Remediation (no vendor patch available):
- Block POST /api/v1/serve/awel/flow/import at the reverse proxy / WAF from untrusted networks
- Apply a hotfix to check_api_key() to enforce token validation for sensitive paths
- Run the process as a non-root user — most Docker deployments run as root, which maximises blast radius
- Monitor the eosphoros-ai/DB-GPT repository for a patched release
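The shape of the two defensive fixes above, as an added example that is not DB-GPT code: the vulnerable check_api_key() behaviour the digest describes next to a deny-by-default version, and a gate that refuses a flow ZIP containing Python source or directory-escaping entries before anything is extracted or imported. The function signatures, the token store, the public-path allow-list and the sample archives are assumptions.

```python
"""Hotfix shapes for the DB-GPT chain (added example, not project code)."""
import hmac
import io
import posixpath
import zipfile

VALID_TOKENS = {"dbgpt-demo-token"}       # assumed; a real deployment loads this from config
PUBLIC_PATHS = {"/health", "/api/v1/docs"}  # assumed explicit allow-list of unauthenticated paths


def _token_ok(auth_header):
    """Accept 'Bearer <token>' only if <token> is a known token (constant-time compare)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):]
    return any(hmac.compare_digest(presented, t) for t in VALID_TOKENS)


def check_api_key_vulnerable(path, auth_header):
    """The defect: None ('no check needed') for every /api/v1 path."""
    if path.startswith("/api/v1"):
        return None
    return "ok" if _token_ok(auth_header) else "unauthorized"


def check_api_key_hardened(path, auth_header):
    """Deny by default: only the explicit public allow-list skips the token check."""
    if path in PUBLIC_PATHS:
        return None
    return "ok" if _token_ok(auth_header) else "unauthorized"


def inspect_flow_archive(zip_bytes):
    """Return reasons to reject an uploaded flow archive; an empty list means acceptable.

    Rejects Python source (the exec_module sink) and entries that would escape
    the extraction directory, without extracting anything.
    """
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            if name.startswith(("/", "\\")) or norm == ".." or norm.startswith("../"):
                reasons.append(f"path escapes extraction dir: {name}")
            if name.lower().endswith((".py", ".pyc", ".pyo", ".pth")):
                reasons.append(f"executable python content: {name}")
    return reasons


def _make_zip(entries):
    """Build an in-memory ZIP from (name, bytes) pairs (constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


MALICIOUS_FLOW = _make_zip([("flow/__init__.py", b"import os\n"), ("flow/flow.json", b"{}")])
BENIGN_FLOW = _make_zip([("flow/flow.json", b"{}"), ("flow/README.md", b"demo")])
TRAVERSAL_FLOW = _make_zip([("../outside.txt", b"x")])

if __name__ == "__main__":
    print(check_api_key_vulnerable("/api/v1/serve/awel/flow/import", None))   # None: skipped
    print(check_api_key_hardened("/api/v1/serve/awel/flow/import", None))    # unauthorized
    print(inspect_flow_archive(MALICIOUS_FLOW))
```

Treat the archive gate as defence in depth: the root fix is for the import endpoint to stop importing uploaded modules at all, and a proxy-level block on the endpoint (the first remediation bullet) does not depend on either function above.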
Severity: High | Attack Vector: NETWORK
References: NVD · CVE Detail
🟠 CVE-2024-47886 — Chamilo LMS Phar Deserialization RCE (CVSS 7.2)
Vendor: Chamilo
Affected: Chamilo LMS 1.11.12 – 1.11.26
Plugin: vchamilo (Virtualization)
CWE: CWE-502 — Deserialization of Untrusted Data
Fixed In: Chamilo 1.11.28
PHP's phar:// stream wrapper automatically deserializes archive metadata when a filesystem function like is_dir() is called on a phar path. The vchamilo plugin's manage.testdatapath.php accepts a user-controlled dataroot parameter combined with a user-controlled course_real_root setting, constructing a path passed directly to is_dir().
Exploit chain: An admin sets course_real_root to phar://, uploads a phpggc-generated payload (polyglot PNG containing a Monolog gadget chain), then triggers execution by requesting the vulnerable path.
Remediation:
- Upgrade to Chamilo 1.11.28 — the official fix empties the vulnerable script
- If upgrading is blocked: delete or rename manage.testdatapath.php and disable the vchamilo plugin
- Upgrade to PHP 8.0+ where automatic Phar metadata deserialization is disabled by default
- WAF rule: block phar:// in URI query parameters
Severity: High | Attack Vector: NETWORK
References: NVD · CVE Detail
🟡 Medium Severity Vulnerabilities (CVSS < 7.0)
🟡 CVE-2026-3406 — Online Art Gallery Shop SQL Injection (CVSS 7.3)
Vendor: ProjectWorlds
Affected: Online Art Gallery Shop 1.0
File: /admin/registration.php — fname parameter
CWE: CWE-89 — SQL Injection
The registration handler directly concatenates $_POST['fname'] into a SQL INSERT statement with no sanitization. An attacker can break the string context and inject arbitrary SQL — dumping the database, adding admin accounts, or dropping tables.
Fix: Replace direct concatenation with PDO prepared statements. All parameters in the registration flow (lname, email, password) share the same pattern and must also be parameterized. Never store passwords in plaintext — use password_hash() with bcrypt/Argon2.
Severity: Medium | Attack Vector: NETWORK
References: NVD · CVE Detail
🟡 CVE-2026-3410 — Society Management System SQL Injection (CVSS 7.3)
Vendor: itsourcecode
Affected: Society Management System 1.0
File: /admin/check_studid.php — student_id parameter
CWE: CWE-89 — SQL Injection
This endpoint is typically exposed without session authentication to support real-time student ID availability checks during registration. The student_id value is concatenated directly into a SELECT query, making it a trivially exploitable unauthenticated entry point. Easily automated with sqlmap.
Fix: Parameterize the query. Since the expected input is a student ID, also validate that student_id is numeric via filter_var($id, FILTER_VALIDATE_INT) before it reaches the database layer.
Severity: Medium | Attack Vector: NETWORK
References: NVD · CVE Detail
🟡 CVE-2026-3411 — University Management System SQL Injection (CVSS 7.3)
Vendor: itsourcecode
Affected: University Management System 1.0
File: /admin_single_student_update.php — ID parameter
CWE: CWE-89 — SQL Injection
Same root-cause pattern as CVE-2026-3410 — raw $_GET['ID'] concatenated into a SELECT/UPDATE query. No official patch as of disclosure. Disable display_errors in production to prevent table structure leakage through SQL error messages.
Fix: Use prepared statements (PDO::prepare with ? placeholders). Validate that ID is an integer before it reaches the database layer.
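One worked fix for the three SQL-injection entries above (CVE-2026-3406, CVE-2026-3410 and CVE-2026-3411), added as an example and not vendor code. The affected applications are PHP, so this models the same defect and the same two-part fix (type validation, then a bound parameter) in Python with the stdlib sqlite3 module and a constructed in-memory table; the table, column names and sample rows are assumptions.

```python
"""Concatenated vs parameterized queries (added example, not vendor code)."""
import sqlite3


def make_db():
    """Constructed sample table standing in for the apps' student/user tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (student_id INTEGER PRIMARY KEY, fname TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [(1001, "Ada"), (1002, "Grace"), (1003, "Linus")])
    conn.commit()
    return conn


def check_studid_vulnerable(conn, student_id):
    """The CVE pattern: user input spliced into the query text (check_studid.php shape)."""
    sql = "SELECT student_id FROM students WHERE student_id = '" + student_id + "'"
    return [row[0] for row in conn.execute(sql)]


def validate_student_id(raw):
    """Approximation of filter_var($id, FILTER_VALIDATE_INT): an int, or None if invalid."""
    s = raw.strip()
    sign, digits = ("", s) if not s.startswith(("+", "-")) else (s[0], s[1:])
    if not digits.isdigit() or (len(digits) > 1 and digits.startswith("0")):
        return None
    return int(sign + digits)


def check_studid_fixed(conn, raw_id):
    """Validate the type first, then bind the value; the input can never alter the statement."""
    student_id = validate_student_id(raw_id)
    if student_id is None:
        return []
    rows = conn.execute("SELECT student_id FROM students WHERE student_id = ?", (student_id,))
    return [row[0] for row in rows]


def register_fixed(conn, fname):
    """Parameterized INSERT for the registration flow (fname/lname/email all bound the same way)."""
    cur = conn.execute("INSERT INTO students (fname) VALUES (?)", (fname,))
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"                      # breaks out of the string context
    print(check_studid_vulnerable(db, tautology))  # every row comes back
    print(check_studid_fixed(db, tautology))       # rejected before reaching the database
    print(register_fixed(db, "O'Brien"))           # the quote is stored literally
```

The validation step matters even with binding: a numeric column compared against a bound string still works in most engines, but rejecting non-integers up front keeps error messages (and the table-structure leakage the digest warns about) out of the response path.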
Severity: Medium | Attack Vector: NETWORK
References: NVD · CVE Detail
🟡 CVE-2026-3405 — JeeSite Path Traversal (CVSS 3.1)
Vendor: thinkgem
Affected: JeeSite ≤ 5.15.1
CWE: CWE-22 — Path Traversal
Low-severity path traversal in the Connection Handler component. Requires authenticated, low-privilege access and high attack complexity. Mitigate with input canonicalization (File.getCanonicalPath() + base directory whitelist) and WAF rules blocking ../, ..%2f, ..%5c patterns.
Note: Related CVE-2026-3404 (XXE in CasOutHandler.java) affects the same version — audit both if you run JeeSite.
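Three of the request-level mitigations in this digest share one screening routine, so they are shown together here as an added example (not vendor, WAF-product or JeeSite code): the anomalously long wpapsk_crypto2_4g POST parameter for CVE-2026-3400, phar:// in query parameters for CVE-2024-47886, and the ../, ..%2f and ..%5c traversal sequences for CVE-2026-3405, matched after one extra round of percent-decoding so double-encoded variants are caught. The block also carries the server-side counterpart of File.getCanonicalPath() plus base-directory whitelist, written with os.path.realpath. The length threshold, the base directory, the request paths and the sample requests are assumptions.

```python
"""Request screening rules and path canonicalization (added example, not vendor code)."""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

MAX_PARAM_LEN = 256  # assumed threshold; the digest puts the overflow point near 512 bytes
TRAVERSAL_RE = re.compile(r"\.\.(/|\\|%2f|%5c)", re.IGNORECASE)


def parse_request(raw):
    """Split 'METHOD /path?query HTTP/1.1' + headers + body into (method, path, params)."""
    head, _, body = raw.partition("\n\n")
    method, target, _version = head.splitlines()[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method.upper(), parts.path, params


def _has_traversal(s):
    return bool(TRAVERSAL_RE.search(s) or TRAVERSAL_RE.search(unquote(s)))


def screen(raw):
    """Return the sorted list of rule names the request triggers (empty = pass)."""
    method, path, params = parse_request(raw)
    hits = set()
    if method == "POST" and path == "/goform/TextEditingConversion":
        if any(len(v) > MAX_PARAM_LEN for v in params.get("wpapsk_crypto2_4g", [])):
            hits.add("tenda_overlong_param")
    if _has_traversal(path):
        hits.add("path_traversal_sequence")
    for values in params.values():
        for v in values:
            if "phar://" in v.lower() or "phar://" in unquote(v).lower():
                hits.add("phar_wrapper_in_query")
            if _has_traversal(v):
                hits.add("path_traversal_sequence")
    return sorted(hits)


def resolve_under_base(base_dir, user_path):
    """Canonicalize and confine: the resolved path if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


SAMPLE_REQUESTS = {  # constructed; script locations are illustrative, not the real app routes
    "tenda_overflow": "POST /goform/TextEditingConversion HTTP/1.1\nHost: 192.0.2.1\n\n"
                      "wpapsk_crypto2_4g=" + "A" * 600,
    "chamilo_phar": "GET /manage.testdatapath.php?dataroot=phar%3A%2F%2Fupload%2Fx.png HTTP/1.1\n"
                    "Host: lms.example\n\n",
    "jeesite_traversal": "GET /download?file=..%252f..%252fetc%252fpasswd HTTP/1.1\n"
                         "Host: app.example\n\n",
    "benign": "GET /index.html?page=2 HTTP/1.1\nHost: app.example\n\n",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, screen(req))
    print(resolve_under_base("/srv/jeesite/files", "../../etc/passwd"))  # None
```

The canonicalization check is the one that actually closes the hole: the screening rules are a network-layer backstop and will miss encodings they were not written for, whereas resolve_under_base() rejects any input whose resolved form leaves the base directory, however it was encoded.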
Severity: Low | Attack Vector: NETWORK
References: NVD · CVE Detail
🚨 CISA Known Exploited Vulnerabilities — Added This Week
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog between 2026-03-01 and 2026-03-08.
| CVE | Product | Type | Due Date |
|---|---|---|---|
| CVE-2026-22719 | VMware Aria Operations | Command Injection (RCE) | 2026-03-24 |
| CVE-2026-21385 | Qualcomm Multiple Chipsets | Memory Corruption (LPE) | 2026-03-24 |
| CVE-2021-22681 | Rockwell Automation Logix | Auth Bypass (ICS/OT) | 2026-03-26 |
| CVE-2017-7921 | Hikvision Multiple Products | Improper Authentication | 2026-03-26 |
| CVE-2023-43000 | Apple Multiple Products | Use-After-Free | 2026-03-26 |
| CVE-2021-30952 | Apple Multiple Products | Integer Overflow | 2026-03-26 |
| CVE-2023-41974 | Apple iOS and iPadOS | Use-After-Free | 2026-03-26 |
CVE-2026-22719 — VMware Aria Operations Command Injection (CVSS 8.1)
Advisory: VMSA-2026-0001 | Added to KEV: 2026-03-04
An unauthenticated attacker can inject OS commands through crafted input to the support-assisted migration workflow in VMware Aria Operations, resulting in system-level code execution.
| Product | Vulnerable | Fixed |
|---|---|---|
| VMware Aria Operations | ≤ 8.18.5, ≤ 9.0.1 | 8.18.6 / 9.0.2 |
| VMware Cloud Foundation | 4.x, 5.x, 9.x | 5.2.3 / 9.0.2 |
Same advisory also covers: CVE-2026-22720 (Stored XSS, CVSS 8.0) and CVE-2026-22721 (Privilege Escalation, CVSS 6.2).
If immediate patching is blocked, Broadcom has released a workaround script, aria-ops-rce-workaround.sh (KB 430349), which must be run on every node in the cluster.
Severity: High | Attack Vector: NETWORK
References: NVD · CVE Detail · VMSA-2026-0001
CVE-2026-21385 — Qualcomm Chipset Memory Corruption (CVSS 7.8)
Added to KEV: 2026-03-03 | CWE: CWE-190 — Integer Overflow
An integer overflow in the graphics memory management subsystem (kgsl driver) allows a local low-privilege attacker to corrupt heap memory and escalate to kernel execution. Affects 470+ Qualcomm chipset models including Snapdragon 8 Elite, 8 Gen 1/2/3, X55/X65 5G modems, and automotive/IoT platforms (SA8155P, SA8295P, RB5).
Android patch level required: 2026-03-05 or later. Push the March 2026 Android Security Bulletin to all affected devices. For unpatched devices: restrict untrusted app execution, disable ADB on production hardware, and segment IoT/automotive units to restricted VLANs.
Severity: High | Attack Vector: LOCAL
References: NVD · CVE Detail · Qualcomm Bulletin
CVE-2021-22681 — Rockwell Logix Authentication Bypass (CVSS 9.8)
Added to KEV: 2026-03-05 | ICS/OT Impact
An insufficiently protected cryptographic key in Rockwell Studio 5000 Logix Designer and RSLogix 5000 allows an unauthenticated attacker to impersonate an engineering workstation, gaining full read/write access to PLC logic. This directly threatens industrial control environments (manufacturing, utilities, water treatment).
Affected: ControlLogix 5550–5580, CompactLogix 1768–5480, GuardLogix 5570/5580, SoftLogix 5800, Studio 5000 v21+, RSLogix 5000 v16–v20.
Immediate actions:
- Set controller physical Mode Switch → RUN (prevents unauthorized downloads)
- Block TCP 44818 (EtherNet/IP) at network boundary; whitelist only known engineering workstation IPs
- Deploy CIP Security on supported controllers (ControlLogix 5580, CompactLogix 5380)
- For legacy hardware: use 1783-CSP CIP Security Proxy
- Enable Change Detection and Audit Logs in FactoryTalk AssetCentre
Severity: Critical | Attack Vector: NETWORK
References: NVD · CVE Detail · Rockwell Advisory
CVE-2017-7921 — Hikvision Improper Authentication (CVSS 10.0)
Re-added to KEV: 2026-03-05 — nearly 9 years old and still under active exploitation
Hikvision cameras V5.2.0–V5.4.5 allow full authentication bypass by appending a crafted Base64 auth token to any sensitive endpoint. Attackers can capture live snapshots, download encrypted configuration files (decryptable with public tools to reveal plaintext credentials), and pivot into internal networks.
The 2026 resurgence is driven by automated Shodan/Censys scanners pairing this with CVE-2021-36260 (RCE) for persistent OT/ICS access. Grey market and counterfeit cameras cannot receive official firmware and are permanently vulnerable — replace or physically air-gap them.
Minimum secure firmware versions:
| Series | Fixed Firmware |
|---|---|
| DS-2CD2xx2F-I | V5.4.5 Build 170123 |
| DS-2CD2xx0F-I | V5.4.5 Build 170123 |
| DS-2CD2xx2FWD | V5.4.5 Build 170124 |
| DS-2CD4x2xFWD | V5.4.5 Build 170228 |
| DS-2DFx Series | V5.4.9 Build 170123 |
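An inventory check against this table, added here as an example and not Hikvision tooling: it parses "V5.4.5 Build 170123" strings into comparable tuples, maps each camera model to its series row, and flags anything below the fixed build (so two cameras on the same V5.4.5 version can still differ by build number). The series-matching rule (each x in a table key treated as a digit wildcard, keys matched as prefixes) and the sample inventory are assumptions.

```python
"""Hikvision firmware audit against the minimum secure firmware table (added example)."""
import re

# Fixed firmware per series, transcribed from the table above.
FIXED_FIRMWARE = {
    "DS-2CD2xx2F-I": "V5.4.5 Build 170123",
    "DS-2CD2xx0F-I": "V5.4.5 Build 170123",
    "DS-2CD2xx2FWD": "V5.4.5 Build 170124",
    "DS-2CD4x2xFWD": "V5.4.5 Build 170228",
    "DS-2DFx Series": "V5.4.9 Build 170123",
}

VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})$", re.IGNORECASE)


def parse_firmware(s):
    """'V5.4.5 Build 170123' -> (5, 4, 5, 170123); raises ValueError on anything else."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {s!r}")
    return tuple(int(g) for g in m.groups())


def series_pattern(series):
    """Table key -> prefix regex; a lower-case 'x' in the key is assumed to mean any digit."""
    key = series.replace(" Series", "")
    body = "".join(r"\d" if ch == "x" else re.escape(ch) for ch in key)
    return re.compile("^" + body, re.IGNORECASE)


def find_fixed_version(model):
    """Return (series, fixed_tuple) for a model, or (None, None) if no table row applies."""
    for series, fw in FIXED_FIRMWARE.items():
        if series_pattern(series).match(model):
            return series, parse_firmware(fw)
    return None, None


def audit(inventory):
    """inventory: iterable of (hostname, model, firmware). Returns {hostname: status}."""
    result = {}
    for host, model, fw in inventory:
        series, fixed = find_fixed_version(model)
        if fixed is None:
            result[host] = "unknown-series"  # not in the table: review by hand
            continue
        try:
            current = parse_firmware(fw)
        except ValueError:
            result[host] = "unparseable-firmware"
            continue
        result[host] = "ok" if current >= fixed else f"vulnerable (needs {FIXED_FIRMWARE[series]})"
    return result


SAMPLE_INVENTORY = [  # constructed
    ("cam-lobby", "DS-2CD2142F-I", "V5.4.5 Build 170123"),     # exactly the fixed build
    ("cam-dock", "DS-2CD2042FWD-I", "V5.4.5 Build 170123"),    # same version, one build too old
    ("cam-yard", "DS-2DF8223I-AEL", "V5.3.0 Build 150910"),    # PTZ series, old firmware
    ("cam-lab", "DS-2CD2020F-I", "V5.5.0 Build 180106"),       # newer than the fix
    ("cam-nvr", "DS-7608NI-K2", "V4.30.000 Build 190101"),     # recorder, not in the table
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

"unknown-series" is deliberately not "ok": a device the table does not cover still needs a manual check, and the grey-market units the digest mentions will typically show up as unparseable or unknown rather than as patched.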
Severity: Critical | Attack Vector: NETWORK
References: NVD · CVE Detail
This Week's TL;DR
| Priority | Action |
|---|---|
| 🔴 1 | Patch VMware Aria Operations to 8.18.6/9.0.2 — or apply Broadcom workaround script on all nodes. Deadline: 2026-03-24. |
| 🔴 2 | Isolate Rockwell Logix PLCs — switch to RUN mode, block TCP 44818, deploy CIP Security. Deadline: 2026-03-26. |
| 🔴 3 | Update IDExpert Windows Logon Agent (CVE-2026-2999, CVSS 9.8) — unauthenticated RCE, no auth required. Contact Changingtec. |
| 🟠 4 | Push March 2026 Android Security Bulletin to all Qualcomm devices — 470+ chipsets, local privilege escalation to kernel. Deadline: 2026-03-24. |
| 🟠 5 | Audit camera inventory for Hikvision devices below V5.4.5 — this 2017 bug is back in active campaigns. Deadline: 2026-03-26. |
| 🟠 6 | Upgrade Chamilo LMS to ≥ 1.11.28 — post-auth RCE via phar deserialization in the vchamilo plugin. |
| 🟠 7 | If running DB-GPT 0.7.5, block /api/v1/serve/awel/flow/import at the proxy immediately — unauthenticated RCE, no patch available. |