Patch Now or Pay Later: The Major Vulnerabilities Defining Cybersecurity in 2026

From Ivanti zero-days to Chrome's third exploited flaw of the year, 2026 has already delivered a relentless stream of high-severity vulnerabilities. Here is a breakdown of the most dangerous exploits active right now — and what organisations need to do about them.

It is only mid-March, and 2026 has already made its mark on the cybersecurity calendar. The volume of vulnerabilities being disclosed has climbed to record levels, and more alarming than the count is the speed: proof-of-concept exploit code now regularly appears within hours of disclosure, and mass exploitation campaigns often begin within days. What follows is a detailed look at the vulnerabilities that have already defined the threat landscape in 2026.

Ivanti EPMM: Two Critical Zero-Days Hit Enterprise Mobile Fleets (CVE-2026-1281 & CVE-2026-1340)

Few vendors have been as persistently targeted as Ivanti, and 2026 opened with another pair of critical blows. On January 29, Ivanti disclosed two zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product — a widely deployed mobile device management platform used across enterprise environments. Both CVE-2026-1281 and CVE-2026-1340 carry a critical CVSS score of 9.8. Both allow unauthenticated remote attackers to execute arbitrary code on the underlying server — no credentials, no user interaction required.

CVE-2026-1281 exploits unsafe legacy bash scripts in the Apache web server's URL rewriting mechanism, reachable through the In-House Application Distribution feature. CVE-2026-1340 targets a near-identical flaw in the Android File Transfer Configuration component via separate HTTP endpoints. The root cause in both cases is the same: attacker-controlled input being passed directly into bash without sanitisation.
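The root cause described above, shown as an added example that is not Ivanti's code and not the actual EPMM scripts: a request handler that splices a URL query parameter straight into a bash command line, beside a hardened version that allowlists the value and passes it as a single argv element with no shell involved. The request paths, the `file` parameter name and the script path are constructed for this example; `echo` stands in for the legacy script so that the only effect of a shell metacharacter is an extra line of output.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed request paths. The "file" parameter and the download path are
# assumptions for this example, not EPMM's real endpoints.
BENIGN_REQUEST = "/apps/download?file=report.txt"
HOSTILE_REQUEST = "/apps/download?file=report.txt;%20echo%20INJECTED"

# Allowlist for a bare filename: letters, digits, dot, underscore, hyphen only,
# so no spaces, slashes or shell metacharacters can get through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def file_param(request_path):
    """Return the raw 'file' query parameter exactly as the client sent it."""
    return parse_qs(urlsplit(request_path).query).get("file", [""])[0]


def legacy_command(request_path, script="echo"):
    """Unsafe pattern: the parameter is concatenated into a command line that a
    shell will parse, so ';', '|', '$(...)' and friends become part of the command."""
    return f"{script} {file_param(request_path)}"


def run_legacy(request_path):
    """Execute the unsafe pattern through a shell (shell=True), as a legacy
    bash wrapper would. With 'echo' standing in, injection shows up as a
    second output line rather than a second process doing real work."""
    result = subprocess.run(legacy_command(request_path), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def hardened_argv(request_path, script="echo"):
    """Validate the value against the allowlist and build argv directly.
    No shell parses the string, so the value can only ever be one argument."""
    name = file_param(request_path)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file parameter: {name!r}")
    return [script, name]


def is_accepted(request_path):
    """True if the hardened validator would let this request reach the script."""
    try:
        hardened_argv(request_path)
        return True
    except ValueError:
        return False


def run_hardened(request_path):
    """Execute the hardened pattern: argv list, no shell."""
    result = subprocess.run(hardened_argv(request_path),
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("legacy, benign:   ", repr(run_legacy(BENIGN_REQUEST)))
    print("legacy, hostile:  ", repr(run_legacy(HOSTILE_REQUEST)))
    print("hardened, benign: ", repr(run_hardened(BENIGN_REQUEST)))
    print("hardened, hostile: accepted =", is_accepted(HOSTILE_REQUEST))
```

The fix is not escaping: it is never handing the value to a shell at all, plus rejecting anything outside the expected shape before it reaches the script. Auditing for this pattern means looking for every place a web layer builds a command string (`shell=True`, `system()`, backticks, `eval` in a bash wrapper) from request data.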

CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog on the same day as disclosure and gave federal agencies just three days to patch — an extraordinarily compressed remediation window. Confirmed victims included the Dutch Data Protection Authority and the Council for the Judiciary in the Netherlands. Unit 42 from Palo Alto Networks identified more than 4,400 internet-exposed EPMM instances through Cortex Xpanse telemetry, and GreyNoise recorded 269 exploitation sessions in a single day on February 8, with 83% of activity tracing to a single bulletproof hosting IP registered in Saint Petersburg, Russia.

Post-exploitation activity has been aggressive: attackers deployed web shells, reverse shells, cryptominers, and persistent backdoors. Within 24 hours of proof-of-concept code appearing on GitHub, Rapid7's honeypot recorded hundreds of inbound connections from more than 130 unique IP addresses. The campaign has since evolved from tightly scoped zero-day exploitation into what watchTowr describes as 'global mass exploitation by a wide mix of opportunistic actors.' Ivanti has released RPM patches requiring no downtime, but critically, these do not survive version upgrades and must be reapplied after any update. Any organisation with an internet-facing EPMM deployment should treat the system as potentially compromised and initiate incident response, not merely patch.

Cisco SD-WAN: Authentication Bypass Targeting Federal Networks (CVE-2026-20127)

On February 25, CISA and the UK National Cyber Security Centre issued a joint advisory warning that vulnerabilities in Cisco software-defined wide-area network (SD-WAN) systems are being actively exploited and linked to ongoing malicious operations targeting federal networks. CVE-2026-20127 allows a remote unauthenticated attacker to bypass authentication entirely and gain full administrative privileges on affected Cisco SD-WAN Controller and Manager systems. A companion vulnerability, CVE-2022-20775, enables an authenticated local attacker to escalate to root via improper CLI access controls — together, they form a credible path from network perimeter to full infrastructure control.

CISA responded by issuing Emergency Directive 26-03 and supplemental Hunt and Hardening Guidance. The particular concern with SD-WAN systems is their architectural position: a compromised SD-WAN controller does not merely expose a single device, it can provide access to the routing and policy layer of an organisation's entire wide-area network. Sophos and other security vendors released IDS and IPS detection rules to assist with identification while patches are deployed.

Broadcom VMware Aria Operations: Unauthenticated RCE in Enterprise Monitoring (CVE-2026-22719)

On March 3, CISA added CVE-2026-22719 to the KEV catalog after confirming active exploitation of Broadcom's VMware Aria Operations platform — formerly vRealize Operations, a widely deployed enterprise tool for monitoring and managing virtualised infrastructure. The flaw is a command injection vulnerability in the product's support-assisted migration feature, allowing an unauthenticated attacker to execute arbitrary commands on the underlying system. Because VMware Aria Operations sits at the centre of virtualised environment management, a compromise gives attackers a privileged vantage point over the entire virtual infrastructure and a platform for lateral movement into managed systems.

Qualcomm Chipsets: Memory Corruption in Billions of Android Devices (CVE-2026-21385)

Also added to the KEV catalog on March 3, CVE-2026-21385 is a memory corruption vulnerability affecting multiple Qualcomm chipsets — the processors that power the majority of Android smartphones and a large share of enterprise and IoT devices. Memory corruption bugs in chipset firmware are among the most consequential classes of vulnerability because they can undermine security controls implemented at higher software layers. CISA's confirmation of active exploitation indicates this flaw is already being weaponised, most likely in targeted attacks against high-value individuals given the complexity of hardware-level exploitation. Mobile security teams should prioritise Android security bulletin updates across all managed devices without delay.

Google Chrome: Three Zero-Days Exploited in the First Ten Weeks (CVE-2026-2441, CVE-2026-3909 & CVE-2026-3910)

Chrome, the browser used by billions of people worldwide, has already accumulated three actively exploited zero-days in 2026 — and it is only mid-March. The year opened with CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome's CSS handling, patched in mid-February. A use-after-free bug occurs when a program continues to access memory after it has been freed, creating exploitable conditions for code execution inside the browser sandbox.

Then, on March 12, Google issued an emergency out-of-band patch addressing two further zero-days discovered by its own Threat Analysis Group just two days earlier. CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library Chrome uses to render web content and UI elements. Attackers can trigger it through a specially crafted HTML page, potentially overwriting adjacent memory regions to crash the browser or execute arbitrary code. CVE-2026-3910 is an inappropriate implementation flaw in V8, Chrome's JavaScript and WebAssembly engine. V8 vulnerabilities are particularly attractive to attackers because JavaScript executes constantly during normal browsing — a remote attacker can trigger the flaw simply by getting a user to visit a malicious web page, with no additional interaction required.

Google has confirmed that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild and is withholding full technical details until the majority of the user base has updated. CISA has mandated federal agencies patch by March 27. The fixed version is Chrome 146.0.7680.75 or later. Critically, the vulnerabilities also affect other Chromium-based browsers including Microsoft Edge, Brave, and Opera — patching Chrome alone is not sufficient if an organisation runs multiple Chromium-based browsers. Google's Threat Intelligence Group reported that 90 zero-days were exploited in the wild in 2025, up from 78 in 2024, with enterprise technologies accounting for a record 48% of observed cases. Chrome's 2026 trajectory is already tracking higher.

Microsoft March Patch Tuesday: 80+ Flaws, Six Rated "More Likely to be Exploited"

Microsoft's March 2026 Patch Tuesday addressed more than 80 vulnerabilities across its products, with six designated by the company as 'more likely to be exploited' — a label Microsoft applies when it assesses that reliable exploit code exists or will likely be developed imminently. All six high-priority flaws are privilege escalation bugs: CVE-2026-24289 and CVE-2026-26132 are use-after-free vulnerabilities in the Windows Kernel; CVE-2026-23668 is a race condition in the Windows Graphics Component; and CVE-2026-24291 affects the Windows Accessibility Infrastructure service.

Security firm Immersive noted that CVE-2026-24291 is 'highly prized by threat actors' because it allows reliable escalation from a limited user account to SYSTEM privileges — full control over the system, enabling complete bypass of endpoint detection tools. Also notable in this batch: CVE-2026-26144, a cross-site scripting bug in Excel that could weaponise Microsoft Copilot Agent to exfiltrate data from a target, and CVE-2026-23669, a remote code execution flaw in the Windows Print Spooler — a service with a long and painful history of critical vulnerabilities. The Dutch National Cyber Security Center separately flagged CVE-2026-26123 in Microsoft Authenticator for Android and iOS, which could be exploited via a rogue app to intercept a user's authentication flow in a man-in-the-middle attack.

What the Pattern Tells Us

Several themes connect the most dangerous vulnerabilities of 2026's early months, and understanding them is more useful than memorising individual CVE numbers.

Management-plane infrastructure is the primary target. Ivanti EPMM, Cisco SD-WAN, and VMware Aria Operations are all control-plane systems that sit above the ordinary application layer and govern or monitor entire environments. Compromising them does not expose a single server — it provides a privileged vantage point over an entire network. Nation-state actors and sophisticated ransomware groups have recognised this and are concentrating their attention accordingly.

Patch velocity is no longer adequate. The window between disclosure and mass exploitation has collapsed to days or hours. A patching cadence calibrated to monthly maintenance windows is structurally incompatible with this environment. Organisations need emergency processes that can respond to KEV-listed vulnerabilities within hours, not weeks.
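As an added example of the emergency process described above (not from the article and not CISA's own tooling): a small triage routine that joins a KEV-shaped feed to an asset inventory and orders every unpatched exposure by its CISA due date, overdue items first, so that KEV-listed flaws are worked in hours while everything else stays on the normal cadence. The KEV records and the inventory are constructed; dates are taken from the article where it states them (the January 29 listing with a three-day window, the March 3 listing, the March 27 Chrome deadline) and are marked as assumptions otherwise.

```python
from datetime import date

# Constructed records in the shape of CISA's KEV JSON feed (cveID, vendorProject,
# product, dateAdded, dueDate). Dates marked "assumed" are not from the article.
KEV_ENTRIES = [
    {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti", "product": "EPMM",
     "dateAdded": "2026-01-29", "dueDate": "2026-02-01"},   # three-day window
    {"cveID": "CVE-2026-22719", "vendorProject": "Broadcom",
     "product": "VMware Aria Operations",
     "dateAdded": "2026-03-03", "dueDate": "2026-03-24"},   # dueDate assumed
    {"cveID": "CVE-2026-3909", "vendorProject": "Google", "product": "Chrome",
     "dateAdded": "2026-03-13", "dueDate": "2026-03-27"},   # dateAdded assumed
    {"cveID": "CVE-2026-3910", "vendorProject": "Google", "product": "Chrome",
     "dateAdded": "2026-03-13", "dueDate": "2026-03-27"},   # dateAdded assumed
]

# Constructed asset inventory: which CVEs each asset is exposed to and which
# of them have already been remediated there. CVE-2026-1340 is deliberately
# left out of the constructed KEV feed to show the non-KEV path.
INVENTORY = [
    {"name": "mdm-01", "internet_facing": True,
     "cves": ["CVE-2026-1281", "CVE-2026-1340"], "patched": []},
    {"name": "wks-fleet", "internet_facing": False,
     "cves": ["CVE-2026-2441", "CVE-2026-3909", "CVE-2026-3910"],
     "patched": ["CVE-2026-2441"]},
    {"name": "aria-ops-01", "internet_facing": False,
     "cves": ["CVE-2026-22719"], "patched": ["CVE-2026-22719"]},
]


def remediation_queue(kev_entries, inventory, today):
    """Split unpatched exposures into an emergency queue (KEV-listed, ordered by
    CISA due date with overdue items first) and a routine list for the normal
    maintenance cadence. Returns (emergency, routine)."""
    by_cve = {entry["cveID"]: entry for entry in kev_entries}
    emergency, routine = [], []
    for asset in inventory:
        for cve in asset["cves"]:
            if cve in asset["patched"]:
                continue
            entry = by_cve.get(cve)
            if entry is None:
                routine.append((asset["name"], cve))
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            emergency.append({
                "asset": asset["name"], "cve": cve, "due": entry["dueDate"],
                "days_left": days_left, "overdue": days_left < 0,
                "internet_facing": asset["internet_facing"],
            })
    # Most overdue first, then nearest deadline; internet-facing breaks ties.
    emergency.sort(key=lambda item: (item["days_left"], not item["internet_facing"]))
    return emergency, routine


def queue_for(today_iso="2026-03-16"):
    """Convenience wrapper: run the triage for a given ISO date (default is
    mid-March 2026, the point in time the article is written from)."""
    return remediation_queue(KEV_ENTRIES, INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    urgent, later = queue_for()
    for item in urgent:
        status = "OVERDUE" if item["overdue"] else f"{item['days_left']}d left"
        print(f"{item['asset']:<12} {item['cve']:<16} due {item['due']}  {status}")
    for asset, cve in later:
        print(f"{asset:<12} {cve:<16} not in KEV: routine cadence")
```

Run against the constructed data on 2026-03-16, the EPMM server comes out first and 43 days past its due date, the two Chrome zero-days follow with 11 days left, and the unlisted EPMM CVE drops to the routine list. In practice the feed would be the live KEV JSON and the inventory would come from the CMDB or vulnerability scanner; the ordering logic is the part worth keeping.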

Browsers are a primary enterprise attack vector. Three Chrome zero-days in ten weeks is not a browser-specific anomaly — it reflects the reality that modern browsers are the most powerful and universally-deployed software on corporate endpoints, executing untrusted code from the internet by design. Enterprise browser management, rapid patch deployment, and network-level inspection of browser traffic are non-negotiable baseline controls.

AI frameworks are an emerging attack surface that most security programmes have not yet fully absorbed. As AI orchestration tools, model-serving platforms, and agent frameworks are pushed into production at pace, the security of the underlying software has not kept up. Security teams that have not added AI framework monitoring to their vulnerability management programmes are increasingly exposed in ways that traditional asset inventories do not capture.

The pace of vulnerability disclosure and exploitation in 2026 is not going to slow down. What organisations can change is how quickly they detect exposure, how efficiently they deploy fixes, and whether their security programmes are oriented around exploit reality rather than theoretical severity scores. For every vulnerability listed above, a patch exists. The question is whether it has been applied.