ISSUE 11 | Your security stack is the attack surface
Security Conscience: Enterprise Cyber Weekly
Issue #11 • Week of March 9, 2026
Security Tip of the Week 🔐
Audit the Service Accounts Your Security Devices Hold

I was in a vendor briefing a few weeks ago where the presenter walked us through a “defense in depth” architecture: firewall at the edge, endpoint management across the fleet, AI assistant in the SOC. Solid logos, clean slide. The kind of stack that looks right in a board deck or a QBR. Everyone in the room nodded. I nodded. And the whole time I kept thinking about how many of those layers have become exactly what attackers target first.

That’s the throughline this week. The vulnerabilities making headlines aren’t in obscure libraries or forgotten apps. They’re in SD-WAN management consoles, firewalls with Active Directory integration, and AI agents with access to everything on your network. The most exploited real estate right now is the security stack itself.

Top Story

AI Agents Are Becoming Enterprise Attack Surface Before You’ve Fully Deployed Them
Source: https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts/

TLDR
Brian Krebs documents how AI agents are reshaping enterprise attack surface faster than security programs can respond, with exposed management interfaces leaking credentials, supply chain attacks silently installing rogue agents, and prompt injection manipulating agents that already hold trusted internal access. The risk model applies to any AI assistant your organization gives access to files, email, or internal systems.

Why It Matters to Enterprises
You don’t have to be running OpenClaw for this to be your problem. Simon Willison’s “lethal trifecta,” private data access plus untrusted content exposure plus external communication channels, maps onto most productivity AI deployments already in use. If your security team is evaluating AI tools, the review needs to include what happens when the agent is manipulated, not just what it’s authorized to do.
The supply chain risk is acute: a compromised plugin repository can silently push a rogue agent onto a developer machine with full inherited permissions, and it looks like a normal update.

What to Do This Week
– Inventory every AI agent in your environment, including tools provisioned outside IT’s purview
– Assess each agent against the lethal trifecta: private data, untrusted input, and outbound communications
– Verify that AI tool management interfaces are not exposed beyond localhost or internal networks
– Add AI agent capabilities and integrations to your third-party software risk assessment process
– Define and document what actions AI agents are and are not authorized to take autonomously

Big Stories

Cisco SD-WAN Exploitation Widens as Two More CVEs Are Confirmed Active
Source: https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/

What Happened
Cisco confirmed on March 5 that two recently patched Catalyst SD-WAN Manager vulnerabilities are actively exploited: CVE-2026-20128, an information disclosure flaw granting elevated DCA user privileges, and CVE-2026-20122, an API flaw allowing remote authenticated attackers to overwrite arbitrary files and escalate to root. This follows last week’s disclosure of CVE-2026-20127, a critical zero-day enabling remote authentication bypass to admin, which threat group UAT-8616 chained with CVE-2022-20775 to achieve full persistence on compromised devices.

Why It Matters
SD-WAN Manager is a management plane. Compromise doesn’t just expose one appliance; it exposes network architecture, device configurations, and credentials for everything under management. The chaining behavior is worth pausing on: attackers combined a current high-severity flaw with a four-year-old CVE to achieve persistence, which means that if CVE-2022-20775 moved through your vulnerability management cycle as a routine patch, your team may not have flagged it as an ongoing exploitation risk.
The assumption these attacks falsify is that patching an older CVE closes the door on it permanently; chains don’t work that way.

FortiGate Exploitation Turns a Firewall Problem Into an AD Problem
Source: https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html

What Happened
SentinelOne documented a campaign targeting FortiGate appliances in healthcare, government, and managed service provider environments. Attackers exploited known vulnerabilities or weak credentials to access the devices, then extracted configuration files containing encrypted LDAP service account credentials used for Active Directory integration. In one confirmed case, the attacker decrypted those credentials, authenticated directly to Active Directory, enrolled rogue workstations, and began lateral movement well before the organization detected the intrusion.

Why It Matters
The failure this campaign exposes isn’t in the firewall configuration; it’s in the assumption that a security appliance and a directory service are separate trust domains. Most FortiGate deployments integrate with Active Directory to enforce role-based policies, which means the device holds credentials that unlock identity infrastructure. When an attacker breaks into your perimeter device, they may not need to pivot through your network at all; the service account the device was already holding does the work. Any edge device with AD integration is a potential identity threat surface, and most security programs haven’t modeled it that way.

Quick Hits

North Korea Is Using AI to Stay Hired Longer
Microsoft documented North Korean IT worker groups using generative AI to build personas, generate deepfake documents, and sustain employment by meeting performance expectations in unfamiliar technical roles. Your contractor vetting process was designed to catch human imposters, not AI-augmented operatives who pass live technical screens.
https://cyberscoop.com/microsoft-north-korea-ai-operations/

The Trump Cyber Strategy Is Five Pages Long
Six pillars, deliberate vagueness, no implementation blueprint, and an emphasis on offensive capabilities arriving after a year of gutting the federal cyber workforce. As national posture it matters; as operational guidance, it offers almost nothing.
https://cyberscoop.com/trump-cybersecurity-strategy/

CISA Tagged Another Ivanti EPM Flaw as Actively Exploited
CVE-2026-1603, a high-severity authentication bypass in Ivanti Endpoint Manager, hit CISA’s Known Exploited Vulnerabilities catalog with a March 23 patch deadline. Ivanti has accumulated multiple KEV entries over two years; if it’s in your environment, the pattern matters more than any individual score.
https://www.bleepingcomputer.com/news/security/cisa-recently-patched-ivanti-epm-flaw-now-actively-exploited/

Wrapping it up

There’s a version of security architecture that made sense five years ago. Controls at the perimeter, hardened endpoints, monitored network. The implicit model was that security infrastructure was the protection layer and everything behind it was protected. Every story in this issue challenges that model.

The pattern isn’t novel techniques. Attackers figured out the fastest path to a compromised environment runs through the tools meant to secure it. Management consoles holding credentials for every device they manage. Firewalls with privileged access to identity infrastructure. AI agents with access to everything you’ve ever sent or stored. The security layer became the attack surface because organizations granted these tools privileged access without modeling what happens when the device itself gets owned.

The question isn’t about patch timelines or vendor response quality. It’s about trust architecture. Somewhere in your environment, systems with broad privileged access were never modeled as threats.
The assumption that the things protecting you are exempt from “what if this gets owned?” is the one worth retiring.
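
The FortiGate story and this week's tip both come down to the directory service account an edge device holds. As an added example (not from the newsletter or any vendor), the Python below audits logon and computer-account-creation events for a device's bind account being used from anywhere other than the device itself. The account name, addresses and simplified event records are constructed, the account is assumed to be a lookup-only bind account, and 4624 and 4741 are the Windows Security log IDs for a successful logon and a computer account creation.

```python
import ipaddress

# Constructed inventory: each device-held AD bind account and the only
# addresses it should ever authenticate from (the appliance itself).
DEVICE_ACCOUNTS = {
    "svc-fw-ldap": {"10.0.0.1"},   # hypothetical firewall LDAP bind account
}

# Constructed, simplified records modelled on Windows Security log fields.
# 4624 = successful logon, 4741 = computer account created.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2026-03-02T08:00:11Z", "user": "svc-fw-ldap", "src": "10.0.0.1"},
    {"id": 4624, "time": "2026-03-02T23:41:07Z", "user": "SVC-FW-LDAP", "src": "10.0.7.44"},
    {"id": 4741, "time": "2026-03-02T23:43:30Z", "user": "svc-fw-ldap", "src": "10.0.7.44",
     "target": "WKSTN-0931$"},
    {"id": 4624, "time": "2026-03-02T23:50:02Z", "user": "jdoe", "src": "10.0.7.44"},
    {"id": 4624, "time": "2026-03-03T01:02:00Z", "user": "svc-fw-ldap", "src": "-"},
]


def audit(events, accounts=DEVICE_ACCOUNTS):
    """Return findings for device-held accounts used outside their expected role."""
    allowed = {name.lower(): {ipaddress.ip_address(a) for a in addrs}
               for name, addrs in accounts.items()}
    findings = []
    for ev in events:
        # Drop any DOMAIN\ prefix; AD account names are case-insensitive.
        user = ev["user"].rsplit("\\", 1)[-1].lower()
        if user not in allowed:
            continue
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            src = None   # missing or unparsable source: report it, do not skip it
        if ev["id"] == 4741:
            # Assumption: a lookup-only bind account never creates computer objects.
            findings.append((ev["time"], user, "computer-account-created", ev.get("target")))
        elif ev["id"] == 4624 and src not in allowed[user]:
            findings.append((ev["time"], user, "logon-from-unexpected-source", ev["src"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```
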
