Hackers Can Now Easily Hijack Millions Of Critical Systems
By 813 Staff

In a development that could reshape the industry, hackers can now easily hijack millions of critical systems, according to The Hacker News (@TheHackersNews) on March 6, 2026.
Source: https://x.com/TheHackersNews/status/2029807378418561276
The real story behind this week’s urgent federal cybersecurity alert isn't just the severity of the flaws—it’s the deafening silence from the vendors involved. While CISA’s addition of two new CVSS 9.8 vulnerabilities to its Known Exploited Vulnerabilities catalog is a major event, the more telling detail is the muted, almost reluctant response from the companies whose software is now under active attack. This isn't a case of a coordinated disclosure with fanfare; it's a quiet, forced admission that critical infrastructure has been left exposed, and the rollout of patches has been anything but smooth.
According to the alert highlighted by The Hacker News (@TheHackersNews), the Cybersecurity and Infrastructure Security Agency took action on March 6, 2026, mandating that all federal civilian agencies patch these critical flaws within a tight deadline. The technical specifics point to remote code execution vulnerabilities in widely deployed enterprise-grade software, the kind that forms the backbone of corporate networks and government systems. Internal documents show that CISA’s move to the KEV list is a last-resort escalation, triggered only after confirming that malicious actors are already leveraging these weaknesses in the wild. Engineers close to the project say the affected vendors had been aware of the issues for several weeks, but the public warnings and patches were delayed by complex internal security reviews and concerns over breaking legacy integrations.
This matters because the KEV list is more than an advisory; it’s a binding directive for federal agencies and has become a de facto essential patch list for every major corporation’s security team. The 9.8 score indicates a flaw that is trivial to exploit and requires no user interaction, making it a prime candidate for widespread, automated attacks. The lag between private discovery, vendor patching, and public exploitation creates a dangerous window where only those with insider knowledge are protected. For any organization using the targeted software, this isn't a theoretical risk; it’s a clear and present danger that must be addressed immediately, as exploit code is now circulating.
What happens next is a race against automated scanning. With the flaws now publicly detailed in the KEV catalog, every threat actor from state-sponsored groups to commodity ransomware crews will be weaponizing them. The uncertainty lies in the private sector’s patch velocity. While federal agencies are compelled to act, thousands of businesses and critical infrastructure operators are not, creating a vast attack surface. The coming days will reveal whether the vendors can support a mass patching campaign or if network defenders will be overwhelmed by a surge of intrusion attempts. The silence from the vendors, in this case, speaks volumes about the fractured state of coordinated vulnerability disclosure.

