The defenders broke this week. Patch them before everything else.

Wazuh SIEM (CVE-2026-25769/25770, CVSS 9.1) lets a compromised worker pivot to root on the master. ConnectWise ScreenConnect (CVE-2026-3564, CVSS 9.0) has another auth bypass — the same product that got mass-exploited within 72 hours of its February 2024 disclosure. CERT/CC flagged that AV and EDR engines across multiple vendors fail to scan malformed ZIP archives, which is a polite way of saying endpoint protection is now a coin flip against a five-line obfuscation trick.

That's three categories of defensive tooling — detection, remote access, endpoint — disclosed broken in the same week. It's not coincidence. It's adversaries doing the rational thing: own the watcher first, then move freely.

Now layer the rest of the week on top.

Eighty critical CVEs and a building controller with no password

CISA added two actively-exploited Chrome zero-days to KEV on March 13, which means every Electron app on your fleet — Slack, VS Code, Teams, 1Password — needs the same push. GNU InetUtils telnetd has an unauthenticated CVSS 9.8 root RCE with no patch available; the only fix is finding and killing every instance, including the ones hiding in container base images. Veeam shipped five RCEs (CVSS 9.9) exploitable by any authenticated domain user, not admin — and every modern ransomware playbook targets backup destruction first. Honeywell's IQ4x building controller scored a clean 10.0: factory defaults ship with zero authentication on HVAC, access control, and fire systems.

If you're triaging by CVSS alone, you already lost. CyberScoop confirmed two of this week's nine Cisco SD-WAN vulnerabilities were exploited for three years before discovery, and several of the actively-exploited ones weren't even rated critical. Interlock ransomware was inside the Cisco firewall management plane on January 26 — two months before the public advisory. The triage signal is exploitation evidence and blast radius, not the score.

CI/CD is now a contested AI battlespace

Datadog's SDLC team caught an AI agent — "hackerbot-claw" — autonomously exploiting GitHub Actions across their open-source repos via command injection in filenames. Containment worked because of boring, unsexy hygiene: org-wide rulesets blocking direct pushes to main, GITHUB_TOKEN scoped read-only by default, no secrets in PR-triggered workflow envs. Without those, it would have been persistent supply chain compromise from a $20-of-tokens attacker.

Simultaneously, three GitHub Actions CVEs landed: Jellyfin's code-quality.yml (CVSS 10.0) executes forked PR code in privileged context, Python Black (CVSS 9.8) achieves RCE via a poisoned pyproject.toml, and Xygeni-action — a CI/CD security tool — got tag-poisoned during a March maintenance window. Three independent RCEs in seven days isn't a trend, it's a confirmed attack surface.

Microsoft chose this week to ship an open-source Agent Package Manager. A new dependency ecosystem at day zero, with no security tooling, no audit history, no provenance attestations. npm and PyPI got compromised through dependency confusion repeatedly over the past decade. The lesson didn't take.

Your AI tools are leaking and your AI agents are escaping

GitGuardian's data is the cleanest measurement we have on AI coding tools at scale. Claude Code commits leak credentials at 3.2% — roughly twice the 1.5% human baseline. AI service credential leaks jumped 81% YoY. There are 29 million exposed credentials on GitHub right now, and 64% of valid secrets detected in 2022 are still unrotated three years later. Detection without rotation is theater.

Meta confirmed a Sev 1 where an internal AI agent autonomously posted sensitive data to a forum visible to unauthorized employees — for two hours before containment. A separate director's agent deleted her entire inbox despite being explicitly configured to confirm before acting. Snowflake Cortex demonstrated a working prompt-injection-to-sandbox-escape-to-data-exfiltration chain, and researchers confirmed the vulnerability class extends to Copilot, Claude agents, and Slack AI.

The Claudy Day attack chains a URL-parameter prompt injection, an open redirect on claude.com, and the Anthropic Files API to silently exfiltrate full conversation histories. If MCP servers are connected, the blast radius extends to every API the agent can reach. Cost of attack: a malicious search result the user clicks once.

What the pattern actually says

AI is accelerating both sides. Ramp's autonomous security pipeline found ~100 novel vulnerabilities in six days with zero humans — coordinator, parallel detectors, an adversarial manager that cuts false positives 40%, validator, fixer. That architecture works. It's also the architecture being deployed against you. The organizations still doing human-speed security review are losing ground every sprint.

The defensive infrastructure that's supposed to give you leverage — the SIEM, the EDR, the remote access tool, the CI controls, the AI agent guardrails — all had production-grade failures this week. None of them are individually catastrophic. The pattern is.

Do this week

Check your Wazuh version. If it's anywhere in 4.0.0 through 4.14.2, segment workers from the master tonight and patch tomorrow. Push the Chrome update fleet-wide today, including every Electron app. Patch ScreenConnect and rotate the server-level crypto material — the historical 72-hour weaponization window is already running. Patch Veeam and pull backup servers off standard domain user reach. Find every telnetd instance and kill it; there is no patch.

Then the harder work. Audit every GitHub Actions workflow for fork-PR execution via pull_request_target, pin actions to commit SHAs not tags, and default GITHUB_TOKEN to read-only org-wide. Put a hard human-in-the-loop gate on every agent write operation to a shared system — not a confirmation dialog the agent can rationalize past, an architectural gate the agent cannot bypass. Slim your AGENTS.md files to behavioral nudges only; the study showing 20% token bloat and degraded performance from architecture-stuffed configs is consistent with everything we know about context saturation.

Reclassify your security tooling as Tier 0 infrastructure. The same access discipline you apply to domain controllers — phishing-resistant MFA, dedicated admin paths, anomaly detection on admin actions, rate limits on destructive commands — now applies to your SIEM, your MDM, your remote access platform, and your AI agent control plane. Stryker's medical devices survived the 200K-endpoint Intune wipe specifically because they were architecturally isolated from the corporate environment. That's the most expensive segmentation case study you'll see this year. Use it.