CXO Brief — Week Ahead — March 30, 2026
F5 BIG-IP Was Misclassified for Five Months. Now It's Being Exploited as a Full RCE.
When F5 patched CVE-2025-53521 in October 2025, they called it a denial-of-service flaw. CVSS 7.5. Five months later, they reclassified it as full remote code execution. CVSS 9.8. CISA added it to the KEV catalog on March 28 after confirming active exploitation, with a federal remediation deadline of today. Every organization that deprioritized this patch because "it's just a DoS" now has an unpatched RCE on internet-facing infrastructure. If your vuln management program doesn't track vendor reclassifications, it just failed you.
Supply Chain Attacks Are Hitting Faster and Wider
Crunchyroll lost 6.8 million user records after ShinyHunters compromised a TELUS outsourcing partner. Separately, attackers pushed malicious versions of the Telnyx Python SDK to PyPI on March 27, part of a coordinated campaign that also hit Trivy, Checkmarx, and LiteLLM. The pattern: attackers are targeting the seams between organizations, not the organizations themselves. If your vendor risk program still treats third-party access as a checkbox exercise, it is behind.
The New White House Cyber Strategy Wants to Get Out of Your Way. Read the Fine Print.
The Trump Administration's Cyber Strategy for America promises regulatory streamlining, no more "costly checklists," and a bigger role for the private sector. For CISOs at regulated firms, this is a shift from prescriptive compliance toward outcome-based security. Sounds great until you realize it also means less cover when something goes wrong. The strategy commits federal agencies to post-quantum cryptography and zero-trust. Track which mandates trickle into federal contract requirements by Q3.
AI Agents Are Creating a New Class of Identity Risk
AI agents are operating autonomously inside enterprise environments with production access, and most security teams have no governance framework for them. The WEF's 2026 Global Cybersecurity Outlook flags AI-related vulnerabilities as the fastest-growing risk category, with 87% of organizations reporting concern. If your identity team is not treating AI agents as non-human identities requiring their own access policies and audit trails, you are accumulating risk quietly.
Watch This
The PyPI supply chain campaign that hit Telnyx, Trivy, Checkmarx, and LiteLLM in the same week is not opportunistic. It is coordinated targeting of developer and security tooling simultaneously. If this continues into April, expect a broader conversation about whether PyPI's trust model needs fundamental rethinking.
Across the DoGood network, we're tracking how security teams are governing non-human identities — from AI agents to service accounts to third-party integrations. More on that Wednesday.
The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
