Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07
krebsonsecurity @ gmail .com
Linkedin: https://www.linkedin.com/in/bkrebs
Website: https://krebsonsecurity.com
Imagine how much happier you’d be today if you’d never turned it back on
If you have an iPhone, today is a good day to make sure you are running the latest software. https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
Someone has publicly leaked an exploit kit that can hack millions of iPhones | TechCrunch

Leaked "DarkSword" exploits published to GitHub allow hackers and cybercriminals to target iPhone users running old versions of iOS with spyware, according to cybersecurity researchers.

TechCrunch

Whoa, that escalated quickly. This just got sent out by the press folks at the Federal Communications Commission (FCC). The FCC says it has decided that all foreign-made consumer-grade Internet routers are henceforth prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the United States.

"Update Follows Determination by Executive Branch Agencies that Consumer-Grade Routers Produced in Foreign Countries Threaten National Security

WASHINGTON, March 23, 2026—Today, the Federal Communications Commission updated its Covered List to include all consumer-grade routers produced in foreign countries. Routers are the boxes in every home that connect computers, phones, and smart devices to the internet. This followed a determination by a White House-convened Executive Branch interagency body with appropriate national security expertise that such routers “pose unacceptable risks to the national security of the United States or the safety and security of United States persons.”

"The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

"This action does not affect any previously-purchased consumer-grade routers. Consumers can continue to use any router they have already lawfully purchased or acquired."

"Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations. Interested applicants are encouraged to submit applications to [email protected]."

Not sure how many consumer-grade routers will be left for sale if it really is a ban on approvals for any foreign-made consumer routers like they said, and not just a bunch of already restricted Chinese makers like Huawei and ZTE.

https://www.fcc.gov/document/fcc-updates-covered-list-include-foreign-made-consumer-routers

FCC's "covered list" of "thou shalt not entities": https://www.fcc.gov/supplychain/coveredlist

The Kimwolf botmaster Dort is currently spamming the living crap out of this Mastodon instance with messages claiming I'm a monster. Sorry @jerry. That's a lot of junk accounts and messages. I guess the visit he got from law enforcement didn't deter him much.

This is a crazy, developing story. And here you thought *your* organization's patch management routines were strict: From Christopher Kunz at Heise:

"A serious security vulnerability in the Windchill and FlexPLM products prompted a nationwide police response over the weekend. At the behest of the Federal Criminal Police Office (BKA), officers from across Germany were dispatched to alert affected companies – an unprecedented move. Administrators, whose weekends were disrupted, expressed their irritation – some of whom don't even use the compromised software."

"When the editorial team received a tip late Sunday morning about a critical security vulnerability in Windchill and FlexPLM, it sounded like a routine report: A deserialization vulnerability in specialized software, even with a CVSS score of 10, doesn't cause any alarm at heise security. The situation was apparently quite different at the Federal Criminal Police Office (BKA): By that time, they had already alerted the state criminal police offices (LKA) in various federal states, which dispatched police officers to affected companies during the night. As several readers reported to us in the forum, police officers were standing outside company and private premises in the dead of night."

https://www.heise.de/news/WTF-Polizei-rueckte-Samstagnacht-wegen-Zero-Day-aus-11221345.html

WTF: Police dispatched Saturday night over zero-day

Because of the security vulnerability in Windchill and ZeroPLM, several state criminal police offices sent police officers to affected companies. The companies are irritated.

heise online

ICYMI (from the not-all-cyber-news-is-horrible dept), a cyberattack on a U.S. vehicle breathalyzer company has left drivers across the United States stranded and unable to start their vehicles. This story positively cries out for a headline-writing contest. TechCrunch reports:

"The company, Intoxalock, says on its website that it is “currently experiencing downtime” after a cyberattack on March 14. Intoxalock sells breathalyzer devices that fit into vehicle ignition switches, and is used by people who are required to provide a negative alcohol breath sample to start their car."

https://techcrunch.com/2026/03/20/cyberattack-on-vehicle-breathalyzer-company-leaves-drivers-stranded-across-the-us/

Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US | TechCrunch

A cyberattack on a U.S. car breathalyzer company has left drivers across the United States reportedly stranded and unable to start their vehicles.

TechCrunch

You know how in every movie set during WWII there’s a scene where Nazis are checking papers on the trains? That is the USA as of today

https://apnews.com/article/atlanta-airport-tsa-federal-immigration-agents-4cfb93f7d2ff5a1ccb87d1bdbf54b959

ICE seen at Atlanta airport amid partial shutdown

Armed federal immigration officers in tactical gear moved through terminals at some of the busiest U.S. airports Monday, standing near security lines and checkpoints after President Donald Trump ordered their deployment during a partial government shutdown that has disrupted air travel nationwide. The officers have not screened passengers so far. The Trump administration said they would supplement Transportation Security Administration staffing at certain airports but provided few details about exactly what they would be doing. After intensified immigration enforcement and protests in cities across the country over the past year, their presence has unsettled some travelers and raised new questions.

AP News

A man used LLMs to generate hundreds of thousands of "songs", then used bots to stream them billions of times, to collect $8m in royalties. https://www.justice.gov/usao-sdny/pr/north-carolina-man-pleads-guilty-music-streaming-fraud-aided-artificial-intelligence-0 Is there a better metaphor for late-stage capitalism than burning resources to make songs that are never listened to, then streaming them to robots that will never hear them, ad infinitum?

"Microsoft 365 has more than 450 million paid commercial seats. After roughly two years on the market, Copilot has converted approximately 15 million of them into paying users. That's a 3.3% conversion rate, at $30 per user per month, generating roughly $5.4 billion in annual revenue. That's less than what Microsoft spent on infrastructure in a single quarter (3)."

None of the numbers make economic sense.

https://finance.yahoo.com/markets/stocks/articles/nadella-paid-650m-recruit-ai-170000361.html?guccounter=1

Nadella paid $650M to recruit his AI chief. After 2 years he's quietly pushing him aside — these brutal numbers are why

Nadella just reshuffled his entire AI leadership. Here's what that means for your portfolio.

Yahoo Finance

New, by me: 'CanisterWorm' Springs Wiper Attack Targeting Iran

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language.

https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/