Beyond Information Security

Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities

Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild.

The vulnerabilities in question are listed below –

  • CVE-2026-20122 (CVSS score: 7.1) – An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires the attacker to have valid read-only credentials with API access on the affected system.
  • CVE-2026-20128 (CVSS score: 5.5) – An information disclosure vulnerability that could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Successful exploitation requires the attacker to have valid vManage credentials on the affected system.

Patches for the two defects, together with fixes for CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were released by Cisco late last month. Fixed releases by version train –

  • Earlier than Version 20.9 – Migrate to a fixed release.
  • Version 20.9 – Fixed in 20.9.8.2
  • Version 20.11 – Fixed in 20.12.6.1
  • Version 20.12 – Fixed in 20.12.5.3 and 20.12.6.1
  • Version 20.13 – Fixed in 20.15.4.2
  • Version 20.14 – Fixed in 20.15.4.2
  • Version 20.15 – Fixed in 20.15.4.2
  • Version 20.16 – Fixed in 20.18.2.1
  • Version 20.18 – Fixed in 20.18.2.1

Note that for the 20.11, 20.13, 20.14 and 20.16 trains the fix was only published in a later train, so no release of those trains is patched; a migration, not a point upgrade, is required.

„In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only,“ the networking equipment major said. The company did not elaborate on the scale of the activity and who may be behind it.
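Turning the fixed-release list above into a triage check, as an added example for this digest (not Cisco tooling): the trains and fixed releases are copied from the list, the host inventory is constructed, and the rule that a later maintenance release on the same train inherits the fix is an assumption of the example, not a statement from the advisory.

```python
"""Triage an installed Catalyst SD-WAN Manager version against the fixed releases
listed in this digest item. Added example, not Cisco tooling."""
from __future__ import annotations

# Affected train -> fixed release(s), copied from the list above.
FIXED_RELEASES = {
    "20.9":  ["20.9.8.2"],
    "20.11": ["20.12.6.1"],
    "20.12": ["20.12.5.3", "20.12.6.1"],
    "20.13": ["20.15.4.2"],
    "20.14": ["20.15.4.2"],
    "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"],
    "20.18": ["20.18.2.1"],
}
OLDEST_LISTED_TRAIN = (20, 9)   # anything older: "migrate to a fixed release"


def parse(version: str) -> tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def train_of(version: str) -> str:
    major, minor = parse(version)[:2]
    return f"{major}.{minor}"


def assess(version: str) -> tuple[str, str]:
    """Return (status, action) for one installed version.

    status is 'fixed', 'vulnerable' or 'unknown'; action is the remediation
    a practitioner should log alongside it.
    """
    installed = parse(version)
    if installed[:2] < OLDEST_LISTED_TRAIN:
        return "vulnerable", "migrate to a fixed release"

    train = train_of(version)
    fixes = FIXED_RELEASES.get(train)
    if fixes is None:
        return "unknown", "train not in the advisory table; check the Cisco advisory"

    same_train = [f for f in fixes if train_of(f) == train]
    if not same_train:
        # The fix was only published in a later train (e.g. 20.11 -> 20.12.6.1),
        # so every release of this train is affected.
        return "vulnerable", f"migrate to {fixes[0]}"

    # Prefer the fixed release on the same maintenance line (first three
    # components, e.g. 20.12.6.0 vs 20.12.6.1); otherwise the lowest fix of the
    # train. Assumption: later maintenance releases carry the fix forward.
    same_line = [f for f in same_train if parse(f)[:3] == installed[:3]]
    target = min(same_line or same_train, key=parse)
    if installed >= parse(target):
        return "fixed", "no action"
    return "vulnerable", f"upgrade to {target}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("vmanage-a", "20.12.6.0"), ("vmanage-b", "20.12.5.4"),
                      ("vmanage-c", "20.11.1.2"), ("vmanage-d", "20.8.1.0"),
                      ("vmanage-e", "20.9.8.2")]:
        status, action = assess(ver)
        print(f"{host:<10} {ver:<10} {status:<11} {action}")
```

The 20.12 train is the instructive case: 20.12.6.0 is numerically above the 20.12.5.3 fix but still vulnerable because its own maintenance line is only fixed from 20.12.6.1, so a plain "greater than the first fixed version" comparison would clear a vulnerable manager.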

Source: The hacker news / Bleeping computer / Dark reading / Securityweek / CISCO Talos intelligence group

Link: https://thehackernews.com/2026/03/cisco-confirms-active-exploitation-of.html

Link: https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html

Link: https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/

Link: https://www.darkreading.com/vulnerabilities-threats/cisco-sd-wan-zero-day-exploitation-3-years

Link: https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/

Link: https://www.securityweek.com/cisco-patches-catalyst-sd-wan-zero-day-exploited-by-highly-sophisticated-hackers/

Link: https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/

Link: https://blog.talosintelligence.com/uat-8616-sd-wan/


Where Multi-Factor Authentication Stops and Credential Abuse Starts

Organizations typically roll out multi-factor authentication (MFA) and assume stolen passwords are no longer enough to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials. The issue is not MFA itself, but coverage.

Enforced through an identity provider (IdP) such as Microsoft Entra ID, Okta, or Google Workspace, MFA works well for cloud apps and federated sign-ins. But many Windows logons rely solely on Active Directory (AD) authentication paths that never trigger MFA prompts. To reduce credential-based compromise, security teams need to understand where Windows authentication happens outside their identity stack.
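One way to start that inventory, as an added example that is not part of the article: classify Windows Security event 4624 records by LogonType and AuthenticationPackageName to find the logons that Active Directory answered on its own, with no identity provider in the path. The records below are constructed sample data using 4624's field names, not real logs; the path labels and notes are the example's own.

```python
"""Inventory Windows logons that never passed through the identity provider.

Added example for this digest, not from the article. NTLM and Kerberos logons
are answered entirely by Active Directory, so an IdP MFA policy never sees
them; stored-credential and cached logons never prompt anyone at all.
"""
from __future__ import annotations
from collections import Counter

# Constructed sample 4624 records (a subset of the real event's fields).
EVENTS = [
    {"TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "IpAddress": "10.0.5.17", "WorkstationName": "WKS-22"},
    {"TargetUserName": "alice", "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "IpAddress": "10.0.5.17", "WorkstationName": "WKS-22"},
    {"TargetUserName": "svc-backup", "LogonType": 5, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "Advapi", "IpAddress": "-", "WorkstationName": "FS01"},
    {"TargetUserName": "bob", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "IpAddress": "10.0.7.3", "WorkstationName": "-"},
    {"TargetUserName": "bob", "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "IpAddress": "::1", "WorkstationName": "WKS-09"},
    {"TargetUserName": "SYSTEM", "LogonType": 5, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "Advapi", "IpAddress": "-", "WorkstationName": "-"},
    {"TargetUserName": "WKS-22$", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "IpAddress": "10.0.5.17", "WorkstationName": "-"},
]

LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 8: "network-cleartext", 9: "new-credentials",
               10: "remote-interactive", 11: "cached-interactive"}


def is_account_of_interest(name: str) -> bool:
    """Skip machine accounts and the built-in identities; they never see MFA anyway."""
    return not name.endswith("$") and name.upper() not in {"SYSTEM", "ANONYMOUS LOGON"}


def classify(ev: dict) -> dict | None:
    """Describe the authentication path of one 4624 record, or None if skipped."""
    user = ev["TargetUserName"]
    if not is_account_of_interest(user):
        return None
    lt = ev["LogonType"]
    pkg = ev["AuthenticationPackageName"].upper()
    proc = ev["LogonProcessName"].upper()
    if pkg == "NTLM" or proc == "NTLMSSP":
        path, note = "NTLM", "password hash is the only factor; pass-the-hash and relay capable"
    elif lt == 8:
        path, note = "cleartext-network", "password sent to the service in clear (e.g. basic auth)"
    elif lt in (4, 5):
        path, note = "stored-credential", "credentials saved on the host; no prompt of any kind"
    elif lt == 9:
        path, note = "runas-netonly", "alternate credentials supplied locally (runas /netonly)"
    elif lt == 11:
        path, note = "cached-logon", "DC unreachable; verified against the local credential cache"
    elif lt in (2, 10) and proc == "USER32":
        path, note = "AD-interactive", "console/RDP logon validated by a DC, not by the IdP"
    else:
        path, note = "Kerberos", "ticket-based; MFA only if the TGT itself was obtained with one"
    return {"user": user, "logon_type": LOGON_TYPES.get(lt, str(lt)), "path": path,
            "source": ev["IpAddress"] if ev["IpAddress"] != "-" else ev["WorkstationName"],
            "note": note}


def coverage_report(events: list[dict]) -> dict:
    """Findings per logon, counts per path, and the accounts still using NTLM."""
    findings = [f for f in (classify(e) for e in events) if f]
    by_path = Counter(f["path"] for f in findings)
    ntlm_users = sorted({f["user"] for f in findings if f["path"] == "NTLM"})
    return {"findings": findings, "by_path": dict(by_path), "ntlm_users": ntlm_users}


if __name__ == "__main__":
    report = coverage_report(EVENTS)
    for f in report["findings"]:
        print(f"{f['user']:<12} {f['logon_type']:<18} {f['path']:<18} from {f['source']:<10} {f['note']}")
    print("\nlogons outside the IdP by path:", report["by_path"])
    print("accounts still authenticating with NTLM:", report["ntlm_users"])
```

Run it over a 4624 export from your SIEM and read the NTLM and stored-credential rows first: those are the paths where a stolen password or hash alone is sufficient, regardless of what the IdP policy says.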

Source: The hacker news

Link: https://thehackernews.com/2026/03/where-multi-factor-authentication-stops.html


Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1

Google said it identified a „new and powerful“ exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.

The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It’s not effective against the latest version of iOS. The findings were first reported by WIRED.

„The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,“ according to GTIG. „The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.“

The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally, to a financially motivated threat actor operating from China by December.

It’s currently not known how the exploit kit changed hands, but the findings point to an active market for second-hand zero-day exploits, allowing other threat actors to reuse them for their own objectives. In a related report, iVerify said the exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html

Link: https://www.securityweek.com/nation-state-ios-exploit-kit-coruna-found-powering-global-attacks/

Link: https://www.securityweek.com/cisa-adds-ios-flaws-from-coruna-exploit-kit-to-kev/


CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw impacting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.

The high-severity vulnerability, CVE-2026-22719 (CVSS score: 8.1), has been described as a case of command injection that could allow an unauthenticated attacker to execute arbitrary commands.

„A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,“ the company said in an advisory released late last month.

Source: The hacker news / Broadcom security advisory / Bleeping computer / Dark reading / Securityweek

Link: https://thehackernews.com/2026/03/cisa-adds-actively-exploited-vmware.html

Link: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Link: https://www.bleepingcomputer.com/news/security/cisa-flags-vmware-aria-operations-rce-flaw-as-exploited-in-attacks/

Link: https://www.darkreading.com/cloud-security/vmware-aria-operations-bug-exploited-cloud-risk

Link: https://www.securityweek.com/vmware-aria-operations-vulnerability-could-allow-remote-code-execution/

Link: https://www.securityweek.com/vmware-aria-operations-vulnerability-exploited-in-the-wild/


SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution

SolarWinds has released updates to address four critical security flaws in its Serv-U file transfer software that, if successfully exploited, could result in remote code execution.

The vulnerabilities, all rated 9.1 on the CVSS scoring system, are listed below –

  • CVE-2025-40538 – A broken access control vulnerability that allows an attacker to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges.
  • CVE-2025-40539 – A type confusion vulnerability that allows an attacker to execute arbitrary native code as root.
  • CVE-2025-40540 – A type confusion vulnerability that allows an attacker to execute arbitrary native code as root.
  • CVE-2025-40541 – An insecure direct object reference (IDOR) vulnerability that allows an attacker to execute native code as root.

SolarWinds noted that the vulnerabilities require administrative privileges for successful exploitation. It also said that they carry a medium security risk on Windows deployments as the services „frequently run under less-privileged service accounts by default.“

The four shortcomings affect SolarWinds Serv-U version 15.5. They have been addressed in SolarWinds Serv-U version 15.5.4.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2026/02/solarwinds-patches-4-critical-serv-u.html

Link: https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/

Link: https://www.securityweek.com/solarwinds-patches-four-critical-serv-u-vulnerabilities/


From Exposure to Exploitation: How AI Collapses Your Response Window

We’ve all seen this before: a developer deploys a new cloud workload and grants overly broad permissions just to keep the sprint moving. An engineer generates a „temporary“ API key for testing and forgets to revoke it. In the past, these were minor operational risks, debts you’d eventually pay down during a slower cycle.

But today, within minutes, AI-powered adversarial systems can find that over-permissioned workload, map its identity relationships, and calculate a viable route to your critical assets. Before your security team has even finished their morning coffee, AI agents have simulated thousands of attack sequences and moved toward execution.

AI compresses reconnaissance, simulation, and prioritization into a single automated sequence. The exposure you created this morning can be modeled, validated, and positioned inside a viable attack path before your team has lunch.

Source: The hacker news

Link: https://thehackernews.com/2026/02/from-exposure-to-exploitation-how-ai.html