Aggregator
Investors Should Take Long View Despite Anthropic Shock
Anthropic's new AI-powered code security tool may have triggered a market selloff this week, but venture capitalists aren't rewriting their investment plans for cybersecurity vendors, said Nick Davidov, co-founder and managing partner at San Francisco-based venture capital firm DVC.
Bulgaria's Largest Furniture Retailer Remington.bg Breached with 150,000+ Customer and Order Records for Sale
CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild
Exploitation of a maximum severity authentication bypass zero-day vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager has been reported. Immediate patching is recommended to thwart ongoing attacks.
Key takeaways:
- CVE-2026-20127 is an Authentication Bypass Vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager. Patches have been released and no workarounds are currently available.
- Exploitation in the wild has been observed for this zero-day by a threat actor tracked as UAT-8616.
- Multiple government agencies have issued alerts on this active exploitation and multiple publications include threat hunting guidance for devices that may have been compromised.
Update March 5: This blog has been updated to include a reference to CVE-2026-20128 and CVE-2026-20122, two additional SD-WAN Manager vulnerabilities that Cisco has confirmed have been exploited in the wild.
On February 25, Cisco released a security advisory (cisco-sa-sdwan-rpa-EHchtZk) to address a maximum severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage.
CVE | Description | CVSSv3
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller/Manager Authentication Bypass Vulnerability | 10.0
On March 5, Cisco updated security advisory (cisco-sa-sdwan-authbp-qwCX8D4v) to note that two of the CVEs addressed in the advisory have been found to have been exploited in the wild.
CVE | Description | CVSSv3
CVE-2026-20122 | Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability | 7.1
CVE-2026-20128 | Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability | 5.5
Analysis
CVE-2026-20127 is a critical severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests to an affected system, allowing them to log into an affected device as a high-privileged user. Using this access, the attacker could modify network configurations for the SD-WAN fabric. According to the advisory, this vulnerability has been exploited in the wild in limited attacks. The advisory further clarifies that this flaw affects vulnerable versions regardless of the device's configuration and that no workaround steps are available; however, temporary mitigation guidance is available in the security advisory.
CISA releases an Emergency Directive for CVE-2026-20127
Coinciding with the release of the security advisory for CVE-2026-20127, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released emergency directive (ED) 26-03 titled Mitigate Vulnerabilities in Cisco SD-WAN Systems. The ED directs Federal Civilian Executive Branch (FCEB) agencies to take immediate action to identify any Cisco Software-Defined Wide-Area Networking (SD-WAN) systems. The ED notes that CVE-2026-20127 and CVE-2022-20775, a privilege escalation vulnerability affecting SD-WAN devices, pose imminent risk to federal networks. While the ED applies to FCEB agencies, any users who have not yet mitigated their SD-WAN devices for either of these CVEs should take immediate action as threat actors have been observed exploiting these vulnerabilities.
As ongoing exploitation has been observed, Cisco’s security advisory does include indicators of compromise which can aid defenders in identifying if their device has been compromised. Nation state-sponsored actors, including Salt Typhoon and Volt Typhoon, have been known for past exploitation of Cisco devices, so it’s imperative that immediate action is taken to remediate these vulnerabilities.
In addition to CISA, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) also released an alert warning of exploitation of CVE-2026-20127. The ACSC was credited in the Cisco security advisory for reporting the flaw to Cisco and the ACSC alert also includes a threat hunting guide co-authored by multiple agencies including CISA, the National Security Agency (NSA), the Canadian Centre for Cyber Security (Cyber Centre), the New Zealand National Cyber Security Centre (NCSC-NZ) and the United Kingdom National Cyber Security Centre (NCSC-UK).
Exploitation attributed to UAT-8616
While the alerts from the government agencies and Cisco's security advisory did not provide attribution for the attacks targeting CVE-2026-20127, Cisco’s Talos threat intelligence team released a blog attributing the threat activity to UAT-8616. Cisco Talos notes that UAT-8616 is assessed “with high confidence” as “a highly sophisticated cyber threat actor.” The blog by Cisco Talos includes guidance for investigating compromised devices as well as details of the exploitation activity that they have observed.
Cisco announces additional SD-WAN vulnerabilities have been exploited
In an update to security advisory cisco-sa-sdwan-authbp-qwCX8D4v, Cisco noted that CVE-2026-20122 and CVE-2026-20128 have been exploited in the wild. While the advisory did not link the exploitation of these flaws to any threat actor, given the timing of these updates, just a week after the disclosure of CVE-2026-20127, immediate patching is recommended to ensure protection from these flaws.
Proof of concept
At the time this blog was published on February 25, no public proof-of-concept (PoC) exploit had been identified. We anticipate that if a PoC is released, additional attackers will begin to leverage the exploit to conduct mass scanning and exploitation against vulnerable devices.
Solution
Cisco has released patches for affected versions of Cisco Catalyst SD-WAN devices as outlined in the table below. Note that these fixed versions address CVE-2026-20127, CVE-2026-20122 and CVE-2026-20128 as well as additional vulnerabilities that have not been exploited:
Affected Version | Fixed Version
Versions prior to 20.9 | Migrate to a fixed release
20.9 | 20.9.8.2 (Estimated to be released on February 27)
20.11 | 20.12.6.1
20.12.5 | 20.12.5.3
20.12.6 | 20.12.6.1
20.13 | 20.15.4.2
20.14 | 20.15.4.2
20.15 | 20.15.4.2
20.16 | 20.18.2.1
20.18 | 20.18.2.1
The advisory notes that versions 20.11, 20.13, 20.14, 20.16 and versions prior to 20.9 have reached their end of maintenance and customers should upgrade to a supported release.
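As an added example (not Tenable's or Cisco's code), the following script turns the fixed-version table above into a check a defender can run against an inventory of SD-WAN Controller/Manager version strings: it parses dotted versions so they compare numerically (20.12.5.3 is newer than 20.12.5.2 but older than 20.12.6.1), flags the end-of-maintenance trains the advisory names, and reports "migrate" for anything before 20.9. It assumes the two 20.12 rows apply per third-digit train (20.12.5.x and 20.12.6.x); the version strings in the checks at the bottom are constructed.

```python
from typing import Optional, Tuple

# Release train -> first fixed release, transcribed from the table above.
FIXED_BY_TRAIN = {
    "20.9": "20.9.8.2",
    "20.11": "20.12.6.1",
    "20.12.5": "20.12.5.3",
    "20.12.6": "20.12.6.1",
    "20.13": "20.15.4.2",
    "20.14": "20.15.4.2",
    "20.15": "20.15.4.2",
    "20.16": "20.18.2.1",
    "20.18": "20.18.2.1",
}
# Trains the advisory lists as end of maintenance: the fix lives in a later train.
END_OF_MAINTENANCE = {"20.11", "20.13", "20.14", "20.16"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '20.12.5.3' into (20, 12, 5, 3) so versions compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def release_train(version: str) -> Optional[str]:
    """Map a version to its row in the table, or None for anything before 20.9."""
    v = parse_version(version)
    if v[:2] < (20, 9):
        return None
    # Assumption: the 20.12 rows are split by the third digit (20.12.5 / 20.12.6).
    if v[:2] == (20, 12) and len(v) >= 3:
        return f"20.12.{v[2]}"
    return f"{v[0]}.{v[1]}"


def assess(version: str) -> str:
    """Classify one version: fixed, vulnerable, end-of-maintenance, migrate or unknown."""
    train = release_train(version)
    if train is None:
        return "migrate"  # prior to 20.9: no fixed release in this train
    if train in END_OF_MAINTENANCE:
        return "end-of-maintenance"  # must move to the fixed train listed in the table
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        return "unknown"  # train not in the table; check the advisory directly
    return "fixed" if parse_version(version) >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    for sample in ("20.12.5.2", "20.12.5.3", "20.13.1", "20.6.3"):  # constructed
        print(sample, assess(sample))
```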
Identifying affected systems
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-20127, CVE-2022-20775, CVE-2026-20122 and CVE-2026-20128 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Cisco Catalyst SD-WAN devices by using the following query: Document Title contains Cisco Catalyst SD-WAN
Get more information
- Cisco cisco-sa-sdwan-rpa-EHchtZk Security Advisory
- Cisco cisco-sa-sd-wan-priv-E6e8tEdF Security Advisory
- Cisco cisco-sa-sdwan-authbp-qwCX8D4v Security Advisory
- CISA ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems
- Australian Signals Directorate’s Australian Cyber Security Centre Alert: Exploitation of Cisco SD-WAN appliances
- Cisco Talos: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild appeared first on Security Boulevard.
Weekly Threat Bulletin – February 25th, 2026
Health insurance tech provider TriZetto says more than 3 million impacted by 2024 breach
Trend Micro security advisory (AV26-168)
SURXRAT Android RAT Attacking Users Gain Complete Device-Control and Data Exfiltration
The mobile threat landscape is witnessing a significant shift toward professionalized cybercriminal operations, driven by the increasing availability of sophisticated malicious tools. A new and potent threat known as SURXRAT has recently emerged, operating as a high-functioning Remote Access Trojan designed to compromise Android devices. Unlike simple malicious applications that rely on basic tricks, this […]
The post SURXRAT Android RAT Attacking Users Gain Complete Device-Control and Data Exfiltration appeared first on Cyber Security News.
Zyxel security advisory (AV26-167)
The gravitational whisper of a billion black holes: scientists have found a new way to measure the expansion rate of the Universe
Emulating the Mutative BlackByte Ransomware
AttackIQ has released a new attack graph that emulates the behaviors exhibited by BlackByte ransomware, a strain operated under the Ransomware-as-a-Service (RaaS) model that emerged in July 2021. Since its emergence, BlackByte has targeted organizations worldwide, including entities within U.S. critical infrastructure sectors such as Government, Financial Services, Manufacturing, and Energy.
The post Emulating the Mutative BlackByte Ransomware appeared first on AttackIQ.
The post Emulating the Mutative BlackByte Ransomware appeared first on Security Boulevard.