
All news with #cisco tag

209 articles

Cisco fixes CVSS 10.0 flaw in Secure Workload

🔒 Cisco issued updates for a maximum-severity vulnerability (CVE-2026-20223) in Secure Workload that allows unauthenticated, remote access to REST API endpoints. The flaw permits crafted API requests to read sensitive data and change configurations across tenant boundaries with Site Admin privileges. Affected versions include Release 3.9 and earlier (migrate), 3.10 (fixed in 3.10.8.3), and 4.0 (fixed in 4.0.3.17). Cisco discovered the issue internally and reports no evidence of exploitation in the wild.

Critical Cisco Secure Workload vulnerability demands immediate patch

🔒 A critical vulnerability in the on-premises Cisco Secure Workload platform can let a remote, unauthenticated attacker gain site admin privileges by sending a crafted HTTP request to an internal REST API. Cisco assigned CVE-2026-20223 a CVSS score of 10.0 and says the issue stems from insufficient validation and authentication of REST API access. Only on-prem deployments need to act, by upgrading immediately to the patched versions; the SaaS offering has already been fixed. Cisco reported no known exploitation in the wild at the time of disclosure.

The Art of Being Ungovernable: Career and Threats

📝 This edition of the Threat Source newsletter blends career reflection with active threat intelligence. The author argues that being ungovernable — intellectually curious and challenging — can accelerate growth when paired with the right peers. Cisco Talos also documents a Chinese-language BadIIS MaaS campaign, highlighting indicators like embedded demo.pdb strings and recommending IIS monitoring and updated endpoint detections.

Cisco fixes max-severity Secure Workload REST API flaw

🔒 Cisco released patches for a maximum-severity vulnerability in Secure Workload (formerly Tetration) that allowed unauthenticated attackers to gain Site Admin privileges by abusing internal REST APIs. The flaw, tracked as CVE-2026-20223, stems from insufficient validation and authentication of API endpoints and could let attackers read sensitive data and change configurations across tenant boundaries. Cisco provided fixed releases for on-premises deployments and has already remediated the issue in the SaaS offering; no workarounds exist.

Talos Discloses TP-Link, Photoshop, OpenVPN, Norton Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting TP‑Link, Adobe Photoshop, OpenVPN, and Norton VPN. Most issues were patched by vendors under Cisco’s third‑party disclosure policy; the Norton installer flaw was observed in use before a patch was available. The TP‑Link Archer AX53 firmware contains eight issues including buffer overflow and several command injection and config‑control flaws that allow code execution or arbitrary file access. Talos recommends applying vendor updates and using updated Snort rules to detect exploitation.

Cisco warns of exploited SD-WAN authentication bypass

⚠ Cisco has disclosed a maximum-severity authentication bypass in its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms that has been observed exploited in the wild. The flaw lets unauthenticated remote actors craft control-connection requests to bypass peer authentication and gain administrative privileges. Cisco has released updates and urges immediate patching because no workarounds exist. The issue is tracked as CVE-2026-20182 with a CVSS score of 10.0 and was added to CISA’s KEV list.

CISA Adds Cisco SD-WAN CVE to KEV; FCEB Remediate Now

🔒 CISA has added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by May 17, 2026. The flaw is rated 10.0 (CVSS) and allows an unauthenticated remote attacker to obtain administrative privileges. Cisco links active exploitation to threat cluster UAT-8616 and advises customers to follow its advisories and mitigation guidance.

Critical Cisco SD-WAN Controller Zero-Day Exploits

⚠ Cisco warns of an actively exploited authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) rated 10.0, affecting on-premises and SD-WAN Cloud Manager deployments. The vulnerability stems from a peering authentication mechanism that "is not working properly" and can grant high-privileged, non-root administrative access and NETCONF control. Cisco detected exploitation in May, released security updates as the only full remediation, and advises restricting management-plane access and reviewing peering and auth logs for IOCs.

Preparing for an Imminent Surge in Software Patching

🔧 Cisco Talos argues that rapid advances in AI-driven code analysis will soon expose decades of latent software defects, triggering a likely surge in vulnerability disclosures and urgent patches. While AI can augment human reviewers by scanning code at scale, threat actors will also use these tools to find exploits. Organizations should reassess patch prioritization, scale deployment processes, and plan for systems that cannot be quickly patched. Talos recommends zero trust, centralized logging, PowerShell script block logging, and updated incident response playbooks.

Cisco fixes CVE-2026-20182 SD-WAN Controller bypass

🔒 Cisco has released fixes for a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) that it says has been exploited in limited attacks. The flaw allows a remote unauthenticated attacker to become an authenticated peer and obtain administrative privileges by abusing the peering authentication mechanism. Affected deployments include On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP); Cisco urges immediate patching and recommends auditing /var/log/auth.log for suspicious peering or publickey entries.

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD‑WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.

CISA Adds New Entry to Known Exploited Vulnerabilities

⚠️ CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-14 after confirming active exploitation. The agency warns that such vulnerabilities are common attack vectors and present significant risk to the federal enterprise. CISA directs organizations to follow Emergency Directive 26-03 and BOD 22-01 guidance, assess exposure, and apply mitigations or discontinue affected Cisco SD-WAN products if mitigations are not available.

Unplug to Improve Focus: Physical Hobbies Aid Devs

🌳 The Threat Source newsletter urges cybersecurity professionals to step away from screens and engage in tactile hobbies to reset mental focus and foster creative problem solving. The author describes a miniature‑painting session at the office and recommends simple anchors — walking, knitting, building a keyboard — to refresh cognition. Separately, Cisco Talos flags a rise in phone‑number‑based scam infrastructure and urges clustering of telephony IOCs.

Cisco DoS Bug Requires Manual Reboot to Recover Devices

⚠️ Cisco released patches for a high-severity denial-of-service vulnerability (CVE-2026-20188) affecting Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO). The issue stems from inadequate rate limiting on incoming connections and can be exploited remotely by unauthenticated actors to exhaust connection resources and crash systems. Affected releases include CNC 7.1 and earlier and NSO 6.3 and earlier; fixed releases and mitigations are detailed in Cisco's advisory. Cisco's PSIRT says it is not aware of active exploitation but strongly urges customers to upgrade to patched software to avoid manual reboots and service disruption.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.

Analysis of Phone Number Clustering and Reuse in Scam Emails

📞 Cisco Talos analyzed phone numbers extracted from scam emails and found that API-driven VoIP provisioning enables large-scale, low-cost operations that are difficult to trace. Attackers rotate through sequential DID blocks, use cool-down windows, and frequently recycle numbers across multiple lures and attachment types. In a Feb 26–Mar 31, 2026 dataset of 1,652 numbers, the median lifespan was ~14 days; Sinch was the most abused provider. Talos recommends using phone numbers as anchors for cross-channel threat mapping.

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one‑time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.

Talos Year in Review: Five Priorities for Defenders

🔐 Cisco Talos’ Year in Review, authored by Hazel Burton, highlights how lower barriers to attack and rapid proof-of-concept development are stressing defenders. The report shows attackers increasingly rely on valid accounts, credential abuse, and management-plane targets while still producing detectable anomalous behavior. Recommended priorities include hardening IAM, prioritizing patching by exposure, improving visibility into legacy components, and securing systems that broker trust.