< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles

Talos: Multiple Vulnerabilities in WolfSSL, GeoVision, VTK

🔒 Cisco Talos disclosed multiple vulnerabilities across WolfSSL, GeoVision, and VTK-DICOM, all of which have been patched by vendors in line with Cisco’s disclosure policy. The findings include three WolfSSL issues (two improper input validation and one integer underflow), 14 GeoVision advisories spanning 37 CVEs, and one heap-based buffer overflow in VTK-DICOM. Snort rules to detect exploit attempts are available from Snort.org. Discoveries were made by Ankur Tyagi, Philippe Laulheret, and Emmanuel Tacheau of Cisco Talos.
read more →

Winning 54% of the Time: SOC Decisions and Threats

🎾 This week’s Threat Source reflects on decision-making in cybersecurity through a tennis analogy, arguing defenders need context and resilience rather than perfection. Cisco Talos details the China-nexus actor UAT-7810 expanding ORB networks by exploiting Ruckus and ASUS router vulnerabilities and deploying new backdoors like LONGLEASH and DOGLEASH. Additional briefs cover an AI-assisted ransomware incident, AirDrop/Quick Share flaws, a Tenda firmware backdoor, Estonia’s AI agent IDs, and new phishing and coinminer detections.
read more →

ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit

🛡️ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.
read more →

CISA orders urgent patches for exploited Cisco and PLM flaws

🔔 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has set a June 28 deadline under BOD 26-04 for federal agencies to patch a critical Cisco Unified Communications Manager Server SSRF vulnerability, CVE-2026-20230, which is being actively exploited. Cisco released a patch on June 3 and labeled the issue critical after a proof-of-concept existed; subsequent reports showed active attacks writing arbitrary files. CISA also added a critical RCE flaw, CVE-2026-12569, affecting PTC Windchill and FlexPLM products to its Known Exploited Vulnerabilities list, requiring immediate remediation.
read more →

Threat Actor Exploited Cisco SD‑WAN Zero‑Day

🔒 A Google (Mandiant) report warns that a threat actor exploited a severe Cisco SD‑WAN vulnerability (CVE-2026-20245) at least two months before disclosure. The flaw, a high-severity (CVSS 7.8) privilege escalation in the CLI of Cisco Catalyst SD-WAN Controller, allowed authenticated local attackers to upload crafted files and execute commands as root. Cisco disclosed the issue on June 4 and began releasing fixes on June 10, while Mandiant detailed related unauthorized peering and credential-theft activity stretching back to late 2025.
read more →

Malicious AI agent skill bypasses security checks

🛡️ A faux AI agent skill called brand-landingpage bypassed static security scanners and reached over 26,000 users via an Instagram ad, highlighting risks as enterprises adopt AI-driven tools. The skill pointed agents to a fake Stitch SDK hosted on a domain controlled by researchers, which initially redirected to the real Google Stitch site to pass review. After distribution, the researchers changed the hosted content to instruct agents to download a script that collected email addresses, demonstrating how mutable external resources let malicious behaviors slip past static reviews. Security vendors and scanners from Cisco, Nvidia, and skills.sh marked the skill safe during testing.
read more →

Cisco Unified CM SSRF Flaw Now Being Exploited

🛡️ Threat actors are actively exploiting a critical vulnerability in Cisco Unified Communications Manager and its SME edition, tracked as CVE-2026-20230 (CVSS 8.6). The flaw stems from improper input validation in handling specific HTTP requests, enabling unauthenticated SSRF and arbitrary file writes that could lead to root escalation. Exploitation requires the WebDialer service to be enabled (disabled by default); Cisco has released patches in 14SU6 and 15SU5 and recommends disabling WebDialer if immediate patching is not possible.
read more →

Fake AI Agent Skill Bypasses Security Checks

🛡️ A security firm, AIR, created a benign but deceptive AI agent skill named brand-landingpage, pushed it through a major skill marketplace and promoted it with an Instagram ad, and reports it reached roughly 26,000 agents including corporate accounts. Scanners from vendors like Cisco and NVIDIA marked the package safe because the skill pointed to external setup documentation rather than embedding malicious code. AIR later swapped the external page to deliver a harmless payload that collected email addresses, demonstrating how scanners miss links that can be rewritten after review. The experiment highlights structural trust problems with skills and common mitigations such as pinning versions and vetting external references.
read more →

Human behavior shapes cybersecurity outcomes

🛰️ Cisco Talos' Threat Source newsletter reflects on how human behavior, context, and competing priorities often override rational security decisions. The piece links a Spielberg film theme to cybersecurity, noting that knowledge alone doesn't ensure action — organizations struggle with budgets, workloads, and urgency. Talos highlights practical controls like segmentation, backups, and MFA, and showcases a new reverse-engineering method that pairs local AI agents with tools like vbdec to accelerate analysis while protecting sensitive binaries.
read more →

Operation Escaneo exposes Latin American intrusions

🔍 New research from CloudSEK reveals Operation Escaneo, a coordinated campaign targeting government and financial entities across Latin America after attackers left a staging server exposed. The group exploited internet-facing appliances and known vulnerabilities in Fortinet and Ivanti devices, plus Apache Tomcat, Windows, and Log4Shell flaws. Attackers used custom reconnaissance (Kimera), webshells, reverse tunnels and a compromised Cisco router to exfiltrate large volumes of sensitive data.
read more →

Chainguard launches Athena coalition to protect OSS

🔒 Chainguard has launched Athena, an industry coalition announced on June 16 to protect open-source software from attacks facilitated by frontier AI models. Founding members include BNY, Cisco, Cloudflare, Docker, JPMorganChase, PwC and others. Athena pools vulnerability findings into a shared platform, applies private patches and provides mitigations to members before public disclosure. The initiative aims to coordinate upstream fixes and partner with the Linux Foundation for broader incident response support.
read more →

Cisco SD‑WAN flaw highlights management‑plane risk

🔒 Cisco has issued patches for a vulnerability in Cisco Catalyst SD‑WAN Manager that allowed authenticated users with write access to create or overwrite files via a flawed file upload API, potentially enabling later privilege escalation to root. The flaw, tracked as CVE‑2026‑20262, affected all deployment types and had been subject to limited exploitation; Cisco advised upgrading to fixed releases and reviewing logs for suspicious uploads such as index.jsp and .war files. Analysts warn that compromise of the management plane can lead to network‑wide control‑plane impact and recommend isolating, hardening, and tightly monitoring SD‑WAN managers as Tier‑0 assets.
read more →

Cisco issues patches for SD‑WAN file upload flaw

🔒 Cisco has released updates fixing a medium‑severity flaw in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20262) that is being actively exploited. The bug allows an authenticated attacker with write access to create or overwrite files via a vulnerable web UI file upload API, which can be leveraged to escalate privileges. Affected on‑prem and cloud SD‑WAN deployments have fixes available across multiple release tracks; customers are urged to apply patches and audit logs for suspicious WAR uploads.
read more →

Cisco fixes SD‑WAN Manager zero‑day exploited to root

🛡️ Cisco has released patches for a zero-day in Catalyst SD-WAN Manager (formerly SD-WAN vManage), tracked as CVE-2026-20262, which was exploited to escalate to root privileges. The flaw affects all deployment types and results from insufficient validation of user-supplied file uploads, allowing authenticated low-privilege attackers to create or overwrite files via a crafted HTTP request. Cisco PSIRT confirmed active exploitation, provided IOCs, and strongly urged customers to upgrade to fixed releases.
read more →

CISA Adds Cisco, Chrome and Arista Flaws to KEV

🔒 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The flaws include an authenticated command injection in Cisco Catalyst SD-WAN Manager (CVE-2026-20245), a V8 out-of-bounds read/write in Google Chrome (CVE-2026-11645), and a tunnel decapsulation issue in Arista EOS (CVE-2026-7473). Agencies must remediate or mitigate these issues by June 23, 2026.
read more →

Microsoft June 2026 Patch Tuesday: Key Fixes

🛡️ Microsoft released its June 2026 security update addressing 206 vulnerabilities, including 32 marked critical. Talos highlights multiple RCEs across Windows components, Office, Azure services, and other products, and calls out several vulnerabilities as more likely to be exploited. Cisco Talos published Snort 2 and Snort 3 rules to detect exploitation attempts and urges customers to update rule packs promptly.
read more →

Active privilege escalation flaw in Cisco SD‑WAN Manager

🔒 Cisco warns of an actively exploited high-severity vulnerability in Catalyst SD‑WAN Manager that allows authenticated attackers to escalate privileges to root. The flaw, tracked as CVE-2026-20245, requires local access and netadmin privileges but can be chained with prior authentication bypass bugs. Cisco recommends upgrading to the latest versions, checking edge device configurations, saving logs, and contacting TAC if indicators of compromise are found.
read more →

Cisco warns of active exploit in SD‑WAN Manager

🔒 Cisco has disclosed a high-severity vulnerability, CVE-2026-20245, affecting Catalyst SD‑WAN Manager deployments including on-premises and cloud variants. The flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file due to insufficient input validation. Cisco noted limited cases of configuration changes pushed to edge devices and advised applying fixes for related authentication bypass flaws (CVE-2026-20182) while monitoring /var/log/scripts.log for IoCs.
read more →

Critical Cisco SD‑WAN Manager zero‑day enables root

🔒 Cisco warned of a high‑severity, unpatched zero‑day (CVE-2026-20245) in the Catalyst SD‑WAN Manager actively exploited to escalate to root. The flaw affects all deployment types and results from insufficient validation of user‑supplied input, allowing local attackers with netadmin privileges to perform command injection by uploading crafted files. Cisco noted limited cases of configuration changes pushed to edge devices and advised contacting TAC and producing admin‑tech logs for investigation. Patches are not yet available; customers were urged to install fixes for related CVE-2026-20182.
read more →

Cisco Live report: AI, networking, and wellbeing

🐶 At Cisco Live U.S. in Las Vegas, the author describes the conference pace, the value of quiet spaces and noise-canceling gear, and the welcome presence of therapy dogs sponsored by Splunk. Discussions at the event centered on AI from an infrastructure and security lens, including the daunting scale of data and associated defense challenges. Cisco Talos highlights expansion of its Threat Hunting program using AI-driven telemetry plus expert validation to find advanced intrusions like a recent KongTuke C2 discovery.
read more →