
All news with #cisco tag

209 articles · page 3 of 11

Operationalizing Cisco Talos Year in Review Findings

🔍 The Cisco Talos Year in Review synthesizes vast telemetry and Talos IR casework into practical intelligence for defenders. Incident responders should use the report to build realistic tabletop scenarios, validate detections, and stress-test IR plans focusing on dominant TTPs such as valid account abuse, credential dumping, and MFA bypasses. Map findings to MITRE ATT&CK and prioritize vulnerabilities and detections accordingly. It also highlights evolving phishing themes and nascent AI-enabled threats that should shape training and threat-hunting priorities.

Automated Credential Theft via React2Shell in Next.js

🔒 Cisco Talos reports attackers are exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js applications to run an automated credential-harvesting campaign. The operation uses a framework called NEXUS Listener and deploys scripts into standard temporary directories to extract environment secrets, SSH keys, cloud tokens, API keys, and command histories. Researchers observed at least 766 hosts compromised across multiple cloud providers, with sensitive data exfiltrated in chunks to a C2 server over HTTP. Administrators should apply React2Shell patches, rotate exposed credentials immediately, enforce IMDSv2, enable secret scanning, and deploy WAF/RASP protections and least-privilege controls.

React2Shell exposure reveals large-scale credential theft

🔍 Researchers at Cisco Talos discovered that an apparent security lapse exposed the backend of a campaign exploiting the four-month-old React2Shell (CVE-2025-55182) Next.js flaw. A password-protected database and web application holding harvested credentials, tokens, SSH keys, and API secrets was briefly accessible, letting analysts view the attackers' dashboard. The automated campaign compromised hundreds of hosts in a single day and prompted notifications to affected providers while urging immediate patching.

Cisco fixes critical IMC auth bypass in many devices

🔒 Cisco has released patches for a critical authentication bypass in its Integrated Management Controller (IMC), tracked as CVE-2026-20093. The flaw, caused by incorrect handling of password changes, can be exploited via specially crafted HTTP requests to gain unauthenticated admin access. Affected platforms include standalone UCS C-Series, UCS E-Series, Catalyst 8300, and 5000 Series systems. Administrators should apply updates and restrict IMC exposure immediately.

Cisco Patches Critical IMC and SSM Flaws (CVSS 9.8)

🔒 Cisco released patches for two critical vulnerabilities in its management software that carry a CVSS score of 9.8. CVE-2026-20093 in the Integrated Management Controller (IMC) allows an unauthenticated attacker to bypass authentication and change any user password via a crafted HTTP request. CVE-2026-20160 affects Smart Software Manager On‑Prem and can enable remote command execution as root due to an exposed internal service. Cisco provided fixed releases and urges customers to update immediately; there are no known in-the-wild exploits to date.

When Attackers Become Trusted Users: Identity Threats

🔐 In this episode of the Talos Threat Perspective, Hazel Burton examines how identity is being used to gain, extend, and maintain access inside environments. Drawing on the 2025 Talos Year in Review, the video outlines how attackers target identity systems and MFA workflows, establish persistent high-trust access, and use internal phishing to move laterally. It also explores risks from over-permissioned AI agents and identity-linked access, and how adversaries blend into normal user behaviour, complicating detection and containment.

Critical Cisco IMC auth bypass gives attackers Admin access

🔒 Cisco has released patches for a critical Integrated Management Controller (IMC) authentication bypass (CVE-2026-20093) that allows unauthenticated, remote attackers to gain Admin privileges by sending a crafted HTTP password-change request. The flaw affects CIMC on UCS C-Series and E-Series servers and permits altering any account password, including Admin. Cisco's PSIRT reports no known in-the-wild exploitation or public proof-of-concept yet and stresses there are no workarounds, so customers should upgrade to fixed software immediately.

Talos 2025 Year in Review: Identity, AI, and Speed

🔒 The Cisco Talos 2025 Year in Review, discussed by Christopher Marshall and Peter Bailey, highlights accelerating attacker speed and a shift toward identity as the primary battleground. The report shows rapid weaponization of new flaws alongside persistent exploitation of legacy, end-of-life infrastructure, and a sharp rise in fraudulent device registration. Defenders are urged to prioritize identity controls, visibility, lifecycle discipline, and secure AI governance to keep pace.

Cisco Source Code Stolen After Trivy Supply-Chain Breach

🔐 Cisco has confirmed a breach of its internal development environment after threat actors leveraged credentials stolen in the recent Trivy supply-chain compromise. Attackers used a malicious GitHub Action to harvest CI/CD credentials and clone more than 300 repositories, including source for AI-powered products and some customer code. Multiple AWS keys were also taken and used in limited unauthorized activity. Cisco has isolated affected systems, begun reimaging, and is rotating credentials while investigating ongoing fallout tied to related supply-chain attacks.

Talos: Critical Bugs Found in Canva, TP-Link, HikVision

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.

Talos Year in Review: Identity, Vulnerabilities, and Trends

🔒 The Talos 2025 Year in Review synthesizes Cisco telemetry, incident response cases, and Talos research into a free, cross‑functional report highlighting identity-focused attacks, supply‑chain risks, and phishing trends. Key findings include React2Shell as the most targeted CVE, ToolShell ranking third, and Qilin as the dominant ransomware variant. The report warns that attackers increasingly compromise network infrastructure — especially ADCs and management platforms — to bypass MFA and escalate across environments, and recommends prioritizing patching and treating these devices as identity control points.

2025 Threat Trends: Talos and Splunk Double-Header

🔍 In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a double-header review of the newly released Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats. The conversation draws on Cisco telemetry, Talos original research, and Talos Incident Response engagements to move beyond headlines and identify actionable trends. Highlights include the professionalization of ransomware-as-a-service, the persistent exploitation of decade-old vulnerabilities, and practical guidance to help defenders prioritize mitigations and shrink their attack surface for the year ahead.

Chained Cisco Catalyst 9300 Flaws Could Cause DoS Outage

🔒 Cisco's Catalyst 9300 switches contain four vulnerabilities — two of which can be chained to escalate privileges and induce a denial-of-service by forcing the device into maintenance mode. Opswat's Unit 515 CIP Lab reported CVE-2026-20114 (command injection) and CVE-2026-20110 (insufficient sanitization), which together allow a low-privileged Lobby Ambassador account to gain higher privileges. Cisco released fixes in its March 25, 2026 IOS and IOS XE advisory; administrators should run the Software Checker, enable MFA for Lobby Ambassador accounts, and, where possible, set the privilege level for the 'start maintenance' command from the CLI.

Beers with Talos Breaks Down 2025 Year in Review Highlights

🔍 The Beers with Talos B team (Hazel, Bill, Joe and Dave) reviews the 2025 Talos Year in Review and highlights the most consequential cyber trends of the year. They discuss the rapid weaponization of newly disclosed vulnerabilities, widespread identity abuse, evolving ransomware tactics, and a notable rise in APT investigations. The conversation also addresses cyber activity tied to the situation in the Middle East and offers practical priorities for defenders heading into the coming year.

2025 Talos Year in Review — Speed, Scale, Staying Power

🔍 Cisco Talos’ 2025 Year in Review analyzes how adversaries increased the speed and scale of operations, creating sustained pressure on defenders. The report highlights three central themes: rapid exploitation of both newly disclosed and long-standing CVEs, attackers targeting the architecture of trust (identity and device controls), and deliberate focus on centralized systems and shared frameworks to amplify impact. Talos emphasizes prioritized mitigations—timely patching, stronger identity controls, and resilience for shared components—and directs readers to the full, ungated report for detailed telemetry and actionable guidance.

CISA Orders US Agencies to Patch Critical Cisco FMC Flaw

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.

CISA Orders Feds to Patch Critical Cisco FMC Flaw by Sunday

⚠️ CISA has directed Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center by Sunday, March 22, citing active exploitation and maximum severity. Cisco says the web-based management interface suffers insecure deserialization that can allow an unauthenticated remote attacker to execute arbitrary Java code as root. The vendor published updates and warned there are no available workarounds; administrators should apply fixes immediately.

Ransomware Group Exploited Cisco Firewall Zero-Day

⚠️ Amazon disclosed that the ransomware group Interlock exploited a critical deserialization flaw in Cisco Secure Firewall Management Center (CVE-2026-20131) as a zero-day beginning January 26, roughly 38 days before Cisco released a patch on March 4. The bug carries a CVSS score of 10 and was addressed in Cisco’s semiannual firewall update alongside a second high-severity FMC issue. Using its MadPot honeypot network, Amazon captured attacker activity, recovered a malicious ELF binary, and traced a full attack chain that leveraged a single poorly secured staging server. The findings underscore the limits of patching alone and the need for layered defenses and urgent log hunting for provided indicators.

CISA Adds Cisco FMC Deserialization Flaw to KEV Catalog

⚠️ CISA has added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability involves deserialization of untrusted data in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. This class of flaw is a common attack vector and poses significant risk. CISA reminds Federal Civilian Executive Branch agencies to remediate per BOD 22-01 and urges all organizations to prioritize timely remediation as part of normal vulnerability management.

Interlock Ransomware Exploits Cisco FMC Zero-Day Patch Alert

🔒 AWS analysis reveals that the Interlock ransomware group has exploited CVE-2026-20131, a critical RCE in the web-based management interface of Cisco Secure Firewall Management Center (FMC), in active attacks since January 26. The flaw can permit an unauthenticated attacker to execute arbitrary Java code as root and carries a 10.0 CVSS score. AWS recommends applying Cisco patches, reviewing IoCs and hunting for PowerShell staging, custom Java/JavaScript RATs, memory-resident webshells and unauthorized ScreenConnect deployments.