< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles · page 5 of 12

Chained Cisco Catalyst 9300 Flaws Could Cause DoS Outage

🔒 Cisco's Catalyst 9300 switches contain four vulnerabilities — two of which can be chained to escalate privileges and induce a denial-of-service by forcing the device into maintenance mode. Opswat's Unit 515 CIP Lab reported CVE-2026-20114 (command injection) and CVE-2026-20110 (insufficient sanitization), which together allow a low-privileged Lobby Ambassador account to gain higher privileges. Cisco released fixes in its March 25, 2026 IOS and IOS XE advisory; administrators should run the Software Checker, enable MFA for Lobby Ambassador accounts, and, where possible, set the privilege level for the 'start maintenance' command from the CLI.
read more →

Beers with Talos Breaks Down 2025 Year in Review Highlights

🔍 The Beers with Talos B team (Hazel, Bill, Joe and Dave) reviews the 2025 Talos Year in Review and highlights the most consequential cyber trends of the year. They discuss the rapid weaponization of newly disclosed vulnerabilities, widespread identity abuse, evolving ransomware tactics, and a notable rise in APT investigations. The conversation also addresses cyber activity tied to the situation in the Middle East and offers practical priorities for defenders heading into the coming year.
read more →

2025 Talos Year in Review — Speed, Scale, Staying Power

🔍 Cisco Talos’ 2025 Year in Review analyzes how adversaries increased the speed and scale of operations, creating sustained pressure on defenders. The report highlights three central themes: rapid exploitation of both newly disclosed and long-standing CVEs, attackers targeting the architecture of trust (identity and device controls), and deliberate focus on centralized systems and shared frameworks to amplify impact. Talos emphasizes prioritized mitigations—timely patching, stronger identity controls, and resilience for shared components—and directs readers to the full, ungated report for detailed telemetry and actionable guidance.
read more →

CISA Orders US Agencies to Patch Critical Cisco FMC Flaw

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.
read more →

CISA Orders Feds to Patch Critical Cisco FMC Flaw by Sunday

⚠️ CISA has directed Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center by Sunday, March 22, citing active exploitation and maximum severity. Cisco says the web-based management interface suffers insecure deserialization that can allow an unauthenticated remote attacker to execute arbitrary Java code as root. The vendor published updates and warned there are no available workarounds; administrators should apply fixes immediately.
read more →

Ransomware Group Exploited Cisco Firewall Zero-Day

⚠️ Amazon disclosed that the ransomware group Interlock exploited a critical deserialization flaw in Cisco Secure Firewall Management Center (CVE-2026-20131) as a zero-day beginning January 26, roughly 38 days before Cisco released a patch on March 4. The bug carries a CVSS score of 10 and was addressed in Cisco’s semiannual firewall update alongside a second high-severity FMC issue. Using its MadPot honeypot network, Amazon captured attacker activity, recovered a malicious ELF binary, and traced a full attack chain that leveraged a single poorly secured staging server. The findings underscore the limits of patching alone and the need for layered defenses and urgent log hunting for provided indicators.
read more →

CISA Adds Cisco FMC Deserialization Flaw to KEV Catalog

⚠️ CISA has added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability involves deserialization of untrusted data in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. This class of flaw is a common attack vector and poses significant risk. CISA reminds Federal Civilian Executive Branch agencies to remediate per BOD 22-01 and urges all organizations to prioritize timely remediation as part of normal vulnerability management.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Patch Alert

🔒 AWS analysis reveals that the Interlock ransomware group has exploited CVE-2026-20131, a critical RCE in the web-based management interface of Cisco Secure Firewall Management Center (FMC), in active attacks since January 26. The flaw can permit an unauthenticated attacker to execute arbitrary Java code as root and carries a 10.0 CVSS score. AWS recommends applying Cisco patches, reviewing IoCs and hunting for PowerShell staging, custom Java/JavaScript RATs, memory-resident webshells and unauthorized ScreenConnect deployments.
read more →

Interlock Exploited Cisco FMC Zero-Day Since January

🔒 The Interlock ransomware gang exploited a maximum-severity remote code execution flaw in Cisco Secure Firewall Management Center as a zero-day beginning January 26, 2026. Cisco released a patch for CVE-2026-20131 on March 4, warning it allowed unauthenticated attackers to execute arbitrary Java code as root on unpatched devices. Amazon's threat team reported Interlock had been exploiting the vulnerability for 36 days prior to public disclosure.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

⚠️ Amazon Threat Intelligence warns of an active Interlock ransomware campaign exploiting a critical Cisco Secure Firewall Management Center vulnerability tracked as CVE-2026-20131 (CVSS 10.0). The flaw enables insecure deserialization of a user-supplied Java byte stream, allowing unauthenticated remote code execution as root. Amazon telemetry shows zero-day exploitation since January 26, 2026, and the actor's toolkit includes multi-platform backdoors, reconnaissance scripts, and infrastructure-laundering components.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

🛡️ Amazon Threat Intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center, with exploitation observed beginning January 26, 2026—36 days before Cisco publicly disclosed the flaw on March 4, 2026. A misconfigured attacker-controlled staging server exposed Interlock's full operational toolkit, including custom remote access trojans, reconnaissance scripts, a fileless Java webshell, and infrastructure-laundering scripts. Organizations running Cisco Secure FMC should immediately apply Cisco patches, review the provided indicators of compromise, and hunt for signs of lateral movement and data staging.
read more →

Fake Enterprise VPN Installers Steal Company Credentials

🔒 A threat actor tracked as Storm-2561 is distributing spoofed enterprise VPN clients impersonating vendors such as Ivanti, Cisco, and Fortinet to harvest corporate VPN credentials. The campaign uses SEO poisoning to push victims to convincing fake vendor pages that link to a GitHub-hosted ZIP containing a malicious MSI installer. When run, the installer places a fake Pulse.exe, drops a loader (dwmapi.dll) and a Hyrax infostealer variant (inspector.dll), captures credentials and configuration files, then displays an installation error and redirects victims to the legitimate vendor site to avoid immediate suspicion.
read more →

Reflections on Diversity, Threats, and Cyber Guidance

🔒The author opens this week’s Threat Source newsletter with personal reflections on being raised by a single mother, connecting those experiences to the gender imbalance in STEM and cybersecurity. He cites sobering statistics — for example, women comprise 28.2% of the global STEM workforce and occupy only 16% of CISO roles — and highlights mentorship programs like WiCyS and CTFs. Talos also summarizes a March 10 update on cyber activity tied to the Middle East conflict and provides practical defensive advice for destructive malware, DDoS, and website defacement.
read more →

CISA Emergency Directive Targets Exploited Cisco SD-WAN

🔔 CISA has issued Emergency Directive 26-03 after reports that threat actors are actively exploiting a critical authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127, CVSS 10). The directive instructs federal agencies to inventory affected systems, forward logs externally, collect forensic artifacts, apply vendor updates, hunt for signs of compromise and rebuild infrastructure if root access is detected. Agencies must report remediation and logging actions to CISA by multiple deadlines through March 23, 2026.
read more →

CISA warns of active exploitation: Ivanti EPM, Cisco SD‑WAN

⚠️ CISA warns that an authentication-bypass bug in Ivanti Endpoint Manager (CVE-2026-1603), patched Feb. 9, is being actively exploited to leak stored credentials. The agency also added related SolarWinds and VMware defects to its Known Exploited Vulnerabilities catalog. CISA updated an emergency directive for Cisco SD‑WAN flaws (CVE-2026-20127, CVE-2022-20775), citing signs of long-running exploitation and imposing new reporting and log-submission requirements for federal agencies, including a March 26 deadline.
read more →

Talos Discloses DirectX, OpenFOAM, Libbiosig Vulnerabilities

🛡️ Cisco Talos’ Vulnerability Discovery & Research team disclosed multiple vulnerabilities affecting Microsoft DirectX, OpenCFD OpenFOAM, and the BioSig project’s libbiosig library. Most issues have been patched by their respective vendors in accordance with Cisco’s disclosure policy, while the DirectX local privilege escalation remains unpatched. Talos published detailed advisories and Snort rule guidance to detect exploitation. Affected CVEs include CVE-2025-68623, CVE-2025-61982, CVE-2025-64736, CVE-2026-22891, and CVE-2026-20777.
read more →

Vendors Race to Define Post-Quantum Cryptography Roadmap

🔐 Security vendors are reframing post-quantum cryptography (PQC) from a theoretical concern into an operational priority, emphasizing discovery, inventory, and crypto-agility across enterprise environments. Companies such as Palo Alto Networks, Cisco, and Cloudflare are packaging visibility, assessment, and compensating-controls while specialist firms like SandboxAQ deliver continuous monitoring via AQtive Guard. With NIST standards finalized and a 2030 readiness horizon, vendors stress phased migration and prioritization for long-lived sensitive data. The market is competitive as providers position to guide enterprises through complex modernization and legacy constraints.
read more →

CISO Priorities for 2026: AI, Identity, and Resilience

🔐 2026 will bring faster, cheaper, and more credible cyberattacks as AI and automation lower the skill barrier for attackers. Industry leaders from Banco Santander, Vodafone, NordVPN, Sophos, and Cisco emphasize a shift from perimeter defenses to identity-centric, automated, resilience-focused models. Priority actions include continuous identity verification, integrated AI-driven security, XDR consolidation, supply-chain risk management, and stronger detection, response, and data-protection controls implemented with minimal customer friction.
read more →

Cisco issues emergency patches for critical firewall flaws

🚨 Cisco released its March 4 semiannual firewall update addressing 25 security advisories and 48 CVEs, led by two “perfect 10” flaws in Secure Firewall Management Center (FMC). CVE-2026-20079 (authentication bypass) and CVE-2026-20131 (insecure deserialization) both carry CVSS scores of 10 and can yield unauthenticated root access via the web management interface. Cisco reports no known exploitation yet and offers no workarounds; administrators should remove public FMC exposure until patches can be applied.
read more →

Cisco Confirms Active Exploitation of SD‑WAN Manager Flaws

🔔Cisco has confirmed active exploitation of two vulnerabilities in Catalyst SD‑WAN Manager (formerly SD‑WAN vManage). CVE-2026-20122 (CVSS 7.1) permits an authenticated remote attacker with valid read‑only API credentials to overwrite arbitrary files on the local filesystem, while CVE-2026-20128 (CVSS 5.5) could allow an authenticated user to obtain Data Collection Agent (DCA) privileges. Cisco has released fixes across affected 20.x releases and urges immediate upgrades and mitigations such as restricting access, disabling HTTP, securing appliances behind firewalls, changing default passwords, and monitoring logs for unexpected activity.
read more →