27 Feb 2026
Week in review
Greetings,
Intelligence agencies across the Five Eyes alliance, made up of Australia, Canada, New Zealand, the United Kingdom and the United States, have issued an urgent joint warning following the discovery of a “highly sophisticated” cyber campaign targeting Cisco Catalyst SD-WAN controllers. According to the advisory, attackers have been actively exploiting a newly uncovered zero-day vulnerability, tracked as CVE-2026-20127, which carries the highest possible severity rating. The flaw allows unauthenticated remote actors to bypass authentication and gain high-privileged access to SD-WAN controllers, placing core network infrastructure at immediate risk.
Cisco Talos confirmed that the threat actor behind the campaign, identified as UAT-8616, paired the new zero-day with an older 2022 privilege escalation vulnerability (CVE-2022-20775) to achieve root-level access. Investigators found that the attackers used deep knowledge of the SD-WAN protocols to infiltrate trusted network peers, insert rogue controllers, downgrade firmware so that the older flaw became exploitable, then restore systems to cover their tracks. These techniques enabled persistent, stealthy access across critical infrastructure for nearly three years without detection.
U.S. cyber security officials have responded with an emergency directive, warning that the exploited vulnerabilities pose an imminent threat to federal agencies. Security experts note that the attack is particularly severe because SD-WAN technology centralises routing, segmentation, encryption and policy enforcement into a single management plane, meaning that compromising one controller potentially grants influence over every connected branch. Investigators also report that the attackers systematically deleted logs and forensic artefacts, further complicating detection and response.
Agencies across all Five Eyes nations are urging organisations to immediately apply Cisco’s security updates, conduct thorough threat hunting and validate the integrity of their SD-WAN environments.
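The attack chain described above points to three concrete things to look for when validating an SD-WAN fabric: peers that are not in the approved inventory (rogue controllers), devices running a version older than their known-good baseline (a firmware downgrade), and gaps in audit-log coverage (log deletion). The script below is an illustration added to this review; it is not code from AUSCERT, Cisco or the joint advisory. It runs those three checks over a constructed inventory snapshot and constructed log timestamps. The system IPs, version strings, record layout and the two-hour gap threshold are assumptions; in practice the snapshot would come from your own monitoring or from the controllers' own reporting.

```python
"""Hunting checks for an SD-WAN fabric snapshot.

Added example, not from AUSCERT, Cisco or the advisory. All data below is
constructed for illustration; the record layout is an assumption.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Approved inventory (constructed): system IP -> (role, last known-good version).
APPROVED = {
    "10.0.0.1": ("controller", "20.12.4"),
    "10.0.0.2": ("manager", "20.12.4"),
    "10.1.0.5": ("edge", "20.12.4"),
}

# Observed fabric snapshot (constructed), as your monitoring might export it.
OBSERVED = [
    {"system_ip": "10.0.0.1", "role": "controller", "version": "20.12.4"},
    {"system_ip": "10.0.0.2", "role": "manager", "version": "20.12.4"},
    {"system_ip": "10.1.0.5", "role": "edge", "version": "20.9.1"},  # older than baseline
    {"system_ip": "10.0.0.9", "role": "controller", "version": "20.12.4"},  # not in inventory
]

# Audit-log entry timestamps (constructed): hourly, with a six-hour hole.
LOG_TIMES = [datetime(2026, 2, 20, h) for h in (0, 1, 2, 3, 9, 10, 11, 12)]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '20.12.4' into (20, 12, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def find_rogue_peers(observed: list[dict], approved: dict) -> list[str]:
    """Return system IPs seen in the fabric that are absent from the approved inventory."""
    return sorted(device["system_ip"] for device in observed if device["system_ip"] not in approved)


def find_role_changes(observed: list[dict], approved: dict) -> list[tuple[str, str, str]]:
    """Return (ip, expected_role, observed_role) for known devices now claiming a different role."""
    changes = []
    for device in observed:
        ip = device["system_ip"]
        if ip in approved and approved[ip][0] != device["role"]:
            changes.append((ip, approved[ip][0], device["role"]))
    return changes


def find_downgrades(observed: list[dict], approved: dict) -> list[tuple[str, str, str]]:
    """Return (ip, running_version, baseline) for devices running older code than their baseline."""
    downgrades = []
    for device in observed:
        ip = device["system_ip"]
        if ip not in approved:
            continue  # reported separately as a rogue peer
        baseline = approved[ip][1]
        if parse_version(device["version"]) < parse_version(baseline):
            downgrades.append((ip, device["version"], baseline))
    return downgrades


def find_log_gaps(times: list[datetime], max_gap: timedelta = timedelta(hours=2)) -> list[tuple[datetime, datetime]]:
    """Return (start, end) pairs where consecutive log entries are further apart than max_gap."""
    ordered = sorted(times)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > max_gap]


if __name__ == "__main__":
    print("rogue peers:  ", find_rogue_peers(OBSERVED, APPROVED))
    print("role changes: ", find_role_changes(OBSERVED, APPROVED))
    print("downgrades:   ", find_downgrades(OBSERVED, APPROVED))
    print("log gaps:     ", find_log_gaps(LOG_TIMES))
```

A hit on any of these checks is a lead, not proof: a scheduled upgrade window produces a log gap, and a deliberate rollback produces a downgrade. The point is that each finding is tied to one step of the reported tradecraft, so the three lists together give a hunt team a starting set of hosts and time windows to examine rather than a whole fabric.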
Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Date: 2026-02-25
Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1820/]
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.
Critical SolarWinds Serv-U flaws offer root access to servers
Date: 2026-02-24
Author: Bleeping Computer
SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers.
Serv-U is the company's self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S.
Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
Date: 2026-02-21
Author: Bleeping Computer
Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks.
A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.
Recent RoundCube Webmail Vulnerability Exploited in Attacks
Date: 2026-02-23
Author: Security Week
The US cybersecurity agency CISA on Friday warned of two RoundCube Webmail vulnerabilities being exploited in the wild.
Prevalent within government and enterprise networks, RoundCube Webmail is a popular target for hackers, who have been observed exploiting flaws in the email client within days of public disclosure.
This was the case in June last year with CVE-2025-49113 (CVSS score of 9.9), a post-authentication remote code execution (RCE) issue that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Friday.
VMware Aria Operations Vulnerability Could Allow Remote Code Execution
Date: 2026-02-24
Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1808/]
Broadcom has released patches for several vulnerabilities affecting VMware Aria Operations, including high-severity flaws.
The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker.
ESB-2026.1820 – Cisco Catalyst SD-WAN
An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, bypass of the same-origin policy, information disclosure or privilege escalation.
ESB-2026.1767 – InSAT MasterSCADA BUK-TS
Successful exploitation of these vulnerabilities may allow remote code execution.
ESB-2026.1808 – VMware Products
VMware Aria Operations contains a command injection vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.
Stay safe, stay patched and have a good weekend!
The AUSCERT team