Cyber Security Week in Review: February 27, 2026

Cisco has issued a security advisory warning that a critical authentication bypass vulnerability in its Catalyst SD-WAN platform is being actively exploited in zero-day attacks. The flaw, tracked as CVE-2026-20127, impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in both on-premises and SD-WAN Cloud deployments. Cisco’s threat hunting team said that the flaw has been exploited in the wild since at least 2023. The activity is being tracked under the cluster name “UAT-8616.”

In a separate report, Cisco Talos has detailed an ongoing malicious campaign attributed to a threat actor tracked as ‘UAT-10027.’ The group is deploying a novel backdoor, dubbed “Dohdoor,” which leverages DNS-over-HTTPS (DoH) for stealthy command-and-control (C&C) communications and can download and execute additional payloads. The campaign targets organizations in the US education and healthcare sectors through a multi-stage attack chain.

Trend Micro has patched two critical vulnerabilities in its Apex One endpoint security platform that could allow remote code execution (RCE) on vulnerable Windows systems. Tracked as CVE-2025-71210 and CVE-2025-71211, both flaws stem from path traversal weaknesses in the Apex One management console, enabling attackers to execute malicious code. The vendor has also fixed two privilege escalation flaws (CVE-2025-71212, CVE-2025-71213).

Separately, Juniper Networks addressed a critical vulnerability (CVE-2026-21902) in its Junos OS Evolved operating system for PTX Series routers. The flaw, caused by incorrect permission assignment in the On-Box Anomaly Detection framework, could allow an unauthenticated attacker to execute code remotely with root privileges.

SolarWinds has released patches for four high-severity vulnerabilities in its Serv-U managed file transfer software, addressing flaws that could enable remote code execution with elevated privileges. The issues are fixed in Serv-U version 15.5.4. CVE-2025-40538 is caused by broken access control and could allow attackers to execute arbitrary code and create system administrator accounts. The other three vulnerabilities (CVE-2025-40539, CVE-2025-40540, and CVE-2025-40541) involve type confusion and insecure direct object reference issues, which could also be exploited to achieve remote code execution.

Taiwanese networking company Zyxel has rolled out security updates to fix a high-risk vulnerability affecting more than a dozen router models. The flaw, tracked as CVE-2025-13942, is a command injection bug in the UPnP function of Zyxel 4G LTE/5G NR CPE devices, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders. The vulnerability allows unauthenticated remote attackers to execute operating system commands on impacted devices by sending specially crafted UPnP SOAP requests.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed FileZen system command injection flaw to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The vulnerability, tracked as CVE-2026-25108, allows an authenticated user to execute arbitrary commands on affected systems through specially crafted HTTP requests.

The agency has also flagged as exploited two RoundCube Webmail bugs (CVE-2025-49113, CVE-2025-68461), and an OS command injection vulnerability affecting BeyondTrust Remote Support (CVE-2026-1731).

Akamai has released a technical breakdown of CVE-2026-21513, including a description of its root cause and an analysis of its exploitation. The report also provides indicators of compromise (IOCs) to help defenders minimize exposure to the threat.

Google’s Threat Intelligence Group (GTIG), Mandiant, and industry partners have disrupted a large-scale cyber espionage campaign attributed to a suspected Chinese threat actor that concealed malicious communications within legitimate SaaS traffic. The operation, active since at least 2023, targeted telecommunications providers and government networks across Africa, Asia, and the Americas. As part of the campaign, 53 organizations across 42 countries were compromised, with suspected infections spanning at least 20 additional countries.

BlueVoyant’s Security Operations Center (BVSOC) has spotted a targeted social engineering attack against a European financial institution engaged in regional development and reconstruction initiatives. The activity has been attributed to the Russia-aligned threat group known as Mercenary Akula, tracked by CERT-UA as UAC-0050.

North Korean state-backed hackers linked to the Lazarus Group are targeting US healthcare organizations in a wave of extortion attacks leveraging the Medusa ransomware. The attackers deployed a mix of custom and publicly available tools, including Comebacker, a backdoor previously linked to Diamond Sleet; Blindingcan, a remote access trojan; the ChromeStealer and Infohook credential theft utilities; the well-known credential dumping tool Mimikatz; a custom proxy tool, RP_Proxy; and the data transfer utility curl.

Researchers at Elastic Security Labs have uncovered an active ClickFix campaign that leverages compromised legitimate websites to deploy a sophisticated, custom-built remote access trojan (RAT) dubbed ‘Mimicrat.’ Unlike more common ClickFix operations that lead to infostealer infections, the observed campaign deploys a five-stage infection chain installing a native C implant designed for persistence and lateral movement.

A coordinated attack is targeting software developers by using fake job-related coding projects. The attackers create malicious repositories that look like legitimate Next.js web app projects or technical assessment tests and share them during job interviews. Security researchers from Microsoft Defender found that the attackers hosted the fake projects on Bitbucket and discovered several similar repositories with the same code structure and malicious behavior.

A recently observed npm supply-chain campaign dubbed ‘SANDWORM_MODE’ is infecting developer environments, siphoning CI/CD secrets, and targeting AI coding assistants. The attack resembles the earlier “Shai-Hulud” campaigns: malicious code embedded in npm packages steals system data, access tokens, API keys, and environment secrets, and then propagates automatically by abusing compromised npm and GitHub identities.

A Russian-speaking, financially motivated threat actor has compromised more than 600 FortiGate firewall devices worldwide after leveraging commercial generative AI tools to automate and scale attacks. The attackers didn’t exploit zero-day or legacy vulnerabilities in Fortinet’s products; instead, the operation targeted FortiGate devices that had management interfaces exposed to the internet, used weak or reused passwords, and lacked multi-factor authentication.

Another financially motivated campaign, dubbed ‘Diesel Vortex,’ has stolen more than 1,600 unique login credentials from freight and logistics operators across the United States and Europe in a phishing campaign that leveraged 52 malicious domains. The campaign has been active since September 2025 and targeted platforms critical to the freight industry, including DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source.

A series of targeted phishing campaigns has been observed in Taiwan that exploits local business processes to distribute Winos 4.0, also known as ValleyRat, along with a range of malicious plugins.

The CrowdStrike Global Threat Report 2026 says that AI-enabled cyberattacks surged by 89% in 2025 compared to the previous year. Threat actors increasingly used machine learning and Large Language Models (LLMs) to enhance social engineering, malware development, disinformation campaigns, and other malicious activities. Rather than creating entirely new attack methods, attackers primarily leveraged AI to refine and optimize existing techniques, making their campaigns more efficient and effective.

OpenAI said it banned accounts tied to Chinese law enforcement, romance scams, and influence operations for misusing ChatGPT. Scammers used the chatbot to create ads for a fake dating service that lured victims into paying large sums.

Cybersecurity researchers at Trellix have disclosed details of a new cryptojacking campaign that leverages pirated software bundles to deploy a customized XMRig miner on compromised systems, combining social engineering with worm-like propagation and kernel-level exploitation.

The US Department of the Treasury announced sanctions targeting the owner of Operation Zero, a Russian exploit broker. Among the sanctioned individuals are two members of the Trickbot cybercrime gang, who are alleged to have supported Operation Zero and operated their own exploit brokerage firm. In parallel, Peter Williams, a former Trenchant executive from Australia, was sentenced to over seven years for stealing the company’s hacking tools and selling them to Operation Zero. He also faces three years of supervised release and a $1.3 million forfeiture. Williams admitted stealing eight tools between 2022 and 2025, receiving millions in cryptocurrency.

Rapid7 released a report detailing the history of RAMP, a notorious Russian cybercrime forum that went dark last month after law enforcement authorities seized a portion of its infrastructure, and its role in the ransomware ecosystem. RAMP had operated since 2021 as a hub for ransomware operators, affiliates, and initial access brokers.

Aleksanteri Kivimäki, previously part of the Lizard Squad, was sentenced to nearly seven years in prison for hacking Finnish psychotherapy chain Vastaamo as “ransom_man,” publishing patient records, and demanding cryptocurrency ransoms, which led to at least one reported suicide. The breach affected over 20,000 patients and bankrupted the clinic. 

A Ukrainian national has been sentenced to five years in prison for providing stolen identities to North Korean IT workers who used them to infiltrate dozens of US companies. Oleksandr Didenko, 39, of Kyiv, Ukraine, pleaded guilty in November 2025 to aggravated identity theft and conspiracy to commit wire fraud. According to court documents, Didenko stole the identities of US citizens and sold them to overseas IT workers through the UpWorkSell online platform, which has since been seized by the US Justice Department.

Spanish authorities have arrested four alleged members of the hacktivist group Anonymous Fénix for their involvement in a series of distributed denial-of-service (DDoS) attacks targeting government and public sector websites. According to Spain’s Guardia Civil, the unnamed suspects were responsible for launching attacks against government, political, and other public entities. 

A 26-year-old man was arrested in São Paulo for running a fake cell tower scam from his apartment. Police said he used illegal equipment to hijack cellphone signals and send fraudulent SMS messages. With help from Agência Nacional de Telecomunicações (Anatel), authorities tracked the signal to his home and seized electronic devices for investigation.