Originally reported by The Hacker News, SANS ISC, MSRC Security Updates
TL;DR
A critical Cisco SD-WAN authentication bypass vulnerability has been exploited in the wild since 2023, while Google disrupted a China-linked APT that breached 53 organizations across 42 countries. Supply chain attacks continue with malicious NuGet packages impersonating Stripe libraries and vulnerabilities in AI coding assistants enabling remote code execution.
The Cisco SD-WAN zero-day (CVE-2026-20127), rated CVSS 10.0, has been actively exploited since 2023 and enables complete authentication bypass. Combined with a widespread APT campaign targeting critical infrastructure, this represents active exploitation of maximum-severity vulnerabilities.
Cisco disclosed a maximum-severity authentication bypass vulnerability in its Catalyst SD-WAN infrastructure that has been actively exploited since 2023. The flaw, tracked as CVE-2026-20127 with a CVSS score of 10.0, affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage).
The vulnerability allows unauthenticated remote attackers to completely bypass authentication mechanisms and gain administrative access to affected systems. Given the three-year exploitation timeline and the critical nature of SD-WAN infrastructure in enterprise networks, organizations should prioritize immediate patching of affected systems.
Google's Threat Analysis Group (TAG) successfully disrupted infrastructure belonging to UNC2814, a suspected China-nexus cyber espionage group that breached at least 53 organizations across 42 countries. The group, dubbed GRIDTIDE, has maintained a long operational history targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas.
The disruption effort involved coordination with industry partners to neutralize the threat actor's command and control infrastructure. The campaign's scope demonstrates the persistent threat posed by state-sponsored actors against critical infrastructure and government entities worldwide.
Cybersecurity researchers identified a malicious NuGet package named "StripeApi.Net" designed to impersonate the legitimate Stripe.net library, which has over 75 million downloads. The package targets the financial sector by attempting to steal API tokens and credentials from developers integrating payment processing capabilities.
Separately, multiple security vulnerabilities were discovered in Anthropic's Claude Code AI-powered coding assistant. These flaws could enable remote code execution and API credential theft through exploitation of configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables.
The Scattered LAPSUS$ Hunters (SLH) cybercrime collective has been observed offering substantial financial incentives to recruit women for voice phishing campaigns. According to Dataminr research, the group offers between $500 and $1,000 upfront per call for IT help desk social engineering attacks, indicating a systematic approach to scaling their operations.
Microsoft's Security Response Center published information on several vulnerabilities this week:
CVE-2025-67733: Valkey RESP protocol injection vulnerability via Lua error_reply
CVE-2026-21863: Malformed Valkey cluster bus message leading to remote denial of service
CVE-2025-62878: Path traversal vulnerability in Local Path Provisioner via pathPattern parameters
CVE-2025-61143: NULL pointer dereference in libtiff affecting versions up to v4.7.1
CVE-2025-11563: wcurl path traversal vulnerability with percent-encoded slashes
Additionally, several Linux kernel fixes were disclosed, including crypto virtio spinlock protection (CVE-2026-23229), HFS filesystem cleanup issues (CVE-2025-71230), and XFS use-after-free conditions (CVE-2026-23223).
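The wcurl entry above describes the general failure mode behind percent-encoded-slash path traversal: a downloader derives a local filename from the last URL path segment before percent-decoding, so an encoded "/" or ".." survives the check and is only decoded when the file is written. The following is an added illustration, not wcurl's code and not based on the advisory's internals; the URLs are constructed samples and the function names are hypothetical. It contrasts the naive ordering with one that decodes first and then validates the resulting segment.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_NAME = "index.html"


def naive_output_name(url: str) -> str:
    """Illustrative weak version (hypothetical): split on '/' BEFORE decoding.

    An encoded separator such as %2F is not a '/' yet, so the whole
    encoded string is taken as the "last segment" and only becomes a
    path with '../' once it is decoded for use as a filename.
    """
    path = urlsplit(url).path
    name = path.rsplit("/", 1)[-1] or DEFAULT_NAME
    return unquote(name)


def is_safe_segment(name: str) -> bool:
    """A single filename component that cannot escape the output directory."""
    if name in ("", ".", ".."):
        return False
    # '/' and NUL can never be in a valid single component; '\\' is a
    # separator on Windows and is rejected for portability.
    return not any(c in name for c in ("/", "\\", "\0"))


def safe_output_name(url: str) -> str:
    """Decode first, then take the last component, then validate it.

    Raises ValueError when the derived name is not a plain filename.
    """
    path = unquote(urlsplit(url).path)  # decode exactly once
    name = path.rsplit("/", 1)[-1] or DEFAULT_NAME
    if not is_safe_segment(name):
        raise ValueError(f"refusing unsafe output filename: {name!r}")
    return name


if __name__ == "__main__":
    # Constructed sample: encoded slashes hide '../../' from the naive split.
    sample = "https://example.test/files/..%2F..%2Fetc%2Fpasswd"
    print("naive :", naive_output_name(sample))  # '../../etc/passwd'
    print("safe  :", safe_output_name(sample))   # 'passwd'
```

The ordering is the whole point: any decoding the program will eventually perform on a value must happen before the value is validated, and the validated unit must be the single path component that actually reaches the filesystem.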