Executive Summary
This week’s threat landscape was marked by confirmed exploitation of critical enterprise technologies, prompting urgent action from federal authorities. Five vulnerabilities were added to the CISA Known Exploited Vulnerabilities (KEV) catalog, affecting widely deployed products from Cisco, Roundcube Webmail, and Soliton Systems K.K.’s FileZen platform - underscoring the continued focus of threat actors on identity systems, network infrastructure, and file transfer solutions.
Advanced threat activity this week highlighted the continued targeting of enterprise infrastructure and communication platforms by sophisticated threat actors. Cisco Talos reported active exploitation of an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart), which allowed unauthenticated remote attackers to send crafted requests and gain administrative access as an internal, high-privileged, non-root user - creating significant exposure across enterprise network environments. At the same time, TeamT5 confirmed that a critical PHP object deserialization vulnerability in Roundcube Webmail has been actively exploited since April 2025 by the China-linked APT group CamoFei, enabling remote code execution following account compromise and impacting organizations across the APAC region.
Key points:
- 5 vulnerabilities added to the CISA KEV catalog
- China-Linked APT exploited Roundcube Webmail at scale
- Cisco SD-WAN zero-day exploitation attributed to UAT-8616
What are the top trending or critical vulnerabilities observed this week?
Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.
CVE-2026-20127 - Authentication Bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager
An Authentication Bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager could allow an unauthenticated remote attacker to bypass authentication and obtain administrative access to an affected system. The issue arises from a flawed peering authentication mechanism within Cisco Catalyst SD-WAN Controller (formerly vSmart) and Manager (formerly vManage), where crafted requests can circumvent intended access controls. Successful exploitation enables login as an internal, high-privileged, non-root administrative user, granting access to NETCONF and the ability to manipulate SD-WAN fabric configurations. The vulnerability was reportedly exploited as a zero-day, highlighting the risk of unauthorized control over enterprise network infrastructure. Cisco has addressed this issue in its official security advisory, and due to confirmed in-the-wild exploitation, the vulnerability has been added to the CISA KEV catalog, underscoring the urgency of immediate patching and access control hardening.
CVE-2026-25108 - OS Command Injection vulnerability in Soliton Systems K.K. FileZen
An OS Command Injection vulnerability affects the FileZen file transfer appliance, allowing authenticated users to execute arbitrary operating system commands on the underlying server. The flaw arises when the optional Antivirus Check feature is enabled, where improper input handling during interaction with antivirus components introduces the injection vector. Exploitation requires a logged-in user to send a specially crafted HTTP request, creating a risk of privilege escalation and potential full system compromise. Soliton Systems K.K. has addressed the issue in FileZen version 5.0.11, and due to confirmed in-the-wild exploitation, the vulnerability has been added to the CISA KEV catalog.
CVE-2025-49113 - Deserialization of Untrusted Data vulnerability in Roundcube Webmail
A Deserialization of Untrusted Data vulnerability has been identified in Roundcube Webmail, enabling authenticated users to achieve remote code execution due to improper validation of the _from URL parameter in program/actions/settings/upload.php. The flaw stems from unsanitized $_GET['_from'] input, which can trigger PHP object deserialization when session variable names begin with an exclamation mark (!), leading to session corruption and PHP object injection. Affected versions include releases prior to 1.5.10 and 1.6.x prior to 1.6.11, with fixes issued in June 2025 under versions 1.5.10 LTS and 1.6.11. Following disclosure by security researcher Kirill Firsov, attackers reportedly reverse-engineered the patch within 48 hours and began circulating working exploits, increasing the risk of widespread compromise, particularly for internet-exposed instances running on ports 2083, 2086, 2087, and 2096. With proof-of-concept code and underground exploit listings observed, the vulnerability has now been added to the CISA KEV catalog, underscoring the urgency of immediate remediation.
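As an added defender-side example (not code from the original post or from the Roundcube project), the following Python script scans web-server access-log lines for requests to the settings upload action whose _from query parameter begins with "!", the trigger shape described above. It assumes Apache/nginx combined log format and that the action is reached through Roundcube's index.php dispatcher as _task=settings&_action=upload; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log layout (an assumption about the deployment).
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def targets_upload_action(target):
    """True when the request reaches the settings upload action: either the
    dispatcher form index.php?_task=settings&_action=upload (assumed Roundcube
    routing) or a direct request for program/actions/settings/upload.php."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("program/actions/settings/upload.php"):
        return True
    return qs.get("_task") == ["settings"] and qs.get("_action") == ["upload"]

def find_suspicious_requests(lines):
    """Return (client_ip, timestamp, _from value) for each log line whose
    _from query parameter starts with '!' on the upload action. parse_qs
    percent-decodes once, matching how PHP populates $_GET, so %21 and a
    literal '!' are treated the same."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m or not targets_upload_action(m.group("target")):
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("_from", []):
            if value.startswith("!"):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

# Constructed sample log lines: one trigger-shaped request, one benign upload
# request with an ordinary _from value, and one unrelated mail request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:10:00:01 +0000] "GET /?_task=settings&_action=upload&_from=%21x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jun/2025:10:00:05 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 214 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jun/2025:10:00:09 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious _from={value!r} (review session and shell activity)")
```

A hit on a patched instance is still worth triage, since the same request shape against an unpatched host before the June 2025 upgrade would indicate prior compromise.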
CVE-2025-68461 - Cross-Site Scripting vulnerability in Roundcube Webmail
A Cross-Site Scripting vulnerability has been identified in Roundcube Webmail, arising from improper handling of the <animate> tag within Scalable Vector Graphics (SVG) files. The flaw affects versions prior to 1.5.12 and 1.6.x prior to 1.6.12, and was remediated in December 2025 with the release of versions 1.5.12 and 1.6.12. Discovered by CrowdStrike, the issue allows attackers to embed a specially crafted SVG file within a malicious email, triggering arbitrary JavaScript execution as soon as the image is rendered in the webmail interface. Such exploitation could lead to session hijacking, credential theft, unauthorized actions, or silent redirection to phishing pages without further user interaction. Due to confirmed exploitation risk, the vulnerability has recently been added to the CISA KEV catalog, emphasizing the need for immediate patching.
CVE-2022-20775 - Path Traversal vulnerability in Cisco SD-WAN
A Path Traversal vulnerability in Cisco SD-WAN could allow an authenticated local attacker to gain elevated privileges due to improper access controls within the application CLI, ultimately enabling arbitrary command execution as the root user. According to Cisco Talos, exploitation activity targeting Cisco Catalyst SD-WAN infrastructure has demonstrated sophisticated vulnerability chaining techniques. In observed campaigns, threat actors first leveraged CVE-2026-20127, an authentication bypass vulnerability, to obtain administrative access to exposed controllers. The attackers then performed a software downgrade to reintroduce the previously patched CVE-2022-20775, exploiting it to escalate privileges to root before restoring the original software version to evade detection while retaining full control. This multi-stage approach highlights a deliberate strategy to achieve deep persistence and unrestricted manipulation of SD-WAN network configurations. Due to the severity and confirmed exploitation patterns, this vulnerability has been added to the CISA KEV catalog, emphasizing the urgency of remediation and strict access control enforcement.
What did Cytellite sensors detect this week?
Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.
Which vulnerabilities were abused by malware this week?
Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.
Cisco SD-WAN zero-day exploitation attributed to UAT-8616
According to Cisco Talos, CVE-2026-20127, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart), was actively exploited, allowing unauthenticated remote attackers to send crafted requests and gain administrative access as an internal, high-privileged, non-root user. Talos tracked the exploitation and subsequent post-compromise activity under the cluster name “UAT-8616,” assessing the actor with high confidence as a sophisticated threat group. Investigation revealed that exploitation activity dated back to at least 2023, with the actor reportedly performing a software version downgrade to reintroduce CVE-2022-20775, exploiting it for root privilege escalation before restoring the original software version to maintain covert access. The campaign reflected an ongoing pattern of targeting network edge devices to establish long-term persistence within high-value organizations, including critical infrastructure sectors.
China-Linked APT exploited Roundcube Webmail at scale
According to TeamT5, CVE-2025-49113, a critical post-authentication PHP object deserialization vulnerability in Roundcube Webmail, has been actively exploited since April 2025 by the China-linked APT group CamoFei. Successful exploitation enables remote code execution through compromised Roundcube accounts, followed by deployment of malicious tools including the open-source webshell Godzilla and the remote access trojan Pupy, with observed targeting of educational institutions in Taiwan and government agencies in Pakistan and Myanmar.
What were the most trending OSS vulnerabilities this week?
Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.
Were any PRE-NVD vulnerabilities identified this week?
PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.
Conclusion
This week’s threat activity underscored the accelerating pace at which adversaries exploit critical enterprise technologies, with confirmed attacks targeting Cisco Catalyst SD-WAN, Roundcube Webmail, and Soliton FileZen - all now reflected in the CISA KEV catalog. The focus on authentication bypass, remote code execution, and edge infrastructure compromise highlights a strategic push toward identity and network control systems. In such a rapidly evolving landscape, organizations must move beyond reactive patching and adopt proactive vulnerability intelligence. Loginsoft Vulnerability Intelligence (LOVI) empowers security teams with real-time exploitation insights and risk-based prioritization, enabling faster mitigation before threats escalate into operational disruption.
FAQs
1) What is Cisco Catalyst SD-WAN and what does it do?
Cisco Catalyst SD-WAN is a software-defined wide area networking (SD-WAN) solution designed to securely connect enterprise branch offices, data centers, cloud environments, and remote users over distributed networks. It centralizes network management and control through controllers (formerly vSmart and vManage), enabling organizations to optimize traffic routing, enforce security policies, and improve application performance across multiple locations.
2) Does inclusion in the CISA KEV catalog mean exploitation is widespread?
Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.
3) How does LOVI help organizations manage vulnerabilities effectively?
Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.
4) What is Cytellite?
Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.