A CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN has been actively exploited since 2023. CarGurus confirms 12.4 million users compromised by ShinyHunters. A cybercrime supergroup is paying women $1,000 per call to social-engineer IT help desks. Plus: SolarWinds patches four critical Serv-U RCE flaws and a defense contractor gets 87 months for selling exploits to Russia.
Cisco has disclosed a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). The flaw allows remote, unauthenticated attackers to log in as a high-privileged internal user and manipulate the entire SD-WAN fabric via NETCONF.
The vulnerability stems from a broken peering authentication mechanism. Attackers exploit it to add rogue peers to the SD-WAN environment — effectively injecting malicious devices that appear legitimate and can route traffic through attacker-controlled infrastructure.
Cisco Talos tracks the activity as UAT-8616 and attributes it with high confidence to a highly sophisticated threat actor. Telemetry shows exploitation dating back to at least 2023. The actor escalated to root by downgrading firmware to exploit an older vulnerability (CVE-2022-20775), then restoring the original version to evade detection.
The disclosure was coordinated between Cisco, the Australian Cyber Security Centre (ASD's ACSC), CISA (Emergency Directive 26-03), and UK authorities.
Automotive marketplace CarGurus has confirmed a data breach affecting over 12.4 million users. The ShinyHunters group claimed responsibility, stating they exfiltrated personally identifiable information and internal corporate data.
This follows ShinyHunters' attack on Wynn Resorts, where employee data was stolen — though the listing was later removed from the leak site after apparent negotiations.
Impact: If you or your employees used CarGurus, monitor for phishing campaigns leveraging the stolen data. Credential stuffing attacks are expected within days.
The cybercrime supergroup Scattered LAPSUS$ Hunters (SLH) — a merger of LAPSUS$, Scattered Spider, and ShinyHunters — is now actively recruiting women to conduct voice phishing (vishing) attacks against IT help desks.
According to Dataminr's threat intelligence, SLH offers $500–$1,000 per call plus pre-written scripts. The strategy: female voices may have higher success rates when impersonating employees calling help desks for password resets or MFA bypasses.
SLH has a documented history of MFA prompt bombing, SIM swapping, and help desk social engineering. This recruitment campaign signals an industrialization of social engineering — moving from opportunistic attacks to paid, organized call center operations.
SolarWinds has patched four critical vulnerabilities in Serv-U file transfer software that could allow remote code execution. While the flaws require administrative privileges, Serv-U has been a historically targeted product (remember the 2021 supply chain attack).
File transfer appliances remain the #1 initial access vector for ransomware groups. MOVEit, GoAnywhere, Citrix ShareFile — and now Serv-U again. If you run Serv-U, patch before exploit code inevitably drops.
Google's Threat Intelligence Group (GTIG), Mandiant, and international partners have disrupted a global espionage campaign attributed to Chinese threat actor UNC2814. The group has been active since at least 2017, targeting organizations across 42 countries.
The attackers used legitimate SaaS API calls to disguise malicious traffic, making detection exceptionally difficult. Targets included telecom providers and government agencies — classic intelligence collection objectives.
Former U.S. defense contractor executive Peter Williams has been sentenced to 87 months in federal prison for selling cyber exploits to a Russian broker. The case underscores the ongoing risk of insider threats in the defense supply chain.
Two separate supply chain campaigns discovered this week:
Developer teams: Audit your NuGet dependencies and be suspicious of any repository linked from unsolicited job interviews.
American medical device manufacturer UFP Technologies disclosed a cyberattack with confirmed data theft and file-encrypting malware. The healthcare sector continues to be disproportionately targeted — attackers know patient data commands premium ransoms and regulatory pressure forces fast payments.
✅ Cisco SD-WAN Detection — Scan for CVE-2026-20127 and vulnerable configurations
✅ Supply Chain Monitoring — Track malicious packages across NuGet, npm, PyPI
✅ AI-Powered Remediation — Get patches, not just alerts. Auto-generated PRs for your codebase.
✅ NIS2 Compliance — German-language reports for regulatory requirements
332,000+ CVEs indexed. AI-generated patches. GitHub PR automation.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team