CISA adds the Coruna iOS exploit kit targeting 23 vulnerabilities to its Known Exploited Vulnerabilities list. Cisco Catalyst SD-WAN CVE-2026-20127 faces mass exploitation from hundreds of IPs. Google's 2025 zero-day report reveals 90 exploited zero-days — half targeting enterprises. Plus: ArmorCode and Evervault funding rounds, BoryptGrab stealer on GitHub, and Rockwell ICS flaws exploited in the wild.
CISA has added 23 vulnerabilities exploited by the Coruna iOS exploit kit to its Known Exploited Vulnerabilities (KEV) catalog. The nation-state-grade exploit kit targets iOS versions 13 through 17.2.1, chaining multiple flaws for full device compromise.
| Stage | Vulnerability Type | Impact |
|---|---|---|
| Initial Access | WebKit memory corruption | Remote code execution via malicious web content |
| Sandbox Escape | Kernel privilege escalation | Break out of WebKit sandbox |
| Persistence | Security framework bypass | Circumvent code signing and app sandboxing |
| Full Compromise | Kernel read/write primitive | Complete device control, data exfiltration |
Federal agencies face a mandatory patching deadline. All organizations should update iOS devices to the latest version immediately and audit their fleet for devices running iOS 13–17.2.1. Enterprise MDM solutions should enforce minimum OS version policies.
WatchTowr researchers report that CVE-2026-20127, a critical authentication bypass in Cisco Catalyst SD-WAN Manager, is now under mass exploitation from numerous unique IP addresses worldwide.
| Metric | Value |
|---|---|
| Unique attacking IPs | 400+ observed by WatchTowr |
| Geographic spread | Global — US, EU, APAC origins |
| First exploitation | Late February 2026 (targeted) |
| Mass exploitation onset | March 6, 2026 |
| Affected versions | All Catalyst SD-WAN Manager prior to patch |
Patch immediately — Cisco released emergency patches. If patching isn't possible, restrict management interface access to trusted networks only. Check logs for unauthorized administrative sessions and API calls. Assume compromise if exposed to the internet.
Google's Threat Analysis Group (TAG) and Mandiant have published their annual zero-day exploitation report for 2025, documenting 90 zero-day vulnerabilities exploited in the wild — with a dramatic shift toward enterprise product targeting.
| Year | Total Zero-Days | Enterprise-Targeted | Top Attribution |
|---|---|---|---|
| 2023 | 62 | 24 (39%) | Spyware vendors |
| 2024 | 73 | 33 (45%) | Spyware vendors |
| 2025 | 90 | 45 (50%) | Spyware vendors + China |
The 50% enterprise targeting rate signals that attackers are shifting from consumer endpoints to enterprise infrastructure. Network security appliances (firewalls, VPNs) are now the #1 target class — organizations must prioritize patching edge devices and implementing defense-in-depth for network perimeters.
ArmorCode, the application security posture management (ASPM) company, has raised $16 million in new funding to accelerate development of its exposure management platform.
The ASPM market continues to grow as organizations struggle with tool sprawl — the average enterprise runs 40+ security tools generating thousands of alerts daily. Consolidation platforms like ArmorCode address alert fatigue by providing unified visibility and intelligent prioritization.
Evervault has closed a $25 million Series B round to expand its developer-focused encryption and data orchestration platform.
As data privacy regulations tighten globally, Evervault's approach of making encryption developer-friendly addresses a critical gap. Most breaches exploit data stored in plaintext or with weak encryption — Evervault aims to make strong encryption the path of least resistance for developers.
Security researchers have identified over 100 malicious GitHub repositories distributing the BoryptGrab information stealer, targeting browser credentials, cryptocurrency wallet data, and session tokens.
Verify GitHub repositories before cloning — check account age, commit history, and contributor profiles. Use dependency scanning tools in CI/CD pipelines. Never run code from unfamiliar repositories without review. Consider using GitHub's verified publisher badges as a trust signal.
A Rockwell Automation ICS vulnerability originally disclosed in 2021 is now being actively exploited in the wild, highlighting the persistent risk of unpatched industrial control systems.
This exploitation underscores the OT patching gap — vulnerabilities disclosed years ago remain unpatched in many industrial environments. Organizations must implement network segmentation, monitor OT traffic for anomalies, and prioritize patching internet-facing ICS components. The convergence of IT and OT means enterprise vulnerabilities directly impact industrial safety.
| Threat / Event | Severity | Action Required |
|---|---|---|
| Coruna iOS exploit kit → KEV | 🔴 Critical | Patch all iOS devices, enforce MDM minimum versions |
| Cisco SD-WAN CVE-2026-20127 | 🔴 Critical | Patch immediately, restrict management access |
| Google 90 zero-days report | 🟠 High | Prioritize edge device patching, defense-in-depth |
| ArmorCode $16M raise | 🟢 Info | Evaluate ASPM for vulnerability consolidation |
| Evervault $25M Series B | 🟢 Info | Consider encryption-as-code for data protection |
| BoryptGrab on GitHub | 🟠 High | Audit dependencies, scan for malicious packages |
| Rockwell ICS exploitation | 🔴 Critical | Patch OT systems, segment networks, monitor traffic |
KENSAI continuously scans for vulnerabilities, misconfigurations, and indicators of compromise — detecting threats like Coruna exploit chains and SD-WAN bypasses before attackers strike.
Start Free Security ScanStay vigilant. Stay protected.
🗡️ KENSAI Product & Research Team