← Back to Blog
Security Briefing4 min read2026-04-22

Security Briefing, April 22 2026: Cisco SD-WAN Exploitation, France Titres Breach, and NGate NFC Theft

This morning’s threat picture is ugly in a very familiar way. Edge infrastructure is still getting hit, government identity data is still a rich target, and mobile payment workflows are being turned into theft rails.


Top line: Three signals matter today: internet-facing network management remains exploitable, public-sector identity portals remain high-value breach targets, and Android payment abuse keeps getting cheaper and stealthier.


1. CISA says another Cisco Catalyst SD-WAN flaw is being actively exploited

BleepingComputer reports that CISA added Cisco Catalyst SD-WAN Manager flaw CVE-2026-20133 to the KEV catalog based on evidence of active exploitation. Cisco had previously described the bug as an information disclosure issue caused by insufficient file system access restrictions, but the real operational message is simpler: internet-facing management planes keep turning into high-value intrusion points.


2. France Titres confirms a breach tied to citizen account data

France Titres, the French government agency behind key identity and registration workflows, disclosed a breach after a threat actor claimed to be selling data. According to the agency statement cited by BleepingComputer, exposed data may include login IDs, names, emails, dates of birth, account identifiers, and for some people addresses, phone numbers, and place of birth. That is exactly the kind of record set that powers phishing, impersonation, and account-recovery abuse.


3. NGate is back, now hiding inside a trojanized NFC payment app

ESET research covered by BleepingComputer shows a new NGate Android variant using a malicious version of HandyPay to steal NFC payment card data and card PINs, with campaigns focused on Brazil. The important shift is not just the malware family itself. It is the attacker economics: a legitimate app workflow can be repurposed cheaply, with less noise, to capture data that later enables unauthorized payments or NFC cash-out fraud.


What security teams should do today

  1. Check whether any Cisco Catalyst SD-WAN Manager instances are exposed, unpatched, or missing the latest hunt guidance.
  2. Brief customer support, identity, and fraud teams on likely follow-on phishing tied to the France Titres breach.
  3. Push mobile-security guidance around NFC abuse, sideloaded APKs, and default payment-app prompts.
  4. Frame all three stories the same way: trusted admin, identity, and payment workflows are still the cleanest path to damage.

Sources


Bottom line: Bottom line: the common thread today is not exotic malware wizardry. It is attackers abusing workflows defenders still assume are normal, trusted, and low-drama. That assumption keeps getting people burned.

Find the trust breaks before they become incidents

KENSAI helps teams surface exposed attack paths across cloud, collaboration, identity, mobile, and internet-facing systems before those weak links turn into breaches.

Free Scan →

Stay sharp.

🗡️ KENSAI Security Team