Threat alerts
Stay informed about the latest threats and vulnerabilities
Threat alert
February 26, 2026
CVE-2026-20127: Critical Cisco Catalyst SD-WAN Zero Day Vulnerability
CVE-2026-20127 is a critical authentication bypass vulnerability (CVSS Base Score: 10.0) affecting the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The vulnerability has been exploited in the wild as a zero-day since at least 2023 by a highly sophisticated threat actor tracked by Cisco Talos as UAT-8616. This flaw allows an unauthenticated, remote attacker to bypass authentication mechanisms and obtain high-level administrative privileges on affected systems.
February 26, 2026
Threat alert
February 18, 2026
CVE-2026-22769: UNC6201 Exploitation of Dell RecoverPoint for Virtual Machines Zero-Day
Exploitation of CVE-2026-22769, a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines (CVSS 10.0), represents a tactical pivot by the PRC-nexus threat cluster UNC6201. As organisations strengthen traditional endpoint defenses, this actor has redirected focus toward the "security blind spots" of enterprise infrastructure, providing a quiet environment for high-fidelity espionage.
February 20, 2026
Threat alert
February 13, 2026
CVE-2026-1731: Pre-Authentication Command Injection in BeyondTrust Remote Support and Privileged Remote Access
The disclosure of CVE-2026-1731 marks a significant escalation in the exploitation of unauthenticated remote code execution (RCE) vulnerabilities within enterprise-tier management consoles. The flaw resides in a Java-based deserialisation engine where the absence of a look-ahead object filter allows attackers to inject malicious serialised payloads via the administrative API.
February 16, 2026
Threat alert
February 3, 2026
Notepad++ Supply Chain Compromise (Chrysalis Backdoor)
A coordinated investigation has revealed that the official update infrastructure for Notepad++ was compromised by the state-linked threat actor Lotus Blossom. Between June and December 2025, attackers hijacked the application's update mechanism to deliver a previously undocumented backdoor, identified as Chrysalis, to selected targets. The compromise involved the breach of a hosting provider to redirect update traffic, rather than the alteration of the Notepad++ source code itself.
February 3, 2026
Threat alert
January 28, 2026
Mustang Panda: Evolution of the CoolClient Backdoor
Mustang Panda is a persistent, China-aligned cyber-espionage collective active since at least 2012, primarily targeting the economic data of national governments and critical infrastructure operators. In recent years, researchers have documented a significant pivot from simple data collection to active surveillance.
January 30, 2026
Threat alert
January 21, 2026
ConsentFix: Weaponising First-Party Trust to Bypass Phishing-Resistant MFA
Researchers at Push Security have uncovered ConsentFix, a sophisticated evolution of browser-based phishing that weaponises the trust placed in the OAuth 2.0 framework. Unlike traditional attacks that rely on fake login pages, the campaign exploits the legitimate authentication flows of first-party Microsoft applications, which are implicitly trusted and often "pre-consented" within corporate networks, allowing the attackers to bypass the security controls that would otherwise block them.
January 27, 2026
Threat alert
January 8, 2026
Veeam RCE Vulnerabilities in Backup & Replication Product
Veeam Software disclosed a suite of critical vulnerabilities impacting its flagship Backup & Replication (VBR) platform. These flaws, most notably CVE-2025-59470 and CVE-2025-55125, facilitate Remote Code Execution (RCE), allowing attackers to compromise the backup infrastructure. A successful exploit provides a centralised hub for data exfiltration and enables attackers to irreversibly encrypt or delete recovery points, effectively neutralising an organisation's ransomware recovery capabilities.
January 8, 2026
Threat alert
December 29, 2025
MacSync Stealer Malware
Jamf Threat Labs has identified a significant evolution in the deployment tactics of the MacSync Stealer malware. Previously reliant on social engineering techniques such as "ClickFix" or "drag-to-terminal" instructions, threat actors have shifted towards a more sophisticated approach. The malware is now being distributed as a code-signed Swift application, significantly increasing its ability to bypass standard macOS security controls.
January 2, 2026
Threat alert
December 18, 2025
SantaStealer Malware-as-a-Service
Rapid7 Labs has uncovered a new, actively developing Malware-as-a-Service (MaaS) threat known as "SantaStealer". Currently promoted via Telegram and underground forums (specifically the Russian-language forum Lolz), this malware is an evolution of the previously identified "BluelineStealer".
December 29, 2025