Breaking: Four CVEs Under Active Exploitation — Cisco SD-WAN, Dell RecoverPoint, Chrome, RoundCube
Breaking Threat Briefing — 3 March 2026
Prepared: 03 March 2026, 12:05 CET
Coverage window: Last 6 hours / Past 7 days (items confirmed as active this week)
Status: DRAFT — not for publication
---
1. Cisco Catalyst SD-WAN — Authentication Bypass + Privilege Escalation
Confidence: Confirmed (CISA Emergency Directive + Cisco advisory)
CVEs: CVE-2026-20127 (CVSS 10.0) · CVE-2022-20775 (CVSS 7.8)
Products: Cisco Catalyst SD-WAN Manager (formerly vManage), Catalyst SD-WAN Controller (formerly vSmart)
CISA issued Emergency Directive 26-03 on 25 February, ordering all federal civilian agencies to inventory, collect forensic artefacts from, and patch their Cisco SD-WAN infrastructure by 26–27 February. Cisco confirms exploitation has been ongoing since at least 2023.
CVE-2026-20127 allows an unauthenticated remote attacker to bypass authentication and gain high-privileged administrative access to the SD-WAN management plane. From there, an attacker can manipulate SD-WAN fabric configuration via NETCONF. CVE-2022-20775 is a path traversal flaw that allows an authenticated local attacker to escalate to root via the CLI — used in combination with the auth bypass to achieve full control.
Enterprise impact: Any organisation running Cisco Catalyst SD-WAN (formerly vManage/vSmart) is at risk. Exploitation allows complete network fabric takeover.
Action:
Patch immediately. No workaround available for CVE-2026-20127.
Follow CISA's Hunt & Hardening Guidance (linked below).
Collect forensic artefacts even if patched — assume possible prior compromise.
Sources:
CISA ED 26-03: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
Cisco advisory (CVE-2026-20127): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
Cisco advisory (CVE-2022-20775): https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sd-wan-priv-E6e8tEdF.html
KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Supplemental guidance: https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
---
2. Dell RecoverPoint for Virtual Machines — Hard-coded Credentials (CVSS 10.0)
Confidence: Confirmed (CISA KEV + Mandiant/Google Cloud reporting)
CVE: CVE-2026-22769
Product: Dell RecoverPoint for Virtual Machines (RP4VMs)
Dell shipped production versions of RecoverPoint for VMs with hard-coded credentials accessible via the Tomcat Manager interface (port 443). An unauthenticated remote attacker who can reach the management interface can log in with the static credentials, gain OS-level root access, and establish persistent backdoors. Mandiant (Google Cloud) reported that the vulnerability has been actively exploited in the wild — attribution sourced from their public blog.
CISA added this to KEV on 18 February with a 3-day remediation deadline (21 February), reflecting its assessed severity.
Enterprise impact: Organisations using Dell RecoverPoint for VM backup and disaster recovery are at risk of complete system compromise. Internet-reachable instances face the highest exposure.
Action:
Apply Dell's remediation script immediately: https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa
Review DSA-2026-079: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
Audit external exposure of RP4VM management interfaces.
Treat any previously exposed instance as potentially compromised.
Sources:
Dell DSA-2026-079: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
Mandiant/Google Cloud blog (referenced in KEV notes): https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
---
3. Google Chromium — CSS Use-After-Free (CVE-2026-2441)
Confidence: Confirmed (Google advisory + CISA KEV)
CVE: CVE-2026-2441 (CVSS 8.8)
Products: Google Chrome, Microsoft Edge, Opera — all Chromium-based browsers
Google disclosed and patched a use-after-free vulnerability in Chromium's CSS engine, confirmed as actively exploited in the wild at time of disclosure. A remote attacker can exploit this via a crafted web page to achieve heap corruption, potentially leading to arbitrary code execution in the browser context. CISA added it to KEV, confirming active exploitation.
Enterprise impact: Affects the majority of enterprise browser deployments. Exploitation requires only a user visiting a malicious or compromised page — no additional interaction needed.
Action:
Force-update Chrome, Edge, and other Chromium-based browsers across the enterprise immediately.
Chrome: Settings > Help > About Google Chrome (triggers update).
Consider emergency push via MDM/endpoint management if auto-update is disabled.
Sources:
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
The Hacker News coverage: https://thehackernews.com/2026/02/cisa-flags-four-security-flaws-under.html
---
4. RoundCube Webmail — RCE + XSS (February additions)
Confidence: Confirmed (CISA KEV)
CVEs: CVE-2025-49113 (RCE via deserialization) · CVE-2025-68461 (XSS via SVG)
Product: RoundCube Webmail
Two RoundCube vulnerabilities were added to the CISA KEV catalog in February, both confirmed as actively exploited. CVE-2025-49113 allows authenticated remote code execution via deserialization of untrusted data in the settings upload handler. CVE-2025-68461 is an XSS flaw exploitable via an SVG animate tag — consistent with the credential-harvesting campaigns historically associated with RoundCube exploitation.
Enterprise impact: Organisations running self-hosted RoundCube webmail (common in European government, education, and SME environments) are at risk. RCE can lead to full mail server compromise and credential theft at scale.
Action:
Upgrade to RoundCube 1.6.12 or 1.5.12 (addresses both CVEs).
Release notes: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
Due date per CISA: 13 March 2026.
Sources:
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
RoundCube release (CVE-2025-68461): https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
RoundCube release (CVE-2025-49113): https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
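Because the two CVEs were fixed in different point releases on each branch (1.6.11/1.5.10 for CVE-2025-49113, 1.6.12/1.5.12 for CVE-2025-68461, per the release notes above), a plain "is it 1.6.12 yet" check misses hosts that got the June update but not the December one. The following branch-aware triage helper is an added example for this briefing, not vendor or CISA code; the host inventory in it is constructed, and branches outside 1.5/1.6 are flagged for manual review rather than assumed fixed.

```python
"""Branch-aware RoundCube version triage for the two KEV-listed CVEs.

Fixed versions are taken from the release announcements linked in this
briefing: CVE-2025-49113 fixed in 1.6.11 / 1.5.10, CVE-2025-68461 fixed in
1.6.12 / 1.5.12. A host below the fix on its own branch is still exposed.
"""
from __future__ import annotations

# First fixed release per maintained branch, per CVE (from the linked release notes).
FIXED_IN: dict[str, dict[tuple[int, int], tuple[int, int, int]]] = {
    "CVE-2025-49113": {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)},
    "CVE-2025-68461": {(1, 6): (1, 6, 12), (1, 5): (1, 5, 12)},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a dotted release string such as '1.6.9' into a comparable (1, 6, 9)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised RoundCube version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def outstanding_cves(installed: str) -> list[str]:
    """Return the KEV CVEs for which the installed version carries no fix.

    A branch absent from FIXED_IN (e.g. an end-of-life 1.4.x install) has no
    fix shipped for it in the table, so both CVEs are reported for review.
    """
    version = parse_version(installed)
    branch = version[:2]
    missing: list[str] = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(branch)
        if fixed is None or version < fixed:
            missing.append(cve)
    return missing


def triage(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Map each host in a host -> version inventory to its outstanding CVEs."""
    return {host: outstanding_cves(version) for host, version in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"mail-a.example": "1.6.9", "mail-b.example": "1.6.11",
              "mail-c.example": "1.5.12", "mail-d.example": "1.4.15"}
    for host, cves in triage(sample).items():
        print(f"{host}: {'patched for both' if not cves else ', '.join(cves)}")
```

Feed it whatever your inventory tooling reports as the RoundCube version per host; anything returned non-empty is still inside the CISA due date window for remediation.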
---
Editorial Notes
Priority ranking for article: Cisco SD-WAN (#1 — Emergency Directive, 3-year exploitation, CVSS 10), Dell RecoverPoint (#2 — CVSS 10, active exploitation confirmed), Chrome (#3 — ubiquity, drive-by risk), RoundCube (#4 — niche but high-value target; pairs well as a sidebar).
Tone: Calm and actionable. These are all patch-and-verify situations with clear vendor guidance available.
Attribution note: Dell RecoverPoint exploitation was attributed by Mandiant to "UNC6201" in their public blog. This is Mandiant's own designation — acceptable to cite with proper sourcing.
Possible angle: The Cisco SD-WAN story is the lead — a CVSS 10 auth bypass exploited for 3 years that triggered a full CISA Emergency Directive is the rare "drop everything" item.