Breaking Threat Briefing - 4 March 2026
🚨 Breaking Threat Briefing:
Three items added to the CISA KEV catalog in the last 24 hours, with active exploitation confirmed or reported for all three. Two are enterprise-critical (VMware, Cisco SD-WAN). One is mobile-platform targeted.
---
1. VMware Aria Operations: Unauthenticated RCE
**CVE-2026-22719** | CVSS 8.1 | **Confirmed (CISA KEV + Broadcom advisory)**
What: Command injection in VMware Aria Operations (formerly vRealize Operations) exploitable by an unauthenticated attacker during support-assisted product migration. Leads to OS-level command execution as the Aria Operations service account. From there, attackers can extract stored vCenter/ESXi credentials and pivot to full virtualisation infrastructure control.
Who's exposed: Any enterprise running VMware Aria Operations with the migration service enabled and internet-accessible management interfaces.
Action:
- Apply the Broadcom patch (VMSA-2026-0001, released 24 February 2026) immediately.
- If patching is not immediately possible, run the official workaround script `aria-ops-rce-workaround.sh` as root on each appliance node; it disables the vulnerable migration service components.
- Verify that Aria Operations management interfaces are not internet-exposed.
Sources:
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Broadcom advisory (VMSA-2026-0001): https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
- BleepingComputer: https://www.bleepingcomputer.com/news/security/cisa-flags-vmware-aria-operations-rce-flaw-as-exploited-in-attacks/
- The Hacker News: https://thehackernews.com/2026/03/cisa-adds-actively-exploited-vmware.html
---
2. Cisco Catalyst SD-WAN: Authentication Bypass / Admin Privilege Escalation
**CVE-2026-20127** + **CVE-2022-20775** | **Confirmed (CISA KEV + Emergency Directive ED 26-03)**
What: Two vulnerabilities in Cisco's SD-WAN stack being tracked together under CISA Emergency Directive 26-03:
CVE-2026-20127 (SD-WAN Controller/Manager): An authentication bypass in the peering mechanism allows an unauthenticated remote attacker to obtain administrative privileges and access NETCONF, enabling manipulation of SD-WAN fabric configuration across an entire enterprise network.
CVE-2022-20775 (SD-WAN CLI): Path traversal vulnerability allowing a local authenticated attacker to escalate to root.
Who's exposed: Any organisation running Cisco Catalyst SD-WAN Controller (formerly vSmart) or SD-WAN Manager (formerly vManage); particularly relevant for distributed enterprise and branch-heavy architectures.
Action:
- If you haven't already patched, treat this as urgent: the ED 26-03 deadline has passed.
- Follow the CISA Hunt & Hardening Guidance to check for indicators of compromise.
- Review NETCONF access logs and admin account audit trails.
- Isolate SD-WAN management interfaces from untrusted networks.
Sources:
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA Emergency Directive 26-03: https://www.cisa.gov/emergency-directive-26-03
- Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-auth-bypass-26127
---
3. Qualcomm Multiple Chipsets: Memory Corruption (Android Zero-Day)
**CVE-2026-21385** | **Confirmed (CISA KEV + Google Android Security Bulletin)**
What: Memory corruption vulnerability in multiple Qualcomm chipsets (Graphics component). Google's March 2026 Android Security Bulletin confirms the flaw is "under limited, targeted exploitation." The flaw enables attackers to access sensitive memory data; the exploitation chain likely involves device-local privilege escalation or targeted surveillance tooling.
Who's exposed: Enterprise Android device fleets, especially unpatched or slow-to-update devices running on Qualcomm chipsets (the majority of Android flagships and mid-range enterprise devices). Higher risk for individuals who may be targeted (executives, legal/finance teams).
Action:
- Push the Android March 2026 security patch to managed device fleets via MDM.
- Prioritise devices on Qualcomm chipsets (Snapdragon series) running Android.
- For high-value individuals not on managed fleets: prompt a manual update.
- Note: "limited, targeted exploitation" suggests a sophisticated actor; standard precautions apply.
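As an added example (not from the briefing, Google or any MDM vendor), a Python triage of an MDM export of Android system properties that implements the prioritisation above: it assumes a per-device dict export, uses the real `ro.build.version.security_patch` property (YYYY-MM-DD) for the patch level, and treats `ro.soc.manufacturer` / `ro.hardware` values containing an assumed Qualcomm keyword as Qualcomm devices; the device rows are constructed samples.

```python
from datetime import date

REQUIRED_PATCH = "2026-03-01"                # March 2026 Android Security Bulletin level
QUALCOMM_HINTS = ("qualcomm", "qti", "qcom")  # assumed SoC identifiers (vendor-defined values)

# Constructed MDM export: one dict of Android system properties per device.
FLEET = [
    {"id": "exec-phone-01", "ro.build.version.security_patch": "2026-02-05",
     "ro.soc.manufacturer": "Qualcomm"},
    {"id": "warehouse-tab-07", "ro.build.version.security_patch": "2026-03-01",
     "ro.soc.manufacturer": "QTI"},
    {"id": "legal-phone-03", "ro.build.version.security_patch": "2025-11-01",
     "ro.hardware": "exynos"},                                   # non-Qualcomm, out of date
    {"id": "kiosk-02", "ro.build.version.security_patch": "2026-01-05"},  # SoC unknown
    {"id": "bad-record", "ro.soc.manufacturer": "qcom"},         # patch level missing
]

def is_qualcomm(props):
    """True if a SoC/hardware property mentions a Qualcomm keyword, False if the
    properties are present but do not, None if the export carries no SoC hint."""
    hints = [props.get(k, "").lower() for k in ("ro.soc.manufacturer", "ro.hardware")]
    if not any(hints):
        return None
    return any(q in h for h in hints for q in QUALCOMM_HINTS)

def classify(props, required=REQUIRED_PATCH):
    """Return 'ok', 'update' or 'urgent' for one device.
    urgent: below the required level on a Qualcomm or unknown SoC (conservative),
            or an unparseable/missing patch level.
    update: below the required level on a known non-Qualcomm SoC.
    ok:     at or above the required level."""
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "urgent"
    if level >= date.fromisoformat(required):
        return "ok"
    return "update" if is_qualcomm(props) is False else "urgent"

def triage_fleet(fleet, required=REQUIRED_PATCH):
    """Map each priority bucket to the sorted list of device ids in it."""
    buckets = {"urgent": [], "update": [], "ok": []}
    for dev in fleet:
        buckets[classify(dev, required)].append(dev["id"])
    return {k: sorted(v) for k, v in buckets.items()}
```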
Sources:
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Google Android Security Bulletin (March 2026): https://source.android.com/docs/security/bulletin/2026-03-01
- BleepingComputer: https://www.bleepingcomputer.com/news/security/google-patches-android-zero-day-actively-exploited-in-attacks/
- The Hacker News: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
---
Summary Table
| CVE | Product | Impact | CVSS | Exploitation Status | Patch Available |
|-----|---------|--------|------|-------------------|-----------------|
| CVE-2026-22719 | VMware Aria Operations | Unauthenticated RCE → vCenter pivot | 8.1 | Confirmed (KEV) | ✅ Yes (Feb 24) |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller/Manager | Auth bypass → admin / NETCONF | TBC | Confirmed (KEV + ED) | ✅ Yes |
| CVE-2026-21385 | Qualcomm Android Chipsets | Memory corruption / targeted exploitation | TBC | Confirmed (Google bulletin + KEV) | ✅ Yes (Android March patch) |
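To turn the table into a remediation queue, an added example (not part of the briefing or of CISA's tooling) that filters entries in the shape of CISA's KEV JSON feed by `dateAdded` and ranks them against a hypothetical internal asset inventory. The KEV field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) are the feed's real ones; the entries, their dates and due dates, and the inventory format are constructed.

```python
from datetime import date

# Constructed sample in the shape of known_exploited_vulnerabilities.json entries;
# dates and due dates are made up, CVE-0000-0000 is an obvious placeholder.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-22719", "vendorProject": "VMware", "product": "Aria Operations",
     "dateAdded": "2026-03-03", "dueDate": "2026-03-24"},
    {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
     "dateAdded": "2026-03-03", "dueDate": "2026-03-10"},
    {"cveID": "CVE-2026-21385", "vendorProject": "Qualcomm", "product": "Multiple Chipsets",
     "dateAdded": "2026-03-03", "dueDate": "2026-03-24"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo", "product": "Widget",
     "dateAdded": "2026-01-15", "dueDate": "2026-02-05"},
]
# Constructed, hypothetical internal asset export.
INVENTORY = [
    {"asset": "aria-ops-01", "vendor": "VMware", "product": "Aria Operations", "internet_exposed": True},
    {"asset": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager", "internet_exposed": False},
    {"asset": "android-fleet", "vendor": "Qualcomm", "product": "Snapdragon chipsets", "internet_exposed": False},
]

def _words(text):
    return set(text.lower().split())

def new_kev_since(entries, since_iso):
    """Entries whose dateAdded is on or after the given ISO date string."""
    since = date.fromisoformat(since_iso)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]

def triage(entries, inventory, today_iso):
    """Match KEV entries to assets (same vendor, overlapping product words) and rank them.
    P1: a matching asset is internet-exposed, or the KEV due date is within 7 days.
    P2: matching assets without either condition.  P3: nothing matching in inventory."""
    today = date.fromisoformat(today_iso)
    report = []
    for e in entries:
        hits = [a for a in inventory
                if a["vendor"].lower() == e["vendorProject"].lower()
                and _words(a["product"]) & _words(e["product"])]
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if not hits:
            prio = "P3"
        elif any(a["internet_exposed"] for a in hits) or days_left <= 7:
            prio = "P1"
        else:
            prio = "P2"
        report.append({"cve": e["cveID"], "assets": [a["asset"] for a in hits],
                       "days_to_due": days_left, "priority": prio})
    return sorted(report, key=lambda r: (r["priority"], r["days_to_due"]))
```

Feed the real download of the KEV JSON's `vulnerabilities` list in place of `KEV_SAMPLE` and yesterday's date as `since_iso` to get the same daily cut this briefing covers.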
---
*Sources: CISA KEV Catalog, Broadcom VMSA-2026-0001, CISA Emergency Directive 26-03, Google Android Security Bulletin March 2026*
*Drafted by Minerva. DRAFT ONLY: requires editorial review before publication.*