Breaking Threat Briefing: 7 March 2026
**7 March 2026 · 18:00 CET**
*Draft only — not for distribution*
---
Summary
Three confirmed exploitation campaigns are active this week: network infrastructure, virtualisation management, and mobile devices are all in scope. The Cisco SD-WAN cluster of flaws is the most operationally significant; the VMware Aria Operations flaw broadens the blast radius to virtualisation management planes; and the Apple iOS additions carry nation-state-grade exploit kit provenance. None of these are speculative. All are in CISA KEV or confirmed by the vendor.
---
Item 1: Cisco Catalyst SD-WAN: Authentication Bypass + Additional Exploited Flaws
**Status: CONFIRMED** (vendor advisory + CISA KEV + CISA Emergency Directive)
CVE-2026-20127 (CVSS 10.0): Authentication bypass in Cisco Catalyst SD-WAN Controller and Manager (formerly vSmart/vManage). Unauthenticated remote attackers can bypass authentication, gain administrative privileges, access NETCONF, and manipulate SD-WAN fabric configuration. Exploitation has been ongoing since at least 2023.
On top of the zero-day, Cisco confirmed this week that two additional flaws in SD-WAN Manager are now also actively exploited in the wild:
- CVE-2026-20122: arbitrary file overwrite (high severity); requires valid read-only API credentials
- CVE-2026-20128: information disclosure (medium severity); requires local access with valid vManage credentials
Impact: Full network fabric control is possible, enabling rogue peer insertion and deep lateral movement across SD-WAN-managed infrastructure. CISA issued Emergency Directive 26-03, requiring federal agencies to inventory affected systems, collect forensic artifacts, patch, and investigate for breach.
Actions:
- Immediately inventory all Cisco Catalyst SD-WAN Controller and Manager instances
- Apply vendor patches (no workarounds exist for CVE-2026-20127)
- Review for indicators: rogue peer additions, SSH key modifications, version downgrade/upgrade cycles
- Treat logs showing these as high-fidelity IOCs
Sources:
- Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- CISA Emergency Directive 26-03: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CVE-2026-20127, added 2026-02-25; CVE-2026-20122 and CVE-2026-20128 added March 2026)
- BleepingComputer: https://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/
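As an added example (not Cisco tooling and not from the advisory), the following Python hunts a normalised audit-event export for the three indicators named under Actions: peer additions, SSH key changes, and version downgrade/upgrade cycles. The one-object-per-line JSON schema, the sample events and the 6-hour cycle window are assumptions for this example, not the Manager's native log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON object per line. The schema
# (ts, device, action, detail) is an assumption for this example, not the
# native Catalyst SD-WAN Manager log format; normalise real exports to it.
SAMPLE_LOG = """
{"ts": "2026-03-01T10:00:00Z", "device": "mgr-01", "action": "software_activate", "detail": "20.12.3"}
{"ts": "2026-03-06T01:12:00Z", "device": "mgr-01", "action": "peer_add", "detail": "system-ip 10.9.9.9"}
{"ts": "2026-03-06T01:14:30Z", "device": "mgr-01", "action": "ssh_key_update", "detail": "user admin"}
{"ts": "2026-03-06T01:20:00Z", "device": "mgr-01", "action": "software_activate", "detail": "20.9.4"}
{"ts": "2026-03-06T02:05:00Z", "device": "mgr-01", "action": "software_activate", "detail": "20.12.3"}
{"ts": "2026-03-06T09:00:00Z", "device": "mgr-02", "action": "login", "detail": "user ops"}
{"ts": "2026-03-06T09:30:00Z", "device": "mgr-02", "action": "software_activate", "detail": "20.12.3"}
"""

# Peer additions and SSH key changes are hits on sight; software activations
# are judged against the device's own version history.
SINGLE_EVENT_IOCS = {"peer_add", "ssh_key_update"}
CYCLE_WINDOW = timedelta(hours=6)  # assumed: downgrade then upgrade within 6h

def version_key(v):
    """'20.9.4' -> (20, 9, 4) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def hunt(log_text, window=CYCLE_WINDOW):
    """Return (device, indicator, detail) tuples in log order."""
    hits = []
    current = {}      # device -> most recently activated version
    downgraded = {}   # device -> timestamp of the last detected downgrade
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        dev, action, detail = ev["device"], ev["action"], ev["detail"]
        if action in SINGLE_EVENT_IOCS:
            hits.append((dev, action, detail))
        elif action == "software_activate":
            prev = current.get(dev)
            if prev and version_key(detail) < version_key(prev):
                hits.append((dev, "version_downgrade", f"{prev} -> {detail}"))
                downgraded[dev] = ts
            elif prev and version_key(detail) > version_key(prev) \
                    and dev in downgraded and ts - downgraded[dev] <= window:
                hits.append((dev, "version_cycle", f"{prev} -> {detail}"))
            current[dev] = detail
    return hits

if __name__ == "__main__":
    for dev, indicator, detail in hunt(SAMPLE_LOG):
        print(f"{dev}: {indicator} ({detail})")
```

A downgrade is reported on its own because it is suspicious by itself; the cycle indicator fires only when an upgrade follows it within the window on the same device.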
---
Item 2: Cisco Secure Firewall Management Center: Dual Max-Severity Flaws
**Status: CONFIRMED** (vendor advisory; exploitation not yet publicly confirmed as of briefing time)
CVE-2026-20079 (CVSS 10.0): Authentication bypass in Cisco Secure FMC web interface. Unauthenticated remote attackers can bypass authentication and execute script files to gain root access to the underlying OS. Root cause: improper system process created at boot.
CVE-2026-20131 (CVSS 10.0): Remote code execution in Cisco Secure FMC and Cisco Security Manager. Allows execution of arbitrary Java code as root by unauthenticated remote attackers.
Impact: Full compromise of firewall management infrastructure. An attacker who controls the FMC controls all managed Cisco firewalls: policy rules, traffic inspection, and network segmentation are all within reach. Both vulnerabilities are exploitable without credentials.
Actions:
- Patch immediately. No known workarounds.
- Treat FMC as the highest-priority patching target this cycle
- Monitor for unauthorised policy changes, rule additions, or administrative sessions
Note: Cisco has not confirmed active exploitation of these two flaws in the wild as of this writing. Treat exploitation as imminent given the CVSS 10 scores and the context of the active SD-WAN campaign.
Sources:
- BleepingComputer: https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-secure-fmc-flaws-giving-root-access/
- CyberScoop: https://cyberscoop.com/cisco-critical-vulnerabilities-secure-firewall-management-center-software/
---
Item 3: VMware Aria Operations: Unauthenticated Command Injection (RCE)
**Status: CONFIRMED** (CISA KEV, added 2026-03-03; Broadcom vendor advisory)
CVE-2026-22719: Command injection in VMware Aria Operations (formerly vRealize Operations / vROps). An unauthenticated remote attacker can inject commands via the support-assisted product migration feature, leading to remote code execution with elevated (root-level) privileges.
Impact: Full compromise of the virtualisation management plane. Aria Operations has visibility into and control over the entire VMware estate. Compromise enables enumeration of all VMs, modification of infrastructure, and pivoting into any managed workload. FCEB agencies are required to remediate by 24 March 2026.
Actions:
- Apply Broadcom patches immediately (patches available; see vendor advisory)
- Review Aria Operations for evidence of unexpected command execution or support migration activity
- Restrict network access to management interfaces (not internet-exposed)
Sources:
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CVE-2026-22719, added 2026-03-03)
- BleepingComputer: https://www.bleepingcomputer.com/news/security/cisa-flags-vmware-aria-operations-rce-flaw-as-exploited-in-attacks/
- Dark Reading: https://www.darkreading.com/cloud-security/vmware-aria-operations-bug-exploited-cloud-risk
- The Hacker News: https://thehackernews.com/2026/03/cisa-adds-actively-exploited-vmware.html
---
Item 4: Apple iOS/iPadOS/macOS: Three CVEs from Coruna Exploit Kit Added to KEV
**Status: CONFIRMED** (CISA KEV, added 2026-03-05; linked to known exploit kit)
Three legacy Apple vulnerabilities were added to KEV, all associated with the "Coruna" iOS exploit kit:
- CVE-2023-41974: Use-after-free in the iOS/iPadOS kernel. An app may execute arbitrary code with kernel privileges.
- CVE-2021-30952: Integer overflow in Apple tvOS, macOS, Safari, iPadOS, and watchOS; processing malicious web content may lead to arbitrary code execution.
- CVE-2023-43000: Use-after-free in macOS, iOS, iPadOS, and Safari; processing malicious web content may lead to memory corruption.
Impact: All three affect enterprise-relevant Apple platforms. The Coruna connection suggests these are used in targeted delivery chains, not mass exploitation. They are still material for organisations with unpatched older Apple devices or delayed update cycles. FCEB deadline: 26 March 2026.
Actions:
- Ensure all Apple devices (iOS, iPadOS, macOS, Safari) are on current supported versions
- MDM-enrolled devices: verify patch compliance, particularly for older OS versions that may still be in use
- Prioritise devices held by executives, legal, finance, and security staff
Sources:
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CVE-2023-41974, CVE-2021-30952, CVE-2023-43000, all added 2026-03-05)
- SecurityWeek: https://www.securityweek.com/cisa-adds-ios-flaws-from-coruna-exploit-kit-to-kev/
---
Additional Context: Hikvision + Rockwell ICS Flaws (CISA KEV, 2026-03-05)
Not covered in depth here as they represent OT/ICS-specific risk rather than broad enterprise IT exposure, but worth flagging for organisations with operational technology environments:
- CVE-2017-7921: Hikvision improper authentication (CVSS 9.8). Allows privilege escalation on surveillance systems.
- CVE-2021-22681: Rockwell Automation Studio 5000 / Logix Controllers credential disclosure (CVSS 9.8). Could allow unauthorised connection to industrial controllers.
Both added to KEV 2026-03-05 with a 26 March remediation deadline.
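Every item in this briefing carries a KEV entry and, for most, a remediation deadline. As an added example (not CISA's code), the following Python cross-references a scanner-derived asset inventory against a KEV-shaped feed excerpt and orders the findings by days to deadline. The excerpt uses the real KEV JSON field names (cveID, vendorProject, product, dateAdded, dueDate) with the CVE IDs and dates stated above; the product strings, the inventory, and the placeholder CVE-2024-00000 are constructed for this example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs, dateAdded and dueDate values are those in this briefing; product
# strings are abbreviated. Fetch the live feed for the full catalogue.
KEV_EXCERPT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-22719", "vendorProject": "VMware", "product": "Aria Operations",
   "dateAdded": "2026-03-03", "dueDate": "2026-03-24"},
  {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "product": "iOS and iPadOS",
   "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "Cameras",
   "dateAdded": "2026-03-05", "dueDate": "2026-03-26"}
]}
""")

# Constructed inventory: host -> CVEs a scanner reported against it.
# CVE-2024-00000 is a placeholder for a finding that is not in KEV.
INVENTORY = {
    "vrops-prod-01": ["CVE-2026-22719", "CVE-2024-00000"],
    "cam-lobby-03": ["CVE-2017-7921"],
    "ipad-legal-17": ["CVE-2023-41974"],
    "web-dmz-02": ["CVE-2024-00000"],
}

def kev_index(feed):
    """Map cveID -> KEV entry, with dueDate parsed into a date object."""
    return {v["cveID"]: dict(v, due=date.fromisoformat(v["dueDate"]))
            for v in feed["vulnerabilities"]}

def prioritise(inventory, feed, today_iso):
    """Return (days_left, host, cve, product) for KEV-listed findings,
    most urgent first. A negative days_left means the deadline has passed."""
    idx, today, rows = kev_index(feed), date.fromisoformat(today_iso), []
    for host, cves in inventory.items():
        for cve in cves:
            entry = idx.get(cve)
            if entry is None:
                continue  # not in KEV: handle through the normal patch cadence
            rows.append(((entry["due"] - today).days, host, cve, entry["product"]))
    return sorted(rows)

def not_in_kev(inventory, feed):
    """Scanner findings that KEV does not (yet) list, for the regular queue."""
    idx = kev_index(feed)
    return sorted({c for cves in inventory.values() for c in cves if c not in idx})

if __name__ == "__main__":
    for days, host, cve, product in prioritise(INVENTORY, KEV_EXCERPT, "2026-03-07"):
        flag = "OVERDUE" if days < 0 else f"{days}d left"
        print(f"{flag:>10}  {host:<15} {cve:<16} {product}")
```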