Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2022-20775: Cisco SD-WAN Path Traversal Vulnerability

Vendor/Product: Cisco SD-WAN

Description: Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.

Required Action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CISA Due Date: 2026-02-27

Reference: CVE-2022-20775 - NVD


CVE-2026-20127: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability

Vendor/Product: Cisco Catalyst SD-WAN Controller and Manager

Description: Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Required Action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CISA Due Date: 2026-02-27

Reference: CVE-2026-20127 - NVD


CVE-2026-25108: Soliton Systems K.K FileZen OS Command Injection Vulnerability

Vendor/Product: Soliton Systems K.K FileZen

Description: Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs in to the affected product and sends a specially crafted HTTP request.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-03-17

Reference: CVE-2026-25108 - NVD


CVE-2025-49113: RoundCube Webmail Deserialization of Untrusted Data Vulnerability

Vendor/Product: Roundcube Webmail

Description: RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-03-13

Reference: CVE-2025-49113 - NVD


CVE-2025-68461: RoundCube Webmail Cross-site Scripting Vulnerability

Vendor/Product: Roundcube Webmail

Description: RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-03-13

Reference: CVE-2025-68461 - NVD


📰 This Week’s Security News

Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023

Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to co…



Chinese cyberspies breached dozens of telecom firms, govt agencies

Google’s Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese threat actor that used SaaS API calls to hide malicious traffi…



Marquis sues SonicWall over backup breach that led to ransomware attack

Marquis Software Solutions has filed a lawsuit against SonicWall, accusing the cybersecurity company of gross negligence and misrepresentation that allegedly led to a ransomware attack disrupting oper…



✅ What You Should Do This Week

  • Immediate: Patch CVE-2022-20775, CVE-2026-20127 (actively exploited)
  • Verify: Check your systems against CISA KEV catalog
  • Monitor: Review Azure AD sign-in logs for suspicious activity
  • Audit: Verify MFA is enforced for all privileged accounts
  • Backup: Test your disaster recovery procedures
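
One way to run the "Verify" step against an asset list, as an added example that is not part of the original digest. The KEV entries are a constructed sample built from this digest's five CVEs using the field names of CISA's KEV JSON feed; the inventory, hostnames and token-matching heuristic are assumptions.

```python
from datetime import date

# Constructed sample: the five entries from this digest, using the field
# names of CISA's KEV JSON feed (cveID, vendorProject, product, dueDate).
KEV_ENTRIES = [
    {"cveID": "CVE-2022-20775", "vendorProject": "Cisco", "product": "SD-WAN", "dueDate": "2026-02-27"},
    {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller and Manager", "dueDate": "2026-02-27"},
    {"cveID": "CVE-2026-25108", "vendorProject": "Soliton Systems K.K", "product": "FileZen", "dueDate": "2026-03-17"},
    {"cveID": "CVE-2025-49113", "vendorProject": "Roundcube", "product": "Webmail", "dueDate": "2026-03-13"},
    {"cveID": "CVE-2025-68461", "vendorProject": "Roundcube", "product": "Webmail", "dueDate": "2026-03-13"},
]

# Hypothetical asset inventory (constructed): hostname, vendor, product.
INVENTORY = [
    {"host": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager"},
    {"host": "mail-web-02", "vendor": "Roundcube", "product": "Webmail"},
    {"host": "fw-edge-01", "vendor": "Cisco", "product": "ASA"},
]

def _tokens(text):
    # Normalise "SD-WAN" / "sd wan" style differences into comparable word sets.
    return {t for t in text.lower().replace("-", " ").split() if t != "and"}

def kev_exposure(inventory, kev_entries, today):
    """Return (host, cveID, dueDate, days_left) rows, most urgent first."""
    rows = []
    for asset in inventory:
        a_tok = _tokens(asset["product"])
        for e in kev_entries:
            if asset["vendor"].lower() != e["vendorProject"].lower():
                continue
            k_tok = _tokens(e["product"])
            # Heuristic: same vendor and one product name contained in the
            # other. Hits are candidates to confirm against version data.
            if a_tok and (k_tok <= a_tok or a_tok <= k_tok):
                due = date.fromisoformat(e["dueDate"])
                rows.append((asset["host"], e["cveID"], e["dueDate"], (due - today).days))
    return sorted(rows, key=lambda r: (r[3], r[0], r[1]))

if __name__ == "__main__":
    for host, cve, due, days_left in kev_exposure(INVENTORY, KEV_ENTRIES, date.today()):
        print(f"{host:14} {cve:16} due {due} ({days_left:+d} days)")
```

A negative `days_left` means the CISA due date has already passed for that host.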

💡 Expert Analysis

This week’s focus is on Cisco SD-WAN vulnerabilities that have been actively exploited since 2023. This is particularly concerning for financial services organizations.

Why This Matters:

The CVE-2026-20127 authentication bypass is critical because:

  • Allows complete administrative access without credentials
  • Has been exploited in the wild for over 2 years before disclosure
  • Affects network fabric management (can manipulate entire SD-WAN deployments)

Priority Actions for Financial Services:

  1. Today: Check if you use Cisco SD-WAN (vManage, vSmart controllers)
  2. Immediate: Follow CISA Emergency Directive 26-03
  3. This Week:
    • Review network segmentation around SD-WAN controllers
    • Enable enhanced logging for SD-WAN access
    • Verify no unauthorized configuration changes occurred

The RoundCube vulnerabilities (CVE-2025-49113, CVE-2025-68461) are also critical if you use webmail:

  • CVE-2025-49113: deserialization of untrusted data that allows remote code execution
  • Exploitable by authenticated users (insider threat or compromised accounts)
  • Patch immediately if using RoundCube

Azure-Specific Recommendation:

If migrating from on-prem SD-WAN to Azure Virtual WAN, now is a good time to accelerate that migration to reduce attack surface.



GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.