Introduction
A critical zero-day vulnerability in Cisco SD-WAN, tracked as CVE-2026-20127, is being actively exploited by threat actors to bypass authentication and gain administrative privileges on affected systems, allowing for remote code execution. This vulnerability has been observed being used in conjunction with a path traversal vulnerability, CVE-2022-20775, to escalate privileges. Meanwhile, the Lazarus Group, a North Korea-linked threat actor, has launched a Medusa ransomware campaign targeting healthcare organizations and other entities. Additionally, SolarWinds has patched critical flaws in its Serv-U file transfer software, highlighting the importance of regular software updates and vulnerability management. These threats pose a significant risk to organizations and individuals, emphasizing the need for urgent action to protect against them.
The stakes are high, with multiple government agencies issuing warnings and guidance on mitigating the Cisco SD-WAN vulnerability, including CISA's Known Exploited Vulnerabilities (KEV) Catalog. The Lazarus Group's use of Medusa ransomware and other malware, such as Comebacker backdoor and Blindingcan RAT, demonstrates the ongoing threat of nation-state sponsored cyberattacks. Furthermore, the SolarWinds patches underscore the importance of keeping software up-to-date to prevent exploitation of critical vulnerabilities.
Cisco SD-WAN Zero-Day Under Active Exploitation
The zero-day vulnerability in Cisco SD-WAN exists because of an improper authentication mechanism, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account, and then access NETCONF to manipulate network configuration for the SD-WAN fabric. According to CISA, multiple government agencies have issued warnings and guidance on mitigating the vulnerability, including adding CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) Catalog. As reported by BleepingComputer, Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
Lazarus Group's Medusa Ransomware Campaign
The Lazarus Group is using Medusa ransomware in targeted attacks on healthcare organizations and other entities. The group is also leveraging other malware, including Comebacker backdoor and Blindingcan RAT, to gain initial access and escalate privileges. According to The Hacker News, the Lazarus Group has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East. As reported by Dark Reading, the group is also using Infohook info stealer in its recent attacks.
The campaign highlights the ongoing threat of nation-state sponsored cyberattacks, with the Lazarus Group linked to North Korea. The attacks have been observed targeting entities in the Middle East and U.S. healthcare sector, emphasizing the need for organizations to prioritize cybersecurity and protect against these threats.
SolarWinds Patches Critical Serv-U Flaws
SolarWinds has patched four critical vulnerabilities in its Serv-U file transfer software, including a broken access control vulnerability that allows an attacker to create a system admin user and execute arbitrary code. The vulnerabilities have a CVSS score of 9.1, indicating a critical severity level, and users are advised to update their software as soon as possible to prevent potential exploitation. According to The Hacker News, one of the vulnerabilities, CVE-2025-40538, is a broken access control vulnerability that allows an attacker to create a system admin user and execute arbitrary code.
The patches highlight the importance of regular software updates and vulnerability management in preventing cyberattacks. Organizations should prioritize keeping their software up-to-date to prevent exploitation of critical vulnerabilities like those patched by SolarWinds. As emphasized by CISA, regular software updates and vulnerability management are crucial in preventing cyberattacks and protecting against threats like the Cisco SD-WAN zero-day vulnerability.
Recommendations and Takeaways
To protect against these threats, organizations should:
- Prioritize patching the Cisco SD-WAN zero-day vulnerability (
CVE-2026-20127) and updating their Serv-U software to prevent exploitation. - Be aware of the Lazarus Group's Medusa ransomware campaign and take steps to protect against it, including implementing robust cybersecurity measures and conducting regular threat hunts.
- Remain vigilant and stay informed about emerging cyber threats to protect themselves and their assets.
- Implement network perimeter controls, such as ensuring control components are behind a firewall, isolating virtual private network (VPN) interfaces, and using internet protocol (IP) blocks for manually provisioned edge IPs.
- Use pairwise keys for control and data plane security, limit session timeout to the shortest period possible, and forward logs to a remote syslog server.
By following these recommendations and staying informed about emerging cyber threats, organizations can protect themselves against the Cisco SD-WAN zero-day vulnerability, the Lazarus Group's Medusa ransomware campaign, and other critical threats. As emphasized by CISA, regular software updates, vulnerability management, and robust cybersecurity measures are crucial in preventing cyberattacks and protecting against threats.