VulnHub

Researchers from Cisco Talos have found that attackers are exploiting the email notification systems of popular SaaS platforms like GitHub and Jira to distribute phishing and spam emails. By sending these malicious emails from the platforms' own servers, the attackers bypass standard email security measures such as SPF, DKIM, and DMARC. This tactic allows them to deliver phishing messages that appear legitimate, effectively tricking users into engaging with the content. This incident raises serious concerns for organizations using these platforms, as it highlights a potential vulnerability in their email communication processes. Users of GitHub and Jira should be particularly vigilant about unexpected emails, even if they seem to come from trusted sources.

A significant credential harvesting campaign has been detected, utilizing the React2Shell vulnerability (CVE-2025-55182) to gain access to sensitive data from 766 Next.js hosts. Attackers are stealing various credentials, including database logins, SSH private keys, AWS secrets, Stripe API keys, and GitHub tokens. This operation has been linked to a threat group that Cisco Talos is monitoring. The widespread nature of this breach is concerning, as it affects a range of developers and companies using Next.js, potentially compromising their applications and user data. Companies need to be vigilant and take immediate steps to secure their systems against this threat.

Cisco has been targeted in a cyberattack that resulted in the theft of source code from its internal development environment. This breach was made possible through the use of stolen credentials linked to a prior supply chain attack on Trivy, a tool used for scanning container vulnerabilities. The attackers gained access to sensitive source code belonging not only to Cisco but also to its customers, raising serious concerns about the security of their products and services. This incident emphasizes the risks associated with credential theft and the potential for significant impacts on a wide range of users who rely on Cisco's technology. Companies should assess their security protocols to prevent similar breaches in the future.

The Interlock ransomware group has been exploiting a severe zero-day vulnerability in Cisco Secure Firewall Management Center software, identified as CVE-2026-20131, since January 26, prior to its public disclosure. This vulnerability allows for insecure deserialization, which can lead to unauthorized access and potential takeover of affected systems. Organizations using Cisco's Secure Firewall Management Center should be particularly vigilant, as the attacks have been ongoing for over a month, posing a significant risk to network security. The situation emphasizes the urgent need for timely security updates and monitoring to protect against such exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted government agencies about two significant security vulnerabilities affecting the Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint. Both flaws, identified as CVE-2025-66376 and another not specified in the article, have been found to be actively exploited by attackers. The CVE-2025-66376 vulnerability has a CVSS score of 7.2, indicating a moderate to high risk. Organizations using these platforms are urged to apply the necessary patches to protect against potential attacks. The exploitation of these vulnerabilities underscores the need for timely updates and vigilance in cybersecurity practices, especially for government entities.

The Interlock ransomware gang has been actively exploiting a serious remote code execution vulnerability in Cisco's Secure Firewall Management Center (FMC) software since late January. This flaw, classified as having maximum severity, allows attackers to execute arbitrary code on affected systems, putting organizations at significant risk. Companies using this software should be particularly vigilant, as the vulnerability is being exploited in ongoing attacks. Cisco has not yet released a patch to address this issue, which raises concerns about the potential for widespread impact. Organizations relying on Cisco FMC should prioritize security measures and closely monitor any unusual activity to safeguard their networks.

Amazon Threat Intelligence has issued a warning regarding an active ransomware campaign known as Interlock, which is exploiting a significant vulnerability in Cisco's Secure Firewall Management Center (FMC) Software. This vulnerability, identified as CVE-2026-20131, has a maximum severity score of 10.0 and stems from an insecure deserialization of user-supplied Java byte streams. This flaw could allow attackers to gain root access without authentication, posing a serious risk to organizations using affected Cisco products. The exploitation of this vulnerability is concerning as it enables unauthorized access, potentially leading to data breaches and system compromises. Companies using Cisco FMC Software must take immediate action to protect their systems from this ongoing threat.

Cisco has confirmed that two vulnerabilities in the Catalyst SD-WAN Manager are currently being exploited by attackers. The first vulnerability, identified as CVE-2026-20122, has a CVSS score of 7.1 and allows authenticated remote users to overwrite files on the local file system. This could lead to significant disruptions and unauthorized access to sensitive data. Organizations using the Catalyst SD-WAN Manager should take immediate action to address these vulnerabilities, as they pose a serious risk to network security. It’s crucial for affected users to monitor their systems closely and apply any available patches as soon as possible.

A new threat actor known as UAT-9921 has been targeting the technology and financial services sectors using a malware framework called VoidLink. Cisco Talos researchers discovered that UAT-9921 has been active since at least 2019, though this is the first time they have employed VoidLink in their attacks. The malware's modular design suggests it can be adapted for various purposes, raising concerns about its potential to evolve and impact a wide range of systems within these industries. Companies in the tech and finance sectors should be vigilant and enhance their security measures to defend against this emerging threat. The situation highlights the ongoing challenges organizations face in protecting sensitive information from sophisticated cyber attacks.