Cisco, Five Eyes alliance urge immediate patching for Cisco Catalyst SD-WAN zero day

OpenAI refused to assist in online smear and other misdeeds, Shinyhunters pressures Odido with first leak of stolen data, Only a small fraction of new vulnerabilities are exploited, Mississippi Medical Center closed through Friday, Anthropic denies it won't support military cyber action, much more

Cisco, Five Eyes alliance urge immediate patching for Cisco Catalyst SD-WAN zero day

Check out my latest CSO piece that spells out how the Five Eyes cybersecurity agencies are warning that a critical Cisco SD-WAN vulnerability is under active exploitation and should be patched immediately.


Metacurity is a daily intelligence layer for people who must stay current on the critical happenings in the cybersecurity realm.

We scan thousands of sources on the web to decode the narrative, surface overlooked signals, and connect the dots others miss.

Every day, Metacurity delivers independent, analytical, and daily intelligence that sits outside the cybersecurity echo chamber and reputation economy of other newsletters. Along with the headline-grabbing news items, Metacurity delivers news of developments you won't see in other cybersecurity newsletters.

Please consider supporting Metacurity's continued existence by upgrading your subscription. Thank you.


Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.

CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.

Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability.

In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that "is not working properly."

"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system," reads the Cisco CVE-2026-20127 advisory.

"A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."

Cisco Catalyst SD-WAN is a software-defined networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. Its controllers distribute the routing and policy that steer traffic between sites over encrypted tunnels.

By adding a rogue peer, an attacker can insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into the organization's network.

A separate advisory from Cisco Talos says the flaw was actively exploited in attacks and is tracking the malicious activity under "UAT-8616," which it assesses with high confidence was conducted by a highly sophisticated threat actor.

Talos reports that its telemetry shows exploitation dating back to at least 2023, with intelligence partners stating that the threat actor likely escalated to root by downgrading the device to an older software version, exploiting CVE-2022-20775 to gain root access, and then restoring the original software version.

On February 25, 2026, CISA issued Emergency Directive 26-03 requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates, and investigate potential compromises tied to CVE-2026-20127 and CVE-2022-20775.

CISA said the exploitation poses an imminent threat to federal networks and that devices must be patched by 5:00 PM ET on February 27, 2026.

A joint hunt and hardening guide from CISA and the UK's National Cyber Security Centre warned that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to add rogue peers, then conduct follow-on actions to achieve root access and maintain persistent control. (Lawrence Abrams / Bleeping Computer)

Related: Cisco, CISA, Cisco Talos Blog, CISA, Cisco, CSO, Nextgov/FCW, National Cyber Security Centre, CISA, Cybersecurity Dive, The Cyber Express, DataBreachToday.com, CyberScoop, Cyber Security News, Cyber Daily, iTnews, Federal News Network, The Stack, Help Net Security, ComputerWeekly.com, The Record, Infosecurity Magazine, Security Week
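The hunt guidance above boils down to one check a defender can automate: compare the peers the controller currently accepts against an inventory held somewhere the attacker cannot edit. The following Python is an added example written for this page, not Cisco's, Talos's or CISA's code. It assumes a JSON export of the controller's control connections with constructed field names (system_ip, serial, role, site, state), which is not Cisco's real schema, and a constructed inventory; both data sets are invented for illustration.

```python
import json

# Constructed inventory of the peers that belong in the fabric, keyed by
# system IP. Illustrative values only, not a real deployment.
EXPECTED_PEERS = {
    "10.1.0.1": {"serial": "SN-CTRL-0001", "role": "controller", "site": 100},
    "10.1.0.2": {"serial": "SN-CTRL-0002", "role": "controller", "site": 100},
    "10.2.0.11": {"serial": "SN-EDGE-0011", "role": "edge", "site": 201},
    "10.2.0.12": {"serial": "SN-EDGE-0012", "role": "edge", "site": 202},
}

# Constructed snapshot shaped like a JSON export of the controller's control
# connections. The field names are an assumption, not Cisco's schema.
CONTROL_CONNECTIONS = json.dumps([
    {"system_ip": "10.1.0.2", "serial": "SN-CTRL-0002", "role": "controller", "site": 100, "state": "up"},
    {"system_ip": "10.2.0.11", "serial": "SN-EDGE-0011", "role": "edge", "site": 201, "state": "up"},
    {"system_ip": "10.2.0.12", "serial": "SN-EDGE-0012", "role": "edge", "site": 202, "state": "up"},
    # Two planted anomalies: a system IP nobody inventoried, and a known
    # system IP presenting a serial that does not match the inventory.
    {"system_ip": "10.9.9.9", "serial": "SN-UNKNOWN-99", "role": "edge", "site": 999, "state": "up"},
    {"system_ip": "10.1.0.1", "serial": "SN-CTRL-ROGUE", "role": "controller", "site": 100, "state": "up"},
])


def find_rogue_peers(connections_json: str, expected: dict) -> dict:
    """Diff observed peers against the off-box inventory.

    Returns peers absent from the inventory ("unknown"), peers whose serial
    differs from the recorded one ("serial_mismatch", as (ip, expected,
    observed) tuples), and inventoried peers not currently connected ("missing").
    """
    observed = json.loads(connections_json)
    unknown, mismatch, seen = [], [], set()
    for peer in observed:
        ip = peer["system_ip"]
        seen.add(ip)
        if ip not in expected:
            unknown.append(ip)
        elif peer["serial"] != expected[ip]["serial"]:
            mismatch.append((ip, expected[ip]["serial"], peer["serial"]))
    missing = sorted(set(expected) - seen)
    return {"unknown": unknown, "serial_mismatch": mismatch, "missing": missing}


if __name__ == "__main__":
    for kind, items in find_rogue_peers(CONTROL_CONNECTIONS, EXPECTED_PEERS).items():
        for item in items:
            print(f"{kind}: {item}")
```

The inventory must live off the controller: an attacker who can reach NETCONF as a high-privileged account can rewrite the on-box configuration, so a diff against the controller's own records proves nothing. The same applies to logs, which is why the emergency directive calls for external log storage and for collecting forensic artifacts before patching.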

OpenAI issued an update to its latest report on disrupting malicious uses of AI, noting, among other things, that its ChatGPT service refused to assist an individual associated with Chinese law enforcement in planning an online campaign to discredit the Japanese prime minister.

The San Francisco-based startup detailed requests by the user that included editing status reports on a wider net of covert influence operations against domestic and foreign adversaries. OpenAI interpreted the evidence it gathered as indicative of a “large-scale, resource-intensive and sustained” effort by Chinese law enforcement to suppress dissent.

It also said it identified a series of misdeeds that included romance scams targeting Indonesians, a social media content farm linked to Russia, and more accounts deemed likely to have originated in China seeking information from US officials.

The plan targeting Sanae Takaichi, Japan’s first female prime minister, surfaced in mid-October, in the days leading up to her election, when she criticized the state of human rights in Inner Mongolia, according to OpenAI. The user sought help in crafting a plan that would amplify negative comments about Takaichi, accuse her of far-right leanings, and increase online pressure, the company said. (Vlad Savov / Bloomberg)

Related: OpenAI, Reuters, Nikkei Asia, OpenAI, OpenAI, CyberScoop, DigWatch, PYMNTS, Technology.org, The Register, Business Insider

The scammers used OpenAI's models to generate social media content promoting fake scam recovery services. Source: OpenAI.

The cybercriminal group Shinyhunters has published on the dark web the first batch of data it stole from Dutch telco giant Odido. The batch contains personal and financial data on hundreds of thousands of current customers, as well as former customers who have not had Odido subscriptions for years.

Shinyhunters warned that additional data could be published over the next 16 days if Odido does not pay the more than 1 million euros it demands as ransom.

The leaked files also contain sensitive internal notes on financially vulnerable customers. (Jasper Bunskoek, Wouter van Dijke and Daniël Verlaan / RTL News and Joost Schellevis / ROS)

Related: IOPlus, Techzine, NL Times

Researchers at VulnCheck report that would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, but only 1% of those defects, just 422, were exploited in the wild.

As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks.

“The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, said. “Prioritization is still a huge problem.”

Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi-reliable, now no longer are.” (Matt Kapko / CyberScoop)

Related: VulnCheck, Industrial Cyber, BetaNews

Source: VulnCheck.
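The prioritization shift the VulnCheck piece describes, ranking by evidence of exploitation before CVSS, is easy to put into a script. The following Python is an added example for this page, not VulnCheck's code. It parses a constructed excerpt in the shape of CISA's KEV catalog JSON feed (cveID, dateAdded, dueDate fields) and a constructed scanner output; the KEV entries for the two Cisco CVEs use the directive deadline on this page as their due date, which is an assumption, and every other CVE, CVSS score and asset name is invented.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV feed. The Cisco entries borrow the
# ED 26-03 deadline from this page as an assumed due date; the third is invented.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-20127", "dateAdded": "2026-02-25", "dueDate": "2026-02-27"},
        {"cveID": "CVE-2022-20775", "dateAdded": "2026-02-25", "dueDate": "2026-02-27"},
        {"cveID": "CVE-2025-11111", "dateAdded": "2025-11-03", "dueDate": "2025-11-24"},
    ]
})

# Constructed scanner findings: CVE, CVSS base score, asset, internet exposure.
SCAN_FINDINGS = [
    {"cve": "CVE-2026-20127", "cvss": 10.0, "asset": "sdwan-mgr-01", "exposed": True},
    {"cve": "CVE-2025-99999", "cvss": 9.8, "asset": "build-agent-07", "exposed": False},
    {"cve": "CVE-2025-11111", "cvss": 7.5, "asset": "web-fe-02", "exposed": True},
    {"cve": "CVE-2025-55555", "cvss": 9.1, "asset": "lab-box-03", "exposed": False},
    {"cve": "CVE-2022-20775", "cvss": 7.8, "asset": "sdwan-ctrl-02", "exposed": False},
]


def load_kev(feed_json: str) -> dict:
    """Map each known-exploited CVE ID to its remediation due date."""
    feed = json.loads(feed_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}


def prioritize(findings: list, kev: dict, today: date) -> list:
    """Order findings: known-exploited first, then internet-exposed, then CVSS.

    Each returned finding is a copy annotated with its KEV due date (None if
    not in the catalog) and whether that due date has already passed.
    """
    ranked = []
    for f in findings:
        due = kev.get(f["cve"])
        ranked.append({**f, "kev_due": due, "overdue": due is not None and due < today})
    # False sorts before True, so in-KEV and exposed come first; -cvss puts
    # higher scores first within a tier.
    ranked.sort(key=lambda f: (f["kev_due"] is None, not f["exposed"], -f["cvss"]))
    return ranked


if __name__ == "__main__":
    for f in prioritize(SCAN_FINDINGS, load_kev(KEV_FEED), date(2026, 2, 26)):
        flag = "OVERDUE" if f["overdue"] else ("KEV" if f["kev_due"] else "-")
        print(f'{flag:8} {f["cve"]:15} cvss={f["cvss"]:<4} {f["asset"]}')
```

Run against the sample, a CVSS 7.8 known-exploited bug on an internal controller ranks above a CVSS 9.8 bug with no exploitation evidence, which is the point Condon makes: the score alone no longer tells you where to start.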

The University of Mississippi Medical Center said it has canceled regularly scheduled clinic appointments and elective procedures through Friday as it continues to restore systems after a Feb. 19 cyberattack that targeted the hospital network.

UMMC said in a statement that it is making “significant progress” and added, “Through diligent, around-the-clock work, UMMC is hopeful that it will be able to resume normal clinic operations as soon as Monday.” The cancellations extend statewide disruptions in care to more than a week, the statement said.

The medical center said the attack compromised its IT network and forced a shutdown of all network systems, including electronic patient health records, and that patients across Mississippi have missed appointments and surgeries. Jimmie Elaine White of Brandon said she had a follow-up appointment scheduled Feb. 19 to review ultrasound results and has been unable to reschedule. “I’m worried that I’m going to have a stroke,” she said.

UMMC said all its hospitals and emergency departments in Jackson, Madison County, Holmes County, and Grenada remain open and that canceled appointments will be rescheduled. Baptist Memorial said it has increased staffing and “welcomed patients in our emergency department and clinics to help offset any immediate needs and meet increased demands for health care in our community,” spokesperson Kimberly Alexander said. (Jon Ross Myers / Tippah News)

Related: The Mississippi Independent, Mississippi Today, WXXV

A confrontation between Anthropic and the Pentagon has exposed the Defense Department’s reliance on Anthropic in a head-to-head military rivalry with US adversaries, including China.

Yet the battle also amplifies the tension between Silicon Valley and the Pentagon over who controls the future of AI as a tool of war and surveillance, including whether the rapidly evolving technology can be used in a lawful manner.

CEO Dario Amodei and his team have shown little intention of backing down and insist they're on the right side of history. Only last month, Amodei was sounding dire warnings about the threat posed by fully autonomous weapons and the risk that AI might end up spying on the very people it's meant to protect. Defense Secretary Pete Hegseth is demanding that Anthropic drop those two restrictions so that the Pentagon can deploy military AI unencumbered by the company's safety requirements.

Moreover, Amodei and his team deny a Pentagon official's account of a December phone call in which the CEO is said to have stated that the company wouldn't allow military action using Anthropic technology.

An Anthropic spokesperson rejected the Pentagon official’s description of the December call, reported earlier by Semafor, as “patently false. Dario didn't say this, and every iteration of our proposed contract language would enable our models to support missile defense and similar uses,” the spokesperson said.

During that call, Anthropic conceded the Defense Department could use its AI tools for missile defense and cyber operations, according to a person familiar with the matter. Unsatisfied, the Pentagon continues to pressure Anthropic to further loosen its usage rules in a disagreement that has stretched on for at least two months. (Katrina Manson, Maggie Eastland, and Kendall Taggart / Bloomberg)

Ruslan Satuchin, a Moscow resident, has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB), according to local media reports.

Russian outlet RBC, citing sources familiar with the investigation, reported on Wednesday that Satuchin allegedly presented himself as an FSB officer and demanded a large payment from Conti members in exchange for avoiding criminal prosecution.

The scheme allegedly began in September 2022, when Satuchin contacted one of Conti’s members and claimed to influence law enforcement activities targeting the group, the sources said.

Satuchin denies wrongdoing. He is being held in pre-trial detention in Moscow after a criminal case was formally opened in September 2025. Police said he could interfere with witnesses if released. Defense lawyers requested house arrest, citing his family ties and saying he did not attempt to flee despite knowing about the investigation.

If convicted, he could face up to 10 years in prison and a fine of up to 1 million rubles ($13,000). (Daryna Antoniuk / The Record)

Related: RBC, TechNadu

Five major UK news organisations have banded together with the aim of developing shared AI licensing standards.

Financial Times CEO Jon Slade called for the formation of a “NATO for news” at an industry conference last year.

Now the FT, The Guardian, The Telegraph, BBC, and Sky News have founded SPUR: the Standards for Publisher Usage Rights coalition.

They started discussions in response to concerns over unlicensed scraping of content by AI companies, deciding they should work together on potential solutions.

They aim to develop shared industry standards on ways journalism can be used sustainably for AI tools, ensuring this is “transparent and scalable” and protects publishers’ intellectual property.

Guardian chief executive Anna Bateson, FT CEO Jon Slade, Telegraph CEO Anna Jones, BBC director general Tim Davie, and Sky News executive chairman David Rhodes have co-signed an open letter to their “fellow leaders in global media” to explain the idea behind SPUR.

They said: “Across the industry, our reporting, our archives, our original content, have become foundational training material for AI systems. This material has been scraped, copied, and reused with no common standards to enable permission or payment, weakening the economic model that supports journalism. The lack of transparency about how AI answers are created risks eroding public trust in both the news and the technologies used to access it.” (Charlotte Tobitt / Press Gazette)

Related: Financial Times, The Hollywood Reporter, BBC, Variety

Blockchain research company Chainalysis released its annual analysis of the ransomware economy, finding that while claimed attacks grew by 50%, victim payment rates dropped to a record low of 28%.

Chainalysis tracked about $820 million in payments to ransomware actors in 2025, but noted the figure is expected to rise to $900 million as they attribute more incidents and payments to ransomware gangs. In 2024, the figure was initially tracked as $813 million and eventually grew to $892 million as more payments were discovered.

The company’s researchers attributed the stark increase in attacks and slowdown in payments to several factors impacting the ransomware ecosystem.

Companies are getting better at incident response, they said, and regulatory scrutiny has increased to the point where payouts are now heavily discouraged. (Jonathan Greig / The Record)

Related: Chainalysis, Bleeping Computer

Source: Chainalysis.

In their latest annual threat report, researchers at Darktrace report a 20% year‑over‑year increase in publicly disclosed vulnerabilities, even as attackers increasingly bypass these weaknesses in favor of credential abuse and identity‑led intrusions.

The trend is reinforced by attackers’ growing focus on stealing high‑value identities. More than 8.2 million phishing emails targeted VIPs in 2025, amounting to over a quarter of all phishing activity identified in that period, reflecting a deliberate effort to compromise privileged accounts that can unlock broader access across cloud and SaaS ecosystems.

Once inside, attackers use legitimate tools and permissions to disguise their attack as normal activity, making lateral movement fast and difficult to detect. Detecting and responding to identity abuse across these highly distributed environments has become one of the hardest problems in cybersecurity.

Related: Darktrace

The top ransomware families observed in Darktrace incidents in 2025.

Top French football club Olympique de Marseille has moved to reassure supporters after a recent cyberattack attempt, saying in a statement that fans’ bank data and passwords were not compromised.

The attempted intrusion, whose source has not been disclosed, took place in recent days. The club said the situation was assessed swiftly and brought under control. The update came while the squad recuperates in Marbella after a run of poor results.

The club said the incident was contained without major impact, that operations are continuing as normal and in safe conditions, and that enquiries into the affected area continue. (OneFootball)

Related: Sarawak Tribune, L'EQUIPE

Software engineer Sammy Azdoufal's effort to steer his new DJI robot vacuum with a video game controller inadvertently granted him a sneak peek into thousands of people's homes.

While building his own remote-control app, Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI's cloud servers. He soon discovered that the same credentials that let him see and control his own device also gave him access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.

The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing.

He shared his findings with The Verge, which quickly contacted DJI to report the flaw. While DJI tells Popular Science the issue has been “resolved,” the episode underscores long-standing warnings from cybersecurity experts that internet-connected robots and other smart home devices are attractive targets for hackers. (Mack DeGeurin / Popular Science)

Related: Fortune, Popular Science, The Verge, The Times of India, BroBible, PCGamer, WION, The Guardian
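The DJI report describes the classic shape of a broken object-level authorization bug: the backend verifies that a caller is logged in but never verifies that the caller owns the device it asks for. The following Python is an added example written for this page; it is not DJI's code and does not describe how DJI's backend is actually built. The session table, device table, function names and feed URLs are all hypothetical, constructed to show the vulnerable pattern next to the corrected one.

```python
# Constructed session and device tables. Names and URLs are hypothetical
# stand-ins for whatever a real vendor backend uses.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICES = {
    "vac-1001": {"owner": "alice", "feed": "rtsp://example.invalid/vac-1001"},
    "vac-1002": {"owner": "bob", "feed": "rtsp://example.invalid/vac-1002"},
}


def _authenticate(token: str) -> str:
    """Resolve a session token to a user, rejecting unknown tokens."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("invalid session token") from None


def get_feed_vulnerable(token: str, device_id: str) -> str:
    """Authenticates the caller but never checks who owns the device.

    Any valid session can therefore pull any device's feed by guessing or
    enumerating device IDs, which is the pattern the DJI report describes.
    """
    _authenticate(token)
    return DEVICES[device_id]["feed"]


def get_feed_hardened(token: str, device_id: str) -> str:
    """Object-level authorization: the caller must own the requested device.

    An unknown device and a device owned by someone else raise the same
    error, so the endpoint cannot be used to enumerate which IDs exist.
    """
    user = _authenticate(token)
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != user:
        raise PermissionError("device not found or not owned by caller")
    return device["feed"]


if __name__ == "__main__":
    # Alice asks for Bob's vacuum: the vulnerable endpoint hands it over,
    # the hardened one refuses.
    print("vulnerable:", get_feed_vulnerable("tok-alice", "vac-1002"))
    try:
        get_feed_hardened("tok-alice", "vac-1002")
    except PermissionError as exc:
        print("hardened:", exc)
```

The fix is an ownership lookup per request, not a change to authentication; the credentials in the report were perfectly valid, they were just honored for objects they should never have reached.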

Tel Aviv-based cybersecurity firm Gambit Security said on Wednesday it had raised $61 million in a Series A venture funding round as it emerged from more than a year in "stealth mode."

Spark Capital, Kleiner Perkins, and Cyberstarts participated in the round. (Steven Scheer / Reuters)

Related: Access Newswire, CTech, FinTech Global, TechInAsia

Best Thing of the Day: Public Sector Services Getting Safer in the UK

Serious security weaknesses in UK public sector websites are now fixed six times faster, with the average time to fix cut from nearly two months to just over a week, a result of the country's Blueprint for modern digital government, published in January 2025.

Worst Thing of the Day: Making Cybercrime Pro-Woman

The SLH collective is actively recruiting women for its voice phishing (vishing) campaign, offering upfront payments for social engineering calls targeting IT help desks.
