Cyber Security Weekly Briefing, 21-27 February

February 27, 2026

Urgent update to the stable channel of Chrome due to three vulnerabilities

Google has released an urgent update to the stable channel of Chrome for desktop, upgrading it to version 145.0.7632.109/110 on Windows and macOS and 144.0.7559.109 on Linux, with a progressive rollout. The new version includes three patches: CVE-2026-2648 (CVSSv3 8.8), a buffer overflow in PDFium; CVE-2026-2649 (CVSSv3 8.8), an integer overflow in the V8 engine; and CVE-2026-2650 (CVSSv3 8.8), a buffer overflow in the Media component.

It should be noted that, while Google classified the first two flaws as high severity and the third as medium, CISA-ADP has classified all three as high severity by assigning them the same CVSSv3 score of 8.8. These flaws could allow remote attackers to corrupt process memory and execute code remotely. Google is restricting access to the technical details of the bugs until the majority of the user base has applied the patches, thereby minimising the risk of active exploitation.

Immediate updating is recommended to ensure the isolation of browser processes.

More info

SolarWinds fixes four critical flaws in Serv-U

SolarWinds has released security updates fixing four critical vulnerabilities in Serv-U that allow remote code execution with root or administrator privileges on unpatched servers. The most serious, CVE-2025-40538 (CVSSv3 7.2 according to NVD, but 9.1 according to SolarWinds), allows an attacker who already holds elevated privileges to create a system administrator user and execute arbitrary code by exploiting an access control flaw.

Alongside this, two type confusion vulnerabilities and one IDOR were fixed, all three with the same CVSSv3 score as the first and all likewise allowing maximum privileges to be obtained. Although every one of them requires the attacker to hold prior credentials or high privileges, they remain dangerous in scenarios where they are chained with other privilege escalations or combined with stolen credentials. According to Shodan, more than 12,000 Serv-U servers are publicly exposed, representing a large attack surface.

More info

UNC2814 global campaign against telecommunications companies and government agencies

Google Threat Intelligence has attributed to UNC2814, an actor originating in China and active since 2017, a campaign with 53 confirmed victims in 42 countries, plus suspicious activity in at least 20 additional countries, in the telecommunications and government sectors. The group employed a C backdoor called GRIDTIDE that uses the Google Sheets API as command and control infrastructure, hiding malicious traffic within legitimate requests without exploiting any vulnerability in Google products.

After the initial compromise, the actor moved laterally via SSH using service accounts, established persistence through /etc/systemd/system/xapt.service, deployed SoftEther VPN Bridge for encrypted outbound communications, and targeted systems holding PII. GRIDTIDE executes arbitrary commands, uploads and downloads files, uses AES-128 in CBC mode with a 16-byte key to decrypt configurations fetched from Google Drive, and authenticates via service accounts. Its C2 mechanism is cell-based: it polls cell A1 for commands, stores data in the range A2:An and metadata in V1, and applies URL-safe Base64 encoding.

GTIG confirmed that the activity is unrelated to Salt Typhoon and that initial access may have involved the exploitation of web servers and perimeter systems.

More info

Diesel Vortex: organised network steals transport identities and diverts shipments in the US and Europe

Researchers at Have I Been Squatted have documented the activity of the financially motivated threat actor known as Diesel Vortex, which has been stealing credentials from transport and logistics operators in the US and Europe through a phishing campaign using 52 domains. Victims include platforms such as DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and EFS. The operation was uncovered thanks to an exposed repository containing SQL databases and Telegram logs, which linked the actor to Russian infrastructure and Armenian-speaking operators.

The investigation revealed nearly 3,500 pairs of stolen credentials, of which 1,649 were unique. The group operated as a highly structured organisation with a call centre, email support, programmers and staff dedicated to capturing contacts in the sector. Their tactics included typosquatting, precise cloning of logistics portals, vishing and impersonation on Telegram channels. The phishing pages captured credentials, transport data, financial information, and 2FA codes, all controlled in real time by Telegram bots.

In addition to credential theft, Diesel Vortex engaged in carrier impersonation, mailbox compromise, and double brokering for the diversion and theft of cargo.

More info

Cisco confirms active exploitation of a 10.0 vulnerability in Catalyst SD-WAN

Cisco has warned of the active exploitation of CVE-2026-20127 (CVSSv3 10.0 according to the vendor), a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The flaw stems from a faulty peering authentication mechanism that allows a remote attacker to send crafted requests and authenticate as a high-privileged, non-root internal user, gaining access to NETCONF and modifying the SD-WAN mesh configuration.

Cisco Talos attributes exploitation of the flaw, ongoing since 2023, to UAT-8616, an actor it describes as highly sophisticated. The intrusions included escalation to root via a downgrade and exploitation of CVE-2022-20775 (CVSSv3 7.8 according to the vendor), followed by firmware restoration to evade detection. For its part, CISA issued Emergency Directive ED 26-03, requiring federal agencies to inventory affected devices, collect forensic artefacts, apply patches, and review for compromise associated with both CVEs. Joint CISA and NCSC guidance warns of global campaigns aimed at inserting rogue peers and maintaining persistence with elevated privileges.

Cisco indicates that there are no workarounds and that the only mitigation is to update to patched versions, while urging users to audit /var/log/auth.log for entries of the form "Public Key Accepted for vmanage-admin" originating from unknown IP addresses.
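As an added example (not code from Cisco or the briefing), the following Python script performs the auth.log audit described above: it flags key-based logins as vmanage-admin from source addresses outside an allowlist of known peers. The log lines are constructed, the allowlist is hypothetical, and the wording Cisco refers to is assumed to correspond to OpenSSH's "Accepted publickey for <user> from <ip>" message, so the pattern tolerates both spellings.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/auth.log lines (not real data).
SAMPLE_AUTH_LOG = """\
Feb 24 03:12:41 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.10.0.5 port 50122 ssh2: RSA SHA256:constructed
Feb 24 03:15:02 vmanage sshd[2290]: Accepted password for admin from 10.10.0.9 port 50130 ssh2
Feb 24 04:01:17 vmanage sshd[2410]: Accepted publickey for vmanage-admin from 198.51.100.23 port 41522 ssh2: RSA SHA256:constructed
Feb 24 04:02:55 vmanage sshd[2418]: Public Key Accepted for vmanage-admin from 203.0.113.7
Feb 24 04:10:00 vmanage sshd[2444]: Failed password for root from 203.0.113.9 port 41600 ssh2
"""

# Hypothetical allowlist: the networks from which legitimate SD-WAN peers
# (controllers and managers) are expected to connect.
KNOWN_PEERS = ("10.10.0.0/24",)

# Matches both the OpenSSH wording and the wording quoted by Cisco.
LOGIN_RE = re.compile(
    r"(?:Accepted publickey for|Public Key Accepted for)\s+"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[0-9a-fA-F.:]+)",
    re.IGNORECASE,
)


def find_unknown_peer_logins(log_text, known_peers=KNOWN_PEERS, user="vmanage-admin"):
    """Return (line_no, source_ip) for key-based logins as `user` whose
    source address is outside every network in `known_peers`."""
    nets = [ip_network(n) for n in known_peers]
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOGIN_RE.search(line)
        if not m or m.group("user") != user:
            continue
        try:
            src = ip_address(m.group("ip"))
        except ValueError:  # malformed address in the log: skip, do not crash
            continue
        if not any(src in net for net in nets):
            hits.append((line_no, str(src)))
    return hits


if __name__ == "__main__":
    for line_no, src in find_unknown_peer_logins(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: vmanage-admin key login from unknown peer {src}")
```

On the sample above the script reports lines 3 and 4; password logins and logins from the allowlisted network are ignored.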

More info