Trending Topics

June 05, 2026

Cisco Patches Critical RCE Flaw CVE-2026-20230 in Unified Communications Manager

Cisco has released urgent security updates addressing CVE-2026-20230, a critical remote code execution vulnerability in Unified Communications Manager (Unified CM) that could allow unauthenticated attackers to gain root-level control over affected appliances. The flaw resides in the WebDialer component, where improper input validation permits specially crafted HTTP requests to perform arbitrary file writes on the underlying operating system. Once an attacker can write controlled data to disk, they can chain that into privilege escalation and full system takeover.

In vulnerable configurations, a remote attacker can target the Unified CM's WebDialer endpoint, send a malicious request, and pivot from file write to code execution with elevated privileges. From there, the attacker could intercept or manipulate voice traffic, harvest credentials, modify call routing, or use the Unified CM as a foothold for lateral movement deeper into the corporate network.

Widespread exploitation has not yet been reported, but public proof-of-concept code is already available - which means opportunistic scanning and automated attacks are likely to follow quickly. The vulnerability is exploitable only when the WebDialer service is enabled, and many organizations enable it to support click-to-call features and CRM or collaboration tool integrations, leaving internet-facing or internally exposed Unified CM nodes at risk.

In environments where Unified CM is treated as "just voice infrastructure," security hardening often lags behind other critical systems, increasing the chance that a successful compromise goes unnoticed. Unified communications platforms frequently sit in privileged network segments with access to directory services, voicemail storage, and call recording systems - amplifying the potential blast radius of any intrusion.

Cisco has released fixed builds for Unified CM versions 14SU6 and 15SU5. These should be treated as emergency patches, not routine maintenance. The immediate priority is to identify all Unified CM and Session Management Edition instances in your environment, verify whether WebDialer is enabled, and upgrade affected systems as soon as change windows allow. Where immediate patching is not possible, disabling the WebDialer service provides a practical short-term mitigation by reducing the exposed attack surface, though it may affect click-to-call workflows in the interim.

Critical Magento 2 RCE CVE-2026-45247 Actively Exploited

A critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 is being actively exploited in real-world attacks. CVE-2026-45247 affects all versions prior to 1.11.12, carries a CVSS score of 9.8, and has been added to CISA's Known Exploited Vulnerabilities catalog - confirmation that this is no longer a theoretical risk to production e-commerce platforms.

The flaw is a PHP object injection issue. Attackers can pass crafted serialized data into application code that deserializes it unsafely, invoking gadget classes within the application's codebase and libraries to achieve remote code execution under the web server's permissions. No authentication is required to trigger the vulnerable code path, which means automated scanning and exploitation at scale is straightforward for both opportunistic and targeted actors.

Once attackers gain that level of access, the consequences for e-commerce environments are severe. They can modify the Magento codebase, plant backdoors, inject malicious JavaScript into checkout pages to skim payment card details, siphon authentication cookies, redirect customers to counterfeit payment portals, create hidden administrative accounts, alter tax or discount rules to commit fraud, or repurpose the compromised server as infrastructure for malware hosting or phishing campaigns - all while keeping core store functionality seemingly intact.

For any Magento 2 store running the affected extension, patching alone is not sufficient. If the extension was exposed and unpatched during the active exploitation window, there is a meaningful chance attackers have already established persistent access mechanisms that will survive routine updates. A thorough compromise assessment must accompany remediation, particularly for stores handling high transaction volumes or operating in regulated sectors.

Organizations should upgrade the Mirasvit Full Page Cache Warmer to version 1.11.12 or later, scheduling emergency change windows if necessary to minimize exposure time. Administrators should also verify that file permissions, admin panel access controls, and environment configurations follow hardening best practices - limiting the blast radius of similar vulnerabilities in the future.

Reaper macOS Infostealer Abuses Script Editor to Steal Passwords and Crypto

A new macOS infostealer, dubbed Reaper, is targeting Apple users by abusing the built-in Script Editor to steal passwords, crypto assets, and sensitive documents while quietly installing a persistent backdoor. Researchers describe it as an advanced variant of the SHub malware family that specifically bypasses protections added in recent macOS Tahoe 26.4 security updates designed to stop similar threats.

Reaper's attack chain begins with fake download pages for popular apps like WeChat and Miro, hosted on a typosquatted domain closely resembling an official Microsoft address: mlcrosoft[.]co[.]com. When a victim lands on the page, hidden JavaScript fingerprints the device - checking IP, location, installed software, and security tools - and proceeds only if the user is outside Russia. The site then triggers macOS Script Editor via a special AppleScript-style link that preloads a malicious script, with the actual payload visually obscured by blank lines and ASCII art to prevent casual inspection.

If the victim clicks Run in Script Editor, they see what appears to be an official Apple security update prompt for XProtectRemediator. Behind the scenes, Reaper uses curl to download and execute additional components. A second prompt asks for the user's macOS login password, which the malware captures and uses to unlock Keychain items and stored browser credentials. At that point, attackers have the keys to the kingdom.

Reaper then pivots into broad data theft. It targets browser data from Chrome, Firefox, Edge, Brave, Opera, Vivaldi, Arc, and Orion, as well as password manager extensions including 1Password, Bitwarden, and LastPass, and crypto wallet extensions like MetaMask and Phantom. Desktop cryptocurrency wallets - Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite - are also targeted, and the malware can replace legitimate wallet applications with trojanized versions to intercept future transactions. Beyond financial data, it collects iCloud account information, Telegram session data, and developer configuration files that could enable further compromise.

Reaper also comes with robust file theft capabilities. It scans Desktop and Documents folders for office documents, configuration files, and wallet artifacts, focusing on items under 2 MB or image files up to roughly 150 MB. Larger archives are automatically split into 70 MB chunks before exfiltration, keeping network traffic less conspicuous while smuggling substantial data to a hard-coded gateway domain.

Defending against Reaper starts with breaking its social engineering path. Mac users should avoid downloading software from search ads, social media links, or third-party aggregators and stick to the official Mac App Store or known vendor sites. Any web link that unexpectedly launches Script Editor with prefilled content should be treated as hostile and closed immediately. Surprise password prompts during what appears to be a routine app install or security update should raise immediate suspicion. Organizations should monitor for unusual Script Editor activity, unexpected curl usage tied to user sessions, and suspicious launch agents or update-style folders that beacon on short intervals.

Cisco SD-WAN Under Fire from 0-Days and an Active Kill Chain

Cisco's SD-WAN stack is facing sustained pressure from multiple zero-day vulnerabilities that together form a powerful kill chain for advanced threat actors. CVE-2026-20182, a maximum-severity authentication bypass in the Catalyst SD-WAN Controller and Manager, allows a remote unauthenticated attacker to impersonate a trusted router on the control plane and log in as a high-privileged internal user. Once in, attackers have been observed pushing malicious configuration changes over NETCONF, adding rogue peers, and escalating to root - effectively seizing control of the entire SD-WAN fabric across branches, data centers, and cloud edges.

Cisco and Talos report that UAT-8616, the same actor behind earlier Cisco SD-WAN zero-days including CVE-2026-20127, began exploiting CVE-2026-20182 in targeted attacks in May 2026, with impact across on-premises, Cisco-hosted cloud, and FedRAMP deployments.

The newly disclosed CVE-2026-20245 deepens the problem. This high-severity command injection flaw in the Cisco Catalyst SD-WAN Manager CLI allows commands to be executed with root-level privileges once an attacker has netadmin access. That privilege requirement may sound limiting, but in practice it aligns precisely with how UAT-8616 operates: use CVE-2026-20182 to bypass authentication and gain high-privileged access, then use CVE-2026-20245 as the final step to run arbitrary commands as root and solidify persistence.

Cisco has not yet released a dedicated patch for CVE-2026-20245 and currently points customers to the software fix for CVE-2026-20182 as an interim measure. That closes one key entry point but does not eliminate the escalation risk. The kill chain remains partially open.

For defenders, this shifts Cisco SD-WAN from routine infrastructure to a strategic, high-value target that demands immediate attention. Organizations should urgently identify all Catalyst SD-WAN Controllers and Managers, upgrade to Cisco's fixed releases for CVE-2026-20182, and ensure management and control plane interfaces are isolated from the public internet behind strict firewalls and segmented management networks.

Security teams should also pull and centralize forensic data, reviewing logs for signs of abuse - unknown peers, unexpected NETCONF configuration pushes, new SSH keys, unusual logins, and suspicious use of scripts such as vconfd_script_upload_tenant_list.sh. Because some of these indicators can appear during legitimate operations, careful correlation with change windows and admin activity is essential.
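The correlation step described above, as an added example that is not Cisco or Talos tooling: events that can also occur during legitimate operations (NETCONF pushes, new peers, new SSH keys, the named script) are raised only when no approved change window and no known admin explains them. The event shape, the admin and peer lists, the change window and the sample records are all constructed for this example.

```javascript
// Added example, not Cisco or Talos tooling: correlate SD-WAN control-plane events
// with approved change windows and known admins, so indicators that can also occur
// legitimately are only raised when nothing explains them. The event shape and the
// sample records below are constructed for this example.
const KNOWN_ADMINS = new Set(["ops-alice", "ops-bob"]);
const KNOWN_PEERS = new Set(["10.10.1.1", "10.10.1.2"]);
const WATCHED_SCRIPTS = new Set(["vconfd_script_upload_tenant_list.sh"]); // named in the reporting
const CHANGE_WINDOWS = [
  { start: Date.parse("2026-06-02T22:00:00Z"), end: Date.parse("2026-06-03T02:00:00Z"), ticket: "CHG-1042" },
];

function inChangeWindow(ts, windows = CHANGE_WINDOWS) {
  return windows.find((w) => ts >= w.start && ts <= w.end) || null;
}

// Returns one finding per event that is not explained by a change window and a known admin.
function triageEvents(events) {
  const findings = [];
  for (const ev of events) {
    const ts = Date.parse(ev.ts);
    const reasons = [];
    if (!KNOWN_ADMINS.has(ev.user)) reasons.push(`actor ${ev.user} is not a known admin`);
    if (ev.kind === "netconf_push" && !inChangeWindow(ts)) reasons.push("NETCONF push outside change window");
    if (ev.kind === "peer_add" && !KNOWN_PEERS.has(ev.peer)) reasons.push(`unknown peer ${ev.peer}`);
    if (ev.kind === "ssh_key_add" && !inChangeWindow(ts)) reasons.push("SSH key added outside change window");
    if (ev.kind === "script_exec" && WATCHED_SCRIPTS.has(ev.script) && !inChangeWindow(ts))
      reasons.push(`${ev.script} run outside change window`);
    if (reasons.length) findings.push({ host: ev.host, ts: ev.ts, kind: ev.kind, reasons });
  }
  return findings;
}

// Constructed sample events: two inside the approved window by a known admin,
// three outside it by an account that is not on the admin list.
const SAMPLE_EVENTS = [
  { ts: "2026-06-02T23:10:00Z", host: "vmanage-1", user: "ops-alice", kind: "netconf_push", target: "branch-17" },
  { ts: "2026-06-02T23:12:00Z", host: "vmanage-1", user: "ops-alice", kind: "peer_add", peer: "10.10.1.2" },
  { ts: "2026-06-04T03:41:00Z", host: "vmanage-1", user: "internal-svc", kind: "netconf_push", target: "dc-core" },
  { ts: "2026-06-04T03:43:00Z", host: "vmanage-1", user: "internal-svc", kind: "peer_add", peer: "203.0.113.9" },
  { ts: "2026-06-04T03:44:00Z", host: "vmanage-1", user: "internal-svc", kind: "script_exec",
    script: "vconfd_script_upload_tenant_list.sh" },
];
```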

Given UAT-8616's history of long-term dwell time on Cisco edge devices, any hint of compromise should trigger a full incident response effort that treats SD-WAN as a potential pivot point into the broader enterprise network.

Proto6 Flaws in protobuf.js Expose Core Data and AI Systems

Cyera researchers have uncovered six vulnerabilities in protobuf.js, the widely used JavaScript implementation of Google's Protocol Buffers, showing how a schema layer that appears to be data-only can quietly turn into executable code with serious security consequences. Collectively dubbed Proto6, the flaws range from remote code execution to denial-of-service and prototype pollution, affecting core behaviors including schema parsing, option handling, generated constructors, and static code generation. Since protobuf.js underpins cloud services, microservices APIs, and AI data pipelines, the findings hit at the backbone of many modern systems.

The core insight from the research is that protobuf schemas are not always passive configurations. In protobuf.js, schema content can influence how objects are built and what code gets generated - meaning that fields like type names, option paths, or other metadata can cross from data into runtime behavior if not carefully validated.

The most critical issue, tracked as CVE-2026-41242, demonstrates that attacker-controlled type fields in protobuf definitions or JSON descriptors can be compiled into JavaScript and executed when messages are decoded, enabling remote code execution in Node.js applications that process untrusted schemas. Other flaws enable prototype pollution and denial-of-service attacks by abusing schema options or constructor logic to crash services or corrupt application state.

The library is downloaded tens of millions of times per week and is broadly used in projects that rely on Protocol Buffers through gRPC, Google Cloud, Firebase, and custom microservice frameworks. Any application that accepts, reflects, or dynamically loads protobuf schemas from external sources, multi-tenant inputs, or reflection services is at particular risk. A poisoned .proto file or JSON descriptor can become a vehicle for code injection - potentially reaching sensitive environment variables, databases, and internal services, with lateral movement possible once code execution is achieved.

The protobuf.js maintainers have released patches addressing the identified issues. Fixed versions are available in protobuf.js 7.5.5 and 8.0.1, which harden schema handling by sanitizing type names and tightening validation during code generation. Organizations should immediately inventory their Node.js and JavaScript services, identify where protobuf.js is in use, and upgrade any instances running versions 7.5.4 or earlier - or 8.0.0 - to the patched releases.

Beyond patching, restrict protobuf definitions to trusted origins only, validate or filter any schemas arriving from external users or tenants, and for high-risk workflows, process untrusted schemas in sandboxed or containerized environments with minimal privileges.
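One way to apply the "validate or filter any schemas arriving from external users" advice, as an added example that is not protobuf.js's own code or its fix: a pre-check over a JSON descriptor that rejects type strings which are not plain scalar or dotted type references (the data-to-code crossing described above) and keys that could collide with Object.prototype. It assumes the protobuf.js descriptor shape `{ nested: { Name: { fields | values | options | nested } } }`; the two sample descriptors are constructed.

```javascript
// Added example (not protobuf.js's own code): a pre-check run on a JSON descriptor
// before it reaches protobuf.js, assuming the { nested: { Name: {...} } } shape.
const IDENT = /^[A-Za-z_]\w*$/;                                  // one protobuf name
const TYPE_REF = /^\.?[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$/;            // scalar or dotted message ref
const OPTION_PATH = /^\(?[A-Za-z_][\w.]*\)?(\.[A-Za-z_]\w*)*$/;   // "deprecated", "(my.ext).sub"
const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Reject keys that could land on Object.prototype or that are not well-formed names.
function checkKey(key, pattern, where, errors) {
  if (POLLUTION_KEYS.has(key)) errors.push(`${where}: reserved key "${key}"`);
  else if (!pattern.test(key)) errors.push(`${where}: malformed name "${key}"`);
}
const checkOptions = (opts, where, errors) =>
  Object.keys(opts).forEach((k) => checkKey(k, OPTION_PATH, `${where}.options`, errors));

function checkFields(fields, where, errors) {
  for (const [fname, field] of Object.entries(fields)) {
    checkKey(fname, IDENT, `${where}.fields`, errors);
    // The type string is what reaches generated decoder code: allow only a type reference.
    if (typeof field.type !== "string" || !TYPE_REF.test(field.type))
      errors.push(`${where}.${fname}: unsafe type "${String(field.type)}"`);
    if (field.options) checkOptions(field.options, `${where}.${fname}`, errors);
  }
}

function checkNamespace(nested, where, errors) {
  for (const [name, node] of Object.entries(nested)) {
    checkKey(name, IDENT, where, errors);
    const here = `${where}.${name}`;
    if (node.fields) checkFields(node.fields, here, errors);
    if (node.values) Object.keys(node.values).forEach((v) => checkKey(v, IDENT, `${here}.values`, errors));
    if (node.options) checkOptions(node.options, here, errors);
    if (node.nested) checkNamespace(node.nested, here, errors);
  }
}

// Returns the findings; an empty list means the descriptor may be loaded.
function validateDescriptor(descriptor) {
  if (!descriptor || typeof descriptor.nested !== "object" || descriptor.nested === null)
    return ["root: missing nested namespace"];
  const errors = [];
  checkNamespace(descriptor.nested, "root", errors);
  return errors;
}

// Constructed samples: a clean schema, and a tenant-supplied JSON descriptor that
// smuggles code into a type name and an own "__proto__" key into options.
const SAFE = { nested: { demo: { nested: {
  Peer: { fields: { host: { type: "string", id: 1 } } },
  Ping: { fields: { seq: { type: "uint32", id: 1 }, from: { type: ".demo.Peer", id: 2 } } } } } } };
const HOSTILE = JSON.parse('{"nested":{"Evil":{"fields":{"f":{"type":"string;injected()","id":1}},' +
  '"options":{"__proto__":{"polluted":true}}}}}');
```

JSON.parse is used for the hostile sample deliberately: an object literal with a `__proto__` key would set the prototype instead of creating the own property that an untrusted JSON document actually produces.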

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert
