nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Products & Services

Cisco Unified Communications Zero-Day Actively Exploited: Immediate Action Recommended

Cisco has released an urgent security advisory to address a critical zero-day remote code execution (RCE) vulnerability, tracked as CVE-2026-20045, that is being actively exploited in the wild. The flaw impacts multiple Unified Communications and Webex Calling products, and successful exploitation enables unauthenticated attackers to execute arbitrary code and escalate privileges to root level on affected systems.

The vulnerability stems from improper validation of user-supplied input in HTTP requests sent to the web-based management interfaces of these systems. A crafted sequence of requests allows an attacker to gain user-level access and, in some cases, elevate privileges to full system control, bypassing authentication in certain configurations.

Affected products include Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Cisco Unity Connection, and Webex Calling Dedicated Instance, which are all widely deployed across enterprise, healthcare, government, and service provider environments.

CISA has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing that federal agencies must deploy patches by February 11, 2026, at the latest.

Why This Matters

Unified Communications platforms like Unified CM and Webex Calling are deeply trusted components of modern enterprise voice and collaboration infrastructure. They often expose management interfaces for remote administration and connectivity, which, when unpatched or exposed, become high-value targets:

  • Stealthy RCE: Attackers can inject arbitrary commands into the underlying OS without prior authentication.
  • Privilege Escalation: Once initial access is achieved, attackers can escalate to root, compromising the appliance completely.
  • Enterprise Exposure: These services are used in critical voice, contact center, and unified messaging deployments, amplifying the blast radius of compromise.

Active exploitation in the wild suggests threat actors are rapidly scanning for vulnerable interfaces and attempting unauthorized access prior to patch application, potentially with minimal detection.

Act Now

1. Patch Without Delay

Apply the version-specific updates for Unified Communications releases 12.5, 14, and 15 as outlined in Cisco’s advisory. Currently, there are no available workarounds that fully mitigate this issue, making patching the only effective solution.

2. Lock Down Management Interfaces

Restrict access to Unified Communications management interfaces to trusted networks and VPN segments only. If remote administration is required, consider just-in-time access controls to limit exposure.

3. Validate Device Hardening

Run a Firewall & Security Device Audit to confirm that Unified Communications appliances are not exposed to unnecessary networks and that default interfaces are disabled where possible.

4. Monitor for Suspicious Activity

Configure SIEM alerts to detect abnormal HTTP(S) management requests, unauthorized sessions, or suspicious privilege escalation patterns on UC infrastructure.

5. Integrate Into Incident Exercises

Use Incident Response tabletop exercises to simulate an exploitation scenario on UC platforms, including steps for core dump analysis, privilege reset actions, and identification of persistence mechanisms.

6. Review Identity Controls

Ensure that privileged access to UC management is protected with phishing-resistant MFA, strong password policies, and regular credential rotation.

Final Thoughts

CVE-2026-20045 serves as a critical reminder: unified communications systems are mission-critical, not just administrative afterthoughts. A zero-day exploited at this layer yields not just a single vulnerable service but a powerful foothold into an enterprise network.

Immediate patching, disciplined interface hardening, and continuous monitoring must be treated as non-negotiables, especially when threat actors are actively searching for exposed services.

Consider ongoing patch validation, vulnerability management, hardening audits, and incident readiness to ensure your UC infrastructure remains resilient against stealthy exploitation.

This Week in Cybersecurity: Microsoft & Google Shake Up Email Security

Office 365 Phishing Escalation: Spoofed Internal Emails

Attackers are bypassing traditional email filters by spoofing internal domains in Office 365 environments. These phishing emails appear to originate from within the organization, increasing the likelihood of user trust and interaction. The technique exploits misconfigured tenants that lack proper anti-spoofing protections such as DMARC, DKIM, and SPF. Once the message is delivered, users are more likely to click malicious links or provide credentials to spoofed login pages.

Security Recommendations: Organizations should enforce strict DMARC policies, audit SPF records, and transition to phishing-resistant MFA to reduce reliance on user judgment.

ClickFix / PHALT#BLYX Malware Campaign: Fake BSOD and Remote Access Trojan

A sophisticated phishing campaign is targeting European hospitality businesses by impersonating hotel booking platforms and luring users into interacting with emails that lead to a fake Blue Screen of Death (BSOD). Victims are prompted to enter code into Windows, which results in the deployment of DCRat, a full-featured remote access trojan. This attack leverages trusted Windows components such as MSBuild and PowerShell to evade antivirus and EDR controls.

Security Recommendations:

Microsoft 365 Admin Center to Enforce MFA
Beginning February 9, 2026, Microsoft will require all users accessing the Microsoft 365 Admin Center to authenticate using multi-factor authentication. This policy change aligns with ongoing efforts to secure administrative access and prevent compromise of high-value accounts.

Security Recommendations: Organizations should proactively enable MFA for all privileged accounts and test access workflows now to avoid business disruption.

Google Ending POP3 Support in Gmail
Google will discontinue support for the POP3 protocol in Gmail beginning in 2026. This will prevent Gmail from retrieving mail from third-party inboxes using POP3 and end support for Gmailify. While this is primarily an operational shift, POP3 is also a legacy protocol with limited encryption and security features.

Security Recommendations: Organizations still relying on POP3 should begin migration planning to IMAP or API-based access to maintain continuity and security.

Summary Takeaways

Legacy email protocols are being phased out, requiring attention to business continuity and security posture.

Phishing remains the dominant threat vector, with attackers leveraging both technical misconfigurations and social engineering.

MFA and identity controls are tightening across platforms, and enforcement is increasing.

TWiC: Chrome Zero-Day, Microsoft Exploit Activity, Fortinet SSO Weaknesses, and React2Shell Malware

This week’s TWiC highlights several high impact security events that organizations should review and prioritize. Google patched a Chrome zero day already exploited in the wild. Microsoft released updates addressing an actively exploited Windows privilege escalation flaw along with two additional zero-day vulnerabilities. Fortinet disclosed critical authentication bypass issues affecting multiple appliance families when FortiCloud SSO is enabled. Finally, exploitation of the React2Shell vulnerability continues to accelerate, with threat actors deploying the advanced EtherRAT malware implant. The sections below outline the risks and recommended actions for each issue.

Google Chrome Zero Day Actively Exploited
Google released a security update for Chrome that includes a fix for a high severity flaw tracked as bug ID 466192044. The issue is already exploited in the wild. Google has not yet assigned a CVE or published technical details, but a linked Chromium commit points to a buffer handling flaw in the ANGLE Metal renderer that could lead to memory corruption or code execution. All major Chromium based browsers will need to apply updates as patches become available.

Risks Identified

  • Ongoing exploitation targeting Chrome users
  • Potential for remote code execution and sandbox escape
  • Likely use in targeted campaigns
  • Delay in patch availability for non-Google Chromium browsers

Security Recommendations

  • Update Chrome to version 143.0.7499.109 or higher
  • Monitor availability of updates for other Chromium based browsers like Edge, Brave, Opera, and Vivaldi
  • Managed SIEM to detect abnormal Chrome child processes or exploitation patterns
  • Remove unnecessary browser extensions and enforce least privilege
  • Enable automatic browser updates in managed environments

Microsoft Patch Tuesday: Active Exploitation and Two Additional Zero Days
Microsoft released fixes for 56 vulnerabilities, including CVE-2025-62221, a privilege escalation flaw that is already exploited in the wild. The weakness exists in the Windows Cloud Files Mini Filter Driver, which is present even if cloud storage applications are not installed. Two additional issues, CVE-2025-54100 in PowerShell and CVE-2025-64671 in GitHub Copilot for JetBrains, have publicly available proof of concept code. Many of the patched vulnerabilities continue the trend of post compromise privilege escalation opportunities.

Risks Identified

  • Active exploitation of CVE-2025-62221 for SYSTEM level access
  • Broad exposure due to the minifilter driver being widely deployed
  • High potential for exploit chaining with initial access methods like phishing
  • PowerShell command injection enabling remote execution

Security Recommendations

  • Apply all December 2025 patches, prioritizing CVE-2025-62221
  • Update IDE environments that use GitHub Copilot or JetBrains tools
  • Review PowerShell usage and enable constrained language mode where possible
  • Internal penetration testing with a focus on privilege escalation paths
  • Managed SIEM to monitor PowerShell activity, driver anomalies, and exploit behavior
  • Review PowerShell usage and enable constrained language mode where possible
  • Microsoft 365 and Windows security configuration assessments
  • Rotate credentials if PowerShell exploitation is suspected

Fortinet FortiCloud SSO Authentication Bypass
Fortinet disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled. The flaws stem from improper SAML signature verification, allowing forged SAML messages to bypass authentication and grant full administrative access. FortiCloud SSO is enabled automatically when devices are registered with FortiCare unless administrators disable it.

Risks Identified

  • Full administrative access without credentials
  • Exposure across multiple product lines that often serve as perimeter security
  • Potential for misuse by ransomware and nation state operators
  • Elevated lateral movement risk once administrative access is obtained

Security Recommendations

  • Disable FortiCloud SSO until patched
  • Apply Fortinet firmware updates to the fixed versions
  • Firewall and appliance configuration assessments
  • External penetration testing with a focus on discovering management interfaces
  • Restrict administrative interfaces to trusted networks
  • Review SAML related logs for irregularities
  • Continuous vulnerability scanning to monitor Fortinet patch status
  • Validate device registration workflows and remove unused FortiCare associations

React2Shell Exploitation and EtherRAT Malware Deployment
Exploitation of the critical React2Shell vulnerability (CVE-2025-55182) continues to expand. Multiple threat groups, including North Korea linked actors, have leveraged the flaw to deploy a new malware family named EtherRAT. The implant uses Ethereum smart contracts for command and control, including five persistence layers on Linux hosts, and deploys its own Node.js runtime. The activity aligns with earlier Contagious Interview campaigns targeting developers through fake job opportunities.

nGuard recently published a detailed advisory on React2Shell.

Risks Identified

  • Rapid adoption of the vulnerability by state aligned actors
  • Remote code execution leading to credential theft, cryptomining, or long-term access
  • Distributed blockchain based C2 that is resistant to takedown
  • Strong persistence designed to survive reboots and forensic cleanup
  • Exposure for organizations running React Server Components or Next.js
  • Risk of spreading within developer environments

Security Recommendations

  • Refer to nGuard’s prior coverage on this to see a full breakdown of security recommendations
  • Application penetration testing for Node.js, React, and Next.js environments

Wrap
This week’s activity underscores the need for timely patching, careful review of authentication exposures, and close monitoring of systems that rely on widely deployed frameworks or cloud integrated components. Organizations should validate that updates have been applied, confirm SSO and administrative access paths are securely configured, and review logging and detection coverage for signs of exploitation. Continued attention to browser, operating system, appliance, and application layer vulnerabilities remains essential as threat actors rapidly adopt new exploit paths.

This Week in Cybersecurity (TWiC): React2Shell – Breaking Down CVE-2025-55182

Headline: React2Shell (CVE-2025-55182) – Critical RCE in React Server Components
A critical React vulnerability, CVE-2025-55182 (often called React2Shell), is the story of the week. React is one of the most common frameworks used to build modern websites and web applications. Even if your organization doesn’t write custom apps, many vendor tools and SaaS platforms use it under the hood. It’s rated CVSS 10.0, is on CISA’s Known Exploited Vulnerabilities (KEV) list, and is already being used in real attacks.

What’s affected
The issue is in React Server Components (RSC) and the related packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Impacted versions include React 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
Patched versions are 19.0.1, 19.1.2, 19.2.1 and later.
Popular frameworks that rely on RSC, such as Next.js and other RSC-enabled stacks, are affected when they bundle these packages.

Why it’s so serious
At a high level, the vulnerability is a deserialization of untrusted data in the protocol that connects the browser to React Server Components. The result:

  • Pre-auth remote code execution: An attacker can send a crafted HTTP request to a vulnerable RSC endpoint and run arbitrary code on the server, without logging in.
  • High reliability: Researchers report exploit chains that are extremely reliable in real-world testing.
  • Active exploitation: CISA’s KEV inclusion and reporting from major cloud providers confirm this is being used in the wild, including by state-linked threat actors.

Even if your developers don’t think they’re “using RSC much,” your app can still be vulnerable if the framework has RSC enabled by default or includes the react-server-dom-* packages.

What You Should Do About React2Shell
1. Quickly identify where you’re exposed
Inventory is step one:

  • Look for any apps using React 19.x with RSC enabled.
  • Include Internet-facing sites, internal admin portals, container images, and serverless functions.
  • Use software composition analysis (SCA), SBOMs, and regular vulnerability scanning so you’re not doing this by hand every time a library CVE drops.

2. Patch aggressively

  • Upgrade React and RSC packages to 19.0.1 / 19.1.2 / 19.2.1 or newer everywhere.
  • Follow your framework’s advisory (Next.js, etc.) so the bundled RSC components are updated, not just your direct React dependency.
  • Rebuild and redeploy images and services after updating libraries.

3. Assume compromise where risk is highest
If any high-value app was:

  • Internet-facing,
  • Running a vulnerable version, and
  • Left unpatched for several days after public disclosure
  • Preserve and review logs before wiping anything.
  • Hunt for suspicious commands and unusual outbound connections from the app servers.
  • Use a structured incident response process, this is where having an IR retainer and having run prior tabletop exercises pays off.

4. Add short-term hardening
Patching is the real fix, but you can reduce blast radius by:

  • Deploying or tuning a WAF in front of affected apps, focusing on odd POSTs to RSC/server-action endpoints.
  • Putting sensitive admin and internal tools behind strong authentication, MFA, and network segmentation.
  • Tightening egress filtering from app hosts so a successful exploit can’t easily pivot or exfiltrate data.

5. Learn the bigger lessons
React2Shell is another reminder that:

  • Modern frameworks need focused web app/API security testing, not just generic port scans.
  • Third-party libraries are part of your attack surface and should be governed via a clear software supply chain process.
  • 24×7 log monitoring and threat hunting catch exploitation attempts much faster than ad-hoc log searches when “things look weird.”

Smishing 2.0: Points, Taxes, and Fake Retailers

Brian Krebs reports that major smishing operations, largely run from China, are evolving from “missed packages” and toll scams into fake loyalty points and tax refund lures:

  • SMS messages dangle bonus points, unclaimed refunds, or limited-time retailer offers.
  • Links lead to professional-looking fake e-commerce sites.
  • At checkout, attackers steal card data and often trick victims into providing one-time passcodes that are then used to enroll the card into Apple Pay or Google Pay on the attacker’s device.

How organizations can respond

  • Clarify OTP messages (e.g., “You are adding card XXXX to Apple Pay”) so customers recognize misuse.
  • Use risk-based controls and additional checks for new mobile wallet enrollments.
  • Monitor for brand impersonation domains and coordinate fast takedowns.
  • Run phishing/smishing simulations using realistic lures (points, refunds, fake retailers) to train staff and, where appropriate, customer-facing teams.

Social engineering testing, fraud process reviews, and awareness programs help close the gap between strong technical controls and human decision-making.

AI in OT: New Guidance for Critical Infrastructure
A group of global cyber agencies (including CISA, NSA, and several international partners) released joint guidance on using AI in operational technology (OT) environments such as energy, water, and manufacturing.
Key ideas:

  • Don’t bolt AI onto OT blindly. Confirm it actually improves safety, reliability, or detection compared to traditional automation.
  • Treat AI as an OT asset. Include models, data pipelines, and AI-enabled devices in asset inventories and risk assessments.
  • Keep humans in the loop. Maintain manual fallback modes and clear operational procedures if AI outputs look wrong or are unavailable.
  • Test and govern AI like any other critical control. That includes security reviews, change management, and ongoing performance monitoring.

For critical infrastructure operators, this means folding AI into existing OT security assessments, network segmentation projects, and incident response exercises, rather than treating it as a separate world.

Amazon Confirms Zero-Days Exploited in Cisco and Citrix Systems

What Happened

Recent Amazon threat intelligence confirms that at least two critical zero-day vulnerabilities have been actively exploited in products from Cisco and Citrix. Specifically:

  • CVE‑2025‑20337: This critical Cisco Identity Services Engine (ISE) zero-day is being exploited to achieve pre-authentication remote code execution, giving attackers root-level access without credentials. Beyond Amazon, several other outlets have confirmed active exploitation in the wild.
  • CVE‑2025‑5777: Citrix’s memory-overread vulnerability, widely referred to as “CitrixBleed 2”, is being used in real-world attacks against NetScaler ADC and Gateway devices. nGuard covered this back in July when it was first discovered that threat actors were exploiting this flaw before patches were available, mirroring the original CitrixBleed pattern.
  • Intelligence from Amazon Web Services and other observers indicates these exploits were used by an advanced persistent threat (APT) actor with custom tooling and significant capabilities.
  • The campaign underscores a classic patch-gap exploitation scenario where adversaries weaponize vulnerabilities before full remediations are deployed.

Why It Matters

Infrastructure such as enterprise identity platforms (Cisco ISE) and remote-access gateways (Citrix NetScaler) sits at the core of network trust. When these are compromised:

  • Attackers can bypass authentication, escalate privileges, and deploy stealthy web shells specially crafted for these appliances.
  • Custom malware operating in-memory, using sophisticated evasion (Java reflection, DES encryption, tailored HTTP headers) has been documented.
  • Because these systems control access to networks, compromise of them can serve as a “gateway” into broader enterprise infrastructure, affecting both SMBs and large enterprises.

What You Should Do (Now)

  1. Patch Immediately: Apply the latest firmware or software updates from Cisco and Citrix. If updates are not yet feasible, isolate or restrict public-access interfaces on affected devices.
  2. Validate Controls & Hardening: Conduct Firewall & Security Device Audits to confirm devices are configured securely, management interfaces are locked down, and edge-perimeter segmentation is enforced.
  3. Monitor & Detect: Deploy anomaly detection and behavior-based monitoring. With Managed SIEM, you can surface unusual patterns, unauthorized sessions, or payload-injection attempts.
  4. Build Incident Readiness: Use Incident Response tabletop exercises to walk teams through core dump analysis, firmware integrity checks, credential resets, and containment decisions before a real compromise occurs.
  5. Review Identity & Access Controls: Ensure least-privilege access, MFA everywhere, and rotate credentials on legacy or exposed appliances. Pair with Risk Assessments which align your security posture with NIST, CIS and other trusted frameworks.

Takeaway

These zero-day exploits are not just isolated software defects, as they expose a harsh reality: identity and network-access infrastructure are high-value targets. A vulnerability in an appliance trusted to enforce access controls can become the ticket into your enterprise.

Securing those gateways must be a priority. Deploy patching fast, enforce hardening, monitor edge-devices continuously and lean on experts when gaps or resource constraints exist.

This Week in Cybersecurity (TWiC): Source Code Thefts, Massive Credential Dumps & Emergency Patches

The past 2 weeks in cybersecurity delivered a series of critical developments that highlight persistent weaknesses across the software supply chain, identity management, and core infrastructure. From the continued fallout of a high-profile breach at F5 to conflicting reports about a massive Gmail password leak, security professionals are being tested across multiple fronts. Add to that a critical Windows server vulnerability prompting an emergency patch, and the picture becomes clear: attackers are exploiting cracks wherever they appear, be it in vendor ecosystems, identity systems, or update infrastructure. Here’s a quick rundown of what you need to know.

F5 Breach Deepens: Source Code and Undisclosed Vulnerabilities Exposed

In a follow-up to our earlier advisory on the F5 breach, new revelations confirm the situation is worse than initially understood. A sophisticated, likely nation-state threat actor infiltrated F5’s internal systems, stealing portions of the BIG-IP source code and accessing data on yet-to-be-disclosed vulnerabilities. F5 has stated that its build systems were not modified, but the theft of proprietary code and vulnerability research significantly raises the threat level for organizations relying on their products.

Given the exposure of over 266,000 BIG-IP instances to the internet, this development underscores the critical need for proactive patch management, device segmentation, and hardening of public-facing infrastructure. Ongoing threat-hunting efforts and vendor risk monitoring are essential here, especially as attackers may now have an edge in weaponizing these vulnerabilities.

Gmail Credentials in Massive 183 Million Account Leak — But Google Pushes Back

Reports emerged this week of a staggering 183 million compromised credentials hitting the dark web, with millions tied to Gmail accounts. According to researchers, the data likely comes from infostealer malware logs and reused credentials, not a direct breach of Google itself.

Google has strongly denied any compromise of its systems, attributing the leak to poor credential hygiene and third-party breaches. Regardless of the source, this incident reinforces the need for strong identity controls: unique passwords, multi-factor authentication, and regular credential exposure checks are now baseline expectations. Organizations should prioritize continuous identity monitoring and enforce secure credential policies to defend against the inevitable credential-stuffing attempts that follow such leaks.

Microsoft Pushes Emergency Patch for Critical WSUS Flaw

Microsoft issued an out-of-band patch for a critical remote code execution vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The original patch released during October’s Patch Tuesday was found to be incomplete, prompting this emergency update.

This vulnerability poses serious risks to organizations relying on WSUS for patch management, especially if default ports are exposed externally. Beyond just applying the patch, this incident is a reminder that attackers are targeting administrative infrastructure as much as user endpoints. Security teams should ensure that internal update mechanisms are locked down and monitored, as compromise of these systems can rapidly propagate malware or unauthorized updates across entire environments.

Wrap-Up

This week’s cybersecurity news highlights a sobering reality: no part of the modern IT stack is off-limits. Whether it’s vendor platforms like BIG-IP, user credentials floating on the dark web, or core infrastructure like WSUS, attackers are looking for any way in. It’s a critical time for organizations to re-evaluate their exposure across supply chains, authentication practices, and system update mechanisms. Proactive assessmentscontinuous monitoring, and incident response readiness are not just best practices, they’re survival strategies.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later