In this week’s Security Advisory

  • Cisco Patches Multiple Critical SD-WAN Vulnerabilities
  • Zyxel Patches Critical RCE Vulnerability
  • SolarWinds Releases Patch for Critical Serv-U Flaws
  • Broadcom Patches Multiple VMware Products
  • Malicious NPM Packages Harvesting Credentials
  • Grandstream Phone Vulnerability Allows Calls to be Intercepted

Cisco Patches Multiple Critical SD-WAN Vulnerabilities

Cisco has released patches for six vulnerabilities affecting Catalyst SD-WAN. The most severe, CVE-2026-20127 (CVSS 10/10), could allow an unauthenticated attacker to gain access to an affected system; by chaining it with the other vulnerabilities, the attacker could then escalate to root and take complete control of the system. Cisco has also released patches for nine further vulnerabilities across other products.

Affected Versions

A full list of affected products can be found here.

Recommendations

Apply the latest patches.

More Reading / Information

Zyxel Patches Critical RCE Vulnerability

Zyxel has released patches for seven vulnerabilities affecting more than a dozen of its router models. The most severe, CVE-2025-13942 (CVSS 9.8/10), is a command injection flaw that a remote, unauthenticated attacker can exploit. Successful exploitation requires both UPnP and WAN access to be enabled; WAN access is disabled by default, which limits exposure for devices left at factory settings. Two of the remaining vulnerabilities are rated high severity and the other four medium.

Affected Versions

  • A full list of affected products can be found here.

Recommendations

  • Apply the latest patches.

More Reading / Information

SolarWinds Releases Patch for Critical Serv-U Flaws

SolarWinds has released patches for four critical vulnerabilities affecting its Serv-U file transfer product. All four are privilege escalation flaws that lead to remote code execution and require existing access to exploit. The most severe, CVE-2025-40538 (CVSS 9.1/10), allows an authenticated attacker to gain root permissions on a vulnerable server. There is currently no indication that any of these vulnerabilities are being exploited in the wild.

Affected Versions

  • Serv-U versions prior to 15.5.4.

Recommendations

  • Upgrade to version 15.5.4.

More Reading / Information

Broadcom Patches Multiple VMware Products

Broadcom has released patches for three vulnerabilities, two rated high severity and one medium, in the VMware Aria Operations and VMware Cloud Foundation Operations components shipped across several of its products. The first high severity vulnerability, CVE-2026-22719 (CVSS 8.1/10), is a command injection flaw that an unauthenticated attacker could exploit to execute code remotely while a support assist migration is in progress. The second, CVE-2026-22720 (CVSS 8.0/10), is a cross-site scripting (XSS) vulnerability.

Affected Versions

A full list of affected versions can be found here.

Recommendations

Upgrade to the fixed versions of each product.

More Reading / Information

Malicious NPM Packages Harvesting Credentials

A new supply chain attack using malicious packages that pose as legitimate NPM packages is under way. The campaign, codenamed SANDWORM_MODE, resembles the recent “Shai-Hulud” campaigns: code embedded in the packages harvests access tokens, environment secrets, API keys and similar credentials. One component of the malware, an “MCPInject” module, is designed to target AI coding assistants. The packages below were published under two aliases, official334 and javaorg; confirm that none of them are in use in your environment.

Affected Packages

  • claud-code[@]0.2.1
  • cloude-code[@]0.2.1
  • cloude[@]0.3.0
  • crypto-locale[@]1.0.0
  • crypto-reader-info[@]1.0.0
  • detect-cache[@]1.0.0
  • format-defaults[@]1.0.0
  • hardhta[@]1.0.0
  • locale-loader-pro[@]1.0.0
  • naniod[@]1.0.0
  • node-native-bridge[@]1.0.0
  • opencraw[@]2026.2.17
  • parse-compat[@]1.0.0
  • rimarf[@]1.0.0
  • scan-store[@]1.0.0
  • secp256[@]1.0.0
  • suport-color[@]1.0.1
  • veim[@]2.46.2
  • yarsg[@]18.0.1

Recommendations

Users who have installed any of these packages should remove them immediately, rotate npm and GitHub tokens and CI secrets, and review package.json, lockfiles and .github/workflows/ for any unexpected changes. Check lockfiles as well as package.json, since a malicious package can arrive as a transitive dependency without ever being declared directly.
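The following Node script is an added example, not code from the advisory or from any of the packages it describes. It checks a package.json and its package-lock.json against the name@version indicators listed above, flags the same names at other versions (they come from the same publishers), and, going one step beyond the list, uses an edit-distance check to surface dependency names that are one or two characters away from a well-known package, which is the typosquatting pattern these names follow. The WELL_KNOWN list and the sample project are constructed for the example and are not from the advisory.

```javascript
// Added example (not from the advisory): scan a package.json plus its
// package-lock.json for the SANDWORM_MODE name@version pairs listed above,
// and flag other dependency names that sit one or two edits away from a
// well-known package, the typosquatting pattern these packages follow.

// Indicators copied from the "Affected Packages" list above (name -> version).
const MALICIOUS = new Map([
  ["claud-code", "0.2.1"], ["cloude-code", "0.2.1"], ["cloude", "0.3.0"],
  ["crypto-locale", "1.0.0"], ["crypto-reader-info", "1.0.0"],
  ["detect-cache", "1.0.0"], ["format-defaults", "1.0.0"], ["hardhta", "1.0.0"],
  ["locale-loader-pro", "1.0.0"], ["naniod", "1.0.0"], ["node-native-bridge", "1.0.0"],
  ["opencraw", "2026.2.17"], ["parse-compat", "1.0.0"], ["rimarf", "1.0.0"],
  ["scan-store", "1.0.0"], ["secp256", "1.0.0"], ["suport-color", "1.0.1"],
  ["veim", "2.46.2"], ["yarsg", "18.0.1"],
]);

// Assumed list of legitimate, widely used packages, used only for the
// lookalike check; extend it with whatever your own projects depend on.
const WELL_KNOWN = ["rimraf", "hardhat", "nanoid", "supports-color", "yargs",
  "secp256k1", "chalk", "lodash"];

// Levenshtein edit distance computed with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // D[i-1][j-1] for the cell about to be filled
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // D[i-1][j]
      row[j] = Math.min(above + 1, row[j - 1] + 1,
                        diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Yield every installed package from a lockfile, whether it uses the v2/v3
// "packages" map (keys are node_modules paths) or the v1 nested
// "dependencies" tree, so transitive installs are covered as well.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;                       // the root project entry
      const idx = path.lastIndexOf("node_modules/");
      const name = path.slice(idx + "node_modules/".length);  // keeps @scope/name intact
      yield { name, version: meta.version, where: path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      yield { name, version: meta.version, where: prefix + name };
      yield* walk(meta.dependencies, prefix + name + " > ");
    }
  }
  yield* walk(lock.dependencies, "");
}

function scan(pkgJson, lock) {
  const entries = [];
  const declared = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  for (const [name, version] of Object.entries(declared))
    entries.push({ name, version, where: "package.json" });
  entries.push(...installedPackages(lock));

  const findings = [];
  for (const { name, version, where } of entries) {
    const listed = MALICIOUS.get(name);
    if (listed !== undefined) {
      // An exact name@version hit is a confirmed indicator; the same name at
      // any other version still comes from the same publishers, so report it too.
      findings.push({ level: listed === version ? "malicious" : "suspect",
                      name, version, where, reason: `listed as ${name}@${listed}` });
      continue;
    }
    if (name.length < 5) continue;   // very short names collide with everything; skip the fuzzy check
    for (const legit of WELL_KNOWN) {
      const d = editDistance(name, legit);
      if (d > 0 && d <= 2)
        findings.push({ level: "lookalike", name, version, where,
                        reason: `${d} edit(s) from ${legit}` });
    }
  }
  return findings;
}

// Constructed sample input (not a real project): a lockfile v3 with two of
// the listed packages, a nested install of a third at an unlisted version,
// and a lookalike name that is not on the list.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "suport-color": "^1.0.1", lodash: "^4.17.21" },
  devDependencies: { rimarf: "1.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "suport-color": "^1.0.1", lodash: "^4.17.21" } },
    "node_modules/suport-color": { version: "1.0.1" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/rimarf": { version: "1.0.0" },
    "node_modules/rimarf/node_modules/naniod": { version: "1.0.2" },
    "node_modules/lodahs": { version: "4.17.21" },
  },
};

for (const f of scan(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK))
  console.log(`${f.level.padEnd(9)} ${f.name}@${f.version} (${f.where}): ${f.reason}`);
```

To run it against a real project, replace the two sample objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for package-lock.json. The lookalike check is a heuristic: treat its hits as prompts to verify the publisher and download history on npm, not as confirmed compromise, and tune WELL_KNOWN to the packages your codebase actually uses.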

More Reading / Information

Grandstream Phone Vulnerability Allows Calls to be Intercepted

A vulnerability in Grandstream GXP16XX IP phones, CVE-2026-2329 (CVSS 9.3/10), is a buffer overflow that a remote, unauthenticated attacker can exploit to execute code with root privileges on an affected device. Exploitation would allow an attacker to extract secrets from vulnerable phones and then intercept and eavesdrop on calls. The vulnerability is not easily exploitable; however, technical details have been published, which lowers the bar for an attacker to develop a working exploit.

Affected Versions

  • GXP16XX firmware 1.0.7.79 and earlier.

Recommendations

  • Upgrade firmware to 1.0.7.81 or later.

More Reading / Information

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is available when a new vulnerability is disclosed. Likewise, CyberMaxx strongly encourages maintaining an inventory of the software currently deployed in your environment, which helps ensure and inform your patch and vulnerability management program.
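As an added illustration of the inventory point (not code from the advisory or from any vendor), the script below checks a list of installed versions against the Serv-U and GXP16XX thresholds stated in the sections above. The one thing it is careful about is comparing version strings field by field as integers: a plain string comparison orders "15.10.0" before "15.5.4" and "1.0.7.9" after "1.0.7.81", which silently misclassifies hosts. It also separates "affected" (from the Affected Versions lists) from "fixed" (from the Recommendations), so a version that falls between the two is reported as unclear rather than assumed safe. The inventory hostnames and versions are constructed for the example.

```javascript
// Added example (not from the advisory): assess an inventory of installed
// versions against the "Affected Versions" and fixed-version thresholds for
// Serv-U and GXP16XX given above. Versions are compared field by field as
// integers; a plain string comparison gets "15.10.0" < "15.5.4" and
// "1.0.7.9" > "1.0.7.81" wrong.

function compareVersions(a, b) {
  const parse = (v) => v.split(".").map((f) => parseInt(f, 10) || 0);  // "4-hotfix" -> 4
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;   // missing trailing fields count as 0 (15.5 == 15.5.0)
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Thresholds as stated in the sections above. Matching on the product
// string is an assumption of this example; map it to however your
// inventory names products.
const RULES = [
  { product: "SolarWinds Serv-U", cve: "CVE-2025-40538",
    affected: (v) => compareVersions(v, "15.5.4") < 0, fixed: "15.5.4" },
  { product: "Grandstream GXP16XX", cve: "CVE-2026-2329",
    affected: (v) => compareVersions(v, "1.0.7.79") <= 0, fixed: "1.0.7.81" },
];

function assess(inventory) {
  return inventory.map(({ host, product, version }) => {
    const rule = RULES.find((r) => r.product === product);
    let status;
    if (!rule) status = "no rule";
    else if (rule.affected(version)) status = "vulnerable";
    else if (compareVersions(version, rule.fixed) >= 0) status = "patched";
    else status = "unclear";   // outside the affected range, but below the fixed version
    return { host, product, version, status, cve: rule ? rule.cve : null };
  });
}

// Constructed inventory (hostnames and versions are made up for the example).
const INVENTORY = [
  { host: "sftp-01", product: "SolarWinds Serv-U", version: "15.5.3" },
  { host: "sftp-02", product: "SolarWinds Serv-U", version: "15.5.4" },
  { host: "sftp-03", product: "SolarWinds Serv-U", version: "15.10.0" },
  { host: "phone-101", product: "Grandstream GXP16XX", version: "1.0.7.9" },
  { host: "phone-102", product: "Grandstream GXP16XX", version: "1.0.7.80" },
  { host: "phone-103", product: "Grandstream GXP16XX", version: "1.0.7.81" },
];

for (const r of assess(INVENTORY))
  console.log(`${r.host.padEnd(10)} ${r.product} ${r.version}: ${r.status}` +
              (r.cve ? ` (${r.cve})` : ""));
```

Hosts reported as "unclear" should be checked against the vendor advisory directly rather than assumed safe; the gap between the last affected build and the first fixed build is where an inventory script most often hides a vulnerable system.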