Weekly Threat Brief — Week Ending March 1, 2026

Published: March 2, 2026 | ByteVanguard

Overall Risk Posture — Elevated

Active exploitation of edge/network appliances continues, with emergency vendor directives still driving urgency. No new KEV additions or major alerts in the past 48 hours (as of March 2), but Cisco SD-WAN and RoundCube exploitation chains remain active threats.

🔴 Actively Exploited

  • Cisco Catalyst SD-WAN — CVE-2026-20127 & CVE-2022-20775
    Authentication bypass + path traversal.
    CISA Emergency Directive ED-26-03 mandates immediate inventory, patching, and threat hunting. Exploitation has been active since 2023. Federal remediation deadline was Feb 27 — treat as critical across all environments.
  • Soliton FileZen — CVE-2026-25108
    Authenticated OS command injection via crafted HTTP requests. Vendor confirms active exploitation and related incidents. Upgrade to v5.0.11+ immediately.
  • RoundCube Webmail — CVE-2025-49113 & CVE-2025-68461
    PHP deserialization RCE + XSS. Added to KEV Feb 20. Rapid weaponization observed. Upgrade exposed instances (≥1.6.12 / ≥1.5.12).

Trend: Edge appliances and legacy webmail remain dominant initial access vectors for ransomware and fast lateral movement.

🟠 Emerging Exploits to Watch

  • Chrome — CVE-2026-2441
    CSS use-after-free flaw patched mid-February, but confirmed early wild exploitation. Potential vector for targeted watering-hole campaigns.
  • Weaponization Velocity
    VulnCheck reports exploitation weaponized 16.5% faster YoY for same-year CVEs. AI-generated PoCs are proliferating, though many remain low-quality. Time-to-weaponization continues shrinking.
  • Credential-Focused Attacks Rising
    AiTM phishing, password spraying, and token replay attacks continue to outpace traditional code exploitation. Microsoft reports ~38M daily identity risk detections, reinforcing identity as the primary attack surface.

🟢 Patch & Mitigation Priorities

  1. Cisco SD-WAN (CVE-2026-20127 / CVE-2022-20775)
    Immediate patching and hunting required. Validate device exposure externally.
  2. RoundCube Webmail
    Upgrade or isolate exposed instances without delay.
  3. Soliton FileZen (CVE-2026-25108)
    Patch before March 17 vendor deadline. Audit logs for suspicious file operations.
  4. Microsoft February Updates
    Prioritize legacy authentication hardening; many current chains leverage outdated auth protocols.

📡 Notable Scanning Activity

  • Sustained probing of Cisco SD-WAN and perimeter devices post-KEV addition.
  • Continued targeting of exposed webmail endpoints.
  • Rising scanning for unmanaged AI/LLM instances (e.g., Ollama) for compute hijacking or abuse.

⚠️ Infrastructure Exposure Trends

  • Some ransomware crews shifting toward data extortion without encryption (e.g., SafePay variants).
  • Growing exposure of unmanaged AI endpoints vulnerable to prompt injection or code execution.
  • Cloud identity misconfigurations (Entra/Azure) and legacy services widening attack surface.

🎯 What Teams Should Prioritize This Week

  1. Hunt and patch latest KEV entries — Cisco SD-WAN remains highest urgency.
  2. Enforce phishing-resistant MFA (FIDO2 / WebAuthn) tenant-wide.
  3. Audit exposed services: legacy auth, file transfer appliances, AI endpoints.
  4. Hunt for anomalous authentication patterns, AiTM indicators, and password spray telemetry.
  5. Prepare for AI-accelerated exploitation cycles — test detection against rapid PoCs.

Weekly Pulse

Exploitation velocity remains elevated. Identity infrastructure continues under sustained pressure. No major new spikes in the past 48 hours, but exposure windows remain narrow heading into March.

Bottom line: Patch aggressively. Harden identity. Monitor telemetry continuously.

Intelligence over headlines. Signal over noise.

Intelligence

Latest Reports Critical Vulnerabilities Exploited in the Wild

Quick Links

Home Contact About the Project

Stay Connected

Follow @ByteVanguardSec
Report Intelligence
© 2026 ByteVanguard. Built for security professionals.