North America
Cisco
Cisco has warned users about two vulnerabilities in Catalyst SD-WAN Manager (formerly known as SD-WAN vManage) that are currently under active exploitation in the wild.
The vulnerabilities disclosed are:
- CVE-2026-20122 (CVSS score: 7.1) – An arbitrary file overwrite vulnerability that could allow an authenticated remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires valid read-only credentials with API access on the affected system.
- CVE-2026-20128 (CVSS score: 5.5) – An information disclosure vulnerability that could allow an authenticated local attacker to gain Data Collection Agent (DCA) user privileges on the affected system. Successful exploitation requires valid vManage credentials.
The company did not provide details about the scale of the attacks or the threat actors involved. The disclosure comes a week after Cisco reported that a critical vulnerability in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, tracked as CVE-2026-20127 with a CVSS score of 10.0, was exploited by a sophisticated threat actor known as UAT-8616 to establish persistent access to high-value organizations.
How it could affect your business
Since these vulnerabilities are already being actively exploited, users should update to a fixed software release as soon as possible. Organizations should also restrict access from unsecured networks, place appliances behind a firewall, disable HTTP access for the Catalyst SD-WAN Manager administrator portal and turn off services such as HTTP and FTP when not required. Changing default administrator passwords and closely monitoring system logs for unexpected inbound or outbound traffic can also help detect suspicious activity early.
United States
Tennessee Valley Electric Cooperative (TVEC)
Cybercriminals continue to target critical infrastructure, with the ransomware group Qilin claiming it breached Tennessee Valley Electric Cooperative (TVEC), a U.S. electric cooperative.
Based in Savannah, Tennessee, TVEC provides electric service to customers in Wayne and Hardin counties in West Tennessee. The cooperative has not publicly addressed the ransomware gang’s claims. However, based on the group’s previous attacks, the stolen data could include employee information, customer records or internal organizational documents.
Last year, the group targeted other U.S. electric cooperatives, including Karnes Electric Cooperative and San Bernard Electric Cooperative.
How it could affect your business
Critical infrastructure organizations are increasingly being targeted by cybercriminals and nation-state actors seeking to disrupt essential services or steal sensitive operational data. To strengthen defenses, organizations should segment critical networks, deploy continuous monitoring for suspicious activity and regularly test their backup and disaster recovery plans to maintain operational resilience.
North America
Wikimedia Foundation
The Wikimedia Foundation, the non-profit organization that hosts Wikipedia, experienced a significant security incident on March 5 involving a self-propagating JavaScript worm.
The issue came to light after users noticed a surge of automated edits that inserted hidden scripts and vandalized random pages. The worm modified user scripts and defaced Meta-Wiki pages. According to Wikimedia’s Phabricator issue tracker, the attack appears to have begun when a malicious script hosted on Russian Wikipedia was executed, injecting malicious code into a global JavaScript script on Wikipedia.
The malicious script, first uploaded in March 2024, is reportedly linked to scripts used in previous attacks targeting wiki projects.
How it could affect your business
Self-propagating JavaScript worms are particularly dangerous because they exploit trust in open-source code and can spread automatically across developer environments. Organizations should tightly control third-party dependencies, enforce package integrity checks and monitor repositories for unusual changes to stop malicious code from spreading through the software supply chain.
United States
AkzoNobel
The Dutch paint manufacturing giant AkzoNobel confirmed that hackers breached the network of one of its U.S. sites following a data leak from the Anubis ransomware gang.
AkzoNobel is a major paints and coatings company with well-known brands such as Dulux, Sikkens, International and Interpon under its corporate umbrella. The Anubis ransomware group claims to have stolen 170 GB of data from the company. Samples posted on its leak site reportedly include confidential agreements with high-profile clients, email addresses, phone numbers, private email correspondence, passport scans, material testing documents and internal technical specification sheets.
Meanwhile, the company stated that the impact appears limited and that it is taking appropriate steps to notify and support potentially affected parties.
How it could affect your business
Ransomware groups like Anubis operate under a ransomware-as-a-service (RaaS) model, lowering the bar for cybercrime and making it easier for even less-technical criminals to launch sophisticated attacks. To combat this growing ransomware threat landscape, organizations should implement proactive threat monitoring, maintain encrypted, regularly tested backups, and ensure systems can be restored quickly without relying on ransom payments.
United States
LexisNexis Legal & Professional
Data analytics giant LexisNexis confirmed that its Legal & Professional division experienced a cybersecurity incident after the Fulcrumsec cybercrime group claimed responsibility for breaching the company.
On March 3, the cybercrime group claimed it stole 2 GB of data from LexisNexis Legal & Professional, including enterprise account data, employee credentials, software development secrets and personal information belonging to 400,000 individuals. The following day, March 4, the company confirmed the incident and said it had contained the breach, adding that neither its products nor services were compromised. According to the firm, only a limited number of servers were accessed, and the data stored on them mostly consisted of legacy and deprecated information from before 2020.
The attackers reportedly exfiltrated the files from a LexisNexis AWS instance by exploiting an unpatched React2Shell vulnerability.
How it could affect your business
This incident highlights the importance of proactive patch management, as unpatched vulnerabilities remain a common entry point for attackers. Organizations should automate routine patching, prioritize risk-based updates for critical systems and use intelligent automation tools to identify and remediate high-risk vulnerabilities before they can be exploited.


