🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• CVE-2026-20133 - CISA KEV 🔍 Show Kagi Synopsis
  **CVE-2026-20133** is an information disclosure vulnerability affecting **Cisco Catalyst SD-WAN Manager** . The vulnerability stems from **insufficient file system access restrictions** .
  
  **What the vulnerability allows attackers to do:**
  An unauthenticated, remote attacker can exploit this vulnerability by accessing the system's API to **read sensitive information from the underlying operating system** . This can lead to the exposure of confidential or privileged data .
  
  **Exploitation against internet-facing applications (MITRE ATT&CK T1190):**
  While the specific details of exploitation against internet-facing applications are not extensively detailed, the nature of the vulnerability (API access) suggests that any internet-facing Cisco Catalyst SD-WAN Manager instances could be targeted. The vulnerability allows attackers to gain unauthorized access to sensitive information, which is a common precursor to further malicious activities.
  
  **Known threat actors or campaigns:**
  **Cisco has confirmed that CVE-2026-20133 is being actively exploited in the wild** . While specific threat actors are not definitively named in relation to this CVE, a threat actor tracked as **UAT-8616** has been observed exploiting Cisco SD-WAN vulnerabilities since 2023 .
  
  **Affected versions:**
  **Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected** by this vulnerability . Earlier versions are considered vulnerable.
  
  **Immediate actions for defenders:**
  1. **Apply software updates:** Cisco has released software updates to address this vulnerability. It is crucial to **upgrade to a fixed release as soon as possible** .
  2. **Monitor for exploitation:** Network defenders should monitor their systems for any signs of suspicious API access or unusual data exfiltration attempts.
  3. **Review CISA's Known Exploited Vulnerabilities (KEV) Catalog:** Organizations should consult the CISA KEV catalog for the most up-to-date information on actively exploited vulnerabilities and prioritize remediation efforts accordingly .
• CVE-2026-20122 - CISA KEV 🔍 Show Kagi Synopsis
  **CVE-2026-20122** is a vulnerability affecting **Cisco Catalyst SD-WAN Manager** (formerly SD-WAN vManage) .
  
  **Vulnerability Details:**
  The vulnerability stems from **improper file handling on the API interface** of the affected system . This allows an attacker to **upload a malicious file** to the local file system . A successful exploit could lead to **arbitrary file overwrites** on the affected system and potentially **gain vManage user privileges** . Other related vulnerabilities in Cisco Catalyst SD-WAN Manager could allow attackers to access the system, elevate privileges to root, and gain access to sensitive information .
  
  **Exploitation and Threat Actors:**
  This vulnerability is being actively exploited against internet-facing applications, aligning with the MITRE ATT&CK technique **T1190: Exploit Public-Facing Application** . The active exploitation makes patching this vulnerability critically time-sensitive, and organizations should treat it as an emergency patching activity . While specific threat actors or campaigns are not detailed in the provided information, the CISA Known Exploited Vulnerabilities (KEV) Catalog is a resource for monitoring such activities .
  
  **Affected Versions:**
  The provided information indicates that Cisco Catalyst SD-WAN Manager is affected, but specific version numbers are not detailed in the research. Cisco has released software updates to address these vulnerabilities .
  
  **Immediate Defense Actions:**
  Defenders should **immediately apply software updates** released by Cisco for Cisco Catalyst SD-WAN Manager . Given the active exploitation, this should be treated as an emergency patching activity . Organizations should also consult the CISA Known Exploited Vulnerabilities (KEV) Catalog for further insights into actively exploited threats .
• Cyber investigation department of the Gyeonggi Southern Police Agency said on the 15th that it arrested a 35-year-old Kazakh man suspected of violating the Information and Communication Network Act - The content posted at the URL is controlled by **Maeil Business Newspaper (MK)**. 🔍 Show Kagi Synopsis
  A ransomware organization, led by a 35-year-old Kazakh national identified as Mr. A, has been apprehended in Kazakhstan following an investigation by South Korean police. This operation marks the first instance of South Korean police directly arresting suspects in collaboration with Kazakh investigative agencies 【1】.
  
  **What Happened:**
  From 2022 until July of the previous year, Mr. A's organization infiltrated the servers of six domestic companies, including hospitals and apartment management offices. They encrypted internal data and demanded Bitcoin in exchange for decryption keys. While none of the targeted Korean companies paid the ransom, they experienced temporary server paralysis due to the attacks 【1】.
  
  **Who is Affected:**
  The primary victims were **domestic companies in South Korea**, specifically **hospitals** and **apartment management offices**, whose servers were targeted. The organization also targeted servers in various other countries 【1】.
  
  **Security Implications:**
  This incident highlights the vulnerability of companies that fail to implement basic security measures. The attackers exploited weaknesses such as **unchanged default IDs and passwords**, and the use of **simple password strings** for server credentials 【1】. The attacks resulted in **temporary server paralysis** for the affected Korean companies, disrupting their operations.
  
  **Technical Details:**
  The organization gained unauthorized access by **randomly substituting frequently used account information** to guess credentials. Once they seized system authority, they proceeded to encrypt the internal data of the targeted companies 【1】.
  
  **What Defenders Should Know:**
  To defend against such ransomware attacks, officials recommend several key security practices:
  - **Change default manager account information** on servers 【1】.
  - **Regularly update passwords** 【1】.
  - Implement **multi-level authentication** 【1】.
  - **Control access** to systems and **monitor account usage history** 【1】.
  The police also plan to share information on ransomware decryption technology with organizations like the Korea Internet & Security Agency (KISA) to help prevent future damage 【1】.
• Vercel April 2026 security incident | Vercel Knowledge Base - Vercel 🔍 Show Kagi Synopsis
  On April 21, 2026, Vercel detected a **security incident involving unauthorized access to certain internal systems** 【1】. The company has engaged incident response experts and law enforcement to investigate and remediate the situation 【1】.
  
  **What Happened:**
  The incident originated from a compromise of **Context.ai**, a third-party AI tool used by a Vercel employee. Attackers exploited this to gain control of the employee's Google Workspace account, which subsequently led to unauthorized access to Vercel's internal systems 【1】.
  
  **Who is Affected:**
  A **limited subset of Vercel customers** had their **non-sensitive environment variables** (those stored as plaintext) compromised 【1】. Vercel has directly contacted these affected customers and advised them to rotate their credentials immediately 【1】.
  
  **Security Implications:**
  The primary security implication is the exposure of **non-sensitive environment variables** 【1】. There is **no evidence that "sensitive" environment variables were accessed** 【1】. The attacker is assessed as highly sophisticated 【1】. This incident may be part of a broader compromise affecting a third-party AI tool's Google Workspace OAuth app, potentially impacting numerous organizations 【1】.
  
  **Technical Details:**
  The attack vector involved the compromise of a Google Workspace OAuth app associated with the third-party AI tool, Context.ai 【1】. This allowed attackers to access the employee's Google Workspace account and subsequently Vercel's internal systems, leading to the exposure of plaintext environment variables 【1】. The specific OAuth app ID is `110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com` 【1】.
  
  **What Defenders Should Know:**
  Defenders are advised to take the following actions:
  - **Enable multi-factor authentication (MFA)** for all accounts 【1】.
  - **Review and rotate all non-sensitive environment variables**, treating them as potentially exposed 【1】.
  - Utilize Vercel's **"sensitive" environment variable feature** for critical information 【1】.
  - **Review account activity logs** for any suspicious activity 【1】.
  - **Investigate recent deployments** for any signs of compromise 【1】.
  - **Rotate Deployment Protection tokens** 【1】.
• The Dangers of Reusing Protobuf Definitions: Critical Code Execution in protobuf.js (GHSA-xq3m-2v4x-88gg) - Endor Labs 🔍 Show Kagi Synopsis
  A critical remote code execution (RCE) vulnerability, identified as **GHSA-xq3m-2v4x-88gg**, has been discovered in **protobuf.js**, a widely used JavaScript runtime for Protocol Buffers 【1】. This vulnerability has a critical severity score of **9.4 (CVSS)** and affects versions **protobufjs ≤ 8.0.0 and ≤ 7.5.4** 【1】.
  
  **What Happened:**
  The vulnerability arises because protobuf.js compiles protobuf schemas by using the `Function` constructor to execute generated JavaScript source code 【1】. An attacker can supply a malicious protobuf schema (configuration file) to a target application 【1】. When the application processes a message of a type defined in this malicious schema, the `Function` constructor executes the attacker's payload. This payload is injected by manipulating the type name within the schema, which is used directly as a function identifier without proper sanitization 【1】. The execution is triggered lazily, meaning it occurs the first time the application needs the type's constructor, typically when decoding a message 【1】.
  
  **Who is Affected:**
  The vulnerability affects applications that use **protobuf.js** and load protobuf schemas from potentially untrusted sources. This includes a vast range of applications, as protobuf.js is a core component for anything using Protocol Buffers from JavaScript, including services built on **Google Cloud, Firebase, and most modern cloud platforms** 【1】. It is often installed as a hidden dependency, meaning many development teams may not be aware they are using it 【1】. The vulnerability is particularly relevant to applications that decode messages from external sources, such as application servers, gateways, service-mesh sidecars, and ingestion pipelines 【1】.
  
  **Security Implications:**
  The security implications are severe, leading to **full RCE on running services** 【1】. An attacker can achieve:
  - **Full RCE on running services:** This impacts application servers, protocol-aware gateways, service-mesh sidecars, ingestion pipelines, and any worker that decodes messages against an attacker-influenced schema 【1】.
  - **Credential and data exfiltration:** The malicious code runs within the Node.js process, gaining access to environment variables, service tokens, database connections, secrets, and in-memory user data 【1】.
  - **Lateral movement:** An RCE on a data plane service can provide a pivot point into the rest of the system, allowing attackers to access internal APIs, queues, and object stores 【1】.
  
  **Technical Details:**
  The vulnerability lies in how protobuf.js generates JavaScript code from protobuf schemas. It uses the `Function` constructor, a powerful but dangerous tool that can execute arbitrary code 【1】. The exploit involves crafting a protobuf type name that includes malicious JavaScript code. For example, a type named `User){process.mainModule.require("child_process").execSync("id");` would cause the `Function` constructor to execute the `id` command 【1】. This name is directly inserted into the generated code without escaping or validation of non-word characters 【1】. The fix involves stripping non-word characters from type names before they are used in code generation 【1】. The vulnerability is triggered when the application first needs to use a message type defined in the malicious schema, typically during message decoding 【1】.
  
  **What Defenders Should Know:**
  Defenders should take the following actions:
  - **Upgrade protobuf.js:** Immediately upgrade to versions **8.0.1** (for the 8.x line) or **7.5.5** (for the 7.x line) 【1】. It is crucial to audit transitive dependencies, as many applications pull in protobuf.js indirectly through libraries like `@grpc/proto-loader`, Firebase, or Google Cloud SDKs 【1】. Tools like `npm ls protobufjs` and `npm audit` can help identify vulnerable versions 【1】.
  - **Treat schema-loading as untrusted input:** Endpoints that load protobuf schemas should be considered as untrusted input surfaces, similar to `eval` 【1】.
  - **Prefer precompiled artifacts:** In production environments, use tools like `pbjs` and `pbts` to generate static code. If the production request path does not require runtime schema compilation, avoid enabling that code path 【1】.
  - **Pin and verify reused schemas:** When reusing schemas from registries (e.g., Buf Schema Registry, googleapis/googleapis, internal registries), pin them to immutable versions, verify checksums, and apply the same review process as for new npm dependencies 【1】.
  - **Include development tools in SCA scope:** Development tools such as codegen tools, linters, and build plugins should be included in Software Composition Analysis (SCA) scope, as they can also introduce runtime vulnerabilities 【1】.
• Analysis of RedSun: Local Privilege Escalation via Defender Remediation Abuse - Fortra Intelligence and Research Experts (FIRE) 🔍 Show Kagi Synopsis
  The cybersecurity article details a Local Privilege Escalation (LPE) vulnerability named **RedSun**, discovered by Fortra Intelligence and Research Experts (FIRE) and disclosed in April 2026.
  
  **What Happened**
  RedSun exploits a race condition between **Windows Defender** and the **Windows Cloud Files API (cfapi)**, combined with **NTFS Reparse Points**, to achieve arbitrary file overwrites. An attacker can trick the highly privileged Windows Defender service into overwriting critical system binaries, allowing them to replace a legitimate service with their own malicious code.
  
  **Who is Affected**
  The vulnerability affects **Windows 10/Server 2016 and later** systems where standard users have access to the Cloud Files API and can create directory junctions. The **Windows Defender real-time protection engine** is specifically targeted.
  
  **Security Implications**
  This vulnerability can lead to **full administrative control** over a compromised system. By overwriting a legitimate system binary with their own code, an attacker can execute arbitrary commands with `SYSTEM` privileges.
  
  **Technical Details**
  The exploit involves a six-phase process:
  1. **Bait Creation**: A decoy file containing the EICAR test string is created to trigger antivirus detection.
  2. **CfAPI Registration**: A directory is registered as a Cloud Sync Root to intercept system operations.
  3. **TOCTOU Window**: A Batch Oplock is used to pause the antivirus thread during its scan of the decoy file.
  4. **Path Redirection**: While the antivirus is paused, the directory is replaced with an NTFS Mount Point targeting `C:\Windows\System32`.
  5. **Weaponized Remediation**: The antivirus resumes and, believing it's cleaning a threat in the user's directory, overwrites a system binary in `System32`.
  6. **Privilege Escalation**: The attacker replaces the corrupted service with their payload and executes it to gain a `SYSTEM`-privileged interactive shell.
  
  **What Defenders Should Know**
  Defenders should monitor for the following suspicious activities:
  * **Unauthorized use of `CldApi.dll`** by non-system processes to register Cloud Sync Roots.
  * **Sequences of Batch Oplocks** followed by directory renaming and the creation of mount points targeting critical system paths.
  * The **Antimalware Service Executable (`MsMpEng.exe`)** performing write or overwrite operations on system binaries within `C:\Windows\System32`.
  * **EICAR alerts** occurring immediately before unexpected modifications to system services or COM objects.
  * **Unauthorized named pipes** (e.g., `\??\pipe\REDSUN`) being accessed by `SYSTEM`-level processes.
  
  Mitigation strategies include **restricting mount point creation and Cloud Files API access** for unprivileged users, in addition to implementing robust behavioral monitoring. 【1】
• One Click(Fix) To Rule Them All, One Click(Fix) To Find Them - The content posted at the URL is controlled by **Saksham Anand**. 🔍 Show Kagi Synopsis
  The cybersecurity article details the evolution and discovery of **ClickFix**, a malicious technique used by threat actors for initial access.
  
  **What Happened:**
  ClickFix has evolved from simply impersonating CAPTCHA or error prompts to more sophisticated lures. These now include fake documentation for products like **Claude Code**, guides for **Mac storage cleaning**, and malicious instructions distributed through platforms like **Medium** 【1】. The core of the discovery method involves using a known ClickFix domain to find others through the **Google Ads Transparency Center** 【1】.
  
  **Who is Affected:**
  The primary targets are users who fall for these lures, potentially downloading malware or compromising their systems. Companies whose brands are impersonated are also affected, as their reputation is exploited to lend credibility to the malicious campaigns 【1】.
  
  **Security Implications:**
  The security implications include **initial access for threat actors**, which can lead to further compromise, data theft, or the deployment of ransomware. The use of legitimate advertising platforms like Google Ads by threat actors, either through compromised accounts or by creating dummy companies, highlights a significant security risk and a vector for abuse 【1】.
  
  **Technical Details:**
  The technique involves starting with a known malicious domain, such as `claude-code-macos[.]com`. This domain is then searched within the **Google Ads Transparency Center**. This search reveals the companies advertising the malicious domain. By examining the ads associated with these companies, other malicious domains and lures, such as those impersonating **Claude Code** and **Kimi**, can be discovered 【1】. The Google Ads accounts used could be compromised legitimate accounts or fake entities created by the threat actors 【1】.
  
  **What Defenders Should Know:**
  Defenders can utilize this technique for **proactive threat hunting** and **brand abuse investigations**. It allows for the identification and blocking of multiple malicious domains across corporate networks and facilitates reporting for domain takedowns 【1】. However, defenders must be aware that this method has limitations. If Google removes an advertisement or domain due to abuse reports, it may no longer be visible in the Transparency Center, creating **visibility gaps** that can hinder investigations and the correlation of user activity with other domains controlled by the same threat actor 【1】.
• Botconf 2026 videos - youtube.com 🔍 Show Kagi Synopsis
  I am sorry, but I cannot access external websites or specific YouTube playlists, including the one you provided. Therefore, I am unable to read the cybersecurity article and provide a detailed precis.