Emerging Threats & Security Strategies

WEEK OF MAR 1, 2026 | ISSUE 16 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

This Week in Dragon Sight

This week’s threat landscape reflects a dangerous convergence of infrastructure vulnerabilities, AI-enabled attack tooling, and stealth exploitation techniques. A zero-day in Cisco SD-WAN devices and multiple critical flaws in SolarWinds Serv-U underscore persistent risk in edge and file transfer systems widely used by enterprises and service providers. Threat actors are now weaponizing generative AI platforms in live government-targeted campaigns, demonstrating that AI is operationalized, not theoretical. Meanwhile, new Wireshark updates patch security flaws affecting analysts and defenders themselves, and researchers disclosed a zero-click vulnerability that raises concerns around silent device compromise. The pattern is clear: perimeter technologies, trusted software, and even security tooling remain active targets, reinforcing the need for layered defense and continuous monitoring.

NEW!!!

CYBER NEWS ROUNDUP

Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB

Cisco SD-WAN Zero-Day (CVE-2026-20127) Actively Exploited
A newly disclosed zero-day vulnerability in Cisco SD-WAN devices is actively being exploited, enabling attackers to execute arbitrary code on affected systems. The flaw impacts organizations that rely on SD-WAN infrastructure for branch connectivity and could lead to network-wide compromise if not promptly patched. Immediate firmware updates and strengthened network segmentation are strongly recommended. Nexus-Dragon assesses this as especially critical for SMBs using managed WAN solutions, as many operate with default configurations and lack layered detection controls.
Read more: https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html

SolarWinds Patches Four Critical Serv-U Vulnerabilities
SolarWinds has released patches to address four critical vulnerabilities in its Serv-U Managed File Transfer and Secure FTP products, including flaws that could enable remote code execution. Organizations using Serv-U for internal operations or partner data exchanges face significant risk of data theft or full system compromise if updates are delayed. These issues highlight the ongoing trend of attackers targeting file transfer infrastructure as a high-value entry point. Nexus-Dragon emphasizes that many SMBs deploy Serv-U or similar solutions without continuous monitoring, making disciplined patch management and visibility controls essential.
Read more: https://thehackernews.com/2026/02/solarwinds-patches-4-critical-serv-u.html

Hackers Weaponize Claude Code in Mexican Government Cyberattack
Threat actors reportedly leveraged an AI coding assistant platform, Claude Code, to develop and refine tools used in an attack targeting Mexican government systems. This marks a shift toward AI-accelerated offensive development, lowering the barrier for malware refinement and operational efficiency. While AI platforms are not inherently malicious, their misuse demonstrates how adversaries are rapidly integrating generative tools into campaigns. Nexus-Dragon views this as strategically important for SMBs because AI-enhanced attack development increases speed and scale, reducing the warning time between vulnerability disclosure and exploitation.
Read more: https://www.securityweek.com/hackers-weaponize-claude-code-in-mexican-government-cyberattack/

Wireshark 4.6.4 Released with Security Fixes
Wireshark 4.6.4 has been released to address security vulnerabilities that could potentially be exploited through malicious capture files. While primarily a defensive tool, flaws in packet analysis software could expose analysts or security teams to risk during routine investigation workflows. Users are advised to upgrade immediately to avoid exploitation through crafted traffic files. Nexus-Dragon emphasizes that even security tooling must be included in patch governance programs, particularly for SMBs with limited internal security oversight.
Read more: https://cybersecuritynews.com/wireshark-4-6-4-released/

OpenClaw Zero-Click Vulnerability Disclosed
Researchers disclosed an OpenClaw zero-click vulnerability that allows attackers to compromise devices without any user interaction. Zero-click flaws are particularly dangerous because they bypass traditional phishing awareness defenses and require no action from the victim. Such vulnerabilities are typically exploited in targeted or high-value campaigns but may eventually cascade into broader exploitation. Nexus-Dragon advises SMB leaders to adopt behavior-based endpoint protection and continuous monitoring, as user training alone cannot mitigate zero-interaction attacks.
Read more: https://cybersecuritynews.com/openclaw-0-click-vulnerability/

Government Alerts & ICS Advisories

CISA Issues Updated RESURGE Malware Analysis Highlighting Stealthy, Active Threat
https://www.cisa.gov/news-events/news/cisa-issues-updated-resurge-malware-analysis-highlighting-stealthy-active-threat

CISA Announces New Town Halls to Engage Stakeholders on Cyber Incident Reporting for Critical Infrastructure
https://www.cisa.gov/news-events/news/cisa-announces-new-town-halls-engage-stakeholders-cyber-incident-reporting-critical-infrastructure

Cyber Hygiene

Security teams should immediately patch the actively exploited Cisco SD-WAN zero-day and confirm that management interfaces are not exposed to the internet. Monitor closely for unauthorized configuration changes and suspicious control-plane activity that could indicate persistence.

SolarWinds Serv-U users must upgrade to the latest fixed release and audit all administrative accounts, as recent critical flaws allow remote code execution and potential full system compromise. Managed file transfer systems should be placed behind VPN or private access, with MFA enforced and alerts enabled for abnormal file activity.

Organizations running Ivanti Connect Secure should validate for RESURGE malware persistence rather than assuming patching alone eliminates risk. Development environments should secure CI/CD pipelines and scan software dependencies to reduce the chance of malicious package propagation.

Wireshark and other security analysis tools should be updated immediately, and untrusted capture files must not be opened on production systems. Reduce exposed services, tighten firewall rules, and restrict remote management access to trusted IP ranges only.

Strengthen endpoint monitoring to detect living-off-the-land techniques, and segment OT and ICS networks from corporate environments while applying vendor mitigations without delay. This week’s threat pattern reinforces a hard truth: attackers are targeting trusted infrastructure and exploiting visibility gaps, making disciplined patching, hardened access controls, and continuous monitoring essential for both IT teams and SMB leaders.
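The Cyber Hygiene guidance above boils down to a handful of checks a team can run against device configuration on a schedule: has a new administrative account appeared, has management access been opened beyond trusted ranges, has logging been switched off or redirected, and has a segmentation policy been loosened. The script below is an added example written for this issue, not code from the newsletter or from any vendor. It compares a baseline snapshot of an edge device's management settings against a current snapshot and tags each drift finding with the ATT&CK technique it most closely maps to. The snapshot layout, both sample snapshots, and the rule that management access must originate from RFC 1918 space are constructed assumptions for illustration, not a real vendor export format or policy.

```python
"""Configuration-drift audit for an edge device's management plane.

Added example, not from the newsletter or from any vendor. It compares a
trusted baseline snapshot of management settings against a current
snapshot and flags the changes the Cyber Hygiene section says to watch
for: new or elevated admin accounts, management access opened to
untrusted ranges, disabled or redirected logging, and weakened
segmentation policy. The snapshot layout and both sample snapshots are
constructed for illustration and are not a real vendor export format.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the device as it looked at the last authorized review.
BASELINE = {
    "users": {"netadmin": "admin", "helpdesk": "operator"},
    "mgmt_allowed_sources": ["10.20.0.0/24", "192.168.50.0/24"],
    "syslog_enabled": True,
    "syslog_server": "10.20.0.5",
    "policies": {"branch-to-dc": "allow-segmented"},
}

# Constructed sample: the same device after an unauthorized change set.
CURRENT = {
    "users": {"netadmin": "admin", "helpdesk": "operator", "svc_backup": "admin"},
    "mgmt_allowed_sources": ["10.20.0.0/24", "0.0.0.0/0"],
    "syslog_enabled": False,
    "syslog_server": "10.20.0.5",
    "policies": {"branch-to-dc": "allow-any"},
}

# Assumed local policy: management access may only come from RFC 1918 space.
TRUSTED_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def untrusted_sources(sources: List[str]) -> List[str]:
    """Return the ACL entries that are not wholly contained in a trusted range."""
    untrusted = []
    for entry in sources:
        net = ipaddress.ip_network(entry, strict=False)
        inside = any(
            net.version == trusted.version and net.subnet_of(trusted)
            for trusted in TRUSTED_RANGES
        )
        if not inside:
            untrusted.append(entry)
    return untrusted


def audit_config(baseline: Dict, current: Dict) -> List[Dict[str, str]]:
    """Diff two snapshots; each finding carries the ATT&CK technique it maps to."""
    findings: List[Dict[str, str]] = []

    # New or elevated privileged accounts (T1098 Account Manipulation).
    for user, role in current["users"].items():
        old_role = baseline["users"].get(user)
        if old_role is None:
            findings.append({"technique": "T1098", "severity": "high",
                             "detail": f"new account '{user}' with role '{role}'"})
        elif old_role != role and role == "admin":
            findings.append({"technique": "T1098", "severity": "high",
                             "detail": f"account '{user}' elevated from '{old_role}' to 'admin'"})

    # Management interface reachable from outside trusted space: the exposure
    # that T1190 Exploit Public-Facing Application depends on.
    for entry in untrusted_sources(current["mgmt_allowed_sources"]):
        if entry not in baseline["mgmt_allowed_sources"]:
            findings.append({"technique": "T1190", "severity": "critical",
                             "detail": f"management access opened to untrusted source {entry}"})

    # Logging disabled or pointed elsewhere (T1562 Impair Defenses).
    if baseline["syslog_enabled"] and not current["syslog_enabled"]:
        findings.append({"technique": "T1562", "severity": "high",
                         "detail": "syslog forwarding disabled"})
    if current["syslog_server"] != baseline["syslog_server"]:
        findings.append({"technique": "T1562", "severity": "high",
                         "detail": f"syslog server changed to {current['syslog_server']}"})

    # Segmentation or routing policy weakened (T1562; enables T1021 lateral movement).
    for name, value in current["policies"].items():
        if baseline["policies"].get(name) != value:
            findings.append({"technique": "T1562", "severity": "medium",
                             "detail": f"policy '{name}' changed to '{value}'"})
    return findings


if __name__ == "__main__":
    for f in audit_config(BASELINE, CURRENT):
        print(f"[{f['severity'].upper()}] {f['technique']}: {f['detail']}")
```

Run it as-is to see the four findings the constructed drift produces; in practice the snapshots would come from a scheduled configuration export, and the baseline would be refreshed only through the change-control process so that any drift outside that process is, by definition, worth an alert.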

Why This Matters

This week’s threat activity confirms that attackers are deliberately targeting core infrastructure, including network edge devices, managed file transfer platforms, and remote access systems, and that they are exploiting zero-days with speed and precision. When patch cycles are slow and logging is incomplete, compromise is not hypothetical; it is inevitable. For SMBs, exposed management interfaces, permissive configurations, and weak monitoring remain the primary causes of breach. The window between disclosure and exploitation is closing rapidly, and organizations that do not patch immediately, restrict administrative access, and actively monitor for unauthorized changes are assuming unacceptable operational risk.

Vulnerability Deep Dive

Threat Intelligence Brief: Cisco Catalyst SD-WAN Authentication Bypass (CVE-2026-20127)
Week of March 1, 2026

Overview
CVE-2026-20127 is serious because it affects Cisco SD-WAN devices that manage how traffic moves between offices and data centers. If attackers break into one of these systems, they can change network settings, move through connected locations, and hide their activity. These devices sit at the edge of the network, so a breach there can open the door to everything behind it. For small and mid-sized businesses, leaving management access exposed or delaying updates can turn a single device flaw into a company-wide security incident.

Threat Actor Profile
Access brokers and ransomware affiliates targeting exposed edge infrastructure.

Mapped MITRE ATT&CK Techniques

  • T1190 – Exploit Public-Facing Application

  • T1078 – Valid Accounts

  • T1098 – Account Manipulation

  • T1562 – Impair Defenses

  • T1021 – Remote Services

  • T1040 – Network Sniffing

Technical Summary

  • CVE-2026-20127 is caused by improper authentication enforcement in the Cisco Catalyst SD-WAN management interface, allowing a remote, unauthenticated attacker to bypass login validation and obtain elevated administrative access.

  • Exploitation targets the SD-WAN control plane, a critical network edge component, enabling attackers to modify routing policies, create privileged accounts, alter segmentation rules, and weaken security controls.

  • Because SD-WAN systems manage traffic between branch and core networks, compromise can support lateral movement, traffic interception, command-and-control staging, and ransomware operations.

  • The highest risk exists where management interfaces are internet-facing and not protected by strong access controls, MFA, or centralized SIEM monitoring. Weak logging and delayed vulnerability management increase dwell time.

  • The vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog and is subject to federal mitigation directives, indicating confirmed operational threat and elevated urgency.

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-20127
https://www.cve.org/CVERecord?id=CVE-2026-20127
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
https://www.cyber.gc.ca/en/alerts-advisories/cisco-security-advisory-av26-166
https://www.cyber.gc.ca/en/alerts-advisories/al26-004-critical-vulnerability-affecting-cisco-catalyst-sd-wan-cve-2026-20127
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127
https://blog.talosintelligence.com/uat-8616-sd-wan/
https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
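The Technical Summary notes that CVE-2026-20127 sits in the CISA Known Exploited Vulnerabilities catalog, and the references list the catalog's JSON feed. A team that tracks KEV due dates can automate the "is this on the list, and by when must it be fixed" question. The script below is an added example for this brief, not code from the newsletter or from CISA. It parses the feed's published JSON layout (fields such as `cveID`, `dueDate` and `knownRansomwareCampaignUse`), answers those questions for a given CVE, and lists entries already past their due date. `SAMPLE_FEED` is a constructed stand-in for the live feed so the script runs offline: its dates, descriptions and the second entry (`CVE-2000-0000`) are placeholders, not the catalog's actual values for this or any other CVE.

```python
"""Look up a CVE in the CISA Known Exploited Vulnerabilities (KEV) feed.

Added example, not from the newsletter or from CISA. It parses the JSON
layout of the feed published at KEV_URL and reports whether a CVE is
catalogued, how many days remain until its remediation due date, and
which catalogued entries are already overdue. SAMPLE_FEED is a
constructed stand-in for the real feed; its dates, descriptions and the
second CVE are placeholders, not the catalog's actual entries.
"""
import json
import urllib.request
from datetime import date
from typing import Dict, List, Optional

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's layout; every value below is a placeholder.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "PLACEHOLDER",
    "dateReleased": "PLACEHOLDER",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20127",
            "vendorProject": "Cisco",
            "product": "Catalyst SD-WAN",
            "vulnerabilityName": "PLACEHOLDER (authentication bypass)",
            "dateAdded": "2026-02-25",  # placeholder, not the real dateAdded
            "shortDescription": "PLACEHOLDER",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-06",  # placeholder, not the real dueDate
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2000-0000",  # constructed filler entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "PLACEHOLDER",
            "dateAdded": "2026-02-28",
            "shortDescription": "PLACEHOLDER",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-03-20",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def parse_kev(feed_text: str) -> Dict[str, Dict]:
    """Index the feed's vulnerability records by CVE ID."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> Dict[str, Dict]:
    """Download and index the live feed (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_kev(resp.read().decode("utf-8"))


def lookup(catalog: Dict[str, Dict], cve_id: str) -> Optional[Dict]:
    """Return the catalog record for a CVE, or None if it is not listed."""
    return catalog.get(cve_id.upper())


def days_until_due(record: Dict, today_iso: str) -> int:
    """Days remaining to the KEV due date; negative once it has passed."""
    due = date.fromisoformat(record["dueDate"])
    return (due - date.fromisoformat(today_iso)).days


def overdue_entries(catalog: Dict[str, Dict], today_iso: str) -> List[str]:
    """CVE IDs whose remediation due date is already behind us."""
    return sorted(cve for cve, rec in catalog.items() if days_until_due(rec, today_iso) < 0)


if __name__ == "__main__":
    today = date.today().isoformat()
    catalog = parse_kev(SAMPLE_FEED)  # replace with fetch_kev() to use the live feed
    rec = lookup(catalog, "CVE-2026-20127")
    if rec is None:
        print("CVE-2026-20127 is not in this catalog copy")
    else:
        print(f"{rec['cveID']} listed; due {rec['dueDate']} "
              f"({days_until_due(rec, today)} days from today)")
    print("overdue entries:", overdue_entries(catalog, today))
```

Swapping `parse_kev(SAMPLE_FEED)` for `fetch_kev()` runs the same logic against the live catalog; the rest of the code does not change, which is the point of separating parsing from retrieval.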

Discover the Nexus-Dragon Ecosystem

Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection

Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep: it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com

Included in CLS:

  • Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications

  • Access to interactive cloud security labs, recorded workshops, and scheduled mentorship

  • Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency

  • Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response

Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:

  • AI-driven threat detection, endpoint security, and real-time response

  • Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001

  • Guided onboarding and a full cybersecurity risk assessment to identify gaps

  • Multi-year price lock and flexible plans that grow with your organization’s needs

Stay Ahead of Cyber Threats

Nexus-Dragon’s Curated Threat Intelligence Service delivers real-time, tailored insights focused on your risks, your industry, and your assets. We cut through the noise to give you high-confidence IOCs, mapped MITRE ATT&CK techniques, and strategic recommendations so you can act fast and stay protected. Get intelligence built for action.

Dragon Armor Advisors (DAA) by Nexus-Dragon takes the hassle out of hiring by recruiting, vetting, and managing elite cybersecurity professionals for you. From analysts to compliance leads, our mission-ready experts, many from NSA, DoD, and CISA, integrate seamlessly into your team with zero long-term risk. Fill your security gaps fast. www.nexus-dragon.com

Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.


Optery helps businesses and individuals automatically remove their private information from hundreds of data broker websites—reducing exposure to phishing, identity theft, and targeted attacks. It’s a powerful privacy protection platform ideal for SMBs looking to safeguard executives, employees, or clients.
Learn more →


Streamline your cybersecurity projects and team workflows with Monday, the flexible work OS built to help small businesses and IT teams stay organized, aligned, and efficient. From managing incident response tasks to tracking compliance milestones, Monday makes it easy to visualize progress and stay ahead of threats.
Learn more →

This week’s sponsor, Bitdefender, delivers advanced endpoint protection built to stop ransomware, phishing, and zero-day threats before they disrupt your business. Trusted by small businesses and IT teams worldwide, Bitdefender combines AI-driven detection with lightweight performance and centralized management. Learn how you can strengthen your security posture with enterprise-grade protection designed for SMBs.

Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
Or explore our solutions directly at:

A Comprehensive Training and Security Platform

Nexus-Dragon stands apart by delivering more than just tools—it builds defenders. We combine cybersecurity training, information security, and real-world operations into one platform. Our focus spans network security, cloud security, and endpoint security, with added strength in penetration testing, incident response, and risk management. Every service is tied to core standards like the NIST Cybersecurity Framework, ISO 27001, PCI-DSS, HIPAA, and GDPR, ensuring both compliance and resilience.

Advanced Operations and Intelligence

Our operations cover the full spectrum of modern defense. The Nexus-Dragon team runs advanced security operations, integrating endpoint detection and response (EDR), extended detection and response (XDR), SIEM, and SOAR to catch and contain threats quickly. Capabilities include threat hunting, cyber threat intelligence, and vulnerability management, while our security architecture applies zero trust, multi-factor authentication (MFA), single sign-on (SSO), and identity governance to protect critical digital identity systems.

TELL US HOW WE’RE DOING!

Your feedback is VERY valuable! Let us know how we can improve future issues.

The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!

All trademarks belong to their respective owners.

CONTACT US