Cisco SD-WAN Manager Flaw Exploited; SolarWinds Serv-U DoS Flaw in KEV; VMware Cloud Foundation Operations Stored XSS Flaws

Our old friend, processing untrusted input, is back. This latest bug affects all versions of the SD-WAN software, regardless of device configuration or deployment types. It is the seventh SD-WAN issue this year, the second zero-day flaw in two months, and it doesn't have a patch yet. It does require admin credentials to exploit, but unfortunately, credential compromise is all too common these days. First, make sure that you're on the latest SD-WAN version from May. Second, make sure that your authentication implements RBAC, is only available to authorized systems, and uses the strongest possible authentication mechanisms available.

The SD-WAN System from Cisco is getting a very serious look-see from attackers. I recall this being part of their Viptela Acquisition. I suspect we will see more of this, given the number of vulnerabilities that have been increasing. It would be ideal to keep this patched and to patch your systems often. Look for strange sites that could be part of your SD-WAN environment while you are at it.

Cisco just can’t seem to catch a break lately. The silver lining with their latest security flaw is that an attacker needs valid credentials to exploit it. The catch? Stolen credentials are incredibly easy to find online. The bottom line remains the same: IT admins need to stay on alert and patch their systems the moment Cisco drops an update.

So, not only apply the update, but also put a WAF in front of your file transfer service, which, when you think about it, should already be in place. If your team tells you, “been there, done that,” verify that you're in blocking mode, not learning mode, and verify someone is watching for signs of successful exploitation.

This appears to be an implementation-induced vulnerability, rather than contamination of their product with malware.

The good news is there are no current active exploits here. On the flip side, there are no workarounds: you need to deploy updated versions of VMware Aria Operations, Cloud Foundation, vSphere Foundation, and Telco Cloud Platform. This may be a good excuse to move to Cloud Foundation and vSphere Foundation 9.1.0.0 if you're still on 9.0 or lower. Note that the fix to TCP/TCI is a patch rather than an update.

Cross-Site Scripting has been in the OWASP (and other) top software vulnerability lists for over 20 years, currently 5th as part of A05:2025 Injection — VMware software updates should be routinely preventing such flaws from reaching production software. With little action at the federal level on enforcing language around meeting essential security hygiene levels, it will take successful civil lawsuits to make any progress.

States are taking data privacy into their own hands, moving aggressively to outlaw the commercial sale of highly sensitive location and tracking data. With Massachusetts joining the ranks as the fifth state to enforce an outright ban — and with roughly 20 others demanding strict, mandatory opt-in consent — businesses are left navigating a logistical nightmare. While this chaotic regulatory patchwork practically begs for a national data privacy law, a distracted Congress continues to keep federal reform on the back burner.

I am not sure why we have lagged on Data Privacy protections in the US, but maybe we can start seeing some traction on this. I think that the focus for a while has been on other laws, but this could start to change the game from a privacy standpoint.

Another state is taking a stand on data brokers and loopholes which allow access to and sale of surveillance and other privacy information. While states should be applauded for stepping up to fill the void of not having national legislation, it's going to be complicated to implement as many privacy acts as are being put into place. Each increases the risk of error and complexity of your implementation of permission reporting, data correction and opt-out systems. Make sure that your chief privacy officer is tracking all the new legislation; do not become the case law others learn from.

One supposes that it is too much to ask that it be illegal to trade in PII that was not provided by the subject for that purpose. One might settle for informed consent. In our Federal system, the state legislatures are a good place to start the hard task of drafting privacy legislation that is effective while avoiding disruption and other unintended consequences. We should be grateful to those legislators willing to take it on.

I mean, are we surprised that this type of code exists? I am not going to make excuses for the company because it has a sordid history with data privacy, but this should not be a shocker to anyone. Here is a better question: how many of the other smart glasses out there already have a feature like this?

Familiar face recognition sounds kind of cool up front, let alone recognizing strangers, but the devil is in the details, particularly when coupled with AI systems which accelerate finding any weaknesses (or features) in the implementation. Given our other story about privacy laws, it's not clear how one would opt out of such a system. Consider that in Germany, due to GDPR and BDSG, your doorbell and other surveillance cameras are not permitted to capture images in public spaces or neighboring properties; they must only record your own property. This will be interesting to watch as it progresses.

Meta did the right thing by pulling its pre-release code, but don't expect the technology to stay shelved for long — it will inevitably return as a feature. Facial recognition isn't new; it's been around for decades. However, it was the explosion of social media over the last 20 years that finally fed these models the data they needed to mature. Now a staple of daily commercial and civic life, automated recognition serves as a permanent upgrade to faulty human memory. It is the next tech frontier, assuming companies can find a way around tightening state privacy laws.

Facial recognition works well, and is non-intrusive when asked to compare a single individual to a reference that they provided. Apple's facial recognition for user AUTHENTICATION is a good example. It has high error rates and is invasive when asked to IDENTIFY or RECOGNIZE from large populations. (That said, at 91, I often have difficulty putting names to people I know well but see seldom. When I finally get smart glasses, I will appreciate a little help.)

The attackers here took advantage of the AI's ability to add new email addresses to accounts, then used those accounts to reset MFA. It’s not so much the AI model that was a problem; it was the guardrails around it. We see there is a 20K number here, but after this was disclosed, how many other accounts could have been hit? That is probably a number not yet known.

The use of AI to recover accounts reveals issues, and serves as a reminder that automation will reveal underlying shortcuts as well as take full advantages of privileges given. Make sure you're doing your QA properly. For Instagram users, make sure you don't have any extra email addresses associated with your profile, and that you've implemented MFA. Wait, you haven't used your Instagram account in "forever?" maybe it's time to delete that account, as there are those willing to recover/activate it and use it for you.

The rush to deploy AI-assisted applications to streamline corporate headcount frequently triggers unintended consequences, with this latest incident leaving Meta facing public embarrassment. Comprehensive quality assurance (guardrail) testing likely would have identified the design flaw, although ironically, that process may have been automated by AI as well.

Unfortunately, this report does not have details on the initial infection vector that would make this more useful to get the risk across to management. But the first line of the conclusion is briefing-worthy: "The attackers' focus throughout was on a single objective: long-term, incremental theft of the contents of a single Outlook mailbox, exfiltrated through Dropbox and OneDrive Personal in small batches over a period of five months to avoid raising suspicions or triggering alerts on the system."

The report from Symantec and Carbon Black includes the IoCs you're looking for. The malware masqueraded as the Adobe Acrobat Reader update service as well as the Microsoft OneDrive setup helper. But those were setup through an earlier compromise where the attackers had system/admin privileges. Beyond hunting for these IoCs, make sure that your EDR is ubiquitous and monitored, that updates are applied judiciously and authentication tokens have a defined lifetime. My buddy Roger tells me that he's trained his IT staff to treat every Tuesday as patch day, to keep the cadence of assuring all systems are kept updated. While it took a bit of time and culture change, overall the team is more effective and confident in their security posture than they were previously, and Roger as CISO is as well.

Do you have strong authentication on your email?

This report stands out for three alarming reasons: it reveals that data from a third of the US population was compromised in 2025 (even factoring in duplicate entries); it proves that bad actors still view healthcare as low-hanging fruit; and it raises tough questions about whether the sector's cybersecurity "best practices" are actually working.

Those numbers are alarming. In essence, we're at better than a one-in-three chance our HIPAA data has been breached. While fully supporting our healthcare providers raising the bar on security, we need to be proactive. Make sure that you have ID protection/restoration services, that they are still active, and that they are monitoring your current information. Before you go out and purchase a service, check your existing providers, banks, credit union, auto club, etc., many of which offer free or discounted services with your current membership/patronage.

HIPAA security remains in the ditch. It should have been prescriptive instead of expecting all covered entities to do their own risk assessments and select and implement their own measures. Even the largest and most professional enterprises have failed basic hygiene and have been breached. This is the tragic result.