Category: Uncategorized

Ravie LakshmananApr 02, 2026Network Security / Vulnerability

Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.

The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.

“This vulnerability is due to incorrect handling of password change requests,” Cisco said in an advisory released Wednesday. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.”

“A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.”

Security researcher “jyh” has been credited with discovering and reporting the vulnerability. The shortcoming affects the following products regardless of the device configuration – 

• 5000 Series Enterprise Network Compute Systems (ENCS) – Fixed in 4.15.5
• Catalyst 8300 Series Edge uCPE – Fixed in 4.18.3
• UCS C-Series M5 and M6 Rack Servers in standalone mode – Fixed in 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174)
• UCS E-Series Servers M3 – Fixed in 3.2.17
• UCS E-Series Servers M6 – Fixed in 4.15.3

Another critical vulnerability patched by Cisco impacts Smart Software Manager On-Prem (SSM On-Prem), which could enable an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability, CVE-2026-20160 (CVSS score: 9.8), stems from an unintentional exposure of an internal service.

“An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service,” Cisco said. “A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.”

Patches for the flaw have been released in Cisco SSM On-Prem version 9-202601. Cisco said the vulnerability was discovered internally during the resolution of a Cisco Technical Assistance Center (TAC) support case.

While neither of the vulnerabilities has been exploited in the wild, a number ofrecentlydisclosed security flaws in Cisco products have been weaponized by threat actors. In the absence of a workaround, customers are recommended to update to the fixed version for optimal protection.

Ravie LakshmananApr 01, 2026Social Engineering / Malware

Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.

The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It’s currently not known what lures the threat actors use to trick users into executing the scripts.

“The campaign relies on a combination of social engineering and living-off-the-land techniques,” the Microsoft Defender Security Research Team said. “It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system.”

The use of legitimate tools and trusted platforms is a deadly combination, as it allows threat actors to blend in normal network activity and increase the likelihood of success of their attacks.

The activity begins with the attackers distributing malicious VBS files via WhatsApp messages that, when executed, create hidden folders in “C:\ProgramData” and drop renamed versions of legitimate Windows utilities like “curl.exe” (renamed as “netapi.dll”) and “bitsadmin.exe” (renamed as “sc.exe”).

Upon gaining an initial foothold, the attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. This is achieved by downloading auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries.

“Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses,” Redmond said. “It continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under HKLM\Software\Microsoft\Win, and embedding persistence mechanisms to ensure the infection survives system reboots.”

These actions allow the threat actors to gain elevated privileges without user interaction via a combination of Registry manipulation with UAC bypass techniques, and ultimately deploy unsigned MSI installers. This includes legitimate tools like AnyDesk that provide attackers with persistent remote access, enabling the attackers to exfiltrate data or deploy more malware.

“This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting,” Microsoft said.