InfoSec.Watch

127 - From Cisco To EV Chargers: Active Exploits And Urgent Patches

Infosec.Watch Season 2 Episode 127

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 10:00

Send us Fan Mail

A wave of edge and control‑plane threats drives urgent patching and smarter validation across Cisco SD‑WAN, EV charging, FileZen, and Serve‑U. We map real exploits, spotlight APT28 tradecraft, unpack Google risk shifts, and share a post‑patch playbook that assumes breach.

• Cisco SD‑WAN 10.0 authentication bypass and active exploitation
• CISA KEV update for FileZen and patch prioritization
• EV charging platform flaws enabling session hijack and station impersonation
• APT28 targeting MSHTML and legacy components as modern vectors
• One Uptime 10.0 root‑level exploit via traceroute probes
• Google localhost WebSocket risk and policy reversals on token proxying
• Governance for agentic AI with supervised fine‑tuning and oversight
• Quick hits on North Korean air‑gap tools and UNC2814 disruption
• Serve‑U critical updates and file transfer exposure
• EU CRA impacts on open source supply chains
• Post‑patch validation: verify versions, confirm exposure is gone, hunt logs, rotate secrets
• Continuous exposure management for control planes and edge systems

For more in-depth analysis and links to everything we discussed today, be sure to subscribe to our newsletter at infosec.watch

Support the show

Thanks for listening to InfoSec.Watch!

Subscribe to our newsletter for in-depth analysis: https://infosec.watch
Follow us for daily updates:
-  X (Twitter)
- LinkedIn 
- Facebook -   

Stay secure out there!


SPEAKER_01

Welcome back to the InfoSec.watch Podcast, your weekly brief on what matters most in cybersecurity. I'm Grant Lawson.

SPEAKER_00

And I'm Sloan Parker. It has been a very busy week, Grant. We've got a lot to get through, from critical vulnerabilities in Cisco gear to new tools from North Korean threat actors.

Cisco SD‑WAN 10.0 Exploit

SPEAKER_01

Absolutely. Let's not waste any time and jump right into our top stories. First on the list is a big one: a maximum severity security flaw in Cisco Catalyst SD WAN controller and manager.

SPEAKER_00

Maximum severity? You mean a 10.0?

SPEAKER_01

A perfect 10. It's tracked as CVE 2026-2217. And what's really concerning is that it's already under active exploitation. The report says malicious activity dates back to 2023.

SPEAKER_00

Wow, since last year? That's a long time for a critical bug to be exploited in the wild before it's even disclosed. What's the impact?

SPEAKER_01

It's an authentication bypass that allows an unauthenticated remote attacker to gain administrative access to the affected systems. Full control. This is as bad as it gets for a core networking product like SD-WAN.

CISA KEV And FileZen

SPEAKER_00

Yikes. And speaking of active exploitation, CISA has been busy. They've just added a vulnerability in a product called FileZen to their known exploited vulnerabilities catalog.

SPEAKER_01

Right, and we know what that means. The Kev catalog is basically a drop everything and patch list, especially for U.S. federal agencies who are mandated to fix these within a certain time frame. It's a strong signal for everyone else to prioritize it.

EV Chargers And Physical Risk

SPEAKER_00

And the hits keep coming. This next one is a bit different. It affects physical infrastructure. DISA also issued an urgent industrial controls advisory for the EV2Go electric charging platform.

SPEAKER_01

I saw that one, a 9.4 CVSS score. The flaws allow for session hijacking and even station impersonation.

SPEAKER_00

Station impersonation. So you could have attackers setting up fake charging stations or taking over real ones? That feels dangerous.

Core Takeaways On Exposure

SPEAKER_01

It really is. It highlights the growing attack surface as we connect more and more of our critical infrastructure to the internet. The takeaway for all three of these stories is really the same. Identify your exposure, prioritize patching on anything internet facing, and get detections in place for exploit attempts because the attackers are not waiting around.

APT28 And MSHTML Vector

SPEAKER_00

Exactly. So let's move on to our vulnerabilities spotlight. And it seems we have another big name involved here, APT28.

SPEAKER_01

Yep, the Russia-linked state-sponsored group. Akamai has new findings suggesting they may have exploited a security flaw patched by Microsoft. The vulnerability is CVE 2026-21513, an 8.8 high severity flaw in MSHTML.

SPEAKER_00

MSHTML. That's the old Internet Explorer engine, right? So we're talking about an attack vector through something like a malicious Office document.

SPEAKER_01

That's the classic vector for it. A user opens a file, the vulnerable component renders malicious content, and the attacker gains a foothold. It's a stark reminder that even legacy components can pose a modern threat, especially when wielded by sophisticated actors like APT28.

One Uptime Critical Flaw

SPEAKER_00

Definitely. And speaking of high CVSS scores, this next one is literally off the charts. One uptime version 10.0.7 just patched a critical vulnerability. CVE2627728 with a CVSS score of 10.0.

SPEAKER_01

A perfect 10. What's the vector on this one?

SPEAKER_00

Yet this. Attackers can use tracerou probes to execute root commands and steal data. Right? So again, the guidance is clear. If you're using one uptime, you need to patch immediately. There's no room for error with a vulnerability this severe.

SPEAKER_01

Okay, let's shift gears a bit and look at policy and regulation watch. There are a couple of interesting developments from Google.

SPEAKER_00

Yeah, first, a vulnerability related to the OpenClaw Gateway port. Apparently, malicious websites could open a WebSocket connection to localhost, brute force casswords, and take control of the agent.

SPEAKER_01

That's a classic example of a cross-site scripting or, well, a cross-origin attack that breaks the browser's security model. The fact that a remote website can interact with a service on your local machine is always a red flag.

SPEAKER_00

And the other Google story is a bit of a policy reversal. They've refreshed a system called anti-gravity and have started reinstating accounts that were suspended for token proxying.

SPEAKER_01

The ban wave reversal, it sounds like they're giving people a final warning rather than a permanent ban.

SPEAKER_00

Exactly. It's a final warning on using those open claw proxies. Though the key takeaway for both of these is about tracking obligations, mapping requirements to your controls, and being ready for when enforcement tightens.

Governing AI Agents Safely

SPEAKER_01

Sound advice. Now for our tool or resource of the week, we're looking at something a bit more forward-looking: agenc AI.

SPEAKER_00

Okay, so AI agents that can actually perform tasks, not just provide information. That's a huge step.

SPEAKER_01

It is, and it comes with a lot of risk. The resource this week is about managing that risk. It details how to use things like supervised fine-tuning and structured oversight to govern these agents in production. It's all about improving reliability and supporting accountable deployment.

SPEAKER_00

So you don't just uh let it loose on your network.

Quick Hits: Air Gaps To Takedowns

SPEAKER_01

Please don't. The recommendation is to pilot it in a sandbox, validate that it actually covers what you need it to in your environment, and then slowly add it to a repeatable workflow, whether that's in your CICD pipeline, detection engineering, or system hardening.

SPEAKER_00

Makes sense. Walk before you run. Alright, let's run through some quick hits. First up, North Korean hackers have some new toys for hitting air-gapped systems.

SPEAKER_01

The old school method. They're using removable drives to move data between internet connected and isolated networks. Good reminder that air gaps are only as good as your physical security and USB drive policies.

SPEAKER_00

Next, a big takedown. Google worked with partners to disrupt the infrastructure of a suspected China Nexus group, UNC 2814. They had greached at least 53 organizations in 42 countries.

SPEAKER_01

That's a prolific actor. The defensive advice there is pretty fundamental. Use phishing-resistant multi-factor authentication, review your logs for indicators of compromise, and make sure your incident response plan is more than just a dusty document on a shelf.

SPEAKER_00

Right. And for SolarWinds users, there are updates to address four critical security flaws in this serve file transfer software. All are rated 9.1 and could lead to remote code execution.

SPEAKER_01

File transfer solutions are always high-value targets. That's another patch now situation for sure.

SPEAKER_00

Totally. And lastly, a quick look at the EU Cyber Resilience Act. Red Hat and the Open SSF are publishing some interesting case studies on how the CRA will impact the open source supply chain. It's a huge issue. That's definitely worth a read for anyone involved in developing or consuming open source software, which is pretty much everyone.

Patch Plus Validate Playbook

SPEAKER_01

True. Okay, that brings us to our actionable defense move of the week.

SPEAKER_00

I like this one. It's about what to do after you patch. The advice is that for every tier zero patch you deploy, on your firewalls, your VPNs, your identity systems, patching is just step one. Okay, I'm listening. What's step two?

SPEAKER_01

Step two is validation and investigation. First, verify on the box that the new version is actually running. Second, use an external tool to confirm the exposure is actually gone. Third, and this is key, review the last 14 days of admin, authentication, and configuration logs for anomalies.

SPEAKER_00

The assumed breach mindset. Assume they got in before you close the door.

SPEAKER_01

Precisely. And the final piece is if compromise is plausible, you rotate your secrets. Don't take any chances. The patch is the beginning of the response, not the end.

SPEAKER_00

That is solid advice. So as we wrap up, what's the final word? What's the common theme you saw this week, Grant?

SPEAKER_01

For me, it's all about the control planes and the edge surfaces. The Cisco SD WAN flaw, the Solar Wind Serve U-Bugs, the EV chargers. These are all systems at the perimeter, or systems that control the perimeter. They have a huge blast radius when they're compromised.

SPEAKER_00

Right. They're the gateways to the kingdom.

SPEAKER_01

Exactly. And it drives home the point that exposure management has to be a continuous process. You can't just set it and forget it. You have to constantly be working to tighten identity controls, reduce your reachable admin surfaces, and build your detections with the fundamental assumption that exploitation attempts will happen.

SPEAKER_00

A perfect summary. And that is all the time we have for this week.

Closing And Newsletter CTA

SPEAKER_01

Thanks for tuning in. For more in-depth analysis and links to everything we discussed today, be sure to subscribe to our newsletter at infosec.watch.

SPEAKER_00

And don't forget to follow us for daily updates and conversations. You can find us on X, Facebook, and LinkedIn. We'd love to hear from you.

SPEAKER_01

Stay safe out there. We'll see you next week.