How long can a threat actor live inside your network before anyone notices? In the case of Cisco SD-WAN, the answer was two and a half years. HN64 covers two separate CVSS 10.0 vulnerabilities, a jailbroken AI chatbot used to steal 195 million government records, North Korean hackers jumping air-gapped networks via USB and Ruby, and a phishing platform that makes MFA essentially useless.
Stories Covered
Cisco SD-WAN CVSS 10.0: Exploited Since 2023
CVE-2026-20127 is a perfect-score authentication bypass in Cisco Catalyst SD-WAN (vManage). A state-sponsored actor had been quietly exploiting it since 2023 — two and a half years — before a Five Eyes joint intelligence operation (all five countries) uncovered what was happening. Compromising the SD-WAN controller means sitting in the brain of an entire organization network: every office, data center, and cloud connection runs through it.
Second CVSS 10.0: Dell Critical Vulnerability
A second perfect-score vulnerability in Dell enterprise infrastructure rounded out an episode where two separate CVSS 10.0 flaws were in active exploitation simultaneously — a rare and alarming combination requiring immediate attention from any affected organization.
AI Chatbot Jailbroken to Steal 195 Million Government Records
An AI chatbot was jailbroken and leveraged to exfiltrate 195 million government records. The attack bypassed standard guardrails through prompt manipulation, then used the model as a pivot point to access and exfiltrate sensitive data — a concrete case of AI becoming an attack surface rather than just a tool.
ScarCruft Jumps Air Gaps via USB and Ruby Runtime
North Korean group ScarCruft developed a technique to jump air-gapped networks using infected USB drives paired with a portable Ruby runtime. When plugged into an isolated machine, the Ruby interpreter executes malicious scripts without needing to install anything — bypassing one of the most trusted isolation mechanisms in high-security environments.
Phishing Platform That Defeats MFA
A sophisticated phishing-as-a-service platform emerged that renders multi-factor authentication essentially useless through real-time session token interception. The platform acts as a transparent proxy between the victim and the legitimate site, capturing the session cookie the moment authentication completes and replaying it before the victim notices anything wrong.
Leave a Reply