CCTR.10.MAR.26
Monday morning cyber coffee read CCTR.10.MAR.26.

Cisco has patched two critical vulnerabilities in Secure Firewall Management Center (FMC): CVE-2026-20079 (Authentication Bypass) and CVE-2026-20131 (Remote Code Execution), both rated CVSS 10.0. FMC centralises the configuration and management of multiple Cisco firewalls. If compromised, attackers could gain control of the managed firewalls, disable security protections, modify policies, or pivot deeper into the network. Currently there is no evidence of active exploitation in the wild.
Restrict access to the FMC management interface to trusted networks only. I mean, don’t put your management interfaces on the internet.
Patch immediately to the latest Cisco FMC software versions.
Audit firewall policy changes and administrative actions.
Google Threat Intelligence Group (GTIG) has identified a powerful iOS exploit kit called “Coruna” targeting iPhone devices running iOS 13.0 through iOS 17.2.1.
This discovery marks one of the first publicly observed cases of mass exploitation capability targeting iOS devices, traditionally considered a harder ecosystem to exploit at scale.

GTIG also observed the toolkit proliferating across multiple threat actors during 2025. It was initially used in highly targeted surveillance operations, later deployed in watering hole attacks against Ukrainian users by UNC6353 (Russian espionage), and eventually appeared in broader campaigns by UNC6691, a financially motivated threat actor linked to China.
The progression suggests the existence of a secondary market for advanced exploitation tools, where high-end capabilities originally developed for surveillance operations are later reused by other threat actors.
Ensure your iDevices are updated to the latest iOS version.
Educate users about targeted mobile phishing and malicious websites.
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
A critical vulnerability, CVE-2026-29000 (CVSS 10.0), has been discovered in pac4j-jwt, a widely used Java authentication library. The flaw allows a complete authentication bypass. In practice, this means attackers could impersonate users and gain full access to applications relying on pac4j-jwt for authentication.
Any system relying on vulnerable versions should assume that authentication tokens could be forged.
Identify applications using pac4j-jwt for authentication; it's time to patch.
https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key
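The first step of the advice above is an inventory: which of your applications declare pac4j-jwt at all? The following is an added example (not code from the newsletter or from the pac4j project) that walks a source tree and reports direct pac4j-jwt declarations in Maven pom.xml and Gradle build files, including whether the version is a resolvable literal or a property placeholder. The manifests it scans are constructed samples and the versions in them are illustrative only; the script does not judge whether a version is vulnerable, that comes from the advisory.

```python
import re
from pathlib import Path

# Maven <dependency> blocks; element order inside a block is not fixed,
# so each child element is extracted separately.
DEP_BLOCK = re.compile(r"<dependency>(.*?)</dependency>", re.DOTALL)
# Gradle string notation:  implementation "org.pac4j:pac4j-jwt:5.7.0"
GRADLE_STRING = re.compile(r"""['"]org\.pac4j:pac4j-jwt(?::([^'"\s]+))?['"]""")
# Gradle map notation:  implementation group: 'org.pac4j', name: 'pac4j-jwt', version: '5.7.0'
GRADLE_MAP = re.compile(
    r"""group\s*[:=]\s*['"]org\.pac4j['"]\s*,\s*name\s*[:=]\s*['"]pac4j-jwt['"]"""
    r"""(?:\s*,\s*version\s*[:=]\s*['"]([^'"]+)['"])?"""
)
MANIFESTS = ("pom.xml", "build.gradle", "build.gradle.kts")


def _child(block: str, name: str):
    m = re.search(rf"<{name}>\s*([^<]+?)\s*</{name}>", block)
    return m.group(1) if m else None


def _record(filename: str, version):
    # A version containing "$" is a property placeholder that still needs resolving;
    # a missing version means it is managed elsewhere (BOM / dependencyManagement).
    return {
        "file": filename,
        "version": version,
        "resolved": version is not None and "$" not in version,
    }


def find_pac4j_jwt(text: str, filename: str) -> list:
    """Return one record per direct pac4j-jwt declaration found in one manifest."""
    hits = []
    if filename.endswith("pom.xml"):
        for block in DEP_BLOCK.findall(text):
            if _child(block, "groupId") == "org.pac4j" and _child(block, "artifactId") == "pac4j-jwt":
                hits.append(_record(filename, _child(block, "version")))
    else:
        for m in GRADLE_STRING.finditer(text):
            hits.append(_record(filename, m.group(1)))
        for m in GRADLE_MAP.finditer(text):
            hits.append(_record(filename, m.group(1)))
    return hits


def scan_tree(root: str) -> list:
    """Walk a source tree and collect pac4j-jwt declarations from every manifest."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.name in MANIFESTS:
            hits.extend(find_pac4j_jwt(path.read_text(errors="replace"), str(path)))
    return hits


# Constructed sample manifests (not real projects); versions are illustrative only.
SAMPLE_POM = """<project>
  <dependencies>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-jwt</artifactId>
      <version>5.7.0</version>
    </dependency>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-core</artifactId>
      <version>5.7.0</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_GRADLE = """dependencies {
    implementation "org.pac4j:pac4j-jwt:${pac4jVersion}"
    implementation group: 'org.pac4j', name: 'pac4j-core', version: '5.7.0'
}
"""

if __name__ == "__main__":
    for hit in find_pac4j_jwt(SAMPLE_POM, "pom.xml") + find_pac4j_jwt(SAMPLE_GRADLE, "build.gradle"):
        print(hit)
    # Real use: python3 scan.py over a checkout, e.g. scan_tree("/srv/repos")
```

This only finds direct declarations. pac4j-jwt can also arrive transitively through another library, so follow up with `mvn dependency:tree` or `gradle dependencies` on each hit, and treat an unresolved version as "unknown until resolved", not as safe.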
A vulnerability in Nginx-UI allows unauthenticated attackers to download full system backups.

The issue lies in the /api/backup endpoint, which is accessible without authentication. Worse, the response exposes the backup encryption key in the X-Backup-Security header, allowing attackers to decrypt the downloaded backup. This could lead to full compromise of the web infrastructure.
Check if Nginx-UI is deployed in your environment.
Block external access to the /api/backup endpoint and rotate exposed secrets.
https://github.com/advisories/GHSA-g9w5-qffc-6762
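Beyond blocking the endpoint, you will want to know whether anyone already pulled a backup. Below is an added example (not code from the newsletter or from the Nginx-UI project) that runs over nginx-style combined access log lines and flags every request for /api/backup, rating a successful download by a client outside your trusted ranges as critical. The log lines and the 10.0.0.0/8 trusted range are constructed for the example.

```python
import ipaddress
import re

# nginx "combined" log format; only the fields the check needs are captured.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
BACKUP_PATH = "/api/backup"

# Constructed sample log lines (not from a real system); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet clients.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2026:07:14:02 +0000] "GET /api/backup HTTP/1.1" 200 5242880 "-" "curl/8.5.0"
10.0.0.5 - admin [09/Mar/2026:08:01:10 +0000] "GET /api/backup?format=zip HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Mar/2026:08:03:44 +0000] "GET /api/health HTTP/1.1" 200 12 "-" "curl/8.5.0"
203.0.113.9 - - [09/Mar/2026:08:05:01 +0000] "GET /api/backup HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""


def _is_trusted(ip: str, trusted: list) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def find_backup_requests(lines, trusted_cidrs) -> list:
    """Flag every request for /api/backup. A 2xx answer to an untrusted client
    means a full backup (and, per the advisory, its encryption key in the
    X-Backup-Security response header) has left the host."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != BACKUP_PATH and not path.startswith(BACKUP_PATH + "/"):
            continue
        status = int(m.group("status"))
        external = not _is_trusted(m.group("ip"), trusted)
        if external and 200 <= status < 300:
            severity = "critical"   # untrusted client got the backup
        elif external:
            severity = "high"       # untrusted client tried; check why it was refused
        else:
            severity = "review"     # internal download; confirm it was an admin
        alerts.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": status,
            "external": external,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_backup_requests(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]):
        print(alert)
```

The access log does not record response headers, so the script cannot see whether the X-Backup-Security header actually went out; if you want that evidence, nginx's `$sent_http_x_backup_security` variable (the standard `$sent_http_<name>` form) can be added to a custom `log_format` on the proxy in front of Nginx-UI. Any "critical" hit should be treated as a leaked backup: rotate the secrets it contained, not just the backup key.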