Cisco SD-WAN CVSS 10.0, Three Claude Vulnerabilities, NuGet/npm Supply Chain Attacks
Contents
Major security news piled up in the second half of February. This article covers Cisco SD-WAN’s CVSS 10.0, NuGet/npm supply chain attacks, and three security issues around Claude AI that came out in quick succession.
Cisco SD-WAN CVE-2026-20127 (CVSS 10.0) and UAT-8616
Cisco disclosed CVE-2026-20127, a CVSS 10.0 vulnerability. It affects the Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), allowing unauthenticated remote attackers to gain administrative privileges.
Technical Details
The root cause is a flaw in SD-WAN’s peering authentication mechanism. The SD-WAN Controller and Manager are designed to verify each other with peer authentication against other network devices, but this mechanism doesn’t function properly. Attackers exploit this to bypass authentication and establish access as an internal high-privilege non-root user account.
The observed pattern then chains CVE-2022-20775 (CVSS 7.8, privilege escalation) to escalate to root.
Affected and Fixed Versions
| Branch | Fixed Version |
|---|---|
| 20.9.x | 20.9.8.2 (scheduled for Feb 27 release) |
| 20.12.x | 20.12.6.1 |
| 20.15.x | 20.15.4.2 |
| 20.18.x | 20.18.2.1 |
| Pre-20.9 | Migration to a fixed version required |
UAT-8616 Attack Patterns
Cisco Talos has been tracking UAT-8616’s activity from 2023 to the present, assessing it as targeting critical infrastructure sectors. The attack chain consists of the following stages:
- Initial Access: Joining a rogue peer to the network management plane or control plane
- Privilege Escalation: Gaining root via CVE-2022-20775
- Persistence: Creating local user accounts, adding SSH authorized keys, modifying startup scripts
- Control: Seizing the SD-WAN management plane via NETCONF (port 830) and SSH
- Evidence Destruction: Deleting logs in
/var/log, clearing command history, removing network connection history
The fact that they go as far as log deletion indicates a sophisticated targeted attack designed for long-term persistence. It continued for at least three years, from 2023 to 2026.
CISA Response
CISA added both CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalog and issued Emergency Directive 26-03 for federal agencies.
Deadlines imposed on FCEB (Federal Civilian Executive Branch) agencies:
| Action | Deadline (US Eastern Time) |
|---|---|
| SD-WAN inventory submission | Feb 26, 23:59 |
| Detailed inventory and completed actions report | Mar 5 |
| Full environment hardening report | Mar 26 |
Australia’s ASD-ACSC (Australian Signals Directorate) also reported the vulnerability, indicating response efforts beyond the US.
Supply Chain Attacks: NuGet + npm
Two supply chain attacks reported by Socket. Different attack techniques were used on NuGet and npm respectively, and both racked up thousands to tens of thousands of downloads before removal.
NuGet: ASP.NET Identity Theft (4,500+ DL)
Four packages published by an account called hamzazaheer in August 2024 were the attack’s primary components.
NCryptYoDOMOAuth2_IRAOAuth2.0SimpleWriter_
The four packages form a multi-stage structure with distinct roles.
NCryptYo functions as the initial dropper. On installation, it establishes a local proxy on localhost:7152 and relays traffic to an attacker-controlled C2 server. It uses JIT compiler hooks to decrypt encrypted payloads.
DOMOAuth2_ and IRAOAuth2.0 handle the main credential theft. They exfiltrate ASP.NET Identity user account information, role assignments, and permission mappings, then create persistent backdoors using authorization rules received from the C2 server.
SimpleWriter_ functions as a utility for file writing and hidden process execution.
Since ASP.NET Identity sits at the core of authentication and authorization, exfiltrating this data provides an entry point into the entire account system of production applications.
npm: Mythic C2 Distribution (50,000+ DL)
ambar-src, uploaded on February 13, 2026, recorded over 50,000 downloads before removal.
It abuses npm’s preinstall script hook to execute malicious code during package installation. It detects the execution environment’s OS and fetches payloads from the x-ya[.]ru domain.
| OS | Payload |
|---|---|
| Windows | msinit.exe (encrypted shellcode) |
| Linux | ELF binary (SSH reverse shell client) |
| macOS | Apfell JXA agent (Mythic C2) |
The Apfell agent used for macOS is part of the Mythic C2 framework and is capable of reconnaissance, screenshot capture, Google Chrome data interception, and system password extraction.
Tenable stated that “any system that installed ambar-src should be considered fully compromised.” Even after removing the package, additional malware deployed afterward may persist. The 50,000 download count is exceptionally high, indicating significant risk of infiltration into CI systems and development environments. The preinstall hook auto-executes during installation, making it hard to notice when buried deep in the dependency tree.
Three Claude AI Security Issues
Three security issues around Claude were reported in quick succession in the second half of February.
Claude Code: RCE and API Key Theft via Hooks/MCP
Two vulnerabilities discovered by Check Point Research, with technical details published on February 25, 2026.
- CVE-2025-59536 (CVSS 8.7): Planting malicious Hook commands in
.claude/settings.jsoncauses automatic execution when Claude Code starts. For MCP servers, settingenableAllProjectMcpServers=truebypasses user approval, enabling RCE at the point of project cloning - CVE-2026-21852: Overwriting
ANTHROPIC_BASE_URLin project settings causes the API key to be sent to the attacker’s server
Affected versions are pre-v1.0.111 (RCE) and pre-v2.0.65 (API key theft). Both have been patched.
Timeline: reported in July 2025, fixed in August and December 2025 respectively, technical details published on February 25, 2026.
Claude Desktop Extensions: Zero-Click RCE (CVSS 10.0)
A vulnerability discovered by LayerX. DXT (Desktop Extensions) run with full system privileges without sandboxing.
As an attack example, malicious instructions are embedded in Google Calendar events and processed by Claude through an ambiguous prompt. Claude chains a low-risk data fetch via a connector with high-risk local execution, resulting in zero-click RCE.
Over 50 DXTs and more than 10,000 users are affected. Anthropic refused to fix this issue, stating it was “outside the threat model,” and it remains unpatched.
Mexico Government Data Breach (150GB)
Reported by Bloomberg on February 25, 2026. The attacker jailbroke Claude with Spanish-language prompts, disguising the activity as penetration testing.
Over approximately one month from December 2025 to January 2026, a total of 150GB of data was exfiltrated from the Federal Tax Administration (195 million taxpayer records), the electoral management agency, and several state governments.
Anthropic responded by suspending the account and adding abuse detection probes to Opus 4.6.
References
- Check Point Research - RCE and API Token Exfiltration through Claude Code Project Files
- The Hacker News - Claude Code Flaws Allow Remote Code Execution
- LayerX - Claude Desktop Extensions RCE
- Bloomberg - Hacker Used Anthropic’s Claude to Steal Sensitive Mexican Data
- SecurityWeek - Claude Code Flaws Exposed Developer Devices to Silent Hacking