Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2022-20775: Cisco SD-WAN Path Traversal Vulnerability

Vendor/Product: Cisco SD-WAN

Description: Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.

Required Action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices, as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CISA Due Date: 2026-02-27

Reference: CVE-2022-20775 - NVD


CVE-2026-20127: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability

Vendor/Product: Cisco Catalyst SD-WAN Controller and Manager

Description: Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Required Action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices, as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CISA Due Date: 2026-02-27

Reference: CVE-2026-20127 - NVD


CVE-2026-25108: Soliton Systems K.K FileZen OS Command Injection Vulnerability

Vendor/Product: Soliton Systems K.K FileZen

Description: Soliton Systems K.K FileZen contains an OS command injection vulnerability that a logged-in user can trigger by sending a specially crafted HTTP request to the affected product.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-03-17

Reference: CVE-2026-25108 - NVD


📰 This Week’s Security News

ClawJacked attack let malicious websites hijack OpenClaw to steal data

Security researchers have disclosed a high-severity vulnerability dubbed “ClawJacked” in the popular AI agent OpenClaw that allowed a malicious website to silently bruteforce access to a locally runni…

Read more: ClawJacked attack let malicious websites hijack OpenClaw to steal data


QuickLens Chrome extension steals crypto, shows ClickFix attack

A Chrome extension named “QuickLens - Search Screen with Google Lens” has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of …

Read more: QuickLens Chrome extension steals crypto, shows ClickFix attack


APT37 hackers use new malware to breach air-gapped networks

North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance. […]…

Read more: APT37 hackers use new malware to breach air-gapped networks


✅ What You Should Do This Week

  • Immediate: Patch CVE-2022-20775, CVE-2026-20127 and CVE-2026-25108 (all in CISA’s KEV catalog, actively exploited)
  • Verify: Check your systems against CISA KEV catalog
  • Monitor: Review Microsoft Entra ID (formerly Azure AD) sign-in logs for suspicious activity
  • Audit: Verify MFA is enforced for all privileged accounts
  • Backup: Test your disaster recovery procedures

💡 Expert Analysis

Alright, let’s talk about what actually matters this week.

Cisco SD-WAN: Stop Waiting, Start Patching

I’m going to be honest with you - the Cisco SD-WAN vulnerabilities are bad. Really bad.

CVE-2026-20127 lets attackers bypass authentication completely. No credentials needed. No fancy exploit chain. Just send some crafted requests and boom - they’re logged in to your SD-WAN controller as a high-privileged account, with NETCONF access to push configuration across the whole fabric.

And here’s the kicker: these vulnerabilities have been exploited in the wild since 2023. That’s not a typo. Attackers have had over two years to use this.

If you’re running Cisco SD-WAN, here’s what you need to do:

Stop reading this and go check if you’ve patched. Seriously. CISA gave you a deadline of February 27th. If you missed it, patch this week. Not next maintenance window, not when things calm down. This week.

I know, I know - “but we need to test it first” and “we can’t just take down the network.” I get it. I’ve been there. But you know what’s worse than a maintenance window? Explaining to your CISO how attackers gained access to your entire SD-WAN fabric because you were waiting for the perfect time to patch.

Quick gut check:

  • Are your SD-WAN controllers isolated from everything else?
  • When was the last time you looked at your SD-WAN logs?
  • Do you even have visibility into who’s accessing your SD-WAN management plane?

If you hesitated on any of those, you’ve got bigger problems than just patching.
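If the second and third questions made you hesitate, the following script shows the kind of review the digest is asking for. It is an added example, not code from CISA, Cisco or this digest, and it does not replace CISA’s Hunt & Hardening guidance. The log format, hostnames, account names, subnets and thresholds are all constructed for illustration; real Catalyst SD-WAN Manager and Controller logs look different and would need to be mapped into the same fields (source address, account, service, action, result) before these checks run.

```python
"""Review constructed SD-WAN management-plane access records.

Added example (not from CISA, Cisco or the digest). Every address, account
name and log line below is made up. The checks encode three questions:
who is logging in to the management plane, from where, and who is opening
NETCONF sessions to the controllers (the path CVE-2026-20127 abuses).
"""
import ipaddress
import re
from collections import Counter

# --- Hypothetical environment facts; adjust to your own fabric ---
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]           # jump hosts / NOC only
FABRIC_PEERS = {"10.20.0.11", "10.20.0.12", "10.20.0.13"}    # Manager and Controllers
APPROVED_OPERATORS = {"alice", "bob"}                        # humans allowed to log in
FAILED_LOGIN_THRESHOLD = 5                                   # failures per source

# Constructed sample records in a simple "TIMESTAMP key=value ..." shape.
SAMPLE_LOG = """\
2026-02-24T03:12:44Z host=vmanage-01 service=https user=alice src=10.10.0.5 action=login result=success
2026-02-24T03:13:02Z host=vsmart-01 service=netconf user=vmanage-admin src=10.20.0.11 action=session result=success
2026-02-24T03:40:10Z host=vsmart-01 service=https user=vmanage-admin src=198.51.100.23 action=login result=success
2026-02-24T03:40:12Z host=vsmart-01 service=netconf user=vmanage-admin src=198.51.100.23 action=session result=success
2026-02-24T04:01:00Z host=vmanage-01 service=ssh user=carol src=10.10.0.9 action=login result=success
2026-02-24T04:05:01Z host=vmanage-01 service=https user=admin src=203.0.113.7 action=login result=failure
2026-02-24T04:05:02Z host=vmanage-01 service=https user=admin src=203.0.113.7 action=login result=failure
2026-02-24T04:05:03Z host=vmanage-01 service=https user=admin src=203.0.113.7 action=login result=failure
2026-02-24T04:05:04Z host=vmanage-01 service=https user=admin src=203.0.113.7 action=login result=failure
2026-02-24T04:05:05Z host=vmanage-01 service=https user=admin src=203.0.113.7 action=login result=failure
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split 'TIMESTAMP key=value ...' into a dict; the timestamp is the first token."""
    ts, _, rest = line.partition(" ")
    rec = dict(_KV.findall(rest))
    rec["ts"] = ts
    return rec


def in_mgmt_net(src):
    """True when src falls inside one of the management subnets."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)


def audit(lines):
    """Return (timestamp, finding, account, source) tuples for suspicious records."""
    findings = []
    failures = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        src, user, service = rec.get("src", ""), rec.get("user", ""), rec.get("service", "")
        ok_login = rec.get("action") == "login" and rec.get("result") == "success"
        # 1. Interactive logins must come from the management network.
        if ok_login and not in_mgmt_net(src):
            findings.append((rec["ts"], "login-outside-mgmt-net", user, src))
        # 2. Only named operators should log in; service accounts logging in
        #    interactively is exactly what an auth-bypass lands you with.
        if ok_login and user not in APPROVED_OPERATORS:
            findings.append((rec["ts"], "login-unapproved-account", user, src))
        # 3. NETCONF sessions should only originate from fabric peers.
        if service == "netconf" and src not in FABRIC_PEERS:
            findings.append((rec["ts"], "netconf-from-non-peer", user, src))
        if rec.get("action") == "login" and rec.get("result") == "failure":
            failures[src] += 1
    # 4. Repeated failures from one source: brute force or credential stuffing.
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("-", "possible-brute-force", f"{n} failures", src))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(" ".join(finding))
```

Against the constructed sample the script raises five findings: a service account logging in from a public address, the same account being unapproved for interactive use, a NETCONF session from that non-peer address, an unapproved (but internal) operator, and a short burst of failed logins. The first three together are the shape of the attack the KEV entry describes; if you cannot produce these fields from your own fabric’s logs today, that is the visibility gap the gut check is pointing at.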

Chrome Extensions Are a Bigger Problem Than You Think

The QuickLens extension getting compromised should make you pause and think about your browser security.

Here’s the thing everyone misses: users install Chrome extensions without thinking twice. “Oh, this makes Google Lens easier to use, cool.” One click, installed. Nobody reads the permissions. Nobody thinks about the risk.

And the scary part? Extensions update automatically. A legitimate extension today can become malware tomorrow, and most IT departments won’t even notice until it’s too late.

Here’s my advice:

Lock down your Chrome extensions. Only allow pre-approved ones. I know users will complain. They always do. But it’s a lot easier to deal with complaints than to deal with a breach that started because someone installed a compromised extension.

If you’re in financial services and you’re letting users install whatever Chrome extensions they want, you’re making the attackers’ job way too easy. Your internal apps run in browsers. Your customer data is accessed through browsers. A malicious extension can see all of it.

Simple rule: If it’s not on the approved list, it doesn’t get installed. Period.
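One way to turn that rule into enforceable configuration, as an added example that is not part of the digest and not Google’s own tooling: Chrome’s ExtensionSettings enterprise policy can block every extension by default and allow only listed IDs. The script below builds that policy, resolves what a given extension ID is allowed to do under it, and audits a constructed endpoint inventory. It also covers the caveat raised above, that an approved extension can go bad through an update: an ID allowlist alone will not catch that, so the policy additionally denies a few high-risk permissions, which Chrome applies to updates of already-installed extensions as well. The extension IDs, inventory and denied-permission list are assumptions for illustration.

```python
"""Default-deny Chrome ExtensionSettings policy plus an inventory audit.

Added example, not from the digest or from Google. The extension IDs and the
inventory are made up (32 lowercase letters a-p, the shape real IDs have);
replace them with the IDs of the extensions you actually approve.
"""
import json
import re
from pathlib import Path

_EXT_ID = re.compile(r"[a-p]{32}")

# Hypothetical approved extensions: ID -> human-readable label.
APPROVED = {
    "abcdefghijklmnopabcdefghijklmnop": "Password manager (corporate)",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "Ticketing sidebar",
}

# Permissions no extension may request. Chrome refuses to install an extension
# that asks for one, and disables an installed extension whose update starts
# asking for one, which is the "legit today, malware tomorrow" case.
DENIED_PERMISSIONS = ["debugger", "nativeMessaging", "proxy"]


def is_extension_id(value):
    """Chrome Web Store IDs are exactly 32 characters from a-p."""
    return bool(_EXT_ID.fullmatch(value))


def build_policy(approved, denied_permissions):
    """Return the ExtensionSettings policy: '*' blocked, listed IDs allowed."""
    for ext_id in approved:
        if not is_extension_id(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id}")
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Only approved extensions may be installed. Raise a request with IT.",
            "blocked_permissions": list(denied_permissions),
        }
    }
    for ext_id in approved:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


def effective_mode(policy, ext_id):
    """Mirror Chrome's precedence: a per-ID entry overrides the '*' default."""
    settings = policy["ExtensionSettings"]
    return settings.get(ext_id, settings["*"])["installation_mode"]


def audit_inventory(policy, inventory):
    """Return (id, name, reasons) for inventory entries the policy would reject."""
    denied = set(policy["ExtensionSettings"]["*"].get("blocked_permissions", []))
    violations = []
    for ext in inventory:
        reasons = []
        if effective_mode(policy, ext["id"]) == "blocked":
            reasons.append("not on the allowlist")
        asks = denied.intersection(ext.get("permissions", []))
        if asks:
            reasons.append("requests denied permission(s): " + ", ".join(sorted(asks)))
        if reasons:
            violations.append((ext["id"], ext["name"], reasons))
    return violations


def write_linux_policy(policy, path):
    """Chrome on Linux reads every *.json under /etc/opt/chrome/policies/managed/."""
    path = Path(path)
    path.write_text(json.dumps(policy, indent=2) + "\n")
    return path


# Constructed inventory, as an endpoint agent might report installed extensions.
SAMPLE_INVENTORY = [
    {"id": "abcdefghijklmnopabcdefghijklmnop", "name": "Password manager", "permissions": ["storage", "tabs"]},
    {"id": "aabbccddeeffgghhaabbccddeeffgghh", "name": "Screen search helper", "permissions": ["tabs", "scripting"]},
    # Approved ID, but a newer version now asks for nativeMessaging.
    {"id": "ponmlkjihgfedcbaponmlkjihgfedcba", "name": "Ticketing sidebar", "permissions": ["storage", "nativeMessaging"]},
]

if __name__ == "__main__":
    policy = build_policy(APPROVED, DENIED_PERMISSIONS)
    print(json.dumps(policy, indent=2))
    for ext_id, name, reasons in audit_inventory(policy, SAMPLE_INVENTORY):
        print(f"{name} ({ext_id}): " + "; ".join(reasons))
```

The printed JSON is what goes into the managed-policy location for your platform (a `.json` file under `/etc/opt/chrome/policies/managed/` on Linux, the `ExtensionSettings` value under `HKLM\Software\Policies\Google\Chrome` on Windows, or your MDM’s Chrome policy payload on macOS). In the constructed inventory the unapproved extension is flagged by the allowlist, while the approved ticketing sidebar is flagged only by the permission denylist; that second case is the one an ID-only allowlist would miss.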

Air-Gapped Networks: Let’s Be Real

The APT37 malware story reminds me of something I learned early in my career: air-gapped networks are never really air-gapped.

There’s always a USB drive. Always a laptop that moves between environments. Always a contractor who needs to bring in some files. The moment physical media crosses that gap, you don’t have isolation anymore.

I’ve seen organizations spend millions on “air-gapped” backup systems, only to have someone walk a USB drive between the production and backup environments every week. That’s not an air gap. That’s just a really inefficient network.

If you think you have an air-gapped network, ask yourself:

  • How does data get in and out? (Be honest)
  • Are you monitoring those crossing points?
  • What happens when someone plugs in a USB drive?

Don’t just trust that the gap protects you. Verify it. Test it. Try to break it yourself before the bad guys do.

The Theme This Week: Trust Less

You know what connects all these stories? We keep trusting things we shouldn’t.

We trust that Cisco’s authentication works. It doesn’t always.
We trust that Chrome extensions are safe. They’re not.
We trust that physical separation protects us. It doesn’t.

In security, especially in financial services, trusting things is how you get burned.

My take: Patch the Cisco stuff immediately. Lock down your browser extensions. And if you think your air-gapped network is protecting you, go test that assumption before someone else does.

The attackers aren’t taking their time. Why should you?


Want to talk about your Azure security or compliance challenges? I do free 30-minute calls with financial services folks. Reach out and let’s chat.

📬 Stay Updated

Subscribe to receive weekly security digests directly in your inbox.

Questions or feedback? Contact us


GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.