So so so much Cisco

Happy Friday! The team continues digging deep into the deluge of recently published Cisco vulnerabilities while keeping up with other high-value vulnerabilities. Here are our deliveries this week.

CVE-2026-20122: Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability

On March 5, Cisco reported that CVE-2026-20122 was being actively exploited in the wild. VulnCheck's exploits index does not currently list a public exploit for this vulnerability. However, the Initial Access team has developed an exploit and provided customers with PCAPs, network signatures, and ASM queries. Censys reports that fewer than 1,000 SD-WAN instances are exposed online.

CVE-2026-20128: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability

The team also provided coverage for CVE-2026-20128, which Cisco flagged as exploited in the wild and which was recently observed by Shadowserver. The team developed an exploit, network rules, and ASM queries.

CVE-2026-20133: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability

Continuing the Cisco theme, VulnCheck's exploits index does not currently list a public exploit for CVE-2026-20133. However, the team delivered an exploit, PCAP, network rules, and ASM queries.

CVE-2026-20131: Cisco FMC Unauthenticated Deserialization RCE

At customer request, the team continued its original vulnerability research on CVE-2026-20131 affecting Cisco Secure Firewall Management Center. Censys reports approximately 300 instances exposed online. The team delivered the first known exploit for this vulnerability, resulting in a reverse shell. The team additionally delivered a PCAP and updated go-exploit to include a GWT-based Java gadget.

CVE-2026-27944: Nginx UI Unauthenticated Server Backup File Disclosure

The team developed an exploit for a backup file disclosure vulnerability affecting Nginx UI. The issue can expose Nginx configuration files and associated secrets without authentication. Our Censys query identifies more than 3,000 exposed systems. Additionally, VulnCheck is tracking two public exploits. Given the ease of exploitation plus the number of exposed targets, we would not be surprised to see this vulnerability added to VulnCheck KEV in the near future.

Along with the exploit, the team delivered a vulnerable Docker target, ASM queries, and network signatures.

CVE-2026-29000: Authentication Bypass Vulnerability in JwtAuthenticator

Infosec media recently covered this vulnerability discovered by CodeAnt AI, with the CVE assigned by the VulnCheck CNA. The team developed an exploit that allows remote attackers to forge authentication tokens. The team also provided a vulnerable Docker container and PCAPs.

CVE-2026-22207: OpenViking Broken Access Control

OpenViking is an open-source context database designed for AI agents with more than 8,000 stars on GitHub. A broken access control vulnerability affecting OpenViking was assigned CVE-2026-22207 by the VulnCheck CNA. The team developed an exploit and delivered a PCAP and vulnerable Docker container.

CVE-2026-20127: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

The team continued vulnerability research on CVE-2026-20127, a vulnerability exploited in the wild as a zero-day by UAT-8616. The team expects to deliver an exploit next week but was able to provide a PCAP and a YARA rule for CVE-2026-20127 in this release cycle.