The week in breach news
March 11, 2026
This week’s cyber incidents highlight a mix of exploited vulnerabilities, infrastructure attacks and corporate data breaches. Cisco warned users about two critical flaws in the Catalyst SD-WAN Manager, while the ransomware group Qilin claimed responsibility for an attack on the U.S. electric cooperative TVEC. Meanwhile, the Wikimedia Foundation faced a self-propagating malware incident, Dutch paint giant AkzoNobel confirmed a major breach and LexisNexis reported a cybersecurity incident in its Legal & Professional division.
NORTH AMERICA
Cisco
Industry: Technology
Exploit: Zero-day vulnerability
Cisco has warned users about two vulnerabilities in Catalyst SD-WAN Manager (formerly known as SD-WAN vManage) that are currently under active exploitation in the wild.
The vulnerabilities disclosed are:
CVE-2026-20122 (CVSS score: 7.1) – An arbitrary file overwrite vulnerability that could allow an authenticated remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires valid read-only credentials with API access on the affected system.
CVE-2026-20128 (CVSS score: 5.5) – An information disclosure vulnerability that could allow an authenticated local attacker to gain Data Collection Agent (DCA) user privileges on the affected system. Successful exploitation requires valid vManage credentials.
The company did not provide details about the scale of the attacks or the threat actors involved. The disclosure comes a week after Cisco reported that a critical vulnerability in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, tracked as CVE-2026-20127 with a CVSS score of 10.0, was exploited by a sophisticated threat actor known as UAT-8616 to establish persistent access to high-value organizations.
How it could affect your business
Since these vulnerabilities are already being actively exploited, users should update to a fixed software release as soon as possible. Organizations should also restrict access from unsecured networks, place appliances behind a firewall, disable HTTP access for the Catalyst SD-WAN Manager administrator portal and turn off services such as HTTP and FTP when not required. Changing default administrator passwords and closely monitoring system logs for unexpected inbound or outbound traffic can also help detect suspicious activity early.
UNITED STATES
Tennessee Valley Electric Cooperative (TVEC)
Industry: Energy & Natural Resources
Exploit: Ransomware & Malware
Cybercriminals continue to target critical infrastructure, with the ransomware group Qilin claiming it breached Tennessee Valley Electric Cooperative (TVEC), a U.S. electric cooperative.
Based in Savannah, Tennessee, TVEC provides electric service to customers in Wayne and Hardin counties in West Tennessee. The cooperative has not publicly addressed the ransomware gang’s claims. However, based on the group’s previous attacks, the stolen data could include employee information, customer records or internal organizational documents.
Last year, the group targeted other U.S. electric cooperatives, including Karnes Electric Cooperative and San Bernard Electric Cooperative.
How it could affect your business
Critical infrastructure organizations are increasingly being targeted by cybercriminals and nation-state actors seeking to disrupt essential services or steal sensitive operational data. To strengthen defenses, organizations should segment critical networks, deploy continuous monitoring for suspicious activity and regularly test their backup and disaster recovery plans to maintain operational resilience.
NORTH AMERICA
Wikimedia Foundation
Industry: Nonprofit & Social Impact
Exploit: Ransomware & Malware
The Wikimedia Foundation, the non-profit organization that hosts Wikipedia, experienced a significant security incident on March 5 involving a self-propagating JavaScript worm.
The issue came to light after users noticed a surge of automated edits that inserted hidden scripts and vandalized random pages. The worm modified user scripts and defaced Meta-Wiki pages. According to Wikimedia’s Phabricator issue tracker, the attack appears to have begun when a malicious script hosted on Russian Wikipedia was executed, injecting malicious code into a global JavaScript script on Wikipedia.
The malicious script, first uploaded in March 2024, is reportedly linked to scripts used in previous attacks targeting wiki projects.
How it could affect your business
Self-propagating JavaScript worms are particularly dangerous because they exploit trust in open-source code and can spread automatically across developer environments. Organizations should tightly control third-party dependencies, enforce package integrity checks and monitor repositories for unusual changes to stop malicious code from spreading through the software supply chain.
UNITED STATES
AkzoNobel
Industry: Manufacturing
Exploit: Ransomware & Malware
The Dutch paint manufacturing giant AkzoNobel confirmed that hackers breached the network of one of its U.S. sites following a data leak from the Anubis ransomware gang.
AkzoNobel is a major paints and coatings company with well-known brands such as Dulux, Sikkens, International and Interpon under its corporate umbrella. The Anubis ransomware group claims to have stolen 170 GB of data from the company. Samples posted on its leak site reportedly include confidential agreements with high-profile clients, email addresses, phone numbers, private email correspondence, passport scans, material testing documents and internal technical specification sheets.
Meanwhile, the company stated that the impact appears limited and that it is taking appropriate steps to notify and support potentially affected parties.
How it could affect your business
Ransomware groups like Anubis operate under a ransomware-as-a-service (RaaS) model, lowering the bar for cybercrime and making it easier for even less-technical criminals to launch sophisticated attacks. To counter this growing ransomware threat, organizations should implement proactive threat monitoring, maintain encrypted, regularly tested backups and ensure systems can be restored quickly without relying on ransom payments.
UNITED STATES
LexisNexis Legal & Professional
Industry: Legal
Exploit: Hacking
Data analytics giant LexisNexis confirmed that its Legal & Professional division experienced a cybersecurity incident after the Fulcrumsec cybercrime group claimed responsibility for breaching the company.
On March 3, the cybercrime group claimed it stole 2 GB of data from LexisNexis Legal & Professional, including enterprise account data, employee credentials, software development secrets and personal information belonging to 400,000 individuals. The following day, March 4, the company confirmed the incident and said it had contained the breach, adding that neither its products nor services were compromised. According to the firm, only a limited number of servers were accessed, and the data stored on them mostly consisted of legacy and deprecated information from before 2020.
The attackers reportedly exfiltrated the files from a LexisNexis AWS instance by exploiting an unpatched React2Shell vulnerability.
How it could affect your business
This incident highlights the importance of proactive patch management, as unpatched vulnerabilities remain a common entry point for attackers. Organizations should automate routine patching, prioritize risk-based updates for critical systems and use intelligent automation tools to identify and remediate high-risk vulnerabilities before they can be exploited.
Added intelligence
Stay one step ahead of threats with the latest insights and defense strategies.
Phishing prevention checklist
Phishing, business email compromise (BEC) and account takeover (ATO) attacks are increasingly using AI to create messages that appear legitimate and are harder to detect. Download this checklist to learn practical steps you can take to strengthen user awareness and make your team a stronger first line of defense against evolving phishing threats.
Understanding phishing: How a ransomware attack unfolds
Understand the step-by-step progression of a ransomware attack. This guide breaks down how ransomware campaigns unfold and explains the critical role phishing plays in enabling initial access, helping you better recognize and disrupt attacks before they escalate.
Upcoming webinars & events
Join our upcoming events and webinars for expert insights, practical strategies and the latest cybersecurity trends.
Network Detective Pro Tech Jam: Finding risk before the attacker does
March 25, 2026 11:00 AM EDT
Maintaining real-time visibility into network risk can be challenging as IT environments become more complex and cyberthreats become more sophisticated. In this session, discover how Network Detective Pro streamlines and automates IT assessments to uncover misconfigurations, legacy systems and exposure points attackers commonly exploit.
Top 10 pentest findings attackers love to exploit
March 12, 2026 2:00 PM EDT
Explore the top 10 penetration test findings attackers rely on most, based on insights from the last 50,000 network penetration tests conducted by Vonahi. These are not rare zero-day exploits but recurring weaknesses actively present in real-world IT environments, many of which traditional scanning tools continue to miss.