Fail-Safe Friday - Executive Action Brief
January 22, 2026
In the last 72 hours, three developments should set your weekend posture: Cisco's Unified Communications zero-day (CVE-2026-20045) moved from mitigations to patches with active exploitation confirmed; CISA added multiple items to the KEV catalog across January 21–22, tightening remediation deadlines; and HPE OneView exploitation attempts surged as reports linked botnet activity to recent fixes.
Priorities: close Cisco UC exposure now with version-specific patches, treat all new KEV entries as operationally exploited, and lock down infrastructure managers (OneView) with RBAC, network isolation, and log forwarding.
Top-level takeaways this week:
Exploit & Zero-Day Velocity: Cisco UC zero-day confirmed exploited; CISA adds fresh KEV entries within 24 hours.
Infrastructure & Tooling Risk: Botnet activity observed against HPE OneView management planes.
Compliance Clock Pressure: New KEV listings compress timelines and raise audit exposure.
1) Cisco UC zero-day (CVE-2026-20045): High
What changed: Cisco released patches and confirmed in-the-wild attacks against Unified CM and Webex Calling Dedicated Instance; see the Cisco advisory and independent coverage.
Why this matters: UC platforms sit next to identity, voice, and call-routing; RCE/policy tamper here yields credential exposure, lateral movement, and outage risk.
2) CISA KEV cadence (Jan 21–22 updates): High
What changed: CISA added one KEV item on Jan 21 and four more on Jan 22 based on active exploitation.
Why this matters: KEV = operationalized. Unpatched assets now carry technical risk + compliance deadlines (federal and private-sector audits follow KEV clocks).
3) HPE OneView RCE targeting & botnet surge: Medium-High
What changed: Researchers observed large-scale exploitation attempts against HPE OneView CVE-2025-37164, including rapid botnet recruitment post-patch.
Why this matters: Infra managers are blast-radius multipliers; compromise can reconfigure racks, harvest secrets, and implant firmware-level persistence.
4) GitLab security updates (2FA bypass & DoS): Medium-High
What changed: GitLab shipped fixes for 2FA bypass and DoS issues in CE/EE; admins should align to the latest 18.8.x patch train and review self-managed exposure.
Why this matters: Source-control and DevOps platforms hold tokens, runners, and release pipelines. Auth gaps translate to supply-chain risk.
| Stage | Vector / System | What we're seeing |
|---|---|---|
| Initial access | UC/web management planes & outdated KEV assets | Cisco UC zero-day and KEV-listed flaws enable fast footholds on externally reachable services. |
| Privilege & persistence | Infra managers & CI/CD | OneView and GitLab admin planes provide high-impact lateral options and durable creds/tokens. |
| Impact | Service disruption & data exfil | Voice/call outages, policy tamper, and token theft are driving spread into SaaS and core app |
Patch & Hardening
Cisco UC (CVE-2026-20045): Apply the version-specific fixed trains from the Cisco advisory, remove public admin exposure, enforce MFA/RBAC, and forward admin logs to SIEM.
KEV items (Jan 21–22): Map affected assets and set time-boxed remediation with evidence (versions/hashes/screenshots). Track exceptions with interim compensating controls.
HPE OneView: Patch to latest hotfix, isolate management networks, restrict API, rotate stored creds/certs, and review enclosure profile diffs.
GitLab: Upgrade to the latest CE/EE patch; gate admin/API to VPN/JIT lists; rotate runner tokens and personal access tokens.
People & Monitoring
UC/Voice: Alert on new admin users, config exports, or service restarts outside change windows; watch for odd TFTP/HTTP pulls from UC nodes.
KEV coverage: Continuous checks that assets matching new KEV entries are patched or isolated; flag variances daily.
Infra managers: Detect mass profile changes, firmware pushes, or credential vault access from rare ASNs.
GitLab: Watch for unusual PAT creation, runner registrations, and SSO anomalies; review webhook explosions post-upgrade.
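The continuous KEV coverage check described above, as an added example that is not part of the newsletter: it joins a CMDB/scanner inventory against KEV-style entries and tells each owner whether an affected asset is pending, overdue, or covered by a documented isolation exception. The product names, fixed versions, due dates and hosts are constructed placeholders, not values from the vendor advisories or the CISA feed.

```python
# Constructed KEV-style entries. The CVE ids match the brief; the "fixed" version
# and "due" date are placeholders, not values from the advisories or the KEV feed.
# Dates are ISO strings (YYYY-MM-DD), which compare correctly as plain strings.
KEV_ENTRIES = [
    {"cve": "CVE-2026-20045", "product": "cisco-ucm", "fixed": "15.0.2", "due": "2026-02-05"},
    {"cve": "CVE-2025-37164", "product": "hpe-oneview", "fixed": "10.10.0", "due": "2026-01-28"},
]

# Constructed CMDB/scanner rows: product, running version, and whether the asset
# sits behind a documented compensating control (network isolation).
ASSETS = [
    {"host": "ucm-01", "product": "cisco-ucm", "version": "14.0.1", "isolated": False},
    {"host": "ucm-02", "product": "cisco-ucm", "version": "15.0.2", "isolated": False},
    {"host": "ov-01", "product": "hpe-oneview", "version": "10.9.3", "isolated": True},
    {"host": "ov-02", "product": "hpe-oneview", "version": "10.9.3", "isolated": False},
]


def parse_version(v):
    """Dotted numeric version -> tuple, so 10.10.0 sorts after 10.9.3 (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def kev_drift(assets, kev_entries, today_iso):
    """One finding per (asset, KEV entry) where the asset still runs an affected version.

    status: "pending"  - unpatched but inside the KEV clock
            "overdue"  - past the due date with no exception on record (page the owner)
            "isolated" - unpatched, but a compensating control is documented
    """
    findings = []
    for entry in kev_entries:
        for a in assets:
            if a["product"] != entry["product"]:
                continue
            if parse_version(a["version"]) >= parse_version(entry["fixed"]):
                continue  # patched to the fixed train: no drift
            if a["isolated"]:
                status = "isolated"
            elif today_iso > entry["due"]:
                status = "overdue"
            else:
                status = "pending"
            findings.append({"host": a["host"], "cve": entry["cve"],
                             "version": a["version"], "status": status})
    return findings


def overdue_hosts(assets, kev_entries, today_iso):
    """Hosts to page automatically: past the KEV deadline with no documented exception."""
    return sorted(f["host"] for f in kev_drift(assets, kev_entries, today_iso)
                  if f["status"] == "overdue")
```

Run it daily against the real inventory and feed; any host it returns is the variance the brief asks you to flag, with the version string as the evidence.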
Process & Validation
Change freeze on UC and infra-manager control planes unless CISO-approved.
Tabletop (30 min): "UC zero-day → token theft → OneView pivot → policy tamper."
Partners & Assurance
Network/voice MSPs: attest to Cisco UC patch levels and confirm centralized logging.
Platform teams: provide KEV remediation evidence for Jan 21β22 adds; report any exceptions.
Infra/DevOps: deliver OneView and GitLab version attestations and RBAC reviews.
UC exploit trail: Web-UI file writes, unexpected service restarts, or config exports followed by new admin sessions; correlate with rare ASN logins.
KEV drift: Assets with KEV-listed versions seen on the network after policy deadlines; page owners automatically.
OneView takeover: API calls for enclosure profile edits/firmware outside CAB windows; sudden east-west from management VLANs.
GitLab abuse: Spikes in PAT creation, runner tokens, or protected branch rule changes; anomalous SSO/OAuth grants.
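The UC exploit trail above (a config export, service restart or web-UI file write outside a change window, followed shortly by an admin session from a new user or a rare ASN), as an added detection example that is not part of the newsletter. The audit-log field layout, hosts, users, ASNs and the approved change window are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed UC admin-audit lines; the key=value layout is an assumption, not a
# real product format. The last two lines are the pattern the brief describes.
LOG_LINES = """\
2026-01-24T01:05:10Z host=ucm-01 event=admin_login user=svc_backup src_asn=AS64496
2026-01-24T01:07:42Z host=ucm-01 event=config_export user=svc_backup src_asn=AS64496
2026-01-24T03:12:00Z host=ucm-01 event=service_restart user=ccmadmin src_asn=AS64496
2026-01-24T03:20:30Z host=ucm-01 event=admin_login user=ccmadmin src_asn=AS64496
2026-01-24T14:02:11Z host=ucm-02 event=config_export user=ccmadmin src_asn=AS64496
2026-01-24T14:15:47Z host=ucm-02 event=admin_login user=helpdesk9 src_asn=AS64500
""".splitlines()

# Approved CAB window, known admin accounts and baseline source ASNs (all constructed).
CHANGE_WINDOWS = [(datetime(2026, 1, 24, 1, 0), datetime(2026, 1, 24, 4, 0))]
KNOWN_ADMINS = {"ccmadmin", "svc_backup"}
BASELINE_ASNS = {"AS64496"}
TRIGGERS = {"config_export", "service_restart", "web_file_write"}
CORRELATION = timedelta(minutes=30)  # how soon after a trigger a login must follow

LINE_RE = re.compile(r"(\S+) host=(\S+) event=(\S+) user=(\S+) src_asn=(\S+)")


def parse(line):
    ts, host, event, user, asn = LINE_RE.match(line).groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "event": event, "user": user, "asn": asn}


def in_change_window(ts):
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)


def uc_exploit_trail(lines):
    """Return (host, trigger_event, login_user, login_asn) for each suspicious sequence."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] not in TRIGGERS or in_change_window(ev["ts"]):
            continue  # routine change, or not a trigger at all
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > CORRELATION:
                break  # sorted by time, nothing further can correlate
            if later["host"] != ev["host"] or later["event"] != "admin_login":
                continue
            # A new admin identity or a never-seen ASN right after the trigger is the signal
            if later["user"] not in KNOWN_ADMINS or later["asn"] not in BASELINE_ASNS:
                alerts.append((ev["host"], ev["event"], later["user"], later["asn"]))
    return alerts
```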
Overall: High for Cisco UC exploitation and KEV-listed asset targeting; Medium-High for infrastructure manager compromise (OneView) and CI/CD abuse where exposure or legacy tokens persist.
KEV means "already weaponized." Close with proof, not intent.
Voice/UC is an identity-adjacent crown jewel. Patch Cisco UC now and remove public paths.
Infra managers multiply blast radius. Isolate, patch, and attest OneView and DevOps planes.
Verify: Cisco UC versions patched to the fixed trains; admin exposure gated; logs centralized.
Validate: Jan 21–22 KEV items mapped and remediated or isolated with documented compensations.
Confirm: OneView and GitLab patch status, RBAC reviews, and credential/token rotations complete.
Double-check: Monday tabletop "UC zero-day → infra pivot → exfil."
Final Insight: A quiet weekend hinges on three receipts: Cisco UC patched, KEV entries closed, and infra managers fenced off.
Everything else can wait; attackers won't.