⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

This week’s developments reveal a broader shift in the cyber threat landscape. Rather than a single headline-grabbing breach, security researchers tracked a steady stream of attacks targeting network infrastructure, AI platforms, cloud services, and consumer devices.

From zero-day exploitation to AI-driven phishing and smart TVs quietly turned into proxy nodes, the pattern is clear: attackers are leveraging trusted services, misconfigurations, and emerging technologies to scale access and persistence.

Below is a breakdown of the most significant security events shaping the week.


🚨 Threat of the Week: Cisco SD-WAN Zero-Day Under Active Exploitation

A maximum-severity vulnerability in Cisco Catalyst SD-WAN products is being actively exploited in the wild.

Tracked as CVE-2026-20127 (CVSS 10.0), the flaw affects Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage). The vulnerability allows unauthenticated remote attackers to bypass authentication and gain administrative privileges through specially crafted requests.

Cisco attributed discovery of the issue to the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC). The company is monitoring exploitation activity under the cluster name UAT-8616, describing the actor as highly sophisticated.

Security teams using Cisco SD-WAN appliances are urged to patch immediately and review logs for signs of unauthorized access.


🔎 AI Firms Accused of Model Distillation Campaigns

Anthropic accused three Chinese AI companies — DeepSeek, Moonshot AI, and MiniMax — of conducting large-scale “distillation” attacks aimed at extracting model outputs to train competing systems.

The claims follow similar concerns raised by OpenAI, which previously reported suspected efforts to harvest outputs from frontier AI systems.

The allegations have reignited debate over intellectual property protections in AI training data and cross-border technology competition.


🌐 Google Disrupts China-Linked Espionage Campaign

Google announced it disrupted infrastructure tied to a suspected China-linked cyber espionage group tracked as UNC2814.

The group reportedly breached 53 organizations across 42 countries, targeting governments and telecommunications providers. A key tool in the campaign, a backdoor dubbed GRIDTIDE, allegedly abused Google Sheets APIs to disguise command-and-control communications.

Telecom providers remain a high-value target due to their access to sensitive communications data and lawful intercept systems.


🔐 Exposed Google Cloud API Keys Enabled Gemini Access

Security researchers identified thousands of exposed Google Cloud API keys that inadvertently granted access to Gemini AI endpoints when the Generative Language API was enabled.

With valid keys, attackers could access uploaded files and cached content, and generate usage costs. Google has since patched the issue.

The incident underscores how minor configuration changes in cloud environments can dramatically expand exposure risks.
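Leaked keys of this kind are usually caught by scanning source trees before they reach a shared or public repository. The following is an added example, not code from the article or from Google: a minimal scanner that looks for the Google API key shape (assumed here to be the prefix `AIza` followed by 35 URL-safe characters) across a constructed set of files and reports each hit with the key masked, so the report itself does not leak it. The file paths, contents and the fake key are constructed for the example.

```python
import re

# Assumed Google API key shape: "AIza" followed by 35 characters from [0-9A-Za-z_-].
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Constructed fake key for the sample data below (not a real credential).
FAKE_KEY = "AIzaSyEXAMPLE" + "0" * 26   # 4 + 35 = 39 characters

# Constructed repository contents: path -> file text.
SAMPLE_FILES = {
    "app/config.py": f'GEMINI_KEY = "{FAKE_KEY}"\nDEBUG = False\n',
    "README.md": "Set GEMINI_KEY in your environment before running.\n",
    ".env.example": "GEMINI_KEY=AIza-your-key-here\n",          # placeholder, too short to match
    "scripts/demo.sh": f"curl -H 'x-goog-api-key: {FAKE_KEY}' https://example.invalid/\n",
}


def mask(key):
    """Keep enough of the key to recognise it, hide the rest."""
    return key[:8] + "..." + key[-4:]


def find_exposed_keys(files):
    """Return (path, line_number, masked_key) for every key-shaped token found."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in GOOGLE_API_KEY_RE.finditer(line):
                hits.append((path, lineno, mask(match.group(0))))
    return hits


def report(files):
    """Print one line per hit and return the number of hits."""
    hits = find_exposed_keys(files)
    for path, lineno, masked in hits:
        print(f"{path}:{lineno}: possible Google API key {masked}")
    return len(hits)


if __name__ == "__main__":
    n = report(SAMPLE_FILES)
    print(f"{n} hit(s); rotate any real key found and restrict it to the APIs it needs")
```

A hit is only the first step: the key should be rotated, and the replacement restricted in Google Cloud to the specific APIs and callers it is meant for, which is what would have kept a leaked key from reaching the Gemini endpoints described above.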


🤖 AI Tools Introduce New Attack Surfaces

Multiple findings this week highlighted how AI integration is creating new avenues for exploitation:

  • Vulnerabilities in Claude Code reportedly enabled remote code execution and API key theft via malicious repository configurations.
  • Researchers warned of “AI-induced lateral movement,” where prompt injection attacks manipulate large language models into executing unintended actions.
  • In Mexico, a threat actor allegedly abused Anthropic’s Claude chatbot to automate attacks against government systems, exposing millions of records.

As AI agents gain browsing and automation capabilities, security experts stress the need for stricter environment-level controls — not just model safeguards.


📱 Smart TVs Turned Into Proxy Network Nodes

A new SDK called Bright SDK has drawn scrutiny for quietly converting smart TVs into nodes within a global residential proxy network.

Developed by Bright Data, the SDK reportedly reduces visible advertising while routing web scraping traffic through user devices. The company claims its proxy network spans more than 150 million IP addresses across 195 countries.

The revelation raises privacy and consent concerns surrounding embedded third-party software in consumer electronics.


💬 Russia Launches Criminal Probe Into Telegram CEO

Russian authorities opened a criminal investigation into Pavel Durov, founder of Telegram, alleging the platform failed to comply with law enforcement takedown requests tied to extremist content.

The move follows increased pressure on encrypted messaging services and comes amid broader digital restrictions within Russia.

Durov has previously criticized government efforts as attempts to impose surveillance and censorship.


📡 Surge in SonicWall Scanning Activity

Threat intelligence firm GreyNoise detected over 84,000 scanning sessions targeting SonicWall SSL VPN infrastructure between February 22 and February 25, 2026.

The scans, originating from more than 4,000 IP addresses, focused heavily on determining whether SSL VPN services were enabled — often a precursor to credential-based attacks.

Organizations running exposed VPN services should verify patch status and enforce multi-factor authentication.
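Service-discovery scanning of the kind GreyNoise describes shows up in portal access logs as many distinct sources each touching the login page once or twice and never authenticating. The following is an added example, not from the article, GreyNoise or SonicWall: it parses constructed access-log lines, separates sources that only probe from those that actually log in, and flags hourly windows in which the number of distinct probe-only sources exceeds a threshold. The log format, the `/sslvpn/...` paths, the addresses and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed portal paths a scanner would request to learn whether SSL VPN is enabled.
PROBE_PATHS = {"/sslvpn/login", "/sslvpn/status"}
LOGIN_POST = ("POST", "/sslvpn/login")   # a real user submits credentials here

# Constructed sample log: "<ISO timestamp> <src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2026-02-23T10:00:01Z 203.0.113.5 GET /sslvpn/status 200
2026-02-23T10:00:02Z 203.0.113.5 GET /sslvpn/login 200
2026-02-23T10:00:05Z 198.51.100.7 GET /sslvpn/login 200
2026-02-23T10:00:07Z 198.51.100.9 GET /sslvpn/login 200
2026-02-23T10:00:08Z 198.51.100.11 GET /sslvpn/status 200
2026-02-23T10:00:09Z 198.51.100.13 GET /sslvpn/login 200
2026-02-23T10:30:00Z 192.0.2.44 GET /sslvpn/login 200
2026-02-23T10:30:04Z 192.0.2.44 POST /sslvpn/login 302
2026-02-23T10:30:05Z 192.0.2.44 GET /sslvpn/portal 200
2026-02-23T11:15:00Z 203.0.113.5 GET /sslvpn/login 200
"""


def parse_lines(text):
    """Turn log text into (timestamp, src, method, path, status) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       src, method, path, int(status)))
    return events


def probe_only_sources(events):
    """Sources that hit a probe path and never submitted a login."""
    probed, logged_in = set(), set()
    for _, src, method, path, _ in events:
        if method == "GET" and path in PROBE_PATHS:
            probed.add(src)
        if (method, path) == LOGIN_POST:
            logged_in.add(src)
    return probed - logged_in


def flag_scan_windows(events, min_sources):
    """Map hourly window (ISO string) -> count of distinct probe-only sources,
    keeping only windows at or above the threshold."""
    suspects = probe_only_sources(events)
    per_hour = defaultdict(set)
    for ts, src, _, path, _ in events:
        if src in suspects and path in PROBE_PATHS:
            per_hour[ts.strftime("%Y-%m-%dT%H:00Z")].add(src)
    return {hour: len(srcs) for hour, srcs in sorted(per_hour.items())
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    print("probe-only sources:", sorted(probe_only_sources(events)))
    for hour, n in flag_scan_windows(events, min_sources=3).items():
        print(f"{hour}: {n} distinct sources probed the portal without logging in")
```

The threshold has to come from your own baseline: the constructed data flags at three sources, while a surge on the scale GreyNoise reports involves thousands. The probe-only list is useful below the threshold too, as input to rate limiting or geo-blocking on the portal, alongside the patch-status check and MFA enforcement recommended above.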


🛠 Law Enforcement & Cybercrime Disruptions

  • Europol’s Project Compass led to the arrest of 30 members of the underground collective known as “The Com.”
  • Polish authorities dismantled a phishing group that hijacked Facebook accounts to extract BLIK payment codes.
  • A Chilean national was extradited to the U.S. over alleged large-scale trafficking of stolen payment card data.

These actions reflect increasing international cooperation against organized cybercrime networks.


🔥 Trending Critical Vulnerabilities

Security teams are advised to prioritize patches for:

  • SolarWinds Serv-U (multiple CVEs)
  • Cisco Catalyst SD-WAN (CVE-2026-20127 and related flaws)
  • Google Chrome vulnerabilities (CVE-2026-3061, CVE-2026-3062, CVE-2026-3063)
  • Broadcom VMware Aria Operations
  • Juniper Networks Junos OS
  • ServiceNow AI Platform
  • Zyxel, Trend Micro, FreeBSD, Akamai, Angular, and others

Given the pace of exploitation, early patching and continuous vulnerability management remain essential.


📊 The Bigger Picture

Viewed individually, these incidents may appear contained. Collectively, they reveal a consistent trajectory:

  • Faster reconnaissance and scanning
  • Abuse of legitimate APIs and trusted platforms
  • AI-enabled automation of intrusion workflows
  • Expansion of attack surfaces through consumer devices and embedded SDKs

The takeaway is not panic — but preparation. Infrastructure, AI systems, and cloud services are increasingly interconnected. Weakness in one layer can cascade across others.

Security leaders should prioritize visibility, access control hygiene, and continuous monitoring as adversaries continue to refine both scale and efficiency.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO