Cisco pushed fixes for four critical flaws in its identity and collaboration stack, an nginx management interface is being exploited in the wild with no authentication required, and SAP’s April Patch Tuesday includes a near-maximum-severity SQL injection in its financial planning database. Meanwhile, Cisco Talos published research on a botnet that has been hiding C2 traffic inside Heroku API calls for four months undetected.
In the News
Cisco Patches Four Critical ISE and Webex Flaws — CVE-2026-20184 Tops at CVSS 9.8
Cisco disclosed and patched four critical vulnerabilities spanning Identity Services Engine (ISE) and Webex. The most severe, CVE-2026-20184 (CVSS 9.8), stems from improper SSO certificate validation. An attacker who can reach the authentication endpoint can forge a certificate to impersonate any user — including administrators — and execute arbitrary code on the underlying server. The three additional critical flaws affect the same enterprise identity and collaboration stack, though Cisco has not yet confirmed in-the-wild exploitation for any of them.
The attack surface here is significant. ISE is the policy decision point in many enterprise network access control deployments, handling RADIUS authentication, authorization, and posture assessment. Webex is embedded in thousands of organizations for internal and external communications. A compromised ISE instance does not just give an attacker access to the ISE box — it gives them the ability to manipulate network access decisions for every endpoint that authenticates through it.
What defenders should do: Apply the Cisco advisory patches immediately. Audit SSO certificate validation configurations across ISE deployments. If patching requires a maintenance window, implement compensating controls: restrict management access to ISE and Webex to dedicated administrative VLANs, and monitor authentication logs for anomalous certificate presentations.
Source: The Hacker News
nginx-ui Authentication Bypass (CVE-2026-33032) Actively Exploited in the Wild
CVE-2026-33032, a CVSS 9.8 authentication bypass in nginx-ui’s MCP integration, is under active exploitation. Pluto Security, which discovered and named the flaw “MCPwn,” confirmed that unauthenticated attackers can gain full administrative control of the nginx-ui management interface without credentials. From there, the attacker has complete control of the nginx server configuration — meaning they can redirect traffic, inject content, or pivot into the internal network.
nginx-ui is an open-source graphical management tool for nginx, popular in small-to-midsize deployments and development environments where teams want a web interface instead of editing configuration files directly. The MCP integration endpoint that contains the vulnerability was not protected by the application’s standard authentication middleware — a straightforward access control failure.
The critical question for most organizations is not whether they use nginx-ui intentionally, but whether it exists anywhere in their environment at all. Shadow IT deployments, developer test environments, and acquired infrastructure are the most likely places it appears unmanaged.
What defenders should do: Patch nginx-ui immediately. If patching is not possible, take the management interface offline or restrict it to localhost/trusted management networks with firewall rules. Run an asset discovery scan for nginx-ui instances — they are often deployed outside the awareness of central IT.
Source: BleepingComputer
Cisco Talos Exposes PowMix Botnet Hiding in Heroku API Traffic
Cisco Talos published a detailed analysis of PowMix, a previously undocumented botnet that has been targeting Czech workers since at least December 2025. The botnet demonstrates several notable evasion techniques: randomized command-and-control beaconing intervals that defeat periodicity-based detection, and C2 traffic formatted as legitimate REST API calls to endpoints hosted on Heroku.
The REST API URL mimicry is the more operationally relevant technique. PowMix constructs its C2 communications to look like standard HTTPS requests to a cloud-hosted API — complete with plausible URL paths and headers. Network security tools that rely on domain reputation or signature matching see traffic to a legitimate cloud platform and pass it. Only behavioral analysis that examines the full session pattern — request timing, payload entropy, response characteristics — has a chance of flagging it.
Talos noted tactical overlap with the earlier ZipLine campaign, suggesting either a shared operator or shared tooling. The botnet’s initial access vector appears to be phishing emails tailored to Czech employment-related topics.
What defenders should do: Signature-based network detection will miss PowMix. Defenders need behavioral analytics capable of identifying anomalous patterns in HTTPS traffic to cloud platforms. DNS filtering that restricts access to newly registered or low-reputation subdomains on cloud platforms provides a partial compensating control. Monitor for PowerShell processes initiating HTTPS connections to Heroku endpoints, particularly with randomized timing patterns.
Source: Cisco Talos
SAP April Patch Tuesday: CVSS 9.9 SQL Injection in BPC/Business Warehouse
SAP’s April 2026 Patch Tuesday includes CVE-2026-27681, a SQL injection vulnerability in SAP Business Planning and Consolidation (BPC) and Business Warehouse (BW) with a CVSS score of 9.9. The flaw enables arbitrary database command execution — the attacker can read, modify, or delete any data the database service account can access.
This is the highest-severity item in a patch cycle covering 13+ SAP enterprise products. SAP BPC and BW are financial planning and data warehousing platforms — the databases behind them contain financial records, HR data, budgets, forecasts, and supply chain information. A successful exploit does not just compromise a single application; it compromises the data that drives executive decision-making.
SAP environments are notoriously difficult to patch quickly. Change control processes, testing requirements, and uptime commitments often push critical patches into the next maintenance window — sometimes weeks after disclosure. That gap is where the risk lives.
What defenders should do: Prioritize CVE-2026-27681 for immediate patching. If patching requires extended testing, implement database activity monitoring as a compensating control to detect anomalous SQL queries. Virtual patching through a web application firewall, if deployed in front of the SAP application layer, can provide interim protection against known SQL injection patterns.
Source: The Hacker News
Today’s Deep Dive — C2 Evasion Through Cloud API Mimicry
The PowMix botnet is the latest example of a technique that has been gaining traction for several years: hiding command-and-control traffic inside requests that look like legitimate cloud API calls. The tactic exploits a fundamental tension in enterprise network security — organizations cannot block traffic to major cloud platforms without breaking business operations, and defenders cannot inspect every HTTPS session to a trusted domain.
The Mechanism
Traditional C2 detection relies on three signal categories: known-bad indicators (domains, IPs, JA3 hashes), periodic beaconing patterns, and protocol anomalies. PowMix defeats all three.
First, the C2 infrastructure runs on Heroku, a legitimate platform-as-a-service provider. The domains resolve to Heroku’s IP space, the TLS certificates are valid Heroku certificates, and the JA3 hashes match standard browser or runtime fingerprints. Known-bad indicator lists do not flag it.
Second, PowMix randomizes its beaconing intervals. Instead of checking in every 60 seconds — a pattern that periodicity detection can identify — it introduces jitter that makes the traffic pattern statistically indistinguishable from a human using a web application.
Third, the HTTP requests themselves are formatted as plausible REST API calls with standard JSON payloads, proper content-type headers, and URL paths that mimic common API conventions. Deep packet inspection of the decrypted traffic sees what looks like a normal API interaction.
Detection Approaches
Behavioral analytics that baseline normal cloud API usage for each endpoint offer the strongest detection signal. If a workstation that has never communicated with Heroku suddenly starts making API calls at irregular intervals, that deviation is detectable — even if each individual request looks legitimate.
DNS analytics provide another angle. PowMix’s Heroku subdomains are newly created and have no historical query volume from the organization. DNS filtering solutions that factor in domain age and organizational query history can flag these as suspicious.
At the endpoint level, the initial execution chain involves PowerShell initiating HTTPS connections. Monitoring for PowerShell network activity — particularly to cloud platform endpoints — remains a high-value detection strategy.
MITRE ATT&CK mapping: T1071.001 (Application Layer Protocol: Web Protocols), T1568.002 (Dynamic Resolution: Domain Generation Algorithms — partial overlap with the randomized subdomain use), T1102 (Web Service — use of legitimate cloud platform for C2).
What This Means Operationally
The operational reality is that blocking cloud platforms is not an option for most organizations, and inspecting all cloud-bound HTTPS traffic at scale requires significant investment in decryption infrastructure. The practical path forward is layered detection: DNS filtering to catch newly created cloud subdomains, endpoint telemetry to flag unexpected PowerShell network activity, and behavioral analytics to identify deviations from baseline cloud communication patterns.
A network monitoring stack that relies solely on signatures and reputation lists will not detect PowMix or the campaigns that will follow it.
Detection Spotlight
The following Splunk SPL query identifies PowerShell processes initiating outbound HTTPS connections to Heroku subdomains — a detection signal relevant to PowMix and similar campaigns abusing cloud platform-as-a-service providers for C2.
index=sysmon EventCode=3
| where process_name="powershell.exe" OR process_name="pwsh.exe"
| where dest_port=443
| rex field=dest_host "(?<subdomain>[^\.]+)\.herokuapp\.com"
| where isnotnull(subdomain)
| stats count earliest(_time) as first_seen latest(_time) as last_seen values(dest_host) as destinations by src_ip, user
| where count >= 3
| sort - count
What it catches: PowerShell processes (both Windows PowerShell and PowerShell Core) making HTTPS connections to Heroku subdomains. The threshold of 3+ connections filters out incidental one-off requests while catching sustained C2 communication patterns.
False positive considerations: Development teams that use Heroku for legitimate purposes will generate hits. Baseline your environment first — exclude known developer workstations or create a lookup table of approved Heroku subdomains. The values(dest_host) field in the output helps analysts quickly distinguish between legitimate application traffic (consistent subdomain) and C2 activity (multiple or unfamiliar subdomains).
Adapt the dest_host regex for other PaaS providers (Railway, Render, Fly.io) that threat actors may use for the same technique.
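As an added example (not the newsletter's own query and not Talos's code), the following Python reimplements the Spotlight logic and extends it with the per-endpoint baseline the Deep Dive calls for: it runs over constructed Sysmon Event ID 3 style events that use the same CIM field names as the SPL query, and it only alerts on sustained PowerShell HTTPS traffic to Heroku subdomains that are not already in that workstation's baseline. The EVENTS sample, the APPROVED baseline lookup and every host, user and subdomain in them are hypothetical.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 3 style events with the CIM field names from the SPL query (hypothetical hosts, users, subdomains).
EVENTS = [
    # dev workstation with a baselined Heroku app: sustained but expected
    "ts=1712800000 process_name=powershell.exe dest_host=billing-api.herokuapp.com dest_port=443 src_ip=10.0.5.21 user=CORP\\dev1",
    "ts=1712800060 process_name=powershell.exe dest_host=billing-api.herokuapp.com dest_port=443 src_ip=10.0.5.21 user=CORP\\dev1",
    "ts=1712800120 process_name=powershell.exe dest_host=billing-api.herokuapp.com dest_port=443 src_ip=10.0.5.21 user=CORP\\dev1",
    # workstation that has never used Heroku: jittered check-ins to unfamiliar subdomains
    "ts=1712800100 process_name=pwsh.exe dest_host=qx7-sync-api.herokuapp.com dest_port=443 src_ip=10.0.7.88 user=CORP\\jsmith",
    "ts=1712800147 process_name=pwsh.exe dest_host=qx7-sync-api.herokuapp.com dest_port=443 src_ip=10.0.7.88 user=CORP\\jsmith",
    "ts=1712800233 process_name=pwsh.exe dest_host=tz9-status-api.herokuapp.com dest_port=443 src_ip=10.0.7.88 user=CORP\\jsmith",
    "ts=1712800301 process_name=pwsh.exe dest_host=qx7-sync-api.herokuapp.com dest_port=443 src_ip=10.0.7.88 user=CORP\\jsmith",
    # a one-off PowerShell request and a browser request: both stay below the bar
    "ts=1712800500 process_name=powershell.exe dest_host=abc-demo.herokuapp.com dest_port=443 src_ip=10.0.9.3 user=CORP\\analyst",
    "ts=1712800510 process_name=chrome.exe dest_host=qx7-sync-api.herokuapp.com dest_port=443 src_ip=10.0.9.3 user=CORP\\analyst",
]

HEROKU_RE = re.compile(r"(?P<subdomain>[^.]+)\.herokuapp\.com$", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed baseline lookup: Heroku subdomains already seen per workstation in a prior window.
APPROVED = {"10.0.5.21": {"billing-api"}}

def parse(line):
    # key=value tokens separated by whitespace; values in this sample contain no spaces
    return dict(kv.split("=", 1) for kv in line.split())

def detect(lines, approved=APPROVED, threshold=3):
    # Same filters as the SPL query, then the per-endpoint baseline check from the Deep Dive.
    sessions = defaultdict(lambda: {"count": 0, "subdomains": set(), "times": []})
    for line in lines:
        ev = parse(line)
        m = HEROKU_RE.search(ev.get("dest_host", ""))
        if ev.get("process_name", "").lower() not in POWERSHELL or ev.get("dest_port") != "443" or not m:
            continue
        s = sessions[(ev["src_ip"], ev["user"])]
        s["count"] += 1
        s["subdomains"].add(m.group("subdomain").lower())
        s["times"].append(int(ev["ts"]))
    alerts = []
    for (src_ip, user), s in sessions.items():
        unknown = s["subdomains"] - approved.get(src_ip, set())
        if s["count"] < threshold or not unknown:
            continue  # incidental traffic, or sustained traffic only to this host's baselined apps
        times = sorted(s["times"])
        alerts.append({"src_ip": src_ip, "user": user, "count": s["count"],
                       "unknown_subdomains": sorted(unknown),
                       "first_seen": times[0], "last_seen": times[-1],
                       "gaps_s": [b - a for a, b in zip(times, times[1:])]})  # irregular gaps show the jitter
    return sorted(alerts, key=lambda a: -a["count"])
```

The gaps_s field gives an analyst the inter-arrival times alongside the subdomain list, so a hit to one consistent, baselined app and a hit to several unfamiliar subdomains at irregular intervals can be told apart in a single row.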
References
- Cisco Patches Four Critical Identity Vulnerabilities — The Hacker News
- Critical nginx-ui Auth Bypass Flaw Now Actively Exploited — BleepingComputer
- PowMix Botnet Targets Czech Workforce — Cisco Talos
- April Patch Tuesday Fixes Critical SAP Vulnerabilities — The Hacker News
- Splunk Enterprise Update Patches Code Execution Vulnerability — SecurityWeek
- OpenAI Launches GPT-5.4-Cyber — The Hacker News
- Capsule Security Emerges From Stealth — SecurityWeek
- Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT — The Hacker News
- WordPress Plugin Suite Hacked to Push Malware — BleepingComputer
- CISA Flags Windows Task Host Vulnerability — BleepingComputer
- Sweden Blames Pro-Russian Group for Energy Infrastructure Attack — SecurityWeek