Japanese telco KDDI has messed up by allowing an attacker to access systems powering an email service it manages for itself and other local ISPs, and which stores info on up to 14.2 million users. The company yesterday posted a confession [PDF] that it detected unauthorized access to the email system it offers to third-party customers on June 17th. Machine translation of the confession suggests that KDDI investigated the situation and found attackers exploited a vulnerability in third-party software used on the email service, without claiming that vuln was a zero-day it had no chance of defending or an explanation of why it was running vulnerable software. There’s some good news because KDDI was able to prevent further intrusion on the same day it noticed the attack, and says it has bolstered its defences to prevent future intrusions. But the carrier also fears that up to 14.2 million email addresses and passwords may have leaked and therefore warned that third parties may have obtained personal data. Thankfully, the company had hashed and encrypted the passwords – so users only have to fear phishing and identity theft, instead of something nastier. However, some of the data KDDI thinks may have leaked pertains to dormant accounts or others that users cancelled, meaning some potential victims will be hard to contact if the attackers have indeed stolen data. KDDI is one user of the hacked platform, and also provides it to Japanese ISPs STNet, JCOM, Chubu Telecommunications Co., Nifty Corporation, and BIGLOBE. Those companies now get to explain KDDI’s failure to their own customers, and perhaps also have the chance to revisit any other outsourcing deals with the carrier. Others who rely on KDDI to provide them with various services also get to ask the company some stern questions about whether its other platforms are secure. The carrier, meanwhile, says it’s informed the relevant authorities of the situation, but is yet to complete an investigation so remains unaware of the full extent of the mess. ®

The list of Klue customers whose Salesforce data was stolen in the latest supply-chain heist keeps growing, with an increasing number of cybersecurity companies disclosing that they are among the victims of a new data-theft and extortion crew called Icarus. Klue, which provides market intelligence to more than 250,000 users worldwide, hasn’t said how many of its customers were caught up in the breach and didn’t immediately respond to The Register’s inquiries. Huntress was one of the first cybersecurity vendors to sound the alarm, and, in an email to The Register, said that it was among the “hundreds of Klue customers” affected. However, it said that the breach did not affect its tools or highly secure information such as passwords. “Huntress believes in radical transparency about security incidents, including when it affects our company,” the security shop wrote on Thursday. “The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected.” Huntress, along with the other victim companies, said that there is no indication that any of its products or infrastructure were compromised, and that this security incident was specific to CRM data. Since then, several other security and software vendors including Recorded Future, Tanium, Jamf, Gong, HackerOne, Kudelski Security, Snyk, Insurity, and Sprout Social have revealed that the data thieves also accessed their CRM data via the Klue integration with Salesforce. Here’s what we do know about what happened and who is behind this latest extortion campaign. The breach occurred on June 11, and Klue spotted the intrusion a day later. This unauthorized activity affected “a portion” of its integration infrastructure, according to the software provider. Klue has since disconnected all of its integrations with Salesforce, Gong, HubSpot, SharePoint, and Google Drive. It also hired CrowdStrike to assist in the investigation and security response. “Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service,” Klue CEO Jason Smith said in a Friday blog post. “The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.” Mandiant CTO Charles Carmakal urged organizations using Klue integrations to “immediately audit their systems and monitor application logs for evidence of compromise over the past few weeks. Rotate credentials as appropriate based on the scope of compromise.” While the attack “resembles the 2025 and 2026 third-party OAuth abuse campaigns against Salesforce,” as ReliaQuest noted, a group called Icarus began posting victims on its data-leak site. It soon became apparent that this new extortion crew - not ShinyHunters, which has frequently targeted Salesforce and stolen data from hundreds of the CRM giant's customers in attacks over the past few years - was behind this latest supply-chain incident. Icarus, according to the group’s leak site, has been active since April 28. After compromising Klue, the criminals began emailing affected customers. Huntress shared its extortion message, with the subject line “top secret email” purportedly sent from “mr bean,” with The Reg, and we are leaving the misspellings, and poor grammar, as is. “This email is being written to you because your data as exfiltrated due to a breach happening to your partner, Klue.com (as them),” it reads. “Your Salesforce data has been downloaded. We advice you to write us on Session @” with a Session address, the email continues, and threatens to make the data public within 48 hours unless Huntress initiates communication with the criminals. “Do the right decision,” it says, “xoxo.” There’s a subsequent email that simply says “wrong session lol” and then lists the correct Session ID. Researchers don’t know too much about Icarus - yet - but this type of large-scale supply-chain attack typically paints an equally large target on the intruders’ collective backs. So we expect to hear more from law enforcement and third-party security sleuths in the upcoming days. “There is very little publicly known about [Icarus],” Huntress' Lindsey O'Donnell-Welch told us. “IP addresses from which they are known to have accessed sensitive information include the Netherlands, France, and Ukraine. But we cannot draw any conclusions based on that information alone as these may have been VPN concentrators or Tor exit nodes.” And while this intrusion “bears some surface-level similarities with prior Salesforce-focused extortion activity, we have not seen any evidence at this point linking Icarus to ShinyHunters,” O'Donnell-Welch added. ® Correction: An earlier version of this story stated ReliaQuest was a victim. That company has since clarified it was not.

Cybercrime now accounts for more than 30 percent of all offenses across the Asia and South Pacific (ASP) region, according to the latest figures from Interpol. The international cop shop said on Wednesday that the region has seen “a dramatic increase” in the number of recorded cybercrimes, driven largely by an uptake of digital infrastructure, new technologies, and the increasingly organized nature of criminal networks. Interpol’s latest ASP Cyberthreat Assessment Report states that online scams and phishing attacks dominate cybercrime in the region. Data taken from 2024-2025 shows that phishing campaigns have matured beyond the spray-and-pray mass emails of yesteryear and now resemble the more sophisticated techniques deployed elsewhere in the world. Targeted spear phishing is more common nowadays, and the growing use of AI helps even low-skilled script kiddies to apply a layer of authenticity to their attacks. The region’s problem with organized scamming gangs that run camps where hundreds of people are compelled to commit crimes is especially pronounced and well-documented. A United Nations report published last year described scam call centers across Southeast Asia as an epidemic that is metastasizing across the region “like a cancer.” These compounds can be found across countries such as Cambodia, Laos, Myanmar, and the Philippines, and often see vulnerable individuals trafficked into the scam centers to work under poor conditions – or even as slaves. Interpol cited Singaporean research, which estimated the regional scam industry generates close to $40 billion each year. AI tools, especially those capable of generating convincing deepfake imagery, have also proven popular with cybercriminals across ASP, just as they have beyond the region. In 2024, the same scam compounds were found using deepfake imagery to support romance scams. In February 2024, an employee at a multinational business in Hong Kong was duped into authorizing a $25 million payment because the faces of company execs were convincingly deepfaked on a video call. A similar case was also reported in Singapore in March 2025, when a finance director at a different multinational was tricked into transferring more than $499 million following a Zoom call in which fraudsters assumed the identities of company chiefs, including the CEO and CFO. Interpol’s report highlights how cyber threats are evolving into large-scale challenges for multiple jurisdictions, and no longer represent relatively uncommon, isolated incidents. While digitization across the region is growing, opening new economic opportunities for these countries, law enforcement agencies are struggling to keep pace with the increase in cybercrime. Many lack the skills and tools needed to investigate these crimes. The issue is especially pronounced in developing countries and small island states in the Pacific, which face “significant resource and capacity constraints,” and are thus more vulnerable to direct targeting in attacks by criminals who have a greater chance of evading consequences. Neal Jetton, cybercrime director at Interpol, said: “The findings in this report highlight a rapidly evolving cyber threat landscape across Asia and the South Pacific, where cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models, and sophisticated social engineering techniques on an industrial scale. “As digital adoption accelerates across the region, strengthening operational cooperation, information sharing, and cyber resilience remains essential to protecting communities and critical infrastructure.” Some improvement Interpol lauded many jurisdictions and governments within the ASP region for their proactive approaches to countering cybercrime growth. Hong Kong and the Republic of Korea are two areas that have made strides by introducing new cybersecurity legislation, while others have established national task forces, codified national action plans, and launched awareness campaigns. But even in more developed countries globally, and those with more mature cybersecurity regulatory and legislative landscapes, the issue of increasing rates of cybercrime persists. While Interpol does not collect cybercrime figures for other regions, such as Europe and North America, in the same way that it does for ASP, it’s easy to see that problems persist everywhere. The UK’s Office for National Statistics (ONS) publishes crime rates by type across England and Wales each year, and while computer misuse offenses in 2025 decreased by 58 percent compared to 2017’s figures, there were still an estimated 735,000 cases across the year. Expanding the data to look beyond pure cyber offenses to cyber-supported crimes, such as banking and credit fraud, these offenses account for more than 2.7 million of the circa 9.6 million total crimes committed. The FBI in the US produces its annual IC3 report examining the rates of cybercrime across the country. Although it doesn’t compare it to total offenses or other crime types, the latest report reflecting 2025’s figures showed cybercrime reports topped one million for the first time, and total losses reached a record $20.87 billion. ®

UPDATED If you have a Fortinet firewall, it's time to stop and change your passwords. Intruders somehow gained access to around 75,000 Fortinet firewall devices and stole credentials belonging to major corporations across 194 countries, in some cases leading to full network compromise. Security researchers say that they have verified the data, and the cracked FortiGate passwords belong to accounts spanning multinational corporations including FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PxW, Accenture, Oracle and many others. Check to see if your organization made the list of affected domains – and immediately rotate all passwords associated with Fortinet VPN and administrative interfaces. Make sure multi-factor authentication is turned on, too, as this type of massive credential leak can lead to very serious consequences, giving attackers full, remote access to not only the firewall but the entire corporate network. Hudson Rock, which analyzed the data, said the leak affects 21,632 unique domains. “The scale of this breach touches nearly every sector of the global economy, sparing no industry. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet,” the security shop said on its Infostealer blog. Researcher Volodymyr “Bob” Diachenko first spotted the intrusions and attributed them to a Russian-speaking group. “They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments,” he wrote on LinkedIn. “The operation processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers.” Plus, according to Diachenko, the criminals fully pwned at least four organizations, including a Turkish NATO defense contractor, and, in that case, stole classified defense documents. Security sleuth Kevin Beaumont, who also verified the stolen credentials, said “the data is legit.” “I have worked with several orgs listed, and can confirm the logins and passwords are real,” Beaumont wrote. “Many of the devices sampled are on fairly recent patches.” According to device search engine Shodan, the massive heist comprises about half of all internet-facing Fortinet firewalls. Plus, Beaumont noted, most of the compromised Fortinet devices remain online. So if you’re still reading this story: stop now, and go reset your Fortinet firewall passwords stat. After we first published this story, Fortinet responded to us, denying that the attacks are fresh and claiming that the data showing up on the dark web comes from prior breaches. "Based on our analysis, the data involved is a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory," a Fortinet spokesperson told El Reg. Organizations that follow routine best practices, including regularly refreshing security credentials, as per guidance in this March blog, face minimal risk from credential compromise detail referenced in the reporting.” The Register reached out to the companies affected by the so-called FortiBleed campaign for comment, Lenovo said it was looking into it; we didn't receive responses from the others. ® Updated at 2118 with a statement from Fortinet.

Six people suspected of bank helpdesk fraud are in custody after Dutch cops stormed an Amsterdam residence and caught them in conversation with a potential victim. Police say the individuals were aged between 15 and 30 and operated out of a makeshift call center they had established in an Amsterdam home. Authorities believe the accused committed bank helpdesk fraud, which has become increasingly popular across the Netherlands. Offenders were recently targeted as part of Game Over?!, a novel law enforcement scheme that successfully shamed criminals into submitting themselves to authorities. Helpdesk scammers typically operate call victims on the phone, using methods similar to voice phishing, or "vishing." They present themselves as bank employees contacting victims under various guises, all designed to steal their money. In this case, police say the alleged criminals tried to convince victims to "increase their limits," and in "several" cases, succeeded in stealing funds from their accounts. The precise cover story is largely irrelevant, however. The aim of the game is the same each time: Convince a prospective victim to surrender enough details to access their bank accounts and steal their money. While these scams mostly take place remotely, Dutch police said in their announcement on Tuesday that the crew sent members to visit victims in person, purportedly offering hands-on assistance to secure their accounts. The same tactic can often be observed with fake police officer shakedowns, which have also become popular in the country. Police say tens of thousands of elderly people, who make up the majority of targets for such scams, have fallen victim to the confidence scams. In these cases, fraudsters visit elderly individuals' houses and pretend to represent law enforcement, offering a service to safeguard their valuables. The crooks then steal those valuables, and police say previous cases have turned violent. Some have also ended in fatalities. Multiple victims of the helpdesk frauds reported their respective cases, according to the cops. The National Intervention Team for Digital Crime was called in to investigate, and during a raid on June 10, officers found the suspects mid-call with a potential victim. Officers seized multiple laptops and phones after apprehending the six suspects, and found several bank cards at the property. Further arrests have not been ruled out. ®

A cyberattack on Australia’s second-largest sugar producer has forced farmers to keep crops in the ground, and looks like denting their incomes. Mackay Sugar, based in the Australian state of Queensland, processes sugar cane farmed in nearby districts. The company disclosed a cyberattack on June 10 and limited operations while it dealt with the fallout. Some operations remain restricted, but the company said on Monday that it managed to perform some manual crushing at its Farleigh Mill site, working with sugar cane that was harvested before the attack. “Significant progress has been made over the weekend in restoring the systems that support cane supply, harvesting, and mill operations,” Mackay Sugar said in a statement. “Steam trials are now underway, and subject to final validation activities, some harvesting is expected to recommence this week in preparation for the staged restart of crushing operations later this week.” While the company is optimistic it can resume crushing, it's advised growers not to harvest their crops for the time being. That edict works for Mackay Sugar because sugar producers need to process crops within 48 hours of harvest. Doing so preserves high sugar content and overall yield. Delaying the processing for any longer after harvesting could result in sucrose converting to simple sugars, unwanted fermentation, and lower yields. But late harvesting can reduce the quality of cane, reducing the price they earn for their crops. Interrupted harvesting also impacts the railways used to move cane from farms to mills. Mackay Sugar acknowledged the impact its downtime could have on growers and other partners, and committed to restoring systems safely. “We are communicating directly and regularly with our employees, growers, and key partners,” it said. “We recognise the impact this incident is having on our growers, and we are doing everything we can to support them and to safely resume full operations as soon as possible. “We take our responsibility to protect our systems, operations, and information very seriously. We apologise for any disruption this incident has caused and will continue to provide updates as we continue our investigation.” The company operates three mills across Queensland, two of which were operating at a limited capacity due to the attack. Its Racecourse Mill, described as the heart of the business and home to its corporate offices, was among those affected. Racecourse Mill typically generates 213,000 tons of raw sugar and 58,000 tons of molasses a year, and the site’s cogeneration plant generates 156,000 MWhs of renewable electricity a year, around 71 percent of which is sent back into the national electricity grid. Mackay’s mill in Farleigh, the company’s oldest, was also affected. It typically produces around 196,000 tons of raw sugar and 49,000 tons of molasses per year. The company’s largest and most productive factory, Marian Mill, was unscathed. Ungentlemanly conduct Cybercrime group The Gentlemen claimed responsibility for the attack on Mackay Sugar, posting the company to its data leak site without offering any details about the attack or whether it stole data to use as leverage for extortion demands. Cyber threat intelligence professionals have known of the group for almost a year, after spotting it in July 2025 and classifying it as a ransomware-as-a-service provider. However, there is no evidence that ransomware was used in the attack on Makay Sugar. The company has never mentioned ransomware in its statements, referring to the attack only as a “cyber security incident.” However, The Gentlemen is known for using file-encrypting malware in its double extortion attacks. The group caught the attention of Microsoft’s researchers, who last month published a deep dive into how it carries out attacks. Microsoft’s report noted that not only do The Gentlemen affiliates have access to a powerful file encryptor, but also one that self-propagates, which “increases the likelihood of widespread impact once initial access is achieved.” It has also recently established a partnership with BreachForums, which allows the group to recruit prospective new affiliates with different skillsets, such as penetration testers and initial access brokers. ®

Cybercrims deploying DragonForce ransomware appear to have gained access to a major US services company's network, then spent two months up to no good while disguising their command-and-control activities as legitimate Microsoft Teams traffic. Researchers at security firm Symantec said the intrusion began with attackers gaining access to the victim's environment before deploying a custom Go-based backdoor, tracked as "Backdoor.Turn," to maintain communication with the compromised systems. Rather than reaching out to attacker-controlled infrastructure that might raise alarms, the backdoor hid its activity inside traffic associated with Microsoft's widely used collaboration platform. To anyone monitoring network traffic, the compromised systems appeared to communicate only with legitimate Microsoft servers. "The attackers in this campaign use exceptionally sophisticated cyber tradecraft," Symantec said. "The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors." Symantec said the attackers installed Backdoor.Turn on systems after deploying DragonForce ransomware, potentially giving them a way back into compromised networks or access they could later sell to other criminals. To connect to Microsoft's infrastructure, the backdoor first requested an anonymous visitor token from Microsoft Teams and Skype back-end services. It then used a Microsoft-operated TURN relay server – infrastructure typically used to help establish communication between users – before establishing a direct QUIC connection to a malicious command-and-control server. Symantec said this is the first known case of malware using this particular technique. The security firm did not identify the victim beyond describing it as a major US services company, nor did it say whether the Teams-based communications channel had been observed in other DragonForce incidents. The ransomware operation has become increasingly prominent over the past year, operating a ransomware-as-a-service model that allows affiliates to conduct attacks under the DragonForce banner. It has been linked to the prolific Scattered Spider group, which has conducted a string of high-profile attacks, including intrusions targeting major retailers in the UK. While attackers have long abused legitimate cloud services to conceal malicious traffic, Symantec's findings suggest that DragonForce operators continue to look for ways to blend into the software and infrastructure that organizations trust most. ®

Heart monitoring biz iRhythm says thieves made off with patient health information and tried to turn it into a payday. The California-based cardiac monitoring specialist offers customers a wearable device that collects data, then analyzes it to create reports about heart health. The company said it detected unauthorized activity on June 8 and launched an investigation with the help of third-party cybersecurity experts. A day later, the company received messages from a cybercriminal claiming to have obtained sensitive information, including proprietary company data, protected health information, and other personal information. According to iRhythm's filing with the US Securities and Exchange Commission, the attackers demanded payment in exchange for not publicly disclosing the stolen data. The company confirmed that data had been exfiltrated and, on June 10, determined that the incident was material due to the volume of information potentially affected. While the company disclosed the extortion demand and the existence of stolen data, it made no mention of negotiations. iRhythm spent a good chunk of the filing explaining what the attackers didn't get. According to the company, the intrusion was confined to business applications and never reached its clinical systems, medical devices, or customer connections. Patient care and day-to-day operations were unaffected. The company has not yet disclosed how many individuals may be affected, what data was accessed, or which third-party-hosted applications were involved in the breach. It has also not identified the threat actor behind the attack, and The Reg has found no evidence of major ransomware groups claiming responsibility. The company's filing states the attackers gained access through social engineering. Exactly how that happened remains unclear, although healthcare organizations have increasingly found themselves dealing with phishing campaigns, help desk impersonation scams, and other forms of human-targeted intrusion designed to bypass technical defenses. As of the filing date, iRhythm said it had not identified any ongoing unauthorized access to its systems and believed the incident was unlikely to have a material impact on its financial condition or operating results. The company added that it maintains cyber insurance that may cover some of the losses associated with the breach. iRhythm's disclosure comes less than a week after drug giant Novo Nordisk revealed that attackers had copied patient data from some clinical trials, adding another healthcare name to a growing list of organizations dealing with data theft and extortion attempts. ®

ShinyHunters claims to have breached the Council of Europe and stolen more than 297 GB of data after exploiting a zero-day flaw in Oracle PeopleSoft and abusing that hole to hack more than 100 organizations. According to a post on the extortion crew’s data-leak site, the 429,000 pilfered files contain HR and payroll records, payslips, purchase-order records, CVs, and employees’ salary, banking, tax, and medical records. A Council of Europe spokesperson told The Register that it is “currently investigating the matter and assessing the situation,” but declined to comment further. A spokesperson for the cybercrime group told us that the Council is yet another victim of the Oracle PeopleSoft heist. Oracle has yet to respond to The Register’s inquiries, and it's unclear if the vulnerability, tracked as CVE-2026-35273, has been patched. ShinyHunters previously told us that the gang exploited the CVE to compromise more than 100 organizations across 300 vulnerable instances, and that these victims included the University of Nottingham. Last week, the crims listed the UK uni on their leak site, then dumped data belonging to around 454,600 current and former students, including personal and academic records. Meanwhile, a Google threat report published late last week noted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and said that its incident responders notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these are US-based organizations, and 68 percent operated within the higher education sector. This latest heist follows another ShinyHunters intrusion targeting data belonging to university and K-12 students, teachers, and staff. In mid-May, ed-tech giant Instructure said it “reached an agreement” - this is corporate-speak for “paid the ransom demand” - with the data theft and extortion crew after ShinyHunters breached its Canvas digital learning platform and accessed data tied to 275 million students, teachers, and staff. In March, ShinyHunters claimed it stole data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions. The ed tech company did not pay up, and the group subsequently published data they claim was stolen from Infinite Campus, including 137,000 individuals’ email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus, in its data breach notification, said that the leaked files largely consisted of “names and contact information for school staff" and that “the majority is directory information commonly found on school websites.” ®

Data theft and extortion group ShinyHunters has exploited a critical Oracle PeopleSoft bug as a zero-day to compromise more than 100 organizations, including the University of Nottingham, across 300 vulnerable instances. A spokesperson for the cybercrime crew on Thursday told The Register that they exploited CVE-2026-35273 to break into the university’s PeopleSoft system and steal 40 GB of personal data and billing records belonging to hundreds of thousands of current and former students. ShinyHunters posted the UK university on its data leak site on Tuesday before publishing the stolen files later that same day, presumably because the school refused to pay the extortion demand. “University of Nottingham on our leak site is one of the first publicly confirmed incidents,” a ShinyHunters spokesperson told us. “We have only just started outreach to affected orgs and are actively looking to reach an agreement with affected orgs.” They didn’t say when they planned to post the other 100 or so claimed victims. A Google threat intelligence report published Thursday afternoon corroborated ShinyHunters’ claims to have compromised more than 100 organizations. Google said it spotted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these, we’re told, are based in the US and 68 percent are in the higher-education sector. PeopleSoft is a widely used enterprise software suite that large corporations and institutions use to manage their human resources, payroll and billing applications, supply chains, and student records. CVE-2026-35273 is a 9.8 CVSS-rated vulnerability that allows remote, unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools and fully take over the platform. On Wednesday, a day after ShinyHunters leaked the school’s data, the University of Nottingham confirmed the breach and Oracle issued an out-of-band security alert. It’s unclear, however, if the software provider has issued a patch to fix the security flaw. The Register reached out to Oracle, and did not receive any response to our questions. Google-owned Mandiant Chief Technology Officer Charles Carmakal, in a brief LinkedIn post on Thursday, warned that PeopleSoft was one of two zero-day vulnerabilities “actively being exploited in the wild.” “Oracle released mitigations,” Carmakal wrote. “Patches should come soon.” The other zero-day, for the record, is this Cisco Catalyst SD-WAN Manager vulnerability.®