This week's report covers four threats: a critical zero-day vulnerability in Cisco's SD-WAN networking software flagged by NHS Cyber Alerts and the NCSC, an actively exploited flaw in enterprise file transfer software, a sophisticated phishing kit bypassing multi-factor authentication on Microsoft 365, and a newly discovered backdoor malware linked to North Korea that is targeting healthcare and education organisations.
NHS Cyber Alerts has issued a high-severity alert for a critical vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager, software used by organisations to manage and secure their wide area networks. The flaw, CVE-2026-20127, carries the maximum possible severity score of 10. It allows an attacker to bypass the login process entirely and gain high-level administrative access without a username or password. Cisco, the NCSC, and Five Eyes intelligence partners have confirmed that multiple threat actors have been actively exploiting this vulnerability, with observed attacks dating back to as early as 2023. Patches are now available.
Cisco SD-WAN products are used by enterprise organisations, including NHS trusts and their suppliers, to manage network connectivity across multiple sites. An attacker who exploits this flaw could manipulate an organisation's entire network configuration, intercept traffic, or use the access as a launchpad for further attacks. The fact that this has been exploited as a zero-day since 2023 means some organisations may already be compromised without knowing it. The NHS Cyber Alert specifically calls out edge devices like this as high-value targets that are increasingly exploited. For NHS suppliers, this is directly relevant to DSPT obligations around patch management and edge device security.
A critical vulnerability in a widely used enterprise file transfer product is being actively exploited by attackers in the wild. The flaw lets an attacker upload and run malicious files on the server without needing to log in. File transfer tools like these are commonly used by businesses to send large or sensitive files, including patient data, financial records, and contracts, between organisations. Researchers have observed attackers using this flaw to steal data and, in some cases, to plant backdoors for later access. A patch is available.
Enterprise file transfer products have become a favourite target for cyber criminals because they often sit on the edge of a network, handle valuable data, and are sometimes overlooked in patch management cycles. UK health organisations and their suppliers frequently use these tools to exchange data with NHS systems. A compromise could lead to a data breach affecting patient records, which carries serious regulatory and reputational consequences. Previous campaigns against similar products, such as the MOVEit attacks in 2023, caused widespread disruption across the public and private sectors.
A sophisticated phishing kit is being sold on criminal forums that allows attackers to bypass multi-factor authentication (MFA) on Microsoft 365 accounts. The kit works by sitting between the victim and the real Microsoft login page, capturing both the password and the MFA code in real time. Victims receive a convincing email — often themed around shared documents or urgent IT requests — and are directed to a fake login page. Because the kit passes the real login session through to Microsoft, the attacker receives a valid session cookie that lets them into the account without triggering further MFA checks.
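The session-cookie replay described above leaves a trace in sign-in telemetry: the cookie is minted for the victim's browser but then used from the attacker's network. The following Python sketch is an added illustration, not code from the original report; it runs over constructed sign-in records (field names are assumptions, not a real Entra ID schema) and flags MFA-satisfied sessions that are reused non-interactively from a different IP shortly after the interactive login.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs). Alice's session is
# reused from a second IP three minutes after her MFA login; Bob's is not.
SAMPLE_EVENTS = [
    {"user": "alice@example.org", "session_id": "S1", "ts": "2026-02-10T09:00:00",
     "ip": "203.0.113.10", "interactive": True, "mfa": True},
    {"user": "alice@example.org", "session_id": "S1", "ts": "2026-02-10T09:03:00",
     "ip": "198.51.100.7", "interactive": False, "mfa": True},
    {"user": "bob@example.org", "session_id": "S2", "ts": "2026-02-10T09:10:00",
     "ip": "203.0.113.22", "interactive": True, "mfa": True},
    {"user": "bob@example.org", "session_id": "S2", "ts": "2026-02-10T11:00:00",
     "ip": "203.0.113.22", "interactive": False, "mfa": True},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_session_replay(events, window=timedelta(minutes=30)):
    """Return one alert per (user, session) where an MFA-satisfied session is
    used non-interactively from an IP other than the one that completed the
    interactive login, within `window` of that login."""
    by_session = {}
    for event in events:
        by_session.setdefault((event["user"], event["session_id"]), []).append(event)

    alerts = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        # The interactive, MFA-satisfied event is where the victim's browser
        # actually completed the login (through the proxy in an AitM case).
        origin = next((e for e in evs if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue
        for event in evs:
            if event is origin or event["interactive"]:
                continue
            delta = parse_ts(event["ts"]) - parse_ts(origin["ts"])
            # A different IP inside the window is the replay signature. Mobile
            # carriers and VPNs also change IPs, so tune with ASN/country data.
            if event["ip"] != origin["ip"] and timedelta(0) <= delta <= window:
                alerts.append({"user": user, "session_id": sid,
                               "origin_ip": origin["ip"], "replay_ip": event["ip"],
                               "minutes": delta.total_seconds() / 60})
    return alerts
```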
Microsoft 365 is the most widely used email and productivity platform in the UK public sector and among NHS suppliers. Many organisations have invested in MFA as a key defence, so it can be unsettling to learn that certain phishing techniques can get around it. This does not mean MFA is useless — it still blocks the vast majority of credential attacks. It does mean that organisations should treat MFA as one layer of defence, not the only one. For digital health companies handling patient data, a compromised email account can quickly lead to a data breach.
Security researchers at Cisco Talos have uncovered an active cyber espionage campaign that has been running since at least December 2025. The group behind it, tracked as UAT-10027, has possible links to North Korea and shares technical similarities with the well-known Lazarus Group. The campaign uses a previously unseen piece of malware called Dohdoor, which acts as a backdoor into victims' systems. Attackers likely gain initial access through phishing emails, then run a chain of hidden scripts that load malicious code into legitimate Windows processes to avoid detection. The campaign has so far been observed targeting healthcare facilities — including an elderly care provider — and educational institutions in the United States.
North Korea-linked groups have a well-documented history of targeting healthcare organisations for financial gain, and their tactics do not respect borders. UK health organisations and NHS suppliers run much the same technology as the organisations already targeted, and the same phishing techniques work just as well against UK staff. The Dohdoor backdoor is designed to evade detection by security tools, making it harder to spot once it is inside a network. If an attacker gains persistent access through a backdoor like this, they can steal sensitive data, conduct reconnaissance, or deploy ransomware at their discretion. The NHS has previously been a high-profile victim of North Korean cyber activity, most notably during the WannaCry attack in 2017.
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.