Daily Intel Brief

Daily Intel Brief — 2026-03-20

Arc Security Research

[Active Exploitation of Cisco SD-WAN Vulnerability]

What: UAT-8616 exploited CVE-2026-20127, chaining it with CVE-2022-20775 to achieve root-level access on Cisco Catalyst SD-WAN systems. Activity dates back to at least 2023.

Source: www.recordedfuture.com

Applies to: Organizations using Cisco Catalyst SD-WAN.

Why it matters: Sophisticated, long-term campaign provides persistent access to critical network infrastructure.

[New Tool for Secure File Upload Scanning]

What: Pompelmi is an open-source tool for secure file upload scanning in Node.js, directly relevant to the file content security gap highlighted in the Anthropic report.

Source: www.helpnetsecurity.com

Applies to: Applications with file upload functionality (like Claude Projects).

Why it matters: Provides a potential mitigation for the root cause (lack of content scanning) in the submitted vulnerability.

[CISA Adds New Actively Exploited Vulnerability]

What: CISA added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on March 16, 2026, based on evidence of active exploitation.

Source: www.cisa.gov

Applies to: General.

Why it matters: Federal agencies and prioritized organizations must patch these on mandated timelines; indicates active threat actor focus.

[Notepad++ Supply-Chain Attack by State Actor]

What: Suspected China state-sponsored actor Lotus Blossom exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver Cobalt Strike Beacon and the Chrysalis backdoor.

Source: www.recordedfuture.com

Applies to: Users of Notepad++ software.

Why it matters: Demonstrates continued actor focus on compromising trusted software distribution channels to gain widespread access.

[Hands-On Nuclei Template Training Lab]

What: Nuclei Templates Labs provides vulnerable environments with ready-to-use Nuclei templates for hands-on security testing and vulnerability detection practice.

Source: projectdiscovery.io

Applies to: Security teams and researchers.

Why it matters: Enables safe practice and validation of detection capabilities for common web vulnerabilities.

Sources reviewed

21 results. Most were generic threat lists, promotional content, or homepages with no specific technical findings for immediate action.

Gaps identified

Search returned no intelligence on AI platform-specific file upload vulnerabilities or social engineering via "companion" personality files. No direct external correlation to the Anthropic report's core issue. [Internal: We should create a research/ai-platform-file-upload.md file to capture this novel attack vector.]