The Week in Vulnerabilities: Juniper, Cisco SD-WAN, and Critical ICS Exposure

Cyble Research & Intelligence Labs (CRIL) tracked 1,641 vulnerabilities between March 04 and March 10, 2026. Of these, 175 vulnerabilities already have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks. A total of 200 vulnerabilities were rated critical under CVSS v3.1, while 61 received critical severity under CVSS v4.0. Additionally, CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting confirmed exploitation in the wild, including legacy flaws still actively weaponized in operational environments. On the industrial side, CISA issued 9 ICS advisories covering 24 vulnerabilities, affecting vendors including Mitsubishi Electric, Hitachi Energy, Mobiliti, ePower, Everon, and Delta Electronics. The Week’s Top Vulnerabilities CVE-2026-21902 — Juniper Junos OS (Critical) CVE-2026-21902 is a critical authentication bypass and remote code execution vulnerability in Juniper Junos OS Evolved. The flaw exposes an internal anomaly detection service externally, allowing unauthenticated attackers to send crafted requests and execute arbitrary code as root. A publicly available PoC and underground forum discussions significantly increase the likelihood of exploitation. CVE-2026-20127 — Cisco SD-WAN (Critical) CVE-2026-20127 is a critical authentication bypass vulnerability affecting Cisco SD-WAN controllers. Due to flawed authentication logic, attackers can bypass peering authentication and gain administrative access over the network. Successful exploitation enables traffic manipulation, lateral movement, and persistent access across enterprise networks. CVE-2026-29000 — pac4j-jwt Library (Critical) CVE-2026-29000 is a critical authentication bypass vulnerability in the pac4j-jwt library. The flaw allows attackers with access to a public key to forge authentication tokens and impersonate any user, including administrators. CVE-2026-27971 — Qwik Framework (Critical) CVE-2026-27971 is a critical remote code execution vulnerability caused by unsafe deserialization in Qwik’s server-side RPC mechanism. A single malicious request can trigger arbitrary code execution on the backend server. CVE-2026-29128 — IDC SFX Satellite Receivers (Critical) CVE-2026-29128 involves hardcoded credentials and unauthenticated remote code execution in IDC SFX Series Satellite Receivers. Attackers can extract privileged credentials and execute commands as root, enabling full compromise of satellite communication infrastructure. Vulnerabilities Added to CISA KEV CISA continued expanding its KEV catalog with vulnerabilities reflecting active exploitation trends. Notable additions include: CVE-2021-22681 — Rockwell Automation credential exposure vulnerability enabling unauthorized OT access CVE-2017-7921 — Hikvision authentication bypass vulnerability still actively exploited years after disclosure These additions highlight the persistent risk of legacy vulnerabilities in both IT and OT environments. Critical ICS Vulnerabilities CISA issued 9 ICS advisories covering 24 vulnerabilities, with most rated high severity. CVE-2026-26051 — Mobiliti EV Charging Platform (Critical) CVE-2026-26051 is a critical missing authentication vulnerability in Mobiliti’s EV charging platform, allowing unauthenticated access to infrastructure systems. The risk is amplified by the absence of vendor patches or response, requiring organizations to implement independent mitigation controls. CVE-2026-22552 — ePower EV Charging Platform (Critical) CVE-2026-22552 is a critical authentication bypass vulnerability affecting ePower EV charging systems. Exploitation could enable unauthorized access to the charging infrastructure and service disruption. CVE-2026-26288 — Everon Platform (Critical) CVE-2026-26288 is a critical missing authentication vulnerability in Everon APIs, allowing attackers to access sensitive backend services without credentials. CVE-2026-1775 — Labkotec LID-3300IP (Critical) CVE-2026-1775 is a critical missing authentication vulnerability in Labkotec systems, where no fix is available for certain hardware versions, requiring device replacement. Impacted Critical Infrastructure Sectors Analysis shows that Energy and Transportation Systems account for 50% of ICS vulnerabilities, with Energy appearing in 62.5% of all cases . This highlights tightly coupled risks between energy infrastructure and transportation systems, particularly in emerging sectors such as EV charging ecosystems. Conclusion This week’s findings highlight a convergence of large-scale IT vulnerability disclosures, active exploitation trends, and increasing exposure across industrial environments. With 175 publicly available PoCs, active underground discussions, and KEV additions confirming exploitation, organizations must prioritize proactive defense strategies. Key recommendations include: Prioritizing vulnerabilities based on exploit availability and risk Securing internet-facing assets and critical infrastructure endpoints Implementing strong authentication and access controls Segmenting IT and OT environments to limit lateral movement Replacing or isolating unsupported and unpatched systems Continuously monitoring threat intelligence and underground activity Conducting regular security assessments and penetration testing Cyble’s attack surface management solutions enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. Combined with threat intelligence and third-party risk intelligence, organizations can proactively defend against evolving threats across both IT and ICS environments. The post The Week in Vulnerabilities: Juniper, Cisco SD-WAN, and Critical ICS Exposure appeared first on Cyble.