Zero-Day Attacks Target Firewalls
Enterprise security threats are escalating: 48% of zero-day exploits now target technology infrastructure such as Cisco and Fortinet firewalls and VPNs. The FBI is also investigating Chinese hackers who breached surveillance systems, while activity by Iranian APTs such as MuddyWater is spiking, with backdoors found in US networks following recent strikes.
State-sponsored cyber espionage is increasingly targeting difficult-to-monitor edge and networking devices to establish long-term footholds in strategic networks. In 2025 alone, Google's Threat Intelligence Group documented 90 zero-day vulnerabilities exploited in the wild, a notable increase from 78 in the prior year, underscoring the escalating threat landscape. Cisco recently disclosed a pair of "max-severity" vulnerabilities in its Secure Firewall Management Center software. Identified as CVE-2026-20079 and CVE-2026-20131, the flaws could permit an unauthenticated, remote attacker to gain root access and execute arbitrary code on affected devices.

The FBI breach investigation centers on the agency's Digital Collection System Network, which was compromised using "sophisticated" techniques. The attackers infiltrated the system, which contains unclassified but sensitive law enforcement data such as call logs and IP addresses from surveillance orders, by leveraging the infrastructure of a commercial internet service provider. U.S. officials have linked the FBI intrusion to a broader campaign by a China-nexus group known as "Salt Typhoon." This same group was previously identified as having breached major U.S. telecommunications providers, including Verizon and AT&T, in 2024 to access similar surveillance-related data.

The Iranian APT group MuddyWater, linked to Iran's Ministry of Intelligence and Security (MOIS), has been deploying a previously unknown backdoor named "Dindoor." This new malware, which leverages the Deno runtime for execution, has been found on the networks of a U.S. bank, an airport, and the Israeli branch of a U.S. aerospace and defense software supplier. MuddyWater's recent campaign, which began in early February 2026, also utilized a separate Python backdoor called "Fakeset." In at least one instance, the attackers attempted to exfiltrate