Recent Breaches/Incidents

1. Ransomware Attack Forces Widespread Clinic Closures in Mississippi

https://www.bleepingcomputer.com/news/security/pharma-firm-inotiv-discloses-data-breach-after-ransomware-attack/

Description:

A major ransomware attack hit the University of Mississippi Medical Center (UMMC) on February 19, 2026, disrupting IT systems and forcing the closure of all outpatient clinics across the state. The incident knocked critical infrastructure offline, including the center’s Epic electronic health record (EHR) platform, and led to the cancellation of appointments and elective procedures.

The attack forced UMMC to take its network and phone systems offline as a precaution while containment and investigation efforts progressed. Clinics initially shut down statewide and remained closed through the following week to ensure systems could be safely restored.

Patients with time-sensitive needs, such as chemotherapy and urgent care, were prioritized, and some emergency services continued under manual (paper-based) downtime procedures. Hospital facilities and emergency departments in Jackson and other counties remained open throughout the outage.

The attack’s effect on outpatient care was profound, with many patients unable to keep scheduled appointments or undergo elective surgeries. In some cases, people traveled long distances only to find services unavailable due to the outage. Clinicians reverted to manual documentation and communication methods as digital systems remained inaccessible.

UMMC officials confirmed they were working with federal authorities, including the FBI, and national cybersecurity experts to investigate and respond to the breach. Efforts to restore normal operations gradually progressed, and clinics began reopening after more than a week of closure, with extended hours and outreach to reschedule canceled care.

As of the latest updates, it remains unclear whether sensitive patient data was compromised. UMMC has not disclosed details about the attackers or the specific ransomware strain involved. The center continues to assess the full scope and impact of the cyberattack.

Advisories/Vulnerabilities/Alerts

1. Critical Cisco SD-WAN Vulnerability Under Active Exploitation

Source Advisory URL: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Description:

Cisco has published a critical security advisory addressing a severe flaw in its SD-WAN infrastructure that is currently being exploited in the wild. The vulnerability, tracked as CVE-2026-20127, affects the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).

The flaw is an authentication bypass vulnerability in the peering authentication mechanism. An unauthenticated, remote attacker could send specially crafted requests to a vulnerable system and bypass authentication controls. This may allow them to log in with high-privileged access to affected SD-WAN components. Once authenticated, the attacker could manipulate critical network configuration using protocols like NETCONF.

The vulnerability carries a CVSS score of 10.0, the highest severity level, reflecting its serious impact and ease of exploitation.

Multiple independent security reports indicate this vulnerability has been exploited in the wild, with activity traced back to at least 2023. Threat actors are using the flaw to gain unauthorized administrative access and may even establish persistent footholds within SD-WAN environments.

Due to this ongoing exploitation, the Cybersecurity and Infrastructure Security Agency has issued Emergency Directive 26-03, requiring federal agencies to mitigate affected systems immediately.

The vulnerability affects the following deployment types:

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP Environment

Recommended Actions:

Cisco has released security updates to address this flaw. There are no workarounds, so applying the patch is the primary mitigation. Additional recommendations include:

  • Restricting management interfaces from the public internet
  • Applying access control lists (ACLs) to limit traffic to trusted hosts
  • Monitoring authentication and peering logs for unusual access attempts

Cisco also provides hardening guidance to help secure SD-WAN deployments.

2. Fortinet Warns of Critical FortiCloud SSO Authentication Bypass

Source Advisory URL: https://www.fortiguard.com/psirt/FG-IR-26-060

Description:

Fortinet has released an important security advisory, FG-IR-26-060, addressing a critical authentication bypass vulnerability affecting its products when FortiCloud Single Sign-On (SSO) is enabled. The flaw is tracked as CVE-2026-24858 and has been seen exploited in real-world attacks.

The issue stems from a flawed authentication mechanism in FortiCloud SSO that could allow an attacker with a valid FortiCloud account and registered device to bypass administrative login controls on other devices registered to different accounts, without needing proper credentials. Although FortiCloud SSO isn’t enabled by default, it can be activated during device registration unless explicitly disabled.

Multiple Fortinet products are affected if they are using FortiCloud SSO and running vulnerable versions:

  • FortiOS
  • FortiManager
  • FortiAnalyzer
  • FortiProxy
  • FortiWeb
  • FortiSwitchManager

Fortinet confirmed that two malicious FortiCloud accounts were observed exploiting this vulnerability in the wild prior to being locked out on January 22, 2026. To protect customers while patches were rolled out, Fortinet temporarily disabled FortiCloud SSO on its side on January 26. It was later re-enabled on January 27 with protections for patched devices.

Recommended Actions:

To mitigate this risk:

  • Upgrade all affected Fortinet devices to the fixed versions listed in the advisory as soon as possible.
  • If immediate upgrade isn’t feasible, disable FortiCloud SSO until patched versions are in place.
  • Restrict administrative interfaces to trusted networks to minimize exposure.

3. CISA Warns of BeyondTrust Remote Code Execution Being Used in Ransomware Attacks

Source Advisory URL: https://www.bleepingcomputer.com/news/security/cisa-beyondtrust-rce-flaw-now-exploited-in-ransomware-attacks

Description:

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert confirming that threat actors are actively exploiting a serious vulnerability in BeyondTrust products as part of ransomware campaigns. The flaw, tracked as CVE-2026-1731, affects both BeyondTrust Remote Support and Privileged Remote Access (PRA) software and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-1731 is a pre-authentication remote code execution (RCE) flaw caused by an operating system command injection weakness. It allows an unauthenticated attacker to send specially crafted requests to affected installations, potentially executing arbitrary code on the underlying system.

The vulnerability impacts:

  • Remote Support versions 25.3.1 and earlier
  • Privileged Remote Access versions 24.3.4 and earlier

CISA initially added the flaw to the KEV catalog on February 13 and gave federal agencies only a three-day timeline to either patch affected systems or discontinue use of the vulnerable products.

Recommended Actions:

To mitigate the risk posed by this vulnerability:

  • Apply vendor patches immediately:
    • Upgrade Remote Support to version 25.3.2 or later
    • Upgrade Privileged Remote Access to version 25.1.1 or later
  • Enable automatic updates for cloud instances; BeyondTrust reported that SaaS deployments were auto-patched on February 2.
  • Verify the patch status of every self-hosted system, whether it was updated through the management interface or patched manually.

If patching immediately is not possible, organizations should restrict access to BeyondTrust management interfaces from untrusted networks and consider isolating vulnerable systems until they are updated.
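As an added example (not part of the CISA alert or any BeyondTrust tooling), the following script triages a self-hosted BeyondTrust inventory against the version ranges stated above, flagging installations that fall between the last known-vulnerable release and the first fixed release for manual confirmation rather than assuming they are safe. Hostnames and versions in the sample inventory are constructed.

```python
# Added example, not part of the CISA alert or BeyondTrust's tooling: triage a
# self-hosted BeyondTrust inventory against the CVE-2026-1731 version ranges
# stated above. Hostnames and versions in the sample inventory are constructed.

# Version boundaries taken from the advisory summary above.
LAST_VULNERABLE = {"Remote Support": (25, 3, 1), "Privileged Remote Access": (24, 3, 4)}
FIRST_FIXED = {"Remote Support": (25, 3, 2), "Privileged Remote Access": (25, 1, 1)}


def parse_version(text):
    """Turn '25.3.1' into (25, 3, 1); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product, version):
    """Classify one installation as 'vulnerable', 'patched' or 'verify'.

    'verify' covers versions above the last known-vulnerable release but below
    the first fixed one (e.g. PRA 24.3.5 through 25.1.0); the alert does not
    name them, so confirm with the vendor instead of assuming they are safe.
    """
    if product not in LAST_VULNERABLE:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    if v <= LAST_VULNERABLE[product]:
        return "vulnerable"
    if v >= FIRST_FIXED[product]:
        return "patched"
    return "verify"


def triage_inventory(inventory):
    """Map hostname -> status for an iterable of (hostname, product, version)."""
    return {host: triage(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("rs-01.example.internal", "Remote Support", "25.3.1"),
    ("rs-02.example.internal", "Remote Support", "25.3.2"),
    ("pra-01.example.internal", "Privileged Remote Access", "24.3.4"),
    ("pra-02.example.internal", "Privileged Remote Access", "24.3.5"),
    ("pra-03.example.internal", "Privileged Remote Access", "25.1.1"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {host}")
```

Feed it the output of your asset inventory instead of the constructed list; anything reported as "verify" should be checked against the vendor advisory before being treated as patched.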