Friday, June 5 2026

Cisco SD-WAN Flaw Exploited and Trend Micro Flaw Allows Security Bypass

Trend Micro’s Deep Security Agent for Linux has a design flaw that lets a local attacker without elevated privileges create short “blind spots”: brief windows during which the agent’s endpoint protections are not active.

The issue stems from how the agent unloads and reloads its bmhook and tmhook kernel modules under heavy local event load, creating a repeatable protection gap rather than a one‑off stability glitch.

Independent research on Trend Micro Deep Security Agent (DSA) found that a regular process can create a large number of harmless events in the file system and processes, putting pressure on the agent’s behavior-monitoring system.

In tests, a C-based proof-of-concept hammered file create/write/truncate/rename operations, symlink creation/removal, and fork/exit loops against a Linux host protected by DSA.

Rather than simply throttling telemetry, the agent’s ds_am.init component responded by invoking rmmod on the bmhook and tmhook kernel modules, fully unloading and then reloading the syscall-hooking and behavior-monitoring stack.

Affected components and current status

The issue has been seen in Ubuntu Linux systems using Trend Micro Deep Security Agent with the tmhook and bmhook kernel modules from the Linux support pack.

The study focuses on how the Linux agent tracks behavior, not on the Deep Security Manager. This is different from previous Deep Security CVEs about privilege escalation, code injection, and access control problems.

The event-storm reload issue does not currently appear as a CVE in public Deep Security vulnerability records, which may mean it is still under coordinated disclosure or has not yet been formally tracked.
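The practical question for a defender is whether the hook modules are present right now and how long they were gone during a reload. The following is an added example, not Trend Micro’s code and not taken from the research report; it assumes the module names are exactly bmhook and tmhook (as on the page) and that /proc/modules is sampled periodically by a cron job or agent health check. The /proc/modules snapshots and timeline are constructed.

```python
"""Detect the bmhook/tmhook protection gap from the defender's side.

Added example; it is not Trend Micro's code and the page gives no official
detection logic. Assumptions: the module names are exactly "bmhook" and
"tmhook" (as named on the page), and /proc/modules is sampled periodically.
"""
from __future__ import annotations

REQUIRED_MODULES = ("bmhook", "tmhook")  # assumption: module names from the page


def loaded_modules(proc_modules_text: str) -> set[str]:
    """Parse /proc/modules text. Each line is
    '<name> <size> <refcount> <users> <state> <offset>'; only the name is needed."""
    names = set()
    for line in proc_modules_text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def missing_hooks(proc_modules_text: str, required=REQUIRED_MODULES) -> list[str]:
    """Return the required hook modules that are NOT loaded, in the given order."""
    loaded = loaded_modules(proc_modules_text)
    return [name for name in required if name not in loaded]


def gap_windows(samples, required=REQUIRED_MODULES):
    """Turn a time-ordered list of (timestamp, /proc/modules text) samples into
    protection-gap windows: (start, end, missing_modules). A gap that is still
    open at the last sample gets end=None."""
    gaps = []
    gap_start = None
    gap_missing = None
    for ts, text in samples:
        missing = tuple(missing_hooks(text, required))
        if missing and gap_start is None:            # gap opens
            gap_start, gap_missing = ts, missing
        elif not missing and gap_start is not None:  # gap closes: modules are back
            gaps.append((gap_start, ts, gap_missing))
            gap_start = None
    if gap_start is not None:
        gaps.append((gap_start, None, gap_missing))
    return gaps


# Constructed /proc/modules snapshots (all sizes, users and offsets are made up).
SAMPLE_PROTECTED = (
    "bmhook 40960 2 - Live 0x0000000000000000\n"
    "tmhook 32768 1 bmhook, Live 0x0000000000000000\n"
    "nf_conntrack 172032 1 - Live 0x0000000000000000\n"
)
SAMPLE_UNPROTECTED = "nf_conntrack 172032 1 - Live 0x0000000000000000\n"

# Constructed timeline: the hooks disappear at t=5 and are back by t=15.
SAMPLE_TIMELINE = [
    (0, SAMPLE_PROTECTED),
    (5, SAMPLE_UNPROTECTED),
    (10, SAMPLE_UNPROTECTED),
    (15, SAMPLE_PROTECTED),
]


if __name__ == "__main__":
    for start, end, missing in gap_windows(SAMPLE_TIMELINE):
        print(f"protection gap from t={start} to t={end}: missing {missing}")
    # Live check on the current host (Linux only; skipped elsewhere).
    try:
        with open("/proc/modules") as fh:
            print("currently missing:", missing_hooks(fh.read()))
    except OSError:
        print("/proc/modules not available on this host")
```

The sampling interval bounds what this can see: a reload shorter than the interval is invisible to a polling check, so treat any observed gap as a lower bound and pair it with the agent’s own logs of ds_am.init activity.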

Cisco has disclosed a serious security flaw in its Catalyst SD-WAN Manager that is being actively exploited; attackers use it to run arbitrary commands with full control of the affected systems.

The flaw, tracked as CVE-2026-20245, has a CVSS score of 7.8. It stems from improper input handling (CWE-116) in the command-line interface of Cisco Catalyst SD-WAN Manager, formerly known as vManage.

Cisco’s security advisory (cisco-sa-sdwan-privesc-4uxFrdzx) says the weakness lets an authenticated attacker with netadmin rights upload a crafted file and run arbitrary commands, giving them total control of the system.

Cisco SD-WAN Security Flaw

Cisco’s Product Security Incident Response Team (PSIRT) said the weakness has already been exploited in the wild. In the cases observed, attackers used the flaw to make unauthorized changes to SD-WAN devices, consistent with follow-on activity aimed at persistence or altering the network.

The weakness comes from insufficient validation of user input when uploaded files are processed, which lets attackers inject commands that run with root access.

Cisco has shared indicators of compromise (IOCs) to help organizations find possible attacks. Security teams should check the scripts.log file in /var/log/ for unusual entries related to unexpected file uploads or command execution, especially entries mentioning scripts such as vconfd_script_upload_tenant_list.sh.

Administrators should preserve logs, check edge device configurations for unauthorized changes, and contact Cisco TAC if they suspect a breach. Cisco also notes that upgrading will not remediate systems that are already compromised, so additional incident response actions will be needed.
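To make the scripts.log review repeatable, here is an added triage helper; it is not Cisco’s tooling and is not derived from the advisory. The page supplies the log location (/var/log/scripts.log) and one script name to watch for (vconfd_script_upload_tenant_list.sh); the line format of the sample entries is constructed, not taken from a real appliance, and the second script name in the sample is invented for contrast. The logic flags any mention of a watched script for review and raises the severity when the same line also carries shell metacharacters or path traversal in its argument, which is the pattern one would expect from a file-upload command injection.

```python
"""Triage helper for the scripts.log check Cisco recommends.

Added example; it is not Cisco's tooling. The page names the log
(/var/log/scripts.log) and one script to look for
(vconfd_script_upload_tenant_list.sh); the line format of the sample
entries below is constructed, and the second script name is invented.
"""
import re

# Script names worth reviewing whenever they appear (from the page's IoC guidance).
WATCHED_SCRIPTS = ("vconfd_script_upload_tenant_list.sh",)

# Shell metacharacters and path traversal that should never appear in an uploaded
# file name handed to a script; together with a watched script they are a strong
# signal of command injection.
SUSPICIOUS_ARG = re.compile(r"[;|&`]|\$\(|\.\./")


def classify(line: str, watched=WATCHED_SCRIPTS):
    """Return 'high', 'review' or None for one scripts.log line."""
    mentions_watched = any(script in line for script in watched)
    has_meta = SUSPICIOUS_ARG.search(line) is not None
    if mentions_watched and has_meta:
        return "high"
    if mentions_watched or has_meta:
        return "review"
    return None


def scan_scripts_log(lines, watched=WATCHED_SCRIPTS):
    """Return (line_number, severity, line) for every line that needs attention."""
    hits = []
    for number, line in enumerate(lines, start=1):
        severity = classify(line, watched)
        if severity:
            hits.append((number, severity, line.rstrip("\n")))
    return hits


# Constructed sample: a normal run, an injected argument, and an unrelated script.
SAMPLE_LOG = [
    "2026-06-01 10:02:11 INFO running vconfd_script_upload_tenant_list.sh tenants.csv",
    "2026-06-01 10:03:40 INFO running vconfd_script_upload_tenant_list.sh 'tenants.csv; id'",
    "2026-06-01 10:05:02 INFO running vconfd_script_example_backup.sh nightly",
]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path).readlines() if path else SAMPLE_LOG
    for number, severity, line in scan_scripts_log(lines):
        print(f"{severity:6} line {number}: {line}")
```

Run it with the real log path as the only argument (for example, on the appliance, /var/log/scripts.log); with no argument it runs over the constructed sample. A "review" hit on the watched script is not proof of compromise, since the script also runs during legitimate administration, so compare each hit against change records and the tenant list actually uploaded before escalating.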

Mandiant reported the problem, showing how threat intelligence teams help find flaws that are being used. Since SD-WAN management platforms are important for business networks, this issue highlights the need to protect management interfaces, apply strict access rules, and watch for unusual activity.
