Focus Friday: TPRM Insights On Critical Vulnerabilities in Solarwinds Serv-U, Jenkins, Cisco Catalyst SD-WAN, and n8n
Introduction
Welcome to this week’s Focus Friday, our ongoing series providing Third-Party Risk Management (TPRM) professionals with actionable intelligence on the most significant cybersecurity incidents. As 2026 continues to present complex challenges in the software supply chain, organizations must shift from reactive broad-spectrum querying to targeted, data-driven assessments. This week, we examine a critical zero-day exploit in Cisco Catalyst SD-WAN and multiple RCE flaws in the n8n automation platform, alongside high-priority vulnerabilities in SolarWinds Serv-U and Jenkins Core.

Filtered view of companies with SolarWinds Serv-U - Feb2026 FocusTag® on the Black Kite platform.
By utilizing Black Kite’s FocusTags®, organizations can move beyond manual, broad-spectrum vendor surveys and instead apply a data-driven approach to identify and mitigate these specific risks within their vendor ecosystem.
SolarWinds Serv-U - Feb2026 (CVE-2025-40541, CVE-2025-40540, CVE-2025-40539, CVE-2025-40538)
What are the SolarWinds Serv-U Remote Code Execution Vulnerabilities?
On February 24, 2026, SolarWinds disclosed four critical security flaws within its Serv-U FTP and Managed File Transfer (MFT) Server products. These vulnerabilities, assigned a high-severity CVSS score of 9.1, include an Insecure Direct Object Reference (IDOR) weakness (CVE-2025-40541), two separate type confusion bugs (CVE-2025-40540 and CVE-2025-40539), and a broken access control issue (CVE-2025-40538). Successful exploitation of these flaws could allow an attacker to achieve remote code execution (RCE) and gain root-level or administrative control over the affected server.
The vulnerabilities were published in late February 2026 and currently maintain EPSS scores of 0.04% for CVEs -40541, -40540, and -40539, and 0.03% for CVE-2025-40538. While these specific flaws are not yet listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog and no public proof-of-concept (PoC) exploits have been widely reported at the time of publication, SolarWinds has urged immediate patching due to the potential for full system compromise.
Why Should TPRM Professionals Prioritize the Serv-U Vulnerabilities?
Managed File Transfer (MFT) and FTP servers are critical components of the corporate supply chain, specifically designed to handle and store sensitive data such as PII, financial records, and proprietary intellectual property. Because these servers often sit on the network perimeter to facilitate external partner communications, they represent a high-value target for threat actors.
If a vendor's Serv-U instance is compromised via these RCE flaws, an attacker could potentially intercept or modify sensitive files, deploy ransomware, or use the root-level access to move laterally into the vendor's internal network. For a TPRM professional, a vulnerability in this product type is not just a technical bug; it is a direct threat to the confidentiality and integrity of the data shared with that third party.
What questions should TPRM professionals ask vendors about these Serv-U vulnerabilities?
To assess the risk exposure of your third-party ecosystem, consider the following targeted questions for vendors utilizing SolarWinds Serv-U:
- Have you upgraded all instances of SolarWinds Serv-U FTP Server and Serv-U Managed File Transfer (MFT) Server to version 15.5.4 or later to mitigate the risk of CVE-2025-40541, CVE-2025-40540, CVE-2025-40539, and CVE-2025-40538?
- Can you confirm if you have implemented the recommended actions such as restricting network exposure, monitoring for suspicious activity, conducting post-update validation, and applying the principle of least privilege to mitigate the risk of these vulnerabilities?
- Have you reviewed logs for indicators such as unexpected command execution, unusual authentication patterns, unauthorized administrator account creation, or privilege escalation events as part of your response to these vulnerabilities?
- After applying updates to SolarWinds Serv-U, did you verify that all components are fully patched and review systems for any signs of prior compromise?
Remediation Recommendations for Vendors subject to this risk
SolarWinds and security researchers recommend several immediate technical steps to mitigate the risks associated with these vulnerabilities:
- Apply Security Updates: The most effective defense is an immediate upgrade to SolarWinds Serv-U version 15.5.4 or later, which contains the official fixes for all four critical CVEs.
- Segment and Restrict Access: Limit network exposure by ensuring that Serv-U management interfaces are not accessible from the public internet. Use secure gateways or trusted IP ranges to restrict traffic.
- Enforce Least Privilege: Configure the underlying service accounts for Serv-U to run with minimal necessary permissions, reducing the likelihood of an attacker gaining full host control.
- Validate Post-Patch Integrity: After updating, conduct a thorough validation to ensure no unauthorized modifications or persistence mechanisms were established prior to the remediation.
How TPRM professionals can leverage Black Kite for this vulnerability
Black Kite enables organizations to identify which of their vendors are running vulnerable versions of SolarWinds Serv-U without the need for manual questionnaires. We published the SolarWinds Serv-U - Feb2026 FocusTag® on February 24, 2026, the same day the vulnerabilities were disclosed.
TPRM professionals can operationalize this intelligence by filtering their vendor ecosystem for this tag to see a prioritized list of at-risk partners. A primary differentiator of the Black Kite platform is the provision of specific asset details, including the IP addresses and subdomains where the vulnerable product was detected. This level of granular detail allows users to provide vendors with actionable evidence, significantly accelerating the remediation process and reducing the overall time to resolution.

Black Kite's SolarWinds Serv-U - Feb2026 FocusTag® details critical insights on the event for TPRM professionals.
Jenkins - Feb2026 (CVE-2026-27099 and CVE-2026-27100)
What are the Jenkins Core Vulnerabilities?
On February 18, 2026, the Jenkins project released a security advisory detailing two distinct vulnerabilities in Jenkins Core (Weekly and LTS versions).
The first, CVE-2026-27099, is a high-severity stored Cross-Site Scripting (XSS) flaw. It stems from a failure to properly sanitize user-provided HTML in the "offline cause" description field for nodes. An attacker with permissions to configure or disconnect agents (Agent/Configure or Agent/Disconnect) can inject malicious scripts into the "Mark temporarily offline" reason field. These scripts then execute in the context of any user's session—including administrators—who views that node's status page. This vulnerability carries a CVSS score of 8.0 and an EPSS score of 0.02.
The second, CVE-2026-27100, is a medium-severity information disclosure vulnerability involving the "Run Parameter" feature. Jenkins previously accepted Run Parameter values that referenced builds the submitting user was not authorized to access. This allows attackers with build and configuration permissions (Item/Build and Item/Configure) to perform internal reconnaissance by verifying the existence of jobs and builds, and potentially viewing their display names. This flaw has a CVSS score of 4.3 and an EPSS score of 0.02.
Both vulnerabilities were published within the last week. At this time, there are no reports of these flaws being exploited in the wild, and they are not listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Why Jenkins Flaws Create Significant Risks for Third-Party Ecosystems
Jenkins serves as the central hub for many organizations' continuous integration and continuous delivery (CI/CD) pipelines. Because these servers manage source code, build secrets, and deployment credentials, they are high-value targets for supply chain attacks.
From a TPRM perspective, a stored XSS vulnerability on a Jenkins server is particularly dangerous. If an attacker hijacks an administrator's session, they could potentially gain full control over the build environment. This could allow for the injection of malicious code into software artifacts before they are shipped to customers, or the theft of sensitive API keys and credentials used in the deployment process. The information disclosure flaw, while lower in severity, provides attackers with the metadata needed to map out internal project structures and identify high-value targets within the build infrastructure.
What questions should TPRM professionals ask vendors about these Jenkins vulnerabilities?
To evaluate the potential risk within your supply chain, consider asking your vendors the following targeted questions:
- Does your organization utilize Jenkins Core (Weekly or LTS) for software development or deployment, and have you confirmed an upgrade to version 2.551 or 2.541.2?
- If an immediate upgrade is not possible, have you verified that the default Content Security Policy (CSP) is active and strictly enforced on all Jenkins instances?
- Have you performed an audit of user permissions to ensure that "Agent/Configure" and "Agent/Disconnect" rights are restricted to the absolute minimum number of authorized personnel?
- Are Jenkins instances that handle sensitive production code isolated from the public internet and restricted to internal or VPN-only access?
Remediation Recommendations for Vendors subject to this risk
Vendors running Jenkins should prioritize the following technical remediation steps to secure their CI/CD environment:
- Upgrade Jenkins Core Immediately: Update Jenkins Weekly to version 2.551 or Jenkins LTS to version 2.541.2. These versions include the necessary fixes to escape user-provided descriptions and reject unauthorized Run Parameter references.
- Enforce Content Security Policy (CSP): For those on versions 2.539 or newer who cannot patch immediately, ensuring the CSP is enforced can help prevent the execution of injected XSS payloads.
- Permissions Audit: Review and apply the principle of least privilege to the Agent and Item permission sets. Specifically, restrict who can mark nodes offline or configure builds to prevent the initial injection of malicious data.
- Monitor Administrative Actions: Regularly review Jenkins logs for unusual activity in node configurations or unexpected changes to the "offline cause" fields.
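One way to carry out the "offline cause" review described above, as an added example that is not code from the Jenkins project or from Black Kite: it scans a node listing for offline reasons that contain HTML markup. The JSON shape (computer[].displayName, offlineCauseReason) is assumed to match what the Jenkins /computer/api/json endpoint returns, and the sample data is constructed.

```python
import json
import re

# Constructed sample shaped like a Jenkins /computer/api/json response.
# The field names are an assumption of this example; the data is invented.
SAMPLE_COMPUTERS = json.dumps({
    "computer": [
        {"displayName": "built-in", "temporarilyOffline": False,
         "offlineCauseReason": ""},
        {"displayName": "agent-linux-01", "temporarilyOffline": True,
         "offlineCauseReason": "Kernel patching until 18:00 UTC"},
        {"displayName": "agent-win-02", "temporarilyOffline": True,
         "offlineCauseReason": "maintenance <img src=x onerror=alert(1)>"},
        {"displayName": "agent-mac-03", "temporarilyOffline": True,
         "offlineCauseReason": "disk swap <script>alert(1)</script>"},
    ]
})

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)([^>]*)>")
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}


def classify_reason(reason):
    """Return sorted finding labels for one offline-cause string."""
    findings = set()
    for name, attrs in TAG_RE.findall(reason):
        findings.add("html-tag")
        if name.lower() in ACTIVE_ELEMENTS:
            findings.add("active-element")
        # Event handlers only count when they sit inside a tag, so plain
        # text such as "online = yes" is not flagged.
        if HANDLER_RE.search(attrs):
            findings.add("event-handler")
    if JS_URI_RE.search(reason):
        findings.add("javascript-uri")
    return sorted(findings)


def find_suspicious_offline_causes(api_json):
    """List nodes whose offline reason contains markup worth reviewing."""
    report = []
    for node in json.loads(api_json).get("computer", []):
        reason = node.get("offlineCauseReason") or ""
        findings = classify_reason(reason)
        if findings:
            report.append({
                "node": node.get("displayName", "?"),
                "findings": findings,
                "reason": reason,
            })
    return report


if __name__ == "__main__":
    for entry in find_suspicious_offline_causes(SAMPLE_COMPUTERS):
        print(entry["node"], entry["findings"], repr(entry["reason"]))
```

A hit on an instance that is already patched still deserves follow-up, because it shows someone with Agent/Configure or Agent/Disconnect rights stored markup in the field.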
How TPRM professionals can leverage Black Kite for this vulnerability
Black Kite published the Jenkins - Feb2026 FocusTag® on February 20, 2026, shortly after the initial disclosure. This tag allows TPRM professionals to immediately identify which vendors in their ecosystem are running vulnerable versions of Jenkins Core.
Instead of waiting for manual responses to security questionnaires, Black Kite customers can filter their vendor list by this tag to see a prioritized view of the risk. A key advantage of using Black Kite for this incident is the visibility into specific asset information. The platform provides the IP addresses and subdomains of the exposed Jenkins instances, allowing TPRM teams to provide vendors with precise data to facilitate faster remediation and verify that critical pipelines are secured against these recent flaws.

Black Kite's Jenkins - Feb2026 FocusTag® details critical insights on the event for TPRM professionals.
Cisco Catalyst SD-WAN (CVE-2026-20127 and CVE-2022-20775)
What are the Cisco Catalyst SD-WAN Authentication Bypass and Privilege Escalation Vulnerabilities?
On February 25, 2026, Cisco disclosed a critical zero-day vulnerability, CVE-2026-20127, impacting the Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage). This authentication bypass flaw carries a maximum CVSS score of 10.0 and allows unauthenticated remote attackers to send crafted requests to bypass peering authentication. Successful exploitation grants the attacker high-privileged NETCONF access, which enables the manipulation of the entire SD-WAN fabric.
This flaw is frequently chained with CVE-2022-20775, a high-severity privilege escalation vulnerability (CVSS 7.8) found in the CLI of Cisco SD-WAN software. While the latter is an older flaw, threat actor UAT-8616 has been observed intentionally downgrading systems to vulnerable releases (18.4 through 20.8) to exploit it and gain permanent root persistence. Both vulnerabilities were added to CISA's Known Exploited Vulnerabilities (KEV) catalog on February 25, 2026. CISA and Cisco released advisories on this date, noting that these vulnerabilities are currently being exploited in the wild to facilitate data exfiltration and lateral movement.
Why TPRM Professionals Should Prioritize the Cisco SD-WAN Vulnerabilities
SD-WAN solutions serve as the central nervous system for modern corporate networks, handling the routing and security of traffic across distributed environments. Because the Cisco Catalyst SD-WAN Manager and Controller oversee the entire network fabric, a compromise in these components is equivalent to an attacker gaining the "keys to the kingdom."
From a TPRM perspective, a vulnerable vendor puts all data transiting their network at risk. An attacker with root-level access can intercept sensitive communications, modify configurations to create persistent backdoors, and move laterally into connected cloud or on-premise environments. Unlike vulnerabilities in isolated applications, flaws in network infrastructure like SD-WAN require immediate attention because they bypass traditional perimeter defenses and expose the core of the vendor's security architecture.
What questions should TPRM professionals ask vendors about the Cisco SD-WAN vulnerabilities?
To evaluate the risk exposure within your third-party ecosystem, consider asking the following targeted questions:
- Have you upgraded all instances of Cisco Catalyst SD-WAN Controllers and Managers to the fixed releases to mitigate the risk of CVE-2026-20127 and CVE-2022-20775?
- Have you implemented network mitigations such as using Access Control Lists (ACLs) or firewalls to restrict traffic on Port 22 (SSH) and Port 830 (NETCONF) to only allow connections from known, trusted controller and administrative IP addresses?
- Can you confirm if you have audited all local user accounts, specifically looking for the creation, usage, and immediate deletion of malicious accounts, and ensured that the "vmanage-admin" account has not been tampered with?
- Have you audited your environments for indicators of UAT-8616 activity, such as searching for "Accepted publickey for vmanage-admin" originating from unknown or unauthorized IP addresses, and reviewing logs for unauthorized control connection peering events (type: vmanage)?
Remediation Recommendations for Vendors subject to this risk
Vendors utilizing affected Cisco SD-WAN products should prioritize the following technical remediation steps:
- Apply Fixed Software Releases: Immediately upgrade all Cisco Catalyst SD-WAN Controllers and Managers. If running end-of-life versions (earlier than 20.9), migrate to a supported and patched software track without delay.
- Restrict Network Exposure: Use firewalls or ACLs to limit access to management interfaces. Ensure that peering and administrative ports are not reachable from the public internet.
- Audit for Compromise: Search for the high-fidelity indicator "Accepted publickey for vmanage-admin" originating from unknown IPs and review "control-connection-state-change" logs for unauthorized peers.
- Validate Version Integrity: Regularly verify that systems have not been downgraded to older, vulnerable software versions, a tactic used by threat actors to regain root persistence.
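The compromise audit above, as an added example (not Cisco's or Black Kite's code): it flags "Accepted publickey for vmanage-admin" logins and vmanage-type peering events whose source address is outside a trusted list. The trusted networks, the host names and the sample log lines are constructed; the sshd line follows the standard OpenSSH format, while the key:value layout of the control-connection line is an assumption.

```python
import ipaddress
import re

# Assumption: networks your own controllers and admin jump hosts connect from.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.20.0.0/24", "192.0.2.10/32")]

# Constructed log lines. The control-connection field layout
# (peer-type:, public-ip:) is an assumption of this example.
SAMPLE_LOG = """\
Feb 24 02:11:09 vmanage1 sshd[4121]: Accepted publickey for vmanage-admin from 10.20.0.7 port 50122 ssh2
Feb 24 02:14:31 vmanage1 sshd[4188]: Accepted publickey for vmanage-admin from 203.0.113.45 port 41876 ssh2
Feb 24 02:15:02 vmanage1 sshd[4190]: Accepted password for netops from 198.51.100.9 port 40001 ssh2
Feb 24 02:16:40 vsmart1 VDAEMON_0[2571]: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:10.20.0.7 public-ip:10.20.0.7
Feb 24 02:17:55 vsmart1 VDAEMON_0[2571]: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:10.20.0.9 public-ip:203.0.113.45
Feb 24 02:18:03 vsmart1 VDAEMON_0[2571]: control-connection-state-change new-state:up peer-type:vedge peer-system-ip:10.30.1.2 public-ip:198.51.100.77
"""

# Each rule captures the source address of the event in group 1.
RULES = [
    ("ssh-vmanage-admin",
     re.compile(r"Accepted publickey for vmanage-admin from (\S+) port \d+")),
    ("vmanage-peering",
     re.compile(r"control-connection-state-change\b.*\bpeer-type:vmanage\b"
                r".*\bpublic-ip:(\S+)")),
]


def is_trusted(ip_text):
    """True when ip_text parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def find_alerts(log_text):
    """Return one alert per log line that matches a rule from an untrusted IP."""
    alerts = []
    for line in log_text.splitlines():
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match and not is_trusted(match.group(1)):
                alerts.append({"rule": rule,
                               "source_ip": match.group(1),
                               "line": line})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['source_ip']}: {alert['line']}")
```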
How TPRM professionals can leverage Black Kite for this vulnerability
Black Kite published the Cisco Catalyst SD-WAN FocusTag® on February 26, 2026, following the CISA KEV update and official Cisco disclosures. This tag allows TPRM professionals to instantly identify which vendors in their ecosystem are potentially exposed to this critical attack chain.
Operationalizing this tag provides a significant advantage by highlighting specific asset information, such as the IP addresses and subdomains of the vulnerable SD-WAN controllers and managers. By providing vendors with these exact technical details, TPRM teams can bypass generic outreach and demand specific evidence of patching for the identified vulnerable assets. This data-driven approach accelerates the remediation process and ensures that the most critical points of failure in the supply chain are addressed before threat actors can achieve permanent persistence.

Black Kite's Cisco Catalyst SD-WAN FocusTag® details critical insights on the event for TPRM professionals.
n8n - Feb2026 (Latest) (CVE-2026-27497, CVE-2026-27577, CVE-2026-27495)
What are the n8n Workflow Automation Critical RCE Vulnerabilities?
In February 2026, researchers disclosed three critical remote code execution (RCE) flaws in n8n, a popular workflow automation platform. These vulnerabilities—CVE-2026-27497, CVE-2026-27577, and CVE-2026-27495—each carry a CVSS score of 9.4 and an EPSS score of 0.02%.
The most severe flaw, CVE-2026-27577, is a sandbox escape that bypasses previous security controls (specifically those for CVE-2025-68613) by using JavaScript "with" statements and prototype chain tricks to access the Global Function Constructor. CVE-2026-27497 involves a command injection risk in the Merge node’s SQL Query mode, where unauthenticated or low-privileged users can execute system commands. Finally, CVE-2026-27495 targets the JavaScript Task Runner, allowing code to break out of the runner's isolated environment directly into the main n8n process.
While these flaws were published in late February 2026 and have not yet been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, public proof-of-concept (PoC) exploits are expected shortly given the nature of the research.
Why TPRM Professionals Should Address n8n Automation Risks
Workflow automation tools like n8n serve as the "central nervous system" of a vendor's digital operations, often possessing high-level permissions to cloud infrastructure, CRM systems, and internal databases. A compromise of an n8n instance is rarely an isolated event; it typically grants an attacker access to the sensitive API keys and credentials stored within the platform.
From a TPRM perspective, these RCE vulnerabilities represent a significant supply chain threat. If a vendor's automation hub is hijacked, an attacker could manipulate business workflows, exfiltrate the data being processed—such as customer records or financial transactions—or use the n8n server as a pivot point to enter other parts of the vendor's network. Because these tools are designed to move data between systems, they are a primary target for actors seeking to automate data theft at scale.
What questions should TPRM professionals ask vendors about these n8n vulnerabilities?
To evaluate the risk profile of your third-party ecosystem, consider these targeted questions for vendors utilizing n8n:
- Have all n8n instances in your environment been updated to versions 2.10.1, 2.9.3, or 1.123.22 (or later) to address the latest RCE and sandbox escape flaws?
- Do you currently employ n8n’s Task Runner with the "external" mode setting to ensure that potential sandbox escapes are isolated from the main host process?
- Have your security teams audited the workflows database table for suspicious use of the "with(" or "constructor" keywords within your custom JavaScript nodes?
- Is access to creating and editing workflows restricted to a small group of trusted administrators, or can lower-privileged users configure automation nodes?
Remediation Recommendations for Vendors subject to this risk
Vendors running self-hosted n8n instances should take the following technical actions to secure their environments:
- Update to Patched Versions: Immediately install the latest security updates (version 2.10.1, 2.9.3, or 1.123.22), which include critical fixes for AST parsing and SQL injection logic.
- Implement Execution Isolation: Switch n8n runners to external mode (N8N_RUNNERS_MODE=external) to mitigate the impact of a sandbox breakout.
- Exclude Vulnerable Nodes: If immediate patching is not possible, disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.
- Review Persistence and Logs: Audit the n8n data directory and /tmp for unauthorized binary files or scripts that may have been dropped during an exploitation attempt.
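A sketch of the workflow audit and the two interim settings above, as an added example that is not n8n's or Black Kite's code: it walks every string parameter of every node for the "with(" and "constructor" keywords, lists workflows that use the Merge node, and checks N8N_RUNNERS_MODE and NODES_EXCLUDE. The workflow shape (name, nodes[].name/type/parameters) and the JSON-array form of NODES_EXCLUDE are assumptions; the sample workflows are constructed.

```python
import json
import re

PATTERNS = {
    "with-statement": re.compile(r"\bwith\s*\("),
    "constructor-access": re.compile(r"\bconstructor\b"),
}
MERGE_NODE = "n8n-nodes-base.merge"

# Constructed workflows in the assumed export shape. Both hits are ordinary
# code, which is the point: every match needs a human look.
SAMPLE_WORKFLOWS = [
    {"name": "invoice-sync", "nodes": [
        {"name": "Totals", "type": "n8n-nodes-base.code", "parameters": {
            "jsCode": "with (item.json) { return [{ total: price * qty }]; }"}},
        {"name": "Label", "type": "n8n-nodes-base.set", "parameters": {
            "values": {"string": [
                {"name": "kind",
                 "value": "={{ $json.payload.constructor.name }}"}]}}},
    ]},
    {"name": "crm-export", "nodes": [
        {"name": "Combine", "type": MERGE_NODE,
         "parameters": {"mode": "append"}},
    ]},
]


def iter_strings(value, path=""):
    """Yield (path, text) for every string nested in a node's parameters."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from iter_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from iter_strings(child, f"{path}[{index}]")


def audit_workflow(workflow):
    """Return (workflow, node, parameter path, rule) for each keyword hit.

    Plain keyword matching misses obfuscated spellings (for example
    string concatenation), so a clean result is not proof of safety.
    """
    hits = []
    for node in workflow.get("nodes", []):
        for path, text in iter_strings(node.get("parameters", {})):
            for rule, pattern in PATTERNS.items():
                if pattern.search(text):
                    hits.append((workflow.get("name"), node.get("name"),
                                 path, rule))
    return hits


def workflows_using_merge(workflows):
    """Names of workflows that would break if the Merge node is excluded."""
    return [wf.get("name") for wf in workflows
            if any(n.get("type") == MERGE_NODE for n in wf.get("nodes", []))]


def audit_settings(env):
    """Gaps in the interim mitigations for an instance not yet patched."""
    gaps = []
    if env.get("N8N_RUNNERS_MODE") != "external":
        gaps.append("N8N_RUNNERS_MODE is not 'external'")
    raw = env.get("NODES_EXCLUDE", "")
    try:
        excluded = json.loads(raw) if raw else []
    except json.JSONDecodeError:
        excluded = [part.strip() for part in raw.split(",")]
    if MERGE_NODE not in excluded:
        gaps.append(f"{MERGE_NODE} is not in NODES_EXCLUDE")
    return gaps


if __name__ == "__main__":
    for wf in SAMPLE_WORKFLOWS:
        for hit in audit_workflow(wf):
            print("review:", hit)
    print("uses Merge:", workflows_using_merge(SAMPLE_WORKFLOWS))
    print("gaps:", audit_settings({"N8N_RUNNERS_MODE": "internal"}))
```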
How TPRM professionals can leverage Black Kite for this vulnerability
Black Kite published the n8n - Feb2026 (Latest) FocusTag® on February 26, 2026, providing rapid coverage for these critical automation flaws. This tag enables TPRM professionals to instantly filter their vendor list to see which partners are running exposed n8n instances before they can be weaponized in the wild.
A key differentiator for Black Kite is the inclusion of specific asset details, such as the subdomains or IP addresses where the self-hosted n8n webhooks or management consoles are located. This level of granularity allows TPRM teams to move beyond generic alerts and present vendors with concrete evidence of their exposure. By pointing exactly to the vulnerable automation infrastructure, organizations can drive much faster remediation and verify that their supply chain's "central nervous system" is properly defended.
Black Kite's n8n - Feb2026 (Latest) FocusTag® details critical insights on the event for TPRM professionals.
Strengthening TPRM Outcomes with Black Kite’s FocusTags®
In an era where high-profile vulnerabilities in core infrastructure—like the critical zero-day in Cisco Catalyst SD-WAN or complex RCEs in n8n automation—can emerge overnight, the ability to act with precision is the ultimate competitive advantage for TPRM teams. Black Kite’s FocusTags® transform how organizations approach these "all-hands" security events by providing:
- Surgical Visibility: Instantly filter your entire vendor ecosystem to identify only those entities exposed to specific, high-priority threats like the February 2026 Cisco, n8n, Jenkins, or SolarWinds flaws.
- Actionable Asset Intelligence: Go beyond simple "yes/no" indicators. Black Kite provides specific IP and subdomain data, allowing you to tell a vendor exactly where their vulnerability lies, eliminating guesswork and vendor pushback.
- Prioritized Remediation: Focus your team’s limited bandwidth on the most critical vendors and the most severe vulnerabilities—such as the CVSS 10.0 Cisco SD-WAN bypass—ensuring that your high-impact supply chain partners are secured first.
- Reduced Questionnaire Fatigue: By leading with technical evidence, you can skip the broad "Are you affected?" emails and move straight to meaningful remediation discussions, preserving your relationship with key vendors even during widespread incidents.
By integrating FocusTags® into your TPRM workflows, you transform reactive vulnerability news into a proactive defense mechanism, ensuring your organization remains resilient against the evolving threat landscape.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags® in the Last 30 Days:
- SolarWinds Serv-U - Feb2026 : CVE-2025-40541, CVE-2025-40540, CVE-2025-40539, CVE-2025-40538, Critical Remote Code Execution (RCE) flaws that could allow unauthenticated attackers to gain root-level access.
- Jenkins - Feb2026 : CVE-2026-27099, CVE-2026-27100, High-severity stored XSS in node descriptions and information disclosure via Run Parameters.
- Cisco Catalyst SD-WAN : CVE-2026-20127, CVE-2022-20775 — Critical 10.0 CVSS authentication bypass exploited in the wild, chained with privilege escalation for full root access.
- n8n - Feb2026 (Latest) : CVE-2026-27497, CVE-2026-27577, CVE-2026-27495 — Triple critical RCE vulnerabilities in sandbox and node execution allowing host server takeover.
- BeyondTrust RA & PRA : CVE-2026-1731, Remote Code Execution (RCE) vulnerability in BeyondTrust RA & PRA.
- Zimbra - Feb2026 : CVE-2020-7796, Critical Server-Side Request Forgery (SSRF) vulnerability in Zimbra’s WebEx Zimlet.
- PostgreSQL - Feb2026 : CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, Arbitrary Code Execution and Buffer Overflow Vulnerabilities in PostgreSQL.
- Exchange Server - Feb2026 : CVE-2026-21527, Spoofing vulnerability in Microsoft Exchange Server involving UI misrepresentation.
- SAP NetWeaver - Feb2026 : CVE-2026-0509, Critical Missing Authorization vulnerability in SAP NetWeaver AS ABAP allowing unauthorized RFC execution.
- Gogs - Feb2026 : CVE-2025-64111, CVE-2025-64175, CVE-2026-24135, Triple threat involving Critical RCE, 2FA Bypass, and Path Traversal in Gogs Git services.
- OpenClaw : CVE-2026-25253, Critical 1-Click Remote Code Execution and Token Exfiltration Vulnerability in OpenClaw (Moltbot).
- Ivanti EPMM - Jan2026 : CVE-2026-1281, CVE-2026-1340, Critical Unauthenticated Remote Code Execution and Code Injection Vulnerabilities in Ivanti Endpoint Manager Mobile.
- Cisco TelePresence : CVE-2026-20119, High-Severity Denial of Service Vulnerability in Cisco TelePresence Collaboration Endpoint (CE) Software.
- Django - Feb2026 : CVE-2026-1207, CVE-2026-1287, CVE-2026-1312, CVE-2025-14550, CVE-2026-1285, CVE-2025-13473, Multiple SQL Injection, Denial of Service (DoS), and Username Enumeration Vulnerabilities in Django Web Framework.
- n8n - Feb2026 : CVE-2026-25049, CVE-2026-25056, CVE-2026-25053, Triple Threat of Critical Remote Code Execution Vulnerabilities in n8n Workflow Automation Platform.
- Fortinet - Jan2026 : CVE-2026-24858, Authentication Bypass Using an Alternate Path or Channel Vulnerability, Zero-Day Exploitation in Fortinet Products.
- GNU InetUtils telnetd : CVE-2026-24061, Authentication Bypass Vulnerability in GNU InetUtils.
- SolarWinds WHD - Jan2026 : CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554, CVE-2025-40536, CVE-2025-40537, Untrusted Data Deserialization, Authentication Bypass, and Hardcoded Credentials Vulnerabilities in SolarWinds Web Help Desk.
- OpenSSL : CVE-2025-15467, CVE-2025-11187, Remote Code Execution and Buffer Overflow Vulnerabilities in OpenSSL.
- SmarterMail - Jan2026 : CVE-2026-23760, Administrative Password Reset and Authentication Bypass Vulnerability in SmarterTools SmarterMail.
- n8n - Jan2026 (Latest) : CVE-2026-1470, CVE-2026-0863, Remote Code Execution, Arbitrary Code Injection, and Sandbox Escape Vulnerabilities in n8n.
- React Server Components : CVE-2026-23864, Denial of Service Vulnerabilities in React Server Components.
- TP-Link Archer MR600 : CVE-2025-14756, Authenticated Command Injection Vulnerability in TP-Link Archer MR600 Routers.
See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have a FocusTag® applied at https://blackkite.com/cve-database/.