Cisco Talos Q1 2026 Report: Networking Gear Drives KEVs, n8n Platform Weaponized, AI Vulnerabilities Surge
Cisco Talos' Q1 2026 vulnerability pulse reveals networking gear accounts for 20% of Known Exploited Vulnerabilities, attackers are weaponizing the n8n AI workflow platform for malware delivery, and AI-relevant CVEs rose to 121.

Cisco Talos has released its Q1 2026 vulnerability pulse report, painting a sobering picture of the threat landscape. The first quarter saw overall CVE counts increase, with March recording the sharpest climb. While the number of Known Exploited Vulnerabilities (KEVs) remained roughly in line with 2025 figures, a striking 20% of KEV-related vulnerabilities involved networking gear — a proportion Talos expects to climb as the year progresses.
A significant finding is the weaponization of n8n, an AI workflow automation platform. Talos identified a marked increase in attackers abusing n8n's URL-exposed webhooks to deliver malware and perform device fingerprinting. By leveraging the platform's legitimate infrastructure, adversaries create phishing lures that bypass traditional security filters, masking malicious payloads as standard data streams. This effectively turns productivity tools into delivery vehicles for remote access trojans and other threats.
The report also highlights the persistent challenge of patch management. Roughly 25% of the CVEs Talos is tracking date to 2024 or earlier, with some disclosure dates reaching back to 2009. "Old vulnerabilities don't retire. They wait," the report notes, emphasizing that visibility into what is actually running in an environment is the prerequisite for effective defense.
AI-related vulnerabilities are on the rise. Using a keyword methodology, Talos identified 121 CVEs with AI relevance in Q1 — more than in Q1 2025. As AI components become more deeply embedded across the software stack, this number is expected to keep climbing. The report also references recent developments like the Mythos preview from Anthropic, which demonstrated the ability to identify and exploit zero-day vulnerabilities in major operating systems and browsers when directed by a user.
Talos recommends defenders move beyond static domain blocking and implement behavioral detection that alerts on anomalous traffic patterns directed toward automation platforms. Organizations should restrict endpoint communication with these services to only those explicitly authorized by established internal workflows. Additionally, AI-driven email security solutions should be utilized to analyze the semantic intent of incoming messages and proactively share indicators of compromise.
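One way to express the allowlist-plus-behavior check recommended above, as an added example that is not from the Talos report: it scans constructed proxy records and flags webhook traffic to an automation platform from endpoints no internal workflow authorizes, as well as webhook replies that carry binary content. The `.app.n8n.cloud` host suffix, the `/webhook/` path prefixes, all host names and the content-type policy are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (not from the report): n8n Cloud tenants live under
# *.app.n8n.cloud and serve webhooks under /webhook/ or /webhook-test/.
PLATFORM_SUFFIXES = (".app.n8n.cloud",)
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
# Content types unusual for a workflow webhook reply (hypothetical policy).
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/zip"}

# Hypothetical allowlist: (internal source host, tenant host) pairs that an
# established internal workflow is known to use.
AUTHORIZED = {("ci-runner-01", "acme-ops.app.n8n.cloud")}

# Constructed proxy records: time, source, method, URL, response type, bytes.
SAMPLE_LOG = """\
2026-04-02T09:14:03Z ci-runner-01 POST https://acme-ops.app.n8n.cloud/webhook/build-done application/json 212
2026-04-02T09:20:41Z wks-fin-17 GET https://example-tenant.app.n8n.cloud/webhook/invoice application/octet-stream 1843200
2026-04-02T09:21:10Z wks-fin-17 GET https://intranet.example.com/webhook/ping application/json 40
2026-04-02T09:30:55Z ci-runner-01 GET https://acme-ops.app.n8n.cloud/webhook/artifact application/zip 90412
2026-04-02T09:41:12Z wks-hr-03 GET https://ACME-OPS.app.n8n.cloud/webhook-test/form text/html 5120
"""

def classify(line):
    """Return (source, host, [reasons]) for a flagged record, else None."""
    ts, src, method, url, ctype, size = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(PLATFORM_SUFFIXES):
        return None                      # not an automation-platform host
    if not parts.path.startswith(WEBHOOK_PREFIXES):
        return None                      # editor/UI traffic, not a webhook
    reasons = []
    if (src, host) not in AUTHORIZED:
        reasons.append("unauthorized-endpoint")
    if ctype.lower() in BINARY_TYPES:
        reasons.append("binary-response")
    return (src, host, reasons) if reasons else None

def detect(log_text):
    hits = (classify(l) for l in log_text.splitlines() if l.strip())
    return [h for h in hits if h]

if __name__ == "__main__":
    for src, host, reasons in detect(SAMPLE_LOG):
        print(f"ALERT {src} -> {host}: {', '.join(reasons)}")
```

Matching on the parsed hostname suffix rather than a substring keeps look-alike hosts such as `acme-ops.app.n8n.cloud.example.net` out of scope, and the authorized runner is still flagged when a webhook reply arrives as an archive.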
The report also includes a roundup of top security headlines, including Adobe patching an actively exploited zero-day that lingered for months, a fake Claude website distributing PlugX RAT, and Sweden blaming Russian hackers for an attempted cyber attack on a thermal plant. The Q1 pulse underscores that defenders must contend with both decade-old vulnerabilities and novel attacks leveraging trusted AI infrastructure.