// #cisco
10 articles
Cisco Catalyst SD-WAN Manager CVE-2026-20262 Actively Exploited — Arbitrary File Overwrite Escalates to Root
A file upload vulnerability in Cisco Catalyst SD-WAN Manager is under active exploitation, allowing an attacker with network-operator level access to overwrite arbitrary files on the underlying operating system and escalate privileges to root. CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalogue on 16 June, setting a federal remediation deadline.
CISA Adds Chrome V8 Zero-Day, Cisco SD-WAN, and Arista EOS to Known Exploited Vulnerabilities Catalogue
CISA added three vulnerabilities to the KEV catalogue on 9 June: Google Chrome CVE-2026-11645 (V8 out-of-bounds write, actively exploited), Cisco SD-WAN CVE-2026-20245 (authentication bypass), and Arista EOS CVE-2026-7473 (privilege escalation command injection). Federal agencies face a 30 June remediation deadline across all three.
Enterprise Wi-Fi Security Assessment: Evaluating Ubiquiti UniFi Against Enterprise-Grade Alternatives After Bulletin 064
The three CVSS 10.0 vulnerabilities in Ubiquiti UniFi OS Bulletin 064 prompt a broader question: how does UniFi's security posture, vendor support, and enterprise control plane architecture compare to traditional enterprise Wi-Fi vendors? A structured assessment framework helps organisations evaluate whether UniFi is appropriate for their specific threat model.
Cisco SD-WAN CVE-2026-20182 Post-Compromise Forensics: Identifying Rogue Device Injection in Catalyst SD-WAN Deployments
CVE-2026-20182, the CVSS 10.0 Cisco Catalyst SD-WAN Manager zero-day added to CISA KEV on 14 May, was exploited before Cisco released the patch. Organisations that ran vManage on publicly accessible addresses during the exposure window must now forensically audit their SD-WAN device inventory and API authentication logs for signs of rogue device registration and traffic interception.
Cisco Catalyst SD-WAN CVE-2026-20182 CVSS 10.0 Authentication Bypass Exploited as Zero-Day — Attackers Injecting Rogue SD-WAN Devices
Cisco disclosed a CVSS 10.0 authentication bypass in the Catalyst SD-WAN Manager that has been actively exploited as a zero-day, allowing unauthenticated attackers to inject rogue SD-WAN devices into the management plane and intercept or reroute enterprise WAN traffic. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalogue with a 72-hour patching deadline for federal agencies.
Cisco CVE-2026-20188 — Unauthenticated DoS Permanently Crashes Crosswork Network Controller Until Manual Reboot
Cisco has disclosed a high-severity denial-of-service vulnerability in Crosswork Network Controller and NSO (Network Services Orchestrator) that allows an unauthenticated remote attacker to exhaust connection resources and permanently disable the device — requiring physical manual reboot to recover. CVE-2026-20188 affects the network automation and orchestration platforms used by major service providers and large enterprise networks for intent-based networking automation.
FIRESTARTER Backdoor Persists on Cisco Firepower Devices After Patching — Federal Agency Confirmed Victim
A joint CISA and NCSC advisory reveals FIRESTARTER, a sophisticated backdoor implanted on Cisco FTD and ASA firewalls that survives firmware updates and reimaging. At least one US federal agency is a confirmed victim. Defenders must verify device integrity rather than assume patching closed the access.
Four Critical Cisco Flaws: Webex SSO User Impersonation (CVSS 9.8) and ISE Root Code Execution (CVSS 9.9)
Cisco patched four critical vulnerabilities across Webex Services and Identity Services Engine. CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user via crafted SSO tokens. Three ISE flaws at CVSS 9.9 let read-only admins execute arbitrary commands as root. Webex deployments with SSO require urgent manual action — Cisco's cloud fix is not sufficient without administrator intervention.
CISA Supplemental Direction ED 26-03: How to Hunt for Compromise in Cisco Catalyst SD-WAN
CISA has issued supplemental hunt-and-hardening guidance for Cisco Catalyst SD-WAN systems under Emergency Directive 26-03, providing defenders with specific indicators to look for in environments exposed to CVE-2026-20127 — a CVSS 10.0 authentication bypass exploited since 2023. Organisations running Cisco SD-WAN infrastructure should treat this guidance as a mandatory compromise assessment checklist.
Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Patch — Root Access on Enterprise Firewalls
Cisco's Firepower Management Center (FMC) contains a CVSS 10.0 deserialization vulnerability that Interlock ransomware was exploiting as a zero-day for 36 days before Cisco disclosed or patched it. CVE-2026-20131 allows unauthenticated remote attackers to execute arbitrary Java code as root on any internet-exposed FMC appliance. Cisco patched the flaw on 4 March 2026, but unpatched appliances remain under active ransomware targeting.