< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles · page 6 of 12

Cisco Flags More Catalyst SD-WAN Flaws as Actively Exploited

🔔 Cisco has warned that two additional Catalyst SD-WAN Manager vulnerabilities — a high-severity arbitrary file overwrite (CVE-2026-20122) and a medium-severity information disclosure flaw (CVE-2026-20128) — are being actively exploited. The file-overwrite vulnerability can be triggered remotely by attackers with valid read-only API credentials; the information-disclosure issue requires local vManage credentials. Cisco says the flaws affect the software regardless of device configuration and urges administrators to upgrade to fixed releases immediately.
read more →

Cisco Releases Patches for 48 Firewall Vulnerabilities

🔒 Cisco has published 25 joint advisories addressing 48 vulnerabilities across its Secure Firewall ASA, Secure FMC and FTD product lines. The two most critical flaws, CVE-2026-20079 and CVE-2026-20131, are rated CVSS 10 and impact Secure FMC, enabling authentication bypass and remote code execution respectively. The auth bypass can be triggered with crafted HTTP requests against a boot-created system process, while the RCE stems from insecure deserialization of a user-supplied Java byte stream to the web management interface. There are no workarounds; Cisco urges customers to install the fixed software and the bundle also addresses 15 high and 31 medium severity issues.
read more →

Cisco Patches Maximum-Severity Flaws in Secure FMC

🔒 Cisco has released updates for two maximum-severity vulnerabilities in Cisco Secure FMC that allow unauthenticated remote attackers to obtain root on affected systems. CVE-2026-20079 is an authentication-bypass flaw exploitable via crafted HTTP requests to gain root, while CVE-2026-20131 is a remote code execution vulnerability triggered by a crafted serialized Java object that can execute arbitrary Java code as root. Cisco also patched dozens of other issues and says its PSIRT has no evidence these flaws are being actively exploited.
read more →

Talos: Monitoring Cyber Activity in the Middle East

🔍 Cisco Talos is actively monitoring the evolving conflict in the Middle East for cyber-related activity and currently reports no significant, state-sponsored cyber impacts. Incidents observed to date are limited — primarily website defacements, small distributed-denial-of-service (DDoS) campaigns, and opportunistic phishing using conflict-themed lures. Talos assesses that Iranian-aligned groups historically operate in espionage, destructive attacks, and hack-and-leak operations, which remain plausible avenues. Organizations should prioritize MFA, timely patching, robust monitoring, and targeted third-party risk controls to reduce collateral exposure.
read more →

Weekly Recap: SD-WAN 0-Day, Critical CVEs & Trends

⚡ The week's highlights show attackers exploiting critical infrastructure, cloud APIs, AI tooling, and consumer devices. Cisco SD‑WAN zero‑day (CVE‑2026‑20127) is being actively exploited to gain administrative access, while a string of high‑severity CVEs across vendors requires immediate attention. Misuse of trusted services — from Google Sheets and Gemini to autonomous AI agents — combined with exposed keys, is enabling stealthy, scalable access. Organizations should prioritize patching, tighten access to AI and cloud keys, and use continuous testing to validate defenses.
read more →

Dohdoor DoH Backdoor Targeting Education and Healthcare

🚨 Cisco Talos reports an ongoing campaign by UAT-10027 using a new backdoor called Dohdoor since December 2025. Dohdoor leverages DNS-over-HTTPS (DoH) for stealthy command-and-control, downloads and executes payloads within legitimate Windows processes, and employs phishing, PowerShell abuse, and DLL sideloading. The campaign targets U.S. education and health care organizations with C2 infrastructure hidden behind reputable services.
read more →

UAT-10027 Campaign Delivers Dohdoor Backdoor via DoH

🔒 Cisco Talos attributes a previously undocumented activity cluster, tracked as UAT-10027, to an ongoing campaign targeting U.S. education and healthcare since December 2025. The actor deploys a novel backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for stealthy C2 and reflectively loads additional payloads into memory. Initial access is suspected to begin with social-engineering and a PowerShell script that retrieves a staged batch and malicious DLLs (observed as propsys.dll and batmeter.dll), which are launched via DLL side‑loading of legitimate executables. Talos observed the adversary fronting C2 behind Cloudflare to make traffic appear as legitimate HTTPS and unhooking user-mode API hooks in NTDLL.dll to evade EDR; follow-on payloads have been assessed as Cobalt Strike beacons.
read more →

Talos: Dohdoor DoH Backdoor Targets US Education, Healthcare

🛡️ Cisco Talos reports an active campaign, observed since December 2025, in which actor UAT-10027 deployed a previously undocumented backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for covert C2. The multi-stage chain leverages phishing-delivered PowerShell to fetch a batch dropper that sideloads a disguised DLL into legitimate Windows binaries and tunnels C2 through Cloudflare’s edge. Dohdoor decrypts and reflectively executes payloads in memory, unhooks ntdll to evade EDR, and was observed targeting U.S. education and healthcare organizations.
read more →

Immediate Patch Urged for Critical Cisco Catalyst SD-WAN Bug

⚠️ Government security agencies have urged immediate patching of a critical zero-day, CVE-2026-20127, impacting Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The authentication bypass can grant unauthenticated remote attackers administrative privileges, NETCONF access and the ability to alter SD-WAN configuration. Authorities including CISA and Five Eyes partners require urgent patching and threat hunting; Cisco released fixes on 25 February 2026.
read more →

Maximum-Severity Cisco SD-WAN Zero-Day Actively Exploited

🔒 A maximum-severity vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS 10.0), lets an unauthenticated remote attacker bypass authentication and obtain elevated administrative privileges by sending a crafted request. Cisco reports active exploitation across on-prem and Cisco-hosted deployments by a sophisticated actor identified as UAT-8616, with malicious activity dating to 2023. Customers should apply vendor fixes immediately, audit /var/log/auth.log for unexpected "Accepted publickey for vmanage-admin" entries, and follow CISA emergency guidance.
read more →

Five Eyes Emergency Directive: Exploited Cisco SD-WAN

⚠️ Federal and allied cybersecurity agencies issued an emergency directive after Cisco Talos disclosed active exploitation of a critical flaw in Cisco Catalyst SD-WAN controllers (CVE-2026-20127). The vulnerability allows unauthenticated attackers to bypass authentication and gain administrative access to SD‑WAN control-plane components. Cisco has released patches with no workarounds; CISA and Five Eyes partners urge immediate patching, inventorying of in-scope systems, log collection and active hunting for compromise.
read more →

Critical Cisco SD-WAN Authentication Bypass Exploited

⚠️ Cisco warns of a critical authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127) that has been exploited in zero-day attacks beginning in 2023. The flaw allows attackers to authenticate as a high-privileged non-root account, add rogue peers, and manipulate NETCONF to alter SD-WAN fabric configuration. Cisco and partners report active exploitation, and vendors have issued software updates; there are no full workarounds, so immediate patching and hardening are urged.
read more →

Active Exploitation of Cisco SD‑WAN Controller by UAT‑8616

🔒 Cisco Talos reports active exploitation of CVE-2026-20127 in Cisco Catalyst SD-WAN Controller, enabling unauthenticated attackers to bypass authentication and obtain administrative privileges. Talos attributes the activity to a sophisticated actor tracked as UAT-8616 and finds evidence dating to 2023, including software downgrades and subsequent exploitation of CVE-2022-20775 to escalate to root. Customers are urged to follow vendor advisories, validate control peering events, and apply the detection and remediation guidance provided.
read more →

CISA Emergency Directive: Mitigate Cisco SD‑WAN Risks

⚠ CISA issued Emergency Directive 26-03 requiring immediate mitigation of critical vulnerabilities in Cisco SD‑WAN systems, citing exploitable flaws including CVE-2026-20127 and CVE-2022-20775. Agencies must inventory systems, collect virtual snapshots and logs, apply patches, hunt for evidence of compromise, and implement vendor hardening guidance. CISA will monitor compliance, provide technical assistance, and deliver additional resources as needed. The directive is supported by the NSA, ASD’s ACSC, Canada’s Cyber Centre, NCSC-NZ, and NCSC-UK.
read more →

CISA and Partners: Guidance on Cisco SD‑WAN Exploits

🔔 CISA and international partners warn of active exploitation of Cisco SD-WAN systems, adding CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities Catalog. FCEB agencies are required by Emergency Directive 26-03 to inventory, update, and assess SD-WAN deployments. Organizations should collect artifacts, apply vendor updates, follow the Catalyst SD-WAN Hardening Guide, and hunt for evidence of compromise immediately.
read more →

CISA Adds Two Cisco SD-WAN Vulnerabilities to KEV Catalog

⚠️CISA has added two Cisco SD‑WAN vulnerabilities (CVE‑2022‑20775 and CVE‑2026‑20127) to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. These affect Cisco Catalyst SD‑WAN components and include a path traversal and an authentication bypass that can enable unauthorized access. Under BOD 22‑01, FCEB agencies must remediate by required due dates; CISA urges all organizations to prioritize timely mitigation.
read more →

Ryan Liles: Mastering Technical Diplomacy at Cisco

🔎 Ryan Liles describes his role connecting Cisco product teams with independent evaluators to ensure products are tested and validated beyond vendor claims. As part of Talos’ Vulnerability Research and Discovery group, he coordinates third-party testing labs and navigates sensitive conversations about methodology and deployment. Liles stresses calm, fact-focused dialogue and long-standing industry relationships to resolve issues and improve testing outcomes.
read more →

DKnife AitM Framework Compromises Network Gateways

🛡️ Cisco Talos discovered DKnife, a modular AitM framework operating on Linux-based network gateways since at least 2019 and active into early 2026. Deployed at the edge rather than endpoints, it performs deep packet inspection, credential interception, and selective traffic manipulation. Operators use it to hijack software and app updates to deliver ShadowPad and DarkNimbus payloads, and to perform DNS and binary replacement attacks.
read more →

DKnife toolkit hijacks routers to spy and deliver malware

🛡️ Cisco Talos researchers describe DKnife as an ELF-based Linux toolkit used since 2019 to hijack router traffic and perform adversary-in-the-middle operations. The framework has seven modules — including yitiji.bin to create a bridged TAP interface and mmdown.bin to drop malicious APKs — enabling DPI, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus. Talos attributes the activity to a China-nexus actor and noted C2 servers remained active as of January 2026.
read more →

Hidden DKnife AitM Framework Targets Routers Since 2019

🔍 Cisco Talos researchers uncovered DKnife, a Linux-based gateway-monitoring and adversary-in-the-middle framework used since at least 2019 and active through January 2026. The toolkit targets routers and edge devices running CentOS/Red Hat Enterprise Linux, using seven ELF components to perform DPI, traffic interception, DNS hijacking and in-line substitution of Android and Windows downloads. Talos attributes the framework with high confidence to Chinese-nexus actors and notes overlaps with campaigns delivering WizardNet, DarkNimbus and ShadowPad.
read more →