Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: cisco (14 articles)Clear

Cisco Catalyst SD-WAN Manager users have until today to patch three actively-exploited flaws as CISA adds eight to the KEV catalog

CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.

Check
Check your environment for any exposed or internal instances of Cisco Catalyst SD-WAN Manager, Quest KACE SMA, PaperCut NG/MF, JetBrains TeamCity, Zimbra Collaboration Suite, or Kentico Xperience and confirm patch status against the specific CVEs below.
Affected
Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133). Quest KACE SMA unpatched against CVE-2025-32975 (CVSS 10.0). PaperCut NG/MF against CVE-2023-27351. JetBrains TeamCity against CVE-2024-27199. Synacor Zimbra Collaboration Suite against CVE-2025-48700. Kentico Xperience against CVE-2025-2749.
Fix
Apply vendor-released patches for each product. Cisco SD-WAN Manager needs fixing by end of day April 23 to meet the CISA federal deadline - treat the same as a commercial deadline and patch today. The other five carry a May 4 CISA deadline. If you cannot patch immediately, remove affected products from direct internet exposure and monitor for the exploitation patterns each vendor describes. For Zimbra specifically, check mailbox audit logs for unusual TGZ archive creation and review MFA backup code usage.

Cisco Webex SSO flaw lets unauthenticated attackers impersonate any user (CVE-2026-20184) - four critical bugs patched this week

Cisco has patched four critical vulnerabilities this week across Webex and Identity Services Engine (ISE). The standout flaw is CVE-2026-20184 in Cisco Webex Services with SSO integration via Control Hub - it allows an unauthenticated remote attacker to impersonate any user in the service due to incorrect certificate validation in the SSO flow. This is particularly dangerous for organizations using Webex with SAML and centralized identity management. Alongside it: CVE-2026-20180 and CVE-2026-20186 (both CVSS 9.9) affect Cisco ISE and ISE Passive Identity Connector, allowing authenticated attackers with even read-only admin credentials to execute arbitrary commands on the underlying OS and escalate to root. CVE-2026-20147 is a path traversal flaw in the same products. ISE versions before 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches are all affected. No workarounds - only software updates fix these. In single-node ISE deployments, exploitation can also knock the node offline, blocking network access for unauthenticated endpoints.

Check
If you use Cisco Webex with SSO via Control Hub, treat CVE-2026-20184 as urgent - it's unauthenticated. If you run Cisco ISE for network access control, plan to patch this week.
Affected
Cisco Webex Services configured with SSO integration via Control Hub (CVE-2026-20184, unauthenticated impersonation). Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) versions prior to 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches (CVE-2026-20180, CVE-2026-20186, CVE-2026-20147).
Fix
Apply Cisco's software updates from the April 15 advisories. For ISE, upgrade to the fixed release matching your branch - there are no workarounds. For Webex with SSO, the fix is included in Cisco's latest Control Hub release. If patching is delayed, restrict admin access to ISE management interfaces to trusted IPs only via network-level ACLs - this doesn't fix CVE-2026-20184 but reduces the risk from ISE credential theft to RCE chains. Review Cisco admin account hygiene: read-only credentials are enough to chain to root on unpatched ISE.

Cisco IMC authentication bypass lets unauthenticated attackers take full admin control of servers (CVE-2026-20093)

Cisco patched a CVSS 9.8 authentication bypass in its Integrated Management Controller - the hardware-level management system built into Cisco UCS servers. An attacker sends one crafted HTTP request to the password change function and can reset any user's password, including Admin, without any credentials. Because IMC operates below the operating system on a dedicated baseboard controller with its own IP address, traditional endpoint security tools can't detect or stop it. The flaw affects dozens of Cisco product lines including APIC servers, Secure Firewall Management Center, and Cyber Vision appliances.

Check
Check if any Cisco UCS C-Series M5/M6 servers, ENCS 5000, Catalyst 8300, or UCS E-Series systems have their IMC web interface accessible from the network.
Affected
Cisco UCS C-Series M5 and M6 Rack Servers (standalone mode), 5000 Series ENCS, Catalyst 8300 Edge uCPE, UCS E-Series M3/M6, plus dozens of appliances built on preconfigured UCS C-Series including APIC, Secure Firewall Management Center, and Cyber Vision Center.
Fix
Update Cisco IMC firmware: ENCS 5000 to 4.15.5, UCS C-Series to 4.3(2.260007), 4.3(6.260017), or 6.0(1.250174) depending on track. Restrict IMC interface access to a dedicated management VLAN. Audit existing IMC user accounts for any unauthorized password changes.

Cisco breached through Trivy supply chain attack - source code and AWS keys stolen

The TeamPCP supply chain campaign has claimed its biggest victim yet. Attackers used credentials stolen from the Trivy vulnerability scanner compromise to breach Cisco's internal development environment, stealing source code belonging to both Cisco and its customers. Multiple AWS keys were also taken and used for unauthorized activity across Cisco's cloud accounts. The company expects continued fallout from the follow-on LiteLLM and Checkmarx compromises in the same campaign.

Check
If your CI/CD pipelines used Trivy, LiteLLM, or Checkmarx KICS between March 19-27, audit for unauthorized access immediately.
Affected
Any organization that ran compromised versions of Trivy (v0.69.4+), LiteLLM (1.82.7-1.82.8), or Checkmarx KICS GitHub Actions during the exposure windows.
Fix
Pin Trivy to v0.69.3, trivy-action to v0.35.0, setup-trivy to v0.2.6. Rotate all pipeline secrets, AWS keys, SSH keys, and tokens. Block scan.aquasecurtiy[.]org and 45.148.10.212. Search GitHub orgs for repositories named tpcp-docs - their presence means data was exfiltrated.