Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: emergency-directive (3 articles)Clear

Second maximum-severity Cisco Catalyst SD-WAN auth bypass exploited as a zero-day by sophisticated UAT-8616 actor - CISA gives federal agencies until May 17 to patch (CVE-2026-20182)

Cisco disclosed and patched a second perfect-score authentication bypass in its Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). The bug, CVE-2026-20182 (CVSS 10.0), was found by Rapid7 while investigating the earlier CVE-2026-20127 wave, and lives in the same vdaemon service over DTLS port 12346. An unauthenticated attacker can become a trusted peer of the controller, log in as a privileged internal account, hit the NETCONF interface, and rewrite the entire SD-WAN fabric. Cisco Talos already attributes limited in-the-wild exploitation to UAT-8616, an actor with operational-relay-box ties that has been targeting Cisco SD-WAN since 2023.

Check
Identify on-prem and cloud Cisco Catalyst SD-WAN Controller and Manager instances, compare any successful peer IPs to the configured System IPs under WebUI > Devices > System IP, and open a Cisco TAC case for unknown peers.
Affected
Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and Cisco-managed SD-WAN Cloud deployments. Maximum severity (CVSSv3 10.0).
Fix
Upgrade to the fixed releases listed in Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW immediately - CISA Emergency Directive 26-03 set the federal deadline at May 17, 2026. Restrict internet exposure of UDP/12346 to trusted peers only.

CISA and UK NCSC warn 'FIRESTARTER' backdoor survives Cisco ASA/Firepower patches - US agency compromised, hardware replacement recommended

CISA and the UK's National Cyber Security Centre jointly published a malware analysis report for FIRESTARTER, a persistent backdoor that China-linked group UAT-4356 (the same crew behind 2024's ArcaneDoor campaign) planted on Cisco ASA and Firepower firewall devices by chaining CVE-2025-20333 (VPN web server RCE) and CVE-2025-20362 (unauthorized access). The implant hooks into Cisco's Service Platform mount list, a boot-time configuration that controls which programs run when the device starts, so it survives reboots, firmware upgrades, and the September 2025 patches for those two CVEs. CISA found FIRESTARTER on an already-patched US federal civilian agency's Cisco Firepower device through continuous network monitoring - attackers silently returned in March 2026 to deploy a second-stage implant called Line Viper without needing to re-exploit the original vulnerabilities. Updated Emergency Directive ED 25-03 now orders federal agencies to audit every Cisco ASA and Firepower device they run and submit device memory snapshots for CISA analysis. The stark guidance for everyone else: if you confirm a compromise, replace the hardware. Reimaging is not enough because the bootloader itself may be implanted.

Check
Inventory every Cisco ASA and Firepower Threat Defense device in your environment - including branch offices, remote sites, and lab gear - and check patch status against CVE-2025-20333 and CVE-2025-20362 as the absolute minimum baseline.
Affected
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices running ASA/FTD software, particularly any units that were internet-exposed and unpatched between the September 2025 patch release and the date you actually applied it. Devices patched in that window may still carry the FIRESTARTER implant because the backdoor survives patching.
Fix
Patch any ASA/FTD device still vulnerable to CVE-2025-20333 or CVE-2025-20362 immediately. Then perform a core dump on every device following CISA's supplemental direction and look for FIRESTARTER indicators described in MAR AR26-113A and the joint advisory AA26-113A. Any device showing indicators of compromise must be replaced with new hardware - do not trust reimaging or factory reset, because the persistence mechanism modifies the Cisco Service Platform mount list and the bootloader may be affected. Rotate all VPN credentials and admin passwords on affected devices. Hunt for Line Viper and review firewall logs for unexpected outbound connections from management interfaces for the period after initial patching.

Cisco Catalyst SD-WAN Manager flaw added to CISA KEV with 4-day federal patch deadline - actively exploited (CVE-2026-20133)

CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says they have no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six used by ransomware operations.

Check
If you run Cisco Catalyst SD-WAN Manager (or the old vManage), patch today. CISA's 4-day federal deadline is the clearest signal yet that exploitation is widespread.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) running versions prior to the February 2026 security update. Three CVEs are in play: CVE-2026-20133 (unauthenticated information disclosure, just added to KEV), CVE-2026-20128 (recoverable password storage), and CVE-2026-20122 (incorrect privileged API use). All three are confirmed exploited in the wild.
Fix
Apply Cisco's February 2026 security update for Catalyst SD-WAN Manager which fixes all three CVEs. If patching is delayed beyond April 24, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices - restrict API access to trusted admin IPs only and review API access logs for unusual file-system-related requests over the past 60 days. Rotate any credentials stored on the SD-WAN Manager, as CVE-2026-20128 exposes them in recoverable format.