{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cisco/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-33018"},{"cvss":7.1,"id":"CVE-2026-33020"},{"id":"CVE-2026-41144"}],"_cs_exploited":false,"_cs_products":["ASA","Secure Firewall Threat Defense","IOS","IOS XE","IOS XR"],"_cs_severities":["critical"],"_cs_tags":["cisco","vulnerability","rce","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability allowing authentication bypass.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code executes with administrator privileges, granting the attacker full control over the device.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised device as a pivot point to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eAttacker compromises additional systems and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsult Cisco\u0026rsquo;s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T05:43:56Z","date_published":"2026-04-24T05:43:56Z","id":"/briefs/2024-07-cisco-multiple-vulns/","summary":"Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.","title":"Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/"},{"_cs_actors":["UAT-4356"],"_cs_cves":[{"cvss":9.9,"id":"CVE-2025-20333"},{"cvss":6.5,"id":"CVE-2025-20362"}],"_cs_exploited":false,"_cs_products":["Firepower eXtensible Operating System (FXOS)","ASA","FTD"],"_cs_severities":["critical"],"_cs_tags":["uat-4356","firestarter","cisco","backdoor","network","espionage"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called \u0026ldquo;FIRESTARTER,\u0026rdquo; which shares technical capabilities with RayInitiator\u0026rsquo;s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco\u0026rsquo;s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.\u003c/li\u003e\n\u003cli\u003eThe FIRESTARTER backdoor is written to \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e and the CSP_MOUNT_LIST is updated to copy itself to \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter a graceful reboot, FIRESTARTER is executed from \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER restores the original CSP_MOUNT_LIST from \u003ccode\u003e/tmp/CSP_MOUNTLIST.tmp\u003c/code\u003e and removes the temporary copy and the trojanized \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e file from disk.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the \u0026ldquo;libstdc++.so\u0026rdquo; memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the file integrity monitoring rule to detect the creation or modification of \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e and \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e (see \u0026ldquo;File Creation in Suspicious Directory\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply software upgrade recommendations outlined in Cisco\u0026rsquo;s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T15:11:53Z","date_published":"2026-04-23T15:11:53Z","id":"/briefs/2026-04-uat-4356-firestarter/","summary":"UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.","title":"UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices","url":"https://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.1,"id":"CVE-2026-20085"},{"cvss":4.8,"id":"CVE-2026-20087"},{"cvss":4.8,"id":"CVE-2026-20088"},{"cvss":4.8,"id":"CVE-2026-20089"},{"cvss":4.8,"id":"CVE-2026-20090"}],"_cs_exploited":false,"_cs_products":["Integrated Management Controller"],"_cs_severities":["medium"],"_cs_tags":["xss","cisco","cimc","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eMultiple cross-site scripting (XSS) vulnerabilities have been identified in the web-based management interface of the Cisco Integrated Management Controller (IMC). Successful exploitation of these vulnerabilities could allow a remote attacker to inject malicious scripts into the web browser of a user accessing the IMC interface. This could lead to session hijacking, sensitive information disclosure, or other malicious activities performed in the context of the user\u0026rsquo;s session. The vulnerabilities were disclosed on 2026-04-22, and Cisco has released software updates to address them. There are no known workarounds. This threat is relevant for organizations using Cisco IMC to manage their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a JavaScript payload designed to execute in the context of a victim\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eAttacker delivers the malicious URL to the victim, typically through phishing, social engineering, or by injecting it into a trusted website.\u003c/li\u003e\n\u003cli\u003eVictim clicks on the malicious URL, or the URL is automatically loaded through a compromised website.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser sends an HTTP request to the vulnerable Cisco IMC web server.\u003c/li\u003e\n\u003cli\u003eThe Cisco IMC web server reflects the attacker\u0026rsquo;s malicious JavaScript payload in the HTTP response without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code executes within the victim\u0026rsquo;s browser, allowing the attacker to steal cookies, redirect the user, or perform other actions on behalf of the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these XSS vulnerabilities could allow an attacker to execute arbitrary JavaScript code in the context of a user\u0026rsquo;s session. This could lead to sensitive information disclosure, such as the theft of session cookies, allowing the attacker to hijack the user\u0026rsquo;s session and gain unauthorized access to the Cisco IMC. The attacker could also redirect the user to a malicious website or deface the IMC web interface. While the specific number of vulnerable systems is unknown, organizations using Cisco IMC are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the software updates released by Cisco to address the vulnerabilities (CVE-2026-20085, CVE-2026-20087, CVE-2026-20088, CVE-2026-20089, CVE-2026-20090).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts against the Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests containing potentially malicious JavaScript payloads targeting the Cisco IMC web interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-cisco-imc-xss/","summary":"Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.","title":"Cisco Integrated Management Controller (IMC) Multiple XSS Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20128"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-20128","credential-access","sd-wan","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. This vulnerability highlights the importance of proper credential management and access controls in network management systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates the filesystem to locate the DCA user\u0026rsquo;s credential file.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the credential file, which contains the DCA user\u0026rsquo;s password in a recoverable format.\u003c/li\u003e\n\u003cli\u003eThe attacker decodes or decrypts the password using readily available tools or techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the Cisco Catalyst SD-WAN Manager. This could lead to significant disruption of network services, data breaches, and potential compromise of connected systems. The impact is magnified by the widespread use of SD-WAN in enterprise environments, making this a critical vulnerability for organizations utilizing Cisco Catalyst SD-WAN Manager.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and apply the mitigations outlined in CISA\u0026rsquo;s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the \u003ccode\u003eDetect Suspicious SD-WAN Credential File Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eApply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-cisco-sdwan-password-disclosure/","summary":"Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.","title":"Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco","sdwan","vulnerability","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities exist within the Cisco Catalyst SD-WAN Manager software. These vulnerabilities can be exploited by remote, anonymous, or local attackers. Successful exploitation allows attackers to perform a range of malicious activities. These include escalating privileges to administrator level, circumventing authentication mechanisms, executing arbitrary commands with Netadmin-level privileges, accessing sensitive system information, and overwriting arbitrary files on the affected system. This poses a significant risk to organizations utilizing the SD-WAN Manager, potentially leading to complete compromise of the affected systems and the networks they manage. Given the centralized role of SD-WAN managers, a successful attack could have widespread consequences.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the Cisco Catalyst SD-WAN Manager, either remotely, anonymously, or locally.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability related to authentication, bypassing normal login procedures.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an elevation of privilege vulnerability to gain administrator rights on the system.\u003c/li\u003e\n\u003cli\u003eWith administrator privileges, the attacker executes commands with Netadmin rights.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive system information, such as configuration files, user credentials, or network topology data.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a file overwrite vulnerability to modify or replace critical system files with malicious versions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised SD-WAN Manager to push malicious configurations to other network devices.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the SD-WAN network, potentially leading to data exfiltration, service disruption, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to a complete compromise of the Cisco Catalyst SD-WAN Manager. Given the critical role of SD-WAN managers in controlling and managing network infrastructure, this can have significant consequences. A successful attack could result in widespread network outages, data breaches, and the potential for further lateral movement within the network. While the exact number of potential victims is unknown, the widespread use of Cisco SD-WAN solutions suggests a potentially large impact. Targeted sectors include any organization relying on Cisco Catalyst SD-WAN Manager for network management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available security patches provided by Cisco for the SD-WAN Manager to remediate the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement strong access control measures to restrict access to the SD-WAN Manager interface.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from or directed towards the SD-WAN Manager. Use the \u0026ldquo;Detect Suspicious Outbound Connection from SD-WAN Manager\u0026rdquo; Sigma rule to identify unusual network connections.\u003c/li\u003e\n\u003cli\u003eEnable and review audit logs on the SD-WAN Manager to detect unauthorized access attempts or configuration changes. Use the \u0026ldquo;Detect Unauthorized Configuration Change via SD-WAN Manager\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly back up the SD-WAN Manager configuration to facilitate recovery in the event of a successful attack.\u003c/li\u003e\n\u003cli\u003eHarden the SD-WAN Manager by disabling unnecessary services and features.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T08:08:56Z","date_published":"2026-04-21T08:08:56Z","id":"/briefs/2026-04-cisco-sdwan-vulns/","summary":"Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager allow a remote, anonymous, or local attacker to gain administrator privileges, bypass authentication, execute commands with Netadmin rights, read sensitive system information, and overwrite arbitrary files.","title":"Cisco Catalyst SD-WAN Manager Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-20184"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco","webex","sso","certificate-validation","user-impersonation","cve-2026-20184","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-20184, has been identified in the Single Sign-On (SSO) implementation with Control Hub in CISCO Webex versions 39.6 through 45.4. This improper certificate validation issue allows an unauthenticated, remote attacker to bypass security controls and impersonate legitimate users. CISCO Webex is a widely used cloud-based platform for video meetings and collaboration. Successful exploitation could lead to unauthorized access to sensitive information, disruption of services, and a complete compromise of the CIA triad. The vulnerability poses a significant risk to organizations relying on Webex for internal and external communications. Public proof-of-concept or proof-of-exploitation code is not yet available, but the severity and ease of exploitation warrant immediate attention and patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable CISCO Webex instance running a version between 39.6 and 45.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious token designed to exploit the improper certificate validation flaw in the SSO with Control Hub.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to a Webex service endpoint, presenting the crafted token.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Webex instance fails to properly validate the certificate associated with the token.\u003c/li\u003e\n\u003cli\u003eThe attacker is authenticated as a targeted user without providing valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the targeted user\u0026rsquo;s sensitive information, including meeting schedules, contact lists, and potentially recorded meetings.\u003c/li\u003e\n\u003cli\u003eThe attacker joins Webex meetings without authorization, potentially eavesdropping on confidential conversations or disrupting the meeting.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Webex environment by leveraging the compromised user\u0026rsquo;s access rights, potentially gaining administrative control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20184 can lead to severe consequences. Attackers can impersonate any user within the Webex service, gaining unauthorized access to confidential meetings, sensitive data, and internal communications. This can result in a breach of confidentiality, integrity, and availability, potentially leading to significant financial losses, reputational damage, and legal liabilities. The number of affected organizations could be substantial given Webex\u0026rsquo;s widespread use across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all CISCO Webex installations to a version beyond 45.4 to remediate CVE-2026-20184 (Reference: CISCO Security Advisory).\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any suspicious activity related to unauthorized access attempts within the CISCO Webex environment, as recommended by the CCB (Reference: CCB Advisory).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious authentication patterns indicative of exploitation attempts against Webex (Reference: Sigma rule - \u0026ldquo;Webex Suspicious Authentication Pattern\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable and review Webex access logs for unusual login attempts or access patterns originating from unexpected locations (Reference: Webex access logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T09:19:48Z","date_published":"2026-04-17T09:19:48Z","id":"/briefs/2026-04-cisco-webex-cert-bypass/","summary":"A critical improper certificate validation vulnerability in CISCO Webex versions 39.6 - 45.4 (CVE-2026-20184) allows a remote, unprivileged attacker to impersonate users, gain unauthorized access, and join meetings without authorization, potentially impacting confidentiality, integrity, and availability.","title":"Critical Certificate Validation Vulnerability in CISCO Webex Allows User Impersonation","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-webex-cert-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cisco","unity-connection","vulnerability","xss","data-manipulation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Unity Connection is susceptible to multiple vulnerabilities that can be exploited by malicious actors. Successful exploitation of these vulnerabilities could allow attackers to perform cross-site scripting (XSS) attacks, redirect users to attacker-controlled malicious websites, manipulate sensitive data, and achieve unauthorized disclosure of confidential information. The vulnerabilities affect Cisco Unity Connection, a unified communications platform. These vulnerabilities pose a significant risk to organizations relying on Cisco Unity Connection for voice messaging and unified communications. Defenders need to implement detection and prevention measures to mitigate potential attacks targeting these flaws.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Cisco Unity Connection server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL or injects malicious code into a field accessible via the web interface.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses the crafted URL or interacts with the injected code through the Unity Connection web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script executes within the user\u0026rsquo;s browser session (XSS).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the XSS vulnerability to redirect the user to a malicious website designed to harvest credentials or install malware.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker leverages the vulnerability to manipulate data stored within Cisco Unity Connection, such as user profiles or configuration settings.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the vulnerability to gain unauthorized access to sensitive information, such as user credentials, call logs, or system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information for further malicious activities, such as gaining unauthorized access to other systems or conducting fraudulent activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to a range of detrimental outcomes, including unauthorized access to sensitive data, manipulation of critical system configurations, and redirection of users to malicious websites. This can result in data breaches, financial losses, reputational damage, and disruption of communication services. While the exact number of potential victims is unknown, organizations utilizing vulnerable versions of Cisco Unity Connection are at risk. The impact spans various sectors that rely on this technology for unified communications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for unusual URL patterns or requests containing suspicious characters indicative of XSS attempts targeting Cisco Unity Connection interfaces.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to detect and block common XSS attack vectors to protect Cisco Unity Connection web interfaces.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Unity Connection logs for any unauthorized modifications to user profiles or system configurations, which could indicate successful exploitation of data manipulation vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious URI parameters in Cisco Unity Connection\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T11:13:57Z","date_published":"2026-04-16T11:13:57Z","id":"/briefs/2026-04-cisco-unity-vulns/","summary":"Multiple vulnerabilities in Cisco Unity Connection can be exploited by an attacker to conduct cross-site scripting attacks, redirect users to malicious websites, manipulate data, and disclose confidential information.","title":"Multiple Vulnerabilities in Cisco Unity Connection","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-unity-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-20093"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","cisco","imc","cve-2026-20093"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, CVE-2026-20093, affects multiple versions of Cisco Integrated Management Controller (IMC) software. The vulnerability allows an unauthenticated remote attacker to bypass the login process and gain full administrative privileges on the affected system. This flaw stems from improper input validation (CWE-20). Exploitation grants the attacker the ability to change user passwords, manipulate hardware settings such as power cycling servers, and potentially use the compromised device to launch attacks on other systems within the network. The impacted product list is extensive, spanning multiple Cisco product lines, including the 5000 Series ENCS, Catalyst 8300 Series Edge uCPE, UCS C-Series M5/M6 Rack Servers, and UCS E-Series M3/M6. This vulnerability poses a significant threat to organizations relying on these systems for critical infrastructure management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe unauthenticated attacker sends a specially crafted request to the Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eThe vulnerable IMC software fails to properly validate the request, allowing the attacker to bypass the authentication mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrative access to the IMC.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the password of an existing administrative user or creates a new administrative user.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the IMC with the newly acquired administrative credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies hardware settings, such as power management configurations, potentially power cycling servers.\u003c/li\u003e\n\u003cli\u003eThe attacker disrupts critical infrastructure managed by the compromised IMC.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised device as a pivot point to launch further attacks against other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20093 grants an attacker complete control over the affected Cisco IMC. This can lead to severe consequences, including disruption of critical services, data breaches, and lateral movement within the network. Given the hardware-level access provided by IMC, attackers can manipulate physical infrastructure, leading to extended downtime and potential data loss. The CCB has assessed the risk of this vulnerability as high due to the ease of exploitation and the potential impact on confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all affected Cisco IMC instances to the latest available version to remediate CVE-2026-20093 (refer to the affected software list).\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any suspicious activity related to unauthorized access attempts to Cisco IMC web interfaces (deploy the Sigma rules provided).\u003c/li\u003e\n\u003cli\u003eIn case of an intrusion, report the incident via \u003ca href=\"https://ccb.belgium.be/en/cert/report-incident\"\u003ehttps://ccb.belgium.be/en/cert/report-incident\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T14:00:09Z","date_published":"2026-04-03T14:00:09Z","id":"/briefs/2026-04-cisco-imc-auth-bypass/","summary":"An unauthenticated remote attacker can exploit CVE-2026-20093 to bypass authentication in Cisco Integrated Management Controller (IMC), gain full administrative access, and manipulate hardware settings, potentially disrupting critical infrastructure.","title":"Critical Authentication Bypass Vulnerability in Cisco Integrated Management Controller (CVE-2026-20093)","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-20160"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-20160","cisco","ssm-on-prem","rce","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20160 affects Cisco Smart Software Manager On-Prem (SSM On-Prem). The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This is due to the unintentional exposure of an internal service. The vulnerability was reported in April 2026. Successful exploitation allows for command execution with root-level privileges, making it a critical risk for organizations using the affected Cisco SSM On-Prem software. Defenders should apply available patches or mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an internet-facing Cisco Smart Software Manager On-Prem (SSM On-Prem) instance.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers the unintentionally exposed internal service through reconnaissance techniques such as port scanning and service enumeration.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request specifically designed to exploit the exposed API endpoint of the internal service.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the vulnerable API endpoint of the exposed service.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SSM On-Prem software processes the malicious request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe software executes arbitrary commands on the underlying operating system due to the exposed API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root-level privileges on the SSM On-Prem host, allowing for full control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform further malicious activities, such as data exfiltration, lateral movement, or installation of persistent backdoors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20160 allows an attacker to execute arbitrary commands on the underlying operating system with root-level privileges. This could lead to complete compromise of the affected SSM On-Prem host. The attacker could exfiltrate sensitive data, disrupt services, or use the compromised system as a launchpad for further attacks within the network. Given the critical nature of software license management performed by SSM On-Prem, a successful attack could have significant operational and financial consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Cisco to address CVE-2026-20160 on all affected Cisco Smart Software Manager On-Prem (SSM On-Prem) instances.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests targeting Cisco Smart Software Manager On-Prem instances to detect potential exploitation attempts, using the \u0026ldquo;Detect Cisco SSM On-Prem API Exploitation Attempt\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of internal services and prevent unauthorized access from external networks.\u003c/li\u003e\n\u003cli\u003eReview access controls and authentication mechanisms for all internal services to ensure proper security configurations and prevent unintentional exposure.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Cisco SSM On-Prem Root Command Execution\u0026rdquo; Sigma rule to detect suspicious process execution originating from the SSM On-Prem server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T17:28:31Z","date_published":"2026-04-01T17:28:31Z","id":"/briefs/2024-02-cisco-ssm-rce/","summary":"CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending a crafted request to an exposed API.","title":"Cisco Smart Software Manager On-Prem RCE via Exposed API (CVE-2026-20160)","url":"https://feed.craftedsignal.io/briefs/2024-02-cisco-ssm-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco","sd-wan","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-20127, affects Cisco Catalyst SD-WAN Controllers. The vulnerability stems from an improper authentication mechanism, which can be exploited by unauthenticated remote attackers. Successful exploitation allows bypassing authentication and gaining administrative privileges. This access could allow the attacker to log in as a high-privileged, non-root user, gaining access to NETCONF, and enabling the manipulation of the SD-WAN fabric\u0026rsquo;s network configuration. The…\u003c/p\u003e\n","date_modified":"2026-02-27T10:00:00Z","date_published":"2026-02-27T10:00:00Z","id":"/briefs/2026-02-cisco-sdwan-rce/","summary":"A critical remote code execution vulnerability exists in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) due to improper authentication, allowing unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to network configuration manipulation.","title":"Critical RCE Vulnerability in Cisco Catalyst SD-WAN Controller","url":"https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-20133"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","cisco","sd-wan"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is susceptible to an information disclosure vulnerability, identified as CVE-2026-20133. The vulnerability allows unauthorized remote attackers to potentially gain access to sensitive information residing on affected systems. While the exact nature of the disclosed information isn\u0026rsquo;t specified in the advisory, it could encompass configuration details, user credentials, or other sensitive data critical for the secure operation of the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance, highlighting the severity and urging immediate action. The directive impacts organizations utilizing Cisco SD-WAN devices and emphasizes the need for thorough risk assessment and implementation of provided mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e An attacker identifies a publicly accessible endpoint or API within the Cisco Catalyst SD-WAN Manager that is vulnerable to CVE-2026-20133.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Request:\u003c/strong\u003e The attacker crafts a malicious HTTP request targeting the vulnerable endpoint, exploiting the lack of proper authorization checks or input validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Exposure:\u003c/strong\u003e The SD-WAN Manager processes the request and, due to the vulnerability, inadvertently discloses sensitive information. This could be in the form of a file, database content, or API response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Extraction:\u003c/strong\u003e The attacker captures the exposed data from the response, potentially including configuration files, usernames, passwords, or other sensitive credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e The attacker uses the extracted credentials to gain unauthorized access to other systems within the SD-WAN environment or the broader network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging compromised credentials, the attacker moves laterally across the network, targeting critical systems and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / System Compromise:\u003c/strong\u003e The attacker exfiltrates sensitive data or achieves complete system compromise, depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20133 can lead to significant consequences, including the compromise of sensitive data, unauthorized access to critical systems, and potential disruption of network operations. Given the central role of SD-WAN managers in controlling network traffic and security policies, a successful attack can have a wide-ranging impact. The number of potentially affected organizations is substantial due to the widespread adoption of Cisco SD-WAN solutions. The impact can include data breaches, financial loss, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately assess your exposure to CVE-2026-20133 by following CISA’s Emergency Directive 26-03 mitigation instructions.\u003c/li\u003e\n\u003cli\u003eApply the necessary patches or workarounds provided by Cisco to remediate the vulnerability as outlined in Cisco\u0026rsquo;s security advisory.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable or cannot be immediately applied, implement the hardening guidance provided in CISA’s “Hunt \u0026amp; Hardening Guidance for Cisco SD-WAN Devices”.\u003c/li\u003e\n\u003cli\u003eFor cloud-based deployments, adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious HTTP requests targeting potential vulnerable endpoints of the Cisco Catalyst SD-WAN Manager.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-19T12:00:00Z","date_published":"2024-01-19T12:00:00Z","id":"/briefs/2024-01-cisco-sdwan-info-disclosure/","summary":"Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.","title":"Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability (CVE-2026-20133)","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Cisco","version":"https://jsonfeed.org/version/1.1"}