<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cisco — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cisco/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 24 Apr 2026 05:43:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cisco/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/</link><pubDate>Fri, 24 Apr 2026 05:43:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/</guid><description>Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.</description><content:encoded><![CDATA[<p>A cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).</li>
<li>Attacker exploits a vulnerability allowing authentication bypass.</li>
<li>Upon successful authentication bypass, the attacker gains unauthorized access to the device.</li>
<li>Attacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.</li>
<li>The code executes with administrator privileges, granting the attacker full control over the device.</li>
<li>Attacker uses the compromised device as a pivot point to move laterally within the network.</li>
<li>Attacker compromises additional systems and exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.</li>
<li>Consult Cisco&rsquo;s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cisco</category><category>vulnerability</category><category>rce</category><category>authentication-bypass</category></item><item><title>UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices</title><link>https://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/</link><pubDate>Thu, 23 Apr 2026 15:11:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/</guid><description>UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.</description><content:encoded><![CDATA[<p>Cisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called &ldquo;FIRESTARTER,&rdquo; which shares technical capabilities with RayInitiator&rsquo;s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco&rsquo;s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>UAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.</li>
<li>The attacker writes the FIRESTARTER backdoor to <code>/opt/cisco/platform/logs/var/log/svc_samcore.log</code> and modifies the CSP_MOUNT_LIST so that this file is copied to <code>/usr/bin/lina_cs</code> during boot. This is the persistence mechanism; the original CSP_MOUNT_LIST is kept at <code>/tmp/CSP_MOUNTLIST.tmp</code> for later restoration.</li>
<li>After a graceful reboot, FIRESTARTER is executed from <code>/usr/bin/lina_cs</code>.</li>
<li>FIRESTARTER restores the original CSP_MOUNT_LIST from <code>/tmp/CSP_MOUNTLIST.tmp</code> and removes the temporary copy and the trojanized <code>/usr/bin/lina_cs</code> file from disk.</li>
<li>FIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.</li>
<li>FIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the &ldquo;libstdc++.so&rdquo; memory region.</li>
<li>FIRESTARTER then overwrites a function pointer in an internal LINA data structure, replacing the pointer to the legitimate WebVPN XML handler with the address of the shellcode. From that point, shellcode carried in WebVPN requests is executed inside the LINA process, and the implant lives only in LINA memory: nothing remains on disk.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the file integrity monitoring rule to detect the creation or modification of <code>/usr/bin/lina_cs</code> and <code>/opt/cisco/platform/logs/var/log/svc_samcore.log</code> (see &ldquo;File Creation in Suspicious Directory&rdquo;).</li>
<li>Apply software upgrade recommendations outlined in Cisco&rsquo;s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.</li>
<li>Monitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.</li>
</ul>
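<p>The file-integrity rule in the first recommendation, worked through as an added example (not Cisco Talos or CraftedSignal code). It reads a constructed &ldquo;timestamp action path&rdquo; event stream, not a real FXOS or FIM product log, flags the indicator paths named above, and correlates the two medium-confidence halves of the persistence step (a write to <code>svc_samcore.log</code> followed by a CSP_MOUNT_LIST change) into one high-confidence alert. The brief does not give the directory of CSP_MOUNT_LIST, so it is matched by basename, and the <code>/opt/cisco/platform/CSP_MOUNT_LIST</code> location in the sample is hypothetical.</p>

```python
"""Flag file events that match the FIRESTARTER persistence chain.

Added example: not Cisco Talos or CraftedSignal code. The indicator paths are
the ones named in the brief; the input format is a constructed "timestamp
action path" line, not a real FXOS or FIM product log format.
"""
import re
from datetime import datetime, timedelta

# Paths taken from the brief. The directory holding CSP_MOUNT_LIST is not
# given there, so that file is matched by basename only (assumption).
STAGING_LOG = "/opt/cisco/platform/logs/var/log/svc_samcore.log"
DROPPER_PATH = "/usr/bin/lina_cs"
MOUNTLIST_BACKUP = "/tmp/CSP_MOUNTLIST.tmp"
MOUNTLIST_NAME = "CSP_MOUNT_LIST"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>CREATE|MODIFY|DELETE|EXEC) (?P<path>\S+)$")


def parse(line):
    """One log line -> event dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"], "path": m["path"]}


def classify(ev):
    """Per-event indicator match -> (severity, reason), or None when benign."""
    path, action = ev["path"], ev["action"]
    if path == DROPPER_PATH:
        # Any create, exec or delete of lina_cs is suspicious: the brief describes
        # it as written by the attacker and removed again by the implant itself.
        return "high", f"{action} on trojanized path {DROPPER_PATH}"
    if path == MOUNTLIST_BACKUP and action == "CREATE":
        return "high", "CSP_MOUNT_LIST backup written to /tmp (FIRESTARTER cleanup staging)"
    if path.rsplit("/", 1)[-1] == MOUNTLIST_NAME and action == "MODIFY":
        return "medium", "CSP_MOUNT_LIST modified"
    if path == STAGING_LOG and action in ("CREATE", "MODIFY"):
        return "medium", "write to svc_samcore.log (backdoor staging path)"
    return None


def detect(lines, window=timedelta(minutes=10)):
    """Return alerts for single indicators plus the staging->mount-list correlation."""
    events = [e for e in (parse(ln) for ln in lines) if e]
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({**ev, "severity": hit[0], "reason": hit[1]})
    # A CSP_MOUNT_LIST change shortly after a write to the staging log is the
    # persistence step itself, so it is reported as high even though each half
    # alone is only medium.
    staging = [e for e in events if e["path"] == STAGING_LOG]
    mounts = [e for e in events if e["path"].rsplit("/", 1)[-1] == MOUNTLIST_NAME]
    for s in staging:
        for m in mounts:
            if timedelta(0) <= m["ts"] - s["ts"] <= window:
                alerts.append({**m, "severity": "high",
                               "reason": "CSP_MOUNT_LIST changed within %s of svc_samcore.log write" % window})
    return alerts


# Constructed sample; /opt/cisco/platform/CSP_MOUNT_LIST is a hypothetical location.
SAMPLE_EVENTS = [
    "2026-04-20T02:14:05 MODIFY /opt/cisco/platform/logs/var/log/svc_samcore.log",
    "2026-04-20T02:14:09 MODIFY /opt/cisco/platform/CSP_MOUNT_LIST",
    "2026-04-20T02:40:00 CREATE /usr/bin/lina_cs",        # copied in during reboot
    "2026-04-20T02:40:02 EXEC /usr/bin/lina_cs",
    "2026-04-20T02:40:03 CREATE /tmp/CSP_MOUNTLIST.tmp",
    "2026-04-20T02:40:04 DELETE /usr/bin/lina_cs",        # implant removes itself
    "2026-04-20T02:40:04 DELETE /tmp/CSP_MOUNTLIST.tmp",
    "2026-04-20T03:00:00 MODIFY /var/log/messages",      # benign noise
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"].isoformat(), a["severity"].upper(), a["path"], "-", a["reason"])
```

<p>Because the implant deletes <code>/usr/bin/lina_cs</code> and the backup immediately after it runs, a periodic integrity scan will usually miss them; the events have to come from a real-time file monitor, and the DELETE is itself a useful signal. The staging-log write on its own is noisy on a busy appliance, which is why it is only promoted when the CSP_MOUNT_LIST change follows it.</p>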
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>uat-4356</category><category>firestarter</category><category>cisco</category><category>backdoor</category><category>network</category><category>espionage</category></item><item><title>Cisco Integrated Management Controller (IMC) Multiple XSS Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-xss/</link><pubDate>Thu, 23 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-xss/</guid><description>Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.</description><content:encoded><![CDATA[<p>Multiple cross-site scripting (XSS) vulnerabilities have been identified in the web-based management interface of the Cisco Integrated Management Controller (IMC). Successful exploitation of these vulnerabilities could allow a remote attacker to inject malicious scripts into the web browser of a user accessing the IMC interface. This could lead to session hijacking, sensitive information disclosure, or other malicious activities performed in the context of the user&rsquo;s session. The vulnerabilities were disclosed on 2026-04-22, and Cisco has released software updates to address them. There are no known workarounds. This threat is relevant for organizations using Cisco IMC to manage their infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Cisco IMC web interface.</li>
<li>Attacker crafts a malicious URL containing a JavaScript payload designed to execute in the context of a victim&rsquo;s browser session.</li>
<li>Attacker delivers the malicious URL to the victim, typically through phishing, social engineering, or by injecting it into a trusted website.</li>
<li>Victim clicks on the malicious URL, or the URL is automatically loaded through a compromised website.</li>
<li>The victim&rsquo;s web browser sends an HTTP request to the vulnerable Cisco IMC web server.</li>
<li>The Cisco IMC web server reflects the attacker&rsquo;s payload into the HTTP response without proper output encoding, so the browser interprets it as script rather than as data.</li>
<li>The victim&rsquo;s web browser executes the malicious JavaScript code.</li>
<li>The attacker&rsquo;s JavaScript code executes within the victim&rsquo;s browser, allowing the attacker to steal cookies, redirect the user, or perform other actions on behalf of the victim.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these XSS vulnerabilities could allow an attacker to execute arbitrary JavaScript code in the context of a user&rsquo;s session. This could lead to sensitive information disclosure, such as the theft of session cookies, allowing the attacker to hijack the user&rsquo;s session and gain unauthorized access to the Cisco IMC. The attacker could also redirect the user to a malicious website or deface the IMC web interface. While the specific number of vulnerable systems is unknown, organizations using Cisco IMC are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the software updates released by Cisco to address the vulnerabilities (CVE-2026-20085, CVE-2026-20087, CVE-2026-20088, CVE-2026-20089, CVE-2026-20090); Cisco reports no workarounds.</li>
<li>Deploy the Sigma rule that accompanies this brief to detect potential exploitation attempts against the Cisco IMC web interface.</li>
<li>Monitor web server logs for requests to the IMC interface whose parameters contain script tags, event handlers or <code>javascript:</code> URIs, including percent-encoded and double-encoded forms.</li>
<li>Because reflected XSS requires the victim to load an attacker-supplied URL, restrict the IMC web interface to a management network and avoid using the same browser session for IMC and general browsing.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>xss</category><category>cisco</category><category>cimc</category><category>vulnerability</category></item><item><title>Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/</link><pubDate>Tue, 21 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/</guid><description>Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.</description><content:encoded><![CDATA[<p>Cisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. This vulnerability highlights the importance of proper credential management and access controls in network management systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.</li>
<li>The attacker navigates the filesystem to locate the DCA user&rsquo;s credential file.</li>
<li>The attacker reads the credential file, which contains the DCA user&rsquo;s password in a recoverable format.</li>
<li>The attacker decodes or decrypts the password using readily available tools or techniques.</li>
<li>The attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.</li>
<li>The attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.</li>
<li>The attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation lets a low-privileged local attacker recover the DCA user&rsquo;s password and act with DCA user privileges on the Cisco Catalyst SD-WAN Manager. Those privileges can be used to change configuration or read sensitive data and, combined with other weaknesses, to extend control over the SD-WAN environment. Because the SD-WAN Manager is the control point for the managed fabric, even a partial compromise can affect many sites, and CISA has issued emergency guidance (ED 26-03) for these devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Review and apply the mitigations outlined in CISA&rsquo;s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.</li>
<li>Monitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the <code>Detect Suspicious SD-WAN Credential File Access</code> Sigma rule.</li>
<li>Implement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.</li>
<li>Apply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.</li>
</ul>
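<p>The root cause is a credential stored in a recoverable format. The added example below (illustration of that weakness class, not the SD-WAN Manager&rsquo;s real credential file or code) puts a recoverable record next to a one-way one: the first can be turned back into the password by anyone who can read the file, exactly as in the attack chain, while the second only supports checking a candidate. The record layouts, the <code>dca</code> account name and the iteration count are assumptions for the example.</p>

```python
"""Recoverable vs. one-way password storage.

Added example illustrating the weakness class behind CVE-2026-20128: a
credential file whose contents can be turned back into the plaintext password.
The record formats, the 'dca' account name and the helper names here are
constructed for illustration; they are not the SD-WAN Manager's real
credential file or code.
"""
import base64
import hashlib
import hmac
import os


# --- Weak: a "recoverable format". Base64 stands in for any keyless
# obfuscation, or encryption whose key lives next to the data: anyone who can
# read the file can read the password.
def store_recoverable(user, password):
    return f"{user}:{base64.b64encode(password.encode()).decode()}"


def recover_password(record):
    """What the low-privileged attacker in the attack chain does after reading the file."""
    user, blob = record.split(":", 1)
    return user, base64.b64decode(blob).decode()


# --- Hardened: salted PBKDF2-HMAC-SHA256. The record cannot be reversed; the
# only operation it supports is checking a candidate password.
ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; tune to your hardware


def store_hashed(user, password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}:pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(record, candidate):
    user, rest = record.split(":", 1)
    algo, iters, salt_hex, digest_hex = rest.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record: " + algo)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = store_recoverable("dca", "Sup3rS3cret!")
    print("weak record:   ", weak)
    print("recovered:     ", recover_password(weak))        # attacker wins
    strong = store_hashed("dca", "Sup3rS3cret!")
    print("hashed record: ", strong)
    print("verify correct:", verify_hashed(strong, "Sup3rS3cret!"))
    print("verify wrong:  ", verify_hashed(strong, "password"))
```

<p>A one-way hash fixes the disclosure only where the stored secret is a password that users type. Where the DCA credential is used by one service to authenticate to another, the value has to stay usable, so the remedy there is filesystem permissions on the file and a secret store or OS keyring rather than a hash, and the file-access monitoring above stays the defender&rsquo;s main signal until the vendor fix lands.</p>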
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-20128</category><category>credential-access</category><category>sd-wan</category><category>cisco</category></item><item><title>Cisco Catalyst SD-WAN Manager Multiple Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-vulns/</link><pubDate>Tue, 21 Apr 2026 08:08:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-vulns/</guid><description>Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager allow a remote, anonymous, or local attacker to gain administrator privileges, bypass authentication, execute commands with Netadmin rights, read sensitive system information, and overwrite arbitrary files.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities exist within the Cisco Catalyst SD-WAN Manager software. These vulnerabilities can be exploited by remote, anonymous, or local attackers. Successful exploitation allows attackers to perform a range of malicious activities. These include escalating privileges to administrator level, circumventing authentication mechanisms, executing arbitrary commands with Netadmin-level privileges, accessing sensitive system information, and overwriting arbitrary files on the affected system. This poses a significant risk to organizations utilizing the SD-WAN Manager, potentially leading to complete compromise of the affected systems and the networks they manage. Given the centralized role of SD-WAN managers, a successful attack could have widespread consequences.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker reaches the Cisco Catalyst SD-WAN Manager interface, either over the network without credentials or from a low-privileged local account.</li>
<li>The attacker exploits an authentication vulnerability to bypass the normal login procedure.</li>
<li>The attacker exploits an elevation of privilege vulnerability to obtain administrator rights on the system.</li>
<li>Using a separate command execution flaw, the attacker runs commands with Netadmin rights on the underlying system.</li>
<li>The attacker reads sensitive system information, such as configuration files, user credentials, or network topology data.</li>
<li>The attacker exploits a file overwrite vulnerability to modify or replace critical system files with malicious versions.</li>
<li>The attacker uses the compromised SD-WAN Manager to push malicious configurations to other network devices.</li>
<li>The attacker achieves complete control over the SD-WAN network, potentially leading to data exfiltration, service disruption, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to a complete compromise of the Cisco Catalyst SD-WAN Manager. Given the critical role of SD-WAN managers in controlling and managing network infrastructure, this can have significant consequences. A successful attack could result in widespread network outages, data breaches, and the potential for further lateral movement within the network. While the exact number of potential victims is unknown, the widespread use of Cisco SD-WAN solutions suggests a potentially large impact. Targeted sectors include any organization relying on Cisco Catalyst SD-WAN Manager for network management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available security patches provided by Cisco for the SD-WAN Manager to remediate the vulnerabilities.</li>
<li>Implement strong access control measures to restrict access to the SD-WAN Manager interface.</li>
<li>Monitor network traffic for suspicious activity originating from or directed towards the SD-WAN Manager. Use the &ldquo;Detect Suspicious Outbound Connection from SD-WAN Manager&rdquo; Sigma rule to identify unusual network connections.</li>
<li>Enable and review audit logs on the SD-WAN Manager to detect unauthorized access attempts or configuration changes. Use the &ldquo;Detect Unauthorized Configuration Change via SD-WAN Manager&rdquo; Sigma rule.</li>
<li>Regularly back up the SD-WAN Manager configuration to facilitate recovery in the event of a successful attack.</li>
<li>Harden the SD-WAN Manager by disabling unnecessary services and features.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cisco</category><category>sdwan</category><category>vulnerability</category><category>privilege-escalation</category></item><item><title>Critical Certificate Validation Vulnerability in Cisco Webex Allows User Impersonation</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-webex-cert-bypass/</link><pubDate>Fri, 17 Apr 2026 09:19:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-webex-cert-bypass/</guid><description>A critical improper certificate validation vulnerability in Cisco Webex versions 39.6 through 45.4 (CVE-2026-20184) allows a remote, unprivileged attacker to impersonate users, gain unauthorized access, and join meetings without authorization, affecting confidentiality, integrity, and availability.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-20184, has been identified in the Single Sign-On (SSO) integration with Control Hub in Cisco Webex versions 39.6 through 45.4. The flaw is improper certificate validation: the service does not correctly verify the certificate backing an SSO token, so an unauthenticated, remote attacker can present a crafted token and be accepted as a legitimate user. Cisco Webex is a widely used cloud-based platform for video meetings and collaboration, and impersonation of its users exposes confidential meetings, messages and shared content and lets the attacker act on the victim&rsquo;s behalf, affecting confidentiality, integrity and availability. Public proof-of-concept or exploitation code is not yet available, but because no credentials are required, the vulnerability warrants immediate patching.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Cisco Webex instance running a version between 39.6 and 45.4.</li>
<li>The attacker crafts a malicious token designed to exploit the improper certificate validation flaw in the SSO with Control Hub.</li>
<li>The attacker connects to a Webex service endpoint, presenting the crafted token.</li>
<li>The vulnerable Webex instance fails to properly validate the certificate associated with the token.</li>
<li>The attacker is authenticated as a targeted user without providing valid credentials.</li>
<li>The attacker gains unauthorized access to the targeted user&rsquo;s sensitive information, including meeting schedules, contact lists, and potentially recorded meetings.</li>
<li>The attacker joins Webex meetings without authorization, potentially eavesdropping on confidential conversations or disrupting the meeting.</li>
<li>The attacker escalates privileges within the Webex environment by leveraging the compromised user&rsquo;s access rights, potentially gaining administrative control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20184 can lead to severe consequences. Attackers can impersonate any user within the Webex service, gaining unauthorized access to confidential meetings, sensitive data, and internal communications. This can result in a breach of confidentiality, integrity, and availability, potentially leading to significant financial losses, reputational damage, and legal liabilities. The number of affected organizations could be substantial given Webex&rsquo;s widespread use across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update all Cisco Webex deployments to a fixed release later than 45.4 to remediate CVE-2026-20184 (Reference: Cisco Security Advisory).</li>
<li>Increase monitoring and detection for unauthorized access within the Cisco Webex environment, as recommended by the CCB (Reference: CCB Advisory).</li>
<li>Implement the provided Sigma rule to detect suspicious authentication patterns indicative of exploitation attempts against Webex (Reference: Sigma rule - &ldquo;Webex Suspicious Authentication Pattern&rdquo;).</li>
<li>Review Webex access logs for logins from unexpected locations or devices, and compare Webex SSO sign-ins against the identity provider&rsquo;s own logs: a Webex session with no matching IdP authentication is what a forged token looks like (Reference: Webex access logs).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cisco</category><category>webex</category><category>sso</category><category>certificate-validation</category><category>user-impersonation</category><category>cve-2026-20184</category><category>cloud</category></item><item><title>Multiple Vulnerabilities in Cisco Unity Connection</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-unity-vulns/</link><pubDate>Thu, 16 Apr 2026 11:13:57 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-unity-vulns/</guid><description>Multiple vulnerabilities in Cisco Unity Connection can be exploited by an attacker to conduct cross-site scripting attacks, redirect users to malicious websites, manipulate data, and disclose confidential information.</description><content:encoded><![CDATA[<p>Cisco Unity Connection is susceptible to multiple vulnerabilities that can be exploited by malicious actors. Successful exploitation of these vulnerabilities could allow attackers to perform cross-site scripting (XSS) attacks, redirect users to attacker-controlled malicious websites, manipulate sensitive data, and achieve unauthorized disclosure of confidential information. The vulnerabilities affect Cisco Unity Connection, a unified communications platform. These vulnerabilities pose a significant risk to organizations relying on Cisco Unity Connection for voice messaging and unified communications. Defenders need to implement detection and prevention measures to mitigate potential attacks targeting these flaws.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Cisco Unity Connection server.</li>
<li>The attacker crafts a malicious URL or injects malicious code into a field accessible via the web interface.</li>
<li>A legitimate user accesses the crafted URL or interacts with the injected code through the Unity Connection web interface.</li>
<li>The attacker&rsquo;s script executes within the user&rsquo;s browser session (XSS).</li>
<li>The attacker uses the XSS vulnerability to redirect the user to a malicious website designed to harvest credentials or install malware.</li>
<li>Alternatively, the attacker leverages the vulnerability to manipulate data stored within Cisco Unity Connection, such as user profiles or configuration settings.</li>
<li>The attacker exploits the vulnerability to gain unauthorized access to sensitive information, such as user credentials, call logs, or system configurations.</li>
<li>The attacker uses the gathered information for further malicious activities, such as gaining unauthorized access to other systems or conducting fraudulent activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to a range of detrimental outcomes, including unauthorized access to sensitive data, manipulation of critical system configurations, and redirection of users to malicious websites. This can result in data breaches, financial losses, reputational damage, and disruption of communication services. While the exact number of potential victims is unknown, organizations utilizing vulnerable versions of Cisco Unity Connection are at risk. The impact spans various sectors that rely on this technology for unified communications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Inspect web server logs for unusual URL patterns or requests containing suspicious characters indicative of XSS attempts targeting Cisco Unity Connection interfaces.</li>
<li>Implement a web application firewall (WAF) with rules to detect and block common XSS attack vectors to protect Cisco Unity Connection web interfaces.</li>
<li>Monitor Cisco Unity Connection logs for any unauthorized modifications to user profiles or system configurations, which could indicate successful exploitation of data manipulation vulnerabilities.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious URI parameters in Cisco Unity Connection</code> to identify potential exploitation attempts in web server logs.</li>
</ul>
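<p>Both this brief and the Cisco IMC XSS brief above ask for web-log review for script payloads. The added example below (heuristic detection logic, not CraftedSignal&rsquo;s Sigma rule and not Cisco code) shows the two things such a rule needs that a plain string match lacks: parameter-by-parameter decoding, repeated so double-encoded payloads are seen as the server will see them, and a small set of indicator families so one payload produces one finding per family. The access-log lines are constructed in Apache/NGINX combined format, and the paths and parameter names are illustrative rather than real IMC or Unity Connection endpoints.</p>

```python
"""Heuristic reflected-XSS detection over web server access logs.

Added example, not CraftedSignal's Sigma rule: it shows the decoding and
matching such a rule needs when reviewing IMC or Unity Connection access logs.
The log lines are constructed in Apache/NGINX combined format; the paths and
parameter names are illustrative, not real IMC or Unity Connection endpoints.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicator families, each matched once per parameter so one payload does not
# flood the output.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon(error|load|mouseover|focus|click)\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("dom-sink", re.compile(r"document\.(cookie|location|write)|window\.location", re.I)),
    ("markup-injection", re.compile(r"<\s*(img|svg|iframe|body|a)\b[^>]*>", re.I)),
]


def normalize(value, rounds=3):
    """Percent- and entity-decode repeatedly: attackers double-encode to slip past
    single-pass filters, and the server decodes before reflecting."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_target(target):
    """Return [(parameter, indicator), ...] for one request target."""
    parts = urlsplit(target)
    findings = []
    # parse_qsl already does one round of percent-decoding; normalize() does the rest.
    fields = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields.append(("<path>", parts.path))  # payloads also land in path segments
    for key, raw in fields:
        text = normalize(raw)
        for name, pat in XSS_PATTERNS:
            if pat.search(text):
                findings.append((key, name))
    return findings


def detect(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = scan_target(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "findings": findings})
    return hits


SAMPLE_LOG = [  # constructed lines
    '203.0.113.5 - - [22/Apr/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Apr/2026:10:01:09 +0000] "GET /login?redirect=%2Fdashboard HTTP/1.1" 302 0',
    '198.51.100.7 - - [22/Apr/2026:10:02:11 +0000] "GET /search?q=<script>alert(document.cookie)</script> HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Apr/2026:10:02:15 +0000] "GET /profile?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1024',
    '198.51.100.9 - - [22/Apr/2026:10:03:00 +0000] "GET /login?redirect=javascript%3Aalert(1) HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(h["ip"], h["target"], h["findings"])
```

<p>Two caveats for production use: access logs normally record only the request line, so payloads sent in a POST body or a header are invisible to this check and need a reverse proxy or WAF log instead; and a hit proves an attempt, not success, so the response size and status of the same request, and any subsequent session activity from the victim&rsquo;s browser, are what distinguish a probe from an exploited user.</p>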
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco</category><category>unity-connection</category><category>vulnerability</category><category>xss</category><category>data-manipulation</category></item><item><title>Critical Authentication Bypass Vulnerability in Cisco Integrated Management Controller (CVE-2026-20093)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-auth-bypass/</link><pubDate>Fri, 03 Apr 2026 14:00:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-auth-bypass/</guid><description>An unauthenticated remote attacker can exploit CVE-2026-20093 to bypass authentication in Cisco Integrated Management Controller (IMC), gain full administrative access, and manipulate hardware settings, potentially disrupting critical infrastructure.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability, CVE-2026-20093, affects multiple versions of Cisco Integrated Management Controller (IMC) software. The vulnerability allows an unauthenticated remote attacker to bypass the login process and gain full administrative privileges on the affected system. This flaw stems from improper input validation (CWE-20). Exploitation grants the attacker the ability to change user passwords, manipulate hardware settings such as power cycling servers, and potentially use the compromised device to launch attacks on other systems within the network. The impacted product list is extensive, spanning multiple Cisco product lines, including the 5000 Series ENCS, Catalyst 8300 Series Edge uCPE, UCS C-Series M5/M6 Rack Servers, and UCS E-Series M3/M6. This vulnerability poses a significant threat to organizations relying on these systems for critical infrastructure management.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The unauthenticated attacker sends a specially crafted request to the Cisco IMC web interface.</li>
<li>The vulnerable IMC software fails to properly validate the request, allowing the attacker to bypass the authentication mechanism.</li>
<li>The attacker gains full administrative access to the IMC.</li>
<li>The attacker changes the password of an existing administrative user or creates a new administrative user.</li>
<li>The attacker logs in to the IMC with the newly acquired administrative credentials.</li>
<li>The attacker modifies hardware settings, such as power management configurations, potentially power cycling servers.</li>
<li>The attacker disrupts critical infrastructure managed by the compromised IMC.</li>
<li>The attacker uses the compromised device as a pivot point to launch further attacks against other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20093 grants an attacker complete control over the affected Cisco IMC. This can lead to severe consequences, including disruption of critical services, data breaches, and lateral movement within the network. Given the hardware-level access provided by IMC, attackers can manipulate physical infrastructure, leading to extended downtime and potential data loss. The CCB has assessed the risk of this vulnerability as high due to the ease of exploitation and the potential impact on confidentiality, integrity, and availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update all affected Cisco IMC instances to a fixed release to remediate CVE-2026-20093; check each platform (ENCS, Catalyst 8300 uCPE, UCS C-Series M5/M6, UCS E-Series M3/M6) against Cisco&rsquo;s affected software list.</li>
<li>Increase monitoring and detection for unauthorized access to Cisco IMC web interfaces (deploy the Sigma rules provided) and, because IMC is an out-of-band management controller, confirm it is reachable only from a dedicated management network rather than from user or internet-facing segments.</li>
<li>In case of an intrusion, report the incident via <a href="https://ccb.belgium.be/en/cert/report-incident">https://ccb.belgium.be/en/cert/report-incident</a>.</li>
</ul>
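<p>An authentication bypass leaves a characteristic gap in the audit trail: privileged actions that no login preceded. The added example below (not Cisco&rsquo;s code and not the Sigma rules referred to above) correlates a constructed IMC-style audit stream along the lines of the attack chain: a privileged action in a session with no <code>LOGIN_SUCCESS</code> (the bypass, steps 2 to 4), a login as a user shortly after that user&rsquo;s password was changed (step 5), and hardware-affecting actions (step 6). The line format <code>timestamp src_ip session ACTION key=value</code> and the action names are assumptions, not the real Cisco IMC audit log schema; map your own fields onto them.</p>

```python
"""Correlate IMC management-interface audit events to spot an authentication bypass.

Added example, not Cisco's or CraftedSignal's code. The line format
"timestamp src_ip session ACTION key=value ..." is constructed for the example
and is not the real Cisco IMC audit log format; map your own fields onto it.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<sess>\S+) (?P<action>[A-Z_]+)(?: (?P<detail>.*))?$")

# Actions that should only ever follow a successful login in the same session.
PRIVILEGED = {"PASSWORD_CHANGE", "USER_ADD", "USER_DELETE", "CONFIG_CHANGE", "POWER_CYCLE", "FIRMWARE_UPDATE"}
# Actions that touch the hardware the IMC fronts (the disruption step in the attack chain).
DISRUPTIVE = {"POWER_CYCLE", "FIRMWARE_UPDATE"}


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in (m["detail"] or "").split() if "=" in tok)
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"], "sess": m["sess"],
            "action": m["action"], "kv": kv}


def detect(lines, window=timedelta(minutes=15)):
    """Return alerts, oldest first. Three signals, matching the attack chain:
    a privileged action with no LOGIN_SUCCESS in that session (the bypass itself),
    a login shortly after that user's password was changed, and disruptive
    hardware actions."""
    authenticated = set()          # session ids that produced LOGIN_SUCCESS
    password_changes = []          # (ts, user) seen so far
    alerts = []
    for ev in filter(None, map(parse, lines)):
        action, user = ev["action"], ev["kv"].get("user")
        if action == "LOGIN_SUCCESS":
            authenticated.add(ev["sess"])
            for ts, changed in password_changes:
                if changed == user and timedelta(0) <= ev["ts"] - ts <= window:
                    alerts.append({**ev, "severity": "high",
                                   "reason": f"login as {user} {ev['ts'] - ts} after that password was changed"})
            continue
        if action in PRIVILEGED and ev["sess"] not in authenticated:
            alerts.append({**ev, "severity": "high",
                           "reason": f"{action} in session {ev['sess']} with no authentication event"})
        if action == "PASSWORD_CHANGE":
            password_changes.append((ev["ts"], user))
        if action == "USER_ADD" and ev["kv"].get("role") == "admin":
            alerts.append({**ev, "severity": "medium", "reason": f"new administrative account {user}"})
        if action in DISRUPTIVE:
            alerts.append({**ev, "severity": "medium", "reason": f"{action} on {ev['kv'].get('target', '?')}"})
    return alerts


SAMPLE_AUDIT = [  # constructed; 10.0.0.5 is the admin workstation, 198.51.100.23 the attacker
    "2026-04-03T09:00:01 10.0.0.5 sess-1001 LOGIN_SUCCESS user=admin",
    "2026-04-03T09:00:40 10.0.0.5 sess-1001 CONFIG_CHANGE item=ntp",
    "2026-04-03T11:12:03 198.51.100.23 sess-2042 PASSWORD_CHANGE user=admin",
    "2026-04-03T11:12:10 198.51.100.23 sess-2043 LOGIN_SUCCESS user=admin",
    "2026-04-03T11:13:00 198.51.100.23 sess-2043 USER_ADD user=svc_backup role=admin",
    "2026-04-03T11:14:30 198.51.100.23 sess-2043 POWER_CYCLE target=server1",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT):
        print(a["ts"].isoformat(), a["ip"], a["severity"].upper(), a["reason"])
```

<p>The first rule depends on the IMC recording the privileged action at all; if the bypassed request leaves no session record, the only trace is the resulting change, which is why the password-change-then-login rule is kept as an independent signal. Ship the IMC audit log to a collector over syslog before an incident, since an attacker with administrative access to the controller can clear its local log.</p>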
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authentication bypass</category><category>cisco</category><category>imc</category><category>cve-2026-20093</category></item><item><title>Cisco Smart Software Manager On-Prem RCE via Exposed API (CVE-2026-20160)</title><link>https://feed.craftedsignal.io/briefs/2024-02-cisco-ssm-rce/</link><pubDate>Wed, 01 Apr 2026 17:28:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-cisco-ssm-rce/</guid><description>CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending a crafted request to an exposed API.</description><content:encoded><![CDATA[<p>CVE-2026-20160 affects Cisco Smart Software Manager On-Prem (SSM On-Prem). The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This is due to the unintentional exposure of an internal service. The vulnerability was reported in April 2026. Successful exploitation allows for command execution with root-level privileges, making it a critical risk for organizations using the affected Cisco SSM On-Prem software. Defenders should apply available patches or mitigations immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an internet-facing Cisco Smart Software Manager On-Prem (SSM On-Prem) instance.</li>
<li>The attacker discovers the unintentionally exposed internal service through reconnaissance techniques such as port scanning and service enumeration.</li>
<li>The attacker crafts a malicious request specifically designed to exploit the exposed API endpoint of the internal service.</li>
<li>The attacker sends the crafted request to the vulnerable API endpoint of the exposed service.</li>
<li>The vulnerable SSM On-Prem software processes the malicious request without proper authentication or authorization checks.</li>
<li>The software executes arbitrary commands on the underlying operating system due to the exposed API.</li>
<li>The attacker gains root-level privileges on the SSM On-Prem host, allowing for full control of the system.</li>
<li>The attacker can then perform further malicious activities, such as data exfiltration, lateral movement, or installation of persistent backdoors.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20160 allows an attacker to execute arbitrary commands on the underlying operating system with root-level privileges. This could lead to complete compromise of the affected SSM On-Prem host. The attacker could exfiltrate sensitive data, disrupt services, or use the compromised system as a launchpad for further attacks within the network. Given the critical nature of software license management performed by SSM On-Prem, a successful attack could have significant operational and financial consequences.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch released by Cisco to address CVE-2026-20160 on all affected Cisco Smart Software Manager On-Prem (SSM On-Prem) instances.</li>
<li>Monitor web server logs for unusual API requests targeting Cisco Smart Software Manager On-Prem instances to detect potential exploitation attempts, using the &ldquo;Detect Cisco SSM On-Prem API Exploitation Attempt&rdquo; Sigma rule.</li>
<li>Implement network segmentation to limit the exposure of internal services and prevent unauthorized access from external networks.</li>
<li>Review access controls and authentication mechanisms for all internal services to ensure proper security configurations and prevent unintentional exposure.</li>
<li>Deploy the &ldquo;Detect Cisco SSM On-Prem Root Command Execution&rdquo; Sigma rule to detect suspicious process execution originating from the SSM On-Prem server.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-20160</category><category>cisco</category><category>ssm-on-prem</category><category>rce</category><category>webserver</category></item><item><title>Critical RCE Vulnerability in Cisco Catalyst SD-WAN Controller</title><link>https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-rce/</link><pubDate>Fri, 27 Feb 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-rce/</guid><description>A critical remote code execution vulnerability exists in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) due to improper authentication, allowing unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to network configuration manipulation.</description><content:encoded>&lt;p>A critical vulnerability, CVE-2026-20127, affects Cisco Catalyst SD-WAN Controllers. The vulnerability stems from an improper authentication mechanism, which can be exploited by unauthenticated remote attackers. Successful exploitation allows bypassing authentication and gaining administrative privileges. This access could allow the attacker to log in as a high-privileged, non-root user, gaining access to NETCONF, and enabling the manipulation of the SD-WAN fabric&amp;rsquo;s network configuration. The…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cisco</category><category>sd-wan</category><category>rce</category><category>vulnerability</category></item><item><title>Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability (CVE-2026-20133)</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/</link><pubDate>Fri, 19 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/</guid><description>Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.</description><content:encoded><![CDATA[<p>Cisco Catalyst SD-WAN Manager is susceptible to an information disclosure vulnerability, identified as CVE-2026-20133. The vulnerability allows unauthorized remote attackers to potentially gain access to sensitive information residing on affected systems. While the exact nature of the disclosed information isn&rsquo;t specified in the advisory, it could encompass configuration details, user credentials, or other sensitive data critical for the secure operation of the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance, highlighting the severity and urging immediate action. The directive impacts organizations utilizing Cisco SD-WAN devices and emphasizes the need for thorough risk assessment and implementation of provided mitigation strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Vulnerability Discovery:</strong> An attacker identifies a publicly accessible endpoint or API within the Cisco Catalyst SD-WAN Manager that is vulnerable to CVE-2026-20133.</li>
<li><strong>Unauthorized Request:</strong> The attacker crafts a malicious HTTP request targeting the vulnerable endpoint, exploiting the lack of proper authorization checks or input validation.</li>
<li><strong>Information Exposure:</strong> The SD-WAN Manager processes the request and, due to the vulnerability, inadvertently discloses sensitive information. This could be in the form of a file, database content, or API response.</li>
<li><strong>Data Extraction:</strong> The attacker captures the exposed data from the response, potentially including configuration files, usernames, passwords, or other sensitive credentials.</li>
<li><strong>Credential Compromise:</strong> The attacker uses the extracted credentials to gain unauthorized access to other systems within the SD-WAN environment or the broader network.</li>
<li><strong>Lateral Movement:</strong> Leveraging compromised credentials, the attacker moves laterally across the network, targeting critical systems and data.</li>
<li><strong>Data Exfiltration / System Compromise:</strong> The attacker exfiltrates sensitive data or achieves complete system compromise, depending on the attacker&rsquo;s objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20133 can lead to significant consequences, including the compromise of sensitive data, unauthorized access to critical systems, and potential disruption of network operations. Given the central role of SD-WAN managers in controlling network traffic and security policies, a successful attack can have a wide-ranging impact. The number of potentially affected organizations is substantial due to the widespread adoption of Cisco SD-WAN solutions. The impact can include data breaches, financial loss, reputational damage, and regulatory penalties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately assess your exposure to CVE-2026-20133 by following CISA’s Emergency Directive 26-03 mitigation instructions.</li>
<li>Apply the necessary patches or workarounds provided by Cisco to remediate the vulnerability as outlined in Cisco&rsquo;s security advisory.</li>
<li>If patches are unavailable or cannot be immediately applied, implement the hardening guidance provided in CISA’s “Hunt &amp; Hardening Guidance for Cisco SD-WAN Devices”.</li>
<li>For cloud-based deployments, adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.</li>
<li>Deploy the following Sigma rule to detect suspicious HTTP requests targeting potentially vulnerable endpoints of the Cisco Catalyst SD-WAN Manager.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>vulnerability</category><category>cisco</category><category>sd-wan</category></item></channel></rss>