Detect Large ICMP Traffic
2 rules, 1 TTP
This analytic identifies ICMP traffic to external IP addresses with total bytes greater than 1,000 bytes, leveraging the Network_Traffic data model to detect potential information smuggling, covert communication, or command-and-control (C2) activities.

Prohibited Network Traffic Allowed
2 rules, 1 TTP
This analytic detects instances where prohibited network traffic is allowed, highlighting potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration, ultimately allowing attackers to bypass network defenses.

Cisco Privileged Account Creation with Suspicious SSH Activity
3 rules, 2 TTPs
This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or sshd_operns, indicating persistence establishment following initial compromise.

Cisco Privileged Account Creation Followed by HTTP Command Execution
1 rule, 3 TTPs
Attackers create privileged accounts on Cisco IOS devices and then execute commands remotely via HTTP to gain privileged access.

Cisco Secure Firewall - High Volume of Intrusion Events Per Host
2 rules, 3 TTPs
This analytic uses Cisco Secure Firewall Threat Defense logs to detect internal systems generating an unusually high volume of intrusion detections within a 30-minute window, identifying hosts that trigger more than 15 Snort-based signatures, which may indicate suspicious activity such as malware execution, command-and-control communication, vulnerability scanning, or lateral movement.

Cisco Secure Workload Unauthorized API Access Vulnerability
1 rule
Cisco Secure Workload versions 3.9 and prior, versions prior to 3.10.8.3, and versions prior to 4.0.3.17 are vulnerable to unauthorized API access, requiring an urgent update.

Splunk Enterprise and Cloud Platform Information Disclosure Vulnerability (CVE-2026-20239)
2 rules, 2 TTPs, 1 CVE
Splunk Enterprise and Cloud Platform versions prior to 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13 are vulnerable to information disclosure (CVE-2026-20239), allowing users with access to the `_internal` index to view sensitive data.

Cisco ThousandEyes Enterprise Agent BrowserBot Command Injection Vulnerability
2 rules, 1 TTP
CVE-2026-20206 describes a command injection vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent where an authenticated remote attacker with transaction test management privileges could execute arbitrary commands within the BrowserBot container as the node user.

Cisco ThousandEyes Virtual Appliance Authenticated Remote Code Execution Vulnerability
2 rules, 1 TTP
CVE-2026-20199: A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user.

Cisco Secure Workload Unauthorized API Access Vulnerability
2 rules, 1 TTP
CVE-2026-20223: An unauthenticated, remote attacker can access Cisco Secure Workload site resources with Site Admin privileges by sending a crafted API request, due to insufficient validation and authentication of REST API endpoints.

Cisco Nexus 3000 and 9000 Series Switches BGP Denial of Service Vulnerability
2 rules, 1 TTP
CVE-2026-20171 describes a vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 and 9000 Series Switches that could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial-of-service (DoS) condition.

Q1 2026 Malware Trends: Ransomware and Miners
2 rules, 2 TTPs, 1 CVE
Kaspersky's Q1 2026 report highlights trends in malware targeting Windows, macOS, and IoT devices, including the exploitation of CVE-2026-20131 in Cisco Secure FMC firewalls and the rise of new ransomware variants and mining activities.

Cisco Catalyst SD-WAN Controller Vulnerability Allows Privilege Escalation
2 rules, 1 TTP
A remote, anonymous attacker can exploit a vulnerability in the Cisco Catalyst SD-WAN Controller to gain administrator rights and manipulate the network configuration.

EvilTokens PhaaS Platform Leverages AI for Device Code Phishing Attacks
2 rules, 2 TTPs, 2 IOCs
The EvilTokens phishing-as-a-service (PhaaS) platform sold on Telegram is capable of launching device code phishing attacks at scale, leveraging AI to generate convincing and personalized lures, enabling aspiring cybercriminals to bypass traditional security measures, including MFA.

Cisco Catalyst SD-WAN Manager Multiple Vulnerabilities
2 rules, 2 TTPs
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager could allow a remote attacker to gain access to sensitive information, elevate privileges, or gain unauthorized access to the application.

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
2 rules, 2 TTPs
A vulnerability in the peering authentication of Cisco Catalyst SD-WAN Controller and Manager (CVE-2026-20182) could allow a remote, unauthenticated attacker to bypass authentication and obtain administrative privileges by sending crafted requests.

Process Created with an Elevated Token via Token Theft
2 rules, 1 TTP
This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.

Manipulation of Vision-Language Models via Imperceptible Image Perturbations
2 rules, 1 TTP
Cisco researchers discovered that attackers can manipulate vision-language models (VLMs) by using pixel-level perturbations in images to embed malicious instructions, which are unreadable by humans but interpreted by AI, leading to potential data exfiltration or other unauthorized actions.

Cisco Crosswork Network Controller and Network Services Orchestrator Connection Exhaustion Denial of Service
2 rules, 1 TTP
An unauthenticated remote attacker can cause a denial-of-service condition on Cisco Crosswork Network Controller and Network Services Orchestrator by exhausting connection resources via a high volume of connection requests.

Cisco Unity Connection Multiple Vulnerabilities
2 rules, 2 TTPs
Multiple vulnerabilities in Cisco Unity Connection allow an attacker to execute arbitrary code with administrator privileges or perform Server-Side Request Forgery (SSRF) attacks.

Cisco Releases Security Advisories for Multiple Products
3 rules, 3 TTPs
Cisco released security advisories on May 6, 2026, addressing vulnerabilities including remote code execution, server-side request forgery, and denial of service in Crosswork Network Controller, IoT Field Network Director, Network Services Orchestrator, SG350/SG350X Managed Switches, and Unity Connection.

Cisco Unity Connection Remote Code Execution and Server-Side Request Forgery Vulnerabilities
2 rules, 1 TTP
Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to execute arbitrary code or conduct server-side request forgery (SSRF) attacks.

Cisco Slido Insecure Direct Object Reference Vulnerability
2 rules, 1 TTP
An insecure direct object reference in Cisco Slido's REST API could have allowed an authenticated remote attacker to access social profile data or affect quiz/poll results.

Cisco SG350 and SG350X Series Managed Switches SNMP Denial-of-Service Vulnerability
2 rules, 1 TTP
A remote, authenticated attacker can cause a denial-of-service condition on vulnerable Cisco SG350 and SG350X Series Managed Switches by sending a crafted SNMP request due to improper error handling.

Cisco Prime Infrastructure Information Disclosure Vulnerability
2 rules, 3 TTPs
Cisco Prime Infrastructure contains an information disclosure vulnerability that allows authenticated remote attackers to download arbitrary log files due to insufficient authorization checks.

Cisco IoT Field Network Director Multiple Vulnerabilities
3 rules, 4 TTPs
Multiple vulnerabilities in Cisco IoT Field Network Director Software could allow an authenticated, remote attacker to access files, execute commands, and cause denial-of-service (DoS) conditions on managed routers.

Cisco Identity Services Engine Authentication Bypass Vulnerabilities
2 rules, 1 TTP
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow a remote attacker to bypass authorization mechanisms or examine error messages to gain access to sensitive information.

Cisco Enterprise Chat and Email Lite Agent File Upload Vulnerability
2 rules, 1 TTP
An authenticated attacker with agent privileges can upload malicious files to Cisco Enterprise Chat and Email (ECE) via the Lite Agent feature, leading to potential browser-based attacks against other users.

Phone Number Reuse in Scam Email Campaigns
2 rules, 1 TTP, 2 IOCs
Talos has begun tracking phone numbers in emails as indicators of compromise, revealing insights into their reuse in scam campaigns where attackers use API-driven VoIP services for cost-effective operations, rotating phone number blocks to evade security filters, and maximizing reach by recycling numbers across diverse lures.

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities
2 rules, 1 TTP, 2 CVEs
Multiple stored cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject malicious code into specific pages of the interface, leading to arbitrary script execution or sensitive information access.

Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution
2 rules, 4 TTPs, 3 CVEs
Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.

UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices
2 rules, 2 TTPs, 2 CVEs, 2 IOCs
UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor, which allows remote access and control by injecting malicious shellcode into the LINA process.

Cisco Integrated Management Controller (IMC) Multiple XSS Vulnerabilities
2 rules, 1 TTP, 5 CVEs
Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.

China-Nexus Cyber Actors Using Covert Networks of Compromised Devices
2 rules, 4 TTPs
China-nexus cyber actors are increasingly using large-scale networks of compromised devices, including SOHO routers and IoT devices, to obscure the origin of their attacks and conduct various malicious activities, from reconnaissance to data exfiltration.

Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)
2 rules, 1 TTP, 1 CVE
Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.

Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
2 rules, 2 TTPs, 1 CVE
Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface, allowing an attacker to upload a malicious file and overwrite arbitrary files to gain vmanage user privileges.

Persistence via Windows Installer (Msiexec)
3 rules, 3 TTPs
Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

Suspicious Child Processes from Communication Applications
3 rules, 3 TTPs
The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.

Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability (CVE-2026-20133)
2 rules, 1 TTP, 1 CVE
Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.

Cisco ASA Logging Message Suppression
2 rules, 1 TTP
Detection of 'no logging message' command usage on Cisco ASA devices, potentially indicating an adversary suppressing security-critical log events to evade detection.

Cisco 802.1X (dot1x) Disabled on Network Interface
2 rules, 2 TTPs
Detection of manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface, potentially allowing unauthorized network access and lateral movement.

Suspicious Process Access via Direct System Call
2 rules, 3 TTPs
Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.

Suspicious MSIExec Remote Download
2 rules, 2 TTPs
The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.

Windows Remote Desktop Network Bruteforce Attempt
2 rules, 1 TTP
This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP activity and flagging source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.

Suspicious LSASS Process Access
3 rules, 1 TTP
This rule identifies suspicious access attempts to the LSASS process, which may indicate credential dumping, by filtering out legitimate processes and access patterns to focus on anomalies.

Startup or Run Key Registry Modification
3 rules, 2 TTPs
Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.

Potential Masquerading as Communication Apps
2 rules, 3 TTPs
Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook, and Thunderbird.

Potential Lateral Tool Transfer via SMB Share
2 rules, 2 TTPs
The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.

Outbound SMB Traffic Detection
2 rules, 1 TTP
This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.

Detection of Suspicious Cisco Configuration Changes via Archive Logging
3 rules, 2 TTPs, 1 CVE
This analytic detects suspicious configuration changes on Cisco devices by analyzing archive logs for activities such as backdoor account creation, SNMP community string modifications, and TFTP server configurations, potentially indicating attacker presence and lateral movement.

Detection of Attacker Tools on Endpoints
2 rules, 3 TTPs
This analytic detects the execution of attacker tools used for unauthorized access, network scanning, privilege escalation, password dumping, or data exfiltration, based on process activity data from EDR agents and focusing on known attacker tool names.

Cisco Secure Endpoint Uninstallation via SFC Utility
2 rules
The sfc.exe utility is used with the "-u" parameter to uninstall Cisco Secure Endpoint components, potentially disabling endpoint protection and facilitating further exploitation.

Cisco Secure Endpoint Tampering via SFC Utility
2 rules
The sfc.exe utility is being used with the '-unblock' parameter, a feature within Cisco Secure Endpoint, to remove system blocks imposed by the endpoint protection, potentially indicating an attempt to bypass security measures and execute blocked malicious payloads.

Cisco Secure Endpoint Tampering via SFC Utility
2 rules, 1 TTP
An attacker attempts to disable the Immunet Protect service of Cisco Secure Endpoint by leveraging the `sfc.exe` utility with the `-k` parameter, potentially blinding the EDR for further compromise.

Cisco ASA Logging Filters Configuration Tampering
2 rules, 1 TTP
Tampering with logging filter configurations on Cisco ASA devices can allow attackers to evade detection by reducing logging levels or disabling specific log categories.

Cisco ASA Logging Disabled via CLI
2 rules
Detection of disabled logging functionality on a Cisco ASA device via CLI commands, indicating potential defense evasion by adversaries.

Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability
2 rules, 1 TTP, 1 CVE
A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in the cipher implementation.

Masquerading Business Application Installers
2 rules, 4 TTPs
Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.

Large ICMP Traffic Detection
2 rules, 1 TTP
This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.