Full Report
Cisco’s response to the latest SD-WAN and firewall defects has been fast, but the harder question is how long sophisticated actors had a head start, and what’s already compromised. Source: CyberScoop, “Cisco’s latest vulnerability spree has a more troubling pattern underneath”.
Analysis Summary
# Vulnerability: Cisco SD-WAN and Secure Firewall Management Exploit Campaign
## CVE Details
- **CVE IDs:**
- **SD-WAN:** CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133
- **Firewall Management Center (FMC):** CVE-2026-20079, CVE-2026-20131
- **CVSS Score:** Up to 10.0 (Critical)
- **CWE:** Not specified in the article. The SD-WAN advisory referenced below is an authentication-bypass advisory; the article otherwise describes the flaws only as management-plane and control-plane defects that grant unauthorized administrative access.
## Affected Systems
- **Products:** Cisco SD-WAN systems and Cisco Secure Firewall Management Center (FMC) software.
- **Versions:** Specific versions are not detailed in the text. The flaws sit in the management plane and control plane of these edge devices, so the exposed surface is the controller and management software rather than the forwarding path.
- **Configurations:** Systems with management interfaces exposed to the internet or untrusted networks are at highest risk.
## Vulnerability Description
The vulnerabilities represent a series of defects in Cisco’s network edge architecture. High-criticality flaws in Cisco FMC and SD-WAN allow attackers to bypass authentication or gain unauthorized access to management interfaces. Because these devices serve as "trust anchors" for enterprise environments, a compromise allows attackers to manipulate routing, segmentation, and security policies, or move laterally throughout the internal network.
## Exploitation
- **Status:** **Exploited in the wild.** Five of the nine vulnerabilities (CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131) have been confirmed as actively exploited.
- **Complexity:** Low (Pre-authentication paths into the system).
- **Attack Vector:** Network.
- **Notable Actor:** **Interlock Ransomware** has been observed exploiting CVE-2026-20131 since January 2026, over a month before public disclosure.
## Impact
- **Confidentiality:** Total (Full access to management policies and network visibility).
- **Integrity:** Total (Ability to modify routing and security segmentation).
- **Availability:** Total (ransomware deployment through the compromised management plane, and loss of control over the devices it manages).
## Remediation
### Patches
- Cisco has released security updates for affected SD-WAN and FMC software versions. Specific patch version numbers are available via the official Cisco Security Advisories.
### Workarounds
- Restrict access to management interfaces (FMC and SD-WAN controllers) to trusted IP addresses only; this is the primary mitigation, since every exploited flaw is reached over the network. Internet-facing management interfaces should be assumed exposed until patched.
- Enforce Multi-Factor Authentication (MFA) where applicable. Note that MFA raises the cost of credential-based access but does not mitigate an authentication-bypass flaw, which never reaches the authentication step; it is a complement to patching and network restriction, not a substitute.
- Disable unnecessary services on the management plane to reduce the reachable attack surface.
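To make the first workaround concrete, the following is an added example (not Cisco configuration and not code from the article) that evaluates a generic first-match management-plane access list and lints it for the common mistake of permitting a management port from anywhere. The rule syntax, the port set and the sample networks are assumptions chosen for illustration; the point is that an allowlist is only as good as its broadest permit.

```python
"""Evaluate a first-match management-plane access list and flag permits
that expose management ports to overly broad sources.

Added example. The rule format is a generic (action, source CIDR, ports)
tuple, not Cisco ACL syntax; networks and ports are assumed values.
"""
import ipaddress

# Assumed management ports on the controller / FMC (SSH and HTTPS).
MGMT_PORTS = {22, 443}

# Weak policy: the first rule opens the management UI to the whole internet,
# so the narrow permit below it never restricts anything.
WEAK_ACL = [
    ("permit", "0.0.0.0/0", {443}),
    ("permit", "10.0.5.0/24", {22, 443}),
    ("deny", "0.0.0.0/0", None),
]

# Hardened policy: only the assumed NOC / jump-host network and one
# monitoring collector may reach management ports; everything else is denied.
HARDENED_ACL = [
    ("permit", "10.0.5.0/24", {22, 443}),
    ("permit", "10.0.9.10/32", {443}),
    ("deny", "0.0.0.0/0", None),
]


def compile_acl(rules):
    """Turn CIDR strings into ip_network objects; ports None means any port."""
    return [(action, ipaddress.ip_network(net), ports) for action, net, ports in rules]


def evaluate(rules, src, port):
    """First matching rule wins; if nothing matches, deny (implicit deny)."""
    ip = ipaddress.ip_address(src)
    for action, net, ports in compile_acl(rules):
        if ip in net and (ports is None or port in ports):
            return action == "permit"
    return False


def lint_exposure(rules, ports=MGMT_PORTS, min_prefixlen=8):
    """Report permit rules that reach a management port from a source
    broader than /min_prefixlen. Broad permits ahead of the allowlist are
    the usual reason an 'allowlisted' management plane is still internet-reachable."""
    problems = []
    for idx, (action, net, rule_ports) in enumerate(compile_acl(rules)):
        reached = ports if rule_ports is None else ports & rule_ports
        if action == "permit" and reached and net.prefixlen < min_prefixlen:
            problems.append(f"rule {idx}: permits ports {sorted(reached)} from {net}")
    return problems


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        internet_ok = evaluate(acl, "203.0.113.44", 443)
        noc_ok = evaluate(acl, "10.0.5.12", 443)
        print(f"{name}: internet->443 {'ALLOWED' if internet_ok else 'denied'}, "
              f"NOC->443 {'allowed' if noc_ok else 'DENIED'}")
        for p in lint_exposure(acl):
            print(f"  exposure: {p}")
```

Run the lint against the exported management-plane policy before and after applying the restriction; an empty report from `lint_exposure` plus a denied result for a known external address is the check that the workaround actually took effect.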
## Detection
- **Indicators of Compromise:** Look for unexplained administrative logins and changes to routing, segmentation or firewall policies. Because exploitation of CVE-2026-20131 began in January 2026, before public disclosure, review logs back to at least that point rather than only from the patch date. Amazon Threat Intelligence has identified Interlock ransomware activity associated with these exploits.
- **Detection methods and tools:**
- Review CISA Emergency Directive (ED 26-03) for specific hunting requirements.
- Monitor for unusual outbound traffic from firewall management interfaces.
- Use Cisco’s built-in logging to audit management-plane access. Administrative sessions with no corresponding successful authentication event are the signature of an authentication bypass, so correlate session activity with login records rather than relying on failed-login counts alone.
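The hunting logic above, as an added example that is not part of the article and does not use Cisco’s real log format: the audit events below are constructed in a simple pipe-delimited form, the trusted management network, the set of accounts allowed to change policy and the disclosure date are hypothetical, and the script flags logins from outside the management allowlist, configuration changes from untrusted sources or unexpected accounts, and marks anything that predates disclosure as falling inside the head-start window the article warns about.

```python
"""Hunt constructed management-plane audit events for unauthorized
administrative access and policy changes.

Added example. Event format, network ranges, account names and the
disclosure date are assumptions, not Cisco's log format or real data.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample events: timestamp|source_ip|user|action|detail
SAMPLE_EVENTS = """\
2026-01-14T02:13:55Z|203.0.113.44|admin|login|result=success
2026-01-14T02:15:02Z|203.0.113.44|admin|policy_change|object=access-policy name=corp-edge
2026-01-14T02:16:40Z|203.0.113.44|admin|route_change|prefix=10.20.0.0/16
2026-02-03T09:00:10Z|10.0.5.12|netops|login|result=success
2026-02-03T09:05:00Z|10.0.5.12|netops|policy_change|object=access-policy name=corp-edge
2026-03-02T22:41:09Z|10.0.5.30|svc_backup|policy_change|object=access-policy name=dmz
"""

# Assumed environment facts.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
CHANGE_ACCOUNTS = {"admin", "netops"}
CONFIG_ACTIONS = {"policy_change", "route_change"}
# Placeholder for the vendor's public disclosure date; the article only says
# Interlock activity began in January 2026, over a month before disclosure.
DISCLOSURE_DATE = datetime(2026, 2, 25, tzinfo=timezone.utc)


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, action, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": ipaddress.ip_address(src),
            "user": user,
            "action": action,
            "detail": detail,
        })
    return events


def from_trusted_net(ip, nets=TRUSTED_MGMT_NETS):
    return any(ip in net for net in nets)


def hunt(events, nets=TRUSTED_MGMT_NETS, change_accounts=CHANGE_ACCOUNTS,
         disclosure=DISCLOSURE_DATE):
    """Return one finding per suspicious condition, in event order."""
    findings = []
    for e in events:
        reasons = []
        if e["action"] == "login" and "result=success" in e["detail"] \
                and not from_trusted_net(e["src"], nets):
            reasons.append("successful login from outside management allowlist")
        if e["action"] in CONFIG_ACTIONS:
            if not from_trusted_net(e["src"], nets):
                reasons.append("configuration change from untrusted source")
            if e["user"] not in change_accounts:
                reasons.append("configuration change by non-change account")
        for reason in reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "src": str(e["src"]),
                "user": e["user"],
                "action": e["action"],
                "reason": reason,
                # Activity before disclosure is the head-start window;
                # it must not be assumed benign just because it predates the patch.
                "pre_disclosure": e["ts"] < disclosure,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        tag = " [PRE-DISCLOSURE]" if f["pre_disclosure"] else ""
        print(f"{f['ts']} {f['src']:<15} {f['user']:<11} {f['action']:<14} {f['reason']}{tag}")
```

Feed the same logic with exported controller and FMC audit logs after mapping their fields onto the five columns; the rules deliberately depend only on source address, account and action type so that they survive differences in vendor log formats.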
## References
- **Vendor Advisories:**
- hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- **Relevant Links:**
- hxxps://www[.]cisa[.]gov/news-events/directives/v1-ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- hxxps://aws[.]amazon[.]com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
- hxxps://cyberscoop[.]com/cisco-firewall-sd-wan-vulnerabilities-exploited/