Cisco customers have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February, and researchers say that five of the nine vulnerabilities Cisco disclosed in its firewalls and SD-WAN systems over the past three weeks have already been exploited in the wild. 

Attackers exploited a pair of these defects — zero-day vulnerabilities in Cisco SD-WANs — for at least three years before the vendor and authorities discovered and issued warnings about the threat. Cisco disclosed an additional five SD-WAN vulnerabilities that same day, and three of those defects have since been confirmed actively exploited as well.

Weaknesses lurking in Cisco security products don’t end there. Amazon Threat Intelligence on Wednesday said one of the two max-severity defects Cisco reported in its firewall management software earlier this month has been actively exploited by Interlock ransomware since Jan. 26, more than a month before those vulnerabilities were publicly disclosed.

Some organizations, officials and members of the security community at large have missed widening risks as more of the defects come under attack. The flurry of Cisco SD-WAN and firewall vulnerabilities includes defects with low CVSS ratings, zero-days and others that were determined actively exploited after disclosure.

“These are not random bugs in low-value software. These are management-plane and control-plane weaknesses in devices at the network edge, which often function as trust anchors in enterprise environments,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop.

“If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment,” he added. “Attackers know that and, when they find a pre-auth path into those systems, especially one that can be chained to root, that’s about as attractive as it gets.”

The full slate of recently disclosed Cisco vulnerabilities affecting these systems include:

• SD-WAN vulnerabilities: CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129 and CVE-2026-20133
• Cisco Secure Firewall Management Center software vulnerabilities: CVE-2026-20079 and CVE-2026-20131

Researchers from multiple firms and Cisco have observed or been notified of active exploitation of CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131.

The Cybersecurity and Infrastructure Security Agency has only added two of the defects — CVE-2022-20775 and CVE-2026-20127 — to its known exploited vulnerabilities catalog thus far. The agency, which last week added new hunting and reporting requirements to an emergency directive it issued for the defects in late February, did not answer questions about the updated order or explain why other actively exploited Cisco vulnerabilities haven’t been added to the catalog. The agency has been operating under a funding shutdown since February.

Interlock ransomware hits Cisco firewalls

The ongoing ransomware campaign Amazon Threat Intelligence spotted involving CVE-2026-20131 confirmed “Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” researchers said Wednesday.

Interlock’s observed attack path and operations are extensive, including post-compromise reconnaissance scripts, custom remote access trojans, a webshell and legitimate tool abuse. Amazon did not identify specific victims, and said the group threatens organizations with data encryption, regulatory fines and compliance valuations.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon Threat Intelligence researchers said in the blog post. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care and government entities. 

4 Cisco SD-WAN defects under attack

The swarm of vulnerabilities in Cisco SD-WANs poses additional risk for customers. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to UAT-8616, but it’s unclear if the same threat group is responsible for all of the Cisco SD-WAN exploits. 

“Other threat groups are likely to pick up public research in order to weaponize or adapt it opportunistically, so we may see follow-on attempts by additional threat actors, including low-skilled attackers,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.

Researchers said vulnerabilities are often disclosed in clusters after a meaningful defect is identified in a specific product, such as Cisco’s SD-WAN systems.

Cisco declined to answer questions and said customers can find the latest information on its security advisories page.

Condon and McKee both noted that Cisco has been responsive in releasing software fixes, threat-hunting intelligence and, in the case of the SD-WAN zero-days, coordinated government guidance. 

“This is what a good crisis response is supposed to look like once exploitation is identified,” McKee said. 

“The harder question is whether the industry is getting early-enough visibility into the defects in edge-management software that sophisticated actors are clearly prioritizing,” he added. “Are our organizations equipped with the right people and tools to perform this level of exposure management?”

The expanding exploits Cisco customers are combating on firewalls and SD-WANs is a reminder that organizations shouldn’t deprioritize less notorious vulnerabilities or those with lower CVSS scores, Condon said. 

“Several of the exploited vulnerabilities in this tranche of Cisco SD-WAN bugs don’t have critical CVSS scores, meaning teams using CVSS as a prioritization mechanism might miss medium- or high-scored flaws that still have real-world adversary utility,” she added.

The attacks also collectively reflect a persistent pattern of attackers targeting network edge systems from multiple vendors, including Cisco.

“Attackers continue to treat network edge and management infrastructure as prime real estate, and when defenders see pre-authentication, management-plane flaws with evidence of pre-disclosure exploitation, they need to assume compromise, not just exposure,” McKee said. 

“Attackers are investing time and capability into finding and operationalizing previously unknown defects in Cisco edge and management infrastructure because the payoff is enormous,” he added. “These platforms give you a privileged position, broad visibility, and a path to durable access inside high-value organizations. That’s exactly why they keep getting hit.”

The post Cisco’s latest vulnerability spree has a more troubling pattern underneath appeared first on CyberScoop.

Attackers have been exploiting a pair of zero-day vulnerabilities in Cisco’s network edge software for at least three years, and the global campaign is ongoing, authorities said across a series of warnings released Wednesday.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive about the global attacks and issued joint guidance with the Five Eyes to help defenders respond and hunt for evidence of compromise.

This marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. Both campaigns resulted in CISA emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were identified.

Authorities refrained from attributing the attacks to any nation state or threat group. Cisco Talos researchers assigned the exploits and post-compromise activity to UAT-8616, which they only described as a “highly sophisticated threat actor.”

The activity cluster’s “attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors to establish persistent footholds into high-value organizations including critical infrastructure sectors,” Cisco Talos said in a threat advisory.

Malicious activity linked to this campaign is far reaching and attackers have exploited vulnerabilities in targeted systems to access and potentially compromise federal networks, Nick Andersen, CISA’s executive assistant director for cybersecurity, said during a media briefing Wednesday. 

Andersen declined to say when CISA was first aware of this activity and did not provide details about potential victims, adding that officials are working through the beginning stages of mitigation.

In the jointly issued threat hunt guide, the Five Eyes said all members were aware that the most recent zero-day — CVE-2026-20127 — was identified and confirmed actively exploited in late 2025. Officials and Cisco did not explain why it took at least two months to disclose and patch the vulnerability, and share emergency mitigation guidance. 

Attackers are gaining full control of a system in a chain by exploiting CVE-2026-20127 to bypass authentication, then downgrading software to a version vulnerable to CVE-2022-20775 to escalate privileges, said Douglas McKee, director of vulnerability intelligence at Rapid7.

“That second step allows them to move from administrative control to root on the underlying operating system. That downgrade step shows deliberate knowledge of product versioning and patch history,” he told CyberScoop. “This is not opportunistic scanning. This is structured tradecraft.”

CISA added CVE-2022-20775 and CVE-2026-20127 to its known exploited vulnerabilities catalog Wednesday.

The three-year gap between known initial attacks and detected exploitation of the zero-days showcases the attackers’ surgical use of vulnerabilities and the highly targeted nature of their campaign, said Ben Harris, founder and CEO of watchTowr. 

The timeline and known attack path also indicates operational discipline that allowed attackers to maintain long-term access in critical network infrastructure without triggering alarms, McKee said. Those activities align “more closely with state-sponsored espionage tradecraft than financially motivated crime,” he added.

CISA’s emergency directive requires federal agencies to take inventory of all vulnerable Cisco SD-WAN systems, collect logs from those systems, apply Cisco’s security updates, hunt for evidence of compromise and follow Cisco’s guidance by Friday. 

The latest campaign targeting Cisco network edge technology shares many similarities with another string of attacks officials and Cisco warned about in September. Those attacks, which involved at least two actively exploited zero-days, were underway for at least a year before they were first discovered in May. 

Cisco did not answer questions about any potential connections between the campaigns. The vendor and officials have also thus far avoided sharing any details about what occurred behind the scenes during these sustained attacks.

A spokesperson for Cisco urged customers to upgrade software and follow guidance from its advisory. 

Unfortunately, it’s too late for some Cisco SD-WAN customers to patch, Harris said. “Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously.”

The post Governments issue warning over Cisco zero-day attacks dating back to 2023 appeared first on CyberScoop.