{"id":241086,"date":"2026-07-07T12:59:00","date_gmt":"2026-07-07T16:59:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/07\/sophisticated-threat-campaign-pushes-cisco-to-the-very-edge\/"},"modified":"2026-07-07T13:05:08","modified_gmt":"2026-07-07T17:05:08","slug":"sophisticated-threat-campaign-pushes-cisco-to-the-very-edge","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/07\/sophisticated-threat-campaign-pushes-cisco-to-the-very-edge\/","title":{"rendered":"Sophisticated threat campaign pushes Cisco to the very edge"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/sophisticated-threat-campaign-pushes-cisco-to-the-very-edge\/824569\/\">Sophisticated threat campaign pushes Cisco to the very edge<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/sophisticated-threat-campaign-pushes-cisco-to-the-very-edge\/824569\/\">https:\/\/www.cybersecuritydive.com\/news\/sophisticated-threat-campaign-pushes-cisco-to-the-very-edge\/824569\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-07 12:59:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>For decades, Cisco has positioned itself as a leader in network infrastructure. The company is one of the top providers of secure networking equipment that businesses and governments depend on. In recent months, that dominance is proving to be the company\u2019s Achilles\u2019 heel.\u00a0<br \/>\nSince early 2026, security researchers have been tracking an ongoing series of attacks targeting vulnerabilities in Cisco SD-WAN. Those attacks appear to have impacted key government sites and critical infrastructure providers and have raised the anxiety level of authorities across the globe.<\/p>\n<p>\u201cEdge infrastructure remains one of the highest-value targets in enterprise security,\u201d said Douglas McKee, director of vulnerability intelligence at Rapid7. \u201cIf you compromise SD-WAN or firewall management, you\u2019re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment.\u201d<br \/>\nCisco environments have become an increasingly important target by state-nexus and other top threat actors in recent years, due, in part, to the wide use of these tools in the most sensitive government and enterprise networks in the world.<\/p>\n<p>By the numbers<\/p>\n<p>\u00a0<br \/>\n39 million<br \/>\nNetworking devices connected to Cisco platform<\/p>\n<p>\u00a0<br \/>\n1 billion<br \/>\nClients connected monthly<\/p>\n<p>\u00a0<br \/>\n750 billion<br \/>\nSecurity events observed daily<\/p>\n<p>During the 2024 campaign by China-nexus actor Salt Typhoon, the attacks leveraged access to Cisco devices to reach into major telecommunications providers.<br \/>\nThreats to critical sectors<br \/>\nThe Cybersecurity and Infrastructure Security Agency in February issued an emergency directive warning that a threat actor was targeting an authentication bypass vulnerability, tracked as CVE-2026-20127, and a privilege-escalation flaw, tracked as CVE-2026-20775, in Cisco Catalyst SD-WAN systems.\u00a0<br \/>\nCisco Talos researchers in May said an authentication bypass vulnerability, tracked as CVE-2026-20182, was being targeted by a sophisticated threat actor tracked as UAT-8616.\u00a0<br \/>\nOther threat actors chained together three vulnerabilities in Cisco Catalyst SD-WAN Manager, which allowed attackers to gain access to the device, Cisco Talos said. The chained vulnerabilities, CVE-2026-20133, CVE-2026-20122 and CVE-2026-20128, led to the release of web shells that allowed attackers to execute bash commands on a device.<\/p>\n<p>Edge infrastructure remains one of the highest-value targets in enterprise security.<\/p>\n<p>Douglas McKee<br \/>\nDirector of vulnerability intelligence, Rapid7<\/p>\n<p>Cisco products are frequently targeted due to their widespread use in government and enterprise networks, Jonathan Forest, a VP analyst at Gartner, said.\u00a0<\/p>\n<p>A software-defined wide-area network is a virtual technology used to connect various business locations, including cloud environments, data centers and branch locations. In an SD-WAN environment, users get a combination of efficient routing, security and load balancing.\u00a0<br \/>\nCisco Catalyst SD-WAN is often implemented in a customer\u2019s own environment, which means customer security teams are largely responsible for patching their own software.\u00a0<br \/>\n\u201cThe result can be delays in patching and vulnerabilities being exposed for an extended time, leaving it open for attackers,\u201d said Forest.\u00a0<br \/>\nBecause Cisco products are so widely deployed, there\u2019s a lot riding on their resilience and security.<br \/>\n\u201cDue to that prevalence, their products often come under increased attack, since a single flaw can result in access to tons of downstream high-profile customers,\u201d said TJ Sayers, senior director of threat intelligence at the Center for Internet Security.\u00a0<br \/>\nCritical services<br \/>\nHospitals and other healthcare facilities are highly dependent on technology provided by SD-WAN. They often rely upon distributed networks where a central hospital is connected to an off-site health clinic or data center, or use a cloud platform.\u00a0<br \/>\n\u201cWhen critical vulnerabilities emerge repeatedly in wide-area network infrastructure, it puts immense pressure on health sector IT security teams and the stakes are high,\u201d Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center, told Cybersecurity Dive.<br \/>\n\u201cIf a cyberattack leverages an infrastructure flaw to cause a prolonged IT outage that disrupts emergency care, lab results, or medication management, care slows down, negatively impacting patient outcomes,\u201d Weiss said.\u00a0<br \/>\nUnauthorized peering<br \/>\nMandiant, the incident response arm of Google Cloud, disclosed a March attack where a hacker exploited a zero-day vulnerability in Cisco Catalyst SD-WAN at a communications service provider to gain root-level access through a compromised administrative account. The vulnerability was later identified as CVE-2026-20245\u00a0and a patch was released.\u00a0<br \/>\nMandiant initially observed unauthorized peering connections to the service provider\u2019s SD-WAN devices starting in late 2025, noting the possibility the hacker exploited CVE-2026-20127 or CVE-2026-20182, which had not been disclosed or patched at the time. It was later determined that the targeted device was not affected by either of the prior vulnerabilities.\u00a0<br \/>\nResearchers said the March incident also involved unauthorized peering, which is the process of establishing a trusted digital connection between distinct network components, such as edge routers, regional hubs or central controllers. After gaining access, the hacker authenticated to the SD-WAN Manager and changed the password on the default administrator account.\u00a0<br \/>\nMandiant researchers said the hacker took numerous steps to cover up their forensic footprint, including deletion of all files created during the attack and restoring system configuration that were modified.\u00a0<br \/>\nIt is not immediately clear whether the hacker in the late 2025 incident and the March incident are the same.\u00a0<br \/>\n\u201cMandiant suspected it might be a zero-day during its initial investigation, but deeper forensic analysis was required to confirm the exploit of a new flaw,\u201d Pete Boonyakarn, senior cybersecurity consultant at Mandiant &#8211; Google Cloud, told Cybersecurity Dive.\u00a0\u00a0<\/p>\n<p>When critical vulnerabilities emerge repeatedly in wide-area network infrastructure, it puts immense pressure on health sector IT security teams and the stakes are high.<\/p>\n<p>Errol Weiss<br \/>\nCSO, Health ISAC<\/p>\n<p>Highly targeted<br \/>\nThe attacks against SD-WAN are not an entirely unique experience for Cisco, as the company\u2019s networking and security products have been among the most targeted in recent years.\u00a0<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency issued an emergency directive in September 2025 ordering federal civilian executive branch agencies to take immediate action to mitigate several vulnerabilities in Cisco devices.\u00a0<br \/>\nThe directive was linked to a sophisticated actor exploiting zero-day flaws in Cisco Adaptive Security Appliances and then further manipulating read-only memory to enable persistence that survived reboots. The same flaws were also discovered in Cisco Firepower devices.\u00a0<br \/>\nAt least 10 organizations globally had been compromised at the time of the disclosure, and that number was expected to increase over time.\u00a0<br \/>\nThe attacks were linked to a remote code execution flaw, tracked as CVE-2025-20333, and a privilege-escalation flaw tracked as CVE-2025-20362. The threat activity linked back to the Arcane Door campaign that began in early 2024.\u00a0<br \/>\nThe September incident drew the attention of Congress. In October 2025, Louisiana Sen. Bill Cassidy sent a letter to Cisco asking a list of specific questions about the potential impact on federal agencies and the larger public.\u00a0<br \/>\nCassidy, chair of the Senate Health, Education, Labor and Pensions Committee, said he was leading an investigation into the potential impact of cyber risk calling it a \u201cgrave national threat.\u201d\u00a0<br \/>\n\u201cAs the largest provider of network infrastructure in the world, Cisco holds a unique position in delivering not only to the federal government, but virtually all businesses,\u201d Cassidy wrote in the letter.\u00a0<br \/>\nSecurity governance<br \/>\nDespite its recent history of issues, Cisco is widely considered to be deliberate and thoughtful about the security of its products and the trust of its customers.\u00a0<br \/>\nThe company operates a Security and Trust Organization under the leadership of Chief Security and Trust Officer Anthony Grieco, according to the 2025 Cisco annual report. The company board of directors monitors cyber risk through an audit committee, and the committee meets with Grieco multiple times per year.\u00a0<br \/>\nThe board of directors and audit committee get more frequent updates in the event of cybersecurity incidents or threats. At the time the annual report was filed, Cisco did not believe its financial condition or operating results were materially impacted by cyber risk or any previously identified cyber issue.<br \/>\nProactive measures<br \/>\nCisco executives publicly acknowledged the rapidly changing threat landscape in recent years, and the company has programs designed to maintain the security of its product line.\u00a0\u00a0<br \/>\n\u201cWe have a red team that goes off and attacks our products proactively, trying to find vulnerabilities,\u201d Grieco said during a panel discussion last month at the Cisco Live conference in Las Vegas.<br \/>\nHowever, Cisco executives understood they could not afford to rely on traditional measures to stop modern day threats. Cisco has recently embraced frontier AI models to push the boundaries of vulnerability scanning to a scope and scale the best human testers cannot achieve alone.\u00a0<br \/>\nCisco was a founding member of Project Glasswing and participated in private testing of Anthropic\u2019s advanced Claude Mythos Preview.\u00a0<br \/>\nCisco used frontier AI to test 1.8 billion lines of code\u00a0over a period of eight weeks, Grieco said in a June blog post. He noted the work would have taken the company\u2019s security team about eight years to complete such a task.\u00a0<br \/>\nCisco officials understand that AI alone will not magically resolve all of their product vulnerabilities. Grieco said the company combined frontier LLMs with its own human-guided harness and was able to achieve a false positive rate of less than 3%.\u00a0<br \/>\n\u201cTrue AI-driven security is measured by actionable precision at scale, not by the count of vulnerabilities alone,\u201d Grieco noted in the blog post.\u00a0<br \/>\nThe company has unveiled key changes in how it announces and prioritizes vulnerability disclosure.\u00a0<br \/>\nStarting in July, Cisco moved to a twice-monthly disclosure model, beginning on the first and third Wednesday of each month, according to a blog post from Russ Smoak, Cisco\u2019s vice president of information security.\u00a0<br \/>\nThe company has also shifted its disclosure model to emphasize critical vulnerabilities that are actively exploited or flaws that pose the highest risk of becoming exploited, Smoak said.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sophisticated threat campaign pushes Cisco to the very edge https:\/\/www.cybersecuritydive.com\/news\/sophisticated-threat-campaign-pushes-cisco-to-the-very-edge\/824569\/ Publish Date: 2026-07-07 12:59:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":241087,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/spa3BmSnXqLeHcuj2aBRrKwdt5jpNlC6Ijn8t4RyvO0\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9jaXNjb19saXZlX3NpemVfYWRqXy1fMV85OURpRjBULmpwZWc=.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,31,35,34,27],"class_list":["post-241086","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-exploit","tag-hacker","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241086"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=241086"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241086\/revisions"}],"predecessor-version":[{"id":241088,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241086\/revisions\/241088"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/241087"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=241086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=241086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=241086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}