
Cisco ASA and IOS/IOS XE zero-day exploitation wave

Exploitation Wave
Happening score: 63
3 unique sources, 3 articles

Summary


The Cisco exploitation wave now also includes CVE-2025-20352 in Cisco IOS Software and Cisco IOS XE, which Trend Micro says Operation Zero Disco abused as a zero-day: the SNMP stack overflow was used to deploy Linux rootkits on older, unprotected systems. The attacks primarily targeted Cisco 9400, 9300, and legacy 3750G series devices, included modified Telnet exploitation attempts, and gave the attackers remote code execution and persistent unauthorized access through universal passwords and hooks placed in IOSd memory.

Related Happenings

Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)

Vulnerability
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: **Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...

Cisco ThousandEyes and Nexus security patches

Security Patch Release
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Cisco security patch release for CVE-2026-20188

Security Patch Release
First: 06.05.2026 21:06 Last: 06.05.2026 21:06 Sources 1

About this happening: **Cisco** released security updates for **CVE-2026-20188**, a high-severity **DoS vulnerability** in **Crosswork Network Controller (CNC)** and **Network Services Orchestrator (NS...

Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)

Vulnerability
First: 24.04.2026 20:06 Last: 24.04.2026 20:06 Sources 1

About this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...

Timeline

  1. 16.10.2025 21:13 1 article · 7mo ago

    Operation Zero Disco exploits Cisco IOS and IOS XE switches

    Exploitation Observed

    Trend Micro says attackers in Operation Zero Disco exploited CVE-2025-20352 in older Cisco IOS and IOS XE networking devices, including Cisco 9400, 9300, and legacy 3750G series devices, to deploy a Linux rootkit and gain persistent access; the activity also included attempts to abuse CVE-2017-3881 on Cisco switches lacking endpoint detection and response (EDR) solutions.

  2. 25.09.2025 22:22 2 articles · 8mo ago

    CISA issues Emergency Directive on Cisco ASA zero-days

    Legal Policy Action Update

    CISA issues an Emergency Directive on ongoing activity targeting Cisco Adaptive Security Appliances (ASA), saying a state-sponsored APT tied to ArcaneDoor is exploiting zero-day vulnerabilities to gain unauthenticated remote code execution and persist through reboot and system upgrade by manipulating ROM; the directive cites CVE-2025-20333, CVE-2025-20363, and CVE-2025-20362, and requires federal civilian agencies to disconnect end-of-support devices and upgrade remaining systems by 11:59 PM EST on September 26, 2025.

  3. 24.09.2025 03:00 2 articles · 8mo ago

    Cisco discloses CVE-2025-20352 in IOS and IOS XE

    Initial Disclosure

    Cisco discloses CVE-2025-20352, a CVSS 7.7 SNMP subsystem flaw in Cisco IOS Software and Cisco IOS XE that can enable authenticated remote code execution and denial of service when SNMP is enabled and the affected object ID is not excluded; Trend Micro estimates at least 2 million devices may be at risk, and Cisco urges customers to upgrade to a fixed release such as IOS XE 17.15.4a or apply the advisory mitigation by disabling affected object identifiers.
