Cisco network-device rootkit campaign
Campaign
Summary
Hide ▲
Show ▼
A Cisco network-device rootkit campaign is exploiting CVE-2025-20352 and a modified CVE-2017-3881 Telnet flaw to gain persistent, unauthorized access on exposed devices. The operation matters because it can hide changes, bypass authentication, and survive long enough to enable follow-on movement across Cisco 9400, 9300, and 3750G environments. It has also been observed against older Linux hosts, showing a multi-stage access path rather than a one-off exploit.
Cases
Related Happenings
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
Vulnerability
H score60
First: 05.06.2026 09:24
Last: 05.06.2026 09:24
Sources 1
About this happening:
**CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
VulnerabilityAbout this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Latest development: 06.06.2026 07:19
Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.
Cisco Unified CM SSRF root-privilege flaw (CVE-2026-20230)
Vulnerability
H score49
First: 04.06.2026 14:09
Last: 04.06.2026 14:09
Sources 1
About this happening:
**CVE-2026-20230** exposes **Cisco Unified CM** systems with **WebDialer enabled** to remote **SSRF** abuse that can lead to **root-level compromise**. The flaw can be triggered w...
Cisco Unified CM SSRF root-privilege flaw (CVE-2026-20230)
VulnerabilityAbout this happening: **CVE-2026-20230** exposes **Cisco Unified CM** systems with **WebDialer enabled** to remote **SSRF** abuse that can lead to **root-level compromise**. The flaw can be triggered w...
Latest development: 26.06.2026 22:43
Cisco released a patch for CVE-2026-20230 in Cisco Unified Communications Manager Server and warned that the critical server-side request forgery flaw could be exploited remotely and without authentication via specially crafted HTTP requests.
Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)
Vulnerability
H score60
First: 14.05.2026 23:09
Last: 14.05.2026 23:09
Sources 1
About this happening:
**CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...
Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)
VulnerabilityAbout this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...
Latest development: 14.05.2026 23:25
Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
H score88
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
Cisco security patch release for CVE-2026-20184
Security Patch Release
H score44
First: 16.04.2026 14:27
Last: 16.04.2026 14:27
Sources 1
About this happening:
**Cisco** released patches for **four critical flaws** affecting **Identity Services Engine (ISE)**, **ISE-PIC**, and **Webex Services**, closing paths to **arbitrary code executi...
Cisco security patch release for CVE-2026-20184
Security Patch ReleaseAbout this happening: **Cisco** released patches for **four critical flaws** affecting **Identity Services Engine (ISE)**, **ISE-PIC**, and **Webex Services**, closing paths to **arbitrary code executi...
Timeline
-
16.10.2025 18:00 2 articles · 8mo ago
Cisco SNMP rootkit campaign disclosed
Initial DisclosureA Cisco network-device rootkit campaign used CVE-2025-20352 against exposed Cisco SNMP services to install Linux rootkits, embed hooks into IOSd memory, and create a universal password based on “disco” for persistent unauthorized access; the same activity also used a modified Telnet flaw based on CVE-2017-3881, a UDP controller, and memory-access techniques that concealed configuration changes on Cisco 9400 series, 9300 series, and legacy 3750G devices.
Show sources
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00
- New Rootkit Campaign Exploits Cisco SNMP Flaw to Gain Persistence — www.infosecurity-magazine.com — 16.10.2025 18:00