Find notable cyber news and cases, enriched with sources, timelines, and signals.

Cisco network-device rootkit campaign

Campaign
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

A Cisco network-device rootkit campaign is exploiting CVE-2025-20352 and a modified CVE-2017-3881 Telnet flaw to gain persistent, unauthorized access on exposed devices. The operation matters because it can hide changes, bypass authentication, and survive long enough to enable follow-on movement across Cisco 9400, 9300, and 3750G environments. It has also been observed against older Linux hosts, showing a multi-stage access path rather than a one-off exploit.

Cases

Related Happenings

Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)

Vulnerability
H score60 First: 05.06.2026 09:24 Last: 05.06.2026 09:24 Sources 1

About this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...

Latest development: 06.06.2026 07:19

Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.

Cisco Unified CM SSRF root-privilege flaw (CVE-2026-20230)

Vulnerability
H score49 First: 04.06.2026 14:09 Last: 04.06.2026 14:09 Sources 1

About this happening: **CVE-2026-20230** exposes **Cisco Unified CM** systems with **WebDialer enabled** to remote **SSRF** abuse that can lead to **root-level compromise**. The flaw can be triggered w...

Latest development: 26.06.2026 22:43

Cisco released a patch for CVE-2026-20230 in Cisco Unified Communications Manager Server and warned that the critical server-side request forgery flaw could be exploited remotely and without authentication via specially crafted HTTP requests.

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
H score60 First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)

Vulnerability
H score88 First: 24.04.2026 20:06 Last: 24.04.2026 20:06 Sources 1

About this happening: **Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...

Cisco security patch release for CVE-2026-20184

Security Patch Release
H score44 First: 16.04.2026 14:27 Last: 16.04.2026 14:27 Sources 1

About this happening: **Cisco** released patches for **four critical flaws** affecting **Identity Services Engine (ISE)**, **ISE-PIC**, and **Webex Services**, closing paths to **arbitrary code executi...

Timeline

  1. 16.10.2025 18:00 2 articles · 8mo ago

    Cisco SNMP rootkit campaign disclosed

    Initial Disclosure

    A Cisco network-device rootkit campaign used CVE-2025-20352 against exposed Cisco SNMP services to install Linux rootkits, embed hooks into IOSd memory, and create a universal password based on “disco” for persistent unauthorized access; the same activity also used a modified Telnet flaw based on CVE-2017-3881, a UDP controller, and memory-access techniques that concealed configuration changes on Cisco 9400 series, 9300 series, and legacy 3750G devices.

    Show sources