Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
Campaign
Summary
An active campaign used unauthorized peering connections and SSH access to maintain footholds inside a service provider's Cisco Catalyst SD-WAN environment, increasing the risk of stealthy control-plane access. Activity was observed from late 2025 into March 2026, suggesting a persistent operation rather than a one-off event. The operator used that access to change default account passwords and evade detection. The campaign matters because SD-WAN control planes can provide wide-scale access to internal enterprise traffic.
Related Happenings
Cisco security patch release for CVE-2026-20245
Security Patch Release
H score: 38
First: 25.06.2026 00:29
Last: 25.06.2026 00:29
Sources: 1
How related:
The tech giant started releasing Catalyst SD-WAN Manager updates with the CVE-2026-20245 fix on June 10.
About this happening:
Cisco released **security updates** for **Cisco Catalyst SD-WAN** after **CVE-2026-20245** was linked to root-level command execution, and customers were told to move to fixed sof...
CISA adds CVE-2026-20262 to KEV and orders federal fixes
Public Sector Action
H score: 32
First: 16.06.2026 09:05
Last: 16.06.2026 09:05
Sources: 1
About this happening:
**CISA** added **CVE-2026-20262** to its **Known Exploited Vulnerabilities (KEV) catalog** and required **Federal Civilian Executive Branch (FCEB)** agencies to apply Cisco's fixe...
Cisco Catalyst SD-WAN Manager actively exploited file upload overwrite flaw (CVE-2026-20262)
Vulnerability
H score: 24
First: 15.06.2026 20:12
Last: 15.06.2026 20:12
Sources: 1
About this happening:
**Cisco Catalyst SD-WAN Manager** was patched for **CVE-2026-20262** after attackers used it to **create or overwrite files** and **escalate to root** across **all deployment type...
Cisco security patch release for CVE-2026-20262
Security Patch Release
H score: 47
First: 15.06.2026 20:12
Last: 15.06.2026 20:12
Sources: 1
About this happening:
**Cisco** released **security updates** for **CVE-2026-20262** in **Catalyst SD-WAN Manager**, covering multiple release trains after the zero-day was exploited to reach **root pr...
Velvet Ant Linux login-layer persistence campaign
Campaign
H score: 41
First: 12.06.2026 21:17
Last: 12.06.2026 21:17
Sources: 1
About this happening:
A **Velvet Ant** campaign was uncovered that quietly maintained access by backdooring **Linux PAM and OpenSSH** components, putting credential capture and command logging inside t...
Timeline
- 25.06.2026 17:15 · 2 articles · 2h ago
Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
Initial Disclosure: From **late 2025 to January 2026**, repeated unauthorized peering connections were observed against a service provider's SD-WAN Manager devices. The activity later reappeared in **March 2026**, indicating continued access attempts.
- Cisco Vulnerability Exploited Months Before Disclosure, Google Warns — www.infosecurity-magazine.com — 25.06.2026 17:15