PROMIT NOW · SECURITY DAILY · 2026-02-27

Cisco SD-WAN Zero-Day Exploited Since 2023, CISA Sounds Alarm

A maximum-severity Cisco SD-WAN zero-day (CVE-2026-20127) has been silently exploited since 2023 — CISA issued an emergency directive and Five Eyes partners published joint hunting guidance, signaling nation-state caliber activity. Simultaneously, a self-propagating npm worm (SANDWORM_MODE) is injecting itself into AI coding assistants via MCP server poisoning, and AI-driven vulnerability discovery just found 100 exploitable kernel LPE bugs for $600 while six major hardware vendors refuse to patch. If you run Cisco SD-WAN, AI coding tools, or Windows kernel drivers from AMD/Intel/NVIDIA/Dell/Lenovo/IBM — you are in the blast radius right now.

◆ INTELLIGENCE MAP

  1.

    Cisco SD-WAN Zero-Day: Multi-Year Nation-State Campaign

    act now

    CVE-2026-20127 chains with CVE-2022-20775 via software downgrade to give attackers persistent root access to SD-WAN infrastructure since 2023; CISA emergency directive demands immediate inventory, hunt, patch, and potential full rebuilds across all affected devices.

    4 sources
  2.

    AI Developer Toolchain Under Coordinated Attack

    act now

    SANDWORM_MODE npm worm targets AI coding assistants via MCP injection with polymorphic LLM-powered evasion; Claude Code CVEs enable RCE by opening a repo; malicious 'ambar-src' npm package hit 50K downloads in 3 days; and fake job-assessment repos deploy fileless backdoors against developers — the entire developer pipeline is under simultaneous multi-vector attack.

    6 sources
  3.

    Autonomous AI Agents: Exploding Enterprise Attack Surface

    monitor

    Perplexity Computer, Claude Cowork, and Cursor Cloud Agents all shipped persistent autonomous agents with full system access in a single week; 21,000 OpenClaw instances connected to Slack/Gmail/Drive with RCE flaws; and SaaS vendors are restricting AI agent data access — creating a new class of unmanaged, credential-bearing automated insiders that most security programs can't detect or govern.

    8 sources
  4.

    Critical Vulnerability Surge: 6 CVSS 10.0s and KEV Additions

    monitor

    Dell RecoverPoint hardcoded credentials (CVSS 10.0) and Roundcube RCE hit CISA KEV; SolarWinds Serv-U has 4 critical CVEs enabling unauthenticated admin creation and RCE; Cloud Hypervisor CVSS 10.0 breaks VM isolation; and Sandworm deployed DynoWiper against Polish energy infrastructure — expanding wiper operations to NATO allies.

    3 sources
  5.

    Chinese AI Ecosystem: Model Extraction, Supply Chain Weaponization, and Capability Proliferation

    background

    DeepSeek, Moonshot, and MiniMax used 24,000+ fake accounts to extract 16M queries from Claude; DeepSeek trained on smuggled Nvidia Blackwell GPUs violating export controls; three Chinese frontier models released in one week reaching near-parity with Western closed models; and Chinese state actors weaponized ChatGPT for influence operations targeting U.S. officials.

    5 sources

◆ DEEP DIVES

  1.

    Cisco SD-WAN Zero-Day: A 3-Year Nation-State Campaign Demands Emergency Response

    <h3>The Attack Chain</h3><p>A <strong>multi-year zero-day exploitation campaign</strong> targeting Cisco SD-WAN devices has been exposed through coordinated disclosure from CISA and Five Eyes intelligence partners. The campaign, active since <strong>at least 2023</strong>, chains two vulnerabilities to achieve persistent root access:</p><table><thead><tr><th>CVE</th><th>Type</th><th>Role</th><th>CVSS</th></tr></thead><tbody><tr><td>CVE-2026-20127</td><td>Authentication Bypass</td><td>Initial access to management plane</td><td>Maximum severity</td></tr><tr><td>CVE-2022-20775</td><td>Privilege Escalation</td><td>Root access via firmware downgrade</td><td>Known since 2022</td></tr></tbody></table><p>The <strong>software downgrade technique</strong> is the critical innovation. Even organizations that patched CVE-2022-20775 years ago are vulnerable — the attacker rolls firmware back to a vulnerable version after bypassing authentication. This renders traditional patch management insufficient and maps to <strong>MITRE ATT&CK T1601.001</strong> (Modify System Image).</p><h3>Cross-Source Corroboration</h3><p>Four independent intelligence sources confirm this threat. CISA issued an <strong>emergency directive</strong>. Five Eyes partners published joint threat-hunting guidance. Cisco described the actors as <strong>"highly sophisticated and disciplined"</strong> — language that signals nation-state attribution without naming the actor. VulnCheck's 2025 data provides macro context: of 40,000+ CVEs published, only ~1% were exploited in the wild, but <strong>network edge devices absorb disproportionate exploitation</strong>.</p><blockquote>Officials explicitly declined attribution, but Five Eyes coordination, federal network targeting, multi-year persistence, and the "highly sophisticated" descriptor are consistent with Chinese APT groups (Volt Typhoon, Salt Typhoon) that have previously targeted U.S. 
networking infrastructure for pre-positioning.</blockquote><h3>Compounding Factor: Volt Typhoon Never Left</h3><p>Dragos's 2026 Year in Review confirms that <strong>Volt Typhoon remains embedded in U.S. critical infrastructure</strong> despite the government's 2025 "mission accomplished" claims. A new access broker group called <strong>Sylvanite</strong> is conducting large-scale initial access operations targeting electricity, water, and oil/gas sectors across North America, Europe, the UK, and Guam — handing off access to groups including Volt Typhoon. Any critical infrastructure operator that relaxed monitoring based on 2025 government assurances now has a gap measured in months.</p><h3>The Blast Radius</h3><p>SD-WAN controllers manage traffic routing, encryption policies, and network segmentation across your entire WAN fabric. Admin access means an attacker can <strong>intercept traffic, modify routing, disable security policies, and move laterally</strong> across every connected site. Some compromised environments will require <strong>full system rebuilds</strong> — not just patching.</p>

    Action items

    • Inventory all Cisco SD-WAN devices (IOS XE SD-WAN, vEdge, cEdge) and check firmware versions against CISA's advisory within 24 hours
    • Execute threat hunt using Five Eyes published IOCs and TTPs — focus on firmware version anomalies, unexpected downgrade events, and anomalous management plane authentication going back to 2023
    • Apply CVE-2026-20127 patch and disable firmware downgrade capability where supported; implement firmware integrity verification (Secure Boot, image signing)
    • Prepare full rebuild plans and budget for any device showing IOCs — do not trust a patch to clean a rootkit
    • Re-engage Volt Typhoon/Sylvanite threat hunting across OT and IT environments using Dragos 2026 Year in Review TTPs and IOCs

    Sources: Governments issue warning over Cisco zero-day attacks dating back to 2023 · 0-Days Sold to Russian Broker, Serv-U RCEs, RoguePilot Flaw, FileZen Exploitation · @RISK® The Consensus Security Vulnerability Alert: Vol. 26, Num. 08 · Claude Code Flaws Exposed Devices to Silent Hacking · Srsly Risky Biz: Is Claude Too Woke For War?
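The hunt for "unexpected downgrade events" in the action items above can start from inventory history. The following is an added example, not code from CISA, Cisco or any source cited here: it flags any device whose software version moved backwards between polls. The CSV schema, device names and version strings are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one row per device per inventory poll (hypothetical schema).
SAMPLE_INVENTORY = """\
timestamp,device,version
2025-11-01T02:00:00Z,edge-nyc-01,20.9.4
2025-12-01T02:00:00Z,edge-nyc-01,20.9.5
2026-01-01T02:00:00Z,edge-nyc-01,20.6.3
2026-02-01T02:00:00Z,edge-nyc-01,20.9.5
2025-11-01T02:00:00Z,edge-lon-02,20.9.4
2026-01-01T02:00:00Z,edge-lon-02,20.12.1
2025-11-01T02:00:00Z,ctrl-sfo-01,20.9.4
2026-01-01T02:00:00Z,ctrl-sfo-01,20.9.4a
"""


def parse_version(text):
    """'20.12.1' -> (20, 12, 1). Compared numerically, so 20.12 > 20.9."""
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def load_snapshots(csv_text):
    """Group observations per device, oldest first."""
    per_device = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        per_device[row["device"]].append((when, row["version"].strip()))
    for observations in per_device.values():
        observations.sort(key=lambda obs: obs[0])
    return per_device


def find_downgrades(csv_text):
    """Return every step where a device's version went backwards.

    A device that was later brought back to a current release still yields a
    finding: the history, not the latest snapshot, is what is being hunted.
    """
    findings = []
    for device, observations in sorted(load_snapshots(csv_text).items()):
        for (_, v_prev), (t_cur, v_cur) in zip(observations, observations[1:]):
            if parse_version(v_cur) < parse_version(v_prev):
                findings.append({
                    "device": device,
                    "from": v_prev,
                    "to": v_cur,
                    "first_seen": t_cur.isoformat(),
                })
    return findings


if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_INVENTORY):
        print(f"DOWNGRADE {hit['device']}: {hit['from']} -> {hit['to']} "
              f"(first seen {hit['first_seen']})")
```

Comparing versions as strings would report the 20.9.4 to 20.12.1 upgrade as a downgrade, which is why the components are compared as integers.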

  2.

    Developer Toolchain Under Siege: NPM Worms, AI Coding Tool Exploits, and Supply Chain Poisoning

    <h3>Three Simultaneous Attack Vectors</h3><p>The developer pipeline is under coordinated, multi-vector attack. Three distinct campaigns are active simultaneously, each targeting a different link in the software supply chain:</p><h4>1. SANDWORM_MODE: Self-Propagating NPM Worm</h4><p>Socket's research team discovered <strong>19 malicious npm packages</strong> forming a purpose-built worm targeting the AI-native development environment. The kill chain is sophisticated:</p><ul><li><strong>Credential theft</strong> from Bitwarden, 1Password, LastPass browser extensions</li><li><strong>MCP server injection</strong> into Claude Code, Cursor, VS Code Continue, and Windsurf — embedding prompt injections that instruct AI assistants to exfiltrate SSH keys and AWS credentials during normal coding</li><li><strong>Polymorphic self-rewriting</strong> using local Ollama (deepseek-coder:6.7b) to defeat signature-based detection</li><li><strong>Dead switch</strong> that wipes the home directory if C2 connection is lost</li><li><strong>Propagation</strong> via stolen npm/GitHub tokens injecting dependencies into downstream repos</li></ul><h4>2. Claude Code RCE (CVE-2025-59536, CVE-2026-21852)</h4><p>Three vulnerabilities in Anthropic's Claude Code enable <strong>remote code execution and API key exfiltration when developers open malicious repositories</strong>. The attack abuses Hooks, MCP server configurations, and environment variables embedded in cloned repos. No code execution required — <strong>just opening the project is sufficient</strong>. This fundamentally shifts the developer threat model from "don't run untrusted code" to "don't open untrusted projects."</p><h4>3. 
Multi-OS Supply Chain via 'ambar-src'</h4><p>A typosquatting npm package impersonating <strong>ember-source</strong> accumulated ~50,000 downloads in three days, deploying OS-specific malware via preinstall hooks: encrypted shellcode on Windows, Golang reverse SSH on Linux, and Apfell/MythicAgents on macOS — all using <strong>Yandex Cloud Functions for C2 evasion</strong>.</p><h3>Converging Threat: Job-Themed Repository Lures</h3><p>Microsoft flagged a parallel campaign using <strong>fake "technical assessment" GitHub repositories</strong> to deliver fileless multi-stage backdoors. Repos use repeatable naming conventions and retrieve loader scripts from remote infrastructure during build. This TTP is consistent with <strong>DPRK-linked threat actors</strong> (Lazarus Group). A separate malicious NuGet package named <strong>'StripeApi'</strong> targets .NET developers in the financial sector.</p><blockquote>AI is simultaneously the attack surface, the attack tool, and the target. The developer who sees their AI assistant working normally doesn't know it's silently stealing secrets via injected MCP server prompts.</blockquote><h3>The Cline Precedent</h3><p>Cline's Claude-powered Issue Triage workflow was compromised via prompt injection in GitHub Actions. A threat actor <strong>stole the researcher's own PoC from a test repository</strong> and used it to attack Cline directly, obtaining VS Code Marketplace publication credentials. This establishes a new pattern: threat actors are actively monitoring security researchers' public work to weaponize findings in real-time.</p>

    Action items

    • Scan all npm lockfiles and CI/CD pipelines for the 19 known SANDWORM_MODE packages and 'ambar-src' immediately; treat any match as full compromise requiring secret rotation from a clean machine and system reimage
    • Update Claude Code to latest patched version and enforce repository trust policies — block automatic execution of Hooks and MCP server configurations from untrusted repositories
    • Inspect MCP server configurations in all AI coding assistants (Claude Code, Cursor, VS Code Continue, Windsurf) for unauthorized entries; check for unexpected Ollama installations and deepseek-coder:6.7b model downloads on developer machines
    • Issue developer advisory about fake job-assessment repos and malicious 'StripeApi' NuGet package; run 'dotnet list package' across all .NET projects; require external code evaluation in sandboxed VMs
    • Implement AI agent sandboxing — evaluate nono (kernel-level enforcement via Landlock/Seatbelt with Claude Code profiles) and Wardgate (credential isolation gateway) for development environments

    Sources: [tl;dr sec] #317 - 100+ Kernel Bugs in 30 Days, Secret Scanning, Threat Actors Stealing Your PoC · Manus Prompt Injection, CarGurus 12.M Leak, LLM-based Deanonymization · 0-Days Sold to Russian Broker, Serv-U RCEs, RoguePilot Flaw, FileZen Exploitation · 5 trends that should top CISO's RSA 2026 agendas · Claude Code Flaws Exposed Devices to Silent Hacking
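For the lockfile scan in the first action item above, here is an added example (not Socket's or any vendor's tooling) that walks both `package-lock.json` layouts and reports denylisted packages, including transitive and aliased installs. Only 'ambar-src' is on the denylist because the SANDWORM_MODE package names are not given on this page; the sample lockfiles are constructed.

```python
import json
import sys

# 'ambar-src' is named on this page. The SANDWORM_MODE package names are not,
# so add them here from the vendor advisory before scanning real repositories.
DENYLIST = {"ambar-src"}

# Constructed lockfiles; every name except ambar-src and ember-source is made up.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "version": "1.0.0"},
        "node_modules/ember-source": {"version": "5.4.0"},
        "node_modules/@acme/build-helper": {"version": "2.1.0"},
        "node_modules/@acme/build-helper/node_modules/ambar-src": {
            "version": "1.0.2", "hasInstallScript": True},
        # Alias install: the folder is ui-kit, the real package is in "name".
        "node_modules/ui-kit": {
            "name": "ambar-src", "version": "1.0.3", "hasInstallScript": True},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {"version": "1.3.0"},
        "toolkit": {"version": "2.0.0",
                    "dependencies": {"ambar-src": {"version": "1.0.1"}}},
    },
}


def walk_v1(deps, trail=()):
    """lockfileVersion 1 nests transitive dependencies under each parent."""
    for name, meta in deps.items():
        path = trail + (name,)
        yield name, meta, " > ".join(path)
        yield from walk_v1(meta.get("dependencies", {}), path)


def iter_locked_packages(lock):
    """Yield (name, metadata, location) for every package a lockfile pins."""
    if "packages" in lock:  # lockfileVersion 2 and 3
        for key, meta in lock["packages"].items():
            if key == "":
                continue  # the root project itself
            # Keys look like node_modules/a/node_modules/@scope/b; the package
            # name is whatever follows the last node_modules/ segment.
            name = meta.get("name") or key.rpartition("node_modules/")[2]
            yield name, meta, key
    else:  # lockfileVersion 1
        yield from walk_v1(lock.get("dependencies", {}))


def scan_lockfile(lock, denylist=DENYLIST):
    """Return one finding per denylisted package, wherever it is nested."""
    blocked = {name.lower() for name in denylist}
    findings = []
    for name, meta, location in iter_locked_packages(lock):
        if name.lower() in blocked:
            findings.append({
                "name": name,
                "version": meta.get("version"),
                "location": location,
                # Recorded by npm in v2/v3 lockfiles; absent in v1.
                "install_script": bool(meta.get("hasInstallScript", False)),
            })
    return findings


if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for hit in scan_lockfile(json.load(handle)):
                status = 1
                print(f"{path}: {hit['name']}@{hit['version']} at {hit['location']}")
    sys.exit(status)
```

Run it with lockfile paths as arguments in CI; a non-zero exit means at least one match, which the action item says to treat as full compromise.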

  3.

    Autonomous AI Agents Are Your Next Shadow IT Crisis — 21K Unmanaged Instances and Counting

    <h3>The Convergence</h3><p>In a single week, the AI industry crossed an inflection point that most security programs aren't equipped to handle. <strong>Perplexity Computer</strong> launched as a "general-purpose digital worker" that operates GUIs and claims to run for <strong>hours or months</strong>. <strong>Claude Cowork</strong> added scheduled tasks with a plugin architecture across engineering, design, and operations. <strong>Cursor Cloud Agents</strong> got dedicated VMs with full dev environments, shipping merge-ready PRs to GitHub via Slack. Anthropic acquired <strong>Vercept</strong> to enhance Claude's computer-use capabilities. And <strong>21,000 OpenClaw AI agent instances</strong> connected to Slack, Gmail, and Google Drive in just two weeks — with RCE vulnerabilities and leaked OAuth tokens — while most security teams had zero visibility.</p><h3>Why This Is Different From Traditional Shadow IT</h3><p>Computer-use AI agents break every assumption in your current security model:</p><table><thead><tr><th>Traditional Shadow IT</th><th>AI Agent Shadow IT</th></tr></thead><tbody><tr><td>Uses APIs with scoped tokens</td><td>Inherits user's full session — SSO tokens, browser cookies, application state</td></tr><tr><td>Generates API-level audit logs</td><td>Interacts via GUI clicks indistinguishable from human actions</td></tr><tr><td>Operates per-task</td><td>Runs persistently for hours to months</td></tr><tr><td>Requires explicit integration</td><td>Works with any application the user can access</td></tr><tr><td>Detectable by CASB</td><td>Your CASB can't distinguish agent clicks from human clicks</td></tr></tbody></table><h3>The SaaS Vendor Response Complicates Things</h3><p>Enterprise SaaS vendors are reacting defensively. Workday's CEO called third-party AI agent providers <strong>"parasites"</strong> and announced plans to restrict data access. HubSpot declared it will <strong>"monitor, meter, and monetize"</strong> all AI agent access. 
Google suspended accounts using OpenClaw. These vendor policy changes are effectively <strong>unannounced changes to your data flow architecture</strong> that your security team may not be consulted on — integrations could break, data could reroute, and monitoring gaps could emerge.</p><blockquote>A months-long autonomous agent session means credential rotation policies don't apply, behavioral baselines are invalid, and attributing actions to a responsible human becomes nearly impossible — creating compliance gaps across SOC 2, GDPR, and HIPAA.</blockquote><h3>The Systemic Trust-Boundary Failure</h3><p>The <strong>SilentBridge</strong> vulnerability family in Meta's Manus AI (CVSS 9.8) demonstrated that this isn't a vendor-specific bug — it's an <strong>architectural class of vulnerability</strong>. Researchers achieved Gmail data exfiltration, reverse shell with passwordless sudo escalation, and cross-tenant media access simply by having the agent "summarize this page" containing hidden instructions. Any agentic AI platform that processes untrusted content while holding privileged access is exposed.</p>

    Action items

    • Query your IdP (Entra ID, Google Workspace) for all OAuth app consents granted in the last 30 days — search specifically for OpenClaw, Perplexity, Claude Cowork, and Cursor agent connections to Slack, Gmail, and Drive; revoke unauthorized grants immediately
    • Publish an AI Agent Acceptable Use Policy defining approved agents, maximum session durations, mandatory security review requirements, and prohibited autonomous actions by end of this sprint
    • Require dedicated service accounts (not user credentials) for any approved AI agent, with enforced credential rotation shorter than standard policy, MFA re-authentication intervals, and behavioral baselining
    • Disable auto-merge for all AI-agent-generated pull requests; require explicit human approval and SAST scanning gates for agent-authored code
    • Establish security review process for Claude Cowork plugins and AI agent connectors — treat each as a new vendor integration requiring TPRM assessment before org-wide deployment

    Sources: Claude has some conflicts · Perplexity Computer, DeepSeek withholds v4, Cowork scheduled tasks · 0-Days Sold to Russian Broker, Serv-U RCEs, RoguePilot Flaw, FileZen Exploitation · Manus Prompt Injection, CarGurus 12.M Leak, LLM-based Deanonymization · agent vs SaaS · Applied AI: From 'Parasites' to 'SaaSquatch'

  4.

    Critical Patch Surge: 6 CVSS 10.0s, 2 KEV Additions, and Sandworm Expanding to NATO

    <h3>CISA KEV: Patch or Perish</h3><p>Two actively exploited vulnerabilities hit CISA's Known Exploited Vulnerabilities catalog this week, triggering mandatory patching under BOD 22-01:</p><table><thead><tr><th>CVE</th><th>Product</th><th>CVSS</th><th>Vulnerability</th><th>Fix</th></tr></thead><tbody><tr><td>CVE-2026-22769</td><td>Dell RecoverPoint for VMs</td><td><strong>10.0</strong></td><td>Hardcoded credentials</td><td>Upgrade to 6.0.3.1 HF1+</td></tr><tr><td>CVE-2025-49113</td><td>Roundcube Webmail</td><td>High</td><td>RCE via PHP deserialization</td><td>1.5.10+ or 1.6.11+</td></tr></tbody></table><p>Dell RecoverPoint's hardcoded credentials are particularly dangerous because <strong>backup infrastructure is a ransomware operator's primary target</strong> — compromising backup systems eliminates recovery options. Roundcube has been a repeated target of state-sponsored espionage groups including APT28 and Winter Vivern.</p><h3>The CVSS 10.0 Cluster</h3><p>Six maximum-severity vulnerabilities dropped in a single week — an extraordinary concentration:</p><ul><li><strong>CVE-2026-27211</strong> (Cloud Hypervisor): Guest-to-host file exfiltration via virtio-block — a <strong>multi-tenant cloud isolation failure</strong></li><li><strong>CVE-2025-12107</strong> (WSO2 Identity Server 5.11.0): Velocity template injection in your <em>authentication infrastructure</em></li><li><strong>Dell RecoverPoint</strong>, plus three others across enterprise software</li></ul><h3>SolarWinds Serv-U: Complete Compromise Chain</h3><p>Four new critical CVEs (<strong>CVE-2025-40538 through 40541</strong>) in SolarWinds Serv-U enable <strong>unauthenticated admin account creation followed by domain admin code execution</strong>. Given SolarWinds' history as a nation-state target, this is an especially high-priority patch. 
Multiple sources independently flagged this as critical.</p><h3>Sandworm Expands Wiper Operations to NATO</h3><p>ESET Research and CERT Polska attributed <strong>DynoWiper</strong> — deployed against Polish energy companies in late December 2025 — to infrastructure consistent with <strong>Russian APT Sandworm</strong> (GRU Unit 74455). This geographic expansion from Ukraine to Poland is a <strong>strategic escalation</strong>. DynoWiper is a simple 32-bit Windows executable with no packing, meaning signature-based detection is viable if you have the IOCs.</p><h3>AI-Powered Mass Exploitation: 600+ FortiGates, Zero CVEs</h3><p>A Russian-speaking actor used <strong>commercial AI toolkits</strong> to compromise over 600 FortiGate firewalls starting January 11, 2026 — without exploiting a single vulnerability. The attack vector: <strong>exposed management ports, weak passwords, no MFA</strong>. AWS's security team reported the campaign. This is a paradigm shift in threat economics: the barrier to mass exploitation just dropped to near zero for any actor willing to pay for commercial AI tools.</p><blockquote>AI just made finding kernel 0-days cheaper than a nice dinner — researchers found 100 exploitable kernel LPE bugs across AMD, Intel, NVIDIA, Dell, Lenovo, and IBM drivers for $600 total, and only Fujitsu has patched.</blockquote>

    Action items

    • Patch Dell RecoverPoint (CVE-2026-22769) and Roundcube Webmail (CVE-2025-49113) within 24 hours — both are confirmed exploited and on CISA KEV
    • Patch SolarWinds Serv-U (CVE-2025-40538 through 40541) and GitHub Enterprise Server (CVE-2026-0573, CVSS 9.0) within 48 hours
    • Audit all FortiGate devices for exposed management interfaces, enforce MFA on all admin access, rotate credentials, and review logs from January 11 onward
    • Request DynoWiper IOCs from ESET/CERT Polska and deploy detection rules if you operate in European energy, critical infrastructure, or defense sectors; hunt against 90 days of historical telemetry
    • Inventory Windows kernel drivers from AMD, Intel, NVIDIA, Dell, Lenovo, and IBM; implement WDAC driver allowlisting to block unsigned or vulnerable versions

    Sources: @RISK® The Consensus Security Vulnerability Alert: Vol. 26, Num. 08 · 0-Days Sold to Russian Broker, Serv-U RCEs, RoguePilot Flaw, FileZen Exploitation · [tl;dr sec] #317 - 100+ Kernel Bugs in 30 Days, Secret Scanning, Threat Actors Stealing Your PoC · Srsly Risky Biz: Is Claude Too Woke For War? · 5 trends that should top CISO's RSA 2026 agendas

◆ QUICK HITS

  • ShinyHunters breached CarGurus (12.5M accounts) and Wynn Resorts via social engineering and Oracle PeopleSoft exploitation — audit PeopleSoft credentials and enforce MFA on admin accounts

    Manus Prompt Injection, CarGurus 12.M Leak, LLM-based Deanonymization

  • TOAD phishing (phone-number-only payloads impersonating PayPal/DocuSign) now accounts for 28% of all email gateway bypasses with 1,400+ unique evasion combinations — deploy phone-number extraction detection rules

    Manus Prompt Injection, CarGurus 12.M Leak, LLM-based Deanonymization

  • Anthropic abandoned its flagship safety commitment to halt model training when capabilities outpace safeguards, under Pentagon pressure over a $200M contract — re-evaluate Claude in your vendor risk register

    Srsly Risky Biz: Is Claude Too Woke For War?

  • DeepSeek, Moonshot, and MiniMax used 24,000+ fake accounts to extract 16M queries from Claude in one week — audit your own AI API endpoints for coordinated extraction patterns

    AI News Weekly - Issue #467

  • Scattered LAPSUS$ Hunters (SLH) is paying $500–$1,000 per call to recruit women specifically for IT help desk vishing — implement callback verification and out-of-band MFA for all sensitive account actions

    0-Days Sold to Russian Broker, Serv-U RCEs, RoguePilot Flaw, FileZen Exploitation

  • Microsoft Semantic Kernel Python SDK has a CVSS 9.9 RCE (CVE-2026-26030) in InMemoryVectorStore — update to version 1.39.4+ and add AI/ML SDKs to your AppSec scanning scope

    @RISK® The Consensus Security Vulnerability Alert: Vol. 26, Num. 08

  • TruffleHog weaponized by threat actors in 3 campaigns including 570GB stolen from Red Hat — deploy CloudTrail detection for GetCallerIdentity calls with 'TruffleHog' user-agent

    [tl;dr sec] #317 - 100+ Kernel Bugs in 30 Days, Secret Scanning, Threat Actors Stealing Your PoC

  • North Korean fake IT worker campaigns now operate with formal org structures, quarterly performance tracking, and synthetic ID generation from Beijing — cross-reference contractor pipeline against GitLab's published IOCs

    [tl;dr sec] #317 - 100+ Kernel Bugs in 30 Days, Secret Scanning, Threat Actors Stealing Your PoC

  • Fake Zoom meeting popups are deploying surveillance malware by exploiting the universal 'fix your connection' troubleshooting reflex — push employee awareness alert with specific scenario details

    The browser is your database: Local-first comes of age

  • US sanctioned Russian exploit broker Operation Zero while a defense contractor was jailed for selling exploits to Russia — the exploit market is being squeezed but may push activity underground

    Claude Code Flaws Exposed Devices to Silent Hacking
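The CloudTrail detection suggested in the TruffleHog quick hit above, as an added example (not from any cited source): it filters `GetCallerIdentity` events whose user agent contains "TruffleHog" and groups them by access key so each key can be rotated. The log records, account ID, key ID and IP addresses are constructed, and the case-insensitive substring match on the user agent is an assumption about how the string appears.

```python
import json

# Constructed CloudTrail log file; account ID, ARNs, key IDs and IPs are examples.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-02-20T03:14:07Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "TruffleHog",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-02-20T03:10:55Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userAgent": "TruffleHog",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    # Benign: the same API call from an ordinary CLI session.
    {"eventTime": "2026-02-20T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]})


def is_trufflehog_identity_check(record):
    """True for an STS GetCallerIdentity call made with a TruffleHog user agent."""
    return (
        record.get("eventSource") == "sts.amazonaws.com"
        and record.get("eventName") == "GetCallerIdentity"
        and "trufflehog" in (record.get("userAgent") or "").lower()
    )


def keys_validated_by_scanner(log_text):
    """Group matching events by access key: each key listed needs rotation."""
    hits = {}
    for record in json.loads(log_text).get("Records", []):
        if not is_trufflehog_identity_check(record):
            continue
        identity = record.get("userIdentity", {})
        key_id = identity.get("accessKeyId", "unknown")
        entry = hits.setdefault(key_id, {
            "principal": identity.get("arn"),
            "calls": 0,
            "first_seen": record["eventTime"],
            "source_ips": set(),
        })
        entry["calls"] += 1
        # ISO-8601 UTC timestamps in one format sort correctly as strings.
        entry["first_seen"] = min(entry["first_seen"], record["eventTime"])
        entry["source_ips"].add(record.get("sourceIPAddress"))
    return {key: {**info, "source_ips": sorted(info["source_ips"])}
            for key, info in hits.items()}


if __name__ == "__main__":
    for key_id, info in keys_validated_by_scanner(SAMPLE_LOG).items():
        print(f"{key_id} ({info['principal']}): {info['calls']} call(s) "
              f"since {info['first_seen']} from {', '.join(info['source_ips'])}")
```

The user agent is set by the caller, so a match is a strong signal but an empty result does not show that no key was tested.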

BOTTOM LINE

Your Cisco SD-WAN may have been owned since 2023 by a nation-state actor using a firmware downgrade trick, a self-propagating npm worm is injecting itself into your developers' AI coding assistants to steal credentials in real time, 21,000 unvetted AI agent instances just connected to enterprise Slack and Gmail with RCE flaws, and six CVSS 10.0 vulnerabilities dropped in a single week while Sandworm expanded wiper operations to NATO energy infrastructure — this is a patch-hunt-purge week, not a monitor-and-wait week.

Frequently asked

Why isn't patching CVE-2026-20127 enough to secure Cisco SD-WAN devices?
Because the attack chain uses a firmware downgrade technique (CVE-2022-20775) that rolls devices back to vulnerable versions after the authentication bypass. Even fully patched devices are exposed unless you also enable firmware integrity verification (Secure Boot, image signing) and disable downgrade capability. Devices with IOCs should be rebuilt from clean images, not patched in place, since root-level persistence breaks the trust chain.
How does the SANDWORM_MODE npm worm compromise AI coding assistants?
It injects malicious MCP server configurations into Claude Code, Cursor, VS Code Continue, and Windsurf, embedding prompt injections that instruct the AI to exfiltrate SSH keys and AWS credentials during normal coding sessions. It also steals credentials from browser password manager extensions, uses local Ollama models to polymorphically rewrite itself, and propagates via stolen npm/GitHub tokens. A dead switch wipes the home directory if C2 is lost.
What makes AI agent shadow IT harder to detect than traditional unsanctioned SaaS?
AI agents inherit the user's full authenticated session — SSO tokens, cookies, application state — and interact through GUI clicks that are indistinguishable from human actions in audit logs. They run persistently for hours or months rather than per-task, work with any application the user can access, and evade CASB detection because there's no distinct API traffic signature. Traditional scoped-token and behavioral baseline controls don't apply.
Why should FortiGate operators be concerned when no CVE was exploited in the recent campaign?
Because a Russian-speaking actor used commercial AI toolkits to compromise 600+ FortiGates starting January 11, 2026, purely by targeting exposed management ports, weak passwords, and missing MFA. Patching provides no protection against this class of attack — only hygiene does. It signals that AI has collapsed the cost of mass credential-based exploitation, so any internet-exposed admin interface without MFA is now a near-term target.
What should I do about the 100 unpatched kernel LPE bugs in AMD, Intel, NVIDIA, Dell, Lenovo, and IBM drivers?
Implement Windows Defender Application Control (WDAC) driver allowlisting to block unsigned or known-vulnerable driver versions, since six of the seven notified vendors have refused to patch. Inventory all kernel drivers from these vendors across your fleet and treat this as a sustained architectural gap rather than a patch cycle. Only Fujitsu has issued fixes, so compensating controls are the only durable protection.
