MalwareExploits 3 CVEs

KScan

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

3 CVES

CVE-2026-20128Credential Disclosure in Cisco Catalyst SD-WAN Manager Data Collection AgentExploited in the wild

Cisco Talos said it observed multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026. The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device. They were added to the CISA's KEV catalog last month. The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems.

via the hacker newsthehackernews.com

CVE-2026-20122Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager APIExploited in the wild

via the hacker newsthehackernews.com

CVE-2026-20133Sensitive Information Exposure in Cisco Catalyst SD-WAN ManagerExploited in the wild

via the hacker newsthehackernews.com

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1059Command and Scripting InterpreterEvidence1

Multiple post-exploitation tooling clusters have been identified, including deployments of Godzilla webshell, AdaptixC2, Sliver C2, XMRig miners, the KScan asset mapping tool, a NimPlant-based Nim backdoor

Credential Access

1 technique

T1110Brute ForceEvidence1

It can perform automatic brute-force cracking and brute-force RDP.

Discovery

2 techniques

T1046Network Service DiscoveryEvidence1

The first tool is KScan, an asset mapping tool, that can port scan, TCP fingerprint, capture banners for specified assets, and obtain as much port information as possible without sending more packets.

T1082System Information DiscoveryEvidence1

Cluster 8 ... deploys the KScan asset mapping tool and Nim-based backdoor that's likely based on NimPlant and comes with capabilities to perform file operations, execute files using bash, and collect system information

Lateral Movement

1 technique

T1021.001Remote Desktop ProtocolEvidence1

It can perform automatic brute-force cracking and brute-force RDP.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

talos intelligence blogNews

May 14, 2026

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

An asset mapping and offensive scanning tool capable of port scanning, TCP fingerprinting, banner capture, and brute-force functions including RDP brute force.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities3

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.