Internet-Scale Scanning and Exploitation Pressure on Edge Network Devices (Cisco SD-WAN, SonicWall SSL VPN)
Security monitoring and reporting highlighted escalating attacker focus on internet-exposed edge infrastructure, including active exploitation of a maximum-severity Cisco SD-WAN flaw and large-scale reconnaissance against SonicWall firewalls. Cisco disclosed CVE-2026-20127 (CVSS 10.0) affecting Cisco Catalyst SD-WAN Controller (vSmart) and Catalyst SD-WAN Manager (vManage), describing in-the-wild exploitation dating back to 2023 that enables unauthenticated authentication bypass leading to administrative privileges via crafted requests; Cisco attributes discovery to ASD-ACSC and tracks related activity as UAT-8616.
Separately, GreyNoise-tracked activity showed a coordinated scanning campaign against SonicWall SonicOS devices using 4,000+ unique IPs to enumerate targets—primarily probing a SonicOS REST API endpoint used to determine whether SSL VPN is enabled (a common precursor to follow-on credential attacks and exploitation). The campaign generated 84,142 scanning sessions over a four-day window and was assessed as a continuation/escalation of similar late-2025 scanning that targeted both Palo Alto and SonicWall VPN infrastructure, reinforcing the likelihood of an impending exploitation wave against exposed and unpatched perimeter devices.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA issues emergency directive over Cisco SD-WAN flaw
Following reports of active exploitation of the maximum-severity Cisco Catalyst SD-WAN Controller flaw CVE-2026-20127, CISA issued an emergency directive. The directive reflected the severity of the unauthenticated authentication-bypass issue and the risk to affected environments.
Anthropic Claude Code flaws disclosed
Check Point Research disclosed critical vulnerabilities in Anthropic's Claude Code that could allow remote code execution and theft of API keys through malicious project configurations. The issues were highlighted publicly in threat reporting on March 2, 2026.
Cisco SD-WAN zero-day reportedly exploited for years
Reporting in early March 2026 said the critical Cisco Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20127, had been actively exploited for years. Cisco associated related activity with threat cluster UAT-8616.
GreyNoise observes large-scale SonicWall SonicOS scanning
Between February 22 and February 25, 2026, GreyNoise recorded 84,142 scanning sessions from 4,305 unique IP addresses across 20 autonomous systems targeting internet-exposed SonicWall SonicOS devices. Most activity probed a REST API endpoint used to determine whether SSL VPN was enabled, suggesting target selection ahead of exploitation.
Mass scanning campaign targets VPN infrastructure
In December 2025, a reconnaissance campaign conducted millions of scans against Palo Alto and SonicWall VPN infrastructure using shared client fingerprints. Later reporting linked the February 2026 SonicWall activity to this earlier campaign as an escalation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
2nd March - Threat Intelligence Report - Check Point Research
research.checkpoint.com
Open source⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More
thehackernews.com
Open sourceHackers Attacking SonicWall Firewalls from 4,000+ unique IP Addresses to Exploit Vulnerabilities
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Cisco SD-WAN Vulnerabilities Beyond CVE-2026-20127
Researchers warned that defenders may be underestimating the risk from **Cisco SD-WAN** flaws beyond the widely publicized zero-day `CVE-2026-20127`, particularly **`CVE-2026-20133`**, a high-severity issue tied to inadequate file system access restrictions. VulnCheck reported that public attention and detection efforts have focused too narrowly on `CVE-2026-20127`, even though proof-of-concept activity attributed to that bug appears to affect other vulnerabilities, including `CVE-2026-20133`, `CVE-2026-20128`, and `CVE-2026-20122`. Defused researchers said their telemetry supports that assessment, indicating that `CVE-2026-20127` is generating heavy automated noise while activity involving `CVE-2026-20133`, if present, is likely quieter and easier to miss. Broader reporting indicates the SD-WAN issue is part of a larger pattern of **active exploitation across Cisco edge infrastructure**, with multiple recently disclosed SD-WAN and firewall vulnerabilities already exploited in the wild. CyberScoop reported that five of nine Cisco flaws disclosed across firewalls and SD-WAN systems in recent weeks have seen exploitation, including two SD-WAN zero-days abused for years before discovery and three additional SD-WAN defects later confirmed under attack. The reporting also noted exploitation of a maximum-severity Cisco firewall management flaw by **Interlock ransomware**, underscoring that attackers are targeting management-plane and control-plane weaknesses in network-edge products that often serve as enterprise trust anchors.
Apr 22, 2026
Coordinated Reconnaissance and Exploitation Activity Targeting Edge VPN Appliances
CISA issued updated technical details on **RESURGE**, a stealthy implant used in zero-day intrusions of **Ivanti Connect Secure** appliances via **CVE-2025-0282**. The malware (a 32-bit Linux shared object, `libdsupgrade.so`) is designed for long-term persistence and covert access, with capabilities described as including rootkit/bootkit-style functionality, credential theft via webshells, account manipulation, privilege escalation, and tunneling/proxying. CISA highlighted that RESURGE can remain **dormant** and evade detection by acting as a *passive* C2: rather than beaconing out, it waits for specific inbound TLS connections and, when loaded under the `web` process, hooks `accept()` to inspect TLS packets and only activate on attacker-identified traffic (using a CRC32-based TLS fingerprinting approach); non-matching traffic is passed through to the legitimate service. Reporting cited Mandiant’s attribution of the early exploitation activity to a China-linked actor tracked as **UNC5221**, with zero-day exploitation reported since mid-December 2024. Separately, GreyNoise reported a large-scale **reconnaissance campaign** against **SonicWall SonicOS/SSL VPN** infrastructure (84,142 scanning sessions over several days) focused primarily on enumerating whether SSL VPN is enabled by probing a single API endpoint—behavior consistent with pre-attack target mapping rather than immediate CVE exploitation. The activity came from thousands of IPs across multiple ASNs and included heavy use of **commercial proxy** infrastructure (rotating exits) in short, concentrated bursts, a pattern GreyNoise assessed as coordinated and operationally segmented. GreyNoise assessed this recon as a precursor to credential-based intrusion and ransomware operations frequently associated with edge VPN access (citing **Akira** and **Fog** as examples), and noted broad internet exposure and a meaningful population of devices running vulnerable or unsupported firmware—conditions that increase the likelihood that reconnaissance will translate into follow-on compromise attempts.
Mar 21, 2026
Coordinated Attacks and Zero-Day Exploitation Targeting Cisco, Palo Alto, and Fortinet Network Devices
A coordinated cyberattack campaign has been identified targeting major networking devices from Cisco, Palo Alto Networks, and Fortinet, with evidence suggesting a single threat actor is orchestrating the activity. Security researchers at GreyNoise observed simultaneous scanning of Cisco ASA devices, increased login attempts against Palo Alto Networks portals, and brute-force attacks on Fortinet SSL VPNs, all originating from shared subnets and exhibiting recurring TCP fingerprints. This temporal and infrastructural correlation points to a sophisticated, cross-vendor campaign rather than opportunistic attacks. Experts note that adversaries are leveraging generative AI to automate these attacks, adopting tactics typically associated with nation-state actors. The campaign is notable for its focus on high-value targets such as networking devices and VPNs, which serve as critical gateways into enterprise networks and often possess privileged access that can bypass internal security controls. Industries such as manufacturing, industrials, and utilities are particularly at risk due to the potential for operational disruption and rapid financial gain for attackers. Concurrently, Cisco disclosed two zero-day vulnerabilities in its ASA and Secure Firewall Threat Defense software, identified as CVE-2025-20333 and CVE-2025-20362, which are being actively exploited in the wild. CVE-2025-20333 allows authenticated remote code execution due to improper input validation in the VPN web server, potentially granting attackers root-level access. CVE-2025-20362 is an authentication bypass flaw that enables remote attackers to access restricted endpoints without credentials. The combination of these vulnerabilities poses a severe risk, as attackers can gain full control of affected devices. Cisco’s Product Security Incident Response Team (PSIRT) has confirmed ongoing exploitation and is collaborating with government agencies to coordinate a response. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, urging all federal agencies to immediately mitigate exposure and assess for compromise. Over 90,000 Cisco FTD devices are reportedly exposed, highlighting the scale of the threat. Attackers are conducting large-scale scanning campaigns to identify vulnerable ASA login portals and entry points. Security experts emphasize the urgent need for organizations to inventory their Cisco ASA and FTD devices, apply available patches, and implement recommended mitigations. The campaign’s use of shared infrastructure and advanced automation underscores a shift in attacker methodology toward more efficient and targeted operations. The strategic targeting of network infrastructure devices reflects their critical role in enterprise security and the high impact of successful compromise. Organizations are advised to monitor for signs of compromise, follow vendor and government guidance, and prioritize remediation of affected systems. The ongoing nature of the attacks and the active exploitation of zero-day vulnerabilities make this a critical threat to enterprise and government networks worldwide.
Mar 21, 2026