Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of multiple critical vulnerabilities across several Cisco products—specifically calling out Cisco Secure Firewall (including Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD)) and Cisco Catalyst SD-WAN Manager—and stated that some vulnerabilities are being actively exploited, urging immediate patching. The advisory lists a broad set of weakness classes including authentication bypass (CWE-288/CWE-287), deserialization of untrusted data (CWE-502), buffer overflow (CWE-120), SQL injection (CWE-89), and sensitive information exposure (CWE-200), and highlights multiple CVEs including CVE-2026-20079 and CVE-2026-20131 with CVSS 10.0.
A separate advisory from the Center for Internet Security (CIS) also reported multiple vulnerabilities in Cisco products that could enable remote code execution, enumerating a large set of related CVEs (including CVE-2026-20001, CVE-2026-20002, CVE-2026-20003, and CVE-2026-20039). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Authorities and security organizations warn that some Cisco flaws are actively exploited
On the same day, Belgium's CCB Safeonweb warned about multiple critical Cisco vulnerabilities and urged immediate patching, noting that some were being actively exploited. CIS also issued an advisory aggregating the affected CVEs and Cisco security notices for defenders.
Cisco discloses multiple critical vulnerabilities across several products
Cisco published a set of security advisories covering multiple vulnerabilities in products including Cisco Secure Firewall and Cisco Catalyst SD-WAN Manager. The advisories referenced issues such as remote code execution, authentication bypass, SQL injection, command injection, directory traversal, cross-site scripting, and denial-of-service flaws.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Warning: Multiple critical vulnerabilities in several Cisco products, including Cisco Secure Firewall and Cisco Catalyst SD-WAN Manager. Some are being actively exploited, Patch Immediately! | CCB Safeonweb
ccb.belgium.be
Open sourceMultiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution
cisecurity.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco Patches Critical Firewall Management RCE Vulnerabilities
Cisco released emergency fixes for two **critical (CVSS 10.0)** vulnerabilities in its firewall management software that could allow **remote, unauthenticated attackers** to execute code and gain **root-level** access to the underlying operating system. The issues are tracked as `CVE-2026-20079` and `CVE-2026-20131`, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs. Available reporting stated there were **no confirmed in-the-wild exploitation** reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).
Mar 21, 2026
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
Mar 21, 2026
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
Mar 21, 2026