CISA Orders Hunt for Cisco Device Compromise as New Exploited CVEs Mount
CISA issued Emergency Directive 25-03 ordering federal civilian agencies to identify and mitigate potential compromise of Cisco devices, then followed with supplemental guidance covering core-dump collection and threat-hunting steps. The directive indicates concern that Cisco infrastructure may already have been breached and requires agencies to validate device integrity, investigate for signs of compromise, and take remediation actions to reduce ongoing risk.
At the same time, CISA continued expanding its Known Exploited Vulnerabilities catalog with numerous newly listed flaws, including CVE-2026-33634, CVE-2026-5281, CVE-2026-32201, CVE-2026-3502, CVE-2026-33017, CVE-2026-20131, CVE-2026-3909, CVE-2026-1603, CVE-2026-21385, CVE-2026-22719, CVE-2026-2441, and CVE-2026-1281, alongside older but still exploited issues such as CVE-2025-40551, CVE-2025-20393, CVE-2025-15556, CVE-2024-43468, CVE-2023-48788, CVE-2021-44529, and CVE-2021-39935. The combined actions show U.S. authorities escalating warnings that active exploitation is broadening across enterprise technologies, with network appliances, email platforms, and internet-facing systems remaining priority targets for defenders.
How this story unfolded
31 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-20963 to the KEV catalog
CISA published a Known Exploited Vulnerabilities catalog entry or search-indexed listing for CVE-2026-20963, indicating the vulnerability was known to be exploited in the wild. The addition elevated the urgency of remediation for affected organizations, especially federal agencies.
CISA adds CVE-2025-68613 to the KEV catalog
CISA published a Known Exploited Vulnerabilities catalog entry or search-indexed listing for CVE-2025-68613, indicating the vulnerability was known to be exploited. The publication elevated remediation priority for affected organizations, particularly federal agencies.
CISA refreshes multiple KEV catalog entries and search pages
CISA published or refreshed multiple KEV search-result pages for previously listed CVEs, including CVE-2026-32201, CVE-2025-60710, CVE-2026-3502, CVE-2026-33017, CVE-2026-20131, CVE-2025-32432, CVE-2025-31277, CVE-2025-43510, CVE-2025-43520, CVE-2023-48788, CVE-2021-44529, CVE-2026-3909, CVE-2026-1603, CVE-2026-21385, CVE-2026-22719, CVE-2026-2441, CVE-2025-15556, CVE-2024-43468, CVE-2026-1281, CVE-2021-39935, and CVE-2025-20393. These are catalog and search-page refreshes of existing entries, not new exploitation reports, and the available detail does not support treating them as separate real-world incidents.
CISA refreshes search-indexed KEV listing for CVE-2025-26399
CISA republished or refreshed the catalog search results for CVE-2025-26399 on its KEV site. This appears to be a site indexing or search update rather than a new exploitation event.
CISA updates ED 25-03 with version 1 guidance on Cisco compromise
CISA published Version 1 of ED 25-03, continuing guidance to identify and mitigate potential compromise of Cisco devices. The updated directive indicated an ongoing federal response and refined mitigation expectations.
CISA adds CVE-2026-5281 to the KEV catalog
CISA added CVE-2026-5281 to the Known Exploited Vulnerabilities catalog. The listing reflected active exploitation and increased urgency for remediation.
CISA adds CVE-2026-33634 to the KEV catalog
CISA published a KEV entry for CVE-2026-33634, indicating the vulnerability was known to be exploited. The addition required prompt mitigation by affected entities.
CISA adds CVE-2025-26399 to the KEV catalog
CISA added CVE-2025-26399 to its KEV catalog, identifying it as actively exploited. The publication elevated the vulnerability's remediation priority.
HHS settles HIPAA investigation over MMG Fusion breach affecting 15 million
HHS' Office for Civil Rights announced a settlement of its HIPAA investigation into MMG Fusion, LLC following a breach affecting 15 million individuals. The action represented a regulatory resolution tied to a large healthcare data breach.
CISA adds CVE-2026-20127 to the KEV catalog
CISA published a Known Exploited Vulnerabilities entry for CVE-2026-20127. The listing reflected confirmed exploitation and prompted prioritization of defensive action.
CISA adds CVE-2026-1731 to the KEV catalog
CISA added CVE-2026-1731 to the KEV catalog, indicating the vulnerability had been exploited. The entry made the flaw subject to heightened remediation urgency.
CISA adds CVE-2025-11953 to the KEV catalog
CISA published a KEV entry for CVE-2025-11953, identifying it as a known exploited flaw. The addition signaled that affected organizations should prioritize mitigation.
CISA adds CVE-2026-24423 to the KEV catalog
CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog. The listing indicated exploitation in the wild and required accelerated remediation attention.
CISA adds CVE-2025-40551 to the KEV catalog
CISA published a KEV listing for CVE-2025-40551, marking it as actively exploited. The catalog addition elevated patching priority for affected systems.
CISA adds CVE-2025-64328 to the KEV catalog
CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities catalog. The entry signaled observed exploitation and the need for prompt mitigation.
CISA adds CVE-2026-23760 to the KEV catalog
CISA published a KEV entry for CVE-2026-23760, indicating the flaw was known to be exploited. The addition placed the vulnerability into federal remediation workflows.
CISA republishes ED 21-01 on SolarWinds Orion compromise as closed
CISA published the closed version of Emergency Directive 21-01 concerning mitigation of the SolarWinds Orion code compromise. This reflected archival or status-updated publication of the directive on CISA's site.
CISA adds CVE-2025-37164 to the KEV catalog
CISA added CVE-2025-37164 to the KEV catalog, identifying it as a known exploited vulnerability. The listing increased urgency for patching and mitigation among affected organizations.
FBI warns Silent Ransom Group is targeting law firms
The FBI published an alert stating that the Silent Ransom Group was targeting law firms. The warning represented a law enforcement notification to a specific sector about an active threat campaign.
CISA adds CVE-2025-59718 to the KEV catalog
CISA published a Known Exploited Vulnerabilities catalog entry for CVE-2025-59718, indicating the vulnerability was known to be exploited in the wild. The addition elevated the urgency of remediation for affected organizations, especially federal agencies.
CISA adds CVE-2025-54236 to the KEV catalog
CISA published a Known Exploited Vulnerabilities entry for CVE-2025-54236. The addition indicated active exploitation and triggered prioritization for mitigation.
CISA publishes supplemental core dump and hunt guidance for ED 25-03
CISA released a supplemental direction to ED 25-03 providing core dump collection and threat hunting instructions. The update expanded the government's response guidance for investigating suspected Cisco device compromise.
CISA issues ED 25-03 on potential compromise of Cisco devices
CISA published Emergency Directive 25-03 instructing agencies to identify and mitigate potential compromise affecting Cisco devices. The directive reflected concern that impacted devices may already have been compromised and required immediate defensive action.
CISA adds CVE-2025-4428 to the KEV catalog
CISA added CVE-2025-4428 to the KEV catalog, signaling that exploitation had been observed in the wild. The listing made the vulnerability a priority for federal remediation timelines.
CISA adds CVE-2024-23113 to the KEV catalog
CISA added CVE-2024-23113 to the Known Exploited Vulnerabilities catalog. The entry indicated the flaw was being exploited and should be remediated on an accelerated basis.
CISA adds CVE-2024-28986 to the KEV catalog
CISA published a KEV entry for CVE-2024-28986, identifying it as a vulnerability under active exploitation. The addition required heightened patching priority for impacted systems.
HHS opens OCR investigation into Change Healthcare cyberattack
HHS' Office for Civil Rights announced it had issued a letter and opened an investigation into the Change Healthcare cyberattack. The action signaled federal scrutiny of potential HIPAA-related impacts from the incident.
CISA adds CVE-2024-21762 to the KEV catalog
CISA added CVE-2024-21762 to its Known Exploited Vulnerabilities catalog, reflecting confirmed exploitation activity. The listing elevated urgency for remediation across affected organizations, especially federal agencies.
CISA publishes guidance for Citrix Bleed vulnerability
CISA published guidance addressing CVE-2023-4966, known as Citrix Bleed, affecting Citrix NetScaler ADC and Gateway devices. The guidance provided mitigation direction for organizations responding to the actively exploited vulnerability.
CISA adds CVE-2020-0796 to the KEV catalog
CISA published a Known Exploited Vulnerabilities catalog entry for CVE-2020-0796, indicating the vulnerability was known to be exploited in the wild. Federal agencies would be expected to prioritize remediation under KEV requirements.
CISA orders removal of Kaspersky-branded products from federal systems
CISA issued Binding Operational Directive 17-01 directing federal agencies to identify and remove Kaspersky-branded products from federal information systems. This marked a formal U.S. government mitigation action against the vendor's software in federal environments.