Critical vulnerabilities and active exploitation of VPNs, SD‑WAN, routers, firewalls, ICS/OT gear, Serv‑U, and backup/storage products impacting infrastructure and management planes

The cybersecurity landscape in 2026 remains deeply challenged by a persistent wave of critical vulnerabilities and active exploitation campaigns targeting core infrastructure and management-plane technologies. VPNs, SD-WAN controllers, routers, firewalls, industrial control systems (ICS)/operational technology (OT) devices, Serv-U file transfer solutions, and backup/storage platforms continue to be prime targets for sophisticated adversaries. These attacks exploit zero-days and long-known flaws alike, enabling remote code execution (RCE), authentication bypasses, privilege escalation, and persistent footholds that threaten enterprise, telecom, and critical infrastructure environments globally.

---

Escalating Threat Landscape: New Developments and Persistent Exploits

Recent months have seen sustained and evolving exploitation efforts, underscoring the urgency for organizations to accelerate patching and adopt comprehensive defensive strategies:

• Cisco SD-WAN Controllers Under Continued Siege
  The zero-day authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controllers, actively exploited by the advanced threat group UAT-8616 since early 2023, remains a significant risk. Despite Cisco’s patches and CISA’s Emergency Directive 26-03 mandating immediate remediation, exploit activity persists, with attackers leveraging the flaw to execute arbitrary commands on management planes—jeopardizing enterprise WAN integrity. Recent telemetry indicates attackers have begun integrating AI-driven automation to enhance lateral movement and stealth, raising the bar for detection and response. (Source: Cisco Talos, CISA ED 26-03)

• Fortinet FortiGate Compromises Amplified by AI-Powered Attacks
  The compromise of over 600 FortiGate firewalls across 55 countries has escalated, with attackers employing generative AI models to automate exploit delivery, credential harvesting, and lateral pivoting. This AI-assisted approach has drastically reduced the time from vulnerability discovery to active exploitation, often culminating in ransomware deployment or cryptojacking operations that siphon computational resources. The rapid weaponization of known RCE and authentication bypass vulnerabilities in FortiGate appliances highlights the increasing sophistication and scale of adversary operations. [(Source: AWS Security Bulletin, SecurityWeek)]

• Juniper PTX Routers: Critical RCE and Complex Patch Management
  The critical RCE vulnerabilities impacting Juniper PTX routers, which underpin major telecom backbones, continue to pose grave risks. Operators face difficult patching decisions due to the routers’ critical roles and the requirement for out-of-band, rollback-safe updates. Recent reports show some telecom providers are delaying patches to avoid service disruptions, inadvertently extending exposure windows exploited by threat actors to gain full device control. This situation has prompted renewed calls for vendor collaboration to streamline secure patch deployment processes in critical network environments. [(Source: SecurityWeek, eSecurity Planet)]

• OPNsense and FortiCloud Breaches Enable Stealthy Infrastructure Pivoting
  The ongoing exploitation of Deciso OPNsense (CVE-2026-2035) and FortiCloud authentication bypass and command injection flaws allows attackers to circumvent zero-trust segmentation strategies. By compromising these management platforms, adversaries move laterally across segmented networks, often undetected, to access high-value targets. Recent incident analyses reveal attackers leveraging these vulnerabilities to implant persistent backdoors and manipulate firewall policies, increasing the risk of widespread internal compromise. [(Source: OPSWAT Technical Analysis, vendor advisories)]

• Honeywell CCTV Systems and OT Espionage Risks
  Critical authentication bypasses in Honeywell CCTV systems (e.g., CVE-2026-1670) continue to expose sensitive video feeds and operational control interfaces in OT environments. Attack campaigns targeting these devices have intensified, with evidence pointing to espionage activities against critical infrastructure sectors such as energy and manufacturing. The ability to manipulate CCTV feeds and control access remotely threatens both operational security and situational awareness. [(Source: Cyber Press)]

• SolarWinds Serv-U and BeyondTrust Remote Support: Persistent Backdoors and Command Injection
  Despite multiple patches, critical RCE vulnerabilities in SolarWinds Serv-U file transfer products and BeyondTrust remote support tools (notably CVE-2026-1731) are actively exploited to establish persistent root-level backdoors. Attackers use these footholds to maintain stealthy access within IT and OT networks, often deploying secondary payloads like VShell and SparkRAT for lateral movement and data exfiltration. Incident response teams report ongoing exploitation campaigns months after patch releases, emphasizing the importance of comprehensive remediation and continuous monitoring. [(Source: Palo Alto Unit 42, SecPod Blog, SolarWinds advisories)]

• Dell RecoverPoint Backup Systems: Long-Term Espionage via Hardcoded Credentials
  The hardcoded credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines has been exploited by a suspected Chinese nation-state group for over 18 months. This access has enabled persistent espionage within backup infrastructures, allowing attackers to exfiltrate sensitive data and manipulate backup integrity. The stealth and longevity of this campaign highlight the critical need for credential hygiene and secure configuration management in backup systems. [(Source: Dell Advisory, live threat intelligence)]

• Telecom Gear Under Siege: Grandstream and Sangoma Vulnerabilities
  Critical RCE flaws in Grandstream VoIP phones (CVE-2026-2329) continue to facilitate attacker footholds into telecom voice networks. Additionally, the persistence of PHP-based EncystPHP web shells on over 900 Sangoma FreePBX instances underscores widespread compromises in telecom management planes. These breaches allow remote code execution and lateral movement, threatening the confidentiality and availability of voice and data communications. [(Source: Shadowserver Foundation, security advisories)]

• Wi-Fi AirSnitch Client Isolation Bypass: New Variant Amplifies Wireless Threats
  Researchers from UC Riverside have identified a new variant of the AirSnitch vulnerability that bypasses Wi-Fi client isolation on multiple router brands. This flaw enables attackers connected to guest or IoT networks to perform full machine-in-the-middle (MitM) attacks and pivot into secure enterprise segments, dramatically increasing the threat to wireless infrastructure and highlighting the ongoing risks of insufficient network segmentation. [(Source: UC Riverside research)]

• Kernel-Adjacent and Runtime Zero-Days Weaponized in Developer and Cloud Environments
  High-severity zero-days, including telnetd in GNU Inetutils (CVE-2026-24061), Windows Notepad (CVE-2026-20841), and AI runtime Wasmtime (CVE-2026-27572), are actively exploited to gain root shells, execute arbitrary commands, and harvest credentials. These vulnerabilities impact developer workstations, CI/CD pipelines, and cloud workloads, broadening the attack surface beyond infrastructure devices and underscoring the need for comprehensive security across the software stack. [(Source: National Vulnerability Database, PoC releases)]

---

CISA and Vendor Guidance: KEV Updates and Emergency Directives

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) continues to play a pivotal role in coordinating national response efforts:

• Expanded KEV Catalog
  CISA recently added four critical vulnerabilities under active exploitation to its Known Exploited Vulnerabilities (KEV) catalog, including Serv-U RCEs and Roundcube webmail flaws exploited within 48 hours of disclosure. This expansion reflects the rapid weaponization of newly disclosed vulnerabilities and the need for accelerated patching.

• Emergency Directives and Federal Mandates
  Emergency Directive 26-03 mandates federal agencies and critical infrastructure entities to prioritize patching of Cisco SD-WAN and other vulnerable systems. CISA’s updated BRICKSTORM malware report details ransomware and cryptojacking campaigns that exploit edge devices such as VPN gateways and SD-WAN controllers to infiltrate and persist within networks.

• Vendor Patching and Advisory Efforts
  Vendors including SolarWinds, BeyondTrust, Juniper, and Fortinet have released patches, but real-world exploitation continues, emphasizing the importance of rapid deployment combined with rollback-safe orchestration to maintain operational uptime.

---

Edge-Focused Attack Trends: Ransomware, Cryptojacking, and IT/OT Convergence

• Management-Plane Attacks Driving Ransomware Access
  Ransomware groups increasingly leverage management-plane vulnerabilities in VPNs, SD-WAN, and firewall devices to gain initial access with minimal detection. The exploitation of these edge devices enables rapid deployment of ransomware payloads that can paralyze organizations.

• Cryptojacking’s Growing Footprint
  Cryptojacking campaigns exploit vulnerable drivers and firmware on endpoint and edge devices, maximizing illicit cryptocurrency mining while evading conventional endpoint detection and response (EDR) tools.

• ICS/OT Exposures and Blurring of IT/OT Boundaries
  The exposure of ICS/OT environments through compromised edge devices has reached record levels. Forescout’s recent report highlights an unprecedented number of ICS vulnerabilities and growing ransomware group interest in zero-days targeting critical infrastructure. Attackers increasingly exploit interconnected management consoles, remote support tools, and backup systems to establish persistent, high-impact footholds that bridge IT and OT domains.

---

Strategic Defensive Measures: Harden, Monitor, and Respond

To mitigate these multifaceted and sophisticated threats, organizations should adopt a holistic, layered security approach:

• Accelerated, Rollback-Safe Patch Deployment
  Immediate patching of all VPNs, SD-WAN controllers, routers, firewalls, Serv-U, backup/storage products, and ICS management consoles identified in KEV lists and vendor advisories is critical. Employ rollback-safe orchestration frameworks to prevent service disruptions during patch rollouts.

• Continuous Behavioral Monitoring and Firmware Attestation
  Deploy real-time anomaly detection and behavioral analytics on management planes and firmware layers. Implement hardware-rooted firmware attestation where feasible to detect stealth implants and firmware-level compromises.

• Zero-Trust Micro-Segmentation and Access Controls
  Enforce strict network segmentation around management consoles, remote support tools, and critical infrastructure components to limit lateral movement from compromised edge devices.

• Edge Device Hardening and Secure Configuration
  Harden VPNs, SD-WAN, and firewall appliances through secure baseline configurations, strong multi-factor authentication, and minimization of exposed attack surfaces.

• Incident Response Preparedness and KEV Intelligence Integration
  Integrate KEV intelligence feeds and actively monitor for known exploit indicators. Conduct targeted tabletop exercises simulating edge device compromise and lateral movement scenarios to enhance readiness.

• Cross-Sector Collaboration and Information Sharing
  Engage with CISA alerts, vendor security advisories, and OT cybersecurity coalitions such as VulnCheck to remain informed of emerging threats and coordinate defensive responses.

---

Conclusion

The convergence of critical vulnerabilities and active exploitation campaigns across VPNs, SD-WAN, routers, firewalls, ICS/OT gear, Serv-U file transfer products, and backup/storage platforms continues to pose a formidable threat to infrastructure and management-plane security in 2026. Adversaries increasingly leverage AI-accelerated weaponization, zero-day exploits, and advanced lateral movement techniques to compromise enterprise and critical infrastructure environments rapidly.

Urgent, coordinated action is essential to patch vulnerable systems, harden edge devices, and implement zero-trust architectures. By following CISA guidance, leveraging KEV updates, and adopting advanced detection and response capabilities, organizations can significantly reduce their exposure to these high-impact threats and strengthen resilience against increasingly automated and targeted attacks.

---

Selected References

• Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability – Cisco Talos, CISA ED 26-03
• Active exploitation of Cisco Catalyst SD-WAN by UAT-8616 – Cisco Talos
• SolarWinds Serv-U Critical RCE Vulnerabilities – SolarWinds Advisory, Palo Alto Unit 42
• BeyondTrust CVE-2026-1731 Exploitation with VShell and SparkRAT – SecPod Blog, H-ISAC Bulletin
• Hacker used AI to breach 600 FortiGate appliances across 55 countries – AWS Security Bulletin
• Juniper PTX Router Full Takeover Vulnerability – SecurityWeek
• Deciso OPNsense Authentication Bypass (CVE-2026-2035) – OPSWAT
• Honeywell CCTV Authentication Bypass (CVE-2026-1670) – Cyber Press
• AirSnitch Wi-Fi Client Isolation Bypass – UC Riverside Research
• Dell RecoverPoint Hardcoded Credential Zero-Day – Dell Advisory
• 900+ Sangoma FreePBX Instances Compromised by EncystPHP Web Shell – Shadowserver Foundation
• CISA Known Exploited Vulnerabilities Catalog Updates – CISA.gov
• Forescout Report on Record ICS Vulnerabilities – Forescout

---

By prioritizing rapid patch management, zero-trust micro-segmentation, continuous behavioral monitoring, and robust cross-sector collaboration, organizations can better defend the critical infrastructure and management planes that underpin today’s interconnected digital ecosystems.