Perimeter/routers/firewalls exploited
Key Questions
What critical vulnerabilities are affecting perimeter devices like routers and firewalls?
Multiple high-severity issues include Cisco SD-WAN CVE-2026-20245 (CVSS 10, no patch), Check Point VPN zero-day CVE-2026-50751 exploited by Qilin, and UniFi OS RCE chain requiring urgent patching to 5.0.8. Other active exploits target Palo Alto GlobalProtect, Fortinet FortiSandbox, and F5 NGINX with out-of-band patches issued.
Is there ongoing exploitation of Cisco SD-WAN vulnerabilities?
Yes, CVE-2026-20245 and CVE-2026-20262 are actively exploited with CISA directives and KEV listings. APT groups like UAT-8616 are involved, prompting urgent patching and hunting recommendations.
What action is advised for the Check Point VPN zero-day?
Follow-up advisories confirm ongoing exploitation of CVE-2026-50751 by Qilin ransomware actors with public PoCs available. Organizations should apply mitigations and monitor for related activity.
Which Ivanti flaws are being actively exploited?
Ivanti Sentry CVE-2026-9614 in Neurons for ITSM is actively exploited alongside other critical patched flaws and an unpatched OS command injection. Patches should be applied where available.
What is the FortiBleed campaign and its impact?
The campaign has compromised 73k+ URLs with 30,000 verified Fortinet logins across 194 countries, affecting organizations like Accenture, Comcast, and Oracle. Credential-stuffing remains a key risk.
Has the FBI taken action against Russian GRU botnets?
Yes, Operation Masquerade shut down a GRU botnet operating on edge devices. This reinforces the need for patching and hunting on perimeter infrastructure.
What F5 NGINX vulnerabilities require urgent patching?
Critical unauthenticated RCE flaws (CVSS 9.2) in HTTP/3 and HTTP/2 components affect multiple products, with out-of-band patches released for CVE-2026-42530 and others. Immediate updates are recommended.
Are there resurfacing issues with older PAN-OS vulnerabilities?
The SAML bypass CVE-2020-2021 is resurfacing alongside newer Palo Alto VPN GlobalProtect auth bypass CVE-2026-0257 under active exploitation. Legacy devices need review.
Cisco SD-WAN CVE-2026-20245 (CVSS 10) no patch, CISA Emergency Directive. Check Point VPN zero-day (CVE-2026-50751) exploited by Qilin; public PoC – follow-up advisory confirms ongoing exploitation. UniFi OS critical RCE chain – patch to 5.0.8 urgent. cPanel CVE-2026-41940 hijacking 40k+ servers. Ivanti Sentry critical flaws patched but new perfect 10 OS command injection (unpatched). Ivanti Sentry CVE-2026-9614 in Neurons for ITSM actively exploited. Palo Alto VPN GlobalProtect auth bypass (CVE-2026-0257) active exploitation. VerdantBamboo APT campaign. APT28 hijacking old TP-Link routers. Cisco CVE-2026-20133 actively exploited. Cisco SD-WAN CVE-2026-20262 file upload actively exploited – CISA KEV, UAT-8616 APT. Fortinet FortiSandbox: three flaws actively exploited (one patched June 10). Cisco SD-WAN CVE-2026-20127 (Rapid7). Old PAN-OS SAML bypass CVE-2020-2021 resurfacing. FortiBleed credential-stuffing campaign: 73k+ URLs compromised, 30,000 verified logins across 194 countries (Accenture/Comcast/Oracle). Cisco ISE RCE (CVE-2026-20181, CVE-2026-20190) – patches available. F5 NGINX critical unauthenticated RCE (HTTP/3 use-after-free, HTTP/2 heap overflow, CVSS 9.2) – out-of-band patches for CVE-2026-42530 and others, patch urgently. FBI Operation Masquerade shut down Russian GRU botnet on edge devices. Patch/hunts urgent.