Cyber Alert Security News Daily

Cisco FMC/SD-WAN/IOS XE/IMC/SSM zero-day RCE/auth bypass exploited (CVE-2026-20131/20079/20093/20160 + SSM/IMC fixes + Salt Typhoon + ShinyHunters + FBI DCSNet + AVrecon + APT28 router hijack quashed)

Key Questions

What critical Cisco vulnerabilities were recently patched?

Cisco patched unauthenticated root RCE vulnerabilities in Secure Firewall Management Center (FMC), Secure Firewall, IMC, SSM and UCS, plus a new SSM On-Prem RCE and an IMC password bypass (CVSS 10, added to CISA's KEV catalog). Fixes began shipping on April 22. Patch urgently: these flaws carry an active-exploitation risk.

What is the SD-WAN vulnerability and who is exploiting it?

CVE-2026-20127 in Cisco SD-WAN is a local privilege escalation (LPE) flaw covered by CISA Emergency Directive 26-03 and actively exploited by groups including Interlock and NodeSnake. Follow the directive's mitigation guidance; network inventory and verification tools such as Forward Networks can help confirm which devices are affected and which have been remediated.

What happened with the FBI's AVrecon and DCSNet systems?

The FBI classified a breach of its AVrecon system (which scanned roughly 369,000 routers) and its DCSNet surveillance system as a 'major incident' under FISMA; the intrusion is assessed as likely China-linked. The breach exposes sensitive law-enforcement data, and security experts are still assessing the implications.

Who are ShinyHunters and what Cisco data did they leak?

ShinyHunters leaked more than 3 million Cisco records and about 21,000 Wynn records, adding to a run of recent data-breach disclosures. Affected users and organizations should watch for credential misuse and reset any exposed credentials.

What is Salt Typhoon and its relation to telcos?

Salt Typhoon is the name given to a China-linked intrusion set that targets telecommunications carriers; it is one of the espionage campaigns covered in this digest. Defensive measures include proactive network hunts and segmentation.

How did the US respond to APT28/GRU router espionage?

US authorities neutralized a Russia-backed (APT28/GRU) espionage network that had compromised more than 18,000 TP-Link and MikroTik routers in over 120 countries. Operators of these router lines are urged to inventory and patch them.

What products are affected by the Cisco IMC flaw?

The Cisco IMC authentication bypass lets an unauthenticated attacker gain administrative access and remote control of affected servers, and it is present across many Cisco server products that embed IMC. Cisco has released fixes; updating immediately is critical.

What actions are recommended for organizations?

Organizations should prioritize urgent patching, build an inventory of affected systems, and run threat hunts for signs of prior compromise. Monitor the CISA KEV catalog and Emergency Directives, particularly for SD-WAN. Tools such as Forward Networks can help verify patch coverage.
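One concrete way to act on the "monitor CISA KEV against your inventory" recommendation, added here as a worked example (it is not code from this digest's sources, CISA or Cisco): parse a KEV-format JSON document, match each vendor entry against a device inventory by product name, and produce a worklist ordered by KEV due date. The field names follow the published KEV JSON schema; the KEV entries, the CVE-0000-00001/00002 placeholder identifiers, the due dates and the inventory rows are constructed sample data, and only CVE-2026-20127 (Cisco SD-WAN, as the digest states) is a real identifier.

```python
"""Cross-reference a CISA KEV feed against a device inventory.

Added example for this digest; not code from CISA, Cisco or any source the
digest cites. Field names follow the public KEV JSON schema. The KEV
entries, CVE placeholders and inventory below are constructed sample data.
"""
import json
import re
from datetime import date

# Reference date for the worked run (matches this digest's "Updated" date).
TODAY = date(2026, 4, 8)

# Constructed KEV-shaped document. Only CVE-2026-20127 (Cisco SD-WAN, per the
# digest) is a real identifier; CVE-0000-00001/00002 are placeholders so no
# real CVE is tied to a product the digest does not map it to. Due dates and
# descriptions are illustrative, not the real catalog records.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.04.08",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "SD-WAN",
         "vulnerabilityName": "Cisco SD-WAN Privilege Escalation Vulnerability",
         "dateAdded": "2026-03-30", "shortDescription": "constructed sample entry",
         "requiredAction": "Apply mitigations per vendor instructions and CISA ED 26-03.",
         "dueDate": "2026-04-06", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00001", "vendorProject": "Cisco",
         "product": "Integrated Management Controller (IMC)",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-04-02",
         "shortDescription": "constructed sample entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-04-20", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00002", "vendorProject": "Cisco",
         "product": "Secure Firewall Management Center (FMC)",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-04-02",
         "shortDescription": "constructed sample entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-04-29", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory: hostnames and product strings as a CMDB export might
# hold them. The Catalyst and MikroTik rows are there to show non-matches.
SAMPLE_INVENTORY = [
    {"host": "sdwan-vmanage-01", "vendor": "Cisco", "product": "Cisco SD-WAN vManage 20.12"},
    {"host": "fmc-01", "vendor": "Cisco", "product": "Cisco Secure Firewall Management Center 7.4"},
    {"host": "ucs-c220-07", "vendor": "Cisco", "product": "Cisco UCS C-Series Integrated Management Controller"},
    {"host": "core-sw-03", "vendor": "Cisco", "product": "Cisco Catalyst 9300 IOS XE 17.12"},
    {"host": "branch-rtr-11", "vendor": "MikroTik", "product": "MikroTik RouterOS 7"},
]


def _tokens(name: str) -> set[str]:
    """Lower-case alphanumeric tokens of a product name. Parenthetical aliases
    such as "(FMC)" are dropped so they are not required in the inventory string."""
    name = re.sub(r"\([^)]*\)", " ", name)
    return set(re.findall(r"[a-z0-9]+", name.lower()))


def product_matches(inventory_product: str, kev_product: str) -> bool:
    """True when every token of the KEV product name appears in the inventory
    product string (so "SD-WAN" matches "Cisco SD-WAN vManage 20.12")."""
    kev = _tokens(kev_product)
    return bool(kev) and kev <= _tokens(inventory_product)


def build_worklist(kev_text: str, inventory: list[dict], today: date = TODAY) -> list[dict]:
    """Pair each inventory host with every KEV entry for its vendor whose
    product name matches, and order the result by KEV due date."""
    entries = json.loads(kev_text)["vulnerabilities"]
    rows = []
    for dev in inventory:
        for entry in entries:
            if dev["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if not product_matches(dev["product"], entry["product"]):
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": dev["host"],
                "cve": entry["cveID"],
                "kev_product": entry["product"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,  # negative means overdue
                "action": entry["requiredAction"],
            })
    rows.sort(key=lambda r: (r["due"], r["host"]))
    return rows


def overdue_hosts(rows: list[dict]) -> list[str]:
    """Hosts whose KEV due date has already passed."""
    return [r["host"] for r in rows if r["days_left"] < 0]


if __name__ == "__main__":
    worklist = build_worklist(SAMPLE_KEV, SAMPLE_INVENTORY)
    for r in worklist:
        flag = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        print(f"{r['host']:<18} {r['cve']:<16} due {r['due']} ({flag})  {r['action']}")
    print("overdue:", ", ".join(overdue_hosts(worklist)) or "none")
```

KEV product names are free text, so the token-subset match is a triage heuristic, not a verdict: a generic product string in the catalog will over-match, and the script does not know which software versions are fixed, because the digest supplies no version data. Treat the worklist as the set of hosts to check against Cisco's advisories and, for SD-WAN, against the ED 26-03 mitigations, rather than as proof of exposure or of remediation.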

Unauth root RCE on FMC/Secure Firewall/IMC/SSM/UCS + new SSM On-Prem RCE/IMC pw bypass (CVSS10 CISA KEV, patched 4/22+); SD-WAN CVE-2026-20127 LPE CISA ED exploited by Interlock/NodeSnake; FBI AVrecon ~369k routers & DCSNet FISMA breach; ShinyHunters 3M+ Cisco leaks + Wynn 21k; Salt Typhoon telcos; APT28/GRU 18k TP-Link/MikroTik router espionage neutralized by feds. Urgent patching/inventory/hunts.

Sources (17)
Updated Apr 8, 2026