A surge of actively exploited vulnerabilities affecting Cisco’s network edge software, including its firewalls and SD-WAN systems, has been disclosed since late February. Researchers report that five of the nine vulnerabilities Cisco has revealed in these critical security products have already been exploited by malicious actors in the wild, raising significant concerns for organizations relying on these devices.
This trend highlights a growing risk for businesses, as attackers are targeting sophisticated network infrastructure. The rapid exploitation of these Cisco SD-WAN and firewall vulnerabilities underscores the importance of prompt security updates and proactive threat monitoring for network administrators worldwide.
Flurry of Exploited Cisco Vulnerabilities Poses Widespread Risk
Since late February, Cisco has disclosed a series of critical vulnerabilities affecting its firewalls and SD-WAN solutions. These include zero-day exploits, some of which were reportedly active for years before detection. Notably, attackers exploited a pair of these defects in Cisco SD-WANs for at least three years before Cisco and authorities became aware and issued warnings.
Adding to the concern, Amazon Threat Intelligence reported that one of two maximum-severity defects in Cisco’s firewall management software had been actively exploited by Interlock ransomware since January 26, over a month before the vulnerability was publicly disclosed. This pre-disclosure exploitation, coupled with vulnerabilities having low CVSS ratings, complicates risk assessment for many organizations.
Cisco SD-WAN Vulnerabilities Under Attack
Cisco’s SD-WAN systems have been particularly targeted, with multiple vulnerabilities being actively exploited. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to a specific threat group, UAT-8616. However, it remains unclear if the same actors are behind all the observed SD-WAN exploits.
Researchers anticipate that other threat actors will likely leverage public research on these vulnerabilities to develop their own attacks. This could lead to further exploitation attempts by a wider range of malicious actors, including those with lower technical skill. The cluster of disclosed vulnerabilities often follows the discovery of a significant defect in a specific product line, such as Cisco’s SD-WAN offerings.
Interlock Ransomware Exploits Cisco Firewalls
The ongoing ransomware campaign identified by Amazon Threat Intelligence, involving CVE-2026-20131, demonstrates a significant exploit in Cisco firewalls. Researchers stated that Interlock ransomware possessed a zero-day exploit, giving them an advantage to compromise organizations before defenses were even aware of the threat. Interlock’s attack methods are described as extensive, incorporating post-compromise reconnaissance, custom remote access trojans, webshells, and the abuse of legitimate tools.
Interlock has a history of targeting sectors where operational disruptions can maximize pressure for ransom payments. These sectors include education, engineering, healthcare, and government entities. The group has been known to threaten victims with data encryption and regulatory fines, compounding the impact of a successful breach.
Implications for Network Security
Experts emphasize that these vulnerabilities are not minor bugs but weaknesses in the management and control planes of network edge devices. Douglas McKee, director of vulnerability intelligence at Rapid7, noted that compromising these systems gives attackers access to policy, visibility, routing, segmentation, and administrative trust across a large portion of an enterprise environment. When attackers find a pre-authentication path, especially one that can lead to root access, the device becomes a highly attractive target.
Caitlin Condon, vice president of security research at VulnCheck, highlighted that some of the exploited vulnerabilities in this batch of Cisco SD-WAN flaws do not carry critical CVSS scores. Organizations that rely solely on CVSS for prioritization might therefore overlook medium- or high-scored vulnerabilities that still offer real-world utility to adversaries. The ongoing attacks are a reminder not to deprioritize less severe, yet still exploitable, vulnerabilities.
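The prioritization gap described above, as an added illustration that is not part of the article and not code from Cisco, VulnCheck or Rapid7: a small triage routine that ranks exploitation evidence and pre-authentication reach ahead of the CVSS score. The records are constructed placeholders, not the real scores of the Cisco advisories.

```python
"""Exploit-aware vulnerability triage (constructed example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str      # placeholder identifier, not a real advisory
    cvss: float       # published CVSS base score
    exploited: bool   # in-the-wild exploitation reported (vendor, KEV, threat intel)
    pre_auth: bool    # reachable without credentials
    mgmt_plane: bool  # affects the management/control plane of an edge device


def cvss_severity(score: float) -> str:
    """Qualitative CVSS v3 rating for a base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"


def triage_rank(f: Finding) -> int:
    """Lower is more urgent. Exploitation evidence outranks the score; within
    exploited findings, pre-auth or management-plane reach comes first."""
    if f.exploited:
        return 0 if (f.pre_auth or f.mgmt_plane) else 1
    if f.cvss >= 9.0 and f.pre_auth:
        return 2
    return 3


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Exploit-aware order: tier first, then CVSS as a tie-breaker."""
    return sorted(findings, key=lambda f: (triage_rank(f), -f.cvss))


def cvss_only(findings: List[Finding]) -> List[Finding]:
    """The score-only order that misses exploited medium-rated flaws."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample: B is a medium-scored but exploited pre-auth flaw.
SAMPLE = [
    Finding("EXAMPLE-A", 9.8, exploited=False, pre_auth=True, mgmt_plane=True),
    Finding("EXAMPLE-B", 6.5, exploited=True, pre_auth=True, mgmt_plane=True),
    Finding("EXAMPLE-C", 7.2, exploited=True, pre_auth=False, mgmt_plane=False),
    Finding("EXAMPLE-D", 8.1, exploited=False, pre_auth=False, mgmt_plane=True),
    Finding("EXAMPLE-E", 5.3, exploited=False, pre_auth=False, mgmt_plane=False),
]
```

Comparing `cvss_only(SAMPLE)` with `prioritize(SAMPLE)` shows the exploited 6.5 entry moving from fourth place to first.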
The Cybersecurity and Infrastructure Security Agency (CISA) has added only two of the disclosed defects to its Known Exploited Vulnerabilities catalog. The agency has not provided details on why other actively exploited Cisco vulnerabilities have not been included, potentially due to its ongoing funding shutdown since February. The situation with vulnerable network edge infrastructure continues to evolve, underscoring the need for vigilance among organizations using Cisco products.