Tag
#cisco
8 posts tagged #cisco.
-
Analysis · Jun 17, 2026 · Colten Anderson
The Cisco IOS XE reboot that wasn't remediation
Patching CVE-2023-20198 and rebooting the box clears the web shell but leaves the rogue admin account behind. If you ran one IOS XE web UI on the public internet in late 2023, you have an account audit to do before you close the ticket.
-
Analysis · May 20, 2026 · Colten Anderson
Cisco's management and identity products keep showing up in the catalog
Smart Licensing Utility, Identity Services Engine, IOS XE, Catalyst SD-WAN Manager, Unified Communications Manager, a run of exploited Cisco bugs in 2024-2026, including a hardcoded credential and several unauthenticated RCEs. The management plane is the target.
-
Analysis · May 20, 2026 · Colten Anderson
The VPN bug that isn't on the gateway, it's the updater on the laptop
CVE-2020-3433 and CVE-2020-3153 are in the Cisco AnyConnect Windows client, not the VPN gateway. The weak point is the privileged helper service that auto-updates the client, which a local user can trick into running their code as SYSTEM.
-
Analysis · May 20, 2026 · Colten Anderson
A 2020 bug leaked VPN passwords. The orgs that survived had MFA.
CVE-2020-3259 lets an unauthenticated attacker read Cisco ASA memory, sometimes including VPN credentials in cleartext. Akira ransomware used it for initial access years after the patch. The control that turned a leaked password into a non-event was multi-factor authentication.
-
Analysis · May 20, 2026 · Colten Anderson
The unlocked side door on your Cisco VPN was the default group nobody configured
CVE-2023-20269 let attackers brute-force Cisco ASA VPN credentials and establish unauthorized sessions, both by abusing default connection profiles that ship enabled. Akira and LockBit used it for initial access. The fix is patching plus hardening the defaults you never touched.
-
Analysis · May 14, 2026 · Colten Anderson
Rapid7 found a second CVSS 10 in Cisco SD-WAN while researching the first
Two unauthenticated auth bypasses in the same Cisco vdaemon in under three months, both being exploited by the same actor that has been sitting in critical-infrastructure fabrics since 2023.
-
Analysis · May 11, 2026 · Colten Anderson
Cisco is now telling you the patch doesn't clean the box
Cisco's April 23 PSIRT advisory says the ArcaneDoor implant survives upgrading to the September 2025 fixes for CVE-2025-20333 and CVE-2025-20362. Reimage, do not patch.
-
Analysis · May 5, 2026 · Colten Anderson
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.