Affected Systems or Products

*FortiClient EMS 7.4.7 will also include a hotfix for this issue, but it has not been released at the time of this writing.

Mitigations / Workarounds

As active exploitation has been confirmed in the wild and hotfixes have been released, organizations should patch as soon as possible. If patching is not an immediate option, risk can be temporarily reduced by:

• Restricting access to FortiClient EMS management interfaces to internal, trusted networks only.

• If remote access is required to manage endpoint security, secure access to FortiClient EMS behind a Virtual Private Network.

Patches

Fortinet has confirmed that hotfixes have been released for versions 7.4.5 and 7.4.6 to prevent exploitation of this vulnerability. FortiClient EMS 7.4.7 will also include a fix. Hotfixes can be found by accessing the PSIRT advisory.

Indicators of Compromise (IoCs)

At the time of this writing, Fortinet PSIRT confirmed active exploitation in the wild but have not publicly released indicators of compromise or technical details about the vulnerability.

The attack does not require authentication or user interaction, meaning exploitation can be carried out remotely by an attacker that has network access to an exposed FortiClient EMS instance.

Although no indicators of compromised have been released, defenders can monitor for:

• Unexpected configuration changes to FortiClient EMS devices or modifications to downstream endpoint security policies.

• Unauthorized user accounts or privilege escalation on FortiClient EMS devices.

• Unexpected process execution or processes spawned by EMS services.

Technical Details

Fortinet PSIRT teams have not released technical details regarding this vulnerability at the time of writing. CVE-2026-35616 is classified with NIST as an insufficient access control vulnerability meaning a remote attacker can exploit the vulnerability without any authentication checks.

FortiClient EMS functions as an endpoint management platform handling endpoint security policy such as antivirus configuration, web filtering, and other endpoint security features. Compromise of an EMS server could grant an attacker administrative positioning within the management plane of an environment. An attacker with control over EMS could issue malicious commands to compromise downstream managed endpoints and further compromise sensitive data and assets.

Given active exploitation in the wild and downstream impacts of compromise, Beazley Security recommends affected organizations apply hotfixes immediately.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• https://nvd.nist.gov/vuln/detail/CVE-2026-35616

• https://fortiguard.fortinet.com/psirt/FG-IR-26-099

• https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484

• https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484

Affected Systems or Products

*All 6.x versions are unaffected. Customers on vulnerable versions of 5.x can also upgrade to 6.x releases for remediation

Mitigations / Workarounds

Given the recent exploit disclosure by WatchTowr, it is strongly recommended that affected organizations upgrade to fixed versions of the ShareFile Storage software. Progress ShareFile has released patches to remediate these vulnerabilities. Please see the “Patches” section for more information.

If patching cannot be immediately applied, these mitigations may help temporarily reduce risk of compromise:

• Restrict network access to the Storage Zones Controller to trusted and expected B2B traffic only.

• Implement a Web Application Firewall (WAF) to detect and block malicious requests to the /ConfigService/Admin.aspx endpoint.

• Ensure modern EDR is running and up to date on the affected hosting server.

Patches

Patches have been made available by Progress ShareFile via their documentation website. Affected customers on versions of the 5.x branch should upgrade to 5.12.4 or migrate to supported 6.x releases. Technical support is available to customers under active warranty and maintenance.

Indicators of Compromise (IoCs)

At the time of this writing, Progress Software confirmed they’ve not had reports of these vulnerabilities exploited in the wild. However, watchTowr Labs publicly disclosed a full exploit chain and working proof of concept as of April 2, 2026.

Defenders can watch for the following behavioral indicators of attack:

• Monitor for suspicious access attempts to /ConfigService/Admin.aspx, especially requests that return HTTP 302 responses with very large response bodies.

• Review ShareFile Storage Zone configurations for unauthorized or unexpected changes to Storage Repositories, which could indicate post exploitation activity.

• Audit webroot directories such as c:\inetpub\wwwroot\ShareFile\StorageCenter\ for unexpected .aspx files, which may be an indicator of a webshell deployment.

Technical Details

According to research from watchTowr, the unauthenticated RCE exploit chain involves two vulnerabilities: CVE-2026-2699, an authentication bypass, and CVE-2026-2701, which enables RCE through an arbitrary file upload within the ShareFile Storage Zone Controller.

The full exploitation process is more involved, and watchTower provides a detailed technical write-up of how the vulnerabilities were identified and chained together. A simplified summary is provided below:

CVE-2026-2699 – Authentication Bypass

A flaw exists due to how the application handles unauthenticated requests in its admin page (/ConfigService/Admin.aspx). When a user who is not logged in accesses this page, the application attempts to redirect them away. In this case, the redirect is implemented in a way that the server still provides the rest of the admin page in its redirect response. An attacker can force the application to ignore the redirect behavior, allowing the full admin interface to load without authentication.

CVE-2026-2701 – Post Authentication Remote Code Execution

After bypassing authentication with CVE-2026-2699, an attacker can access admin interfaces and modify network storage locations, including pointing to local filesystem and web accessible directories on the controller. The /StorageCenter/Upload.aspx endpoint can then be used to upload and extract zipped archives. When these issues are combined, a malicious .aspx webshell can be uploaded and then extracted to an exposed repository location reachable over HTTP to execute commands resulting in RCE.

In summary, CVE-2026-2699 allows attackers to bypass authentication and access the ShareFile admin interface, while CVE-2026-2701 can then be used to upload and execute malicious files on the server resulting in RCE and compromise of the server.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Affected Systems or Products

Mitigations / Workarounds

Block the endpoint used for Command and Control for this attack: sfrclak[.]com on port 8000 at the time of the attack this was resolving to 142.11.206.73 If you believe that a machine has already been compromised, we do not advise cleaning in place and recommend re-imaging or rebuilding affected machines from known good images. Using pinned versions of libraries is recommended to prevent this kind of attack if new malicious versions are released for any library. To specifically pin axios to a known unaffected version perform the following depending on your existing version:

• npm install axios@1.14.0

• npm install axios@0.30.3

NPM offers a configuration npm config set min-release-age 3 that will enforce a two to 3 day waiting period on new package releases before installing them on your machine. This is advised for all developers using external packages. For machines running without human interaction, such as CI/CD pipelines we advise not only version pinning of packages but disabling scripts on installs with the --ignore-scripts argument wherever possible.

Patches

While not strictly a patch, ensuring that any installed affected npm packages are removed and purged from your machines is strongly recommended. This involves removing the affected packages and installing pinned versions of the unaffected axios package:

• rm -rf node_modules/plain-crypto-js

• npm install --ignore-scripts

• npm cache clean –force

Indicators of Compromise (IoCs)

• Network Activity

  • sfrclak[.]com:8000

  • callnrwise[.]com

  • 142.11.206[.]73

• Windows Files

  • %PROGRAMDATA%\wt.exe

  • %PROGRAMDATA%\system.bat

  • %TEMP%\6202033.vbs

  • %TEMP%\6202033.ps1

  • %TEMP%\<GUID>.ps1

• Windows Registry Entries

  • Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • Name: MicrosoftUpdate

  • Value: %PROGRAMDATA%\system.bat

• macOS Files

  • /Library/Caches/com.apple.act.mond

  • /tmp/.XXXXXX.scpt

  • /private/tmp/.*

• Linux Files

  • /tmp/ld.py

File Hashes

Our Organizational Response

Beazley Security is conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• https://github.com/axios/axios/issues/10604

• https://www.invictus-ir.com/news/the-poisoned-pipeline-axios-supply-chain-attack

• https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package

Affected Systems or Products

CVE-2025-53521 affects BIG-IP devices where Access Policy Manager (APM) has been enabled. For more details on that system see the product documentation.

Mitigations / Workarounds

No mitigations or workarounds aside from the security patches were reported for CVE-2025-53521.

Patches

Patches have been available for some time now, review the table above for specific version numbers and the vendor advisory for guidance on applying upgrades.

Indicators of Compromise (IoCs)

F5 provided a detailed article documenting IOCs observed in an incident referenced by their CVE-2025-53521 advisory. We will summarize some of those here.

File Activity

• Presence of new files /run/bigtlog.pipe and/or /run/bigstart.ltm

• Changes to existing files /usr/bin/umount and/or /usr/sbin/httpd

Log Activity

• Log file: /var/log/restjavad-audit.<NUMBER>.log

[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}

• Log file: /var/log/auditd/audit.log.<NUMBER>

msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

• Log file: /var/log/audit

user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>

Command Output

• sys-eicheck: An integrity check application that was observed reporting failures for the files /usr/bin/umount and /usr/sbin/httpd mentioned above

• lsof -n: The common ‘list open files’ application was observed showing entries for the above mentioned /run/bigtlog.pipe file

Technical Details

No in-depth technical details of the vulnerability or proof-of-concept exploit code are known at time of writing.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• F5: K000156741: BIG-IP APM vulnerability CVE-2025-53521

• F5: K000160486: Indicators of Compromise for c05d5254

• CISA KEV: F5 BIG-IP Remote Code Execution Vulnerability

• BSL: A1140 - F5 Source Code, Engineering Documentation and undisclosed vulnerabilities stolen by Nation State Threat Actors

Affected Systems or Products

The advisory only affects customer-managed NetScaler ADC and Gateway products. Citrix-managed appliances had software updates applied prior to disclosure.

Additionally, a device needed to be configured as a SAML Identity Provider (IdP) to be vulnerable. Citrix provided the following configuration string to help identify impacted device configurations:

add authentication samlIdPProfile.*

Mitigations / Workarounds

Citrix provided no specific mitigation or workaround steps in their advisory outside of applying product upgrade patches. However, given the pre-condition of having SAML IdP configured in order for a device to be vulnerable, Beazley Security recommends turning this feature off as a precaution if you are unable to apply patches immediately.

Additional information regarding this component can be found in the NetScaler SAML IdP product documentation.

Patches

Patches were made available at the time of disclosure, more details can be found in the official Citrix advisory here.

Technical Details

03/30/2026 Update: Citrix included additional details identifying vulnerable systems as those configured as a SAML identity provider. This was likely Citrix attempting to communicate the affected population was smaller than every publicly accessible ADC instance, but it reveals the specific component required for an attackers. With this update, reports have shown that there is an increase in traffic to SAML endpoints on ADC hosts. Administrators should identify if the Add authentication samlIdPProfile .* configuration string is present on a host to know if they are actively being targeted, and should prioritize patching immediately.

The bug was discovered by internal Citrix teams, and no in-depth technical details were provided within their advisory at the time of this writing. However, a pre-authentication, network reachable vulnerability that results in a “memory overread” is a highly similar condition to previous high-impact information disclosure vulnerabilities in Citrix products infamously dubbed CitrixBleed and CitrixBleed 2.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• Citrix: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368

• Cyberreason: Threat Alert: CitrixBleed (CVE-2023-4966)

• Akamai: Mitigating CitrixBleed 2 (CVE‑2025‑5777) NetScaler Memory Disclosure with App & API Protector

Affected Systems or Products

Affected versions patched via Oracle out-of-band update (KB878741). Please see the “Patches” section for more information.

Mitigations / Workarounds

Given recent targeting and active exploitation events against Oracle components by Ransomware operators, patching is strongly encouraged. Oracle has released emergency patches to remediate this vulnerability, please see the “patches” section for more information.

• If patching cannot be immediately applied, the following mitigations may temporarily reduce the risk of exposure:

• If possible, restrict public network access to or consider temporary isolation of Oracle systems, especially those exposing OIM and WSM endpoints

• Implement Web Application Firewall (WAF) rules to detect and block malicious or unexpected payloads targeting Oracle middleware endpoints

• Monitor OIM and OWSM servers for unusual activity, including unexpected process executions and other outbound connections

Patches

Patches are available through Oracle’s Fusion Middleware Patch Availability Document (requires Oracle login) which provides step-by-step installation instructions tailored to supported versions.

For additional information, please see Oracle’s original security advisory.

Indicators of Compromise (IoCs)

Oracle has not confirmed active exploitation of CVE-2026-21992 or released any public indicators of compromise at the time of this advisory. Given the history of Oracle Identity Manager vulnerabilities being targeted, defenders can monitor for the following indicators of attack:

• Unusual HTTP/HTTPS POST requests to Oracle middleware endpoints

• Unexpected access attempts to oim or wsm resource paths

• Unexpected process execution on Oracle application servers

• Abnormal outbound network connections originating from affected servers

Technical Details

The vulnerability in Oracle Identity Manager and Oracle Web Services Manager products is being tracked as CVE-2026-21992 and classified by Oracle as “remotely exploitable without authentication”. If exploited, the flaw allows unauthenticated attackers with network access to compromise Oracle Identity Manager and Oracle Web Services Manager via HTTP, potentially resulting in full system compromise.

Oracle has released limited technical details about the flaw at the time of this advisory. Although exploit details have not been publicly disclosed, the affected components (OIM and OWSM) are commonly exposed through web accessible middleware endpoints. NIST has assessed the vulnerability as “easily” exploitable, indicating that the flaw may not require sophistication to compromise.

Beazley Security Labs cannot confirm the validity of a publicly referenced exploit posted on GitHub at the time of this writing, but a purported PoC was observed for sale at approximately $2.5k USD given current exchange rates. A seemingly related vulnerability (CVE-2025-61757) stemmed from insufficient authentication protections within Oracle Identity Manager in October 2025 and was quickly confirmed as exploited in the wild after disclosure.

Given the severity of this vulnerability, potential for exploitation, and historical targeting and weaponization of similar flaws discovered in Oracle, Beazley Security strongly recommends that organizations apply the available patches as soon as possible.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• https://support.oracle.com/support/?documentId=KB878741

• https://nvd.nist.gov/vuln/detail/CVE-2026-21992

• https://www.oracle.com/security-alerts/alert-cve-2026-21992.html

• https://labs.beazley.security/advisories/BSL-A1145

• https://github.com/TEXploited/CVE-2026-21992

Affected Systems or Products

Mitigations / Workarounds

Given the sensitive nature of SharePoint data and confirmed active exploitation of CVE-20216-20963, organizations should prioritize patching with the available January 2026 fixes provided by Microsoft. If patching is not immediately possible, risk may be reduced by:

• Restricting network access to affected SharePoint servers from the internet and other untrusted sources.

• Following best practice network segmentation to isolate vulnerable SharePoint servers from other sensitive internal resources, which limits potential for lateral movement if compromised.

• Deploying Web Application Firewalls (WAFs) to detect and block attacks targeting vulnerable systems.

Patches

Patches are available through the “Security Updates” section within Microsoft’s Security Response Center (MSRC) and can be located toward the bottom of this website.

Microsoft originally released fixes as part of its January 2026 “Patch Tuesday” release cycle.

Indicators of Compromise (IoCs)

Neither CISA nor Microsoft have publicly released details about indicators of compromise or attack. The identity or attribution of threat actors exploiting this vulnerability have also not been publicly disclosed at the time of this writing.

Prior critical SharePoint vulnerabilities such as “ToolShell” have been targeted by state-sponsored groups and ransomware operators, who deployed and weaponized web shells on affected systems.

Given the lack of public indicators, defenders can watch for the following behaviors common to deserialization attacks against SharePoint servers:

• Unexpected processes spawned by SharePoint worker processes, such as w3wp.exe launching system tools like cmd.exe, powershell.exe, or net.exe.

• Malicious webshell files commonly appended with .aspx, .ashx, or .asmx, indicating post-exploitation activity and persistence.

• Other unexpected or unauthorized files appearing on vulnerable SharePoint servers, specifically in SharePoint web directories.

Technical Details

CVE-2026-2093 is classified as a deserialization vulnerability affecting SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This flaw allows an unauthenticated remote attacker to send a specially crafted serialized payload to a vulnerable SharePoint endpoint, resulting in remote code execution on the hosting server.

If successfully exploited, executed code is expected to run under the security context of the SharePoint application process, granting the attacker ability to read and write files to the server, interact with connected resources, and deploy additional payloads in attempt to establish persistence.

Active exploitation has been confirmed in the wild, and SharePoint has a documented history of being targeted by nation-state actors and opportunistic ransomware operators.

Given that SharePoint commonly serves as a central repository for sensitive information, Beazley Security strongly recommends that affected organizations apply provided January 2026 fixes immediately.

Our Organizational Response

Beazley Security is monitoring client environments through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963

• https://www.cve.org/CVERecord?id=CVE-2026-20963

• https://labs.beazley.security/advisories/BSL-A1124

Affected Systems or Products

Mitigations / Workarounds

Currently no mitigations and workarounds exist for this vulnerability. Ubiquiti and Beazley Security advise updating any Network instances in your UniFi console. It’s advisable to not allow external network access to your UniFi Management console and instead leverage Ubiquiti’s Remote Site Management service.

Patches

Updating a Ubiquti UniFi Network Application is performed through the UniFi Portal within the Control Plane Settings.

1. Click the settings cog in on the left-most pane.

2. Access the “Control Plane” settings.

3. Within the loaded pane, ensure you select “Updates”

4. Click the “Update to X.X.X” button within the Network Application Row.

Beazley Security also advises users running the UniFi Management Systems to enable automatic updates on their machines if possible. This is accessible by clicking the Application row within the UI and selecting a Release Channel and update Cadence from within the UI.

Indicators of Compromise (IoCs)

Ubiquiti has not released any IoCs or indicators of attack related to this vulnerability at the time of disclosure.

Given that successful exploition of this vulnerability could give attackers the ability to make changes to the UniFi network, add accounts, or add other mechanisms to access to internal systems it is advised to review affected UniFi Console configurations for unexpected or anomalous activity.

UniFi Consoles enable backups and restoration of the Control Plane and should be leveraged if unexpected changes appear to be made.

Technical Details

At the time of this writing Ubiquiti have released limited technical details within their security advisory. The vulnerability is stated as a Path Traversal vulnerability within the UniFi Network Application, that if exploited could allow an unauthenticated attacker access to sensitive accounts.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b

• https://help.ui.com/hc/en-us/articles/20680072882967-UniFi-Remote-Management-via-Site-Manager

Affected Systems or Products

Mitigations / Workarounds

Affected organizations that are unable to immediately patch should ensure strict network access controls are in place. Any organization with a publicly exposed Ivanti EPM product should immediately rotate passwords and access for all EPM accounts, as well as audit authentication logs for any unexplained access.

Patches

Ivanti has released fixes for all supported versions of the Ivanti Endpoint Manager in their Ivanti License System portal which requires login.

Indicators of Compromise (IoCs)

While Ivanti stated it was unaware of customer exploitation prior to public disclosure, CISA confirmed active exploitation of CVE-2026-1603 in the wild as of March 9, 2026, when the vulnerability was added to its KEV catalog.

Ivanti has not published specific indicators of compromise tied to active exploitation of this vulnerability, however Beazley Security recommends organizations monitor for the following indicators:

• Unusual or unexpected access attempts against Ivanti EPM services

• Unexpected or anomalous administrative actions within the EPM console, such as unauthorized user creations

• Unexpected or suspicious outbound connections originating from the EPM server

We believe that outside of WAF logs that could identify this specific parameter being passed to an EPM instance, little can be discerned to identify compromises of publicly accessible Ivanti EPM systems running vulnerable software versions.

Technical Details

WatchTowr disclosed that CVE-2026-1906’s authentication bypass is an undocumented logintype parameter with a value of 64 provided as a POST request to the /RemoteControlAuth/api/Auth endpoint in Ivanti EPM bypasses regular authenticated attempts.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US

• https://www.cve.org/CVERecord?id=CVE-2026-1603

• https://x.com/watchtowrcyber/status/2022305033086235108

• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Affected Systems or Products

03/09/2026 Update: The table has been updated with asterisks identifying changes from the original publication based on additional CVE releases.

According to Cisco’s official advisory, organizations running versions earlier than 20.9, or versions 20.11, 20.13, 20.14, and 20.16 (which have reached End of Software Maintenance) should migrate to a supported fixed release immediately.

Mitigations / Workarounds

Cisco has released software updates addressing CVE-2026-20127 and applying the vendor provided patches to affected Cisco SD-WAN controller and manager systems is the recommended course of action to reduce risk.

Beyond patching, organizations should consider reviewing Cisco’s SD-WAN hardening guide including steps to:

• Inventory and audit expected peer networks within SD-WAN infrastructure.

• Reduce internet exposure by locking SD-WAN controller peering services down to known and authorized peer networks.

• Restrict access to SD-WAN controller and management planes to a dedicated administrative network.

Affected organizations that are unable to immediately patch should ensure strict network access controls are in place around SD-WAN controllers, related peering services, and check audit logs any signs of compromise.

Patches

03/09/2026 Update: Cisco has provided an upgrade path tool for upgrading Cisco Catalyst SD-WAN Instances. The initial links below to the software download center are accurate and provide updated patches.

At the time of writing, Cisco has released fixes for all supported versions of their Catalyst SD- Wan solution except for 20.9 which is estimated to be released February 27, 2026. Please see the Affected System and Products section above in this report for additional information.

Cisco’s original advisory provides this guidance document for obtaining software fixes and the vendor also hosts a software download center requiring login.

Alternatively, customers can contact Cisco’s Technical Assistance Center (TAC) to request additional software upgrade support.

Indicators of Compromise (IoCs)

A detailed Cisco SD-WAN threat hunting guide has been compiled by multiple agencies which includes post-exploitation activity and can be found here.

Cisco Talos has also provided validation checks that can be performed within SD-Wan logging:

• Peer type mismatches for your environment, especially vManage peering types if not expected as exampled in the log below:

Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5- NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer- system-ip:1.1.1.10 public-ip:<unexpected IP> public-port:12345 domain-id:1 site-id:1005

• Peering connections from unexpected or unrecognized IP addresses

• Peering connections established outside of expected windows your environment

• Logs showing indicators of CVE-20222-20775 exploitation - username path traversal strings (E.g. /../../ or /\n&../\n&../).

• Unexpected reboots, and upgraded versions reverting to previous software versions

• Evidence of log and history clearing

On March 1st, Cisco published additional remediation and collection guidance to help identify affected and potentially compromised devices.

Technical Details

03/09/2026 Update: The newly disclosed CVEs are listed below with their associated CVE scores and details:

• CVE-2026-20122 - (7.1): An API vulnerability in Cisco Catalyst SD-WAN Manager allows for authenticated remote attackers with read-only credentials to overwrite arbitrary files on the host system.

• CVE-2026-20126: - (7.8): An REST API authentication vulnerability in Cisco Catalyst SD-WAN Manager allows for unauthenticated local attackers to gain root privileges on the host system.

• CVE-2026-20128 - (5.5): The Cisco SD-WAN Manager's Data Collection Agent (DCA) has a vulnerability that allows an unauthenticated local attacker to access user privileges on SD-WAN Manager instances so long as the user has vmanage credentials on the system.

• CVE-2026-20129 - (9.8): An API authentication vulnerability in Cisco SD-WAN Manager allows an unauthenticated remote attacker to gain access to the netadmin role.

• CVE-2026-20133 - (7.5): The Cisco Catalyst SD-WAN Manager allows an unauthenticated remote attacker to read "sensitive information" on the host system due to insufficient file system access restrictions.

CVE-2026-20127 is reported as a critical vulnerability within the peering authentication flow of Cisco Catalyst SD-WAN components, affecting the control connection peering mechanism that establishes trust relationships between SD-WAN components.

The flaw allows an unauthenticated attacker to establish rogue peer connections originating from attacker-controlled infrastructure. If successfully exploited, the rogue peer is given an IP address within the SD-WANs network, allowing a threat actor access to the SD-WAN management and control plane. With adequate privileges to the SD-WAN controller, an attacker can further leverage NETCONF to manipulate and alter configurations within the SD- WAN network.

Cisco Talos has reported that CVE-2026-20127 was observed to be abused in combination with CVE-2022-20775, an older local privilege escalation vulnerability affecting Cisco SD-Wan software. The threat actor, tracked as UAT-8616 reportedly performed a software downgrade to a vulnerable version of software, exploited CVE-2022-20775 via the CLI to obtain root access, and then restored back to original versioning to persist root access.

In response to active exploitation, the U.S. Cyber Security and Infrastructure Security Agency (CISA) has issued emergency directive 26-03 requiring impacted agencies to apply Cisco provided updates by February 27th, 2026.

Beazley Security recommends that affected organizations check for signs of compromise, and upgrade to fixed versions of SD-WAN Controller or SD-WAN Manager software immediately.

This Cisco SD-WAN hardening guide can also be referenced for configuring SD-WAN fabric and implementations to best practices.

Our Organizational Response

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients. If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

• https://software.cisco.com/download/home

• https://nvd.nist.gov/vuln/detail/cve-2022-20775

• https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

• https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide

• https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

• https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems

• https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/225525-internal-remediate-catalyst-sd-wan.html

• https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst-sdwan-upgrade-matrix/index.html