Cisco Patches Critical Zero-Day Hack Actively Exploited In Wild Attacks

By 813 Staff

Cisco Patches Critical Zero-Day Hack Actively Exploited In Wild Attacks

Engineers and executives are reacting to Cisco Patches Critical Zero-Day Hack Actively Exploited In Wild Attacks, according to BleepingComputer (@BleepinComputer) (in the last 24 hours).

Source: https://x.com/BleepinComputer/status/2066569681478074427

Six months ago, a network engineer in Dallas named Aisha Patel started seeing something strange in her Cisco SD-WAN vManage console. Devices she hadn’t touched were sending configuration requests. Alarms she hadn’t set were triggering at 3 a.m. Then one morning, the logs showed a user account with zero permissions had quietly escalated to full admin. Patel’s team is still scrubbing their network for backdoors. She is not alone.

Internal documents show that Cisco has finally released a security patch for a critical vulnerability in its SD-WAN vManage platform, a flaw that attackers had already weaponized in real-world zero-day attacks. According to a report from cybersecurity outlet @BleepinComputer, the vulnerability allows unauthenticated remote code execution on affected systems, and evidence suggests threat actors were exploiting it before Cisco issued a fix. Engineers close to the project say the company’s security response team was aware of active exploitation for at least two weeks prior to the patch release, but the rollout has been anything but smooth.

The flaw resides in the vManage web-based management interface, the central control plane for Cisco’s SD-WAN fabric. Attackers who successfully exploit it can gain full administrative control over the network management system, effectively owning the backbone of an organization’s wide-area network. The affected software versions span multiple releases, including several widely deployed builds from 2024 and early 2025. Cisco has assigned the vulnerability a severity score of 9.8 out of 10.

Why this matters: SD-WAN vManage is used by thousands of enterprises, service providers, and government agencies to manage remote and branch office connectivity. A compromise at this layer means an attacker can redirect traffic, install persistent backdoors, or eavesdrop on encrypted communications without ever touching individual routers. For companies that rely on Cisco’s SD-WAN for core networking, the window between exploitation and patch is the difference between containment and a full-scale incident response.

What happens next depends on how fast organizations act. Cisco has published updated software builds and recommended immediate upgrades. But patching a management plane that runs the network is never simple—it requires planned maintenance windows, testing against production configurations, and often physical access to appliances in remote sites. For now, defenders are racing to apply the fix while researchers monitor for signs that the exploit code has been published publicly. If history is any guide, this vulnerability will be reverse-engineered within days.

Source: https://x.com/BleepinComputer/status/2066569681478074427

Related Stories

More Technology →