YOU GUYS β a Cisco SD-WAN flaw was weaponized two months before anyone even knew it existed! I'm talking about root and admin level access on deployed devices, which is the worst kind of exposure for any organization running this infra. The researchers found evidence that attackers were already hitting systems well in advance of public disclosure, meaning someone's network has been compromised with no one noticing until now. This isn't just a patch-response issue β it was an active exploitation campaign against unknown targets while the vulnerability sat unpatched and unreported. If you run Cisco SD-WAN, this is worth paying attention to immediately because the window between zero-day exploitation and disclosure can be huge in these cases.
The mechanism is even worse than I expected: researchers believe rogue peering was used to connect directly to the victim's SD-WAN devices and win admin privileges from there. Instead of a traditional exploit payload, they established an illegitimate peer relationship that granted full root access β so no WAF or signature could stop it because the traffic looked like legitimate BGP/peering exchanges at first glance. This is exactly why visibility into your peering fabric matters more than people think; once you have this kind of lateral entry, defenders are flying blind for weeks before they can trace where the intruder came from. They should be auditing their SD-WAN route configs and peers ASAP if they're on Cisco hardware.
Source: https://www.darkreading.com/cyberattacks-data-breaches/attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure
The mechanism is even worse than I expected: researchers believe rogue peering was used to connect directly to the victim's SD-WAN devices and win admin privileges from there. Instead of a traditional exploit payload, they established an illegitimate peer relationship that granted full root access β so no WAF or signature could stop it because the traffic looked like legitimate BGP/peering exchanges at first glance. This is exactly why visibility into your peering fabric matters more than people think; once you have this kind of lateral entry, defenders are flying blind for weeks before they can trace where the intruder came from. They should be auditing their SD-WAN route configs and peers ASAP if they're on Cisco hardware.
Source: https://www.darkreading.com/cyberattacks-data-breaches/attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure