Cisco SD-WAN seventh zero-day this year, no patch yet  ·  PAN-OS exploitation started May 17, three weeks before vendor confirmation  ·  HP Poly VoIP phones have unauthenticated root RCE  ·  CYBERSIP.NET  ·  ISSUE 56
CYBERSIPTM
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 56June 7, 2026cybersip.net
Issue No. 56  ·  June 7, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
Cisco disclosed CVE-2026-20245 on June 5, a seventh Catalyst SD-WAN Manager vulnerability exploited in 2026. No patch exists yet. An authenticated local attacker can use the CLI to execute arbitrary commands as root by passing crafted files through a component that fails to validate user-supplied input. Rapid7 published a detailed exploitation timeline for PAN-OS CVE-2026-0257, confirming that attackers began exploiting the GlobalProtect authentication bypass on May 17, eleven days before Palo Alto disclosed it and twelve days before CISA added it to KEV. Rapid7 also published details this week of CVE-2026-0826, a critical unauthenticated stack overflow in HP Poly conference phones and VoIP devices that allows full root remote code execution with patches now available.
Threat snapshot
3 active items · 2 monitoring
1 Exploited / no patch 1 Exploitation timeline update 1 VoIP critical RCE / patched 3 items this issue
June 5Cisco SD-WANExploitedNo Patch
Seventh Cisco SD-WAN zero-day exploited in 2026, and no patch exists. CVE-2026-20245 allows authenticated CLI access to execute arbitrary commands as root via crafted files.
Cisco acknowledged active exploitation and has published indicators of compromise but no fixed software version. CISA added CVE-2026-20245 to KEV on June 5 with a three-day deadline. The KEV catalog now lists 15 Cisco SD-WAN vulnerabilities, seven of which were exploited this year alone.
June 6PAN-OS
Rapid7 confirms PAN-OS CVE-2026-0257 exploitation began May 17. Two attack waves from separate hosting providers. Vendor confirmation came eleven days later.
First wave from Vultr on May 17, injecting VPN sessions via authentication cookie bypass. Second wave from Dromatics Systems on May 21. Both waves predate the May 29 public advisory update that first acknowledged exploitation. The pre-confirmation window was three weeks.
June 6HP PolyUnauthenticated RCE
HP Poly VoIP and conference phones CVE-2026-0826: unauthenticated stack overflow leads to root RCE. Affects widely deployed enterprise conference room equipment. Patches available.
Rapid7 disclosed CVE-2026-0826 this week. The flaw is a critical unauthenticated overflow in multiple HP Poly device models. No authentication required, no user interaction. Patches are available for affected models. Exploitation not yet confirmed in the wild.
Detailed intelligence
Full analysis
01 Cisco SD-WAN Exploited No Patch
Seventh Cisco SD-WAN zero-day exploited in 2026. CVE-2026-20245 allows root command execution via the CLI. No fixed software version exists yet.
CVE-2026-20245 · CVSS 7.8
Cisco disclosed the vulnerability on June 5 and confirmed active exploitation. CISA added CVE-2026-20245 to KEV the same day. An authenticated local attacker can execute arbitrary commands as root by passing crafted files to a CLI component that fails to validate user-supplied input properly.
Executive Impact
No patch exists. The compensating control is restricting CLI access to the Cisco Catalyst SD-WAN Manager to trusted administrators only, and monitoring for unexpected command execution or file activity on affected systems. Apply Cisco’s published indicators of compromise to SIEM detection rules today. Patch immediately when Cisco releases a fixed version.
Don’t Miss
The CISA KEV catalog now lists fifteen Cisco SD-WAN vulnerabilities, and seven of them were exploited in 2026 alone. That is not a series of isolated bugs. It is a systematic research effort against a single product line that manages network routing and segmentation for large enterprise environments. SD-WAN Manager occupies a similar position in the network hierarchy to the management platforms this brief has tracked throughout May: one compromise gives an attacker visibility into and control over the entire network fabric it manages. The appropriate response is not just patching individual CVEs as they surface. It is treating SD-WAN Manager as a high-value target that requires the same hardening, segmentation, and monitoring discipline as any internet-facing management platform.
CyberSip Take
Seven exploited SD-WAN vulnerabilities in one calendar year from a single vendor. That count now exceeds the total from the previous three years combined. Restrict CLI access to SD-WAN Manager, apply Cisco’s IOCs, and watch Cisco’s security advisory page for the patch. When it ships, treat it as a same-day priority regardless of your standard patch cycle cadence.
What happened

Cisco disclosed CVE-2026-20245 on June 5, a high-severity vulnerability in the CLI of Cisco Catalyst SD-WAN Manager. The flaw results from insufficient validation of user-supplied input, which allows an authenticated local attacker to pass specially crafted files to the affected CLI component and execute arbitrary operating system commands as root. Cisco confirmed active exploitation in the wild and has published indicators of compromise to help organisations detect potential attacks.

No fixed software version is available at time of writing. CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog on June 5, instructing federal agencies to address it within three days. Rapid7 discovered the vulnerability during analysis of CVE-2026-20127, a related flaw in the same SD-WAN component, and disclosed technical details this week.

CVE-2026-20245 is the seventh Cisco SD-WAN vulnerability confirmed exploited in 2026. The others are CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, CVE-2026-20127, CVE-2026-20182, and CVE-2022-20775, which was first exploited this year despite being patched in 2022. The CISA KEV catalog now lists fifteen Cisco SD-WAN entries in total.

Recommended actions
Derived from SecurityWeek reporting on CVE-2026-20245 and CISA KEV catalog addition, June 5–6, 2026.
02 PAN-OS Exploitation Timeline
PAN-OS CVE-2026-0257 exploitation began May 17, three weeks before Palo Alto’s public acknowledgement. Rapid7 documented two distinct attack waves from separate hosting providers.
CVE-2026-0257 · PAN-OS
Rapid7 published a detailed post-incident timeline on June 6. Attackers began exploiting the GlobalProtect authentication bypass on May 17, moving through compromised customer environments before Palo Alto updated its advisory to acknowledge exploitation on May 29.
Executive Impact
Any organisation running GlobalProtect with authentication override cookies enabled should review VPN connection logs from May 17 onward, not from May 29 when exploitation was publicly confirmed. The pre-confirmation exploitation window was twelve days. Unexpected VPN sessions established via cookie authentication during that window are exploitation indicators.
Don’t Miss
Rapid7 observed the first exploitation wave on May 17, the day Palo Alto originally disclosed CVE-2026-0257 as a medium-severity flaw rated “less likely” to be exploited. Attackers were already in customer environments before the advisory was published. The twelve-day gap between first exploitation and vendor acknowledgement, and the eleven-day gap between the original disclosure and confirmed exploitation, are both consistent with the Netlogon CVE-2026-41089 pattern from Issue 51, where exploitation was also underway before the vendor confirmed it. Vendors’ initial exploitation assessments are not reliable indicators of whether a vulnerability is being actively exploited.
CyberSip Take
The practical lesson is that “exploitation less likely” or the absence of a confirmed exploitation acknowledgement is not the same as no exploitation. For high-severity vulnerabilities in widely deployed edge infrastructure, the working assumption should be that exploitation begins at or near the disclosure date, not when a vendor confirms it. Log review and compensating controls should start on disclosure day, not confirmation day.
What happened

Rapid7 published a detailed exploitation timeline for CVE-2026-0257 on June 6. The flaw is an authentication bypass in the PAN-OS GlobalProtect portal and gateway that allows an attacker to establish an unauthorised VPN session when authentication override cookies are enabled with a specific certificate configuration. Palo Alto originally disclosed it on May 13, rating it medium severity and assessing exploitation as less likely.

Rapid7’s incident response telemetry shows the first exploitation wave beginning on May 17, four days after the original disclosure. In this wave, attackers used the cookie authentication bypass to access the local admin account across multiple customer environments, all originating from the hosting provider Vultr. On May 21, a second wave began from a different provider, Dromatics Systems. In this second wave, Rapid7 observed VPN IP assignment following the cookie authentication, confirming that attackers were accessing internal networks through the compromised GlobalProtect gateway.

Palo Alto updated its advisory on May 29 to acknowledge limited exploitation, twelve days after Rapid7’s data shows the first attacks. CISA added CVE-2026-0257 to KEV the same day. This brief first covered the vulnerability in Issue 49 on June 1, when Palo Alto confirmed exploitation. Rapid7’s timeline now pushes the start of exploitation back to May 17.

Recommended actions
Derived from SecurityWeek and Rapid7 post-incident analysis of CVE-2026-0257, published June 6, 2026.
03 HP Poly Unauthenticated RCE
HP Poly conference phones and VoIP devices CVE-2026-0826: unauthenticated stack overflow leads to root remote code execution. Patches available for affected models.
CVE-2026-0826 · HP Poly
Rapid7 disclosed CVE-2026-0826 this week. The flaw is a critical unauthenticated stack overflow affecting multiple HP Poly conference phone and VoIP device models. No authentication or user interaction is required. Exploitation has not yet been confirmed in the wild.
Executive Impact
HP Poly conference phones and VoIP devices are standard enterprise conference room equipment and are frequently overlooked in patch management programmes because they are not considered traditional IT assets. Any such device on the network is reachable via the overflow. Apply the available patches or isolate affected devices on a dedicated VLAN that restricts inbound access while patching is arranged.
Don’t Miss
VoIP and conferencing infrastructure is a broadly deployed category of networked device that sits in meeting rooms, reception areas, and shared workspaces across most enterprise environments, and is rarely included in the same vulnerability management programme as servers and workstations. A root RCE on a conference phone gives the attacker a foothold on the corporate network from a device that typically has no EDR installed, is unlikely to have its traffic monitored, and connects to both the corporate voice network and, in many deployments, the data network. The combination of low monitoring visibility and network adjacency makes VoIP infrastructure a higher-value target than its apparent simplicity suggests.
CyberSip Take
Patch the affected Poly devices using Rapid7’s guidance. If patching cannot happen immediately, isolate the devices on a voice VLAN with restricted data-network routing. Then consider whether your vulnerability management programme formally includes network-attached VoIP and conferencing equipment. If it does not, CVE-2026-0826 is a reasonable prompt to add it.
What happened

Rapid7 published details of CVE-2026-0826 this week, a critical unauthenticated stack overflow vulnerability affecting multiple models of HP Poly conference phones and VoIP devices. The flaw allows a remote unauthenticated attacker to send a specially crafted request to an affected device, overflow a stack buffer, and gain root-level code execution. No user interaction is required. Patches are available for the affected device models, and Rapid7’s disclosure includes the specific models and firmware versions affected.

HP Poly devices are widely deployed as conference room phones, desktop VoIP handsets, and video conferencing endpoints in enterprise environments. Rapid7’s advisory notes that exploitation has not been confirmed in the wild at time of disclosure, but given the severity and the unauthenticated nature of the flaw, organisations should treat patching as urgent rather than routine.

Recommended actions
Derived from Security Affairs and Rapid7 disclosure of CVE-2026-0826, June 5–6, 2026.
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
CISA KEV supply chain triple (Issue 46). DAEMON Tools, TanStack, Nx Console. June 10 deadline — 3 days away. Update software, run SCA for TanStack transitive dependencies, rotate developer credentials. Day 7
Miasma worm (Issue 55). 73 Microsoft GitHub repos disabled. Rotate all developer credentials if your team ran npm install against affected packages this week. Audit Claude Code and VS Code configs for unexpected persistence entries. Day 2
Cross-source standouts
01
Vendor exploitation acknowledgements are lagging actual exploitation by weeks
CVE-2026-0257 was exploited from May 17. Palo Alto confirmed it May 29. Twelve days. CVE-2026-41089 in Netlogon was exploited before Belgium’s CCB issued its urgent alert on June 1. Microsoft had rated it “less likely” to be exploited. Both cases show the same pattern: vendors’ initial exploitation assessments underestimate attacker speed for widely deployed edge and network infrastructure. Defenders who wait for vendor confirmation before responding are responding to the second or third wave, not the first. For high-severity vulnerabilities in network edge products, begin compensating controls on the day of original disclosure.
02
Seven Cisco SD-WAN zero-days in one year is a research programme, not a run of bad luck
CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, CVE-2026-20127, CVE-2026-20182, CVE-2022-20775, and now CVE-2026-20245. Seven exploited vulnerabilities across one product line in six months. The CISA KEV catalog has fifteen Cisco SD-WAN entries in total. Cisco SD-WAN Manager controls network routing, segmentation, and policy for large enterprise environments, which is exactly the kind of platform that systematic security research focuses on. Each vulnerability in this list is a separate flaw in a product that receives sustained, serious research attention. The patch cycle for SD-WAN infrastructure needs to reflect that reality.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.