A Cisco SD-WAN zero-day with no patch, a supply-chain worm stealing CI/CD credentials from 36 npm packages, and a Five Eyes advisory naming Chinese intelligence recruitment operations targeting government staff. Three stories that touch three different parts of the attack surface — network infrastructure, software supply chain, and the human element. All three require action today.

In the News

Cisco SD-WAN Zero-Day CVE-2026-20245 — Root Access, No Patch

CVE-2026-20245 is an actively exploited vulnerability in Cisco Catalyst SD-WAN Manager that allows an authenticated attacker to escalate to root-level command execution. The CVSS score is 8.8. Cisco has confirmed exploitation in the wild but has not yet released a patch — only workaround guidance.

This is the seventh Cisco SD-WAN zero-day disclosed in 2026. The pattern is no longer an anomaly; it is a sustained targeting campaign against SD-WAN management infrastructure. Attackers who gain authenticated access to the SD-WAN Manager — through stolen credentials, session hijacking, or an adjacent vulnerability — can leverage CVE-2026-20245 to execute arbitrary commands as root on the underlying operating system. That means full control of the management plane, and from there, the ability to manipulate routing, tunnel configurations, and potentially pivot to managed edge devices.

The absence of a patch makes this a pure detection-and-containment problem. Cisco’s published workarounds focus on restricting management-plane access to trusted networks and disabling certain service interfaces. Organizations running Catalyst SD-WAN should treat management-plane segmentation as the primary compensating control. If the SD-WAN Manager web interface is reachable from untrusted networks, that exposure should be eliminated immediately — before worrying about detection signatures that may or may not exist yet.

Management-plane hardening for SD-WAN follows the same principle as any control plane: if an attacker can reach it, they will try to own it. This zero-day reinforces that SD-WAN management infrastructure needs the same level of access control discipline as a domain controller.

What defenders should do: Apply Cisco workarounds now. Restrict SD-WAN Manager access to dedicated management VLANs. Monitor for anomalous root-level process execution on SD-WAN Manager nodes. Treat any authenticated session from an unexpected source as a high-fidelity indicator.

IronWorm Supply-Chain Attack Hits 36 npm Packages

A Rust-written infostealer called IronWorm has been identified in 36 npm packages targeting CI/CD pipelines. The malware harvests environment variables, SSH keys, and cloud provider tokens from build systems. It then uses the compromised packages as a vector to propagate further through dependency chains — a worm-like behavior that distinguishes it from the typical “malicious package sits and waits” model.

The campaign shares tactical similarities with last week’s Miasma attack against the npm ecosystem but uses a different payload written in Rust — a choice that complicates static analysis and signature-based detection. The targeting is precise: IronWorm activates only in CI/CD contexts by checking for common CI environment variables (CI, GITHUB_ACTIONS, GITLAB_CI, JENKINS_URL) before executing its credential-theft routines. Build servers that pull these packages in automated pipelines are the primary victims.

This is the operational reality of supply-chain risk: the attack surface is not the application code a team writes — it is every transitive dependency their build system resolves. Organizations building on Node.js should audit their package-lock.json files against the published list of compromised packages, rotate any secrets that were present as environment variables on affected build servers, and implement software composition analysis tooling that flags newly published or recently modified packages with low download counts.

What defenders should do: Audit npm dependencies against the published IronWorm package list. Rotate CI/CD secrets — SSH keys, cloud tokens, API keys — on any build server that pulled compromised packages. Implement lockfile pinning and SCA scanning in the CI pipeline.
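One way to run the lockfile audit described above, as an added Python example that is not from the brief or from any published IronWorm tooling: it walks both lockfile formats (v1 nested "dependencies" and v2/v3 flat "packages") and reports each resolved package@version that appears on a compromised list, with its dependency path. The package names and versions in COMPROMISED and the sample lockfile are constructed placeholders, not the real published list.

```python
import json

# Placeholder entries standing in for the published IronWorm package list; the real
# package names are not reproduced here, these are constructed for the example.
COMPROMISED = {
    "example-ci-helper": {"1.4.2", "1.4.3"},
    "build-token-utils": {"0.9.1"},
}

def _v1_entries(deps, path=()):
    """Walk the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, meta in (deps or {}).items():
        chain = path + (name,)
        yield name, meta.get("version"), chain
        yield from _v1_entries(meta.get("dependencies"), chain)

def _v2_entries(packages):
    """Walk the flat 'packages' map of a lockfileVersion 2/3 file (keys are install paths)."""
    for key, meta in packages.items():
        if not key:  # "" is the root project itself, not a dependency
            continue
        chain = tuple(p.strip("/") for p in key.split("node_modules/") if p.strip("/"))
        name = meta.get("name") or chain[-1]  # handles scoped names such as @scope/pkg
        yield name, meta.get("version"), chain

def audit_lockfile(lock, compromised=COMPROMISED):
    """Return every resolved package@version on the compromised list, with its dependency path."""
    if lock.get("lockfileVersion", 1) >= 2:
        entries = _v2_entries(lock.get("packages", {}))
    else:
        entries = _v1_entries(lock.get("dependencies"))
    return [{"name": n, "version": v, "path": " > ".join(c)}
            for n, v, c in entries if v in compromised.get(n, ())]

# Constructed lockfileVersion 3 sample: one transitive dependency is on the list.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"web-framework": "^2.0.0"}},
    "node_modules/web-framework": {"version": "2.1.0"},
    "node_modules/web-framework/node_modules/example-ci-helper": {"version": "1.4.2"},
    "node_modules/build-token-utils": {"version": "0.9.0"}
  }
}""")

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"COMPROMISED {f['name']}@{f['version']} via {f['path']}")
```

Replace COMPROMISED with the published list and load the real package-lock.json with json.load; a hit on a transitive path means the direct dependency that pulled it in needs rotation-scope review too.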

Five Eyes Advisory: Chinese Spies Use Fake Job Offers to Target Government Staff

All Five Eyes intelligence agencies — the US, UK, Canada, Australia, and New Zealand — have issued a joint advisory warning that Chinese intelligence officers are operating fabricated recruiter profiles on LinkedIn and other professional networking platforms. The campaign targets current and former government and military personnel with access to classified or privileged information.

The social engineering methodology is not technically sophisticated, but it is operationally effective. Fake recruiters build relationships over weeks or months, offer consulting or advisory roles, and gradually steer conversations toward sensitive topics. The advisory notes that targets are often not aware they are being targeted for intelligence collection — the requests are framed as market research, competitive analysis, or thought leadership opportunities. This is a human intelligence (HUMINT) operation scaled through digital platforms.

For organizations in the public sector and defense industrial base, this advisory should trigger a review of security awareness training. Most phishing training focuses on email — but this campaign operates entirely through professional networking platforms where users expect unsolicited outreach. The advisory provides specific indicators of fraudulent recruiter profiles that security teams can incorporate into awareness materials.

What defenders should do: Brief cleared personnel on the Five Eyes advisory. Update security awareness training to cover professional networking platform social engineering, not just email phishing. Implement phishing-resistant MFA on all systems accessible by targeted personnel.

Defender Action Items

  • CVE-2026-20245 (Cisco SD-WAN): Apply Cisco workarounds immediately. Restrict management-plane access to trusted networks. Monitor for root-level command execution on SD-WAN Manager nodes. No patch available — do not wait.
  • IronWorm (npm): Audit package-lock.json against published compromised package list. Rotate all CI/CD secrets on affected build servers. Implement SCA scanning and lockfile integrity checks.
  • Five Eyes advisory: Brief government and defense personnel. Update awareness training for LinkedIn-based social engineering. Enforce phishing-resistant MFA (FIDO2) on sensitive systems.
  • CVE-2026-3300 (Everest Forms Pro): Update to v1.9.13 immediately or disable the plugin. Scan for indicators of compromise on WordPress servers running earlier versions.
  • CVE-2026-20230 (Cisco Unified CM): Patch to the latest release. PoC code is public — exploitation is expected. Audit for unauthorized file writes on Unified CM servers.

Detection Spotlight

For organizations monitoring Cisco SD-WAN Manager nodes, the following Splunk SPL query detects anomalous root-level process execution that may indicate exploitation of CVE-2026-20245. This query assumes syslog ingestion from the SD-WAN Manager host.

index=network_infrastructure sourcetype=syslog host="sdwan-manager*"
| search process_user="root" NOT process_name IN ("vmanage", "confd", "ncs_cli", "neo4j", "elasticsearch")
| where NOT match(process_command_line, "^/opt/viptela/scripts/")
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen values(process_name) AS processes values(process_command_line) AS commands by host
| where count > 0
| sort - count

This query filters out expected root processes on the SD-WAN Manager (vManage services, ConfD, NCS CLI, Neo4j, Elasticsearch) and flags any unexpected root-level execution. False positive rate depends on the environment — baseline expected root processes before deploying. Any hit warrants immediate investigation given the confirmed in-the-wild exploitation of CVE-2026-20245.
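The same detection logic as an added Python example (not part of the brief's SPL), run over constructed syslog lines so the allowlist, script-prefix exclusion and per-host aggregation can be checked before the query is deployed. The line layout, the procmon tag and the user=/proc=/cmd= fields are assumptions; the real template that emits process_user, process_name and process_command_line will differ.

```python
import re

# Expected root-owned services on SD-WAN Manager, mirroring the SPL allowlist above.
EXPECTED_ROOT = {"vmanage", "confd", "ncs_cli", "neo4j", "elasticsearch"}
SCRIPT_PREFIX = "/opt/viptela/scripts/"
HOST_PREFIX = "sdwan-manager"

# Constructed syslog layout for this example; adapt the regex to the real template.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) \S+: user=(?P<user>\S+) proc=(?P<proc>\S+) cmd="(?P<cmd>[^"]*)"$')

# Constructed sample events (ISO-8601 timestamps so string comparison orders them).
SAMPLE_LOGS = """\
2026-03-10T14:02:11Z sdwan-manager-01 procmon: user=root proc=vmanage cmd="/usr/bin/vmanage --daemon"
2026-03-10T14:02:15Z sdwan-manager-01 procmon: user=root proc=bash cmd="/bin/bash -c id"
2026-03-10T14:02:19Z sdwan-manager-01 procmon: user=root proc=python3 cmd="/opt/viptela/scripts/backup.py"
2026-03-10T14:03:02Z sdwan-manager-01 procmon: user=root proc=sh cmd="/bin/sh -c whoami"
2026-03-10T14:03:40Z sdwan-manager-02 procmon: user=vmanage proc=bash cmd="/bin/bash -c ls"
2026-03-10T14:04:01Z sdwan-manager-02 procmon: user=root proc=sh cmd="/bin/sh -c ps aux"
2026-03-10T14:04:30Z core-router-01 procmon: user=root proc=bash cmd="/bin/bash -c uptime"
"""

def parse(line):
    """Return the event fields for one line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(ev):
    """Root execution on a Manager host that is neither an expected service nor a vendor script."""
    return (ev["host"].startswith(HOST_PREFIX)
            and ev["user"] == "root"
            and ev["proc"] not in EXPECTED_ROOT
            and not ev["cmd"].startswith(SCRIPT_PREFIX))

def detect(log_text):
    """Aggregate suspicious events per host, sorted by count, like the SPL stats/sort stages."""
    by_host = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or not is_suspicious(ev):
            continue
        h = by_host.setdefault(ev["host"], {"count": 0, "first_seen": ev["ts"], "last_seen": ev["ts"],
                                            "processes": set(), "commands": set()})
        h["count"] += 1
        h["first_seen"] = min(h["first_seen"], ev["ts"])
        h["last_seen"] = max(h["last_seen"], ev["ts"])
        h["processes"].add(ev["proc"])
        h["commands"].add(ev["cmd"])
    return sorted(by_host.items(), key=lambda kv: -kv[1]["count"])
```

On the sample, sdwan-manager-01 surfaces with two hits (bash and sh) while the vendor backup script, the non-root shell and the non-Manager host are ignored; feed a day of real logs through detect() to see what the allowlist still misses before trusting the SPL alert.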
