Attackers had root-level access on Cisco SD-WAN edge routers for two months before anyone knew the vulnerability existed. That is not a theoretical risk window — it is confirmed, post-exploitation dwell time on network infrastructure that controls traffic flow for entire organizations. Today’s brief covers the SD-WAN zero-day, a CVSS 9.8 OT flaw with a patch deadline of tomorrow, the takedown of two major credential-stealing malware operations, and a new macOS malware that poisons AI analysis tools with prompt injection.
In the News
Cisco SD-WAN Zero-Day CVE-2026-20245 — Rogue Peering Enabled Root Access for Months
CVE-2026-20245 is the seventh Cisco Catalyst SD-WAN vulnerability exploited in the wild in 2026, and the exploitation timeline makes it one of the most consequential. Mandiant confirmed that threat actors leveraged the flaw to establish rogue vBond peering sessions, effectively inserting unauthorized orchestration nodes into the SD-WAN fabric. From that position, they created root-level accounts on edge routers — accounts that persisted through normal operations and would not be flagged by standard monitoring unless vManage audit logging was properly configured and reviewed.
The exploitation began at least two months before Cisco’s May 2026 disclosure. That means organizations running unpatched Catalyst SD-WAN during March and April should assume potential compromise and treat this as an incident response exercise, not just a patching exercise. The attack vector — rogue peering — is particularly concerning because it abuses the SD-WAN control plane itself rather than exploiting a traditional software bug in a management interface.
For defenders, the critical question is whether vManage audit logs were retained and centralized during the exploitation window. If those logs were overwritten or never forwarded to a SIEM, the forensic record is gone. This is a textbook case where centralized log management is the difference between a confirmed-clean assessment and an assumption. Organizations should audit for unauthorized vBond entries, unexpected root account creation events, and anomalous control-plane traffic patterns on SD-WAN edge devices.
What defenders should do: Patch immediately. Audit vManage logs for unauthorized peering sessions and root account creation between March and May 2026. Forward vManage syslog to a centralized SIEM if not already configured. Treat any finding as a full incident response trigger.
Lantronix EDS5000 CVE-2025-67038 — CVSS 9.8 OT Flaw, KEV Deadline Tomorrow
A critical code injection vulnerability in Lantronix EDS5000 serial-to-IP converters is now confirmed exploited in the wild. CVE-2025-67038 carries a CVSS score of 9.8 and was originally disclosed as part of the BRIDGE:BREAK OT security research in April 2026. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of June 26 — tomorrow.
Serial-to-IP converters are the connective tissue of legacy OT environments. They bridge older serial-protocol industrial equipment to Ethernet networks, and they are frequently deployed without the same patch management discipline applied to IT infrastructure. Many organizations do not even have a complete inventory of these devices. The Lantronix EDS5000 is widely used in water utilities, manufacturing, and energy environments — exactly the sectors where a compromise has operational safety implications.
The BRIDGE:BREAK research that produced this CVE identified multiple vulnerabilities across serial-to-Ethernet converters from several vendors. CVE-2025-67038 is the first from that batch to reach confirmed exploitation. Organizations with OT environments should treat this as a catalyst for inventorying all serial converter hardware, not just Lantronix devices.
What defenders should do: Inventory all serial-to-Ethernet converters in OT environments. Patch Lantronix EDS5000 devices immediately. If patching is not possible within the KEV deadline, isolate affected devices behind IT/OT segmentation boundaries and monitor for anomalous traffic to and from converter IP addresses.
Operation Endgame Dismantles Amadey and StealC — 27 Million Credentials Recovered
Microsoft’s Digital Crimes Unit (DCU) and Europol disrupted the infrastructure supporting the Amadey and StealC malware families as part of the ongoing Operation Endgame campaign. Over 300 command-and-control servers were seized or sinkholed, and 27 million stolen credentials were recovered.
Both Amadey and StealC function as ransomware feeders in the initial access broker (IAB) ecosystem. They harvest credentials, browser session tokens, and system reconnaissance data, which is then packaged and sold to ransomware operators. Threat intelligence links both families to downstream access sales that have fed Qilin, Black Basta, Akira, and Interlock ransomware operations. The Mistic backdoor, attributed to IAB KongTuke and reported this week, is part of the same ecosystem — a Rust-based implant that targets insurance, education, and professional services organizations.
The 27 million recovered credentials represent 27 million accounts that were already compromised. Organizations should check credential monitoring services for exposure and enforce phishing-resistant MFA across all externally accessible systems. Takedowns like this create temporary disruptions in IAB supply chains, but the operators adapt — new loader malware typically emerges within weeks to fill the gap.
What defenders should do: Check credential monitoring services for organizational exposure in the recovered dataset when it becomes available. Enforce phishing-resistant MFA (FIDO2) on all external-facing authentication. Ensure EDR is configured to detect credential-dumping tools and infostealer behavior patterns.
Gaslight macOS Malware Embeds Prompt Injection to Sabotage AI Analysis
A Rust-based macOS infostealer dubbed Gaslight introduces a new evasion technique: adversarial prompt injection targeting AI-assisted malware analysis tools. The malware embeds crafted text strings within its binary that, when processed by large language models used in automated triage or reverse engineering workflows, cause the models to classify the sample as benign.
This is the first documented case of malware specifically designed to exploit AI-driven SOC workflows. The implication is straightforward — any organization relying on LLM-based analysis as a primary classification layer without human validation or complementary detection engines now has a demonstrated bypass in the wild. Traditional behavioral analysis, signature-based detection, and sandbox detonation are unaffected by prompt injection, which is why multi-engine detection architectures remain the operational standard.
What defenders should do: Treat AI-assisted malware classification as one signal among several, not as a definitive verdict. Ensure endpoint protection includes behavioral analysis and signature-based detection independent of any LLM component. Audit macOS endpoint coverage — Rust-based macOS malware is an increasing trend.
Defender Action Items
- Cisco SD-WAN (CVE-2026-20245): Patch Catalyst SD-WAN immediately. Audit vManage logs for rogue vBond peering and root account creation between March and May 2026. Forward vManage syslog to SIEM.
- Lantronix EDS5000 (CVE-2025-67038): Inventory all serial-to-Ethernet converters in OT environments. Patch by June 26 KEV deadline or isolate behind segmentation controls.
- Credential exposure (Amadey/StealC takedown): Monitor for organizational credential exposure from the 27M recovered dataset. Enforce FIDO2 MFA on external-facing systems.
- Cisco UCM (CVE-2026-20230): Patch Unified Communications Manager — public PoC is weaponized and exploitation is confirmed.
- AI workflow validation: If using LLM-based malware analysis, implement human-in-the-loop review and multi-engine detection to mitigate prompt injection evasion.
Detection Spotlight
The Cisco SD-WAN exploitation leveraged rogue vBond peering — an activity that generates specific log entries in vManage. The following Splunk SPL query searches for unauthorized vBond registration events and unexpected root account creation in vManage syslog data. Replace the 10.10.0.0/16 and 172.16.5.0/24 placeholders in the eval with your own vBond orchestrator addresses, or move them into a known_vbond_ips lookup.
index=network sourcetype="cisco:sdwan:vmanage"
(event_type="vbond-registration" OR event_type="user-account-create")
| eval is_known_vbond=if(like(src_ip, "10.10.%") OR like(src_ip, "172.16.5.%"), "yes", "no")
| where (event_type="vbond-registration" AND is_known_vbond="no") OR (event_type="user-account-create" AND user_privilege="root")
| table _time, src_ip, event_type, device_hostname, user_name, user_privilege
| sort - _time
This query surfaces two high-fidelity indicators: vBond registrations from IP addresses outside your known orchestration infrastructure, and root account creation events on edge devices. The where clause applies the known-vBond check only to registration events, so routine account creation from an orchestrator address is not flagged unless the new account has root privilege. The false positive rate is low if the known-vBond IP filter is properly scoped — legitimate vBond registrations come from a small, static set of IPs in most deployments.
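The same two indicators applied outside Splunk, as an added Python example that is not from the brief or from Cisco: it runs the query's logic over constructed vManage-style key=value syslog lines. The field names, the key=value line layout and the known-vBond ranges are assumptions; CIDR matching replaces the SPL prefix match so that a range such as 10.10.0.0/16 is checked exactly.

```python
import ipaddress
import re

# Assumed trusted vBond orchestrator ranges (placeholders; replace with your own).
KNOWN_VBOND_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                    ipaddress.ip_network("172.16.5.0/24")]

# Constructed sample events in an assumed key=value layout, not real vManage output.
SAMPLE_LOGS = """\
2026-05-02T08:14:03Z event_type=vbond-registration src_ip=10.10.4.2 device_hostname=vedge-lon-01
2026-05-02T08:16:40Z event_type=vbond-registration src_ip=203.0.113.77 device_hostname=vedge-lon-01
2026-05-02T08:17:12Z event_type=user-account-create src_ip=203.0.113.77 device_hostname=vedge-lon-01 user_name=svc_backup user_privilege=root
2026-05-02T09:01:55Z event_type=user-account-create src_ip=10.10.4.9 device_hostname=vedge-par-02 user_name=ops_ro user_privilege=viewer
2026-05-02T09:30:00Z event_type=interface-state-change src_ip=10.10.4.2 device_hostname=vedge-par-02
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; timestamp goes under _time."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = ts
    return fields

def is_known_vbond(ip: str) -> bool:
    """True only if src_ip parses and falls inside a trusted vBond range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable or missing source is never treated as trusted
    return any(addr in net for net in KNOWN_VBOND_NETS)

def find_suspicious(log_text: str) -> list:
    """Return events matching either indicator, newest first, tagged with a reason."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        et = ev.get("event_type")
        if et == "vbond-registration" and not is_known_vbond(ev.get("src_ip", "")):
            ev["reason"] = "rogue-vbond-peering"   # registration from outside trusted ranges
            hits.append(ev)
        elif et == "user-account-create" and ev.get("user_privilege") == "root":
            ev["reason"] = "root-account-created"  # root account on an edge device
            hits.append(ev)
    return sorted(hits, key=lambda e: e["_time"], reverse=True)
```

On the constructed sample the two consecutive hits from 203.0.113.77 (a registration followed minutes later by a root account) are exactly the sequence the brief describes, and the viewer-level account from a trusted address is left alone.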
References
- Cisco SD-WAN zero-day exploited months before patching — SecurityWeek
- Lantronix serial-to-IP converter flaw exploited in attacks — SecurityWeek
- Amadey, StealC malware operations disrupted in Operation Endgame — BleepingComputer
- New Gaslight macOS malware uses prompt injection — The Hacker News
- New Mistic backdoor linked to KongTuke IAB — The Hacker News
- Cordyceps CI/CD flaws expose 300+ GitHub repos — The Hacker News
- Malicious Edge extension abuses Native Messaging — BleepingComputer
- Cisco Unified CM flaw exploited after PoC release — The Hacker News
- Cal Water finds no evidence of OT activity after hacker claims — SecurityWeek