← Back to Security Blog
Security Briefing 7 min read

Cisco SD-WAN CVE-2026-20127 Exploited Since 2023 — CarGurus 12M Breach — SLH Recruits Women for Vishing

A CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN has been actively exploited since 2023. CarGurus confirms 12.4 million users compromised by ShinyHunters. A cybercrime supergroup is paying women $1,000 per call to social-engineer IT help desks. Plus: SolarWinds patches four critical Serv-U RCE flaws and a defense contractor gets 87 months for selling exploits to Russia.


Critical: Cisco SD-WAN Authentication Bypass (CVE-2026-20127)

CVSS 10.0 — Exploited as Zero-Day Since 2023

Cisco has disclosed a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). The flaw allows remote, unauthenticated attackers to log in as a high-privileged internal user and manipulate the entire SD-WAN fabric via NETCONF.

What Happened

The vulnerability stems from a broken peering authentication mechanism. Attackers exploit it to add rogue peers to the SD-WAN environment — effectively injecting malicious devices that appear legitimate and can route traffic through attacker-controlled infrastructure.

Cisco Talos tracks the activity as UAT-8616 and attributes it with high confidence to a highly sophisticated threat actor. Telemetry shows exploitation dating back to at least 2023. The actor escalated to root by downgrading firmware to exploit an older vulnerability (CVE-2022-20775), then restoring the original version to evade detection.

The disclosure was coordinated between Cisco, the Australian Cyber Security Centre (ASD's ACSC), CISA (Emergency Directive 26-03), and UK authorities.

Who Is Affected

Immediate Actions

  1. Patch immediately — Cisco has released emergency updates
  2. Audit peer lists — Check for unauthorized rogue peers in your SD-WAN fabric
  3. Review firmware history — Look for unexpected version changes (downgrade/upgrade pattern)
  4. Network forensics — Inspect traffic for connections to unknown controllers
  5. Assume breach if unpatched — This has been exploited for 3+ years

CarGurus Breach: 12.4 Million Users Exposed

Automotive marketplace CarGurus has confirmed a data breach affecting over 12.4 million users. The ShinyHunters group claimed responsibility, stating they exfiltrated personally identifiable information and internal corporate data.

This follows ShinyHunters' attack on Wynn Resorts, where employee data was stolen — though the listing was later removed from the leak site after apparent negotiations.

Exposed Data

Impact: If you or your employees used CarGurus, monitor for phishing campaigns leveraging the stolen data. Credential stuffing attacks are expected within days.


SLH Supergroup Pays $1,000/Call for Vishing Recruits

The cybercrime supergroup Scattered LAPSUS$ Hunters (SLH) — a merger of LAPSUS$, Scattered Spider, and ShinyHunters — is now actively recruiting women to conduct voice phishing (vishing) attacks against IT help desks.

Social Engineering at Scale

According to Dataminr's threat intelligence, SLH offers $500–$1,000 per call plus pre-written scripts. The strategy: female voices may have higher success rates when impersonating employees calling help desks for password resets or MFA bypasses.

SLH has a documented history of MFA prompt bombing, SIM swapping, and help desk social engineering. This recruitment campaign signals an industrialization of social engineering — moving from opportunistic attacks to paid, organized call center operations.

Defense Recommendations


SolarWinds Serv-U: Four Critical RCE Vulnerabilities

SolarWinds has patched four critical vulnerabilities in Serv-U file transfer software that could allow remote code execution. While the flaws require administrative privileges, Serv-U has been a historically targeted product (remember the 2021 supply chain attack).

Why It Matters

File transfer appliances remain the #1 initial access vector for ransomware groups. MOVEit, GoAnywhere, Citrix ShareFile — and now Serv-U again. If you run Serv-U, patch before exploit code inevitably drops.


Chinese Cyber Espionage: Dozens of Telecoms and Government Agencies Breached

Google's Threat Intelligence Group (GTIG), Mandiant, and international partners have disrupted a global espionage campaign attributed to Chinese threat actor UNC2814. The group has been active since at least 2017, targeting organizations across 42 countries.

The attackers used legitimate SaaS API calls to disguise malicious traffic, making detection exceptionally difficult. Targets included telecom providers and government agencies — classic intelligence collection objectives.


Defense Contractor Gets 87 Months for Selling Exploits to Russia

Former U.S. defense contractor executive Peter Williams has been sentenced to 87 months in federal prison for selling cyber exploits to a Russian broker. The case underscores the ongoing risk of insider threats in the defense supply chain.


Supply Chain Corner: Malicious NuGet + Fake Next.js Interviews

Two separate supply chain campaigns discovered this week:

Developer teams: Audit your NuGet dependencies and be suspicious of any repository linked from unsolicited job interviews.


UFP Technologies: Medical Device Maker Hit by Ransomware

American medical device manufacturer UFP Technologies disclosed a cyberattack with confirmed data theft and file-encrypting malware. The healthcare sector continues to be disproportionately targeted — attackers know patient data commands premium ransoms and regulatory pressure forces fast payments.


Today's Priority Actions

  1. Cisco SD-WAN — Patch CVE-2026-20127 immediately (CVSS 10.0, exploited since 2023)
  2. SolarWinds Serv-U — Apply critical RCE patches
  3. Help desk hardening — SLH vishing campaign is active and scaling
  4. CarGurus breach — Monitor for credential stuffing and phishing using stolen data
  5. Developer supply chain — Audit NuGet packages, beware fake interview repos
  6. Telecom/Govt — Review for UNC2814 indicators if in targeted sectors

How Kensai Protects You

Cisco SD-WAN Detection — Scan for CVE-2026-20127 and vulnerable configurations

Supply Chain Monitoring — Track malicious packages across NuGet, npm, PyPI

AI-Powered Remediation — Get patches, not just alerts. Auto-generated PRs for your codebase.

NIS2 Compliance — German-language reports for regulatory requirements

Scan Your Infrastructure in 60 Seconds

332,000+ CVEs indexed. AI-generated patches. GitHub PR automation.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles