
Cisco
US networking and cybersecurity giant; manufacturer of ASA and Firepower firewall appliances exploited by UAT-4356.
Last refreshed: 14 June 2026 · Appears in 2 active topics
Seven SD-WAN CVEs in one calendar year: is Cisco's edge portfolio structurally compromised?
Timeline for Cisco
Mentioned in: A quiet KEV fortnight, then a 2008 bug
Cybersecurity: Threats and DefencesCisco tops a five-vendor KEV batch
Cybersecurity: Threats and DefencesMentioned in: Triple CVSS-10 Ubiquiti chain hits root
Cybersecurity: Threats and DefencesMentioned in: 86,644 Fortinet logins become a hit list
Cybersecurity: Threats and DefencesMentioned in: Arista refuses to patch KEV flaw
Cybersecurity: Threats and DefencesHow does the FIRESTARTER implant survive Cisco firewall patches?
Which Cisco products are affected by the April 2026 CISA emergency deadline?
What is Cisco Talos and what role did it play in the FIRESTARTER discovery?
Background
Cisco Systems is the world's dominant enterprise networking vendor, founded in 1984 in San Jose, California, and listed on the Nasdaq as CSCO. With $56.65 billion in revenue for fiscal 2025 and around 86,200 employees, the company designs and manufactures hardware, software, and services across four principal areas: networking (Catalyst switches, Nexus data-centre platforms, routers), security (ASA firewalls, Firepower Threat Defense, OpenDNS), collaboration (Webex), and observability (AppDynamics). Its in-house threat-intelligence Arm, Cisco Talos, is one of the largest commercial threat-research teams in the industry, tracking advanced persistent threat actors and disclosing vulnerabilities across vendor ecosystems.
Cisco's products form the backbone of enterprise and government networks worldwide, making the company both a critical infrastructure dependency and a high-value target. The firm regularly co-operates with US and allied governments on vulnerability disclosure and Incident Response.
Cisco is under compound attack across three independent threat vectors in 2026, each from a distinct adversary. In April, the FIRESTARTER disclosures confirmed that UAT-4356 had planted a boot-sequence implant in Cisco ASA and Firepower Threat Defense appliances via CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362; one confirmed federal agency remained compromised until at least March 2026, six months after patching. In May, UNC6780 (also tracked as TeamPCP) used credentials stolen via the Trivy supply-chain CVE-2026-33634 to breach more than 300 private Cisco GitHub repositories, exfiltrating source code for Cisco AI Assistant and Cisco AI Defense. That breach gives a financially motivated cluster internal architectural knowledge of Cisco's flagship LLM-security product at the same moment enterprises are adopting it as an AI-defence layer.
Separately, UAT-8616 (an actor whose ORB infrastructure overlaps with the Flax Typhoon and Integrity Technology Group networks) was confirmed exploiting Cisco SD-WAN CVE-2026-20182 (CVSS 10.0), the sixth Cisco SD-WAN CVE catalogued by CISA in 2026, with an Emergency Directive requiring federal remediation by 17 May. On 9 June 2026, CISA catalogued CVE-2026-20245 as the seventh Cisco SD-WAN KEV entry of the year, sustaining a pace of roughly one new exploited SD-WAN CVE every three weeks since January. The Velocity distinguishes Cisco's SD-WAN exposure from the episodic patching cadence most enterprise procurement teams assumed when locking in the platform.
The concurrent visibility UNC6780 gained into Cisco's defensive source code raises the prospect that future SD-WAN and security-product exploit cycles may compress further than prior baselines suggest. Across hardware security products, the AI defence portfolio, and network infrastructure, Cisco faces simultaneous exploitation from three distinct actor profiles, consolidating its status as both critical-infrastructure dependency and premium attack target.