Skip to content
You can now search across every topic, entity and event.What's new
Cisco
OrganisationUS

Cisco

US networking and cybersecurity giant; manufacturer of ASA and Firepower firewall appliances exploited by UAT-4356.

Last refreshed: 14 June 2026 · Appears in 2 active topics

Key Question

Seven SD-WAN CVEs in one calendar year: is Cisco's edge portfolio structurally compromised?

Timeline for Cisco

#1014 Jul

Mentioned in: A quiet KEV fortnight, then a 2008 bug

Cybersecurity: Threats and Defences
#929 Jun

Cisco tops a five-vendor KEV batch

Cybersecurity: Threats and Defences
#823 Jun
#818 Jun
#79 Jun

Mentioned in: Arista refuses to patch KEV flaw

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
How does the FIRESTARTER implant survive Cisco firewall patches?
FIRESTARTER embeds itself in the Cisco ASA and Firepower boot sequence via startup-configuration manipulation, self-backing-up before any shutdown. Ordinary patch or firmware updates do not touch the boot record where FIRESTARTER lives. The only confirmed removal method is a hard power cycle, which clears volatile memory structures the implant relies on.Source: CISA/NCSC AA26-113A
Which Cisco products are affected by the April 2026 CISA emergency deadline?
Three vulnerabilities in Cisco Catalyst SD-WAN Manager were added to the CISA Known Exploited Vulnerabilities catalogue on 20 April 2026 with a three-day remediation Deadline: CVE-2026-20122 (API privilege escalation), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (password storage weakness).Source: CISA KEV catalogue
What is Cisco Talos and what role did it play in the FIRESTARTER discovery?
Cisco Talos is Cisco's in-house threat-intelligence research team, one of the largest commercial threat-Intel operations globally. Talos tracked the UAT-4356 threat actor and contributed attribution analysis to the FIRESTARTER joint advisory, having previously investigated the same actor's 2024 ArcaneDoor campaign against Cisco network devices.Source: Cisco Talos / CISA AA26-113A

Background

Cisco Systems is the world's dominant enterprise networking vendor, founded in 1984 in San Jose, California, and listed on the Nasdaq as CSCO. With $56.65 billion in revenue for fiscal 2025 and around 86,200 employees, the company designs and manufactures hardware, software, and services across four principal areas: networking (Catalyst switches, Nexus data-centre platforms, routers), security (ASA firewalls, Firepower Threat Defense, OpenDNS), collaboration (Webex), and observability (AppDynamics). Its in-house threat-intelligence Arm, Cisco Talos, is one of the largest commercial threat-research teams in the industry, tracking advanced persistent threat actors and disclosing vulnerabilities across vendor ecosystems.

Cisco's products form the backbone of enterprise and government networks worldwide, making the company both a critical infrastructure dependency and a high-value target. The firm regularly co-operates with US and allied governments on vulnerability disclosure and Incident Response.

Cisco is under compound attack across three independent threat vectors in 2026, each from a distinct adversary. In April, the FIRESTARTER disclosures confirmed that UAT-4356 had planted a boot-sequence implant in Cisco ASA and Firepower Threat Defense appliances via CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362; one confirmed federal agency remained compromised until at least March 2026, six months after patching. In May, UNC6780 (also tracked as TeamPCP) used credentials stolen via the Trivy supply-chain CVE-2026-33634 to breach more than 300 private Cisco GitHub repositories, exfiltrating source code for Cisco AI Assistant and Cisco AI Defense. That breach gives a financially motivated cluster internal architectural knowledge of Cisco's flagship LLM-security product at the same moment enterprises are adopting it as an AI-defence layer.

Separately, UAT-8616 (an actor whose ORB infrastructure overlaps with the Flax Typhoon and Integrity Technology Group networks) was confirmed exploiting Cisco SD-WAN CVE-2026-20182 (CVSS 10.0), the sixth Cisco SD-WAN CVE catalogued by CISA in 2026, with an Emergency Directive requiring federal remediation by 17 May. On 9 June 2026, CISA catalogued CVE-2026-20245 as the seventh Cisco SD-WAN KEV entry of the year, sustaining a pace of roughly one new exploited SD-WAN CVE every three weeks since January. The Velocity distinguishes Cisco's SD-WAN exposure from the episodic patching cadence most enterprise procurement teams assumed when locking in the platform.

The concurrent visibility UNC6780 gained into Cisco's defensive source code raises the prospect that future SD-WAN and security-product exploit cycles may compress further than prior baselines suggest. Across hardware security products, the AI defence portfolio, and network infrastructure, Cisco faces simultaneous exploitation from three distinct actor profiles, consolidating its status as both critical-infrastructure dependency and premium attack target.

More questions
Is Cisco being held responsible for the FIRESTARTER backdoor vulnerabilities?
Cisco patched the two initial-access vulnerabilities in September 2025 and co-operated with CISA and NCSC on the disclosure. The company is positioned as a victim and responder rather than liable party, though critics note the CVSS 9.9 severity and six-month post-patch persistence raise questions about detection tooling provided to customers.Source: CISA/NCSC AA26-113A
What Cisco source code did UNC6780 steal in May 2026?
UNC6780 breached more than 300 private Cisco GitHub repositories using credentials stolen via the Trivy supply-chain CVE (CVE-2026-33634), exfiltrating source code for Cisco AI Assistant and Cisco AI Defense (Cisco's flagship LLM-security product) as well as unreleased products across the security portfolio.Source: Google GTIG
What is Cisco SD-WAN CVE-2026-20182 and how serious is it?
CVE-2026-20182 is a CVSS 10.0 authentication bypass in Cisco SD-WAN's vdaemon service actively exploited by UAT-8616. CISA added it to the Known Exploited Vulnerabilities catalogue on 14 May 2026 with a three-day federal remediation Deadline. It is the sixth Cisco SD-WAN CVE catalogued in 2026.Source: CISA ED 26-03
How many Cisco SD-WAN vulnerabilities have been exploited in 2026?
Seven Cisco SD-WAN CVEs were added to the CISA Known Exploited Vulnerabilities catalogue in 2026 as of 9 June. The most severe is CVE-2026-20182 (CVSS 10.0), exploited by UAT-8616 via authentication bypass in the vdaemon service, which triggered Emergency Directive ED 26-03 with a three-day federal Deadline in May.Source: CISA KEV catalogue
What is Cisco AI Defense and why was its source code stolen?
Cisco AI Defense is Cisco's flagship product for detecting and blocking attacks on LLM-powered applications. In May 2026, UNC6780 (also tracked as TeamPCP) breached more than 300 private Cisco GitHub repositories using credentials stolen via the Trivy supply-chain vulnerability CVE-2026-33634, exfiltrating source code for AI Defense alongside Cisco AI Assistant and other unreleased security products.Source: Google GTIG
Source Material