Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

Cisco tops a five-vendor KEV batch

2 min read
10:57UTC

CISA drew two more Cisco flaws into its catalogue this fortnight, alongside a SimpleHelp bypass that reopens the managed-service-provider route used by DragonForce in 2025.

TechnologyDeveloping
Key takeaway

Cisco tops the KEV catalogue with five entries since April across three separate product lines.

CISA cleared two Known Exploited Vulnerabilities (KEV) batches this fortnight. On Thursday 25 June, due 28 June, it listed a Cisco Unified Communications Manager server-side request forgery (SSRF) flaw, CVE-2026-20230, and a flaw in PTC Windchill, CVE-2026-12569, allowing unauthenticated remote code execution (RCE). On Monday 29 June, due 2 July, came a SimpleHelp single-sign-on (SSO) authentication bypass, CVE-2026-48558, a Cisco Catalyst SD-WAN Manager path traversal, CVE-2026-20262, and a Joomla Widget Factory flaw, CVE-2026-48907. 1

That makes Cisco the most repeat-listed vendor on this beat, with five KEV entries across three product lines since April, following the CVSS-10 Catalyst flaw that the UAT-8616 group was already exploiting in May . An SSRF flaw lets an attacker make a server issue requests on their behalf, reaching systems the attacker cannot touch directly. SimpleHelp is the Remote Monitoring and Management (RMM) tool tied to the 2025 DragonForce campaign against managed service providers (MSPs), and an SSO bypass re-opens the same one-to-many route into every downstream client.

PTC Windchill sits in the product-lifecycle-management (PLM) systems that aerospace, automotive and defence suppliers use to hold engineering data. An unauthenticated RCE there is a supply-chain entry rather than a perimeter one: the attacker needs no credential, and the prize is the design data a supplier holds on behalf of its customers.

Deep Analysis

In plain English

Managed service providers, or MSPs, are companies that IT departments hire to remotely manage computers for lots of different clients at once, often using a tool called SimpleHelp. A newly listed flaw lets an attacker skip the login step in SimpleHelp, which matters because whoever controls that one tool can potentially reach every client the MSP looks after. Cisco and the website-building tool Joomla also had flaws added to the same must-fix list this fortnight. The common thread is that all five bugs let an attacker either break into a network from outside or move around inside it once they are in, and criminals often buy and sell working exploits for bugs like these rather than write their own.

Deep Analysis
Root Causes

SimpleHelp, like most remote monitoring and management tools built for MSPs, runs on a one-to-many trust model: a single administrator credential on the server can push software to every client endpoint it manages, which is exactly the feature ransomware crews weaponise once they compromise the server itself.

Cisco's Catalyst SD-WAN Manager path-traversal flaw follows the same access-broker pattern already logged against Cisco SD-WAN infrastructure through the UAT-8616 cluster: a criminal broker validates access into edge network-management consoles, then resells it to whichever ransomware affiliate pays first, rather than exploiting the flaw directly.

What could happen next?
  • Risk

    Any MSP running a self-hosted, internet-reachable SimpleHelp instance faces a Kaseya-scale downstream exposure if the SSO bypass is exploited before patching, since one compromised server reaches every managed client.

  • Consequence

    Cisco's repeated appearance in KEV batches this fortnight, alongside the SD-WAN Manager flaw already tied to the UAT-8616 broker network, suggests the same access-broker group may be scouting or reselling access to this new path-traversal bug.

First Reported In

Update #9 · FortiBleed harvest linked to Lynx crew

CISA· 4 Jul 2026
Read original
Causes and effects
This Event
Cisco tops a five-vendor KEV batch
A repeat run of Cisco flaws and a SimpleHelp bypass put both vendor concentration and the managed-service-provider supply chain back on defenders' radar.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.