Cyber Centre Daily Advisory Digest — 2026-05-15 (2 advisories)

The Canadian Centre for Cyber Security issued advisories warning of active exploitation of two critical vulnerabilities. CVE-2026-20182 affects Cisco Catalyst SD-WAN devices, allowing unauthenticated remote attackers to bypass authentication and gain root privileges, while CVE-2026-42897 is a spoofing vulnerability affecting on-premises Microsoft Exchange Servers.

Sens: Immediate | Conf: high | Analyzed: 2026-05-15

Authors: Canadian Centre for Cyber Security

Source: Canadian Centre for Cyber Security

Detection / Hunter

What Happened

The Canadian Centre for Cyber Security has warned that hackers are actively exploiting critical security flaws in two major enterprise systems. The first flaw affects Cisco Catalyst SD-WAN networking devices, allowing attackers to take full control of the network and maintain long-term access. The second flaw affects Microsoft Exchange email servers, which attackers are using to spoof identities. These vulnerabilities pose a severe risk to organizations relying on these systems for networking and communication. IT administrators should immediately apply the latest security patches provided by Cisco and Microsoft to protect their networks.

Key Takeaways

  • Active exploitation of a critical improper authentication vulnerability (CVE-2026-20182) in Cisco Catalyst SD-WAN devices is ongoing.
  • Attackers exploiting the Cisco SD-WAN flaw are adding SSH keys and modifying NETCONF configurations to gain root privileges and establish persistence.
  • Limited active exploitation has been observed for a critical spoofing vulnerability (CVE-2026-42897) affecting on-premises Microsoft Exchange Servers.
  • Organizations must immediately patch affected Cisco SD-WAN and Microsoft Exchange instances to mitigate these actively exploited flaws.

Affected Systems

  • Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart)
  • Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
  • Microsoft Exchange Server 2016 on-premises
  • Microsoft Exchange Server 2019 on-premises
  • Microsoft Exchange Server Subscription Edition (SE) on-premises

Vulnerabilities (CVEs)

  • CVE-2026-20182
  • CVE-2026-20133
  • CVE-2026-20128
  • CVE-2026-20122
  • CVE-2026-42897

Attack Chain

Attackers exploit CVE-2026-20182 in Cisco Catalyst SD-WAN devices to bypass the peering authentication process. Upon successful exploitation, they elevate privileges to root. The attackers then establish persistence by adding unauthorized SSH keys and modifying NETCONF configurations, granting them long-term administrative access to the SD-WAN networks.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The advisory does not provide specific detection rules, but recommends reviewing Cisco and Talos Intelligence articles for IOCs and using the 'request admin-tech' command to preserve forensic data.

Detection Engineering Assessment

  • EDR Visibility: Low — EDR agents typically cannot be installed directly on proprietary network appliances like Cisco Catalyst SD-WAN controllers or managers.
  • Network Visibility: High — Exploitation occurs over the network targeting the peering authentication process, and subsequent activity involves SSH and NETCONF traffic which can be monitored via network sensors.
  • Detection Difficulty: Moderate — Detecting the initial exploit may require specific network signatures, but post-exploitation activities like unauthorized SSH key additions or NETCONF modifications should be visible in appliance audit logs.

Required Log Sources

  • Cisco SD-WAN appliance audit logs
  • Network traffic logs
  • Microsoft Exchange Server logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for unexpected modifications to NETCONF configurations or the addition of new SSH keys on Cisco SD-WAN controllers.
    • Telemetry: Appliance audit logs
    • ATT&CK Stage: Persistence
    • FP Risk: Low to Medium (depending on the frequency of legitimate administrative changes)

Control Gaps

  • Lack of network segmentation for management interfaces
  • Insufficient monitoring of appliance configuration changes

Key Behavioral Indicators

  • Unexpected SSH key additions on SD-WAN appliances
  • Unauthorized NETCONF configuration changes
  • Unexpected root-level administrative sessions on SD-WAN controllers
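The hunting hypothesis and the behavioral indicators above can be turned into a small triage pass over exported appliance audit events. The script below is an added example, not part of the advisory or of any Cisco tooling; it assumes a hypothetical key=value audit-log layout (ISO-8601 timestamp followed by `host=`, `user=`, `method=`, `action=`, `path=`, `change_id=`, `result=` fields), and the sample lines, host names, users and configuration paths are constructed. It flags SSH authorized-key changes (T1098.004), NETCONF configuration changes that carry no change ticket and come from an account outside a change-management allowlist, and interactive root sessions, then summarises findings per host so a hunter can see which controller to pull `request admin-tech` output from first.

```python
"""Triage SD-WAN appliance audit events for the persistence behaviours described above.

Added example. The log layout is an ASSUMPTION (ISO-8601 timestamp followed by
key=value fields); adapt parse_audit_log() to the export format your appliances
actually produce. All sample data is constructed.
"""
import re
from collections import Counter

# Constructed sample events (not real telemetry). Hosts, users and paths are invented.
SAMPLE_AUDIT_LOG = """\
2026-05-15T02:11:09Z host=sdwan-mgr-01 user=admin method=console action=login result=success
2026-05-15T02:13:42Z host=sdwan-ctrl-02 user=netconf-svc method=netconf action=config-change path=/system/aaa/user[admin]/pubkey-chain/ssh-key result=success
2026-05-15T02:14:05Z host=sdwan-ctrl-02 user=netconf-svc method=netconf action=config-change path=/system/ssh/authorized-keys result=success
2026-05-15T02:15:30Z host=sdwan-ctrl-02 user=root method=ssh action=login result=success
2026-05-15T02:20:15Z host=sdwan-ctrl-02 user=netconf-svc method=netconf action=config-change path=/system/logging/server result=success
2026-05-15T09:00:00Z host=sdwan-mgr-01 user=neteng-bob method=netconf action=config-change path=/vpn/interface/description change_id=CHG-4421 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Configuration paths that touch SSH key material (pattern is an assumption).
SSH_KEY_PATH_RE = re.compile(r"(ssh[-_]?key|authorized[-_]?keys|pubkey)", re.I)


def parse_audit_log(text):
    """Parse the assumed key=value layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        match = LINE_RE.match(line) if line else None
        if not match:
            continue
        event = {"ts": match.group("ts")}
        event.update(dict(FIELD_RE.findall(match.group("fields"))))
        events.append(event)
    return events


def hunt(events, change_accounts=frozenset()):
    """Return findings for the indicators listed in the advisory digest.

    change_accounts: accounts whose unticketed NETCONF changes are considered
    routine; use it to tune the 'Low to Medium' false-positive risk down.
    """
    findings = []
    for ev in events:
        action, path = ev.get("action", ""), ev.get("path", "")
        user, method = ev.get("user", ""), ev.get("method", "?")
        base = {"ts": ev["ts"], "host": ev.get("host", "?"), "user": user}
        if action == "config-change" and SSH_KEY_PATH_RE.search(path):
            # Unexpected SSH key addition/modification: strongest persistence signal.
            findings.append({**base, "severity": "high", "stage": "Persistence",
                             "technique": "T1098.004",
                             "reason": f"SSH key material changed via {method} at {path}"})
        elif (action == "config-change" and method == "netconf"
              and "change_id" not in ev and user not in change_accounts):
            # NETCONF change with no change ticket from a non-allowlisted account.
            findings.append({**base, "severity": "medium", "stage": "Persistence",
                             "technique": None,
                             "reason": f"unticketed NETCONF config change at {path}"})
        if action == "login" and user == "root" and ev.get("result") == "success":
            # Interactive root session on a controller is unexpected in normal operation.
            findings.append({**base, "severity": "high", "stage": "Privilege Escalation",
                             "technique": None,
                             "reason": f"interactive root session via {method}"})
    return findings


def findings_per_host(findings):
    """Count findings by appliance so the most-affected host is triaged first."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    results = hunt(parse_audit_log(SAMPLE_AUDIT_LOG))
    for f in results:
        print(f"{f['ts']} {f['host']} [{f['severity']}] {f['stage']} "
              f"{f['technique'] or '-'}: {f['reason']} (user={f['user']})")
    print("per host:", dict(findings_per_host(results)))
```

Running it as-is yields four findings, all on `sdwan-ctrl-02`; passing `change_accounts={"netconf-svc"}` suppresses the unticketed logging-server change but still flags both SSH key edits, which is the intended tuning behaviour: allowlisting reduces noise from routine automation without silencing the high-confidence T1098.004 indicator.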

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Immediately apply the provided patches for Cisco Catalyst SD-WAN and Microsoft Exchange Server instances.
  • If patching is delayed, consider restricting internet access to Cisco Catalyst SD-WAN Controller management interfaces.
  • Issue the 'request admin-tech' command on Cisco SD-WAN control components to preserve logs before applying upgrades.

Infrastructure Hardening

  • Evaluate whether management interfaces for network appliances can be isolated from the public internet.
  • Implement recommendations from the Cisco SD-WAN hardening guide.
  • Consolidate, monitor, and defend Internet gateways to reduce the attack surface of exposed applications.

User Protection

  • Ensure administrative access to network appliances and Exchange servers requires multi-factor authentication where supported.

Security Awareness

  • Ensure IT and network administration teams are aware of the critical need to promptly patch internet-facing infrastructure.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1068 - Exploitation for Privilege Escalation
  • T1098.004 - Account Manipulation: SSH Authorized Keys

Additional IOCs

  • Command Lines:
    • Purpose: Preserve possible indicators of compromise from SD-WAN control components before upgrading. | Tools: Cisco SD-WAN CLI | Stage: Incident Response | Command: request admin-tech