Two Months Inside: What the Cisco SD-WAN Zero-Day Reminds Us About Quiet Intrusions

Two Months Inside: What the Cisco SD-WAN Zero-Day Reminds Us About Quiet Intrusions For at least two months, attackers were operating inside Cisco Catalyst SD-WAN environments before the vulnerability was public. There was no patch yet, and nothing pointing defenders toward where to look. Cisco has since confirmed attackers were exploiting CVE-2026-20245 in the wild, using it to gain privileged access and stay resident. Another zero-day isn't really the story, because those come around regularly. The part we keep coming back to is the two months. For that entire window, the activity would have looked like a normal Tuesday to anyone watching from inside. That's worth sitting with, and not as a knock on anyone. The teams running that gear were doing the job, but there simply wasn't an obvious tell. No smoking gun, no ransom note, no server on fire. It's the reality all of us in this work…

Comments Off on Two Months Inside: What the Cisco SD-WAN Zero-Day Reminds Us About Quiet Intrusions

Monthly Threat Brief: June 2026

June 2026 Cyber Threat Brief June's headline incidents had almost nothing to do with clever code. FortiBleed harvested roughly 80,000 credentials from internet-facing FortiGate firewalls and VPNs across 194 countries, and it needed no zero-day to do it. Attackers used weak passwords, exposed configs, and sessions that were still valid. Around the same time, an 8.3 TB dump of 24 billion records surfaced, most of it infostealer logs, carrying live session cookies and MFA tokens. That combination lets an attacker skip the login entirely and walk in as you. The defenses didn't get bypassed this month. They got used. Every one of those logins was technically legitimate, which is exactly why so much of this activity slid past detection built to look for something broken. That is the throughline worth your time. Attackers Stopped Breaking In and Started Logging In When the biggest campaigns of the month run on valid…

Comments Off on Monthly Threat Brief: June 2026

Monthly Threat Brief: May 2026

May 2026 Cyber Threat Brief: Identity, Supply Chains, and the Growing Speed of Risk The cybersecurity landscape continued evolving rapidly throughout May, with several developments reinforcing a trend that has been building for years. Attackers are increasingly targeting trust itself. Rather than relying solely on malware or credential theft, threat actors are focusing on authentication systems, software supply chains, trusted platforms, and the relationships organizations depend on every day. At the same time, advances in AI and automation continue to shorten the time between vulnerability discovery and exploitation, creating additional pressure on security teams. Here are the key themes that emerged during May. Identity Is Becoming the Primary Attack Surface The FBI issued warnings regarding Kali365, a phishing-as-a-service platform designed to target Microsoft 365 environments through token theft and device-code authentication abuse. These attacks reflect a broader shift away from traditional password theft. Instead, attackers are increasingly targeting: Authenticated sessions…

Comments Off on Monthly Threat Brief: May 2026

The Future of OT Security Isn’t Louder Scanning. It’s Smarter Modeling.

Critical Path Security has announced the development of a new AI-driven OT Digital Twin Engine designed to combine graph-based attack-path analysis, deterministic simulation, and Large Language Model-assisted reasoning to evaluate industrial environments without actively interacting with production systems. The platform was developed in response to a growing problem across Operational Technology and critical infrastructure environments: traditional assessment methodologies were never designed for fragile industrial systems that cannot safely tolerate aggressive scanning, enumeration, or exploitation activity. In many OT environments, a malformed packet can disrupt operations. A vulnerability scan against an aging PLC or RTU can destabilize communications. A failed authentication attempt can interfere with emergency operational access. The consequence of intrusive testing inside industrial infrastructure is fundamentally different than in enterprise IT environments. The new Digital Twin Engine was architected around a different model. Rather than interrogating live systems directly, the platform ingests existing operational and security artifacts already maintained…

0 Comments