Cisco SD-WAN Bug Actively Exploited

Feb 27, 2026

A critical Cisco SD-WAN vulnerability has been actively exploited, prompting emergency inventory and hardening orders. Researchers demonstrate how MCP integration flaws could lead to remote code execution and even Azure tenant takeover. A large CarGurus data leak raises phishing and fraud risks tied to vehicle shopping. Law enforcement teams trace and recover funds from a tech support scam.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ADVICE

Patch Cisco SD-WAN Now Or Assume Compromise

Apply Cisco's patched SD-WAN software immediately to stop authentication bypass and rogue peering.
CISA ordered agencies to inventory systems, collect logs and hunt for compromises with a 5:00 PM ET February 27, 2026 deadline because exploitation dates back to 2023.

ADVICE

Hunt For SD-WAN Indicators With Published Playbooks

Follow Cisco and government hunt guides to look for unauthorized peering, software downgrades, and root-level persistence indicators.
There are detailed detection instructions and log artifacts because agencies expect widespread compromise.

INSIGHT

MCP Turns LLMs Into Actionable Enterprise Entry Points

Model Context Protocol is becoming the enterprise integration layer that lets LLMs act on behalf of users, not just fetch data.
That standardization creates a uniform attack surface enabling prompt injection, tool impersonation, RCE, and tenant takeover risks demonstrated at RSA.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Cisco SD-WAN Bug Actively Exploited, MCP Azure Takeover Demo, CarGurus Data Leak, and Secret Service Scam Recovery

Host Jim Love covers four cybersecurity stories: CSA warns a critical Cisco Catalyst SD-WAN controller vulnerability (CVE-2026-20127) has been exploited since 2023, enabling authentication bypass and rogue peering sessions, and orders U.S. federal agencies to inventory systems, collect logs and forensic artifacts, hunt for compromise, and apply Cisco's fixes by 5:00 PM ET on February 27, 2026, with no workarounds. At RSA, researchers show how flaws in Model Context Protocol (MCP)—a key integration layer for agentic AI—could lead to remote code execution and even Azure tenant takeover, highlighting rising enterprise risk. ShinyHunters reportedly published 12.4 million stolen CarGurus records, raising phishing and fraud concerns tied to vehicle shopping and financing context. Finally, an Ontario tech support scam victim recovers funds through coordinated work by Ontario Provincial Police and the U.S. Secret Service, which traced and froze the money in time.

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst

LINKS Cisco Advisory Cisco Security Advisory – CVE-2026-20127 Authentication bypass vulnerability in Cisco Catalyst SD-WAN https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

CISA Supplemental Hunt and Hardening Guidance (Cisco SD-WAN Systems) https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems

Threat Hunt Guide (Technical PDF) Cisco SD-WAN Threat Hunt Guide (jointly referenced in federal guidance) https://media.defense.gov/2026/Feb/25/2003880299/-1/-1/0/CISCO_SD-WAN_THREAT_HUNT_GUIDE.PDF

00:00 Sponsor Message 00:19 Cisco SD-WAN Under Attack 02:48 MCP Azure Takeover Demo 05:28 CarGurus Data Dump 07:16 Secret Service Scam Recovery 09:24 Closing Sponsor Thanks