ISSUE 09 | Three years inside your network – Nobody noticed
Security Conscience: Enterprise Cyber Weekly
Issue #09 • Week of March 2, 2026
Security Tip of the Week 🔐
Your IR Plan Assumes Things That May No Longer Be True

I was in an architecture review where someone questioned why SD-WAN traffic got fewer inspection passes than east-west traffic deeper in the stack. The answer: “It’s Cisco, it’s hardened, we can’t afford the performance hit.”

This week, CISA confirmed attackers had been inside Cisco SD-WAN infrastructure since at least 2023. Not months. Three years.

That same week, CISA lost another round of key people and programs. The coordination capacity enterprise IR plans have quietly relied on (threat intel, incident response support, the focal point that brought industry and government together) is significantly diminished. Organizations that used to get direct briefings are describing radio silence.

Add a 29-minute average attacker breakout time, AI-assisted campaigns hitting edge devices at scale, and supply chain malware now weaponizing the AI tools engineers trust. The assumptions underneath our security posture are shifting faster than the posture itself.

Top Story
Cisco SD-WAN Zero-Days Ran for Three Years Undetected
Source: https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/

TL;DR
A sophisticated threat actor exploited two zero-days in Cisco SD-WAN software from at least 2023 through this week, prompting a CISA emergency directive and Five Eyes joint hunting guidance. The exploit chain bypasses authentication and downgrades firmware to escalate to root; for some affected customers, patching alone is already insufficient.

Why It Matters to Enterprises
This is the second Cisco network edge emergency directive in eight months, and both campaigns ran undetected for over a year. Your SD-WAN layer carries architectural trust that rarely gets questioned: it receives less scrutiny than east-west traffic while granting deep access to everything behind it.
If attackers were resident since 2023, the question isn’t whether to patch; it’s what was exfiltrated, where they moved, and whether your forensic capability can answer either. The recommendation to consider full rebuilds for high-risk systems isn’t overreach. For some organizations, it’s the only honest path forward.

What to Do This Week
Big Stories

CISA Has Lost a Third of Its People. It Shows.
Source: https://cyberscoop.com/cisa-personnel-cuts-trump-second-term-analysis/

What Happened
A year into the second Trump administration, CISA has lost roughly a third of its workforce. Threat hunting, secure-by-design leadership, election security, and the division coordinating with state, local, and international partners have all been gutted; the Cyber Safety Review Board was disbanded and two key information sharing centers lost federal funding. Sean Plankey’s Senate confirmation to lead the agency permanently has stalled, leaving it under an acting director whose tenure has been marked by a series of damaging public revelations.

Why It Matters
Enterprise security programs have quietly assumed CISA would coordinate when things got serious, but former officials and industry partners now describe an agency where outreach goes unanswered and coordination has severely diminished. One former official said directly that if Volt Typhoon-linked malware triggered tomorrow, the response would not be ready. The coordination capability CISA built over years doesn’t transfer to private sector alternatives. If your IR plan assumes a federal partner, it’s worth asking which version of CISA it assumes.

40,000 CVEs in 2025. You Needed to Care About 422.
Source: https://cyberscoop.com/vulncheck-exploited-vulnerabilities-report-2025/

What Happened
VulnCheck’s annual exploit intelligence report found that of more than 40,000 CVEs published in 2025, only 422 were actually exploited in the wild. Network edge devices accounted for 28% of targeted products, with Microsoft, Ivanti, Fortinet, and VMware dominating the top-50 most routinely exploited list. The year’s most targeted vulnerability was React2Shell, a maximum-severity React Server Components flaw that generated 236 validated public exploits within weeks of disclosure and compromised three federal departments.
Why It Matters
The problem isn’t CVE volume; it’s that CVSS-based prioritization is directing defenders toward the wrong 99% of the list while the 1% that matters gets weaponized before most organizations finish triage. VulnCheck’s research lead put it plainly: “Threat actors are much more organized presently than we all collectively are on defense.” Attackers have automated analysis pipelines that reverse newly published patches into working exploits in hours, and edge device firmware that hasn’t changed materially in a decade gives them a predictable, well-studied attack surface. If your vulnerability management program still runs primarily on CVSS severity, you’re producing compliance documentation, not managing risk.

Quick Hits

AI Turned a Low-Skill Actor Into a 55-Country Operation
A low-skill actor used commercial AI to compromise 600+ FortiGate devices across 55 countries with no zero-days needed, just exposed management ports and weak credentials that AI helped exploit at scale. The gap between opportunistic scanning and structured intrusion campaigns is gone, and the credential hygiene failures it exploits have been sitting in enterprise environments for years.
https://thehackernews.com/2026/02/ai-assisted-threat-actor-compromises.html

Supply Chain Malware Is Now Targeting Your AI Coding Tools
The Sandworm_Mode NPM campaign deployed rogue MCP servers that weaponized Claude Code, Cursor, and Windsurf to exfiltrate SSH keys, cloud credentials, and API tokens via prompt injection. If your engineers use AI coding assistants connected to source repos and cloud environments, the trust boundary isn’t just your code pipeline; it includes whatever’s running inside the tool.
https://www.securityweek.com/new-sandworm_mode-supply-chain-attack-hits-npm/

Attackers Are Through Your Network in Under 30 Minutes
CrowdStrike’s annual threat report puts average attacker breakout time at 29 minutes in 2025, 65% faster year-over-year, with 82% of attacks involving no malware and one in three cloud IR cases tracing back to a valid credential. Your detection and response capability needs to be measured against those numbers, not against the threat model you built two years ago.
https://cyberscoop.com/crowdstrike-annual-global-threat-report-attack-breakout-time/

Wrapping it up
The CISA story keeps getting read as political. It’s a resilience story. We’ve quietly depended on federal coordination for years: threat intel, incident response backup, a focal point when things go sideways. That capacity is significantly diminished. Whether it rebuilds is outside your control. Whether your program was already standing on its own isn’t.

The Cisco story points to something harder. Three years is a long time to be resident inside critical network infrastructure without triggering an alert. Patient, deliberate, surgical. The detection strategies most enterprises have built are optimized for the adversary who moves quickly and leaves traces. The one who doesn’t is the harder problem, and it’s the one nation-state actors have invested in most.

Every story this week converges on the same question: which of your current security assumptions would you actually bet your incident response on? Not the ones you’d defend in a board meeting. The ones you’d stake a breach investigation on. The organizations that navigate the next 12 months well won’t be the ones that patched the most CVEs. They’ll be the ones that went in already skeptical of inherited trust.

📬 Worth Sharing?
If this week’s edition made you think differently about something, consider forwarding it to a colleague who’d appreciate a no-hype take on enterprise security. We’re building this one reader at a time.
