
Weekly Threat Roundup: Cisco SD-WAN Zero-Day Under Attack (May 11-17)

Cybersecurity roundup for 2026-05-11 to 2026-05-17: 3 CVE advisories, 3 breach reports, and 1 threat news story.

This Week at a Glance

A critical zero-day in Cisco Catalyst SD-WAN (CVE-2026-20182, CVSS 10.0) is being actively exploited to grant admin access, demanding immediate patching. Concurrently, a high-severity XSS vulnerability in Microsoft Exchange Server is under active attack, while a proof-of-concept exploit for a critical heap overflow in NGINX (CVE-2026-42945) has been published. On the breach front, over 1.2 million records were exposed across Abrigo, Cushman & Wakefield, and Canada Life, and the Qilin ransomware group has claimed new victims in the healthcare sector.

Top Vulnerabilities

  • CVE-2026-20182 (CVSS 10.0, Critical, Actively Exploited): An authentication bypass in Cisco Catalyst SD-WAN Controller allows unauthenticated attackers to gain full administrative access. Immediate patching is critical.
  • CVE-2026-42897 (CVSS 8.1, High, Actively Exploited): A stored XSS vulnerability in Microsoft Exchange Server enables attackers to perform spoofing attacks. Apply the May 2026 security updates.
  • CVE-2026-42945 (CVSS 9.2, Critical): A heap overflow in the ngx_http_rewrite_module of NGINX Plus and Open Source. A proof-of-concept has been published; prioritize patching.

Data Breaches

  • Abrigo: 711,000 accounts exposed. The breach impacted customer contacts and email addresses.
  • Cushman & Wakefield: 310,000 records exposed in a data breach.
  • Canada Life: 238,000 accounts exposed. The ShinyHunters group claimed responsibility for the incident.

Threat Intelligence

  • Cisco Catalyst SD-WAN Exploitation: The critical authentication bypass (CVE-2026-20182) is being actively weaponized in the wild to take over vulnerable controllers.
  • Qilin Ransomware Activity: The Qilin group has claimed attacks on Clinica Avellaneda Medical Center and PNSB Insurance Brokers Sdn Bhd.
  • DragonForce Ransomware: The DragonForce group has claimed an attack on AdvancedHEALTH.

Key Takeaway

This week reveals a troubling convergence: attackers are simultaneously weaponizing a perfect 10.0 CVSS vulnerability in network infrastructure (Cisco SD-WAN) while maintaining pressure on the healthcare sector via ransomware. Security teams should treat any SD-WAN controller as a critical asset and verify it is patched, while also reviewing third-party access controls in healthcare environments to limit the blast radius of ransomware attacks.
