Description: Cisco has was targeted in a data leaked by the Yanluowang ransomware gang in September 2022. The gang leaked the data that was stolen from the company network during a cyberattack in May. The stolen data included non-sensitive files from the employee’s Box folder and thousands of files amounting to 55GB and that the cache included classified documents, technical schematics, and source code.

Description: A former Cisco employee accessed the company's cloud infrastructure in 2018, five months after resigning, to deploy code that led to the shutdown of more than 16,000 WebEx Teams accounts and the deletion of 456 virtual machines. 30-year-old Sudhish Kasaba Ramesh accessed Cisco's cloud infrastructure hosted on Amazon Web Services without permission on September 24, 2018. The shutdown forced Cisco to spend more than $2,400,000 in customer refunds and employee time needed to restore the damage caused by Ramesh.

Description: CISCO got hit and they immediately took control of the story. The threat actors posted a directory of Drive C on their leak site. The directory listed 3,176 files, comprising 2,875,897,023 bytes in 2111 Directories. That information matches was sent as a tip. It was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker succeeded in achieving an MFA push acceptance which grant them access to VPN in the context of the targeted user.

Description: In May 2022, Cisco faced a cyberattack initiated through sophisticated voice phishing attacks, targeting a Cisco employee's Google account. The attacker managed to gain unauthorized access to Cisco's internal systems by exploiting the employee's synchronized credentials in a browser. Cisco's quick response allowed its security team to eliminate the attacker from their network before any significant damage could occur. Later, the ransomware gang Yanluowang claimed to have leaked Cisco's files on their website. Despite this, Cisco asserted that the incident had no operational impact on its business.

Description: Cisco has addressed a security flaw that allowed personal data to leak from the company's Professional Careers portal. Cisco clarifies that just a small amount of information connected to job applications was stolen from the mobile version of the website in its email notification of the issue to the impacted individuals. As to the security alert distributed by Cisco to its users, an erroneous security configuration on a third-party site following system repair was the cause of data leaking. The information leaked by Cisco comprises personal details such as name, password, email address, phone number, security question answers, professional profile and educational background, cover letter, resume content, and other details.

Description: Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen. The compromised information includes cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations. A redacted NDA agreement that was obtained in the attack was also supplied to BleepingComputer by the threat actors as evidence of the incident and a "hint" that they had infiltrated Cisco's network and taken files. They immediately took action to contain and eradicate the bad actors.

Description: Cisco, a leading technology company known for its cybersecurity and incident response services through Cisco Talos, experienced a significant ransomware attack on May 24, 2022. The ransomware group identified as Yanluowang was able to gain access to an employee’s credentials via a compromised personal Google account. This breach allowed the attackers to infiltrate Cisco’s systems, representing a severe security incident for the company. Although Cisco is renowned for its robust security measures, the attack highlights the sophisticated techniques employed by ransomware gangs to target and compromise even the most secure entities. The company embarked on a comprehensive response to mitigate the impact of the attack, demonstrating the importance of preparedness and swift action in the face of ransomware threats. The incident underscores the ongoing challenges organizations face in protecting against the evolving landscape of cyber threats and the necessity for continuous enhancement of cybersecurity protocols.

Description: Cisco has released security patches for multiple vulnerabilities in its Small Business RV Series router platform. This vulnerability could allow any remote attacker to gain complete control over the device without authentication. The attacker could execute arbitrary code, elevate privileges, run commands, bypass authentication protections, and retrieve and execute unsigned software if exploits the flaw.

Description: In April 2024, the China-linked APT group Velvet Ant exploited zero-day vulnerability CVE-2024-20399 in Cisco switches to deploy custom malware, gaining control over the network devices. Attackers with valid administrator credentials executed commands as root, bypassing security measures and installing the 'VELVETSHELL' malware for persistent access and espionage. The malware granted capabilities for command execution, file management, and creating traffic tunnels, compromising the integrity of Cisco's network infrastructures and potentially leading to data exfiltration.

Description: Cisco's Smart Licensing Utility (CSLU) was targeted by attackers exploiting a vulnerability that allowed for an undocumented administrative account to be accessed remotely. This vulnerability, known as CVE-2024-20439, alongside another flaw, CVE-2024-20440, which enabled unauthorized access to log files, could have severe ramifications if exploited. The impact and intent of these attacks are not yet fully understood, but they could potentially lead to unauthorized access to Cisco's products, leading to informational leaks or full system control. This exposure might result in tarnishing Cisco's reputation and financial losses, further impacting customers who rely on Cisco's network solutions.

Description: Splunk has suffered a security incident due to two separate high-severity vulnerabilities. The first vulnerability enables RCE, allowing low-privileged users to execute arbitrary code through malicious file uploads, affecting Splunk Enterprise and Splunk Cloud Platform before certain versions. The second vulnerability affects the Splunk Secure Gateway app, where users can search with higher-privileged permissions, leading to potential unauthorized disclosure of sensitive information. Both issues have been patched, with suggested updates provided to Splunk users to remediate the risk. The security flaws highlight the critical importance of maintaining updated systems and monitoring access control within corporate environments to prevent data breaches and maintain operational integrity.

Description: A significant security breach due to a critical vulnerability CVE-2024-20439 in the Cisco Smart Licensing Utility has been actively exploited, allowing attackers to gain administrative access via hardcoded credentials. This flaw exposes organizations to potential data leaks and unauthorized control over affected systems, leading to operational disruptions, reputational damage, and compromising sensitive information. The vulnerability, coupled with other exploits like CVE-2024-20440, presents a considerable risk, as it simplifies the attackers' process to compromise systems and extract sensitive data.

Description: A severe vulnerability in Cisco's networking equipment, identified as CVE-2018-0171, has been exploited by attackers, notably by the APT group Salt Typhoon. Despite a patch released in 2018, over 1,200 devices remain unpatched, providing an attack surface for unauthorized remote code execution and configuration theft. The attack chiefly involves using the Smart Install feature to extract sensitive data from networking devices, exacerbating the risk of further infiltrations and potentially catastrophic network breaches. This enduring security oversight, which notably affected telecommunications providers, exemplifies the danger legacy systems pose to the current technology infrastructure.

Description: Cisco has patched a critical flaw in its IOS XE Software for Wireless LAN Controllers. The vulnerability, due to hardcoded tokens, allows threat actors to upload files, perform path traversal, and execute arbitrary commands with root privileges. The flaw is tracked as CVE-2025-20188 and has a maximum security score of 10/10. Although there is no evidence of abuse in the wild yet, users should patch immediately. Vulnerable devices include Catalyst 9800-CL Wireless Controllers for Cloud and other Catalyst 9800 series controllers.

Description: A critical security vulnerability in Cisco IOS XE Wireless Controller Software has been identified, allowing attackers to achieve remote code execution with root privileges. The flaw stems from a hard-coded JSON Web Token (JWT) present in the Out-of-Band Access Point (AP) Image Download feature. This vulnerability affects multiple enterprise-grade wireless controller products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers, and Catalyst 9800 Series Wireless Controllers. The vulnerability, tracked as CVE-2025-20188, has been assigned the maximum CVSS score of 10.0, highlighting its severe impact on affected systems.

Description: A significant vulnerability in Cisco’s Integrated Management Controller (IMC) allows malicious actors to gain elevated privileges and access internal services without proper authorization. This vulnerability, classified as a privilege escalation flaw, exploits weaknesses in the authentication and authorization mechanisms within the management controller’s web interface. Attackers can leverage improper input validation and insufficient access controls to bypass security restrictions and execute commands with administrative privileges. The exploitation can have far-reaching consequences, enabling attackers to access the Baseboard Management Controller (BMC) functionalities, modify BIOS settings, and potentially install persistent firmware-level malware.

Description: Cisco has identified a critical security vulnerability in its Meraki MX and Z Series devices, which could allow unauthenticated attackers to launch denial of service (DoS) attacks against AnyConnect VPN services. The flaw, tracked as CVE-2025-20271 with a CVSS score of 8.6, stems from variable initialization errors during SSL VPN sessions. Exploitation of this vulnerability can cause the VPN server to restart, terminating all sessions and forcing users to re-authenticate. A sustained attack could render the VPN service unavailable, preventing legitimate users from establishing new connections. The vulnerability affects a wide range of Cisco Meraki devices and requires no authentication to execute, making it particularly dangerous for exposed systems.

Description: A critical vulnerability in Cisco Unified Communications Manager (Unified CM) systems allows remote attackers to gain root-level access. The flaw, CVE-2025-20309, stems from hardcoded SSH credentials that cannot be modified. Affected are Engineering Special releases 15.0.1.13010-1 through 15.0.1.13017-1. Attackers can exploit this to execute arbitrary commands without authentication, posing a severe risk to organizations with internet-facing Unified CM deployments. Immediate patching or system updates are recommended.