General Discussion

General discussions that don't fit in other categories. All topics must still follow forum rules.

20 Topics 183 Posts
  • Infosec News

    114
    1
    1 Votes
    114 Posts
    31k Views
    cycloneC
    Active Exploitation of Cisco Catalyst SD-WAN CVSS 10.0 Zero-Day (CVE-2026-20127)

    Overview

    Security researchers and government agencies have confirmed active exploitation of a critical vulnerability affecting Cisco Catalyst SD-WAN infrastructure. The vulnerability, tracked as CVE-2026-20127, allows an unauthenticated remote attacker to bypass authentication on affected Cisco Catalyst SD-WAN Controller and Manager systems and gain administrative access.

    The flaw carries a CVSS score of 10.0 (critical) and enables attackers to send crafted requests to the SD-WAN controller, resulting in login access as a high-privileged internal account. Once initial access is obtained, the attacker can manipulate SD-WAN network configuration and potentially gain full control of the platform.

    Cisco Talos attributes the activity to a sophisticated threat cluster tracked as UAT-8616. Investigation indicates that exploitation activity has likely been occurring since at least 2023, meaning organizations may have been compromised for several years before disclosure.

    Exploitation Chain

    Observed attacks follow a multi-stage compromise process:

    Initial Access
    Exploitation of CVE-2026-20127 allows authentication bypass on Cisco Catalyst SD-WAN controllers. Attackers gain administrative access as a privileged non-root user.

    Privilege Escalation
    Attackers downgrade the SD-WAN software to reintroduce CVE-2022-20775, a CLI path traversal vulnerability. This allows escalation from administrative access to root privileges.

    Persistence and Covering Tracks
    After obtaining root access, attackers restore the system to the original software version to conceal the downgrade. The actor establishes persistence through:
      • Unauthorized SSH keys
      • Creation and deletion of local user accounts
      • Modification of startup scripts
      • Rogue SD-WAN control connections
    Logs and command histories are frequently cleared or truncated to reduce forensic evidence.

    Observed Post-Compromise Activity

    Investigations identified several behaviors associated with successful compromise:
      • Addition of rogue SD-WAN control peers to the network fabric.
      • Creation of malicious or impersonated local user accounts.
      • Deployment of unauthorized SSH keys in:
          /home/root/.ssh/authorized_keys
          /home/vmanage-admin/.ssh/authorized_keys
      • Enabling root SSH login by modifying SSH configuration.
      • Clearing or truncating logs including: syslog, wtmp, lastlog, cli-history, bash_history
      • Unexplained software version downgrades followed by re-upgrades.
      • Unusual control-plane peering events originating from unknown IP addresses.

    Threat actors also leveraged NETCONF (port 830) and SSH to move laterally between SD-WAN components within the management plane.

    Impact

    Cisco Catalyst SD-WAN components operate within the network control plane and manage connectivity between distributed sites and cloud environments. Compromise of these systems can allow attackers to:
      • Modify routing and network policies
      • Intercept or redirect traffic
      • Maintain persistent access to enterprise networks
      • Use the SD-WAN fabric as a foothold for broader compromise

    Organizations operating internet-exposed SD-WAN management interfaces are considered at highest risk.

    Government and Industry Response

    Multiple government cybersecurity agencies issued joint advisories warning of ongoing exploitation. U.S. federal agencies were directed to immediately inventory and patch affected SD-WAN deployments due to the risk posed to critical infrastructure and government networks.

    The vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog, requiring rapid remediation within federal environments.

    Detection and Threat Hunting Guidance

    Defenders are advised to investigate:
      • Unexpected SD-WAN control-plane peering events
      • Unknown public IP addresses establishing controller connections
      • Root logins or SSH key changes on SD-WAN nodes
      • Missing or abnormally small log files
      • Evidence of temporary software downgrades followed by re-upgrades

    Manual validation of control connection events in SD-WAN logs is considered a critical indicator of potential exploitation.

    Mitigation

    Recommended defensive actions include:
      • Immediately applying Cisco patches for affected SD-WAN components.
      • Reviewing controller logs for unauthorized peering connections.
      • Restricting access to management interfaces and SD-WAN control ports.
      • Blocking unnecessary internet exposure of SD-WAN controllers.
      • Implementing Cisco’s SD-WAN hardening guidance and continuous log monitoring.

    Organizations are strongly advised to assume potential compromise if indicators described in the advisories are present.

    Sources:
      https://blog.talosintelligence.com/uat-8616-sd-wan/
      https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
      https://www.tenable.com/blog/cve-2026-20127-cisco-catalyst-sd-wan-controllermanager-zero-day-authentication-bypass
      https://www.cve.org/CVERecord?id=CVE-2026-20127
      https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
  • XMR reached $800 (x2) in 5 days

    1
    1
    0 Votes
    1 Posts
    384 Views
    No one has replied
  • xiaopan forum

    1
    0 Votes
    1 Posts
    293 Views
    No one has replied
  • wordlists for a specific country

    3
    0 Votes
    3 Posts
    555 Views
    A1131A
    CN passwords International
  • Wordpress v6.8 Bcrypt - hmac-sha384

    1
    1 Votes
    1 Posts
    1k Views
    No one has replied
  • any one have database to brute for learning proposes?

    2
    0 Votes
    2 Posts
    708 Views
    D
    A "clean one" I mean that not all third people have it. I had a couple but that was a long time ago. So if you please. I will be thankful.
  • hashcat GPU benchmarks

    14
    0 Votes
    14 Posts
    4k Views
    cycloneC
    hashcat v7.0.0+4.2 benchmark (updated 2025/08/02@16:25)

    # gpu: nvidia rtx 4090
    # manufacture: msi
    # model: suprim liquid x
    # settings: 450w stock settings
    # vbios: 95.02.18.00.52
    # 08/02/2025
    # NVIDIA-SMI 575.57.08
    # CUDA Version: 12.9.1
    # hashcat (v7.0.0+4.2)

    ./hashcat.bin -b
    hashcat (v7.0.0-4-g9727714cf) starting in benchmark mode

    Benchmarking uses hand-optimized kernel code by default.
    You can use it in your cracking session by setting the -O option.
    Note: Using optimized kernel code limits the maximum supported password length.
    To disable the optimized kernel code in benchmark mode, use the -w option.

    Initializing bridges. Please be patient...Initialized bridges
    Initializing backend runtimes. Please be patient...Initialized backend runtimes
    Initializing backend devices. Please be patient...Initialized backend devices

    CUDA API (CUDA 12.9)
    ====================
    * Device #01: NVIDIA GeForce RTX 4090, 23688/24080 MB, 128MCU

    OpenCL API (OpenCL 3.0 CUDA 12.9.76) - Platform #1 [NVIDIA Corporation]
    =======================================================================
    * Device #02: NVIDIA GeForce RTX 4090, skipped

    Benchmark relevant options:
    ===========================
    * --backend-devices=2
    * --backend-devices-virtmulti=1
    * --backend-devices-virthost=1
    * --optimized-kernel-enable

    -------------------
    * Hash-Mode 0 (MD5)
    -------------------
    Speed.#01........: 164.2 GH/s (90.81ms) @ Accel:128 Loops:1024 Thr:896 Vec:8

    ----------------------
    * Hash-Mode 100 (SHA1)
    ----------------------
    Speed.#01........: 58208.9 MH/s (73.51ms) @ Accel:64 Loops:1024 Thr:512 Vec:1

    ---------------------------
    * Hash-Mode 1400 (SHA2-256)
    ---------------------------
    Speed.#01........: 21947.7 MH/s (91.50ms) @ Accel:15 Loops:1024 Thr:1024 Vec:4

    ---------------------------
    * Hash-Mode 1700 (SHA2-512)
    ---------------------------
    Speed.#01........: 7476.6 MH/s (89.57ms) @ Accel:8 Loops:1024 Thr:640 Vec:1

    -------------------------------------------------------------
    * Hash-Mode 22000 (WPA-PBKDF2-PMKID+EAPOL) [Iterations: 4095]
    -------------------------------------------------------------
    Speed.#01........: 2574.3 kH/s (88.52ms) @ Accel:7 Loops:1024 Thr:1024 Vec:1

    -----------------------
    * Hash-Mode 1000 (NTLM)
    -----------------------
    Speed.#01........: 284.1 GH/s (73.54ms) @ Accel:192 Loops:1024 Thr:896 Vec:8

    ---------------------
    * Hash-Mode 3000 (LM)
    ---------------------
    Speed.#01........: 155.7 GH/s (95.78ms) @ Accel:448 Loops:1024 Thr:256 Vec:1

    --------------------------------------------
    * Hash-Mode 5500 (NetNTLMv1 / NetNTLMv1+ESS)
    --------------------------------------------
    Speed.#01........: 158.2 GH/s (77.39ms) @ Accel:96 Loops:1024 Thr:1024 Vec:1

    ----------------------------
    * Hash-Mode 5600 (NetNTLMv2)
    ----------------------------
    Speed.#01........: 11696.0 MH/s (89.49ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1

    --------------------------------------------------------
    * Hash-Mode 1500 (descrypt, DES (Unix), Traditional DES)
    --------------------------------------------------------
    Speed.#01........: 6321.6 MH/s (84.67ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1

    ------------------------------------------------------------------------------
    * Hash-Mode 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)) [Iterations: 1000]
    ------------------------------------------------------------------------------
    Speed.#01........: 70840.0 kH/s (96.54ms) @ Accel:56 Loops:1000 Thr:1024 Vec:1

    ----------------------------------------------------------------
    * Hash-Mode 3200 (bcrypt $2*$, Blowfish (Unix)) [Iterations: 32]
    ----------------------------------------------------------------
    Speed.#01........: 248.8 kH/s (95.61ms) @ Accel:8 Loops:32 Thr:24 Vec:1

    --------------------------------------------------------------------
    * Hash-Mode 1800 (sha512crypt $6$, SHA512 (Unix)) [Iterations: 5000]
    --------------------------------------------------------------------
    Speed.#01........: 1210.2 kH/s (85.52ms) @ Accel:4 Loops:1000 Thr:1024 Vec:1

    --------------------------------------------------------
    * Hash-Mode 7500 (Kerberos 5, etype 23, AS-REQ Pre-Auth)
    --------------------------------------------------------
    Speed.#01........: 3642.8 MH/s (95.91ms) @ Accel:334 Loops:256 Thr:32 Vec:1

    -------------------------------------------------
    * Hash-Mode 13100 (Kerberos 5, etype 23, TGS-REP)
    -------------------------------------------------
    Speed.#01........: 3551.8 MH/s (96.00ms) @ Accel:326 Loops:256 Thr:32 Vec:1

    ---------------------------------------------------------------------------------
    * Hash-Mode 15300 (DPAPI masterkey file v1 (context 1 and 2)) [Iterations: 23999]
    ---------------------------------------------------------------------------------
    Speed.#01........: 463.4 kH/s (82.19ms) @ Accel:7 Loops:1000 Thr:1024 Vec:1

    ---------------------------------------------------------------------------------
    * Hash-Mode 15900 (DPAPI masterkey file v2 (context 1 and 2)) [Iterations: 12899]
    ---------------------------------------------------------------------------------
    Speed.#01........: 262.2 kH/s (76.61ms) @ Accel:4 Loops:512 Thr:1024 Vec:1

    ------------------------------------------------------------------
    * Hash-Mode 7100 (macOS v10.8+ (PBKDF2-SHA512)) [Iterations: 1023]
    ------------------------------------------------------------------
    Speed.#01........: 3273.1 kH/s (79.01ms) @ Accel:4 Loops:512 Thr:1024 Vec:1

    ---------------------------------------------
    * Hash-Mode 11600 (7-Zip) [Iterations: 16384]
    ---------------------------------------------
    Speed.#01........: 2231.6 kH/s (91.80ms) @ Accel:17 Loops:4096 Thr:512 Vec:1

    ------------------------------------------------
    * Hash-Mode 12500 (RAR3-hp) [Iterations: 262144]
    ------------------------------------------------
    Speed.#01........: 287.1 kH/s (71.10ms) @ Accel:5 Loops:16384 Thr:512 Vec:1

    --------------------------------------------
    * Hash-Mode 13000 (RAR5) [Iterations: 32799]
    --------------------------------------------
    Speed.#01........: 278.7 kH/s (85.27ms) @ Accel:12 Loops:1024 Thr:512 Vec:1

    --------------------------------------------------------------------------------
    * Hash-Mode 6211 (TrueCrypt RIPEMD160 + XTS 512 bit (legacy)) [Iterations: 1999]
    --------------------------------------------------------------------------------
    Speed.#01........: 1989.6 kH/s (90.02ms) @ Accel:6 Loops:500 Thr:1024 Vec:1

    -----------------------------------------------------------------------------------
    * Hash-Mode 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES)) [Iterations: 24569]
    -----------------------------------------------------------------------------------
    Speed.#01........: 332.1 kH/s (82.05ms) @ Accel:10 Loops:1024 Thr:512 Vec:1

    -------------------------------------------------------------------
    * Hash-Mode 6800 (LastPass + LastPass sniffed) [Iterations: 100099]
    -------------------------------------------------------------------
    Speed.#01........: 92374 H/s (86.89ms) @ Accel:8 Loops:1024 Thr:768 Vec:1

    --------------------------------------------------------------------
    * Hash-Mode 11300 (Bitcoin/Litecoin wallet.dat) [Iterations: 200459]
    --------------------------------------------------------------------
    Speed.#01........: 34141 H/s (78.29ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1

    Started: Sat Aug 2 16:11:47 2025
    Stopped: Sat Aug 2 16:19:10 2025
  • Hello, how can I contact sir Cyclone?

    Moved
    2
    0 Votes
    2 Posts
    433 Views
    cycloneC
    First, make sure to read through the Forum Rules: https://forum.hashpwn.net/topic/27/welcome-to-hashpwn-start-here

    There are several ways to contact me:
      • Reply to this Topic with your question
      • Chat with me here on hashpwn: https://forum.hashpwn.net/user/cyclone
      • Message me on Matrix: https://forum.hashpwn.net/post/138
  • Systems Programming: Memory Safety

    Solved
    2
    0 Votes
    2 Posts
    759 Views
    cycloneC
    Thanks to everyone who played along! Rust is the clear favorite out of the 59 responses. https://www.rust-lang.org/ With Zig trailing behind for second place. https://ziglang.org/
  • Fake "Security Alert" issues being posted on GitHub

    2
    0 Votes
    2 Posts
    324 Views
    cycloneC
    Update: The fake issue posted by djiazz, and the user's account have been removed from GitHub.

    GitHub's response:
    ...Our review of the account named in your report has concluded. We have determined that one or more violations of GitHub’s Terms of Service have occurred and have taken appropriate action in response...

    Full response:
    GitHub (GitHub Support)
    Mar 16, 2025, 9:27 PM UTC

    Hi cyclone,

    Our review of the account named in your report has concluded. We have determined that one or more violations of GitHub’s Terms of Service have occurred and have taken appropriate action in response.

    Please note that our response to abuse on GitHub varies depending on the exact circumstances of each case, as noted in our Community Guidelines: What happens if someone violates GitHub's Policies

    Additional information on dealing with offensive users or content can be found here: What if something or someone offends you?

    Thank you for helping create a safe and welcoming environment for software developers.

    Regards,
    GitHub Trust & Safety
  • JetKVM - SSH password-auth w/insecure default root password

    2
    15
    2 Votes
    2 Posts
    979 Views
    cycloneC
    GitHub Repo Updates:
      • 2025/02/22 - Issue: jetkvm/kvm https://github.com/jetkvm/kvm/issues/187
      • 2025/02/24 - Issue: jetkvm/rv1106-system https://github.com/jetkvm/rv1106-system/issues/6
      • 2025/02/24 - PR: jetkvm/rv1106-system https://github.com/jetkvm/rv1106-system/pull/7
      • 2025/02/24 - PR: chemhack removed default root password "rockchip" https://github.com/jetkvm/rv1106-system/pull/8
  • Solflare Crypto Wallet Vulnerability - "xpass exploit"

    14
    2
    1 Votes
    14 Posts
    2k Views
    cycloneC
    New GitHub Release: https://forum.hashpwn.net/post/434
  • Makemore for password candidate / rule generation

    2
    1 Votes
    2 Posts
    337 Views
    0
    Just wanted to stop by and say thanks for giving the challenge a go. Your uploads were a fun surprise also, as it's still on the down low :). Made my day, cheers.
  • GPU / Cracking Hardware in Signature

    6
    2 Votes
    6 Posts
    773 Views
    6
    Updated mine just now.
  • Happy New Year!

    2
    3 Votes
    2 Posts
    215 Views
    6
    And the same to you.
  • Benchmarking different speeds when I actually run it.

    2
    0 Votes
    2 Posts
    286 Views
    R
    Update. I solved the issue: I put -O in the command line.
  • Customized hashcat that can run on v0 blockchain.info wallet?

    1
    0 Votes
    1 Posts
    165 Views
    No one has replied
  • Happy Holidays All 🙂

    4
    1 Votes
    4 Posts
    455 Views
    PlumP
    Merry Christmas and Happy New Year everyone!
  • Help Setting up Phantom tool

    2
    0 Votes
    2 Posts
    378 Views
    cycloneC
    First, you'll need to compile the source code as specified in the GitHub README under Compile from source: https://github.com/cyclone-github/phantom_pwn/blob/main/README.md

    For your reference, I've included this below:

    Compile from source:
    This assumes you have Go and Git installed

      git clone https://github.com/cyclone-github/phantom_pwn.git

    phantom_extractor

      cd phantom_pwn/phantom_extractor
      go mod init phantom_extractor
      go mod tidy
      go build -ldflags="-s -w" .

    phantom_decryptor

      cd phantom_pwn/phantom_decryptor
      go mod init phantom_decryptor
      go mod tidy
      go build -ldflags="-s -w" .

    Compile from source code how-to: https://github.com/cyclone-github/phantom_pwn/blob/main/README.md

    Note: all of my crypto wallet *_pwn toolsets are similar in how to compile the binaries, extract crypto wallet hashes and decrypting / cracking them.

    Once you have the extractor and decryptor compiled, you'll need to run the extractor by pointing it at the directory with your wallet vault:

      phantom_extractor path/to/your/wallet

    Once the wallet hash has been extracted, save this to a file such as phantom.txt, then run phantom_decryptor with your phantom.txt and wordlist. This is similar to how you would run hashcat, jtr or mdxfind, but mind the specific -h {hash} and -w {wordlist} CLI commands below:

      phantom_decryptor -h phantom.txt -w wordlist.txt

    Running these toolsets requires a prior knowledge of CLI tools. If you're still stumped, send me a DM and I'll walk you through the process.
  • The theme for the forum. Private chats of users.

    7
    0 Votes
    7 Posts
    1k Views
    cycloneC
    @oe3p32wedw Rep added. You can send me a DM here on the forum or on Matrix: https://forum.hashpwn.net/topic/65/matrix-encrypted-chat-info
