
A Hospital Fell to LockBit This Weekend While CISA Cataloged Cisco's SD-WAN Brain as a Weapon. Same Story. Here's the Hunt-Tonight So You're Not the Next Sierra Vista.

  • Writer: Patrick Duggan
  • 7 minutes ago
  • 4 min read

Two things happened while most of the country was asleep this weekend, and the security press is filing them as two stories. They are one story. Story one: Sierra Vista Hospital went down to LockBit, one of fifteen-plus organizations posted to ransomware leak sites in a forty-eight-hour window — a weekend surge from Akira, Play, Qilin, Brain Cipher, and LockBit, the exact Saturday-strike behavior we have been documenting since "35 Ransomware Victims in 48 Hours, Happy Easter." Story two: overnight, CISA promoted a cluster of Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities catalog — CVE-2026-20122, 20127, 20128, 20133, and 20182 — on top of the unpatched, actively-exploited CVE-2026-20245 we wrote about Friday. A hospital fell, and a network's brain got officially labeled a weapon, in the same overnight. If you think those are unrelated, you are reading the wrong half of the page.


Here is why they are the same story, and it is the shape we have drawn over and over this year. Cisco Catalyst SD-WAN Manager — vManage — is not an edge device. It is the console that pushes configuration to every edge device in the fabric. It is the brain. The CVE cluster CISA just cataloged includes authentication bypasses that let an unauthenticated remote attacker obtain administrative privileges by sending crafted requests, plus privilege-escalation and credential-exposure flaws that chain behind them. Translated: an anonymous request on the internet becomes admin on the box that controls every router you own. We mapped this in May when the first four CVEs landed — "chain them and you go from anonymous HTTP request to owning every router in the fabric" — and Friday's zero-day plus this weekend's KEV cluster are the federal catalog finally agreeing with the map. The brain is full of holes, the holes are exploited, and one of them has no patch.


Now connect it to the hospital, because the connection is not a leap, it is a rerun. In March we published "They Had 36 Days. Cisco Had Zero." — Interlock ransomware exploited a Cisco Secure Firewall Management Center zero-day, CVE-2026-20131, for thirty-six days before Cisco disclosed it, and used it to hit hospitals and the city of Saint Paul. Amazon found it, not Cisco. The pattern is mechanical: an internet-facing Cisco management appliance with an unauthenticated flaw becomes the foot in the door, a ransomware crew walks through it, and because the target is a hospital and the timing is a weekend, the leverage is maximal and the defenders are minimal. Akira, the gang riding second only to Qilin in volume right now, specializes in exactly this — Cisco edge and VPN flaws as initial access. The SD-WAN Manager cluster is a fresh set of those doors, cataloged the same weekend a hospital went dark. Sierra Vista is the receipt for a pattern, not an outlier.


So here is the protective part, the reason we publish these on a Saturday instead of waiting for a tidy Monday. If you run Cisco Catalyst SD-WAN Manager, or FMC, or any management console for your network edge, do this hunt tonight, not after the weekend:


First, find out if your SD-WAN Manager administrative interface is reachable from the internet. It should not be. The single highest-value move you can make in the next ten minutes is to confirm that vManage's admin plane is behind a VPN or an allowlist and not answering crafted requests from the open web. Every one of these auth-bypass CVEs assumes the attacker can reach the interface. Take that assumption away and most of the cluster dies.


Second, patch what has a patch and restrict what does not. The KEV'd CVEs have fixes — apply them on the emergency timeline, not the quarterly one. CVE-2026-20245 does not have a patch yet, which means access restriction is your only control, which means step one is not optional.


Third, hunt for the exploitation pattern, not just the signature. Look for anomalous administrative sessions on vManage, unexpected configuration pushes to edge devices, new or unfamiliar peering requests, and credential-file access by low-privileged accounts. The chain ends in a config push to every router; an unexplained push is the loudest alarm you have.


Fourth, block the ransomware infrastructure before it blocks you. We have published free, copy-paste IOC packs and five-minute block guides for exactly this class of threat — "Your Cisco ASA Is Getting Popped Right Now" walks the blocks across OPNsense, Zscaler, Splunk ES, Palo Alto, and Cisco ISE — and our STIX feed carries the indicators for the active ransomware crews at no cost. Defenders should not have to buy the thing that stops the thing.
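As an added example (not the post's own tooling, not Cisco code, and not Cisco's real log schema), here is the step-one and step-three hunt written out in Python over a handful of constructed audit events: admin sessions from outside the allowlist, weekend admin logins, unexplained configuration pushes, and credential-file reads by low-privileged accounts. The allowlist range, the approved-pusher accounts and the credential path prefix are placeholders to replace with your own.

```python
import ipaddress
from datetime import datetime

# Placeholders for this example: the jump-host range from which admin logins
# are legitimate, the accounts allowed to push config, and where credential
# material lives. None of these are Cisco defaults.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
APPROVED_PUSHERS = {"netops-svc", "alice"}
CREDENTIAL_PREFIX = "/var/secrets/"

# Constructed sample events in a made-up schema, not vManage's own log format.
SAMPLE_EVENTS = [
    {"ts": "2026-06-06T03:12:44", "type": "admin_login", "user": "admin",
     "role": "admin", "src": "203.0.113.7"},
    {"ts": "2026-06-06T03:15:02", "type": "config_push", "user": "admin",
     "targets": 412, "change_id": None},
    {"ts": "2026-06-06T03:16:30", "type": "file_read", "user": "helpdesk",
     "role": "viewer", "path": "/var/secrets/creds.db"},
    {"ts": "2026-06-04T10:00:00", "type": "admin_login", "user": "alice",
     "role": "admin", "src": "10.20.0.5"},
    {"ts": "2026-06-04T10:05:00", "type": "config_push", "user": "alice",
     "targets": 3, "change_id": "CHG-1001"},
]

def on_allowlist(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_ALLOWLIST)

def hunt(events):
    """Return (rule, user, detail) findings, oldest event first."""
    findings = []
    suspect = set()  # users whose admin session already looked wrong
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "admin_login":
            if not on_allowlist(e["src"]):
                findings.append(("admin_login_off_allowlist", e["user"], e["src"]))
                suspect.add(e["user"])
            if ts.weekday() >= 5:  # Saturday/Sunday: the strike window
                findings.append(("weekend_admin_login", e["user"], e["ts"]))
        elif e["type"] == "config_push":
            # A push without a change ticket, by an unapproved account, or by a
            # user whose session was already anomalous is the loudest alarm.
            unexplained = e["user"] not in APPROVED_PUSHERS or not e.get("change_id")
            if unexplained or e["user"] in suspect:
                findings.append(("unexplained_config_push", e["user"],
                                 f"{e['targets']} devices, change={e.get('change_id')}"))
        elif e["type"] == "file_read":
            if e["path"].startswith(CREDENTIAL_PREFIX) and e["role"] != "admin":
                findings.append(("credential_access_low_priv", e["user"], e["path"]))
    return findings
```

Feed it your exported audit events mapped onto the same fields; the rules are deliberately independent so one unexplained push still fires even when the login that preceded it was missed.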


The honest cap, 95% as always: we cannot tell you that you are not already inside the window Cisco's FMC customers lived in for thirty-six days, because the nature of an exploited-before-disclosure flaw is that the clock started before anyone told you. We cannot promise the SD-WAN cluster is the last set of edge doors this quarter — it will not be, because the edge appliance is the foot in the door and every appliance is a foot. What we can tell you is that the door has a name, the pattern has a name, the weekend is when they use it, and the hunt is free. A hospital already paid the demonstration cost this weekend. Spend ten minutes tonight so the next one isn't you.





