If You Run Cisco SD-WAN, Fortinet, Oracle PeopleSoft, or Cisco ASA — You Are Running the Four Most Actively Exploited Products Right Now
- Patrick Duggan
Not historically. Right now. CISA says so. The patch deadlines are already past.
Four technology products account for the majority of active exploitation activity in the last thirty days. Two of the four are Cisco. The other two are Fortinet and Oracle. If you run any of these, you are not facing a theoretical risk. You are facing adversaries who are currently inside organizations that run the same software you do.
Here is what is happening with each.
Cisco Catalyst SD-WAN Manager — Seven Zero-Days in Thirteen Months
CVE-2026-20262 hit the CISA Known Exploited Vulnerabilities catalog on June 15. The federal remediation deadline is June 29. Cisco confirmed limited active exploitation in targeted attacks. That is the seventh CVE on Cisco Catalyst SD-WAN Manager in thirteen months.
The shape of this product line is the problem, not the individual CVEs. SD-WAN Manager is the brain of the network — the single console that pushes configuration to every edge device in the fabric. When we mapped the May chain, the path was clear: chain four independent CVEs and you walk from an anonymous HTTP request to administrative control over every router that Manager touches. You do not need to compromise each device individually. You compromise the brain once.
Seven independent flaws in thirteen months means the product is being systematically hunted by multiple actors who have determined that its architectural position makes it worth the research investment. CVE-2026-20245, CVE-2026-20262, and four others before them — the catalog keeps growing because the target keeps delivering access at scale.
If you run Cisco Catalyst SD-WAN Manager and you have not applied the June patch, you have a federally-confirmed actively-exploited vulnerability in the one system that controls your entire edge routing fabric. That sentence should not require elaboration.
Fortinet — FortiBleed and the Open Perimeter
FortiBleed is the name attached to a campaign that has been running since at least February 2026. Eighty-six thousand FortiGate firewalls and FortiProxy VPN gateways with confirmed working administrative usernames and passwords, collected across 194 countries by a Russian-speaking crew through a combination of eight years of unpatched CVEs and a patch that did not re-hash existing credentials.
The mechanism is worth understanding. Fortinet patched a directory traversal vulnerability in 2022. The fix closed the traversal. It did not invalidate the credentials that had already been extracted via the traversal before patching. Organizations that patched the CVE were still running with compromised admin credentials because the patch did not force a credential rotation. The crew behind FortiBleed understood this and built a collection that spans four years of unpatched and post-patch-but-still-exposed environments simultaneously.
On May 13, 2026, Fortinet patched CVE-2026-44277 — a pre-authentication remote code execution vulnerability in FortiAuthenticator, the appliance that issues authentication tokens, federates with SSO, and stamps "approved" on every VPN session and network access request. Pre-authentication means no credentials are required to achieve code execution. On the box that decides who gets onto your network.
The perimeter firewall exists to be the door. FortiBleed demonstrated that the door has been left open at 86,000 organizations. CVE-2026-44277 demonstrated that the authentication layer behind the door has the same problem. Both in the same thirty-day window.
Oracle PeopleSoft — [CVE-2026-35273](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-35273) and 100 Organizations in a Single Month
CVE-2026-35273 is an Oracle PeopleSoft zero-day. ShinyHunters exploited it against more than one hundred organizations in June 2026 alone. The primary confirmed victims were in education — Canvas/Instructure was the public case — but PeopleSoft runs HR, finance, and student systems across healthcare, government, and enterprise at global scale.
The exploitation pattern is straightforward. Organizations exposed PeopleSoft login pages to the internet. The CVE allowed unauthenticated access. ShinyHunters automated the discovery and exploitation at scale, chaining the zero-day into their established data exfiltration and extortion pipeline.
The reach of this CVE into adjacent sectors is still expanding. Healthcare organizations running PeopleSoft for HR or finance — Baxter, Humana, McKesson, Blackboard among others — have confirmed PeopleSoft subdomains in public DNS. The same zero-day that hit education is sitting in front of healthcare IT infrastructure right now.
Cisco ASA — The Pre-Auth RCE Chain on the VPN Gateway
CVE-2025-20333 and CVE-2025-20362. Buffer overflow in the VPN web services of Cisco ASA. Pre-authentication remote code execution when chained. CISA added both to the Known Exploited Vulnerabilities catalog on May 13, 2026.
The threat actor on this platform is ArcaneDoor, tracked by Microsoft as UAT4356, assessed with high confidence as a Chinese nation-state operation. ArcaneDoor has been systematically targeting network edge appliances — the devices that handle VPN termination, remote access, and perimeter inspection — with custom implants that survive firmware updates. The ASA pre-auth RCE chain is the entry point. The objective is persistence and intelligence collection on organizations running critical infrastructure.
We named ArcaneDoor on the Cisco ASA platform on March 17. CISA added the CVEs fifty-seven days later. The federal remediation deadline has passed.
The Compound Picture
Cisco appears twice because it is the networking incumbent across most enterprise environments. SD-WAN Manager and ASA address different parts of the same infrastructure — the routing fabric and the remote access gateway — and both are under active exploitation by different threat actors simultaneously. That is not coincidence. It is the result of systematic research against the dominant network vendor.
Fortinet occupies the perimeter security stack. Oracle PeopleSoft occupies the enterprise HR and finance layer. The four products together cover the networking layer, the perimeter security layer, the remote access layer, and the business application spine. An adversary who achieves access through any one of them has a foothold in a functionally different part of the environment than the others.
The CISA federal patch deadlines for these CVEs range from June 29 backward. If you are a federal civilian agency, you are already past several of them. If you are everyone else, the active-exploitation flag on each of these products is the operationally relevant signal, not the deadline.
Patch. Credential-rotate. Verify the patch actually closed the vulnerability and did not leave previously exfiltrated credentials valid. The FortiBleed lesson applies more broadly than Fortinet.
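The post-patch credential gap described in the FortiBleed section and the "patch, rotate, verify" closing advice can be turned into a simple inventory check. The following is an added example, not code from the post or from any vendor; the appliance and account records, hostnames and dates are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical inventory records (constructed for this example).
@dataclass
class Admin:
    name: str
    password_changed: date      # last time this credential was rotated

@dataclass
class Appliance:
    host: str
    patched_on: Optional[date]  # None: the fix has not been applied
    admins: List[Admin]

def triage(inventory: List[Appliance]) -> Tuple[List[str], List[str]]:
    """Return (hosts still unpatched, 'host/account' credentials to rotate).

    A patch closes the bug but does not revoke what was already read through it,
    so any admin credential set on or before the day the patch landed could have
    been harvested while the hole was open and is still valid today.
    """
    unpatched, rotate = [], []
    for box in inventory:
        if box.patched_on is None:
            unpatched.append(box.host)
            # Nothing on an unpatched box can be trusted; rotate all of it after patching.
            rotate.extend(f"{box.host}/{a.name}" for a in box.admins)
            continue
        for a in box.admins:
            # Same-day changes count too: ordering within the day is unknown.
            if a.password_changed <= box.patched_on:
                rotate.append(f"{box.host}/{a.name}")
    return sorted(unpatched), sorted(rotate)

# Constructed sample inventory; hostnames and dates are illustrative only.
SAMPLE = [
    Appliance("fw-edge-01", date(2026, 5, 20),
              [Admin("admin", date(2022, 11, 2)), Admin("soc-ro", date(2026, 6, 1))]),
    Appliance("fw-edge-02", None, [Admin("admin", date(2026, 5, 25))]),
    Appliance("vpn-gw-03", date(2026, 5, 20), [Admin("admin", date(2026, 5, 20))]),
]

if __name__ == "__main__":
    unpatched, rotate = triage(SAMPLE)
    print("unpatched:", unpatched)
    print("rotate:", rotate)
```

The account on fw-edge-01 that was last changed in 2022 is the FortiBleed case: the box is patched, yet the credential predates the patch and stays valid until someone rotates it.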
Sources:
- CISA KEV — CVE-2026-20262
- DugganUSA — Seven Cisco SD-WAN Zero-Days
- DugganUSA — Pattern 53 / FortiBleed
- DugganUSA — Cisco ASA 57-day lead
- CISA KEV — June 9 additions