Cisco SD-WAN Zero-Day Exploitation and the Rise of AI-Driven Cyber Threats

Introduction

Cybersecurity continues to present complex challenges, with threat actors showing increasing sophistication. Recent weeks highlighted a critical Cisco Catalyst SD-WAN Controller vulnerability, actively exploited as a zero-day. A concerning npm supply chain attack involving the node-ipc package also occurred. These incidents show persistent weaknesses in digital infrastructure and the need for continuous security adaptation.

AI is transforming offensive capabilities beyond traditional attack vectors. New platforms, such as EvilTokens, use AI to automate and enhance phishing campaigns, bypassing established defenses. Vulnerabilities in AI orchestration frameworks, like PraisonAI, are rapidly exploited following public disclosure, showing emerging risks in AI-driven development.

This analysis details these developments, their mechanisms, and broader implications. Understanding these events helps organizations handle the current threat environment and strengthen defenses against advanced cyber attacks.

What is the Cisco Catalyst SD-WAN Zero-Day Exploitation (CVE-2026-20182)?

A critical authentication bypass flaw, identified as CVE-2026-20182, affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in both on-premises and cloud deployments. This vulnerability, with a maximum severity rating of 10.0, was actively exploited in zero-day attacks. Attackers used the flaw to gain administrative privileges on compromised devices.

Cisco disclosed that the issue originates from a malfunctioning peering authentication mechanism within the affected systems. Attackers could exploit this by sending crafted requests, enabling them to log in as an internal, high-privileged, non-root user. Access to NETCONF via this account then allowed manipulation of network configuration for the SD-WAN fabric. PurpleOps previously detailed similar attacks and their impact in articles such as CVE-2026-20127: Cisco SD-WAN Vulnerability Exploited Since 2023 and Cisco SD-WAN Exploitation: A Deep Dive into Recent Vulnerabilities.

Cisco detected active exploitation of CVE-2026-20182 in May 2026. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected devices by May 17, 2026. This urgency shows the immediate risk posed by the vulnerability. Organizations should review logs from internet-exposed Catalyst SD-WAN Controller systems for indicators of compromise (IOCs).

IOCs include:

  • Entries in /var/log/auth.log showing "Accepted publickey for vmanage-admin" from unknown IP addresses.
  • Unauthorized peering activity in SD-WAN Controller logs, indicating attempts to register rogue devices within the SD-WAN fabric.

Such unauthorized peering events can allow an attacker to insert a malicious device that appears legitimate, establishing encrypted connections and advertising networks under their control, moving deeper into an organization's network. This vulnerability mirrors aspects of the Cisco Catalyst SD-WAN zero-day previously explored in our discussions, for instance, on the Cisco SD-WAN zero-day.

What are the Risks of the node-ipc Credential Stealer?

A supply chain attack recently impacted the widely used Node.js library node-ipc, leading to the publication of malicious versions on npm. Versions 9.1.6, 9.2.3, and 12.0.1 were released by a compromised maintainer account, atiertant, on May 14, 2026. These versions contained an 80KB obfuscated payload appended to node-ipc.cjs, designed to steal sensitive files.

The attacker gained control of the atiertant account, which maintains approximately 20 other npm packages. The simultaneous release across multiple version lines, with 12.0.1 tagged as latest, ensured widespread infection. This allowed the compromised code to run as a side effect when node-ipc.cjs was required. Monitoring such widely used packages for supply-chain risk is critical for developer security.

The payload's function is to steal over 100 categories of sensitive files. These include:

  • SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519
  • Cloud provider credentials: ~/.aws/credentials, ~/.azure/accessTokens.json, ~/.config/gcloud/application_default_credentials.json
  • Development environment secrets: **/.env, ~/.npmrc, ~/.git-credentials
  • Kubernetes configurations: ~/.kube/config, /etc/rancher/k3s/k3s.yaml
  • AI tool configurations: ~/.claude.json, .kiro/settings/mcp.json

The stolen data is exfiltrated as HMAC-signed, gzipped tar archives via DNS tunneling. This technique is designed to bypass common egress firewalls and network monitoring. The command and control (C2) endpoint used is sh[.]azurestaticprovider[.]net:443, mimicking legitimate Azure infrastructure. This sophisticated evasion of breach detection shows the adversary's tactical development.

The malware ensures persistence by forking a detached child process, continuing execution even after the parent Node.js process exits. This allows ample time for file collection and DNS exfiltration. The inclusion of AI tool configurations among targeted credentials indicates that threat actors are adapting to new technological trends. Organizations must strictly monitor supply-chain risk and review dependency management processes to prevent similar incidents.

How does EvilTokens Turbocharge Phishing with AI?

EvilTokens is a phishing-as-a-service (PhaaS) platform that uses AI to enhance device code phishing attacks and enables successful multi-factor authentication (MFA) bypass. This platform, available on Telegram channels for a fee, automates the creation and execution of sophisticated phishing campaigns. The attack capitalizes on legitimate Microsoft authentication flows.

In a device code phishing scenario, attackers initiate an authentication process and then send a phishing email containing a valid device code. Users, following typical security training, enter this code on a genuine Microsoft page, inadvertently granting the attacker a fully valid session token. This bypasses both passwords and MFA, as the user performs a seemingly correct authentication for the wrong session.

AI integration within EvilTokens provides several enhancements:

  • AI-generated lures: Role-specific and contextually relevant phishing emails (e.g., construction bids, DocuSign impersonations) are created at machine speed. This personalization increases their efficacy.
  • Dynamic code generation: Device codes are generated the moment a user lands on a phishing page, eliminating previous timing windows that limited such attacks.
  • Post-compromise automation: After token capture, the platform scans victim inboxes, calendars, and documents. This context is used to generate convincing follow-on attacks, such as wire fraud emails drafted in the victim's own voice and sent within minutes.

Traditional email defenses, including Cisco Secure Email, Trend Micro, and Mimecast, often fail to detect these attacks. The emails appear legitimate, URLs are clean, and authentication flows are genuine, making breach detection challenging at network and endpoint layers. The threat is primarily visible at the identity and behavior layers. This new automation in phishing operations demonstrates a significant shift in attack capabilities. Specialized dark web monitoring and underground forum intelligence are useful here.

What is the Impact of the British Airways Alleged Breach?

The Infrastructure Destruction Squad, also known as Dark Engine, a pro-Russian hacktivist group, claimed to have breached British Airways' servers and systems. In a post on Telegram channels, the group asserted access to "highly sensitive information" from medical servers and the Crew Portal. This marks another significant incident for the airline, following its involvement in the 2023 MOVEit supply chain attack.

The threat actors claim to have accessed the Crew Portal using a compromised individual account, granting them entry to the admin control panel. This access allegedly exposed various types of data:

  • Crew and pilot information: Including schedules, sick leave data, employee names, reasons for leave, supervisor approvals, and AI confidence levels used to evaluate leave request validity.
  • Medical data: Sensitive medical training files, genetic diseases, and health-related files exposed through the Cognino AI 360 data analysis and knowledge management platform.
  • API keys: For insurance and financial services, found within the Cognino AI 360 system.
  • Internal network structure data: Details regarding a penetration-testing tool and internal network maps.

The group offered "full access to all compromised systems" for $1,000 USD, including login credentials for the British Airways Crew Portal and Cognino AI 360 Suite, AI API keys, sensitive medical files, flight crew schedules, and employee personal information. This shows the market for such information in underground forums. Screenshots purporting to show the Crew Portal, API servers, and Cognino 360 were posted to substantiate these claims.

The Infrastructure Destruction Squad has a history of cyber attacks targeting critical infrastructure systems, including water treatment facilities and industrial control systems (ICS). The alleged breach of British Airways shows the severe consequences of compromised credentials and the ongoing challenge of protecting sensitive corporate and personal data. This incident shows the necessity of dark web monitoring and brand leak alerting to track threat actor claims and potential data exposures.

What is the Rapid Exploitation of PraisonAI (CVE-2026-44338)?

The PraisonAI open-source multi-agent orchestration framework, designed for AI-driven workflows, recently faced rapid exploitation following the disclosure of CVE-2026-44338. This vulnerability, an authentication bypass with a CVSS score of 7.3, exposes sensitive API endpoints by disabling authentication by default in its legacy Flask API server. Within hours of its public disclosure on May 11, 2026, threat actors began actively probing internet-exposed instances.

Specifically, the src/praisonai/api_server.py component hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None. This configuration allows any caller able to reach the server to access /agents and trigger the configured agents.yaml workflow through /chat without providing an authentication token. This flaw impacts PraisonAI Python package versions 2.5.6 through 4.6.33 and has been patched in version 4.6.34.

Sysdig observed scanner activity originating from 146.190.133[.]49, identifying itself as CVE-Detector/1.0. The scanner specifically targeted AI-agent surfaces, including PraisonAI, with a GET /agents request lacking an Authorization header. This request successfully confirmed the bypass by returning agent configuration details. This rapid response shows how quickly new vulnerabilities, particularly those affecting AI infrastructure, can be weaponized.

The impact of this exploitation can vary depending on the permissions of the agents.yaml workflow. Potential consequences include:

  • Unauthenticated enumeration of the configured agent file.
  • Unauthenticated triggering of locally configured workflows.
  • Repeated consumption of model/API quotas.
  • Exposure of workflow results to unauthenticated callers.

Organizations using such AI frameworks should update to PraisonAI version 4.6.34 immediately, audit existing deployments for suspicious activity, review model provider billing for anomalies, and rotate credentials referenced in agents.yaml. This incident reinforces the need for continuous breach detection and proactive cyber threat intelligence integration for AI infrastructure.

Technical Takeaways

  • Cisco Catalyst SD-WAN Controller (CVE-2026-20182) requires immediate patching due to active zero-day exploitation, which permits administrative privilege escalation via a faulty peering authentication mechanism.
  • The node-ipc npm package suffered a supply chain compromise affecting versions 9.1.6, 9.2.3, and 12.0.1, distributing a credential stealer that exfiltrates SSH keys, cloud, Kubernetes, and AI tool configurations through DNS tunneling.
  • EvilTokens is an AI-powered phishing-as-a-service platform that automates device code phishing, dynamically generating personalized lures and bypassing MFA, with post-compromise automation for follow-on fraud.
  • The Infrastructure Destruction Squad claimed a breach of British Airways, alleging theft of pilot and medical data, and API keys from the Cognino AI 360 platform, with data offered for sale on underground channels.
  • PraisonAI (CVE-2026-44338), an AI orchestration framework, experienced exploitation attempts within four hours of disclosure due to a default-disabled authentication mechanism, enabling unauthenticated access to agent configurations and workflows.