
Breach Roundup: How Hackers Exploited a Cisco SD-WAN Flaw

Data Breach Today, archived Jun 26, 2026

Also, Three Ubiquiti Flaws Under Exploitation. This week, Mandiant detailed a Cisco SD-WAN hack while attackers exploited Ubiquiti flaws. London Hydro disclosed a customer data breach, researchers flagged a cross-cloud bucket hijacking risk, an exposed server revealed INC ransomware's mainframe focus, and a Texas state breach and a Gravity SMTP exploitation campaign rounded out the week.



Also, Three Ubiquiti Flaws Under Exploitation

Anviksha More (AnvikshaMore) • June 25, 2026

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Mandiant detailed a Cisco SD-WAN hack, three Ubiquiti flaws came under exploitation, a Canadian utility disclosed a breach, researchers flagged a cross-cloud bucket hijacking risk, an exposed server revealed INC ransomware's mainframe focus, a Texas breach exposed the data of 3 million people, and a Gravity SMTP flaw was targeted in a mass exploitation campaign.

How Hackers Exploited a Cisco SD-WAN Flaw

Hackers exploited a now-patched zero-day vulnerability in Cisco Catalyst SD-WAN devices to obtain root-level access and maintain covert control over a communications service provider's network, threat intel firm Mandiant said Wednesday. Cisco previously confirmed the flaw - tracked as CVE-2026-20245 - was exploited before patches became available.

Google-owned Mandiant responded to a hacking incident involving multiple phases of unauthorized activity spanning late 2025 through March. Investigators observed rogue peering connections to the victim's SD-WAN environment, suggesting attackers had gained access through weaknesses affecting SD-WAN controllers or by using credentials and certificates obtained during an earlier compromise.

Once inside the environment, the threat actor altered administrative credentials and uploaded a malicious CSV file named evil_tenant.csv to exploit the flaw. The exploit enabled privilege escalation to root and the creation of a hidden account called troot, giving the attacker unrestricted access to the affected system.

The actor demonstrated a strong emphasis on operational security. After collecting SD-WAN configuration data, the attacker restored modified passwords and configuration settings to their original state, reducing the likelihood that administrators would notice suspicious activity. The intruder also deleted files, removed evidence of commands executed during the attack and ran validation scripts to verify that traces of the compromise had been erased.

3 Maximum-Severity Ubiquiti Flaws Under Active Exploitation

Attackers are exploiting three maximum-severity vulnerabilities in enterprise wireless router maker Ubiquiti's UniFi OS that can be chained to achieve unauthenticated remote code execution with root privileges. The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday added the flaws to its Known Exploited Vulnerabilities catalog.

The vulnerabilities, tracked as CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910, affect the broader UniFi OS device family in addition to the UniFi OS Server, the self-hosted version of Ubiquiti's network management platform. Ubiquiti disclosed and patched the flaws in May.

Security researchers at Bishop Fox said the three vulnerabilities can be combined into a single exploit chain that requires no authentication or user interaction. The chain allows attackers to bypass authentication, traverse the file system and execute arbitrary commands as the root user, giving them complete control over vulnerable systems.

UniFi OS is used to centrally manage Ubiquiti networking equipment, surveillance cameras, access control systems and other enterprise infrastructure. A successful compromise could provide attackers with administrative control over connected environments, including the ability to unlock doors and disable or erase camera footage where UniFi Access and Protect are deployed.

Canadian Utility London Hydro Discloses Customer Data Breach

The electric grid distribution company serving London, Ontario, is investigating a data security incident that may have exposed customer personal and account information. London Hydro disclosed the incident in a notice posted to its website.

The utility said the potentially affected data includes customers' names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract start dates and meter information. The incident did not involve financial information or more sensitive data such as dates of birth, government-issued identification numbers, payment card information or banking details. London Hydro has not disclosed how many customers were affected, how the intrusion occurred or whether data was exfiltrated.

Researchers Warn of Cross-Cloud Bucket Hijacking Risk

A newly disclosed attack technique could enable threat actors to silently redirect cloud data streams and exfiltrate sensitive information by exploiting the global naming architecture used by major cloud providers, found researchers at Palo Alto Networks' Unit 42.

Dubbed "bucket hijacking," the technique targets cloud storage buckets used to receive logs, backups and other automated data streams. Because bucket names are globally unique across cloud platforms such as Google Cloud, Amazon Web Services and Microsoft Azure, attackers who gain permission to delete a bucket can recreate a bucket with the same name under their own account and intercept data intended for the original destination.

Unit 42 researchers demonstrated the technique across multiple cloud services, including Google Cloud Logging, Pub/Sub, Storage Transfer Service, AWS S3 replication and Amazon Data Firehose. In each case, data streams continued sending information to attacker-controlled storage after the original bucket was deleted and recreated.

The attack does not rely on a software vulnerability. Rather, it exploits a common architectural design across cloud providers. Researchers said the risk is amplified by excessive permissions, particularly bucket deletion rights, which can effectively bypass the more restrictive permissions normally required to modify data-stream destinations.

Unit 42 identified two primary attack scenarios: privilege escalation involving compromised accounts with bucket deletion permissions, and "dangling" resources left behind when a bucket is removed but its associated routing configurations remain active. In both cases, attackers could potentially reroute logs, backups and other sensitive data without disrupting the appearance of normal operations.

Researchers said they have not observed the technique being used in real-world attacks. But they warned that such activity could be difficult to detect because automated data streams often operate without ongoing oversight.

Exposed Server Reveals INC Ransomware's Mainframe Focus

An exposed server linked to an affiliate of the INC ransomware operation has provided rare insight into the group's evolving tactics, including attacks targeting IBM mainframes, cross-platform malware development and a focus on organizations in the Asia-Pacific region.

Researchers Michael Koczwara and NahamSec found evidence that the ransomware group has developed encryptors for Windows, Linux and IBM AIX systems. The exposed infrastructure also contained victim-related data indicating that organizations in Japan, India and other Asia-Pacific countries were among the group's recent targets. Analysis of files stored on the server revealed ransomware payloads designed for multiple operating systems, references to IBM AIX environments and operational data tied to recent intrusions.

Texas Breach Exposes Data of 3M Residents

A data breach affecting a Texas state government department exposed sensitive personal information belonging to more than 3 million people, including driver's license details and passport numbers.

The Texas Parks and Wildlife Department disclosed the incident and said Texas' cybersecurity team recently identified unauthorized access involving a third-party vendor that manages the sale of hunting and fishing licenses. Hackers were able to access information stored in the vendor's licensing system, exposing driver's license numbers, passport information, email addresses, phone numbers and residential addresses of affected individuals.

Officials did not disclose when the intrusion occurred or how long attackers had access to the system. The department did not identify the vendor involved and did not provide details on the threat actor responsible for the breach. It is also unclear whether the agency has received any communication or extortion demands related to the incident.

Gravity SMTP Flaw Targeted in Mass Exploitation Campaign

Threat actors are exploiting a vulnerability in the Gravity SMTP WordPress plugin to harvest sensitive configuration data and credentials from vulnerable websites. The flaw, tracked as CVE-2026-4020, affects Gravity SMTP versions 2.1.4 and earlier and stems from an improperly secured REST API endpoint that can be accessed without authentication.

Successful exploitation enables attackers to retrieve detailed system information, including WordPress and PHP versions, active plugins, database details, server configuration data and, in some cases, API keys, secrets and OAuth tokens used by email services.

Researchers said attackers have been exploiting the vulnerability since at least May, with activity surging in June. WordPress security firm Defiant reported blocking more than 17 million exploitation attempts targeting the flaw, which impacts a plugin installed on roughly 100,000 websites. The exposed credentials could enable attackers to access third-party email platforms such as Amazon SES, Google, Mailjet, Resend and Zoho, potentially enabling account compromise, phishing campaigns or further attacks against affected organizations.

Other Stories From This Week

Slow OT Patching a Boon for Iranian Nation-State Hackers
Russia's Gamaredon Adapts Tactics to Target Ukraine
Open-Source Coalition Pushes California to Rework AI Act
OpenAI Unveils 'Jalapeño' Inference Chip
Five Eyes Warn the Frontier AI Cyberthreat Is Months Away

With reporting from Information Security Media Group's Pooja Tikekar in Mumbai.
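Returning to the bucket hijacking technique in the Unit 42 section above: the two preconditions it describes (a routing configuration whose destination bucket has been deleted and left dangling, or now resolves to a same-named bucket owned by another account, plus overly broad bucket-deletion rights) can be audited from an inventory. The following Python is an added example, not Unit 42's or the article's code; the sink list, bucket ownership map, account IDs and the IAM-style policy are all constructed sample data.

```python
import fnmatch

# Constructed sample inventory (not from the article or Unit 42): sinks that
# push automated data streams into buckets, and the account that currently
# owns each globally unique bucket name.
SINKS = [
    {"name": "audit-log-sink", "service": "Cloud Logging", "bucket": "acme-audit-logs"},
    {"name": "nightly-db-backup", "service": "Storage Transfer", "bucket": "acme-db-backups"},
    {"name": "clickstream-firehose", "service": "Data Firehose", "bucket": "acme-clickstream"},
]
BUCKET_OWNERS = {
    "acme-audit-logs": "111111111111",
    "acme-clickstream": "999999999999",  # same name, recreated under a foreign account
    # "acme-db-backups" is absent: deleted, yet the sink still routes to it
}
OUR_ACCOUNT = "111111111111"
# Constructed IAM-style policy; the "s3:*" wildcard in the second statement is
# the weak setting, since it silently includes s3:DeleteBucket.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::acme-*"},
    ]
}

def audit_sinks(sinks, bucket_owners, our_account):
    """Flag destinations that are dangling (bucket gone) or hijacked (owned elsewhere)."""
    findings = []
    for s in sinks:
        owner = bucket_owners.get(s["bucket"])
        if owner is None:
            findings.append((s["name"], "DANGLING", s["bucket"]))
        elif owner != our_account:
            findings.append((s["name"], "HIJACKED", f"{s['bucket']} owned by {owner}"))
    return findings

def delete_grants(policy):
    """Return indexes of Allow statements whose Action pattern covers s3:DeleteBucket."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        # IAM action names match case-insensitively and support '*' wildcards
        if any(fnmatch.fnmatchcase("s3:deletebucket", a.lower()) for a in actions):
            hits.append(i)
    return hits

if __name__ == "__main__":
    print(audit_sinks(SINKS, BUCKET_OWNERS, OUR_ACCOUNT), delete_grants(POLICY))
```

A dangling finding means the sink should be removed or repointed before anyone else can claim the name; a hijacked finding means the stream is already feeding a foreign account and should be stopped immediately.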