WAF Weekly: Cisco SD-WAN Under Siege, Ubiquiti 10/10 CVEs Hit CISA KEV, June 22-26, 2026
Cisco's 7th SD-WAN zero-day of 2026 exploited for months before disclosure. Ubiquiti UniFi OS criticals under active attack. FFmpeg PixelSmash bug threatens cloud infrastructure. Plus curl patches a 25-year-old vulnerability.
Cisco SD-WAN Zero-Day Exploited Months Before Disclosure
Mandiant published research detailing how an unknown threat actor exploited CVE-2026-20245, a privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager, as a zero-day at least two months before Cisco disclosed it on June 4. The attacker used a malicious CSV file to escalate from admin to root-level access on a service provider's SD-WAN infrastructure.
The victim's systems had already been targeted in late 2025 and January 2026 through zero-day exploitation of related SD-WAN flaws (CVE-2026-20127 and CVE-2026-20182). Throughout, the threat actor employed anti-forensic techniques: deleting files, reverting configuration changes, and changing admin passwords back to their original values so that the intrusion left as little trace as possible.
Mandiant called this "the living off the edge paradigm," where attackers target network orchestrators to bypass traditional security perimeters. For WAF operators managing edge infrastructure, this underscores the importance of monitoring SD-WAN control planes and treating them as critical security boundaries. In practice that means forwarding the Manager's audit logs off the appliance as they are written: an actor who deletes files and reverts configuration on the Manager can just as easily delete its local logs, and the anti-forensic pattern described above (a password changed and then changed back, a configuration change followed by a rollback) is only visible in a copy the actor cannot reach.
Ubiquiti UniFi OS 10/10 CVEs Under Active Attack
CISA added three critical vulnerabilities in Ubiquiti UniFi OS to its KEV catalog on Tuesday: CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection), all scoring CVSS 10.0. Patches were released May 21 in UniFi OS 5.0.8, but widespread exploitation -- creating rogue admin accounts under the username "John Sim" -- was reported on forums and Reddit before the fix.
Bishop Fox's analysis laid out the chain: an NGINX authentication gateway bypass leads to unauthenticated command injection through crafted package names. Organizations running UniFi OS devices should patch immediately and check their admin lists for accounts they did not create. A WAF such as Cloudflare or AWS WAF in front of centrally managed networking appliances adds a layer of inspection, but the management interface of these devices should not be reachable from the internet in the first place; an inspection layer supplements that, it does not replace it.
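Both stories above come down to the same question for a defender: what does the management-plane audit log look like when an attacker is covering their tracks, and who created that admin account? The following is an added example, not code from Mandiant, Cisco, Ubiquiti or the original article. It runs three checks over a constructed audit log in a hypothetical `timestamp EVENT key=value ...` format (real SD-WAN Manager and UniFi OS logs use different formats, so the parser would need adapting): a password changed twice within a short window, a configuration rollback shortly after a change by the same user, and an admin account created outside an approved list. The allow-list of approved admin names is an assumption for the example.

```python
"""Management-plane audit log checks (added example, constructed log format)."""
import re
from datetime import datetime, timedelta

# Hypothetical format: "<ISO timestamp> <EVENT> key=value key="quoted value" ...".
# Real SD-WAN Manager / UniFi OS audit lines differ; adapt LINE_RE accordingly.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+)(?: (?P<kv>.*))?$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one night of attacker activity, then normal ops two days later.
SAMPLE_LOG = """\
2026-04-03T02:11:05 LOGIN user=admin src=203.0.113.7
2026-04-03T02:12:40 PASSWORD_CHANGE user=admin
2026-04-03T02:15:02 CONFIG_CHANGE user=admin template=branch-edge
2026-04-03T02:31:19 FILE_DELETE user=admin path=/var/log/upload.csv
2026-04-03T02:33:50 CONFIG_ROLLBACK user=admin
2026-04-03T02:34:10 PASSWORD_CHANGE user=admin
2026-04-03T02:35:00 ADMIN_CREATE user=admin name="John Sim" role=owner
2026-04-05T09:00:00 PASSWORD_CHANGE user=netops
""".splitlines()

# Assumed allow-list of admin accounts that are expected to exist.
APPROVED_ADMINS = {"admin", "netops", "ops-backup"}


def parse_line(line: str) -> dict:
    """Turn one audit line into a dict; returns {} for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    event = {"ts": datetime.fromisoformat(m["ts"]), "event": m["event"]}
    for key, value in KV_RE.findall(m["kv"] or ""):
        event[key] = value.strip('"')
    return event


def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def password_flapping(events, window=timedelta(hours=1)):
    """Users whose password was changed twice within `window`.

    We never see the password values, but an attacker who resets an admin
    password and later restores the original leaves exactly this pair.
    """
    last, hits = {}, []
    for e in events:
        if e["event"] != "PASSWORD_CHANGE":
            continue
        user = e.get("user")
        if user in last and e["ts"] - last[user] <= window:
            hits.append((user, last[user], e["ts"]))
        last[user] = e["ts"]
    return hits


def rollback_after_change(events, window=timedelta(hours=1)):
    """CONFIG_ROLLBACK by a user within `window` of that user's CONFIG_CHANGE."""
    last_change, hits = {}, []
    for e in events:
        user = e.get("user")
        if e["event"] == "CONFIG_CHANGE":
            last_change[user] = e["ts"]
        elif (e["event"] == "CONFIG_ROLLBACK" and user in last_change
              and e["ts"] - last_change[user] <= window):
            hits.append((user, last_change[user], e["ts"]))
    return hits


def unapproved_admins(events, approved=APPROVED_ADMINS):
    """ADMIN_CREATE events whose new account name is not on the approved list."""
    return [(e["ts"], e["name"], e.get("user")) for e in events
            if e["event"] == "ADMIN_CREATE" and e.get("name") not in approved]


def run_checks(lines, approved=APPROVED_ADMINS):
    events = parse_log(lines)
    return {
        "password_flapping": password_flapping(events),
        "rollback_after_change": rollback_after_change(events),
        "unapproved_admins": unapproved_admins(events, approved),
    }


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {findings or 'none'}")
```

Each check is deliberately blind to content it cannot know (the password value, what the rollback undid) and keys only on timing and actor, which is what survives when the attacker has already cleaned up on the box. Tune the windows to your change-management reality; a one-hour window will also catch a sloppy engineer, which is a reasonable thing to be alerted on.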
FFmpeg PixelSmash: Media Files Become RCE Weapons
JFrog disclosed CVE-2026-8461 (CVSS 8.8), a heap out-of-bounds write in FFmpeg's MagicYUV decoder that allows remote code execution through crafted media files. Dubbed PixelSmash, the bug affects any application using FFmpeg: desktop video players, media servers, cloud transcoding pipelines, NAS appliances, and smart TVs.
The exploit is delivered as a 50 KB AVI, MKV, or MOV file. On servers, uploading the file to a media platform or chat service triggers automatic processing, making this a near-zero-click vector. JFrog confirmed successful exploitation against Kodi, mpv, Nextcloud, and GNOME/KDE file managers.
For security teams running media-processing infrastructure, this is a reminder that signature-based WAF engines such as ModSecurity and Coraza alone won't catch file-based exploits: the malicious file is a valid AVI, MKV or MOV as far as any container check is concerned. The defences that matter sit at the application layer. Allow-list the codecs your pipeline actually needs before handing a file to a decoder, run the decoder under a sandbox with CPU, memory and time limits, and if MagicYUV is not a format you accept, build FFmpeg without that decoder (`--disable-decoder=magicyuv` at configure time) so the vulnerable code is not present at all.
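One way to put the codec allow-list in front of a transcoding step, as an added example that is not JFrog's, FFmpeg's or the original article's code: probe the upload with `ffprobe` (which reads container headers but does not run the video decoder when only stream metadata is requested), reject anything whose reported codec is not on the list, and only then invoke `ffmpeg` with conservative limits. The `check_streams` function is exercised here on constructed ffprobe JSON; the allow-list, the output encoders and the optional sandbox prefix are assumptions for the example and should be set to match your pipeline.

```python
"""Codec allow-listing before transcoding untrusted uploads (added example)."""
import json
import subprocess

# Decoders we are willing to run on untrusted input. Anything else, including
# magicyuv (the decoder affected by CVE-2026-8461), is rejected before ffmpeg runs.
ALLOWED_CODECS = {"h264", "hevc", "vp9", "av1", "aac", "opus", "mp3", "vorbis"}

# Optional wrapper to run both tools in a sandbox, e.g.
#   ["systemd-run", "--scope", "-p", "MemoryMax=512M", "-p", "CPUQuota=100%"]
# or a bwrap/firejail invocation. Empty by default; this is an assumption.
SANDBOX_PREFIX: list[str] = []


def probe_cmd(path: str) -> list[str]:
    """ffprobe invocation that reports only codec type/name per stream as JSON."""
    return SANDBOX_PREFIX + [
        "ffprobe", "-v", "error",
        "-probesize", "5M", "-analyzeduration", "5M",   # bound header parsing work
        "-show_entries", "stream=codec_type,codec_name",
        "-of", "json", path,
    ]


def check_streams(probe_json: str, allowed=ALLOWED_CODECS):
    """Decide whether the probed file may be decoded.

    Returns (ok, reasons). Fails closed on malformed output, on a file with
    no streams, on non audio/video streams, and on any codec not allow-listed.
    """
    try:
        streams = json.loads(probe_json).get("streams", [])
    except (json.JSONDecodeError, AttributeError):
        return False, ["ffprobe output is not a JSON object"]
    if not streams:
        return False, ["no streams reported"]
    reasons = []
    for i, s in enumerate(streams):
        ctype, name = s.get("codec_type"), s.get("codec_name")
        if ctype not in ("video", "audio"):
            reasons.append(f"stream {i}: unexpected type {ctype!r}")
        elif name not in allowed:
            reasons.append(f"stream {i}: codec {name!r} not allow-listed")
    return not reasons, reasons


def transcode_cmd(src: str, dst: str) -> list[str]:
    """ffmpeg invocation with no interactive input and a single decode thread."""
    return SANDBOX_PREFIX + [
        "ffmpeg", "-nostdin", "-hide_banner", "-loglevel", "error", "-y",
        "-threads", "1", "-i", src,
        "-c:v", "libx264", "-c:a", "aac",   # assumed output encoders
        dst,
    ]


def transcode_untrusted(src: str, dst: str, timeout: int = 120) -> None:
    """Probe, allow-list, then transcode; raises ValueError on a rejected file."""
    probe = subprocess.run(probe_cmd(src), capture_output=True, text=True, timeout=timeout)
    ok, reasons = check_streams(probe.stdout)
    if not ok:
        raise ValueError(f"rejected {src}: " + "; ".join(reasons))
    subprocess.run(transcode_cmd(src, dst), check=True, timeout=timeout)


if __name__ == "__main__":
    import sys
    transcode_untrusted(sys.argv[1], sys.argv[2])
```

The check works because FFmpeg selects the decoder from the same codec identification the demuxer reports to ffprobe, so a file that reports `h264` will not reach the MagicYUV decoder. It is not a substitute for the sandbox: ffprobe itself parses the container, which is why it runs under the same prefix and with bounded `-probesize`/`-analyzeduration`. Keep the allow-list as short as your product permits.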
Curl Patches 25-Year-Old Vulnerability
Curl 8.21.0 fixed 18 vulnerabilities, including CVE-2026-8932, an mTLS connection reuse bug introduced in version 7.7 from March 2001. The flaw could lead to authentication bypass in libcurl applications when client certificate or private key settings changed. Aisle discovered six of the patched CVEs using its AI platform.
Aisle noted that "the easy bugs are long gone" in curl, which powers data transfer on over 30 billion devices. No in-the-wild exploitation has been reported, but the sheer footprint of curl means WAF appliances, proxies, and security tools that rely on libcurl for data transfer should update promptly.
Chrome 149 Fixes 18 Vulnerabilities
Google released Chrome 149.0.7827.196/197 for Windows and macOS, resolving 18 security defects: four critical and 14 high-severity issues. Over half were use-after-free bugs that could enable sandbox escape when combined with OS-level vulnerabilities. Google's own teams found 17 of the 18, continuing a trend that is likely driven by AI-assisted fuzzing.
Also Notable
- Cisco Unified CM flaw CVE-2026-20230 was weaponized within 24 hours of disclosure, according to a cybersecurity firm tracking exploit activity.
- Black Kite reported ransomware incidents in Europe rose 55% year-over-year in early 2026, with supply chain attacks as the primary vector.
- Five Eyes intelligence agencies warned that frontier AI models could reshape cyber attacks against governments within months.
- Anthropic's Mythos model identified vulnerabilities in classified US government systems within hours during Project Glasswing testing, per a US official.
WAFplanet Take
This week's theme: edge infrastructure is the new battleground. The Cisco SD-WAN campaign shows threat actors spending months silently compromising SD-WAN orchestrators, not because they want to disrupt SD-WAN, but because those control planes give them a stealthy, persistent pivot into enterprise traffic. Traditional perimeter defenses miss this entirely. If you manage WAF infrastructure -- especially if you run edge devices at remote sites -- audit your SD-WAN and management plane access. And patch your Ubiquiti gear. Today.