Cisco Zero-Day, Amadey/StealC Takedown, and CI/CD Supply-Chain Risks


Summary

Today's threat landscape is defined by operational security wins and persistent, high-stakes vulnerabilities. A coordinated law enforcement takedown dismantled the infrastructure behind the Amadey botnet and StealC infostealer, recovering 27 million stolen credentials. Simultaneously, a sophisticated intrusion at a communications service provider exploited a Cisco SD-WAN zero-day, demonstrating how adversaries are targeting the network edge for stealthy, persistent access. Defenders must also contend with a new class of CI/CD workflow weakness -- dubbed Cordyceps -- that exposes hundreds of major open-source repositories to supply-chain compromise.

Today's developments

  • Cisco SD-WAN Zero-Day Exploited at Service Provider: Google Threat Intelligence and Mandiant detailed an intrusion where a threat actor exploited CVE-2026-20245, a privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager, to gain root-level access at a communications service provider. The actor allegedly used rogue peering connections and manipulated default admin credentials to evade detection, then deployed anti-forensic techniques to cover their tracks. This campaign underscores the "living off the edge" paradigm, where network appliances become prime targets for long-term strategic access.

  • Amadey and StealC Infrastructure Disrupted: In a first-of-its-kind coordinated action, Microsoft's Digital Crimes Unit, Europol, and private sector partners (including ESET and Bitdefender) took down over 200 command-and-control servers powering the Amadey botnet and StealC infostealer. The operation, part of "Operation Endgame," recovered approximately 27 million stolen credentials. Industry researchers note that these tools are often used in conjunction, forming an "assembly line" for ransomware and financial fraud.

  • Cordyceps CI/CD Flaws Expose Supply Chains: Researchers at Novee Security identified a critical exploitable pattern in CI/CD workflows, codenamed Cordyceps, affecting over 300 GitHub repositories at major organizations including Microsoft, Google, and Apache. The flaw could allow attackers to hijack workflows and compromise open-source software supply chains, granting full attacker control of repositories.

  • Cisco Unified CM Flaw Under Active Exploitation: Following the public release of a proof-of-concept, threat actors have begun exploiting CVE-2026-20230, a critical vulnerability in Cisco Unified Communications Manager. The flaw allows unauthenticated, remote attackers to achieve file-write access and potentially root-level compromise.

  • CISA Warns of Lantronix EDS5000 Exploitation: CISA added CVE-2025-67038, a critical code injection flaw in Lantronix EDS5000 Series devices, to its Known Exploited Vulnerabilities catalog, urging FCEB agencies to patch by June 26, 2026.

  • DoJ Seizes Huione Cloud Account: The U.S. Department of Justice seized a cloud computing account used by subsidiaries of the Cambodia-based HuiOne Group, linked to cyber scam money laundering. Concurrently, the Treasury sanctioned nine individuals and 26 entities tied to the Prince Group.

  • StrikeShark Campaign Delivers Cobalt Strike: Kaspersky researchers analyzed a new global campaign, dubbed StrikeShark, that delivers Cobalt Strike Beacon via a custom loader called SharkLoader.

Threat landscape signals

The convergence of law enforcement action and sophisticated zero-day exploitation paints a picture of a threat landscape that is both being actively disrupted and continuously evolving. The Amadey/StealC takedown is a significant operational victory, but the rapid recovery of stolen credentials (27 million) highlights the sheer scale of credential theft as a persistent enabler of further attacks. The Cisco SD-WAN intrusion is a stark reminder that as organizations adopt software-defined networking, the orchestrators themselves become high-value targets, offering adversaries a stealthy platform for broad internal access. The Cordyceps CI/CD findings further emphasize that supply-chain security remains a critical, unresolved challenge, with attackers increasingly targeting the development pipeline itself. Defenders should prioritize patching edge devices, auditing CI/CD workflows, and monitoring for anomalous authentication patterns on network management platforms.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
