ctipilot.ch

Cisco Talos: Windows COM abuse (ITaskService/BITS/WMI/DCOM) as EDR-evasion primitives

campaign · research:talos-com-abuse-windows-threats

Coverage timeline: 1 (first 2026-06-28 → last 2026-06-28)
Briefs: 1 (1 distinct)
Sources cited: 70 (39 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-28 · CTI Daily Brief — 2026-06-28
    research · First coverage [SINGLE-SOURCE primary research]. COM vtable indirection hides task creation (T1053.005), BITS C2 (T1197), WMI discovery (T1082), DCOM lateral movement (T1021.003). Detection-engineering primer: schtasks-keyed rules miss COM-based task creation.

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 9 (13%)
  • blog.talosintelligence.com: 7 (10%)
  • sec.cloudapps.cisco.com: 7 (10%)
  • bleepingcomputer.com: 4 (6%)
  • thehackernews.com: 4 (6%)
  • theregister.com: 3 (4%)
  • cloud.google.com: 2 (3%)
  • security-hub.ncsc.admin.ch: 2 (3%)
  • other: 32 (46%)

Related entities

All cited sources (70)

Items in briefs about Cisco Talos: Windows COM abuse (ITaskService/BITS/WMI/DCOM) as EDR-evasion primitives (21)

Unit 42: Chinese-speaking cluster CL-STA-1062 deploys the new TinyRCT .NET backdoor against SE-Asian government and energy targets via AppDomainManager injection

From CTI Daily Brief — 2026-06-28 · published 2026-06-28

Palo Alto Unit 42 (2026-06-25) documented CL-STA-1062, a Chinese-speaking cluster overlapping with Cisco Talos's UAT-7237, targeting government and state-owned energy infrastructure across Southeast Asia (Unit 42, 2026-06-25; The Hacker News, 2026-06-26). Initial access is via internet-facing web apps and ASPX web shells (T1505.003), pivoting to a custom .NET backdoor, TinyRCT, delivered through AppDomainManager injection (T1574.014): a benign signed chrome_setup.exe ships in a ZIP alongside a malicious chrome_setup.exe.config, causing the .NET CLR to load MyAppDomainManager.dll from the same directory and bootstrap TinyRCT in-process — no child process, so it is low-visibility to EDR. TinyRCT beacons over HTTP with AES-128-CBC payloads, supports command execution via cmd.exe, chunked file exfiltration, and screen capture, and self-terminates unless run from %LOCALAPPDATA% or %USERPROFILE%\Downloads (anti-sandbox). Observed tooling includes Mimikatz, JuicyPotato and SoftEther VPN masqueraded as vmtools.exe. The defender value is the technique: T1574.014 AppDomainManager injection is widely under-detected, and the same web-shell-to-in-process-.NET pattern is directly applicable to European public-sector web estates. Hunt for .NET .config files written into user-writable directories adjacent to signed executables, and DLL loads of MyAppDomainManager.dll from a signed PE's own directory (Sysmon EID 7).
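The hunt suggested at the end of this item, as an added example that is not Unit 42's or the brief's own code: a scanner that walks a directory tree for <name>.exe.config files whose <runtime> section selects a custom AppDomainManager (the documented appDomainManagerAssembly / appDomainManagerType elements) and checks whether the named assembly's DLL sits beside the executable. The folder layout, the type name MyAppDomainManager.Manager and the stand-in file contents are constructed for the example; only chrome_setup.exe, chrome_setup.exe.config and MyAppDomainManager.dll come from the report.

```python
"""Hunt for .NET AppDomainManager injection staging (T1574.014): an
<app>.exe.config that points the CLR at a custom AppDomainManager assembly
sitting beside a signed executable in a user-writable directory."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# These two <runtime> elements are the documented .NET settings that select a
# custom AppDomainManager; their presence is the signal, not a bug by itself.
ADM_ASSEMBLY = "appDomainManagerAssembly"
ADM_TYPE = "appDomainManagerType"


def parse_app_config(xml_text: str) -> Optional[dict]:
    """Return {'assembly', 'type'} when the config selects a custom
    AppDomainManager, else None. Unparseable XML is treated as no match."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find(ADM_ASSEMBLY)
    typ = runtime.find(ADM_TYPE)
    if asm is None or typ is None:
        return None
    return {"assembly": asm.get("value", ""), "type": typ.get("value", "")}


def scan_directory(root: Path) -> list:
    """Walk a tree for *.exe.config files and report AppDomainManager hits,
    noting whether the named assembly's DLL sits next to the executable."""
    findings = []
    for cfg in sorted(root.rglob("*.exe.config")):
        hit = parse_app_config(cfg.read_text(encoding="utf-8", errors="replace"))
        if hit is None:
            continue
        exe = cfg.with_name(cfg.name[: -len(".config")])
        # The assembly name (first part of a display name) loads as <name>.dll
        # from the executable's own directory, which is what makes it stealthy.
        dll = cfg.with_name(hit["assembly"].split(",")[0].strip() + ".dll")
        findings.append({
            "config": str(cfg),
            "exe_present": exe.exists(),
            "manager_dll": str(dll),
            "dll_beside_exe": dll.exists(),
            **hit,
        })
    return findings


# Constructed config contents: one staging config, one ordinary one.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager" />
    <appDomainManagerType value="MyAppDomainManager.Manager" />
  </runtime>
</configuration>
"""
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
  </startup>
</configuration>
"""


def demo() -> list:
    """Build a constructed download folder and a clean install folder, scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staged = root / "Downloads" / "chrome_setup"
        staged.mkdir(parents=True)
        (staged / "chrome_setup.exe").write_bytes(b"MZ")        # stand-in for the signed binary
        (staged / "chrome_setup.exe.config").write_text(SUSPICIOUS_CONFIG)
        (staged / "MyAppDomainManager.dll").write_bytes(b"MZ")  # stand-in for the injected DLL
        clean = root / "Program Files" / "tool"
        clean.mkdir(parents=True)
        (clean / "tool.exe").write_bytes(b"MZ")
        (clean / "tool.exe.config").write_text(BENIGN_CONFIG)
        return scan_directory(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run scan_directory over %LOCALAPPDATA%, %USERPROFILE%\Downloads and any other user-writable roots; a hit with dll_beside_exe set is the full staging pattern and should be cross-checked against Sysmon EID 7 image loads of that DLL by the signed executable.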

Cisco Talos: a field guide to Windows COM abuse — ITaskService, BITS, WMI and DCOM as EDR-evasion primitives [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-28 · published 2026-06-28

Cisco Talos published a reverse-engineering primer (2026-06-25) on how Windows threats weaponise Component Object Model (COM) interfaces to hide operations inside legitimate service call stacks (Cisco Talos, 2026-06-25). Four technique classes with a shared detection gap — function calls routed through vtable indirection rather than direct API imports limit EDR visibility: ITaskService/ITaskScheduler persistence creates scheduled tasks with no visible schtasks.exe (T1053.005); IBackgroundCopyJob (BITS) moves C2/files attributed to the trusted BITS service process (T1197); IWbemLocator/WMI blends discovery into svchost.exe (T1082, T1518.001); and DCOM/IDispatch enables remote object activation for lateral movement (T1021.003). Families studied include Gh0stRAT (ITaskService persistence), Attor (BITS C2 + WMI), Qakbot (WMI) and WarmCookie (ITaskScheduler 1.0). The actionable takeaway for detection engineers: scheduled-task-creation rules keyed on schtasks.exe/PowerShell miss COM-based task creation, which emits different event logs; build coverage for task creation where the creating image is unexpected, WMI activity from non-system parents, and BITS jobs created by non-svchost processes.
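The three process-keyed rules the takeaway calls for, as an added example that is not Talos's code: each rule keys on which image created the task or BITS job, or which parent launched the WMI client, instead of on a schtasks.exe command line. It assumes the SIEM has already normalised Security 4698 (correlated to the creating process), BITS-Client/Operational job-created events and WMI-Activity client records into the flat dicts shown; the field names, allow-lists and sample events are constructed and the allow-lists are starting points to tune per estate.

```python
"""Process-keyed detection rules for COM-driven task, BITS and WMI activity.
The rules look at which image created the task or job, or which parent spawned
the WMI client, rather than at schtasks.exe command lines."""
from pathlib import PureWindowsPath

# Assumption: events arrive normalised into dicts with a "kind" and the image
# paths below. Allow-lists are constructed starting points, not a baseline.
EXPECTED_TASK_CREATORS = {"schtasks.exe", "mmc.exe", "msiexec.exe"}
EXPECTED_BITS_CREATORS = {"svchost.exe"}
EXPECTED_WMI_PARENTS = {"services.exe", "svchost.exe", "explorer.exe",
                        "cmd.exe", "powershell.exe"}


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_task_creator(ev: dict):
    """T1053.005: task created by an image other than the usual tooling."""
    if ev["kind"] != "task_created":
        return None
    if _image_name(ev["creating_image"]) in EXPECTED_TASK_CREATORS:
        return None
    return {"rule": "task_created_by_unexpected_image",
            "image": ev["creating_image"], "detail": ev["task_name"]}


def rule_bits_creator(ev: dict):
    """T1197: BITS job created by a process that is not the BITS service host."""
    if ev["kind"] != "bits_job_created":
        return None
    if _image_name(ev["process_path"]) in EXPECTED_BITS_CREATORS:
        return None
    return {"rule": "bits_job_from_non_svchost",
            "image": ev["process_path"], "detail": ev["job_title"]}


def rule_wmi_parent(ev: dict):
    """T1082 / T1518.001: WMI client whose parent is not an expected launcher."""
    if ev["kind"] != "wmi_query":
        return None
    if _image_name(ev["parent_image"]) in EXPECTED_WMI_PARENTS:
        return None
    return {"rule": "wmi_client_from_unexpected_parent",
            "image": ev["client_image"], "detail": ev["query"]}


RULES = (rule_task_creator, rule_bits_creator, rule_wmi_parent)


def evaluate(events) -> list:
    """Run every rule over every event and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign and one suspicious event per source.
SAMPLE_EVENTS = [
    {"kind": "task_created", "creating_image": r"C:\Windows\System32\schtasks.exe",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"kind": "task_created", "creating_image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "task_name": r"\UpdateCheck"},
    {"kind": "bits_job_created", "process_path": r"C:\Windows\System32\svchost.exe",
     "job_title": "Windows Update"},
    {"kind": "bits_job_created", "process_path": r"C:\ProgramData\sync\agent.exe",
     "job_title": "sync"},
    {"kind": "wmi_query", "client_image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "query": "SELECT * FROM Win32_OperatingSystem"},
    {"kind": "wmi_query", "client_image": r"C:\Users\bob\AppData\Local\Temp\a.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\launcher.exe",
     "query": "SELECT * FROM Win32_ComputerSystem"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The point of the design is that none of the rules inspect a command line: a task registered through ITaskService, a job created through IBackgroundCopyJob and a query issued through IWbemLocator all still have a calling process, and that process (or its parent) is what the rule scores.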

UPDATE: Mandiant documents the full Cisco Catalyst SD-WAN exploitation chain — CSV-injection to a root backdoor

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

UPDATE (originally covered 2026-06-26): Google Mandiant (GTIG) published (2026-06-24) the first complete TTP chain for the Cisco Catalyst SD-WAN Manager zero-day activity, observed at a service-provider victim from late 2025 into 2026 (Google Mandiant, 2026-06-24). NCSC-CH amended its Security Hub post to add the report on 2026-06-25 (NCSC-CH Security Hub post 12579).

The chain: authentication bypass via CVE-2026-20182/CVE-2026-20127 (rogue peering connection), then privilege escalation via CVE-2026-20245 — a malicious evil_tenant.csv uploaded through the request tenant-upload CLI carries unsanitised shell commands that append a troot root user to /etc/passwd and /etc/shadow, after which the actor reverts configuration changes and deletes the file for anti-forensics. This gives defenders concrete hunts the earlier advisory could not: search SD-WAN Manager instances for unexpected /etc/passwd additions, evil_tenant.csv artefacts, and request tenant-upload execution in CLI logs.
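The /etc/passwd hunt from the last sentence, as an added example that is not Mandiant's or Cisco's code: it parses passwd(5) text, diffs a live copy against a known-good baseline and, independently of the baseline, reports any UID-0 account that is not root. The baseline lines, the vmanage-admin home directory and the appended troot line are constructed for the example; only the account names troot and vmanage-admin come from the reporting above.

```python
"""Baseline diff of /etc/passwd plus a UID-0 check, as a host-level hunt for
the backdoor-account pattern described above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict:
    """Parse passwd(5) text into {name: PasswdEntry}. Malformed lines raise
    rather than being skipped, because a broken line is itself worth a look."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries


def hunt_passwd(baseline_text: str, current_text: str) -> dict:
    """Return accounts added, removed or changed versus the baseline, plus any
    UID-0 account other than root regardless of what the baseline says."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(n for n in set(base) & set(cur) if base[n] != cur[n]),
        "extra_uid0": sorted(e.name for e in cur.values()
                             if e.uid == 0 and e.name != "root"),
    }


# Constructed sample: a trimmed baseline and a current copy with one appended line.
BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
"""
CURRENT = BASELINE + "troot:x:0:0::/root:/bin/bash\n"

if __name__ == "__main__":
    print(hunt_passwd(BASELINE, CURRENT))
```

Take the baseline from a freshly installed appliance of the same release or from an earlier backup, and run the same diff over /etc/shadow; because the actor deletes the CSV afterwards, the account itself is the artefact most likely to survive the clean-up.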

UPDATE: Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245

From CTI Daily Brief — 2026-06-26 · published 2026-06-26

UPDATE (originally covered 2026-06-06): When we first noted CVE-2026-20245 it was a fresh Cisco advisory for a command-injection-to-root flaw in Catalyst SD-WAN Manager with confirmed exploitation but little public detail. Mandiant/GTIG has now published the forensic reconstruction, confirming the flaw was used as a zero-day at a communications service provider from late 2025 through March 2026 — months before the patch (Mandiant/GTIG, 2026-06-24).

The new substance is the kill chain: a peering-authentication-bypass foothold (CVE-2026-20127 / CVE-2026-20182) into SSH as vmanage-admin, then a crafted tenant CSV through the request tenant-upload CLI handler injecting commands that planted a backdoor troot UID-0 account, with anti-forensic clean-up (admin-password change-then-revert, history/syslog deletion). Mandiant names no threat actor. Full mechanics, ATT&CK mapping and host-level detection are in §5.

CVE-2026-20230 — Cisco Unified CM: WebDialer SSRF to arbitrary file write to root, reconnaissance-stage exploitation observed

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

Cisco PSIRT's advisory (2026-06-03) for CVE-2026-20230 (CVSS 8.6, CWE-918 SSRF) describes a flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) releases 14 and 15: the service fails to validate HTTP requests, so an unauthenticated remote attacker can send a crafted request with a file:// payload to write arbitrary files to the underlying OS, which Cisco states can subsequently be used to escalate to root (Cisco PSIRT, 2026-06-03; BleepingComputer, 2026-06-23). WebDialer is disabled by default, so exposure requires it to have been enabled. Threat-intelligence firm Defused observed exploitation over the weekend of ~2026-06-21/22 from a single source IP, writing a marker file (/tmp/cve-2026-20230-test.txt) — a vulnerability-fingerprinting pattern that historically precedes a targeted exploitation wave. A public PoC (SSD Secure Disclosure) exists. Not KEV-listed as of this run. Patched in 14SU6 for Release 14, with a COP interim fix for Release 15 (full 15SU5 is not due until September 2026). Maps to T1190 (Exploit Public-Facing Application) and T1068 (privilege escalation via the written file). Defenders with internet-facing Unified CM should disable WebDialer if unused (Service Parameters → Cisco WebDialer Web Service), and hunt WebDialer access logs for file:// URIs and unexpected file-creation events (Sysmon EID 11 / auditd) outside normal WebDialer paths — without treating absence of the marker file as proof of safety, since it is trivially cleaned up.

CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV)

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly vManage) lets an authenticated remote attacker create or overwrite any file on the underlying OS and escalate to root code execution; Cisco patched it after zero-day exploitation and CISA added it to KEV (Cisco PSIRT; daily 06-16). SD-WAN Manager is the centralised control plane for an entire SD-WAN fabric, so a rooted controller is a fabric-wide compromise. Patch on emergency cadence and restrict management-plane access to a dedicated administrative network.

CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to root command execution

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

Two flaws in Cisco ISE and the ISE Passive Identity Connector let an unauthenticated attacker read credentials (CVE-2026-20181, 9.1) that chain to authenticated root command execution (CVE-2026-20190, 7.5); BSI flagged the pair for DACH operators (Cisco PSIRT; daily 06-19). ISE is the network-access-control and policy backbone in many enterprise and public-sector networks — a rooted ISE undermines NAC posture wholesale. Patch promptly.

CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to authenticated root command execution

From CTI Daily Brief — 2026-06-19 · published 2026-06-19

Cisco's advisory cisco-sa-ise-multi-G5WP8vv (2026-06-17) covers two flaws in ISE and ISE Passive Identity Connector (Cisco PSIRT, 2026-06-17; SecurityWeek, 2026-06-18). CVE-2026-20190 (improper authorization, CVSS 7.5) lets an unauthenticated remote attacker read sensitive data — including hashed administrator credentials — via crafted HTTP requests to specific APIs. CVE-2026-20181 (path traversal, CWE-22, CVSS 9.1) lets an authenticated administrator execute arbitrary OS commands and escalate to root; on single-node deployments it also causes a DoS. Cisco states there is no workaround and reports no known exploitation. Fixed in ISE 3.3 Patch 11 and 3.4 Patch 6 (available now); ISE 3.5 Patch 4 is scheduled for August 2026, with 3.5 Patch 3 closing only CVE-2026-20190 in the interim. The combined two-stage chain — and the detection/hardening for the identity plane it controls — is this brief's § 5 deep dive.

CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) lets an authenticated, remote attacker create or overwrite any file on the underlying OS because the file-upload handler fails to validate the supplied filename (NVD CVSS 6.5; Cisco PSIRT, 2026-06-15). Writing a JSP/WAR into the Tomcat deploy path yields a web shell and root-level execution, so the modest 6.5 base score understates impact on an exposed network-management plane. Cisco confirms active exploitation and CISA added it to the KEV catalog on 2026-06-15 (BleepingComputer, 2026-06-15). Patch to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2. Full kill-chain, hunt and hardening detail in § 5.

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: no-patch zero-day chain confirmed to push malicious configs to edge devices

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

If you did nothing this week: attackers with netadmin access to your Catalyst SD-WAN Manager can execute arbitrary commands as root and, per NCSC-CH's 5 June advisory update, push malicious configurations to every downstream edge device. No patch exists.

CVE-2026-20245 is a command injection in SD-WAN Manager's CLI file-upload handler (Cisco PSIRT; daily 2026-06-06). An authenticated attacker with netadmin privileges injects arbitrary OS commands that execute as root (T1059.004). In observed limited incidents, exploitation of CVE-2026-20245 resulted in malicious configurations pushed to downstream edge devices — extending attacker control from the management plane into the forwarding plane (NCSC-CH advisory 12579, updated 2026-06-05). The realistic attack path is a three-CVE chain: CVE-2026-20182 provides unauthenticated management-interface access (T1190), CVE-2026-20127 escalates to netadmin (T1078), and CVE-2026-20245 executes OS commands as root. The first two CVEs are patched in post-14-May SD-WAN Manager builds; CVE-2026-20245 has no fix — Cisco's only guidance is management-plane access restriction.

The forwarding-plane impact is the operationally critical new fact from this week: in transit-mode SD-WAN deployments, attacker-controlled edge-device configurations can cascade into routing-table manipulation, traffic interception, and service disruption across every site managed from the compromised Manager instance. Defender actions: apply the post-14-May SD-WAN Manager builds (patches chain entry points CVE-2026-20182/20127); ACL the management interface to a dedicated management VLAN; enforce MFA for netadmin and rotate Manager credentials; hunt the CLI audit log for anomalous file-upload events; and treat any unscheduled edge-device config-push as a hunting trigger.

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch)

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

Cisco has confirmed a second actively-exploited zero-day in Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20245 (Cisco PSIRT; NCSC-CH GovCERT, 2026-06-05). It is a command-injection flaw: an attacker with netadmin privileges can inject arbitrary OS commands that execute as root on the underlying appliance (T1059.004 Unix Shell, following T1078 Valid Accounts). Per Cisco, exploitation requires either valid netadmin credentials or prior exploitation of the pre-auth bypass CVE-2026-20182 (covered in weekly W22) or CVE-2026-20127 — making the realistic path an unauthenticated-to-root chain against an internet-exposed Manager. Cisco states it has "observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices," i.e. the blast radius extends from the management plane to every managed edge router. No fixed release is available; Cisco's only guidance is to restrict management-plane access to trusted hosts and verify edge-device configuration. Detection concepts: review the SD-WAN Manager CLI audit log for unexpected command execution and EDR/host telemetry for shells spawned under the management daemon's service account; treat any unplanned config push to edge devices as a hunting trigger. Hardening: ACL the management interface to a dedicated management VLAN, enforce MFA for netadmin, and rotate Manager credentials given confirmed in-the-wild use.

CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Cisco PSIRT disclosed an SSRF in the Unified CM / Unified CM SME WebDialer service where improper HTTP input validation lets an unauthenticated remote attacker coerce the device into fetching an attacker URL and writing the response to arbitrary OS locations — a write primitive Cisco states "could be used later to elevate to root" via a drop into cron/service directories (Cisco PSIRT, 2026-06-03). Cisco rates it Critical (SIR) despite CVSS 8.6 because of the root path. WebDialer is disabled by default; affected are Release 14 (pre-14SU6) and 15 (pre-15SU5). Cisco reports no confirmed in-the-wild exploitation at disclosure but states that proof-of-concept exploit code is publicly available — which compresses the window before opportunistic exploitation. Disable WebDialer if unused, patch to 14SU6 / apply the Release 15 COP, restrict admin-interface access to management networks, and hunt for unexpected outbound HTTP from Unified CM hosts.

[SINGLE-SOURCE] Cisco Talos maps the DICOM-format attack surface against Orthanc PACS — network-ingested medical images as a heap out-of-bounds-write primitive

From CTI Daily Brief — 2026-05-31 · published 2026-05-31

Cisco Talos published a technical study on 2026-05-28 examining how the DICOM medical-imaging file format yields heap out-of-bounds-write conditions across three parsers — the Python pydicom library, GDCM (Grassroots DICOM), and the parser inside Orthanc, the open-source PACS (Picture Archiving and Communication System) server widely deployed in hospital radiology (Cisco Talos, 2026-05-28). Talos frames the upload/ingestion pathway as the highest-concern surface: hospital PACS routinely auto-ingest DICOM studies received over the network from imaging modalities (CT, MRI, X-ray) via DICOM C-STORE, so a malformed study from any connected modality or compromised upstream institution can directly reach the vulnerable decoder without user action. The write primitive arises from the format's variable-length Value Representation (VR) tag structure combined with lax bounds-checking in heap allocation. The public blog post discloses no CVE identifiers and no exploit code — the underlying technique class is T1190 (exploit public-facing application) where a PACS endpoint is network-reachable, or delivery via a malicious study over DICOM networking. [SINGLE-SOURCE] (Cisco Talos primary research).

Why it matters to us: Swiss cantonal and university hospitals and EU healthcare providers — NIS2 critical entities — universally run PACS/DICOM infrastructure, and Orthanc is common in academic medical centres. The attack surface is structural to how PACS operate (mandatory DICOM connectivity to vendor equipment), so it cannot be closed by patching a single product alone. Defender posture from the research: review network segmentation between PACS servers and clinical workstations; restrict DICOM C-STORE acceptance to known modality Application Entity (AE) titles via the PACS ACL; confirm Orthanc instances run a supported version; treat studies arriving from referring institutions as untrusted input.

Healthcare — administrative and imaging intermediaries remain the soft surface

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Healthcare's exposure this week sat almost entirely in the administrative and imaging layers rather than clinical systems — the same structural lesson W21 drew from the Unimed billing-processor breach. Cisco Talos published a technical tour of the DICOM-format attack surface against Orthanc PACS, showing how network-ingested medical images become a heap out-of-bounds-write primitive precisely because PACS systems automatically ingest files received over the network (2026-05-31). France's CNIL fined IQVIA Operations France €5M for health-data-warehouse security failures — no MFA, no log monitoring, no network segmentation (2026-05-30) — a concrete regulatory marker of what "inadequate" looks like for a health-data processor. And California's AG sued the former 23andMe over the 2023 genetic-data breach (bulk-enumeration coding error plus absent credential-stuffing defences) affecting ~6.9M customers (2026-05-31). For CH/EU healthcare SOCs: treat auto-ingesting imaging pipelines as an untrusted-input attack surface, and read the IQVIA fine as a checklist of the baseline controls a regulator now expects on a health-data store.

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-34926 | Trend Micro Apex One On-Premise | 6.7 | n/a | Yes (2026-05-21) | Yes (ITW) | Build 17079 | Trend Micro
CVE-2025-34291 | Langflow AI Platform | 9.4 (v4) / 8.8 (v3) | n/a | Yes (2026-05-21) | Yes (ITW since Jan 2026) | >= 1.7.0 / 1.9.3 | CISA KEV
CVE-2026-20223 | Cisco Secure Workload | 10.0 | n/a | No | No (disclosed internally) | 3.10.8.3 / 4.0.3.17 | Cisco PSIRT

Cisco Talos: "demo.pdb" BadIIS variant now a commodity MaaS IIS ISAPI backdoor; lwxat developer alias, builder tool recovered

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

Cisco Talos published on 2026-05-19 the first MaaS-ecosystem analysis of a BadIIS variant identifiable by embedded demo.pdb path strings in the ISAPI DLL binary. PDB-metadata correlation traces development to a single developer alias "lwxat" active from at least September 2021 through January 2026, with iterative updates and Norton-AV-specific evasion features. Talos recovered a dedicated builder tool that lets operators generate configuration files and inject parameters into BadIIS ISAPI DLL payloads — traffic redirection to illicit sites, search-engine-crawler proxying, content hijacking, and back-link injection for SEO-fraud monetisation. The ISAPI DLL hooks into the Windows IIS request pipeline by registering as an ISAPI filter or extension (loaded from applicationHost.config or per-site web.config), intercepting HTTP requests to hosted sites and selectively modifying responses — serving different content to crawler vs. human browsers or proxying requests to attacker-controlled infrastructure. Talos describes the geographic distribution as primarily the Asia-Pacific region with a smaller number of compromised servers in South Africa, Europe, and North America; the activity overlaps with the broader DragonRank SEO-poisoning ecosystem Talos previously documented under the actor cluster UAT-8099. BadIIS itself is not a vulnerability — it requires a prior IIS-server compromise (web-shell, vulnerable CMS plugin) to plant the DLL. Detection concepts: enumerate applicationHost.config and each site's web.config for unexpected <isapiFilters> / <httpModules> entries; alert on IIS worker (w3wp.exe) loading DLLs from non-standard paths (Sysmon EID 7); monitor IIS response-body sizes for anomalies on content that should be static; alert on w3wp.exe initiating outbound HTTP to non-allow-listed destinations. 
Relevance for Swiss / EU public-sector defenders is secondary (regional focus is APAC), but the IIS-pipeline hijack pattern is jurisdiction-agnostic — any organisation with IIS-fronted CMS deployments should run the configuration-enumeration sweep.
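The configuration-enumeration sweep recommended above, as an added example that is not Talos's code: it reads an applicationHost.config (a per-site web.config carrying the same elements can be fed to the same function), walks the native extension points that load a DLL into the IIS pipeline (globalModules, isapiFilters and the isapiCgiRestriction list) and flags any DLL path outside the trusted install roots. The trusted-root list and the sample configuration are constructed assumptions for the example.

```python
"""Enumerate IIS native extension points (ISAPI filters, global modules,
ISAPI/CGI restrictions) and flag DLL paths outside the trusted install roots."""
import xml.etree.ElementTree as ET

# Assumption: on a default IIS install the native DLLs live under these roots;
# anything else (inetpub, Temp, ProgramData, user profiles) deserves review.
TRUSTED_ROOTS = (
    "%windir%\\system32\\inetsrv\\",
    "%systemroot%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
)

# (XPath relative to <configuration>, attribute that holds the DLL path)
NATIVE_HOOKS = (
    (".//globalModules/add", "image"),
    (".//isapiFilters/filter", "path"),
    (".//isapiCgiRestriction/add", "path"),
)


def _normalise(path: str) -> str:
    return path.strip().lower().replace("/", "\\")


def is_trusted_path(path: str) -> bool:
    n = _normalise(path)
    return any(n.startswith(root) for root in TRUSTED_ROOTS)


def audit_iis_config(xml_text: str) -> list:
    """Return one finding per native hook whose DLL sits outside TRUSTED_ROOTS."""
    root = ET.fromstring(xml_text)
    findings = []
    for xpath, attr in NATIVE_HOOKS:
        for el in root.findall(xpath):
            dll = el.get(attr, "")
            if not dll or is_trusted_path(dll):
                continue
            findings.append({
                "hook": xpath.split("/")[-2],
                "name": el.get("name", el.get("description", "")),
                "dll": dll,
                # filters carry enabled=..., restriction entries carry allowed=...
                "enabled": el.get("enabled", el.get("allowed", "true")),
            })
    return findings


# Constructed applicationHost.config excerpt: two stock entries, two planted ones.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="CacheModule" image="C:\\Windows\\Temp\\cache\\mod.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_32bit" path="%windir%\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_filter.dll" enabled="true" />
      <filter name="Compression" path="C:\\inetpub\\bin\\compress.dll" enabled="true" />
    </isapiFilters>
    <security>
      <isapiCgiRestriction>
        <add path="%windir%\\System32\\inetsrv\\asp.dll" allowed="true" description="Active Server Pages" />
      </isapiCgiRestriction>
    </security>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for finding in audit_iis_config(SAMPLE_CONFIG):
        print(finding)
```

Every finding is a DLL that w3wp.exe will load, so the output is the list to reconcile against the Sysmon EID 7 loads the item mentions; a path under inetpub or a temp directory that nobody can attribute to a known product is the BadIIS planting pattern.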

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin across all tenants, no workaround

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

An access-validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform, lets an unauthenticated network attacker obtain Site Admin privileges across all tenants (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). There is no workaround — patching is the only remediation. No confirmed exploitation yet, but a perfect-10 zero-auth admin bug on a segmentation controller is an attractive target: compromise of the micro-segmentation fabric undermines every downstream lateral-movement control. NCSC.ch carried it on the Cyber Security Hub (post 12588). Patch on the highest-priority schedule and restrict management-plane network reachability in the interim.

Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: any Catalyst SD-WAN Manager or Controller with an internet-reachable management plane has been within UAT-8616's active exploitation window per Cisco Talos's 2026-05-14 timeline — with full fabric-takeover capability via a pre-authentication HTTP-header parsing bypass in the NETCONF gateway. The published kill chain is HTTP-header injection → authentication bypass → vManage administrative API → orchestrator-level configuration push → arbitrary device-config rewrite across every fabric member. Patches are available (vManage 20.13.4 / 20.12.6 / 20.9.7 / earlier branches per Cisco PSIRT); CISA issued Emergency Directive ED-26-03 on 2026-05-15 mandating identification, mitigation, and reporting for US federal civilian agencies with a 2026-05-17 (today) deadline (Cisco PSIRT; CISA ED-26-03; daily 2026-05-15).

What makes the SD-WAN picture operationally critical for Swiss / EU defenders even after the patches land is the approximately 10 additional intrusion clusters Talos and CISA jointly identified exploiting February-2026 Catalyst SD-WAN companion CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 — patched in Q1 2026 but with public-PoC availability that drove a wave of secondary exploitation against organisations that lagged the original patch). The 10-cluster figure indicates the SD-WAN attack surface is being mined systematically by multiple unrelated operators, not just UAT-8616, so the hunt is not bounded to a single named cluster's TTPs: review vmanage_event and NETCONF-gateway logs for any 401/403→200 transitions on /dataservice/* endpoints from external source IPs across the entire Q1-2026 → present window, and assume any unpatched device has been visited.
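The 401/403→200 review described above, as an added example that is not Talos's, CISA's or Cisco's code: it parses access-log lines, keeps the last denied /dataservice/* request per source address, and reports a source that was denied and then served 200 on the same API surface. The log format, the internal-network list and the sample lines are constructed assumptions; adjust LOG_RE to the real vmanage_event or web-server layout and INTERNAL_NETS to your own management ranges.

```python
"""Scan SD-WAN Manager HTTP access logs for an external source that was denied
on /dataservice/* and then served 200 on the same API surface."""
import ipaddress
import re

# Assumption: Apache combined-style lines; the layout is constructed to match
# the sample below and must be adapted to the real log format in use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Assumption: these are the only ranges treated as internal; everything else
# (including documentation ranges used in the sample) counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line: str):
    """Return the parsed fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_denied_then_allowed(lines, prefix: str = "/dataservice/") -> list:
    """Per external source IP, pair the most recent 401/403 on the API prefix
    with the next 200 on the same prefix. Each pair is one review candidate."""
    last_denied = {}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix) or not is_external(rec["ip"]):
            continue
        ip = rec["ip"]
        if rec["status"] in (401, 403):
            last_denied[ip] = rec
        elif rec["status"] == 200 and ip in last_denied:
            hits.append({"ip": ip, "denied": last_denied.pop(ip), "allowed": rec})
    return hits


# Constructed sample: one external transition, one internal transition (ignored),
# one external source that stays denied, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2026:10:14:01 +0000] "GET /dataservice/client/server HTTP/1.1" 401 72 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2026:10:14:03 +0000] "GET /dataservice/client/server HTTP/1.1" 200 1583 "-" "Mozilla/5.0"
10.20.30.40 - - [03/Mar/2026:10:15:10 +0000] "GET /dataservice/device HTTP/1.1" 401 72 "-" "Mozilla/5.0"
10.20.30.40 - - [03/Mar/2026:10:15:40 +0000] "GET /dataservice/device HTTP/1.1" 200 9312 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2026:10:16:00 +0000] "GET /dataservice/device HTTP/1.1" 403 72 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2026:10:16:02 +0000] "GET /dataservice/device HTTP/1.1" 403 72 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in find_denied_then_allowed(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["denied"]["ts"], "->", hit["allowed"]["ts"], hit["allowed"]["path"])
```

A normal operator session also produces a denied request followed by a 200 once the login completes, so the candidates still need a look at what sits between the two lines; a transition with no intervening login request, or from a source that should never reach the management plane at all, is the one to escalate. Run it over the whole Q1-2026 → present window, not just the days around the advisory.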

CISA Emergency Directive ED-26-03 — Cisco Catalyst SD-WAN

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Issued 2026-05-15 mandating identification, mitigation, and reporting on CVE-2026-20182 for US federal civilian agencies with a 2026-05-17 (today) deadline. For Swiss / EU public-sector defenders the US-FCEB compliance date itself is not operational signal (per the inherited PD-13) but the issuance of an Emergency Directive is. Use the ED's mitigation matrix as a reference for your own SD-WAN response posture (CISA ED-26-03; Daily 2026-05-15).

UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

Cisco Talos published an updated exploitation bulletin on 2026-05-14 documenting active, in-the-wild exploitation of CVE-2026-20182 — a complete pre-authentication bypass in the Cisco Catalyst SD-WAN Controller — by UAT-8616, a highly sophisticated actor assessed to have operated against Cisco SD-WAN infrastructure since at least 2023 with ORB-network-hosted tooling (Cisco Talos, 2026-05-14). Separately, at least 10 additional less-sophisticated threat clusters (Cluster #1 through #10 in Talos's taxonomy) have been exploiting the companion February 2026 CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) since March 2026 (Rapid7, 2026-05-14). Post-exploitation activity includes deployment of Godzilla, Behinder, and XenShell webshells; AdaptixC2, Sliver, and Nimplant C2 frameworks; XMRig cryptomining; and log-wiping to remove syslog, wtmp, and lastlog artefacts. UAT-8616 additionally performs a targeted version-downgrade to re-expose CVE-2022-20775 (local privilege escalation to root), then restores the original version to erase the downgrade trace. CISA issued Emergency Directive ED-26-03 on 2026-05-14 designating this the sixth Cisco SD-WAN CVE exploited in 2026; companion CVEs CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 were being exploited by multiple clusters since March 2026. Snort detection signatures: 66482–66483 (CVE-2026-20182), 66468–66469 (CVE-2026-20133), 66461–66462 (CVE-2026-20122). Hunt: look for unexpected NETCONF sessions on TCP/830 from Controller processes; additions to /home/vmanage-admin/.ssh/authorized_keys; out-of-sequence software downgrade/upgrade log events in vManage; and peer registrations from unknown ASNs in show sdwan control connections.

CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-20182 (CVSS 10.0, CWE-287) is a complete authentication bypass in the vdaemon service's DTLS control-plane peering on UDP/12346 (Cisco PSIRT cisco-sa-sdwan-rpa2-v69WY2SW, 2026-05-14 · Rapid7, 2026-05-14). The vbond_proc_challenge_ack() function processes CHALLENGE_ACK messages without checking the claimed device type: a connecting device claiming type 2 (vHub) using a self-signed certificate is unconditionally marked as authenticated. The attacker then sends MSG_VMANAGE_TO_PEER (message type 14) to inject an SSH public key into /home/vmanage-admin/.ssh/authorized_keys, achieving persistent SSH access to the SD-WAN Manager on NETCONF port TCP/830. From there, the attacker has full control of SD-WAN fabric configuration, routing policy, and can read or modify all managed-site configurations. Added to CISA KEV on 2026-05-14 with active exploitation confirmed. No workaround exists; network segmentation of the UDP/12346 interface is the only partial mitigation where upgrading is not immediately possible. Fixed: 20.9.9.1, 20.12.5.4/6.2/7.1, 20.15.4.4/5.2, 20.18.2.2, 26.1.1.1.