No Patch, Active Exploitation: What This Week's Cisco and SolarWinds Flaws Mean for Your Business


Two confirmed, actively exploited vulnerabilities surfaced this week. Both are on CISA’s Known Exploited Vulnerabilities catalog. One has no patch at time of writing. The noise around them has been considerable. The signal is more precise than most coverage suggests.

Here is what the data shows.

CVE-2026-20245: Cisco Catalyst SD-WAN Manager, No Fix, Active Exploitation

Cisco confirmed active exploitation of CVE-2026-20245 on 6 June 2026. The vulnerability sits in the command-line interface of Cisco Catalyst SD-WAN Manager. CVSS score: 7.8. Classification: high severity.

The mechanism is specific. An authenticated attacker with local access can exploit insufficient validation of user-supplied input to escalate their privileges to root. That means someone who already has a foothold on the system can convert limited access into complete control.

The critical detail for UK small businesses: there is no patch available. Cisco’s mitigation guidance at time of writing is to restrict CLI access and monitor for suspicious activity. That is not a fix. That is a compensating control.

Why does this matter if you are running a 15-person accountancy practice in Bristol or a logistics firm in Manchester? Because SD-WAN is infrastructure that managed service providers frequently deploy on behalf of clients. You may be running Cisco Catalyst SD-WAN without knowing the brand name. Ask your MSP directly: are any systems in our environment running Cisco Catalyst SD-WAN Manager, and have you assessed our exposure to CVE-2026-20245?

If they cannot answer that question by end of day, that is a problem worth documenting.

CVE-2026-28318: SolarWinds Serv-U, CISA KEV Confirmed

CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog this week. The vulnerability affects SolarWinds Serv-U, a multi-protocol file server used for managed file transfer. Classification: high severity.

The flaw enables a denial-of-service condition. On its own, a DoS vulnerability looks less alarming than remote code execution. The risk calculus changes when you consider how these flaws are used in practice: DoS conditions in file transfer software are frequently chained with other weaknesses to force failover states, disrupt logging, or create windows for further exploitation.

SolarWinds carries specific historical weight. The 2020 supply chain compromise affected thousands of organisations globally, including UK public sector bodies. Threat actors have continued to target SolarWinds products because the installed base remains large and the software sits in privileged network positions.

If your business uses any managed file transfer service, ask your IT provider whether Serv-U is in the stack. If it is, ask whether the vendor patch has been applied and what monitoring is in place.

The Supply Chain Problem Nobody Talks About Plainly

Both of these vulnerabilities share a characteristic that matters more than the technical details. They are not in software you probably chose deliberately. They are in infrastructure software that sits beneath your visible technology layer, managed by third parties on your behalf.

This is the supply chain risk that security briefings understate. Your MSP’s tooling is part of your attack surface. Their unpatched systems can become your incident.

The NCSC’s supply chain security guidance is explicit on this point: organisations should understand what software their suppliers are running on their behalf and what patch management processes those suppliers follow. Most UK SMBs have never asked their MSP this question. Most MSPs have never been asked.

That asymmetry is where incidents originate.

Why This Gives You a Practical Edge

Businesses that ask these questions are genuinely harder to compromise than those that do not. The attacker’s economics are straightforward: move to the next target when resistance appears. A client who asks their MSP pointed questions about patch status and compensating controls on actively exploited CVEs is a more expensive target than one who trusts implicitly.

This is also a procurement differentiator. If you are bidding for contracts with larger organisations, demonstrating that you actively monitor threat intelligence and hold your suppliers accountable is a concrete, verifiable security posture. It is the difference between saying “we take security seriously” and showing the evidence.

Cyber Essentials certification requires you to keep software patched. That requirement extends, in practice, to asking whether the managed services you rely on are meeting the same standard.

Making the Business Case

Three points worth raising with your board or owner-director this week:

Known Exploited means actively targeted now, not theoretically. CISA’s KEV catalog is not a risk forecast. It is a confirmed exploitation list. Both of this week’s entries represent real attacks happening in the real world against real organisations.

No patch available does not mean no action available. Compensating controls, access restrictions, and network segmentation can reduce exposure while vendors develop fixes. These controls require someone to implement them. That is a legitimate budget conversation.

Your MSP’s security posture is your security posture. If their infrastructure is compromised, your data is at risk. The contract with your MSP should include patch management obligations and incident notification timelines. If it does not, that gap needs closing.

What to Do Before Friday

  1. Ask your MSP or IT provider in writing whether any systems in your environment are running Cisco Catalyst SD-WAN Manager or SolarWinds Serv-U. Request a written response. A verbal “we’ll look into it” is not sufficient.

  2. If Cisco SD-WAN Manager is present, confirm that CLI access has been restricted to authorised personnel only and that enhanced monitoring is active. Document the conversation.

  3. If SolarWinds Serv-U is present, confirm whether the vendor patch for CVE-2026-28318 has been applied and request the patch date. If it has not been applied, ask for the remediation timeline.

  4. Review your MSP contract for patch management obligations. Specifically: what is their SLA for applying patches to actively exploited vulnerabilities? If there is no clause, raise it at the next review.

  5. Log this week’s events in your risk register. Even if your environment is not affected, recording that you assessed exposure and confirmed status is evidence of due diligence. It matters for cyber insurance claims and regulatory discussions.
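
The cross-check behind steps 1 to 5, as an added example that is not part of the original article: it matches an MSP's written inventory against KEV entries and produces one risk-register row per finding, including a row when a product is not present. The KEV sample follows the field names of CISA's JSON feed; the inventory, host names, the patch date and the `control_confirmed` field are constructed assumptions.

```python
import json

# Constructed sample using field names from CISA's KEV JSON feed
# (cveID, vendorProject, product); only the article's two CVEs are listed.
KEV = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2026-20245", "vendorProject": "Cisco",
  "product": "Catalyst SD-WAN Manager"},
 {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds",
  "product": "Serv-U"}]}""")

# Per the article, no vendor fix existed for this CVE at time of writing.
NO_PATCH = {"CVE-2026-20245"}

def norm(text):
    """Case- and whitespace-insensitive form for comparing product names."""
    return " ".join(text.casefold().split())

def assess(inventory, kev=KEV, no_patch=NO_PATCH):
    """One register row per (KEV entry, matching host); a KEV entry with
    no matching host still gets a row, as evidence it was assessed."""
    rows = []
    for vuln in kev["vulnerabilities"]:
        hits = [a for a in inventory
                if norm(a["vendor"]) == norm(vuln["vendorProject"])
                and norm(vuln["product"]) in norm(a["product"])]
        if not hits:
            rows.append((vuln["cveID"], None, "not present, assessed"))
        for asset in hits:
            if vuln["cveID"] in no_patch:
                # No fix to apply: track the compensating control instead.
                ok = asset.get("control_confirmed", False)
                status = "no patch, control " + ("confirmed" if ok else "UNCONFIRMED")
            elif asset.get("patch_date"):
                status = "patched " + asset["patch_date"]
            else:
                status = "patch OUTSTANDING"
            rows.append((vuln["cveID"], asset["host"], status))
    return rows

# Constructed inventory (hypothetical hosts and dates), as transcribed
# from an MSP's written reply.
SAMPLE_INVENTORY = [
    {"host": "sdwan-mgr-01", "vendor": "cisco",
     "product": "Catalyst SD-WAN  Manager", "control_confirmed": False},
    {"host": "mft-01", "vendor": "SolarWinds", "product": "Serv-U MFT Server"},
    {"host": "mft-02", "vendor": "SolarWinds", "product": "Serv-U",
     "patch_date": "2026-06-10"},
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(row)
```

Product matching here is a substring comparison on names, so treat a hit as a prompt to confirm with the provider rather than as proof of exposure.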

Sources

  • CISA: Known Exploited Vulnerabilities Catalog
  • The Hacker News: Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available
  • The Hacker News: CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog
  • Cyber Security News: CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks
  • TheCyberThrone: CVE-2026-20245: Cisco Catalyst SD-WAN Manager Privilege Escalation
  • NCSC: Supply Chain Security Guidance
  • NCSC: Cyber Essentials: Requirements for IT Infrastructure
