Cisco Catalyst SD-WAN — 32 New Source Findings
What changed vs yesterday
Confidence: High
Yesterday led on CISA KEV CVE-2026-20182, Windows BitLocker/CTFMON monitoring and PAN-OS CVE-2026-0264. Today’s approved packet is different: it contains 32 NEW findings and no active-exploitation claim. The practical task is to verify exposure, assign owners, and enrich BSI-only advisories before stronger customer language is used.
Finding 1: Cisco Catalyst SD-WAN Controller and Manager need first attention
Confidence: Medium
The highest-priority item is the Cisco Catalyst SD-WAN Controller/Manager pair. BSI marks the Controller issue as critical, with CVSS 9.0, and NCSC-NL corroborates remediation for the SD-WAN platform family.
The action is concrete: verify fixed versions, check exposed administrative paths, and pair Controller and Manager remediation rather than treating them as separate queues.
Finding 2: TanStack/OpenAI supply-chain reporting needs developer-side checks
Confidence: High
The Register, BleepingComputer and The Hacker News report OpenAI as a named victim in a TanStack npm supply-chain compromise. The approved source set does not frame this as current active exploitation in customer environments, but it is still a high-confidence developer-supply-chain watchpoint.
Review lockfiles, developer-device telemetry, token rotation, npm cache history, and macOS patch completion. Keep the language narrow: the finding is about reported supply-chain compromise and exposure validation, not a broader claim about all npm users.
Finding 3: Linux Kernel and GitLab items widen the owner-routing queue
Confidence: Medium
The Linux Kernel Fragnesia item has BSI coverage and The Register corroboration of root-level impact reporting. Separate Linux Kernel BSI records mean kernel triage should not stop at one named issue.
GitLab also enters the queue through a BSI advisory affecting source-code and CI/CD paths. The immediate task is to verify self-managed GitLab exposure and patch level, then route remediation to platform owners.
Finding 4: BSI advisory backlog is broad, but most items remain unverified
Confidence: Unverified
The approved packet includes identity, edge, collaboration, mail, CI/CD, database, endpoint-management, and web-platform items: Microsoft Authenticator, Exchange, NGINX, Mattermost, GitHub Copilot, TeamViewer DEX, aria2, OpenShift, Flowise, HCL BigFix, PostgreSQL, Strapi, MISP, FortiOS, Fleet, Exim, Tomcat, Aruba, BigBlueButton, FortiAuthenticator, Nextcloud, Adobe Connect, Magento, Safari, and MongoDB.
Most are single-source BSI/CERT-Bund records with CVSS values withheld or unknown. That matters. These should drive discovery and enrichment, not inflated “known exploited” messaging.
Complete finding queue
1. UPDATE: Cisco Catalyst SD-WAN Controller critical admin-rights issue
Confidence: Medium
BSI marks the Controller issue critical and NCSC-NL states Cisco Catalyst SD-WAN Controller and Manager vulnerabilities are remediated. Verify fixed versions and exposed admin paths. Source marker: WID-SEC-2026-1534. Active exploitation: no. CVSS: 9.0.
2. UPDATE: Cisco Catalyst SD-WAN Manager multiple vulnerabilities
Confidence: Medium
BSI lists SD-WAN Manager and NCSC-NL corroborates remediation for the platform family. Pair Manager checks with Controller remediation. Source marker: WID-SEC-2026-1540. Active exploitation: no.
3. OpenAI named in TanStack npm supply-chain compromise
Confidence: High
The Register, BleepingComputer, and The Hacker News report OpenAI as a named victim in a TanStack npm supply-chain compromise. Review lockfiles, developer-device telemetry, token rotation, and macOS patch completion. Source marker: TANSTACK-OPENAI-2026-05. Active exploitation: no.
4. Linux Kernel Fragnesia privilege escalation
Confidence: Medium
BSI lists a Fragnesia Linux Kernel administrator-rights issue; The Register corroborates root-level impact reporting. Route to Linux fleet owners for distro and kernel patch mapping. Source marker: WID-SEC-2026-1530. Active exploitation: no.
5. GitLab multiple vulnerabilities
Confidence: Low
BSI added GitLab vulnerabilities affecting source-code and CI/CD paths. Verify self-managed GitLab exposure and patch level. Source marker: WID-SEC-2026-1523. Active exploitation: no.
6. Linux Kernel multiple vulnerabilities
Confidence: Low
A separate BSI Linux Kernel batch means kernel triage should not be limited to Fragnesia. Enrich affected kernel branches and distro errata. Source marker: WID-SEC-2026-1531. Active exploitation: no.
7. Microsoft Authenticator information disclosure
Confidence: Low
BSI added a Microsoft Authenticator information-disclosure advisory. Route to identity and mobile-fleet owners for impact enrichment. Source marker: WID-SEC-2026-1537. Active exploitation: no.
8. Microsoft Exchange Server XSS and spoofing
Confidence: Low
BSI added an Exchange Server XSS/spoofing advisory. Check internet-facing Exchange assets and patch state. Source marker: WID-SEC-2026-1536. Active exploitation: no.
9. NGINX Open Source and NGINX Plus multiple vulnerabilities
Confidence: Low
BSI added NGINX Open Source and NGINX Plus vulnerabilities. Prioritize public web-edge and reverse-proxy inventory. Source marker: WID-SEC-2026-1527. Active exploitation: no.
10. Mattermost Server multiple vulnerabilities
Confidence: Low
BSI added Mattermost Server vulnerabilities. Collaboration platforms may hold credentials, files, and incident-response discussions. Source marker: WID-SEC-2026-1529. Active exploitation: no.
11. Microsoft GitHub Copilot code execution
Confidence: Low
BSI added a GitHub Copilot code-execution advisory. Validate developer tenant, extension, and endpoint exposure. Source marker: WID-SEC-2026-1521. Active exploitation: no.
12. TeamViewer DEX code execution
Confidence: Low
BSI added a TeamViewer DEX code-execution advisory. Remote support tooling should be owner-routed because of high trust. Source marker: WID-SEC-2026-1522. Active exploitation: no.
13. aria2 security-bypass issue
Confidence: Low
BSI added an aria2 security-bypass advisory and the sweep notes it as unpatched. Check automation and build-pipeline use. Source marker: WID-SEC-2026-1524. Active exploitation: no.
14. Red Hat OpenShift code execution and information disclosure
Confidence: Low
BSI added a distinct OpenShift advisory for code execution and information disclosure. Map affected versions and hosted workloads. Source marker: WID-SEC-2026-1550. Active exploitation: no.
15. Flowise multiple vulnerabilities enable code execution
Confidence: Low
BSI added Flowise multiple vulnerabilities with code-execution impact. Check exposed Flowise or internal AI-workflow deployments and restrict admin access pending patch confirmation. Source marker: WID-SEC-2026-1554. Active exploitation: no.
16. HCL BigFix data manipulation and XSS
Confidence: Low
BSI added an HCL BigFix advisory covering data manipulation and XSS. Endpoint-management consoles carry high blast radius. Source marker: WID-SEC-2026-1549. Active exploitation: no.
17. PostgreSQL multiple vulnerabilities
Confidence: Low
BSI added PostgreSQL multiple vulnerabilities. Prioritize multi-tenant, internet-facing, or regulated-service databases. Source marker: WID-SEC-2026-1544. Active exploitation: no.
18. Strapi multiple vulnerabilities
Confidence: Low
BSI added Strapi multiple vulnerabilities. Inventory public Strapi admin panels and API backends. Source marker: WID-SEC-2026-1552. Active exploitation: no.
19. MISP and MISP Modules multiple vulnerabilities
Confidence: Low
BSI added a MISP and MISP Modules advisory. Check threat-intelligence platforms, SOC tooling, and CTI lab instances for MISP exposure. Source marker: WID-SEC-2026-1547. Active exploitation: no.
20. Linux Kernel denial-of-service advisory
Confidence: Low
BSI added a Linux Kernel denial-of-service advisory distinct from earlier Fragnesia and broad kernel records. Queue kernel-owner enrichment. Source marker: WID-SEC-2026-1555. Active exploitation: no.
21. Fortinet FortiOS privilege-escalation advisory
Confidence: Low
BSI added a Fortinet FortiOS privilege-escalation advisory. Route to edge and network owners for inventory and fixed-version lookup. Source marker: WID-SEC-2026-1492. Active exploitation: no.
22. Fleet multiple-vulnerability advisory
Confidence: Low
BSI added a Fleet advisory. Check endpoint-management and device-fleet management inventories. Source marker: WID-SEC-2026-1553. Active exploitation: no.
23. Exim code-execution advisory
Confidence: Low
BSI added an Exim code-execution advisory. Identify internet-facing mail transfer agents and enrich upstream fixed versions. Source marker: WID-SEC-2026-1505. Active exploitation: no.
24. Apache Tomcat multiple vulnerabilities
Confidence: Low
BSI added Apache Tomcat multiple vulnerabilities. Map Tomcat versions in application hosting and middleware estates. Source marker: WID-SEC-2026-1514. Active exploitation: no.
25. Aruba AOS-8 Instant AP and AOS-10 AP multiple vulnerabilities
Confidence: Low
BSI added an Aruba AOS AP advisory. Identify managed Aruba AP estates, owner, firmware branch, and maintenance window. Source marker: WID-SEC-2026-1515. Active exploitation: no.
26. BigBlueButton cross-site scripting
Confidence: Low
BSI added a BigBlueButton XSS advisory. Check education, webinar, and internal meeting deployments for public exposure and custom theme/plugin risk. Source marker: WID-SEC-2026-1501. Active exploitation: no.
27. FortiAuthenticator code execution
Confidence: Low
BSI added a FortiAuthenticator code-execution advisory. Map instances and administrative exposure; notify identity owners after vendor fixed-version enrichment. Source marker: WID-SEC-2026-1509. Active exploitation: no.
28. Nextcloud multiple vulnerabilities
Confidence: Low
BSI added a Nextcloud multiple-vulnerability advisory. Inventory externally reachable Nextcloud and managed file-sharing deployments. Source marker: WID-SEC-2026-1517. Active exploitation: no.
29. Adobe Connect multiple vulnerabilities
Confidence: Low
BSI added an Adobe Connect advisory. Identify training and webinar environments, then enrich fixed versions. Source marker: WID-SEC-2026-1496. Active exploitation: no.
30. Adobe Magento multiple vulnerabilities
Confidence: Low
BSI added an Adobe Magento advisory. Map ecommerce estates using Magento or Adobe Commerce and collect update status. Source marker: WID-SEC-2026-1497. Active exploitation: no.
31. Apple Safari multiple vulnerabilities
Confidence: Low
BSI added an Apple Safari advisory. Confirm macOS and iOS browser patch cadence, especially for privileged endpoints. Source marker: WID-SEC-2026-1543. Active exploitation: no.
32. MongoDB multiple vulnerabilities
Confidence: Low
BSI added a MongoDB advisory. Map MongoDB exposure and managed-service ownership before customer escalation. Source marker: WID-SEC-2026-1516. Active exploitation: no.
Why This Matters
The value today is not a single dramatic exploit story. It is a clean, approved list of assets and product families that need ownership, version mapping, and remediation evidence. That keeps customer communication honest whilst still giving operations teams a practical queue.
Recommended Actions
- Start with Cisco Catalyst SD-WAN Controller/Manager fixed-version verification and exposed-admin-path review.
- Route Linux Kernel, GitLab, TanStack/OpenAI, MISP, Fleet, FortiOS, Exim, Tomcat, FortiAuthenticator, Aruba, Nextcloud, Magento and MongoDB checks to the right owners.
- Treat LOW / UNVERIFIED BSI-only items as enrichment tasks until vendor, NVD, KEV or exploitation evidence appears.
- Keep prior unchanged stories out of today’s customer narrative unless new corroboration changes their status.
All findings grounded in a13e intelligence sweeps through 05:49 UTC 16 May 2026.