The Weekly Packet

Networking, IT, and the week in security. Plain language. No vendor pitch.

The Management Plane Is the New Target

CISA added three Cisco Catalyst SD-WAN Manager CVEs to its Known Exploited Vulnerabilities list this week. Not theoretical. Not "could be exploited under specific conditions." Actively being used right now. The CVEs cover privilege abuse, passwords stored in recoverable format, and sensitive data exposure. If you're running SD-WAN Manager unpatched, someone is looking for you.

But the specific CVEs aren't really the story. The target is.

Quick primer: the three planes of a network

If you're newer to networking, you've probably heard the terms thrown around but maybe never had them explained cleanly. Every network device operates across three distinct planes, and understanding the difference matters a lot here.

The data plane is the actual traffic. Your email, your video call, the file you're downloading. It's packets moving from point A to point B. This is what most people think of when they think of "the network."

The control plane is what decides where that traffic goes. Routing protocols live here. OSPF, BGP, EIGRP are all control plane functions. The control plane builds the map. The data plane follows it.

The management plane is how you, the engineer, talk to the device. SSH sessions, web interfaces, SNMP, APIs. Anything used to configure, monitor, or administer network equipment is management plane traffic. It's separate from the other two on purpose. You don't want someone's Netflix stream competing with your ability to log into a router during an outage.

Most attacks historically targeted the data plane or exploited the control plane. The management plane was an afterthought for attackers because it was harder to reach. That's changed.
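To make the three-plane split concrete, here is a small added example (mine, not from the newsletter or from Cisco) that sorts flow records into data, control and management plane and then flags management-plane sessions that did not come from the management network. The subnet, device addresses and flow records are all constructed; the port-to-protocol tables are standard values.

```python
"""Added example, not from The Weekly Packet: sort flow records into the
three planes and flag management-plane sessions that did not originate on
the management network. Every address, subnet and flow below is constructed."""
import ipaddress
from collections import Counter

# Assumptions for the example: an out-of-band management subnet and the
# addresses of the network devices themselves.
MGMT_NET = ipaddress.ip_network("10.250.0.0/24")
DEVICE_IPS = {"10.250.0.10", "10.1.1.1", "10.1.1.2"}
# RFC 1918 space listed explicitly: ipaddress.is_private also treats the
# documentation ranges (203.0.113.0/24 etc.) as private, which would hide
# the "from the internet" case in the sample data.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Control plane: routing protocols (IP protocol numbers, or BGP's TCP port).
CONTROL_PROTOS = {89: "OSPF", 88: "EIGRP"}
CONTROL_PORTS = {179: "BGP"}
# Management plane: the ways an engineer (or an attacker) talks to the device itself.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 161: "SNMP", 443: "HTTPS", 830: "NETCONF"}

# Constructed flow records. proto 6 = TCP, 17 = UDP, 89 = OSPF.
FLOWS = [
    {"src": "203.0.113.7",   "dst": "10.250.0.10",  "proto": 6,  "dport": 443},   # public -> controller web UI
    {"src": "10.250.0.5",    "dst": "10.250.0.10",  "proto": 6,  "dport": 22},    # jump host -> controller SSH
    {"src": "10.1.1.1",      "dst": "10.1.1.2",     "proto": 89, "dport": None},  # OSPF between routers
    {"src": "10.1.1.1",      "dst": "10.1.1.2",     "proto": 6,  "dport": 179},   # BGP session
    {"src": "192.168.10.20", "dst": "198.51.100.9", "proto": 6,  "dport": 443},   # a user's browser
    {"src": "10.20.0.9",     "dst": "10.250.0.10",  "proto": 17, "dport": 161},   # SNMP poll from a user VLAN
]

def classify(flow):
    """Return (plane, label) for one flow record."""
    proto, dport = flow["proto"], flow["dport"]
    if proto in CONTROL_PROTOS:
        return "control", CONTROL_PROTOS[proto]
    if proto == 6 and dport in CONTROL_PORTS:
        return "control", CONTROL_PORTS[dport]
    # Port 443 is management plane only when the destination is a device,
    # not when a user happens to be browsing somewhere on the same port.
    if flow["dst"] in DEVICE_IPS and dport in MGMT_PORTS:
        return "management", MGMT_PORTS[dport]
    return "data", "user traffic"

def plane_counts(flows):
    """How much of the sample is on each plane."""
    return Counter(classify(f)[0] for f in flows)

def exposed_management(flows):
    """Management-plane flows whose source is outside MGMT_NET.
    'internet' means the source is not even RFC 1918 space."""
    findings = []
    for f in flows:
        plane, label = classify(f)
        if plane != "management":
            continue
        src = ipaddress.ip_address(f["src"])
        if src in MGMT_NET:
            continue
        reach = "lateral" if any(src in n for n in RFC1918) else "internet"
        findings.append((f["src"], f["dst"], label, reach))
    return findings

if __name__ == "__main__":
    print(dict(plane_counts(FLOWS)))
    for src, dst, label, reach in exposed_management(FLOWS):
        print(f"{reach:8} {src} -> {dst} ({label})")
```

The two findings it prints are the ones that matter: a controller web UI reached from a public address, and an SNMP poll from a user VLAN that should have come from the management network. The browser session on port 443 is left alone because its destination is not a device, which is the distinction that makes "port 443" useless on its own as a management-plane signal.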

Why the management plane is now the prize

SD-WAN Manager isn't a router. It's the system that tells all your routers what to do. Policy, routing decisions, trust relationships, connectivity across your entire WAN. All of it is configured and pushed through Manager. In a traditional network you'd have to compromise devices one at a time. In an SD-WAN environment, compromising Manager means you didn't lose a site. You handed someone the keys to the whole overlay at once.

Attackers have figured this out. The management plane is high-value, often under-hardened, and in a lot of environments it's sitting on a VM somewhere with a web interface that's more reachable than it should be. I've seen SD-WAN Manager accessible from the internet in production. When I point it out it's usually "oh yeah we meant to fix that." Cool.

This isn't just a Cisco problem. Whatever platform sits above your data plane and makes decisions for the rest of the network is a target: cloud controllers, NMS platforms, zero-trust policy engines. If it has authority over everything else, attackers want it.

For SD-WAN Manager specifically: patch to the fixed versions in Cisco's advisory, get management access off any internet-reachable path, and go look at who actually has admin rights. That last one is always worse than you expect.
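The "who actually has admin rights" check is the one people skip because it feels manual. Here is an added example (mine, not from the newsletter or any vendor) that runs the obvious questions over an exported admin list: who has never logged in, who has been idle for months, whose password is ancient, and which service accounts are sitting in the admin role. The export format, the accounts, the dates and the 90-day and 365-day thresholds are all constructed for the example.

```python
"""Added example, not from The Weekly Packet: audit an exported admin list
from a management platform for idle admins, old passwords and service
accounts holding admin. The export format, accounts and dates are constructed."""
from datetime import date

TODAY = date(2026, 4, 17)        # fixed so the numbers are reproducible
STALE_LOGIN_DAYS = 90            # policy thresholds assumed for the example
MAX_PASSWORD_AGE_DAYS = 365

# Constructed export: one row per account on a management platform.
ACCOUNTS = [
    {"user": "kevin",         "role": "admin",    "kind": "human",   "last_login": "2026-04-15", "pw_changed": "2026-01-10"},
    {"user": "contractor-jm", "role": "admin",    "kind": "human",   "last_login": "2025-09-02", "pw_changed": "2025-09-02"},
    {"user": "svc-backup",    "role": "admin",    "kind": "service", "last_login": "2026-04-16", "pw_changed": "2024-03-01"},
    {"user": "netops-ro",     "role": "readonly", "kind": "human",   "last_login": "2026-04-10", "pw_changed": "2026-04-01"},
    {"user": "old-vendor",    "role": "admin",    "kind": "human",   "last_login": None,         "pw_changed": "2023-07-19"},
]

def days_since(iso_date, today=TODAY):
    """Whole days between an ISO date string and today."""
    return (today - date.fromisoformat(iso_date)).days

def audit(accounts, today=TODAY):
    """Return (user, issue_code, detail) for every admin account that fails a check."""
    findings = []
    for a in accounts:
        if a["role"] != "admin":
            continue                      # read-only accounts are not the point of this pass
        if a["last_login"] is None:
            findings.append((a["user"], "never_logged_in", "admin account has never been used"))
        else:
            idle = days_since(a["last_login"], today)
            if idle > STALE_LOGIN_DAYS:
                findings.append((a["user"], "stale_login", f"last login {idle} days ago"))
        age = days_since(a["pw_changed"], today)
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["user"], "password_age", f"password is {age} days old"))
        if a["kind"] == "service":
            findings.append((a["user"], "service_admin", "service account holds the admin role"))
    return findings

if __name__ == "__main__":
    for user, code, detail in audit(ACCOUNTS):
        print(f"{user:14} {code:16} {detail}")
```

Five findings out of four admin accounts in a five-row sample is about the ratio you should expect the first time you do this on a real platform. The point of the issue codes is that each one maps to a decision: remove the account, rotate the secret, or move the service account to a narrower role.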

Practical things to check this week

→  Pull the admin list for every management platform you run. Who's on the list? When did they last log in? Any service accounts with passwords that haven't rotated in two years? (There are.)

→  Is your management plane internet-reachable? SD-WAN Manager, vManage, Meraki, whatever you're running. If yes, that's not a backlog item.

→  Bookmark cisa.gov/known-exploited-vulnerabilities-catalog. Anything on that list is actively being exploited. It should factor into how you prioritize patches, not get discovered after the fact.

→  Cisco's advisory covers affected and fixed versions for CVE-2026-20122, -20128, and -20133. Know where you stand before end of week.
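Bookmarking the KEV catalog is step one; using it is step two. This added example (mine, not CISA's code and not from the newsletter) cross-references the CVEs you know are on your hosts against a KEV-shaped feed and orders the patch queue so KEV entries come first, earliest due date first. The KEV excerpt is constructed: the field names follow the published JSON feed, but the due dates and ransomware flags are made up for the example, the host inventory is invented, and CVE-0000-00000 is a placeholder for something not on the list.

```python
"""Added example, not from The Weekly Packet: cross-reference the CVEs you
know you have against a KEV-shaped feed and order the patch queue so KEV
entries come first. The KEV excerpt is constructed (field names follow the
published feed; dates and flags are made up) and so is the inventory."""
import json

# The published feed, if you want to swap the constructed excerpt for the real thing:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint",
     "dueDate": "2026-04-21", "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply mitigations per vendor instructions."},
]})

# Constructed inventory: which CVEs you believe apply to which host.
INVENTORY = [
    {"host": "sdwan-mgr-01", "cves": ["CVE-2026-20122", "CVE-2026-20128", "CVE-2026-20133"]},
    {"host": "sp-web-01",    "cves": ["CVE-2026-32201"]},
    {"host": "file-srv-02",  "cves": ["CVE-0000-00000"]},   # placeholder id, not in KEV
]

def kev_index(feed_text):
    """Map cveID -> KEV entry."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}

def tier(entry):
    """1 = KEV with known ransomware use, 2 = KEV, 3 = not in KEV."""
    if entry is None:
        return 3
    return 1 if entry.get("knownRansomwareCampaignUse") == "Known" else 2

def prioritize(inventory, feed_text):
    """One row per (host, CVE), KEV entries first, earliest due date first."""
    index = kev_index(feed_text)
    rows = []
    for host in inventory:
        for cve in host["cves"]:
            entry = index.get(cve)
            rows.append({
                "host": host["host"], "cve": cve, "tier": tier(entry),
                "due": entry["dueDate"] if entry else None,
                "action": entry["requiredAction"] if entry else "normal patch cycle",
            })
    # Tier, then due date (no date sorts last), then CVE id for a stable order.
    rows.sort(key=lambda r: (r["tier"], r["due"] or "9999-12-31", r["cve"]))
    return rows

if __name__ == "__main__":
    for r in prioritize(INVENTORY, KEV_JSON):
        print(f"tier {r['tier']}  {r['host']:14} {r['cve']:16} due {r['due'] or '-'}  {r['action']}")
```

Run weekly against the real feed and your own inventory, this is the difference between "prioritize by CVSS" and "prioritize by what is actually being exploited," which is what the KEV list exists for. The due date in each entry is the deadline CISA sets for federal agencies; it is a reasonable outer bound for anyone else.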

Also worth knowing

3 million compromised devices, four botnets, one takedown

US, German, and Canadian law enforcement dismantled four botnets made up of routers, webcams, and DVRs running weak or default credentials. The devices were being rented out as a service and had been used to hit US Department of Defense infrastructure. The takedown is good news. The 3 million number is not.

Attacks on US critical infrastructure via exposed OT devices

CISA issued a joint advisory on escalating attacks against US critical infrastructure through internet-exposed OT devices. Attack vectors are embarrassingly basic: public-facing industrial control interfaces, no MFA, default credentials. Targets include water, energy, and local government systems. If your work touches OT or ICS, read the advisory.

April Patch Tuesday: 164 CVEs, two zero-days

Microsoft patched 164 CVEs including two zero-days: one in SharePoint (CVE-2026-32201, actively exploited) and one in Defender. Don't let this cycle slip.

Booking.com breach: no payment data, but worse in a different way

Names, emails, addresses, phone numbers, and full reservation details exposed for an undisclosed number of users. The reason this matters for IT and security people: reservation context makes social engineering very convincing. Someone who knows your employee is in Amsterdam on Tuesday and staying at a specific hotel can write a believable email. Worth a heads-up to your team if your org books travel through Booking.com.

The Weekly Packet by Kevin Nanns

Network engineer. Content creator. adjacentnode.com
