The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

The inclusion of these vulnerabilities in the KEV Catalog confirms that threat actors are actively exploiting affected systems. KEV-listed vulnerabilities receive heightened attention because they represent real-world risks rather than theoretical security weaknesses.

Through this blog, we will understand what the vulnerability is about, the threat posed by the vulnerability, and some of the security actions that organizations can take to prevent/mitigate the threats posed by the vulnerability.

About the vulnerability

What can attackers do with vulnerability?

Directory traversal vulnerabilities like the Cisco Catalyst SD-WAN Manager flaw occur when an application improperly validates user-supplied file paths, potentially allowing attackers to access restricted files, configuration data, credentials, or sensitive system resources outside intended directories.

Given SD-WAN Manager’s role as a centralized network management platform, successful exploitation could provide attackers with access to highly sensitive network management functions and enterprise infrastructure.

Symlink-following vulnerabilities like the LiteSpeed cPanel Plugin flaw occur when applications improperly trust symbolic links created by users or processes. An attacker may abuse these conditions to access unauthorized files, manipulate application behavior, or escalate privileges depending on the affected environment.

In shared hosting environments, such vulnerabilities can present significant risks because compromise of a single tenant account may lead to broader server-level impact.

• By exploiting the vulnerabilities, the attackers can:
• Gain unauthorized access to sensitive system files, configuration files, and credentials
• Break into SD-WAN management infrastructure
• Gain administrative control of networking environments
• Escalate privileges within hosting environments
• Gain unauthorized access to hosted websites and applications
• Steal and exfiltrate data
• Laterally move across enterprise infrastructure
• Disrupt service and operations
• Deploy ransomware after initial access

SharkStriker’s recommendations

To reduce the risk associated with these actively exploited vulnerabilities, SharkStriker recommends implementing the following defensive measures:

Prioritize Immediate Patching

Apply vendor-provided updates and security fixes for affected Cisco SD-WAN Manager and LiteSpeed cPanel Plugin deployments as soon as operationally possible.

Review Internet-Facing Assets

Identify all exposed SD-WAN management interfaces and cPanel hosting environments within your infrastructure and verify patch status.

Conduct Compromise Assessment

Because active exploitation has been confirmed, organizations should not assume patching alone is sufficient. Review the following for signs of historical compromise.

• Authentication logs
• Administrative activity
• Configuration changes
• File access records
• User account modifications

Restrict Administrative Access

Limit access to management interfaces through:

• VPN-only access
• Network segmentation
• IP allowlisting
• Multi-factor authentication (MFA)

Monitor for Suspicious Activity

Investigate indicators such as:

• Unauthorized configuration changes
• Unexpected administrative logins
• Unusual file access activity
• Unexpected creation of symbolic links
• Privilege escalation attempts

Strengthen Detection Coverage

Ensure SIEM, EDR, and network monitoring platforms are configured to detect:

• Directory traversal exploitation attempts
• Suspicious file access patterns
• Privilege escalation behavior
• Administrative account abuse
• Unauthorized network configuration changes

Review Shared Hosting Security Controls

• Organizations utilizing LiteSpeed and cPanel should validate tenant isolation controls and review access permissions to minimize the impact of potential exploitation.

Maintain Continuous Vulnerability Monitoring

• Monitor CISA KEV updates, vendor advisories, and threat intelligence sources for additional information, indicators of compromise, and future exploitation activity associated with these vulnerabilities.