The Cisco Zero-Day That Hid for Three Years Shows Why We Need to Rethink Detection

I’ll be honest – when I saw the news about CVE-2026-20127, the maximum-severity Cisco SD-WAN vulnerability that went undetected for three years, my first thought wasn’t about the technical details. It was about all those security assessments where we confidently told clients their networks were secure.

This story, along with some other developments this week, really drives home how attackers are getting better at staying invisible while we’re still playing catch-up with detection.

The Cisco Reality Check

Let’s start with the big one. Cisco’s SD-WAN zero-day wasn’t just another vulnerability – it was exploited by what Cisco describes as “an unknown but sophisticated threat actor who left very little evidence behind” for three entire years.

Think about that timeline. Three years means this vulnerability was being exploited while we were all talking about zero trust, while companies were investing millions in security tools, while we were patching everything else religiously. And nobody knew.

What really gets me is the “very little evidence behind” part. This wasn’t some script kiddie making noise. This was a professional operation that understood how to move through SD-WAN infrastructure without triggering our detection systems. They knew exactly what logs to avoid, what behaviors would blend into normal network traffic, and how to maintain persistence without raising flags.

When Blockchain Becomes the Enemy

While we’re dealing with invisible network intrusions, attackers are also getting creative with infrastructure. The new Aeternum C2 botnet caught my attention because it’s doing something we probably should have seen coming – storing encrypted commands on the Polygon blockchain.

Qrator Labs found that instead of using traditional command-and-control servers that we can take down, Aeternum stores its instructions on a public blockchain. It’s brilliant from an attacker’s perspective and absolutely frustrating from ours.

We’ve spent years getting good at disrupting botnets by going after their infrastructure. Domain takedowns, server seizures, DNS blocking – these have been reliable tools in our playbook. But how do you take down a blockchain? You can’t exactly send a takedown notice to Ethereum.

This isn’t just a technical evolution; it’s attackers learning from our defensive strategies and adapting. They’re using the decentralized nature of blockchain against us, turning a technology designed for transparency and resilience into a weapon for persistence.
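As an added illustration (not code from the article or from Qrator Labs), here is the defender-side angle on the Aeternum pattern: an implant that reads its commands from a public chain still has to talk to an RPC gateway, so the traffic is visible even if the infrastructure can't be taken down. The script scans constructed proxy log lines for repeated Ethereum JSON-RPC read calls from hosts that have no business polling a chain; it assumes the implant uses the standard EVM JSON-RPC API (Polygon is EVM-compatible), which the article does not state, and every IP, hostname and timestamp below is made up.

```python
import json
from collections import defaultdict

# Read-only Ethereum JSON-RPC methods a client needs to fetch data stored on an
# EVM chain such as Polygon (assumption: the implant uses the standard RPC API).
CHAIN_READ_METHODS = {"eth_call", "eth_getLogs", "eth_getTransactionByHash",
                      "eth_getBlockByNumber", "eth_getStorageAt", "eth_blockNumber"}

# Constructed proxy log lines (tab-separated: time, source IP, destination host,
# HTTP method, request body). Hostnames use the reserved .invalid TLD.
SAMPLE_LOGS = (
    '2026-01-10T09:00:01Z\t10.0.5.23\trpc.example-gateway.invalid\tPOST\t'
    '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER"},"latest"],"id":1}\n'
    '2026-01-10T09:05:02Z\t10.0.5.23\trpc.example-gateway.invalid\tPOST\t'
    '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER"},"latest"],"id":2}\n'
    '2026-01-10T09:10:03Z\t10.0.5.23\trpc.example-gateway.invalid\tPOST\t'
    '{"jsonrpc":"2.0","method":"eth_getLogs","params":[{}],"id":3}\n'
    '2026-01-10T09:11:00Z\t10.0.7.40\tapi.example-shop.invalid\tGET\t-\n'
    '2026-01-10T09:12:00Z\t10.0.9.9\trpc.example-gateway.invalid\tPOST\t'
    '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":9}\n'
)

def rpc_method(body):
    """Return the JSON-RPC 2.0 method name in an HTTP body, or None if not JSON-RPC."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    return msg.get("method")

def find_chain_polling(log_text, allowed_sources=frozenset(), min_hits=3):
    """Group chain-read RPC calls by source IP and return the sources that reach
    min_hits and are not allow-listed (e.g. known blockchain developer hosts)."""
    calls = defaultdict(lambda: {"hits": 0, "methods": set(), "hosts": set()})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash the sweep
        _ts, src, dst, http_method, body = fields
        if http_method != "POST":
            continue  # JSON-RPC is carried in POST bodies
        method = rpc_method(body)
        if method not in CHAIN_READ_METHODS:
            continue
        calls[src]["hits"] += 1
        calls[src]["methods"].add(method)
        calls[src]["hosts"].add(dst)
    return {src: {"hits": e["hits"], "methods": sorted(e["methods"]), "hosts": sorted(e["hosts"])}
            for src, e in calls.items() if src not in allowed_sources and e["hits"] >= min_hits}

if __name__ == "__main__":
    for src, info in find_chain_polling(SAMPLE_LOGS).items():
        print(f"{src}: {info['hits']} chain reads {info['methods']} via {info['hosts']}")
```

The threshold and allow-list are the tuning knobs: a single block-number query is noise, a workstation that reads the same contract every few minutes deserves a look.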

The Trend Micro Reminder

Meanwhile, Trend Micro patched two critical RCE vulnerabilities in Apex One this week. On the surface, this looks like business as usual – vendor finds bugs, vendor patches bugs, we all move on.

But when you consider it alongside the Cisco situation, it raises uncomfortable questions. How many other critical vulnerabilities are sitting in our security tools right now? The irony of having remote code execution flaws in endpoint protection software isn’t lost on anyone who’s been doing this work for a while.

What This Means for Our Approach

Here’s what I think we need to take away from all this. First, we need to get more comfortable with the idea that we’re already compromised. The Cisco zero-day proves that sophisticated attackers can live in our networks for years without us knowing. Our detection strategies need to assume breach, not try to prevent it.

Second, we need to start thinking about blockchain-based threats seriously. The Aeternum botnet won’t be the last to use this approach. We need new strategies for dealing with command-and-control infrastructure that we can’t simply shut down.

SecurityWeek had a piece this week about risks boards can’t ignore, and the key point resonates here: “The goal isn’t about preventing every attack but about keeping the business running when attacks succeed.”

That’s exactly right. We need to shift from a prevention-focused mindset to a resilience-focused one. Assume the Cisco zero-day is already in your network. Assume there’s a blockchain-based botnet you can’t take down targeting your users. Now what?

The answer isn’t more security tools – it’s better detection, faster response, and more robust recovery capabilities. It’s about building systems that can function even when they’re partially compromised, and teams that can respond effectively to threats they’ve never seen before.

We’re not losing the security game, but we are playing it wrong. Time to adjust our strategy.