Plenty happened this week. Most of it does not change your Monday. Two things should. Cisco's SD-WAN platform is under active attack again, and ransomware groups spent the week inside energy and manufacturing on both sides of the Atlantic. If you run remote sites, field operations or a plant, this is your brief.
SD-WAN is under active attack, again
The one to act on first is CVE-2026-20127, a CVSS 10.0 authentication flaw that gives a remote, unauthenticated attacker administrative access to the SD-WAN control plane. Five Eyes agencies and the Canadian Centre for Cyber Security (alert AL26-004) report rogue peers being added and access kept over the long term. On top of that, Cisco confirmed a new zero-day in Catalyst SD-WAN Manager (CVE-2026-20245) where a netadmin account can reach root through a crafted file upload, with configuration changes pushed down to edge devices in observed cases. That makes seven SD-WAN flaws exploited this year.
Here is why it matters for your environment. The controller is your branch connectivity, including the links into substations, remote sites and field operations. Those edge devices are part of your external attack surface whether you track them as such or not, and control of the controller is pre-positioning, the kind of quiet foothold espionage actors want. Confirm you are on a fixed release for CVE-2026-20127, lock netadmin behind phishing-resistant MFA, and read your configuration-change logs since mid-May for anything you cannot explain. Cisco points operators to the CVE-2026-20182 patches while a dedicated fix for the new zero-day lands.
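One way to do that configuration-change review, as an added example that is not from this brief or from Cisco: a small Python triage over constructed audit records in an assumed key=value format, flagging anything since 15 May made by a user outside an assumed operator allowlist, from outside an assumed management prefix, adding a peer, or pushing a high-risk change outside business hours.

```python
from datetime import datetime, timezone
# Constructed sample records in an assumed key=value format, not Cisco's own
# audit export; map your controller's real fields onto these before use.
SAMPLE_LOG = """\
2026-05-10T10:02:11Z user=alice action=config-push target=edge-03 src=10.20.0.15
2026-05-18T02:47:09Z user=netadmin action=peer-add target=controller src=198.51.100.77
2026-05-18T02:49:30Z user=netadmin action=config-push target=edge-07 src=198.51.100.77
2026-05-22T11:15:00Z user=bob action=config-push target=edge-12 src=10.20.0.16
2026-06-02T14:30:45Z user=svc-deploy action=template-attach target=edge-05 src=10.20.0.40
"""

REVIEW_SINCE = datetime(2026, 5, 15, tzinfo=timezone.utc)  # "since mid-May"
KNOWN_OPERATORS = {"alice", "bob"}                         # assumed allowlist
MGMT_NETWORKS = ("10.20.0.",)                              # assumed mgmt prefix
HIGH_RISK_ACTIONS = {"peer-add", "config-push", "template-attach"}

def parse_record(line):
    """Split one record into a dict; the timestamp becomes an aware datetime."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def flag_reasons(rec):
    """Return why a change needs a human to explain it (empty list if none)."""
    reasons = []
    if rec["ts"] < REVIEW_SINCE:
        return reasons  # outside the review window, not examined
    if rec["user"] not in KNOWN_OPERATORS:
        reasons.append("user not on operator allowlist")
    if not rec["src"].startswith(MGMT_NETWORKS):
        reasons.append("source outside management network")
    if rec["action"] == "peer-add":
        reasons.append("new peer added to control plane")
    if rec["action"] in HIGH_RISK_ACTIONS and not 8 <= rec["ts"].hour < 18:
        reasons.append("high-risk change outside business hours (UTC)")
    return reasons

def triage(log_text):
    """Return (record, reasons) pairs for every change that cannot be auto-cleared."""
    findings = []
    for line in log_text.splitlines():
        reasons = flag_reasons(parse_record(line))
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Anything the script flags still needs a change ticket or a named engineer behind it; the allowlist and window are tuning knobs, not verdicts.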
Ransomware came for energy and manufacturing
Qilin listed Trican Well Service, a major Alberta oilfield services company, on June 4. The group runs double extortion and has a track record in industrial targets. INC_RANSOM hit Stuga Machinery, a UK automation and machinery maker, and an automation supplier on a leak site is a supply-chain problem for every plant downstream of it.
The wider pattern is worth noting. Overall ransomware volumes are roughly flat year over year, but the activity is concentrating in the US, Germany, Canada, the UK and France, and the pool of active groups keeps fragmenting. Energy services and niche industrial suppliers sit squarely in that target set. The defensive work is the unglamorous kind: validate segmentation between corporate IT, field and OT, and your SD-WAN links, confirm you hold backups an intruder cannot reach, and treat your automation and OT vendors as high-value third parties rather than line items.
Also worth patching
CISA added a SolarWinds Serv-U denial-of-service flaw (CVE-2026-28318) to its KEV list this week. If you run managed file transfer in your DMZ, patch to 15.5.4 Hotfix 1 and block the deflate-encoded POST pattern at your proxy. A file-transfer server that can be crashed on demand usually feeds a lot of internal workflows.
The rest of the week's headlines included an e-commerce RCE and a run of healthcare breaches. Real and serious, just not the center of gravity for critical-infrastructure teams. The signal here is narrower and older than it looks: the network edge is the target, and the fastest win available is closing the gap between a fix that exists and a fix you have applied. Seeing which of those exposures actually reaches you, correlated with live threat intelligence rather than read about after the fact, is where the leverage is.