Window: 2026-05-08 → 2026-05-21 | Threats analysed: 6 | Average CVSS: 9.5 | CISA Emergency Directive: ED-26-03 | Maximum CVSS 10.0: 1 (Cisco SD-WAN)
Six pre-authentication, internet-facing remote-code-execution vulnerabilities landed across the entire perimeter stack inside one CISA Patch Tuesday window — an SD-WAN controller, an identity broker, a reverse proxy used by a third of the public web, the default Debian mail transport, two SAP HotNews, and a Drupal core SQLi. Cisco's UAT-8616 zero-day spawned the third CISA Emergency Directive of 2026 inside seventy-two hours. Exim "Dead.Letter" represents the first publicly disclosed LLM-assisted vuln-research-to-PoC pipeline. NGINX "Rift" surfaces eighteen years of dormant heap-overflow risk across CDN, ingress, and load-balancer deployments worldwide. Nation-state, ransomware-affiliate, and opportunistic scanning all converged on the perimeter at the same time.
This post correlates the six threats into a single architectural picture, traces the convergence across the perimeter stack, and ships production-ready SPL, KQL, and Sigma detections for every layer.
The Perimeter, Mapped
Executive Summary
- What: Six pre-authentication RCEs published 2026-05-08 → 2026-05-21 across the perimeter stack — Cisco SD-WAN CVE-2026-20182 (CVSS 10.0), Fortinet CVE-2026-44277 + CVE-2026-26083 (CVSS 9.8 twin), NGINX Rift CVE-2026-42945 (CVSS 9.2 v4.0), Exim Dead.Letter CVE-2026-45185 (CVSS 9.8), SAP HotNews CVE-2026-34263 + CVE-2026-34260 (CVSS 9.6), Drupal CVE-2026-9082 (CVSS 9.8 anon SQLi).
- Mandatory action: CISA Emergency Directive ED-26-03 — FCEB agencies must remediate Cisco SD-WAN within 7 days (deadline 2026-05-21).
- Novelty: Exim Dead.Letter is the first publicly disclosed LLM-assisted vuln-research-to-PoC pipeline (XBOW). NGINX Rift is the result of autonomous vulnerability discovery (DepthFirst). The patch cycle is now competing with autonomous research pipelines.
- Convergence: Nation-state (UAT-8616), opportunistic ransomware-affiliate scanners, and PoC-armed researchers all hitting the perimeter simultaneously.
- Detection: 54 production-ready detection rules across SPL, KQL, and Sigma — nine per threat.
Threat 1 — Cisco Catalyst SD-WAN CVE-2026-20182 (UAT-8616 zero-day)
TL-2026-0516 · CVSS 10.0 · CISA KEV + ED-26-03 · Exploitability: Active
On 2026-05-14, Cisco Talos disclosed ongoing in-the-wild exploitation of a previously unknown authentication-bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). The flaw carries the maximum CVSS v3.1 base score of 10.0. Talos attributes the campaign with HIGH confidence to UAT-8616 — the sophisticated actor previously linked to the CVE-2026-20127 exploitation (TL-2026-0145/0166/0236) and the CVE-2026-20122/20128/20133 chain (TL-2026-0185).
UAT-8616 operates an Operational Relay Box (ORB) network — a mesh of compromised SOHO routers, VPS instances, and small enterprise edges — used to obscure command infrastructure. Once authenticated as the high-privileged internal non-root user, the attacker pivots to NETCONF (TCP/830) to modify SD-WAN fabric configuration, inject SSH keys into /system/aaa/user[name='admin']/public-key, escalate to root, and insert rogue OMP peers. Rogue peers redirect branch traffic through attacker-controlled routers, enabling MITM interception of every branch transaction.
CISA issued Emergency Directive ED-26-03 the same day. There are no workarounds — only patched firmware mitigates. Upgrade to 20.6.7.4, 20.9.5.3, 20.12.3.2, or 20.15.1.1, restrict the management plane (HTTPS/443, NETCONF/830, SSH/22) to a dedicated management VLAN behind a jump host with MFA, force-rotate every controller credential, and audit /system/aaa/user/*/public-key entries plus NETCONF audit logs for unexpected <edit-config> operations targeting /vpn, /omp, or /policy.
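The NETCONF audit step above is easiest to apply mechanically. The following is an added example written for this post, not Cisco's or Threadlinqs' code: it parses a captured `<edit-config>` rpc body, flattens the `<config>` subtree into leaf paths (keyed list entries get a `[name='...']` predicate, matching the `/system/aaa/user[name='admin']/public-key` notation above), and flags any write under the watched prefixes. The `urn:example:sdwan-config` namespace and both sample rpcs are constructed placeholders, not the real Cisco YANG.

```python
"""Flag NETCONF <edit-config> payloads that touch the SD-WAN paths named above.

Added example (not Cisco's or Threadlinqs' code). It assumes the NETCONF audit
log preserves the raw <rpc> body; the sdwan-config namespace and the sample
payloads below are constructed placeholders, not real Cisco YANG.
"""
import re
import xml.etree.ElementTree as ET

# Config subtrees the post tells you to audit for unexpected <edit-config> writes.
WATCHED_PREFIXES = ("/system/aaa/user/public-key", "/vpn", "/omp", "/policy")


def _local(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _label(el: ET.Element) -> str:
    """Element name plus a [name='...'] predicate when the entry is a keyed list item."""
    key = next((c for c in el if _local(c.tag) == "name" and (c.text or "").strip()), None)
    return _local(el.tag) + (f"[name='{key.text.strip()}']" if key is not None else "")


def config_paths(rpc_xml: str) -> set[str]:
    """Return every leaf path written under <config> in an <edit-config> rpc."""
    root = ET.fromstring(rpc_xml)
    config = next((e for e in root.iter() if _local(e.tag) == "config"), None)
    paths: set[str] = set()
    if config is None:
        return paths

    def walk(el: ET.Element, prefix: str) -> None:
        children = list(el)
        if not children:
            paths.add(prefix)
            return
        for child in children:
            walk(child, f"{prefix}/{_label(child)}")

    for top in config:
        walk(top, f"/{_label(top)}")
    return paths


def flag_edit_config(rpc_xml: str) -> list[str]:
    """Paths from the rpc that fall under a watched prefix (predicates ignored for matching)."""
    hits = []
    for path in config_paths(rpc_xml):
        bare = re.sub(r"\[[^\]]*\]", "", path)
        if any(bare == p or bare.startswith(p + "/") for p in WATCHED_PREFIXES):
            hits.append(path)
    return sorted(hits)


# Constructed sample: an SSH key pushed onto admin plus a new OMP peer in one rpc.
SUSPICIOUS_RPC = """\
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target><running/></target>
    <config>
      <system xmlns="urn:example:sdwan-config">
        <aaa><user>
          <name>admin</name>
          <public-key><key-string>ssh-ed25519 AAAAC3CONSTRUCTED admin@example</key-string></public-key>
        </user></aaa>
      </system>
      <omp xmlns="urn:example:sdwan-config">
        <peer><address>10.0.0.99</address></peer>
      </omp>
    </config>
  </edit-config>
</rpc>
"""

# Constructed sample: routine hostname change, nothing under a watched prefix.
BENIGN_RPC = """\
<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target><running/></target>
    <config>
      <system xmlns="urn:example:sdwan-config"><host-name>branch-1</host-name></system>
    </config>
  </edit-config>
</rpc>
"""

if __name__ == "__main__":
    for label, rpc in (("suspicious", SUSPICIOUS_RPC), ("benign", BENIGN_RPC)):
        print(label, flag_edit_config(rpc))
```

Matching strips the `[name='...']` predicates so a key pushed onto any user is caught, while the reported path keeps them so the analyst sees which account was touched. Feed it every `<edit-config>` the audit log records since the campaign window and treat any hit from a source outside the management VLAN as an incident.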
Threat 2 — Fortinet FortiAuthenticator + FortiSandbox (twin 9.8 RCEs)
TL-2026-0503 · CVSS 9.8 each · FG-IR-26-128 / FG-IR-26-136 · Exploitability: Theoretical (KEV candidate)
On 2026-05-12, Fortinet PSIRT published two synchronized advisories disclosing CRITICAL unauthenticated RCE vulnerabilities in FortiAuthenticator (FG-IR-26-128 / CVE-2026-44277) and FortiSandbox plus its Cloud and PaaS variants (FG-IR-26-136 / CVE-2026-26083). Both carry CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — 9.8 — and both are pre-authentication.
This is a tier-0 identity-plane and inspection-plane compromise rolled into one Patch Tuesday. FortiAuthenticator handles RADIUS, LDAP proxy, certificate issuance, two-factor authentication tokens, FSSO collector, and SAML/OIDC federation for the Fortinet Security Fabric — compromise yields RADIUS bypass, SAML/OIDC token forgery, FortiToken seed disclosure, and certificate-authority abuse, mapping to T1556 (Modify Authentication Process), T1649 (Forge Auth Certificates), T1111 (MFA Interception), and T1550 (Use Alternate Auth Material).
FortiSandbox sits inline behind FortiGate, FortiMail, and FortiWeb to perform behavioural malware analysis. Compromise enables undetected malware delivery (the sandbox can be made to grade attacker payloads as benign) and behavioural-detection blind-spotting. Fortinet has 26 prior entries on the CISA KEV catalog — these two will almost certainly join shortly. Upgrade FortiAuthenticator to 8.0.3 / 6.6.9 / 6.5.7+; FortiSandbox on-prem to 5.0.2 / 4.4.9+; FortiSandbox Cloud to 5.0.6+; FortiSandbox PaaS to 5.0.2 / 4.4.9+. If immediate patching is impossible, restrict the FortiAuthenticator API via trustedhost and disable the FortiSandbox WEB UI listener (CLI/SSH-only management).
Threat 3 — NGINX "Rift" CVE-2026-42945 (18-year-old heap overflow)
TL-2026-0517 · CVSS v4.0 9.2 · Exploitability: Public PoC
On 2026-05-13, autonomous vulnerability discovery system DepthFirst disclosed CVE-2026-42945 — branded "NGINX Rift" — an unauthenticated heap-based buffer overflow in NGINX's ngx_http_rewrite_module. The bug exists in code dating to NGINX 0.6.27 (2009), making it an 18-year-old vulnerability sitting in the world's most widely deployed reverse proxy and web server (NGINX powers an estimated 33% of the public web by request volume).
The trigger is a specific configuration idiom: a rewrite directive followed by a rewrite, if, or set directive in the same scope, combined with an unnamed PCRE capture ($1, $2, ...) whose replacement string contains a literal question mark. A crafted HTTP request corrupts the heap of an NGINX worker. The deterministic outcome is a worker crash and denial-of-service; on hosts with ASLR disabled (embedded appliances, legacy containers, statically-linked builds), the outcome is full RCE. DepthFirst published a weaponized PoC at github.com/DepthFirstDisclosures/Nginx-Rift; the repo reached 433 stars and 77 forks within 24 hours.
F5 issued patches the same day as disclosure: NGINX OSS 1.31.0 / 1.30.1, NGINX Plus R36 P4 / R32 P6. Distro backports landed within 48 hours. Use the DepthFirst config auditor (nginx-rift-audit.py) to find affected rewrite chains; rewrite-with-named-capture ((?<name>...)) is the temporary workaround if you cannot patch immediately. The flaw cascades into NGINX Plus, NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect (WAF and DoS), NGINX Gateway Fabric, and NGINX Ingress Controller — meaning every Kubernetes ingress, every cloud WAF built on NGINX, and every CDN edge that hasn't patched is exposed.
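To see what a config audit for the trigger idiom actually has to check, here is an added example written for this post (it is not DepthFirst's nginx-rift-audit.py and makes no claim about that tool's logic). It tokenizes an nginx.conf, tracks block scope, and reports each `rewrite` whose replacement references an unnamed capture and contains a literal `?` when a later `rewrite`, `if`, or `set` sits in the same block. The vulnerable and named-capture configs are constructed samples.

```python
"""Static audit for the NGINX Rift trigger idiom described above.

Added example, written for this post; it is not DepthFirst's nginx-rift-audit.py.
It flags a `rewrite` whose replacement references an unnamed capture ($1, $2, ...)
and contains a literal '?', when a later rewrite / if / set directive sits in
the same scope. The sample configs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator

# One token: quoted string, block/statement punctuation, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
UNNAMED_CAPTURE_REF = re.compile(r"\$\d+")
FOLLOW_UP_DIRECTIVES = {"rewrite", "if", "set"}


@dataclass
class Finding:
    scope: str         # e.g. "server > location /old"
    line: int          # line of the offending rewrite
    replacement: str   # its replacement string


def _strip_comments(conf: str) -> str:
    # A '#' only opens a comment at the start of a token; keep newlines for line numbers.
    return re.sub(r"(^|\s)#[^\n]*", r"\1", conf, flags=re.M)


def parse_directives(conf: str) -> Iterator[tuple[int, str, int, str, list[str]]]:
    """Yield (block_id, scope_label, line, name, args) for each directive in file order.

    A block opener (server, location, if ...) is yielded in its enclosing block
    before its body is entered, so `if` counts as a follow-up directive there.
    """
    text = _strip_comments(conf)
    stack: list[tuple[int, str]] = []   # (block_id, label); block 0 is the file top level
    next_id = 1
    current: list[str] = []
    start_line = 0
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if not current:
            start_line = text.count("\n", 0, m.start()) + 1
        if tok == "{":
            name, *args = current or ["<anonymous>"]
            block_id = stack[-1][0] if stack else 0
            yield block_id, " > ".join(label for _, label in stack), start_line, name, args
            stack.append((next_id, " ".join([name, *args])))
            next_id += 1
            current = []
        elif tok == "}":
            if stack:
                stack.pop()
            current = []
        elif tok == ";":
            if current:
                name, *args = current
                block_id = stack[-1][0] if stack else 0
                yield block_id, " > ".join(label for _, label in stack), start_line, name, args
            current = []
        else:
            current.append(tok.strip("\"'"))


def audit(conf: str) -> list[Finding]:
    """Return a Finding for every rewrite that matches the Rift trigger idiom."""
    blocks: dict[int, list[tuple[str, int, str, list[str]]]] = {}
    for block_id, scope, line, name, args in parse_directives(conf):
        blocks.setdefault(block_id, []).append((scope, line, name, args))
    findings = []
    for directives in blocks.values():
        for i, (scope, line, name, args) in enumerate(directives):
            if name != "rewrite" or len(args) < 2:
                continue
            replacement = args[1]
            if not (UNNAMED_CAPTURE_REF.search(replacement) and "?" in replacement):
                continue
            if any(n in FOLLOW_UP_DIRECTIVES for _, _, n, _ in directives[i + 1:]):
                findings.append(Finding(scope, line, replacement))
    return findings


# Constructed sample: one location hits the idiom, the other has no follow-up directive.
VULNERABLE_CONF = """\
server {
    listen 80;
    location /old {
        rewrite ^/old/(.*)$ /new/$1?ref=legacy last;   # unnamed capture + '?' ...
        set $legacy 1;                                  # ... followed by set: trigger idiom
    }
    location /alone {
        rewrite ^/alone/(.*)$ /new/$1?x=1 last;         # nothing follows: not the idiom
    }
}
"""

# Constructed sample: the named-capture workaround from the post.
HARDENED_CONF = """\
server {
    listen 80;
    location /old {
        rewrite ^/old/(?<slug>.*)$ /new/$slug?ref=legacy last;
        set $legacy 1;
    }
}
"""

if __name__ == "__main__":
    for f in audit(VULNERABLE_CONF):
        print(f"line {f.line} [{f.scope}]: {f.replacement}")
    print("hardened findings:", audit(HARDENED_CONF))
```

Scope is keyed by block identity rather than by label, so two `location /old` blocks in different `server` blocks are never merged. The auditor is a triage aid for finding rewrite chains to patch or convert; it does not reproduce the overflow, and a clean result is not a substitute for the F5 fix.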
Threat 4 — Exim "Dead.Letter" CVE-2026-45185 (first AI-assisted CVE PoC)
TL-2026-0513 · CVSS 9.8 · Exploitability: Public PoC (XBOW)
On 2026-05-12 the autonomous AI-driven offensive-research team at XBOW (Federico Kirschbaum and Andres Luksenberg) disclosed CVE-2026-45185 — "Dead.Letter" — a pre-authentication use-after-free in the Exim MTA. Exim is the default mail transport on Debian and Ubuntu and the most widely deployed Internet MTA globally.
The bug lives at the intersection of Exim's BDAT/CHUNKING receive path and GnuTLS shutdown handling. Under a precisely-shaped TCP/TLS sequence — TLS close_notify alert sent during an active BDAT transfer, followed by a single cleartext byte on the same TCP connection — Exim's nested BDAT receive wrapper retains a stale pointer to state->xfer_buffer that has already been freed by GnuTLS teardown. The follow-up ungetc() writes a single newline (0x0A) byte into the freed allocation. That allocation lies in glibc's tcache/fastbin range; the write reliably lands on allocator metadata, providing the foothold for heap-shaping primitives. XBOW achieved ASLR-enabled full RCE using a chain seeded entirely by this single-byte overwrite.
What makes Dead.Letter notable beyond its severity: XBOW publicly described their methodology as a vuln-research-to-PoC pipeline driven by an autonomous offensive-AI system. The defect was identified, root-caused, exploit-primitive-developed, and weaponized end-to-end by their internal AI agent system before human review. This is — by their own framing and the dating — the first publicly disclosed CVE whose end-to-end research path was AI-assisted. Patch cadence is now competing not with human researcher capacity but with autonomous research pipelines that run 24/7.
The vulnerability affects Exim 4.97 → 4.99.2 with USE_GNUTLS=yes — the default on Debian, Ubuntu, and Debian-derived distributions. OpenSSL-linked builds (RHEL/SUSE) are not vulnerable. Fixed in Exim 4.99.3 (2026-05-12), Debian DSA-6265-1, Ubuntu USN-7100-1. Temporary workaround if you cannot upgrade: chunking_advertise_hosts = : in exim.conf (breaks RFC 3030 CHUNKING). Threadlinqs honeypots observed a BDAT-capability probe surge on TCP/25 within 24 hours of disclosure.
Threat 5 — SAP HotNews CVE-2026-34263 / CVE-2026-34260
TL-2026-0501 · CVSS 9.6 each · Exploitability: Theoretical · 15 SAP security notes total
SAP's May 2026 Security Patch Day (2026-05-12) addressed 15 security notes, headlined by two HotNews CRITICAL vulnerabilities both rated 9.6:
- CVE-2026-34263 — SAP Commerce Cloud unauthenticated RCE (SAP Note 3733064). Root cause: overly permissive Spring Security configuration with improper rule ordering — a permitAll rule evaluated before a requiresAuthentication rule, causing authentication checks to be bypassed entirely. The Hybris Administration Console's Groovy scripting engine and ImpEx import functionality are the high-value post-bypass targets.
- CVE-2026-34260 — SAP S/4HANA Enterprise Search SQL injection (SAP Note 3724838). Authenticated attacker reads sensitive data and disrupts availability via the ABAP Enterprise Search interface; SQL meta-characters (UNION SELECT, OR 1=1, --) injected into ESH_SEARCH / TREX_SEARCH function-module parameters.
- CVE-2026-34259 (companion, CVSS 8.2) — SAP Forecasting and Replenishment OS command injection (SAP Note 3732471).
Affected platforms include HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21 (Commerce Cloud), and SAP_BASIS 751 → 758, 816 (S/4HANA). Apply the SAP Notes, restrict HAC to trusted admin IPs only, disable HAC Groovy scripting if not required, and watch SM20 audit logs + DB02 monitoring for SQL meta-character injection patterns in Enterprise Search RFC/HTTP traffic.
Threat 6 (adjacent) — Drupal SA-CORE-2026-004 (anonymous PostgreSQL SQLi)
TL-2026-0542 · CVSS 9.8 · Drupal risk 20/25 · Exploitability: Public PoC anticipated
On 2026-05-20 the Drupal Security Team published SA-CORE-2026-004, assigning CVE-2026-9082, after a two-day pre-disclosure window (PSA-2026-05-18). The advisory describes an unauthenticated SQL injection in Drupal core's Database Abstraction API affecting only sites backed by PostgreSQL. The flaw scores 20/25 on Drupal's NIST-derived risk model.
Reported by independent researcher Michael Maturi, the defect is PostgreSQL-driver-specific: the abstraction layer's quoting / placeholder handling fails to neutralize a class of input only when the active driver is pgsql. MySQL and MariaDB sites are unaffected. Drupal pre-warned the community via PSA-2026-05-18 that exploits were expected within hours of disclosure — consistent with the Drupalgeddon (CVE-2014-3704) and Drupalgeddon 2 (CVE-2018-7600) historical patterns. Patches landed for all supported branches (11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10), and hotfixes were issued even for EOL 8.9 and 9.5.
This is adjacent to the perimeter cluster rather than core to it — the SQLi requires the site already be reachable from the internet — but the exploitation profile (anonymous, time-zero, mass-scannable) aligns perfectly with the surge. Subscribe to Drupal Steward for advance virtual-patching, restrict PostgreSQL role permissions (deny COPY ... FROM PROGRAM, deny superuser), and front affected sites with a WAF rule blocking UNION SELECT, pg_sleep, comment sequences, and trailing semicolons on /search, /node/*, /jsonapi/*, /entity/*, and exposed view filters.
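The WAF rule described above for Drupal, and the SQL meta-character watch the SAP section asks for on Enterprise Search traffic, come down to the same request screen. The block below is an added example for this post, not a Drupal Steward rule or an SAP-supplied check: it percent-decodes path and query repeatedly (so double-encoded probes are seen in the clear), applies the check only on the listed Drupal paths (pass a different list for S/4HANA endpoints), and reports which of the named patterns hit. The sample requests are constructed.

```python
"""Request-level SQL meta-character screen for the Drupal paths listed above
(also usable in front of the S/4HANA Enterprise Search endpoints from Threat 5).

Added example for this post, not a Drupal Steward or SAP rule. It decodes
percent-encoding repeatedly so double-encoded probes are seen in the clear,
then applies the patterns the post names only on the protected paths. Sample
requests are constructed.
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote_plus, urlsplit

# Paths the post says to front with the rule; '*' in fnmatch also matches '/'.
DRUPAL_PROTECTED_PATHS = ["/search", "/search/*", "/node/*", "/jsonapi/*", "/entity/*"]

SQLI_PATTERNS = {
    "union_select": re.compile(
        r"\bunion\b(\s|/\*.*?\*/)+(all(\s|/\*.*?\*/)+)?select\b", re.I | re.S
    ),
    "pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
    "or_tautology": re.compile(r"\bor\b\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')", re.I),
    "sql_comment": re.compile(r"--(\s|$)|/\*"),
    "stacked_query": re.compile(r";\s*$"),
}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so %2527 becomes '."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(url: str, protected_paths=DRUPAL_PROTECTED_PATHS) -> list[str]:
    """Return the names of the patterns hit by a request, [] if it should pass.

    Only path and query are inspected, and only on the protected paths.
    """
    parts = urlsplit(url)
    path = normalize(parts.path)
    if not any(fnmatchcase(path, pattern) for pattern in protected_paths):
        return []
    haystack = path + "?" + normalize(parts.query)
    return sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(haystack))


# Constructed sample requests, from benign to double-encoded probe.
SAMPLE_REQUESTS = [
    "/search/node?keys=drupal%20security",                                  # benign search
    "/node/12?sort=id%20UNION%20SELECT%20pass%20FROM%20users_field_data",   # UNION probe
    "/jsonapi/node/article?filter%5Btitle%5D=x%2527%2520OR%25201%253D1--",  # double-encoded
    "/entity/user/1?delay=1%20AND%20pg_sleep(5)",                           # time-based probe
    "/about?q=1%20UNION%20SELECT%202",                                      # unprotected path
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(inspect_request(url) or "pass", url)
```

The double-decoding loop is the part worth keeping even if the pattern list changes: a single `unquote` sees `%2527` as the harmless text `%27`, and a rule that only matches on raw bytes misses it entirely. Log the hit names with the request so that tuning can tell a genuine `pg_sleep(` probe from a slug that happens to contain `--`.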
Cross-Threat MITRE Coverage
Six threats, one converging MITRE pattern: Exploit Public-Facing Application → Web Shell or NETCONF persistence → Credential Access / Account Manipulation → Lateral / Impact.
| Technique | Where it appears |
|---|---|
| T1190 Exploit Public-Facing Application | All six — entry vector |
| T1595.002 Vulnerability Scanning | All six — pre-exploit recon |
| T1505.003 Server Software Component: Web Shell | Cisco, Fortinet, SAP, Drupal |
| T1098.004 Account Manipulation: SSH Authorized Keys | Cisco SD-WAN (NETCONF push) |
| T1059.008 Network Device CLI | Cisco SD-WAN (vshell) |
| T1556 Modify Authentication Process | Fortinet FortiAuthenticator |
| T1649 Steal or Forge Auth Certificates | Fortinet FortiAuthenticator |
| T1111 Multi-Factor Authentication Interception | Fortinet FortiAuthenticator (FortiToken seeds) |
| T1499.004 Application Exhaustion / Service Stop | NGINX Rift (worker crash storm) |
| T1114.001 Local Email Collection | Exim Dead.Letter |
| T1557 Adversary-in-the-Middle | Cisco SD-WAN (rogue OMP peer) |
| T1070.002 Clear Linux/Mac System Logs | Cisco SD-WAN (audit-log truncation) |
Detection
Each threat ships with 9 production-ready rules on the Threadlinqs Intelligence platform — 54 detection queries across this cluster. The three below cover the highest-fidelity behaviors.
Splunk SPL — Cisco SD-WAN unauthenticated /dataservice success
```spl
index=netflow OR sourcetype=nginx_access OR sourcetype=vmanage_access
(dest_app="vmanage" OR dest_port IN (443) OR uri_path="*/dataservice/*")
http_method=POST
| rex field=request_headers "Authorization:\s*(?<auth_header>[^\r\n]*)"
| eval has_jsessionid=if(match(_raw, "JSESSIONID="), 1, 0)
| eval no_j_security=if(NOT match(_raw, "/j_security_check"), 1, 0)
| where http_status IN (200, 302) AND has_jsessionid=1 AND no_j_security=1
| stats count, values(src_ip) AS sources, values(uri_path) AS paths by host, _time
| where count >= 1
```
Microsoft KQL — Exim Dead.Letter BDAT-during-close_notify
```kql
// Linux EDR or Zeek smtp.log forwarded into Sentinel/Defender
Syslog
| where Facility == "mail" or ProcessName == "exim4" or ProcessName == "exim"
| where SyslogMessage has_any ("BDAT", "tls: read failure", "received BDAT", "use after free")
| extend Crash = SyslogMessage has_any ("SIGSEGV", "received signal 11", "ALERT")
| where Crash or SyslogMessage matches regex @"BDAT.+(close_notify|tls.*alert)"
| project TimeGenerated, Computer, ProcessName, SyslogMessage
| order by TimeGenerated desc
```
Sigma — NGINX worker crash storm (Rift exploitation signature)
```yaml
title: NGINX Worker Process Crash Storm — Rift Exploitation Signature
id: 4c2a8e9f-1d6b-4f2c-9a3e-7b8c5d2a1f6e
status: experimental
description: Detects rapid SIGSEGV crash + respawn cycles in NGINX worker processes consistent with active exploitation of CVE-2026-42945 (NGINX Rift, ngx_http_rewrite_module heap overflow). Worker death + immediate respawn from a parent NGINX master in tight succession indicates either DoS or attempted RCE on ASLR-disabled hosts.
references:
  - https://depthfirst.com/nginx-rift
  - https://my.f5.com/manage/s/article/K000161019
  - https://intel.threadlinqs.com/threat/TL-2026-0517
logsource:
  category: process_termination
  product: linux
detection:
  selection_proc:
    Image|endswith: '/nginx'
    ExitSignal: 'SIGSEGV'
  selection_log:
    LogSource: 'nginx_error_log'
    Message|contains:
      - 'worker process exited on signal 11'
      - 'worker process exited on signal 6'
  timeframe: 5m
  condition: (selection_proc or selection_log) | count() by ParentImage > 5
fields:
  - SourceIp
  - ParentImage
  - ProcessName
  - ProcessExitTime
level: high
tags:
  - attack.impact
  - attack.t1499.004
  - attack.t1489
```
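For hosts where the error.log is the only signal (no EDR process-termination telemetry), the same storm logic can run directly over the log. This is an added example for this post, not one of the Threadlinqs rules: it parses the stock NGINX `[alert] <master>#<tid>: worker process <pid> exited on signal <n>` lines, keeps a sliding window per master PID, and raises one alert when more than five crashes land inside five minutes, matching the Sigma thresholds above. The log lines are constructed.

```python
"""Crash-storm detector over NGINX error.log lines, the log-side counterpart of
the Sigma rule above. Added example for this post, not a Threadlinqs rule.
The error.log lines below are constructed; the line format ("[alert] <master>#<tid>:
worker process <pid> exited on signal <n>") is the stock NGINX one.
"""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] (?P<master>\d+)#\d+: "
    r"worker process (?P<worker>\d+) exited on signal (?P<sig>\d+)"
)
CRASH_SIGNALS = {"11", "6"}   # SIGSEGV and SIGABRT, as in the Sigma selection_log


@dataclass
class Alert:
    master_pid: str
    first_crash: datetime
    last_crash: datetime
    count: int


def parse_crash(line: str):
    """Return (timestamp, master_pid, worker_pid) for a crash line, else None."""
    m = LINE_RE.match(line)
    if not m or m["sig"] not in CRASH_SIGNALS:
        return None
    return datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["master"], m["worker"]


def detect_crash_storms(lines, window=timedelta(minutes=5), threshold=5) -> list[Alert]:
    """Alert when more than `threshold` worker crashes of one master fall inside `window`.

    A sliding window per master PID keeps memory bounded; the alert fires on the
    crash that crosses the threshold, so a sustained storm raises one alert rather
    than one per subsequent line.
    """
    recent: dict[str, deque] = {}
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_crash(line)
        if parsed is None:
            continue
        ts, master, _worker = parsed
        q = recent.setdefault(master, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold + 1:
            alerts.append(Alert(master, q[0], ts, len(q)))
    return alerts


# Constructed error.log excerpt: master 1234 loses six workers in under three
# minutes; master 9999 sees a graceful exit and two crashes an hour apart.
SAMPLE_ERROR_LOG = """\
2026/05/14 09:58:10 [notice] 1234#0: signal 17 (SIGCHLD) received from 5001
2026/05/14 09:58:10 [alert] 1234#0: worker process 5001 exited on signal 11
2026/05/14 09:58:12 [notice] 1234#0: start worker process 5002
2026/05/14 09:58:30 [alert] 1234#0: worker process 5002 exited on signal 11
2026/05/14 09:59:05 [alert] 1234#0: worker process 5003 exited on signal 11
2026/05/14 09:59:40 [alert] 1234#0: worker process 5004 exited on signal 11
2026/05/14 10:00:15 [alert] 1234#0: worker process 5005 exited on signal 6
2026/05/14 10:00:50 [alert] 1234#0: worker process 5006 exited on signal 11
2026/05/14 10:01:00 [notice] 9999#0: worker process 7001 exited on signal 15
2026/05/14 10:30:00 [alert] 9999#0: worker process 7002 exited on signal 11
2026/05/14 11:30:00 [alert] 9999#0: worker process 7003 exited on signal 11
"""

if __name__ == "__main__":
    for a in detect_crash_storms(SAMPLE_ERROR_LOG.splitlines()):
        print(f"master {a.master_pid}: {a.count} crashes {a.first_crash:%H:%M:%S}-{a.last_crash:%H:%M:%S}")
```

Keying on the master PID rather than the host matters on boxes that run several NGINX instances (ingress controller plus a sidecar, for example): a storm in one of them should not be diluted by a healthy neighbour. Signal 15 and `exited with code` lines are deliberately ignored so that reloads and graceful shutdowns never count toward the threshold.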
Indicators of Compromise
| Type | Value | Threat / Context |
|---|---|---|
| IP | 185.196.9.156 | UAT-8616 first-hop ORB relay (Chang Way AS57523), Cisco SD-WAN exploitation |
| IP | 194.169.175.42 | UAT-8616 staging VPS (Hosting Solution Ltd AS207713) |
| IP | 45.155.91.118 | UAT-8616 NETCONF SSH-key push relay |
| IP | 91.219.236.89 | UAT-8616 rogue OMP peer endpoint |
| Domain | sdwan-update.cdn-pkg[.]net | UAT-8616 staging payload host |
| File path | /tmp/.x | UAT-8616 local privilege-escalation staging |
| File path | /var/lib/vmanage/customer/template/feature/_uat_persist.xml | UAT-8616 SD-WAN feature-template persistence |
| Behavior | POST to /dataservice/* producing X-Auth-Token without /j_security_check | Cisco SD-WAN auth-bypass primitive |
| Behavior | TLS close_notify during active BDAT + cleartext byte | Exim Dead.Letter exploit primitive |
| Behavior | NGINX worker SIGSEGV burst + immediate respawn | NGINX Rift exploitation signature |
| URL | /hac/console/scripting/execute | SAP Commerce Cloud HAC Groovy RCE endpoint |
| URL | /hac/impex/import with embedded groovy: / jndi: | SAP Commerce ImpEx injection |
| SQL | UNION SELECT / pg_sleep( / COPY ... FROM PROGRAM | Drupal PostgreSQL SQLi probes |
| PoC URL | github.com/DepthFirstDisclosures/Nginx-Rift | NGINX Rift weaponizable PoC repository |
The Bigger Picture — Patch Cycle vs Autonomous Research
Two of these six disclosures — NGINX Rift and Exim Dead.Letter — are not products of conventional human security research. They are outputs of autonomous vulnerability-discovery and exploit-development pipelines (DepthFirst and XBOW respectively). That changes the economics of the patching arms race in a measurable way.
Historically, the time from CVE disclosure to weaponization has tracked the time it takes for a competent attacker to read the advisory, locate the vulnerable code path, reverse-engineer the patch, and write an exploit — typically days to weeks for non-trivial bugs. PraisonAI (from the AI-stack cluster) clocked in at 3 hours 44 minutes. NGINX Rift's PoC repo had 433 stars within 24 hours. XBOW developed Dead.Letter end-to-end with autonomous AI agents before coordinated disclosure even started. The patch cycle is no longer competing with a human reverse engineer reading the diff — it is competing with always-on systems that read the diff in seconds and write the PoC in minutes.
The defensive implications: same-day triage is no longer a stretch goal; it is the new baseline. Same-day Patch Tuesday SLA is what separates organisations that get hit from organisations that do not.
Why Cisco UAT-8616 Is the Story Underneath the Story
The single highest-priority item in this cluster is not the dramatic 18-year-old NGINX bug or the AI-assisted Exim disclosure. It is UAT-8616's third documented exploitation of a Cisco SD-WAN management-plane vulnerability in five months — CVE-2026-20127, the CVE-2026-20122/20128/20133 chain, and now CVE-2026-20182. This is not opportunistic scanning. This is a sustained, capability-led, edge-targeting campaign with a confirmed track record and an Operational Relay Box network purpose-built to obscure command infrastructure.
SD-WAN controllers are tier-0: compromise grants attacker-controlled fabric configuration, branch-traffic MITM, and east-west pivot into customer routing. The same posture you apply to your identity provider — strict management-plane segmentation, MFA-protected jump hosts, source-IP allow-lists, NETCONF audit-log streaming to SIEM, regular fabric certificate rotation — needs to apply to SD-WAN management. The CISA Emergency Directive ED-26-03 codifies this for FCEB agencies; everyone else should treat it as their own deadline.
Action Items
- Immediate (24-48 hr): Apply Cisco SD-WAN patches (20.6.7.4 / 20.9.5.3 / 20.12.3.2 / 20.15.1.1); apply Fortinet FortiAuth + FortiSandbox patches; apply NGINX 1.31.0 / 1.30.1 / R36 P4 / R32 P6; upgrade Exim to 4.99.3 (or Debian DSA-6265-1 / Ubuntu USN-7100-1); apply SAP Notes 3733064 + 3724838 + 3732471; upgrade Drupal to 11.3.10 / 10.6.9 / 10.5.10 / 10.4.10.
- Network: Restrict every management plane (HTTPS/443, SSH/22, NETCONF/830) to dedicated management VLAN behind MFA-protected jump host. Block external access to FortiAuthenticator API, FortiSandbox WEB UI, SAP HAC, and Drupal admin paths.
- IOC blocks: Block UAT-8616 infrastructure (185.196.9.156, 194.169.175.42, 45.155.91.118, 91.219.236.89, sdwan-update.cdn-pkg[.]net) and known KEV-listed adjacent infrastructure.
- Audit: Hunt for SSH-key entries in /system/aaa/user/*/public-key; review NETCONF audit logs for <edit-config> against /vpn, /omp, /policy; rotate FortiAuthenticator-managed secrets (RADIUS, LDAP bind, SAML/OIDC signing keys, FortiToken seeds); check Exim paniclog for BDAT-during-close_notify crashes since 2026-04-01; check NGINX error.log for worker SIGSEGV bursts.
- Detect: Deploy the 54 SPL / KQL / Sigma rules on the platform. Set up worker-crash-rate alerting for NGINX; SQL meta-character WAF rules for Drupal and S/4HANA; outbound NETCONF anomaly detection for SD-WAN.
- Process: 24-hour Patch Tuesday triage SLA; 72-hour patch SLA on HotNews / KEV-listed CVEs; subscribe to Drupal Steward, Fortinet PSIRT, Cisco PSIRT, SAP Security Patch Day, and F5 advisory feeds for advance warning.
This post correlates six threats from the Threadlinqs Intelligence platform. Full IOC sets, MITRE technique chains, and 54 production detection rules are available via the threat-detail pages linked above.