The Shadowserver Foundation

Cisco SD-WAN incidents: we are sharing information on identified Cisco SD-WAN instances in Device ID reporting - https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/

We see over 5.5K Cisco SD-WAN IPs (control plane) (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&model=cisco+sd-wan+%28peering%29&data_set=count&scale=log), & over 270 management interfaces (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&type=device-management&model=cisco+sd-wan&data_set=count&scale=log)

We are also sharing SSH port 830 data in our Accessible SSH reporting - this includes potential NETCONF instances https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssh-report/

Around 90K SSH instances seen exposed on that port, but this includes the generic SSH population (NETCONF uses SSH).

Background: https://www.ncsc.gov.uk/news/exploitation-cisco-catalyst-sd-wans

https://blog.talosintelligence.com/uat-8616-sd-wan/

https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide

#CyberCivilDefense

Feb 27 at 2:51pm