Surges in Cisco Exploitation Activity Precede CVE-2026-20127 Disclosure

Severity: High (Score: 69.8)

Sources: Cyberscoop, Greynoise

Summary

Before the public disclosure of CVE-2026-20127 on February 25, 2026, GreyNoise observed eight distinct surges of Cisco-targeting activity, with the earliest occurring 39 days prior to the advisory. This CVE has a CVSS score of 10.0 and is linked to a critical vulnerability affecting Cisco systems. The study tracked 147.8 million sessions across 18 network infrastructure vendors over 103 days, identifying 68 pre-disclosure surges related to 33 CVEs. The mean time-to-exploit for vulnerabilities has reportedly gone negative, indicating that attackers are exploiting vulnerabilities before they are publicly disclosed. Mandiant's M-Trends 2026 report corroborates this trend, revealing that nearly 29% of known exploited vulnerabilities in 2025 were exploited on or before their publication date. This pattern suggests a significant gap in traditional vulnerability management practices, emphasizing the need for proactive monitoring and response strategies. Key Points: • CVE-2026-20127 is a critical zero-day vulnerability with a CVSS score of 10.0. • GreyNoise detected Cisco-targeting activity surges up to 39 days before the CVE advisory. • 28.96% of known exploited vulnerabilities in 2025 were exploited on or before their publication date.

Key Entities

• Zero-day Exploit (attack_type)
• Cisco (company)
• CVE-2026-20127 (cve)