Cisco SD-WAN Zero-Day Exploited Months Before Patching


Google’s Mandiant team has detailed the in-the-wild exploitation of a Cisco Catalyst SD-WAN vulnerability that was abused as a zero-day for months before its public disclosure.

The vulnerability, tracked as CVE-2026-20245, is the seventh Cisco SD-WAN product flaw whose exploitation has come to light in 2026.

CVE-2026-20245 affects the CLI of Cisco Catalyst SD-WAN Manager and allows an authenticated local attacker to execute arbitrary commands with root privileges using specially crafted files.

The security hole was disclosed by Cisco in early June, and patches were released roughly one week later.

Mandiant’s investigation began in early 2026 after observing an unidentified threat actor targeting SD-WAN infrastructure at a service provider.

The attacker established initial access to an SD-WAN Manager instance via SSH in March 2026. They then exploited CVE-2026-20245 to escalate privileges to root.


According to Mandiant, the same victim’s SD-WAN Manager systems were previously targeted — either by...

Copyright of this story solely belongs to securityweek.com.
