The cybersecurity landscape has been shaken by the revelation of a significant vulnerability within Cisco's Catalyst SD-WAN systems. Tracked as CVE-2026-20245, this zero-day flaw allowed attackers to execute arbitrary commands with root privileges on the SD-WAN Manager, posing a severe risk to affected systems. Cisco disclosed the vulnerability in early June, but it had already been exploited for months before patches were available. The issue impacts the command-line interface of Cisco Catalyst SD-WAN Manager, where authenticated local attackers could use specially crafted files to gain unauthorized root access.
Mandiant, a cybersecurity firm under Google's umbrella, uncovered the exploitation during an investigation that began in early 2026. They discovered that an unidentified threat actor had compromised an SD-WAN infrastructure at a service provider using this vulnerability. The attack was initiated in March 2026 when the attacker accessed an SD-WAN Manager instance via SSH using the 'vmanage-admin' account. The attacker then escalated privileges to root by exploiting CVE-2026-20245. Mandiant noted that the same victim's systems were previously targeted, possibly through other zero-day vulnerabilities like CVE-2026-20127 or CVE-2026-20182.
The threat actor cleverly masked their tracks by altering system configurations and deleting evidence of their actions, reducing the likelihood of detection. This incident highlights the growing trend among threat actors to exploit network appliances to circumvent traditional security defenses. As software-defined networking becomes more prevalent, the systems managing these networks are increasingly attractive targets for attackers. Organizations must remain vigilant and implement robust security measures to protect against such sophisticated threats.
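The intrusion described above began with an interactive SSH login as the 'vmanage-admin' account, followed by escalation to root and then deliberate removal of evidence. One practical defensive response is to review the authentication records that survive on the manager and on any central syslog collector for privileged logins that do not fit normal operations. The script below is an added example and is not code from the article, Cisco, or Mandiant; it assumes OpenSSH-style "Accepted/Failed" syslog lines (the sample lines are constructed for illustration), and the allowlist of management jump hosts and the set of privileged account names are placeholders you would replace with values from your own inventory.

```python
import re

# Constructed sample auth-log lines in OpenSSH syslog style. They are illustrative
# only and are not taken from the article or from a real SD-WAN Manager instance.
SAMPLE_AUTH_LOG = """\
Mar 03 01:12:44 sdwan-mgr sshd[2101]: Accepted publickey for vmanage-admin from 10.20.0.5 port 50210 ssh2
Mar 03 02:40:09 sdwan-mgr sshd[2188]: Accepted password for vmanage-admin from 198.51.100.77 port 41120 ssh2
Mar 03 02:41:30 sdwan-mgr sshd[2190]: Failed password for root from 198.51.100.77 port 41131 ssh2
Mar 03 03:15:02 sdwan-mgr sshd[2250]: Accepted publickey for netops from 10.20.0.9 port 50333 ssh2
"""

# Hypothetical allowlist of management jump hosts and the accounts considered privileged.
# Both are assumptions for this example; source them from your own environment in practice.
MANAGEMENT_HOSTS = {"10.20.0.5", "10.20.0.9"}
PRIVILEGED_ACCOUNTS = {"vmanage-admin"}

# Matches the common OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2" form
# and its "Failed ..." counterpart.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Parse sshd authentication lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(text, allowed_hosts=MANAGEMENT_HOSTS, privileged=PRIVILEGED_ACCOUNTS):
    """Return (timestamp, user, source, reason) tuples for accepted logins worth reviewing.

    Two checks are applied to successful logins on privileged accounts:
      - the source address is not a known management host
      - password authentication was used instead of a key
    """
    alerts = []
    for ev in parse_auth_log(text):
        if ev["result"] != "Accepted" or ev["user"] not in privileged:
            continue
        reasons = []
        if ev["src"] not in allowed_hosts:
            reasons.append("privileged account from non-management host")
        if ev["method"] == "password":
            reasons.append("password auth on privileged account")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["src"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for ts, user, src, reason in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{ts} {user} from {src}: {reason}")
```

Because the attacker in this case removed local evidence, run the same check against logs forwarded off-box rather than only against what remains on the manager; a privileged login that appears in the collector but not in the local log is itself a finding.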