# Months of Exploitation: Cisco SD-WAN Zero-Day Uncovered

*Published June 26, 2026*
*Source: [https://www.securityweek.com/cisco-sd-wan-zero-day-exploited-months-before-patching/](https://www.securityweek.com/cisco-sd-wan-zero-day-exploited-months-before-patching/)*

## Executive Summary

A zero-day vulnerability in Cisco's Catalyst SD-WAN Manager, tracked as CVE-2026-20245, was exploited by attackers for months before being patched. The incident underscores the importance of rapid detection and mitigation strategies to protect against increasingly targeted network appliance attacks.

## Article

A significant vulnerability in Cisco's Catalyst SD-WAN Manager, identified as CVE-2026-20245, was exploited for months before a patch was available. This zero-day flaw, which allows an authenticated local attacker to execute commands with root privileges, was initially discovered by Google's Mandiant team. The vulnerability was one of a series of similar flaws affecting Cisco's SD-WAN products throughout 2026.

Mandiant's investigation into this issue began after a service provider's SD-WAN infrastructure was targeted by an unknown threat actor. The initial access was gained in March 2026 via SSH using a 'vmanage-admin' account. The attackers then leveraged CVE-2026-20245 to escalate their privileges, ultimately gaining root access to the system. To remain undetected, they altered system configurations and deleted any traces of their activity.
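As a defensive illustration of the access path described above, the following is an added example (not code from the article, Mandiant or Cisco) that scans OpenSSH-style sshd log lines for interactive logins to the 'vmanage-admin' account from sources outside an expected jump-host range. The log format, the allowlisted range and the sample log lines are constructed assumptions; the regex would need adapting to the appliance's actual log output.

```python
"""Flag SSH logins to a watched admin account from unexpected sources.

Added example, not from the article or Cisco. The sshd line format,
the allowlist and the sample lines below are constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Hypothetical jump-host range from which admin SSH sessions are expected.
ADMIN_ALLOWLIST = [ip_network("10.0.5.0/24")]

# Accounts whose interactive logins should always be reviewed.
WATCHED_USERS = {"vmanage-admin"}

# OpenSSH syslog form: "Accepted <method> for <user> from <ip> port <n> ssh2".
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def allowed(src):
    """True if the source address falls inside an allowlisted range."""
    addr = ip_address(src)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_suspicious_logins(lines):
    """Return (timestamp, user, source, auth method) for every successful
    login of a watched account whose source is not allowlisted."""
    hits = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m or m["user"] not in WATCHED_USERS:
            continue  # failed attempt, other daemon, or unwatched account
        if not allowed(m["src"]):
            hits.append((m["ts"], m["user"], m["src"], m["method"]))
    return hits


# Constructed sample log; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    "Mar  3 02:14:07 vmanage sshd[4121]: Accepted password for vmanage-admin from 203.0.113.45 port 51122 ssh2",
    "Mar  3 09:00:01 vmanage sshd[4300]: Accepted publickey for vmanage-admin from 10.0.5.12 port 40011 ssh2",
    "Mar  3 09:05:44 vmanage sshd[4310]: Failed password for vmanage-admin from 203.0.113.45 port 51200 ssh2",
    "Mar  3 11:30:00 vmanage sshd[4400]: Accepted publickey for netops from 203.0.113.9 port 40020 ssh2",
]

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print("ALERT: %s login as %s from %s (%s)" % hit)
```

Only the password login from the documentation-space address is reported; the key-based login from the jump-host range, the failed attempt and the unwatched account are ignored.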

This incident highlights a broader trend where threat actors are focusing on network appliances to bypass traditional security measures. As more organizations move towards software-defined networking, the management orchestrators become appealing targets for cybercriminals. Cisco has since released a patch, but the extended period of vulnerability underscores the need for rapid detection and response strategies.

In parallel, another Cisco vulnerability, CVE-2026-20230, was also reportedly exploited, although its in-the-wild exploitation has not been confirmed by Cisco as of late June. These events emphasize the critical need for organizations to prioritize patch management and enhance their monitoring capabilities to protect against similar threats in the future.
