Zero-Day Exploitation of Vulne... Note

Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager

In early 2026, Mandiant detected a threat actor targeting a service provider's SD-WAN infrastructure. The actor gained initial access through rogue peering connections, manipulating default account passwords. They then exploited a zero-day vulnerability, CVE-2026-20245, in Cisco Catalyst SD-WAN. This allowed them to escalate privileges from an administrative account to root-level access. The vulnerability exploited a flaw in the device's file upload feature which lacked proper filtering of malicious data. The threat actor also utilized anti-forensic techniques, selectively deleting and restoring system configuration files. They even executed a validation script to ensure all traces of their activities were purged. This campaign highlights the growing trend of compromising network appliances to bypass traditional security perimeters. SD-WAN orchestrators are becoming prime targets due to their central control and limited telemetry. Organizations are urged to patch Cisco Catalyst SD-WAN Manager immediately and follow hardening guidelines for enhanced security.