Google’s Mandiant has disclosed that a Cisco Catalyst SD-WAN Manager vulnerability was exploited in the wild as a zero-day months before Cisco published an advisory and a fix. The case matters because the flaw sits in the network orchestrator itself, the system that manages the rest of the SD-WAN estate.
Details of the Vulnerability
The vulnerability, tracked as CVE-2026-20245, is the seventh flaw disclosed in Cisco’s SD-WAN products in 2026. It affects the Command Line Interface (CLI) of Cisco Catalyst SD-WAN Manager: an attacker who already has a valid local login can supply specially crafted files to the CLI and execute commands with root privileges. It is therefore a local privilege escalation, not a remote initial-access bug; the attacker must first obtain a working account on the appliance.
Cisco published the vulnerability in early June and shipped a patch roughly a week later. By then it had already been used in an intrusion: Mandiant’s investigation found a threat actor exploiting it against a service provider’s SD-WAN infrastructure earlier in the year.
Mandiant’s Investigation and Findings
Mandiant began its investigation in early 2026 after suspicious activity was noticed within the victim’s SD-WAN infrastructure. In March 2026 the threat actor logged in to the SD-WAN Manager instance over SSH with an authenticated session (how those credentials were obtained is a separate question from the CVE) and then used CVE-2026-20245 to escalate from that account to root.
Further analysis suggested that the same system may have been compromised earlier, possibly through other zero-day vulnerabilities such as CVE-2026-20127 or CVE-2026-20182. In one instance the attackers used the ‘vmanage-admin’ account to change the default admin account’s password and later set it back to its original value. Restoring the password keeps the legitimate administrator from being locked out and noticing the change, so the manipulation leaves only a short-lived trace in the audit trail.
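The change-then-restore pattern described above is detectable if the orchestrator’s audit events are kept somewhere the attacker cannot clean up. The following is an added example, not code from Mandiant or Cisco, that flags a credential change which is reverted to its previous value within a configurable window and notes whether a different account made the change. The log format and the `cred_hash` field are constructed for illustration; a real detector would parse the appliance’s own audit log or a forwarded syslog feed.

```python
"""Flag 'change-then-restore' credential manipulation in an audit trail.

Added example (not from Mandiant's report or Cisco's products). The log
format and sample events below are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed line format: timestamp, acting account, event type, target account,
# and a hash of the resulting credential so that a revert can be recognised.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) event=(?P<event>\S+) "
    r"target=(?P<target>\S+) cred_hash=(?P<hash>\S+)$"
)

# Constructed sample data. 'admin' is changed by vmanage-admin and restored
# 17m42s later; 'netops' reuses an old password two weeks later (benign-ish).
SAMPLE_LOG = """\
2026-01-15T10:00:00Z actor=admin event=password_change target=admin cred_hash=e5a1
2026-02-02T08:30:00Z actor=netops event=password_change target=netops cred_hash=77a0
2026-03-10T02:14:05Z actor=vmanage-admin event=password_change target=admin cred_hash=9f1c
2026-03-10T02:31:47Z actor=vmanage-admin event=password_change target=admin cred_hash=e5a1
2026-03-11T09:02:13Z actor=netops event=password_change target=netops cred_hash=8812
2026-03-12T11:20:00Z actor=admin event=password_change target=svc-backup cred_hash=c0de
2026-03-25T09:05:40Z actor=netops event=password_change target=netops cred_hash=77a0
"""


@dataclass(frozen=True)
class Finding:
    target: str            # account whose credential was changed and restored
    actor: str             # account that made the change that was later reverted
    changed_at: datetime
    restored_at: datetime
    cross_account: bool    # True when the change was not made by the target itself

    @property
    def exposure_seconds(self) -> int:
        """How long the attacker-controlled credential was in place."""
        return int((self.restored_at - self.changed_at).total_seconds())


def _parse(line: str):
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["actor"], m["event"], m["target"], m["hash"]


def find_reverts(log_text: str, window_seconds: int = 3600) -> list[Finding]:
    """Return one Finding per credential change that is undone within the window.

    A revert is a password_change whose new hash equals the hash that was in
    place *before* the previous change of the same account.
    """
    # last_change[target] = (ts, actor, current_hash, hash_before_that_change)
    last_change: dict[str, tuple[datetime, str, str, str | None]] = {}
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        parsed = _parse(raw.strip())
        if parsed is None:
            continue
        ts, actor, event, target, new_hash = parsed
        if event != "password_change":
            continue
        prev = last_change.get(target)
        if prev is not None:
            prev_ts, prev_actor, prev_hash, before_prev = prev
            if new_hash == before_prev and (ts - prev_ts).total_seconds() <= window_seconds:
                findings.append(
                    Finding(target, prev_actor, prev_ts, ts, prev_actor != target)
                )
        last_change[target] = (ts, actor, new_hash, prev[2] if prev else None)
    return findings


if __name__ == "__main__":
    for f in find_reverts(SAMPLE_LOG):
        print(f"{f.target}: changed by {f.actor} at {f.changed_at:%Y-%m-%d %H:%M:%S}, "
              f"restored after {f.exposure_seconds}s, cross_account={f.cross_account}")
```

With the default one-hour window only the `admin` event pair is reported; widening the window to 30 days also surfaces the `netops` password reuse, which shows why the threshold should be tuned to the environment and why a change made by a different account than the target deserves more weight than a self-service reuse.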
Implications and Future Outlook
With administrative credentials in hand, the attackers used CVE-2026-20245 to obtain full root-level access to the appliance. They then tried to cover their tracks by deleting the files they had created during the intrusion and restoring the system configuration to its prior state.
The incident illustrates a broader risk in software-defined networking: attackers increasingly target network appliances, which rarely run endpoint security tooling and whose compromise gives reach into every device they manage. Mandiant emphasized the importance of safeguarding network orchestrators, which are becoming prime targets. A practical consequence of the clean-up described above is that audit and authentication logs from such appliances should be forwarded off-box, since on-box evidence can be deleted by an attacker who has reached root.
In related news, a separate vulnerability, CVE-2026-20230, affecting Cisco Unified CM, has been reported by another cybersecurity firm. It was patched in early June; as of June 24, Cisco had not confirmed active exploitation.
For more technical details and indicators of compromise, refer to Mandiant’s official blog post.
