Cyber Web Spider Blog – News

Cisco SD-WAN Exploit Exposed Months Before Patch


Posted on June 25, 2026 By CWS

Google’s cybersecurity team, Mandiant, has revealed a significant security breach involving a Cisco Catalyst SD-WAN vulnerability. This flaw was exploited as a zero-day months before it was publicly disclosed and patched, raising concerns over network security.

Details of the Vulnerability

The identified vulnerability, officially recorded as CVE-2026-20245, marks the seventh known flaw in Cisco’s SD-WAN products in 2026. This particular issue affects the Command Line Interface (CLI) of the Cisco Catalyst SD-WAN Manager, allowing authenticated local attackers to execute commands with root privileges through specially crafted files.

Cisco made the vulnerability public in early June, with a patch following approximately a week later. However, Mandiant’s investigation revealed that a threat actor had already exploited it earlier in the year while targeting a service provider’s SD-WAN infrastructure.

Mandiant’s Investigation and Findings

Mandiant began its investigation in early 2026 after noticing suspicious activity within SD-WAN infrastructure. The threat actor initially accessed the SD-WAN Manager instance via SSH in March 2026 and used CVE-2026-20245 to elevate their privileges to root level.

Further analysis suggested that the same system may have been targeted previously, possibly through exploitation of other zero-day vulnerabilities such as CVE-2026-20127 or CVE-2026-20182. In one instance, the attackers used the ‘vmanage-admin’ account to change and later restore the default admin account’s password, likely to avoid detection.
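
The change-and-restore behaviour described above leaves a recognizable trace for defenders: an account's stored credential is replaced by a different account and then reappears unchanged a short time later. The sketch below is an added example, not code from Mandiant or Cisco; the event schema, the credential fingerprint fields, the 'netops1' account, SAMPLE_EVENTS and find_password_reverts are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed, normalized audit events (hypothetical schema, not Cisco's log
# format). old_fp/new_fp are fingerprints of the stored credential hash taken
# before and after each change, e.g. from configuration snapshots.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T02:11:05", "actor": "vmanage-admin", "target": "admin",
     "action": "password_change", "old_fp": "fp-A", "new_fp": "fp-B"},
    {"ts": "2026-03-10T02:13:40", "actor": "netops1", "target": "netops1",
     "action": "login", "old_fp": None, "new_fp": None},
    {"ts": "2026-03-10T03:02:17", "actor": "vmanage-admin", "target": "admin",
     "action": "password_change", "old_fp": "fp-B", "new_fp": "fp-A"},
    {"ts": "2026-03-12T09:00:00", "actor": "netops1", "target": "netops1",
     "action": "password_change", "old_fp": "fp-C", "new_fp": "fp-D"},
]


def find_password_reverts(events, window=timedelta(hours=24)):
    """Return (change, revert) pairs: an account's password was changed by a
    different account, then its original credential reappeared within window."""
    changes = sorted(
        (e for e in events if e["action"] == "password_change"),
        key=lambda e: datetime.fromisoformat(e["ts"]),
    )
    pending = {}   # target -> changes made by another account, not yet reverted
    findings = []
    for ev in changes:
        when = datetime.fromisoformat(ev["ts"])
        queue = pending.setdefault(ev["target"], [])
        match = next(
            (c for c in queue
             if c["old_fp"] is not None
             and ev["new_fp"] == c["old_fp"]
             and when - datetime.fromisoformat(c["ts"]) <= window),
            None,
        )
        if match is not None:
            findings.append((match, ev))
            queue.remove(match)
        elif ev["actor"] != ev["target"]:
            queue.append(ev)   # routine self-service changes are not tracked
    return findings


if __name__ == "__main__":
    for change, revert in find_password_reverts(SAMPLE_EVENTS):
        print(f"{change['target']}: changed by {change['actor']} at "
              f"{change['ts']}, original credential restored at {revert['ts']}")
```

A restored credential is invisible to any check that only compares the current password hash against a baseline, which is why the comparison has to run over the change history.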

Implications and Future Outlook

Once they secured admin privileges, the attackers exploited the vulnerability to gain complete root-level access. They then attempted to erase their digital footprint by deleting files created during the attack and restoring system configurations.

This incident highlights the risks associated with software-defined networking, as attackers increasingly target network appliances to bypass traditional security measures. Mandiant emphasized the importance of safeguarding network orchestrators, which are becoming prime targets.

In related news, a separate vulnerability, CVE-2026-20230, affecting Cisco Unified CM, has been reported by another cybersecurity firm. Although the flaw was patched in early June, Cisco had not confirmed active exploitation as of June 24.

For more technical details and indicators of compromise, refer to Mandiant’s official blog post.
