An unknown threat actor has taken advantage of a significant security flaw in Cisco Catalyst SD-WAN, as revealed by Mandiant, a cybersecurity firm owned by Google. The vulnerability, known as CVE-2026-20245, was exploited as a zero-day, with the breach occurring at least two months prior to its public disclosure.
Understanding the Vulnerability
The flaw, assigned a CVSS score of 7.8, allows authenticated local attackers to run arbitrary commands with elevated privileges. This is achieved by providing a specially crafted file to the vulnerable system, exploiting its inadequate validation of user input. Cisco acknowledged the breach earlier this month, noting that attackers needed netadmin privileges to successfully exploit the vulnerability.
Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan from Mandiant highlighted that the threat actor used anti-forensic techniques throughout the attack, selectively deleting and restoring system files to maintain stealth. The attack targeted a communications service provider, enabling the attackers to elevate a compromised admin account to root-level access.
Timeline of the Attack
The breach involved two phases of unauthorized activity: the first between late 2025 and January 2026, and the second in March 2026. While it remains uncertain if the same actor was responsible for both, the initial wave of the attack exploited authentication bypass flaws in Cisco Catalyst SD-WAN controllers (CVE-2026-20127 or CVE-2026-20182), both undisclosed zero-days at the time.
In March 2026, a second series of rogue connections targeted controllers that had already been patched against CVE-2026-20127. Cisco confirmed these connections did not exploit CVE-2026-20182, suggesting the attacker might have used certificates stolen during the earlier breach to gain initial access. The intruder then uploaded a malicious CSV file, leveraging CVE-2026-20245 to escalate privileges and create a root-level user account.
Implications and Future Concerns
The attackers took extensive measures to erase their digital footprint by deleting files and reverting configuration changes. This sophisticated approach complicates defenders’ efforts to evaluate the full scope of the breach. According to Austin Larsen from Google’s Threat Intelligence Group, the attackers altered admin credentials and exfiltrated configuration data, then restored the original password to avoid detection.
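The change-then-revert pattern described above (credentials altered and later restored, files deleted and later put back) is itself a detection signal, because the end state of the device looks untouched while the audit trail still records the intermediate steps. The following Python is an added example written for this article; it is not code from Mandiant, Google or Cisco and does not parse any Cisco log format. It assumes a generic audit-event model (timestamp, actor, action, target, opaque state marker) and constructed sample events, and flags any target that is moved away from a state and then returned to exactly that state within a time window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    """Generic audit record (assumed model, not a vendor log format)."""
    ts: datetime
    actor: str
    action: str   # e.g. "set_password", "delete_file", "write_file"
    target: str   # e.g. "account:admin" or "file:/path/to/config"
    state: str    # opaque marker for the target's state after the action
                  # (hash of the new value; "" means the target was removed)


def find_change_revert_pairs(events, window=timedelta(hours=6)):
    """Return (change_event, revert_event) pairs.

    A pair is reported when a target is left in state S, later moved to some
    other state, and then set back to S within `window` of the first change.
    Reverting to the prior state hides the change from a point-in-time
    inspection, which is why the revert itself is worth alerting on.
    """
    history = {}   # target -> events for that target, in time order
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        hist = history.setdefault(ev.target, [])
        # Most recent earlier event that left the target in the same state.
        same = None
        for i in range(len(hist) - 1, -1, -1):
            if hist[i].state == ev.state:
                same = i
                break
        # If something happened after that event, hist[same + 1] is the
        # first action that moved the target away from this state.
        if same is not None and same < len(hist) - 1:
            change_ev = hist[same + 1]
            if ev.ts - change_ev.ts <= window:
                findings.append((change_ev, ev))
        hist.append(ev)
    return findings


def sample_findings():
    """Run the detector over constructed sample events (not real telemetry)."""
    t0 = datetime(2026, 3, 10, 8, 0)
    events = [
        # Baseline states recorded before any suspicious activity.
        AuditEvent(t0, "system", "baseline", "account:admin", "h1"),
        AuditEvent(t0, "system", "baseline", "account:ops", "o1"),
        AuditEvent(t0, "system", "baseline", "file:/path/to/config", "f1"),
        # Admin credential changed, configuration exported, password restored.
        AuditEvent(t0 + timedelta(hours=1), "admin", "set_password", "account:admin", "h2"),
        AuditEvent(t0 + timedelta(hours=1, minutes=10), "admin", "export_config", "config:running", "c1"),
        AuditEvent(t0 + timedelta(hours=2), "admin", "set_password", "account:admin", "h1"),
        # A file deleted and then written back with its original content.
        AuditEvent(t0 + timedelta(hours=2, minutes=5), "admin", "delete_file", "file:/path/to/config", ""),
        AuditEvent(t0 + timedelta(hours=2, minutes=30), "admin", "write_file", "file:/path/to/config", "f1"),
        # Benign noise: a password rotated and changed back a day later,
        # outside the window, so it is not reported.
        AuditEvent(t0 + timedelta(hours=3), "ops", "set_password", "account:ops", "o2"),
        AuditEvent(t0 + timedelta(hours=20), "ops", "set_password", "account:ops", "o1"),
    ]
    return find_change_revert_pairs(events)


if __name__ == "__main__":
    for change, revert in sample_findings():
        print(f"{revert.target}: {change.action} at {change.ts} reverted by "
              f"{revert.action} at {revert.ts} (actor {revert.actor})")
```

The state marker should be something that survives a revert comparison, such as a hash of the credential or file content, rather than the raw value; the window is a tuning knob, since a legitimate rollback will also match and needs to be distinguished by actor, change-ticket correlation or similar context.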
This incident underscores the persistent threat of zero-day exploits against network devices lacking deep forensic capabilities. Charles Carmakal, CTO of Mandiant Consulting, noted the trend of cyber adversaries targeting network devices, which often do not support Endpoint Detection and Response (EDR) solutions. This ongoing challenge emphasizes the need for enhanced security measures across network infrastructures.
