Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html
Publish Date: 2026-06-25 01:46:00
Source Domain: thehackernews.com
An unknown threat actor exploited a recently disclosed high-severity security flaw impacting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant.
The vulnerability, tracked as CVE-2026-20245 (CVSS score: 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by supplying a crafted file to the affected system by taking advantage of the device’s insufficient validation of user-supplied input.
Earlier this month, Cisco acknowledged that it became aware of exploitation of this vulnerability, adding that a malicious actor must have netadmin privileges on an affected system to pull off a successful attack.
“Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities,” Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said.
The incident, the tech giant’s incident response and threat intelligence arm added, targeted an unspecified communications service provider to elevate a compromised admin account to full root-level access.
Two distinct periods of unauthorized activity have been detected, one taking place between late 2025 and January 2026 and the other in March 2026. At this stage, it’s unclear if these two events are connected and the work of the same threat actor.
During the first wave, the victim is said to have experienced unauthorized peering connections that likely exploited one of two authentication bypass flaws in Cisco Catalyst SD-WAN controllers (CVE-2026-20127 or CVE-2026-20182). It’s worth noting that both the security vulnerabilities were undisclosed zero-days at that point.
Then in March 2026, a second wave of rogue peering…
