Cisco SD-WAN Zero-Day Exploited Months Before Patch Released
CVE-2026-20245 in Cisco Catalyst SD-WAN Manager was exploited as a zero-day for months; attackers achieved root access via SSH and privilege escalation.
Attack Brief
Target: Cisco Catalyst SD-WAN Manager
Vector: Authenticated local command execution via CLI; privilege escalation to root using specially crafted files
Attribution: unattributed
Technical Details
CVE IDs: CVE-2026-20245, CVE-2026-20127, CVE-2026-20182
MITRE ATT&CK: T1548.004, T1021.004
Affected: Cisco Catalyst SD-WAN Manager; default accounts vmanage-admin and admin
Impact
Affected Organisations: Service provider SD-WAN infrastructure
Sectors: Telecommunications/Service Providers
Confirmed Damage: Root-level compromise of SD-WAN Manager instances; attacker deleted forensic evidence and restored system configurations
Mitigation
Patches: Cisco released patches approximately one week after the early June 2026 disclosure
Detection: Monitor for SSH access to the vmanage-admin and admin accounts; track password changes on default accounts; audit CLI command execution logs
Context
Previous Campaigns: The same victim was previously targeted via CVE-2026-20127 or CVE-2026-20182; CVE-2026-20245 is the 7th Cisco SD-WAN zero-day exploited in 2026
Similar Attacks: Attackers prioritize network appliances and SD-WAN orchestrators to bypass traditional security perimeters; "living off the edge" tactics employed
Source
https://www.securityweek.com/cisco-sd-wan-zero-day-exploited-months-before-patching/
Attributed to: Google Mandiant
Published: 2026-06-25T00:00:00Z
4 sources