
Cisco SD-WAN Zero-Day CVE-2026-20245 Exploited for Root Access Two Months Before Patch

thehackernews.com · @vast_leopard · 1 hour ago · Cybersecurity · 2 comments

Mandiant found attackers exploiting CVE-2026-20245 in Cisco Catalyst SD-WAN as a zero-day, achieving root-level command execution months before the vendor disclosed the flaw.

Tags: cisco, cisco catalyst sd wan, cve 2026 20245, mandiant, zero day, network security

Attackers had root access on Cisco Catalyst SD-WAN appliances for at least two months before Cisco even knew about the hole. Mandiant uncovered evidence that CVE-2026-20245 was exploited as a zero-day, meaning the vulnerability was active in the wild before any patch existed.

A Local Auth Flaw That Goes All the Way to Root

CVE-2026-20245 carries a CVSS score of 7.8 (high severity). The bug lets an authenticated local attacker execute arbitrary commands with elevated privileges. In practice, that means anyone who already has a foothold on the device can escalate to full root control of the SD-WAN appliance.

Cisco Catalyst SD-WAN is enterprise gear that sits at the edge of wide-area networks, handling critical routing and security policies. A root-level compromise on these devices gives attackers carte blanche to intercept traffic, modify routing, and pivot deeper into the corporate network.

Why the Two-Month Head Start Matters

Mandiant's finding that this was exploited before the June 2026 disclosure suggests the vulnerability was either discovered independently by the threat actor or leaked from within. Either way, defenders had no warning. Cisco's advisory, the public disclosure, likely followed a coordinated disclosure timeline, but by then the attackers were already using the flaw.

For network security teams, this reinforces a hard lesson: assume your SD-WAN gear has unpatched flaws and limit local access aggressively. The exploit path requires authentication, so credential hygiene and MFA on management interfaces are the only layers between an attacker and root.

What This Changes for Enterprise WAN Security

CVE-2026-20245 is a reminder that SD-WAN platforms are juicy targets: they concentrate network control in one box. Vendors need faster internal detection of active exploits, and enterprises should treat these appliances as high-value assets requiring segmentation and monitoring.

No patch timeline has been confirmed, but given the active exploitation, expect an emergency fix from Cisco within days. Until then, lock down local access and audit your Catalyst SD-WAN logs for signs of privilege escalation.


Source: Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
Domain: thehackernews.com
