← Back to blog

Cisco SD-WAN Zero-Day Exploited for Months Before Disclosure

A high-severity vulnerability in Cisco Catalyst SD-WAN was actively exploited as a zero-day for at least two months before public disclosure, according to Mandiant research. The flaw allows authenticated local attackers to execute arbitrary commands with root privileges.

TL;DR

  • CVE-2026-20245 (CVSS 7.8) in Cisco Catalyst SD-WAN was exploited in the wild before official disclosure
  • Threat actors gained root-level command execution through local authenticated access
  • Mandiant discovered the zero-day campaign, indicating a significant window of undetected exploitation
  • Organizations running affected Cisco SD-WAN deployments should prioritize patching immediately

Security researchers at Mandiant have uncovered evidence that a high-severity vulnerability in Cisco Catalyst SD-WAN was actively exploited by unknown threat actors for at least two months before Cisco publicly disclosed the flaw. This extended pre-disclosure exploitation window represents a significant risk to organizations relying on Cisco SD-WAN infrastructure for network connectivity and security.

The vulnerability, designated CVE-2026-20245 with a CVSS score of 7.8, requires an authenticated local attacker to execute arbitrary commands with elevated privileges on affected systems. The discovery highlights the ongoing challenge of zero-day vulnerabilities remaining undetected in production environments and underscores the importance of rapid threat intelligence sharing and patching cycles.

This incident demonstrates that even well-known vendors' enterprise products can be targeted by sophisticated threat actors who maintain operational security during their exploitation campaigns, delaying detection and remediation efforts across affected customer bases.

Vulnerability Details and Attack Vector

  • CVE-2026-20245 affects Cisco Catalyst SD-WAN platforms with a CVSS severity rating of 7.8
  • Exploitation requires local access and valid authentication credentials
  • Successful exploitation grants attackers arbitrary command execution with root-level privileges
  • The vulnerability was actively exploited in the wild for a minimum of two months before public disclosure

Implications for Enterprise Security Teams

  • Organizations should assume potential compromise if SD-WAN systems were unpatched during the exploitation window
  • Immediate patching of affected Cisco Catalyst SD-WAN deployments is critical to prevent ongoing exploitation
  • Forensic analysis and log review may be necessary to determine if systems were targeted or compromised
  • Network segmentation and access controls should be reviewed to limit local attacker reach on SD-WAN infrastructure

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Cisco SD-WAN Zero-Day Exploited for Months Before Disclosure — Agent Breach Blog | Agent Breach