Published Wednesday, June 24, 2026 at 12:47 PM PT

BREAKING: ACTIVE ZERO-DAY EXPLOITATION OF CISCO CATALYST SD-WAN MANAGER (CVE-2026-20245)

BLUF: Threat actors are actively exploiting a zero-day vulnerability in Cisco Catalyst SD-WAN Manager. Organizations running affected SD-WAN Manager instances should treat this as an active incident. Patch or mitigate immediately.


DETAILS

  • CVE-2026-20245 is under active exploitation in Cisco Catalyst SD-WAN Manager, according to Google Threat Intelligence reporting. Specific CVSS score and affected version range are not confirmed in available source material — verify against Cisco’s advisory.
  • Threat actors have demonstrated post-exploitation capability including selectively deleting and restoring system configuration files modified during their activity — a deliberate anti-forensic technique indicating a sophisticated, operationally aware actor.
  • The file manipulation behavior suggests actors are actively attempting to conceal their presence and timeline of access, complicating incident response and forensic reconstruction.
  • A prior related Cisco zero-day (CVE-2026-20230, Unified CM) had a public proof-of-concept available at time of disclosure — whether a PoC exists for CVE-2026-20245 is not confirmed at this time.
  • Attribution of the threat actor has not been confirmed in available reporting. Sophistication of anti-forensic tradecraft is noted.

IMPACT

  • Directly affected: Organizations running Cisco Catalyst SD-WAN Manager in their network infrastructure.
  • Scope concern: SD-WAN Manager serves as a centralized control plane for SD-WAN deployments. Compromise may provide adversary visibility into or control over wide-area network routing, policy, and configuration across multiple sites.
  • Secondary risk: Anti-forensic file manipulation means dwell time and scope of access may be significantly underestimated without deep forensic investigation.

RECOMMENDED ACTIONS

  1. Immediately audit Cisco Catalyst SD-WAN Manager instances for unauthorized access, anomalous configuration changes, or unexpected file deletions and restorations.
  2. Apply Cisco patches as soon as available — check Cisco’s Security Advisory portal now for CVE-2026-20245 guidance.
  3. Restrict management-plane access to SD-WAN Manager: enforce allowlisting, disable unnecessary external access, require MFA.
  4. Preserve forensic artifacts now — given confirmed anti-forensic activity, initiate log preservation and memory capture before further remediation steps.
  5. Assume a breach posture, pending full investigation, if your SD-WAN Manager has been internet-exposed or inadequately segmented.
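The delete-then-restore pattern called out above is easy to miss when the restored file is inspected on its own, so the check in step 1 needs event correlation. The following is an added example, not from this advisory or from Cisco: it scans a constructed file-audit log (the line format, paths, actors and the `/etc/` prefix rule are assumptions) and flags configuration files that the same actor deleted and restored within a short window, noting whether the file had been modified beforehand.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not a real Cisco log format), one event per
# line: "<ISO-8601 timestamp> <ACTION> <path> <actor>".
SAMPLE_LOG = """\
2026-06-23T02:14:05Z MODIFY /etc/sdwan/config.yaml svc-admin
2026-06-23T02:31:40Z DELETE /etc/sdwan/config.yaml svc-admin
2026-06-23T02:32:12Z RESTORE /etc/sdwan/config.yaml svc-admin
2026-06-23T03:05:00Z MODIFY /var/log/app.log netops
2026-06-23T03:06:00Z DELETE /tmp/scratch.txt netops
2026-06-23T09:00:00Z DELETE /etc/sdwan/policy.json netops
2026-06-23T15:00:00Z RESTORE /etc/sdwan/policy.json netops
"""
# Assumed: anything under these prefixes is treated as a configuration file.
CONFIG_PREFIXES = ("/etc/",)

def parse_line(line):
    ts, action, path, actor = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, path, actor

def find_delete_restore(log_text, window=timedelta(minutes=15)):
    """Return (path, actor, delete_ts, restore_ts, modified_before) for every
    config file the same actor deleted and then restored within `window`."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_path = defaultdict(list)
    for ev in events:
        by_path[ev[2]].append(ev)
    findings = []
    for path, evs in by_path.items():
        if not path.startswith(CONFIG_PREFIXES):
            continue
        modified, pending_delete = False, None
        for ts, action, _, actor in evs:
            if action == "MODIFY":
                modified = True  # edit seen before any delete/restore pair
            elif action == "DELETE":
                pending_delete = (ts, actor)
            elif action == "RESTORE" and pending_delete is not None:
                d_ts, d_actor = pending_delete
                if ts - d_ts <= window and actor == d_actor:
                    findings.append((path, actor, d_ts, ts, modified))
                pending_delete = None
    return findings

if __name__ == "__main__":
    for hit in find_delete_restore(SAMPLE_LOG):
        print("suspicious delete/restore:", hit)
```

Widening `window` trades false positives for coverage; the policy.json pair six hours apart is only reported at a 24-hour window.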

SOURCES

  • Google Threat Intelligence — CVE-2026-20245 zero-day exploitation reporting
  • CyberScoop — prior Cisco zero-day exploitation context
  • SecurityWeek — CVE-2026-20230 Cisco Unified CM related reporting

⚠️ NOTE: Specific affected version ranges, CVSS score, and threat actor attribution are not confirmed in available source material at time of publication. Monitor Cisco PSIRT and CISA KEV catalog for updates.