Published Wednesday, June 24, 2026 at 12:47 PM PT

BREAKING: Cisco Zero-Day Exploited for Highest Privilege Access at Communications Service Provider

BLUF: Threat actors have actively exploited CVE-2026-20245, a previously unpatched vulnerability in Cisco Catalyst SD-WAN Manager, to gain root-level access at a communications service provider. All organizations running affected Cisco infrastructure, and Cisco Catalyst SD-WAN Manager in particular, should treat this as an active threat and apply the patch immediately.

DETAILS

  • Mandiant documented active zero-day exploitation of CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, enabling root-level command execution on affected systems, per Google Threat Intelligence reporting.
  • Attackers achieved the highest available access level on compromised systems at a confirmed communications service provider victim; the identity of the victim has not been publicly disclosed.
  • Observed attacker behavior includes selective deletion and subsequent restoration of system configuration files, a pattern consistent with anti-forensic activity (covering traces) or with establishing persistence.
  • Attribution is unconfirmed. Mandiant has not publicly identified the threat actor or linked the activity to a known group as of this alert.
  • Whether attackers gained broad visibility into internal traffic — a critical concern given the victim’s role as a communications provider — remains unconfirmed.

IMPACT

  • Directly affected: Organizations running Cisco Catalyst SD-WAN Manager.
  • Elevated risk: Communications service providers, whose infrastructure may carry third-party customer traffic, represent high-value targets with potential downstream exposure to the provider’s clients.
  • Scope of broader campaign: Unknown. It is unclear whether this is an isolated incident or part of a wider targeting pattern.

RECOMMENDED ACTIONS

  1. Patch immediately — Apply Cisco’s available patch for CVE-2026-20245. A proof-of-concept exploit is publicly available, which raises the likelihood of exploitation by additional actors.
  2. Audit SD-WAN Manager logs for unauthorized configuration changes (in particular configuration files that were deleted and later restored), unexpected deletions, and anomalous privileged-access events.
  3. Review network segmentation around the SD-WAN management plane, and confirm that the Manager’s management interfaces are reachable only from trusted administrative networks, to limit lateral movement.
  4. Communications providers should assess whether customer traffic visibility may have been exposed and consider notification obligations accordingly.
  5. Monitor Mandiant and Cisco advisories for updated indicators of compromise (IOCs) — none have been confirmed publicly at this time.
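The log review in step 2 can be partly automated. The following is an added example, not code from Cisco, Mandiant or any source cited here: it parses constructed, generic audit records in a hypothetical "timestamp user= action= path=" format (SD-WAN Manager's real audit logs use their own format and field names, so the parser would need to be adapted) and pairs each configuration-file deletion with a restoration of the same path within a short window, the delete-then-restore pattern described under DETAILS. Deletes that are never restored and restores with no preceding delete are reported separately, since both also warrant a look.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in a hypothetical generic format
# (assumption: not Cisco's log format, not taken from any real incident):
#   "<ISO 8601 UTC timestamp> user=<name> action=<verb> path=<file or ->"
SAMPLE_LOG = """\
2026-06-22T01:02:03Z user=admin action=login path=-
2026-06-22T01:05:10Z user=admin action=delete path=/etc/config/system.conf
2026-06-22T01:05:11Z user=admin action=delete path=/etc/config/auth.conf
2026-06-22T01:09:40Z user=admin action=restore path=/etc/config/system.conf
2026-06-22T01:09:41Z user=admin action=restore path=/etc/config/auth.conf
2026-06-22T03:00:00Z user=backup action=delete path=/var/tmp/old.bak
2026-06-23T09:00:00Z user=ops action=restore path=/etc/config/snmp.conf
"""

# A restore is paired with an earlier delete of the same path only if the
# gap is at most this long (assumed threshold; tune to the environment).
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Parse one audit record into a dict; the timestamp is stored under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text, window=WINDOW):
    """Return (pairs, orphan_deletes, orphan_restores).

    pairs:           (path, user, delete_ts, restore_ts) for every delete that
                     is followed by a restore of the same path within `window`
    orphan_deletes:  delete records never matched by a restore
    orphan_restores: restore records with no matching delete in the window
    """
    pending = defaultdict(list)  # path -> delete records not yet matched
    pairs, orphan_restores = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "delete":
            pending[rec["path"]].append(rec)
        elif rec["action"] == "restore":
            matched = False
            still_pending = []
            for d in pending[rec["path"]]:
                # Match the first unmatched delete that falls inside the window.
                if not matched and timedelta(0) <= rec["ts"] - d["ts"] <= window:
                    pairs.append((rec["path"], d["user"], d["ts"], rec["ts"]))
                    matched = True
                else:
                    still_pending.append(d)
            pending[rec["path"]] = still_pending
            if not matched:
                orphan_restores.append(rec)
    orphan_deletes = [d for recs in pending.values() for d in recs]
    return pairs, orphan_deletes, orphan_restores


def report(log_text):
    """Human-readable summary for a triage note; returns the lines it prints."""
    pairs, orphan_deletes, orphan_restores = analyze(log_text)
    lines = []
    for path, user, d_ts, r_ts in pairs:
        gap = int((r_ts - d_ts).total_seconds())
        lines.append(f"DELETE+RESTORE {path} by {user}: restored {gap}s after deletion")
    for d in orphan_deletes:
        lines.append(f"DELETE (no restore) {d['path']} by {d['user']} at {d['ts']:%Y-%m-%dT%H:%M:%SZ}")
    for r in orphan_restores:
        lines.append(f"RESTORE (no prior delete) {r['path']} by {r['user']} at {r['ts']:%Y-%m-%dT%H:%M:%SZ}")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On the sample input the two files under /etc/config/ deleted by "admin" and restored four and a half minutes later are flagged as pairs; the unmatched delete and the unmatched restore are listed on their own. The window exists because a legitimate rollback can also look like delete-then-restore; what makes the pattern worth a ticket is a short gap combined with a privileged account and a path that should not change outside a change window.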

SOURCES

  • Mandiant / Google Threat Intelligence: Zero-Day Exploitation of CVE-2026-20245 in Cisco Catalyst SD-WAN Manager
  • CyberScoop: Malicious hackers exploit Cisco zero-day for highest access level at communications service provider
  • SOC Prime: CVE-2026-20245 analysis

⚠️ UNCERTAINTY FLAG: Threat actor identity, full victim scope, and whether traffic interception occurred are all unconfirmed. This alert will be updated as Mandiant releases additional findings.