Published Wednesday, June 24, 2026 at 06:48 PM PT

🚨 BREAKING SECURITY ALERT: CISCO SD-WAN ZERO-DAY, ROOT ACCESS ACHIEVED IN ACTIVE EXPLOITATION

BLUF: Threat actors have actively exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager to gain root-level access. At least one confirmed victim is a communications service provider. Organizations running Cisco Catalyst SD-WAN Manager must treat this as a priority incident and apply mitigations immediately.


DETAILS

  • Mandiant has published technical analysis revealing the exploitation mechanism used to achieve root access on Cisco Catalyst SD-WAN Manager via CVE-2026-20245. Specific technical details of the exploit chain are attributed to Mandiant’s investigation.
  • Active exploitation confirmed against at least one communications service provider, per CyberScoop reporting. The attacker achieved the highest available access level on targeted systems.
  • CVE-2026-20245 is identified as the primary vulnerability exploited. A separate but related Cisco flaw, CVE-2026-20230 in Cisco Unified CM, is also now being exploited in attacks per BleepingComputer, indicating that a broader Cisco-focused threat campaign may be underway. Linkage between these two exploitation efforts is unconfirmed.
  • Root access means the attackers had full control of affected systems, enabling potential lateral movement, persistent backdoor installation, data exfiltration, and network traffic manipulation.
  • Threat actor attribution is not confirmed in available reporting. Motivation and full scope of targeting remain under investigation.

IMPACT

  • Directly affected: Organizations running Cisco Catalyst SD-WAN Manager
  • Sector at elevated risk: Telecommunications and communications service providers; enterprises using SD-WAN infrastructure
  • Scope: At least one victim organization confirmed so far; broader targeting is likely given the zero-day status and the root-level access achieved
  • Severity: Critical. Root access on SD-WAN management infrastructure gives an adversary visibility into and control over network routing, segmentation, and potentially connected environments

RECOMMENDED ACTIONS

  1. Audit immediately: Identify all Cisco Catalyst SD-WAN Manager instances in your environment, including internet-exposed management interfaces.
  2. Apply patches/mitigations: Check Cisco’s Security Advisory portal for CVE-2026-20245 patches or workarounds. Apply without delay.
  3. Hunt for indicators: Engage threat hunting for anomalous root-level activity, unexpected process execution, or unauthorized configuration changes on SD-WAN infrastructure.
  4. Restrict management access: If patching is not immediately possible, restrict SD-WAN Manager access to trusted IPs only and disable external-facing management interfaces.
  5. Review Cisco Unified CM exposure: Given concurrent exploitation of CVE-2026-20230, assess and patch Unified CM deployments in parallel.
  6. Escalate to IR: Any organization in the telecommunications sector should consider this a high-priority incident requiring immediate investigation.

SOURCES

  • BleepingComputer: Mandiant SD-WAN zero-day root access reporting
  • CyberScoop: Exploitation at communications service provider
  • Google Threat Intelligence: CVE-2026-20245 zero-day exploitation analysis
  • BleepingComputer: Cisco Unified CM CVE-2026-20230 active exploitation

⚠️ NOTE: Full technical details of the exploit chain, complete victim scope, and threat actor attribution remain unconfirmed at time of publication. Monitor Cisco PSIRT and Mandiant for updated guidance.