Published Thursday, June 25, 2026 at 12:51 AM PT

BLUF: A critical zero-day vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) was actively exploited in the wild for an extended period before Cisco disclosed and patched it. Attackers achieved root-level access at affected organizations, including at least one communications service provider. All organizations running Cisco Catalyst SD-WAN Manager must apply available patches immediately.


DETAILS

  • CVE-2026-20245 affects Cisco Catalyst SD-WAN Manager and was exploited as a zero-day, meaning no patch was available during the active exploitation window.
  • Exploitation enabled attackers to gain root access to affected systems, according to reporting from Mandiant and Google Threat Intelligence.
  • At least one communications service provider was confirmed as a victim, per CyberScoop reporting; broader targeting scope is not yet fully confirmed.
  • Google Threat Intelligence observed attackers selectively deleting and restoring system configuration files as part of post-exploitation activity, suggesting deliberate operational security tradecraft.
  • This is the seventh Cisco SD-WAN vulnerability exploited in 2026, indicating a sustained and targeted focus on this product line by threat actors.

IMPACT

  • Directly affected: Organizations running Cisco Catalyst SD-WAN Manager, particularly enterprises, managed service providers, and communications infrastructure operators.
  • Scope: Root-level compromise allows full system control, potential lateral movement, persistent access, and configuration manipulation. The communications sector appears to be a confirmed target; broader sector targeting is not yet confirmed.
  • Exploitation duration: Months of unpatched exploitation means organizations should assume potential compromise predates any internal detection activity.

RECOMMENDED ACTIONS

  1. Apply Cisco’s patch for CVE-2026-20245 immediately if not already done. Verify patch status across all SD-WAN Manager instances.
  2. Assume a breach posture for any Cisco Catalyst SD-WAN Manager instance that was exposed before patching, and initiate a forensic review.
  3. Hunt for indicators of compromise consistent with root-level access and configuration file manipulation (the deletion/restoration patterns flagged by Mandiant).
  4. Audit SD-WAN configuration integrity: compare current configurations against known-good baselines.
  5. Restrict management-plane access to SD-WAN Manager to trusted IP ranges pending full remediation.
  6. Review the six prior Cisco SD-WAN CVEs exploited in 2026; if your environment was not fully patched against all of them, treat it as potentially compromised.
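
The following is an added example illustrating steps 3 and 4 above; it is not code from the advisory, from Cisco, or from any of the cited sources. It assumes a configuration directory tree, a known-good baseline expressed as SHA-256 hashes per relative path, and a host audit feed that yields "timestamp ACTION path" lines. The directory names, the audit-line format, and the sample events are all constructed placeholders, not real product paths or log formats. It demonstrates two defender checks: drift from a baseline (modified, missing, unexpected files) and a delete-then-recreate of the same path within a short window, which is the configuration-file pattern the reporting describes.

```python
# Added example for steps 3 and 4; not the advisory's or Cisco's code.
# Assumptions (hypothetical): config lives under one directory tree, a
# known-good baseline exists as {relative_path: sha256}, and an audit source
# yields "ISO-8601-timestamp ACTION path" lines. Paths and the sample log
# below are constructed for illustration only.
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large configs never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Step 4: classify drift from a known-good baseline.
    'modified' = same path, different hash; 'missing' = in baseline only;
    'unexpected' = present now but absent from the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def parse_events(lines):
    """Parse constructed 'timestamp ACTION path' audit lines; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        ts, action, path = parts
        try:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            continue
        events.append((when, action.upper(), path))
    return sorted(events)


def find_delete_restore(events, window: timedelta) -> list[tuple[str, datetime, datetime]]:
    """Step 3: flag a DELETE followed by a CREATE of the same path within `window`.
    Routine administration rarely deletes and re-creates a config file seconds apart."""
    pending: dict[str, datetime] = {}
    hits = []
    for when, action, path in events:
        if action == "DELETE":
            pending[path] = when
        elif action == "CREATE" and path in pending:
            deleted = pending.pop(path)
            if when - deleted <= window:
                hits.append((path, deleted, when))
    return hits


# Constructed audit lines; the paths are placeholders, not real product paths.
SAMPLE_EVENTS = [
    "2026-06-20T03:14:05Z DELETE /opt/example-sdwan/conf/policy.conf",
    "2026-06-20T03:14:09Z CREATE /opt/example-sdwan/conf/policy.conf",
    "2026-06-20T09:00:00Z DELETE /opt/example-sdwan/conf/old.bak",
    "2026-06-21T09:00:00Z CREATE /opt/example-sdwan/conf/old.bak",  # a day later: outside window
    "garbage line that should be ignored",
]


def demo() -> dict:
    """Build a throwaway config tree, baseline it, tamper with it, and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "conf").mkdir()
        (root / "conf" / "policy.conf").write_text("policy v1\n")
        (root / "conf" / "users.conf").write_text("admin\n")
        baseline = snapshot(root)
        # Simulated tampering: modify one file, remove one, plant one.
        (root / "conf" / "policy.conf").write_text("policy v1\nallow-all\n")
        (root / "conf" / "users.conf").unlink()
        (root / "conf" / "extra.conf").write_text("unexpected\n")
        drift = compare_to_baseline(baseline, snapshot(root))
    restores = find_delete_restore(parse_events(SAMPLE_EVENTS), timedelta(minutes=10))
    return {"drift": drift, "delete_restore_paths": [h[0] for h in restores]}


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is captured from a freshly patched or freshly built instance and stored off-box, so that an attacker with root on the appliance cannot rewrite it; the audit events would come from whatever file-integrity or host auditing feed the organization already collects. The window length is a tuning choice: a few minutes catches the quick delete-and-restore sequence while letting a legitimate backup-and-reinstall hours later pass.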

⚠️ UNCERTAINTY FLAGS

  • Full attribution (nation-state vs. criminal) has not been confirmed in available reporting.
  • Complete victim count and sector breadth remain unknown at this time.
  • CVSS score and specific technical vulnerability class (e.g., auth bypass, command injection) are not confirmed in provided source material.

SOURCES

  • SecurityWeek - Cisco SD-WAN Zero-Day Exploited Months Before Patching
  • The Hacker News - Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
  • Google Threat Intelligence - Zero-Day Exploitation of CVE-2026-20245 in Cisco Catalyst SD-WAN Manager
  • CyberScoop - Malicious hackers exploit Cisco zero-day for highest access level at communications service provider
  • BleepingComputer / Mandiant - How Cisco SD-WAN zero-day attacks gained root access