
BREAKING SECURITY ALERT - CISCO SD-WAN ZERO-DAY: ROOT ACCESS ACHIEVED IN ACTIVE EXPLOITATION
Published Wednesday, June 24, 2026 at 06:48 PM PT

BLUF
Threat actors have actively exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager to gain root-level access. At least one confirmed victim is a communications service provider. Organizations running Cisco Catalyst SD-WAN Manager must treat this as a priority incident and apply mitigations immediately.

DETAILS
- Mandiant has published technical analysis describing the exploitation mechanism used to achieve root access on Cisco Catalyst SD-WAN Manager via CVE-2026-20245. The specific details of the exploit chain come from Mandiant's investigation.
- Active exploitation is confirmed against at least one communications service provider, per CyberScoop reporting.
- The attacker achieved the highest available access level on targeted systems.
- CVE-2026-20245 is identified as the primary vulnerability exploited.
- A separate but related Cisco flaw, CVE-2026-20230 in Cisco Unified CM, is also now being exploited in attacks per BleepingComputer, indicating that a broader Cisco-focused threat campaign may be underway. Linkage between these two exploitation efforts is unconfirmed.
- Root access means attackers had full control of affected systems, enabling potential lateral movement, persistent backdoor installation, data exfiltration, and network traffic manipulation.
- Threat actor attribution is not confirmed in available reporting. Motivation and full scope of targeting remain under investigation.

IMPACT
- Directly affected: Organizations running Cisco Catalyst SD-WAN Manager
- Sector at elevated risk: Telecommunications and communications service providers; enterprises using SD-WAN infrastructure
- Scope: Currently confirmed at minimum one victim organization; broader targeting is likely given zero-day status and the root-level access achieved
- Severity: Critical. Root access on SD-WAN management infrastructure gives an adversary visibility into, and control over, network routing, segmentation, and potentially connected environments

RECOMMENDED ACTIONS
- Audit immediately: Identify all Cisco Catalyst SD-WAN Manager instances in your environment, including internet-exposed management interfaces.
- Apply patches/mitigations: Check Cisco's Security Advisory portal for CVE-2026-20245 patches or workarounds. Apply without delay.
- Hunt for indicators: Engage threat hunting for anomalous root-level activity, unexpected process execution, or unauthorized configuration changes on SD-WAN infrastructure.
- Restrict management access: If patching is not immediately possible, restrict SD-WAN Manager access to trusted IPs only and disable external-facing management interfaces.
- Review Cisco Unified CM exposure: Given concurrent exploitation of CVE-2026-20230, assess and patch Unified CM deployments in parallel.
- Escalate to IR: Any organization in the telecommunications sector should consider this a high-priority incident requiring immediate investigation.

SOURCES
- BleepingComputer: Mandiant SD-WAN zero-day root access reporting
- CyberScoop: Exploitation at communications service provider
- Google Threat Intelligence: CVE-2026-20245 zero-day exploitation analysis
- BleepingComputer: Cisco Unified CM CVE-2026-20230 active exploitation

NOTE: Full technical details of the exploit chain, complete victim scope, and threat actor attribution remain unconfirmed at time of publication. Monitor Cisco PSIRT and Mandiant for updated guidance.
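As an added illustration of the "Hunt for indicators" action above (not code from the alert, Cisco, or Mandiant), the script below applies the three hunt criteria named in the alert to a constructed sample log. The line layout, the hostnames, the trusted-network allowlist, the approved change-ticket set and the expected-parent list are all assumptions for the example; the real SD-WAN Manager log format and your own baselines will differ.

```python
import re

# Constructed sample lines in an ASSUMED "<ts> <host> <event> key=value ..." layout;
# this is not the real Cisco Catalyst SD-WAN Manager log format.
SAMPLE_LOG = """\
2026-06-24T10:01:02Z vmanage01 session user=admin src=10.0.5.20 priv=admin
2026-06-24T10:02:15Z vmanage01 session user=vmanage-web src=203.0.113.7 priv=root
2026-06-24T10:02:16Z vmanage01 exec user=root cmd=/bin/bash parent=java
2026-06-24T10:03:40Z vmanage01 exec user=root cmd=/usr/bin/curl parent=bash
2026-06-24T10:05:00Z vmanage01 config user=admin change=CHG-1042 object=policy
2026-06-24T10:06:30Z vmanage01 config user=root change=none object=cli-template
"""

TRUSTED_MGMT_NETS = ("10.0.5.",)     # assumed allowlist of management source prefixes
APPROVED_CHANGES = {"CHG-1042"}       # assumed set of authorized change tickets
EXPECTED_ROOT_PARENTS = {"systemd"}   # assumed: root processes should not come from the app server

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse(line):
    """Split one log line into a dict of ts/host/event plus its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    kv = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    return {"ts": ts, "host": host, "event": event, **kv}


def hunt(log_text):
    """Return (rule, line) findings for the alert's three hunt criteria."""
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        # 1. Anomalous root-level activity: a root-privileged session from outside the management allowlist.
        if e["event"] == "session" and e.get("priv") == "root" \
                and not e.get("src", "").startswith(TRUSTED_MGMT_NETS):
            findings.append(("root-session-from-untrusted-source", line))
        # 2. Unexpected process execution: root processes spawned by something other than the init system.
        if e["event"] == "exec" and e.get("user") == "root" \
                and e.get("parent") not in EXPECTED_ROOT_PARENTS:
            findings.append(("unexpected-root-process", line))
        # 3. Unauthorized configuration change: no approved change ticket attached.
        if e["event"] == "config" and e.get("change") not in APPROVED_CHANGES:
            findings.append(("unauthorized-config-change", line))
    return findings


if __name__ == "__main__":
    for rule, line in hunt(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Feed it real exported logs once you have mapped the field names, and tune the three baselines to your environment before treating a hit as confirmed compromise.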