BREAKING: ACTIVE ZERO-DAY EXPLOITATION OF CISCO CATALYST SD-WAN MANAGER (CVE-2026-20245)

Published Wednesday, June 24, 2026 at 12:47 PM PT

BLUF

Threat actors are actively exploiting a zero-day vulnerability in Cisco Catalyst SD-WAN Manager. Organizations running affected SD-WAN Manager instances should treat this as an active incident. Patch or mitigate immediately.

DETAILS

CVE-2026-20245 is under active exploitation in Cisco Catalyst SD-WAN Manager, according to Google Threat Intelligence reporting. Specific CVSS score and affected version range are not confirmed in available source material — verify against Cisco’s advisory.

Threat actors have demonstrated post-exploitation capability including selectively deleting and restoring system configuration files modified during their activity — a deliberate anti-forensic technique indicating a sophisticated, operationally aware actor. The file manipulation behavior suggests actors are actively attempting to conceal their presence and timeline of access, complicating incident response and forensic reconstruction.

A prior related Cisco zero-day (CVE-2026-20230, Unified CM) had a public proof-of-concept available at time of disclosure — whether a PoC exists for CVE-2026-20245 is not confirmed at this time.

Attribution of the threat actor has not been confirmed in available reporting. Sophistication of anti-forensic tradecraft is noted.

IMPACT

Directly affected: Organizations running Cisco Catalyst SD-WAN Manager in their network infrastructure.
Scope concern: SD-WAN Manager serves as a centralized control plane for SD-WAN deployments. Compromise may provide adversary visibility into or control over wide-area network routing, policy, and configuration across multiple sites.
Secondary risk: Anti-forensic file manipulation means dwell time and scope of access may be significantly underestimated without deep forensic investigation.

RECOMMENDED ACTIONS

Immediately audit Cisco Catalyst SD-WAN Manager instances for unauthorized access, anomalous configuration changes, or unexpected file deletions and restorations.
Apply Cisco patches as soon as available — check Cisco’s Security Advisory portal now for CVE-2026-20245 guidance.
Restrict management-plane access to SD-WAN Manager: enforce allowlisting, disable unnecessary external access, require MFA.
Preserve forensic artifacts now — given confirmed anti-forensic activity, initiate log preservation and memory capture before further remediation steps.
Assume breach posture if your SD-WAN Manager has been internet-exposed or inadequately segmented pending full investigation.

SOURCES

Google Threat Intelligence — CVE-2026-20245 zero-day exploitation reporting
CyberScoop — prior Cisco zero-day exploitation context
SecurityWeek — CVE-2026-20230 Cisco Unified CM related reporting

⚠️ NOTE: Specific affected version ranges, CVSS score, and threat actor attribution are not confirmed in available source material at time of publication. Monitor Cisco PSIRT and CISA KEV catalog for updates. ...
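As an added illustration of the audit step above (example code written for this page, not tooling from Cisco, Google Threat Intelligence, or the advisory's author), the following Python script scans file-audit log lines for configuration files that were deleted and then re-created or restored within a short window, which is the delete-and-restore pattern described under DETAILS. The log line format, the config path prefixes, and the host and user names are all constructed assumptions; adapt the regex and prefixes to whatever file-integrity or audit source you actually collect from the SD-WAN Manager host. The sample log is constructed and embedded so the script runs offline.

```python
"""Flag delete-then-restore sequences on configuration files in audit logs.

Added illustration for the advisory above; not Cisco's or Google's tooling.
The log line format, paths, host and user names are constructed assumptions.
"""
import re
from datetime import datetime

# Hypothetical audit line: "<ISO-8601 time> <host> audit: <action> <path> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: (?P<action>create|modify|delete|restore) "
    r"(?P<path>\S+) user=(?P<user>\S+)$"
)

# Assumed locations of configuration files worth watching (placeholder values).
CONFIG_PREFIXES = ("/etc/sdwan/", "/opt/sdwan/conf/")

# Constructed sample log: one quick delete/restore of a config file that was
# modified minutes earlier, one slow delete/create hours apart, one delete
# outside the watched prefixes, and one malformed line that must be skipped.
SAMPLE_LOG = [
    "2026-06-24T09:01:10Z vmanage1 audit: modify /etc/sdwan/policy.conf user=svc_backup",
    "2026-06-24T09:05:42Z vmanage1 audit: delete /etc/sdwan/policy.conf user=svc_backup",
    "2026-06-24T09:06:03Z vmanage1 audit: restore /etc/sdwan/policy.conf user=svc_backup",
    "2026-06-24T10:00:00Z vmanage1 audit: delete /tmp/scratch.log user=admin",
    "2026-06-24T11:30:00Z vmanage1 audit: delete /etc/sdwan/users.conf user=admin",
    "garbage line that does not parse",
    "2026-06-24T13:45:00Z vmanage1 audit: create /etc/sdwan/users.conf user=admin",
]


def parse_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # fromisoformat on older Pythons rejects a trailing 'Z'; normalise it.
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def is_config_path(path):
    """True when the path sits under one of the watched config prefixes."""
    return path.startswith(CONFIG_PREFIXES)


def find_delete_restore(lines, window_seconds=1800):
    """Return findings for config files deleted and then re-created/restored
    within `window_seconds`. Each finding records the gap, the acting user and
    the most recent modify event seen before the delete (None if there was none)."""
    pending_delete = {}  # path -> delete event awaiting a matching restore
    last_modify = {}     # path -> most recent modify event
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_config_path(ev["path"]):
            continue
        path, action = ev["path"], ev["action"]
        if action == "modify":
            last_modify[path] = ev
        elif action == "delete":
            pending_delete[path] = ev
        elif action in ("create", "restore"):
            deleted = pending_delete.pop(path, None)
            if deleted is None:
                continue
            gap = (ev["ts"] - deleted["ts"]).total_seconds()
            if gap > window_seconds:
                continue
            modified = last_modify.get(path)
            findings.append({
                "path": path,
                "host": ev["host"],
                "user": ev["user"],
                "deleted_at": deleted["ts"],
                "restored_at": ev["ts"],
                "gap_seconds": gap,
                "modified_before_delete": modified["ts"] if modified else None,
            })
    return findings


def main():
    for f in find_delete_restore(SAMPLE_LOG):
        print(f"{f['host']} {f['path']}: deleted {f['deleted_at'].isoformat()}, "
              f"restored {f['gap_seconds']:.0f}s later by {f['user']}; "
              f"last modify before delete: {f['modified_before_delete']}")


if __name__ == "__main__":
    main()
```

With the default 30-minute window only the policy.conf sequence is reported; widening the window to a few hours also surfaces the users.conf delete/create pair, so tune the window to how quickly a legitimate restore normally follows a delete in your environment. A hit on its own is not proof of compromise, but combined with the restore being performed by an unexpected account, or with a modify event shortly before the delete, it is exactly the kind of artifact the advisory says to preserve before remediation.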

June 24, 2026 · 2 min · Nova