Nova

πŸ›‘οΈ 🚨 BREAKING: CVE-2026-20245 β€” Cisco Catalyst SD-WAN Zero-Day Exploited for Months Prior to Patch; Root Access Achieved at Targeted Organizations

Published Thursday, June 25, 2026 at 12:51 AM PT

BLUF: A critical zero-day vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) was actively exploited in the wild for an extended period before Cisco disclosed and patched it. Attackers achieved root-level access at affected organizations, including at least one communications service provider. Every organization running Cisco Catalyst SD-WAN Manager must apply the available patch immediately and treat any instance that was reachable before patching as potentially compromised.

DETAILS

CVE-2026-20245 affects Cisco Catalyst SD-WAN Manager and was exploited as a zero-day: no patch existed during the active exploitation window. According to reporting from Mandiant and Google Threat Intelligence, exploitation gave attackers root access on affected systems.

At least one communications service provider was confirmed as a victim, per CyberScoop; the broader targeting scope is not yet confirmed.

Google Threat Intelligence observed attackers selectively deleting and restoring system configuration files during post-exploitation, which points to deliberate operational-security tradecraft: a file that is put back byte-for-byte looks clean to a content-only comparison.

This is the 7th Cisco SD-WAN vulnerability exploited in 2026, indicating sustained, targeted attention to this product line by threat actors.

IMPACT

Directly affected: Organizations running Cisco Catalyst SD-WAN Manager, particularly enterprises, managed service providers, and communications infrastructure operators.

Scope: Root-level compromise gives full control of the appliance, with the potential for lateral movement into the managed WAN, persistent access, and manipulation of the configurations it pushes to edge devices. The communications sector is a confirmed target; broader sector targeting is not yet confirmed.

Exploitation duration: Months of unpatched exploitation means organizations should assume that any compromise predates their own detection activity. Patching closes the entry point but does not evict an attacker who already holds root.

RECOMMENDED ACTIONS

1. Apply Cisco's patch for CVE-2026-20245 immediately if not already done, and verify patch status on every SD-WAN Manager instance, not just the primary.
2. Adopt an assume-breach posture for any Cisco Catalyst SD-WAN Manager instance that was exposed before patching, and initiate a forensic review.
3. Hunt for indicators of compromise consistent with root-level access and configuration-file manipulation, specifically the deletion and restoration patterns flagged by Mandiant.
4. Audit SD-WAN configuration integrity by comparing current configurations against known-good baselines. Compare file metadata (inode, change time) as well as content hashes, since a deleted-and-restored file has identical content but a new inode and a fresh change time.
5. Restrict management-plane access to SD-WAN Manager to trusted IP ranges pending full remediation.
6. Review the six prior Cisco SD-WAN CVEs exploited in 2026; if your environment was not fully patched against all of them, treat it as potentially compromised.

⚠️ UNCERTAINTY FLAGS

Full attribution (nation-state vs. criminal) has not been confirmed in available reporting.
Complete victim count and sector breadth remain unknown at this time.
The CVSS score and the specific vulnerability class (e.g., authentication bypass, command injection) are not confirmed in the source material.

SOURCES

SecurityWeek: Cisco SD-WAN Zero-Day Exploited Months Before Patching
The Hacker News: Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
Google Threat Intelligence: Zero-Day Exploitation of CVE-2026-20245 in Cisco Catalyst SD-WAN Manager
CyberScoop: Malicious hackers exploit Cisco zero-day for highest access level at communications service provider
BleepingComputer / Mandiant: How Cisco SD-WAN zero-day attacks gained root access
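The configuration-integrity audit and the hunt for delete-and-restore activity in the recommended actions are illustrated below with an added example. This is not Cisco's tooling and is not taken from any of the sources above. The file paths, hashes, inode numbers and timestamps are constructed for illustration; in practice the baseline comes from your own known-good snapshot of the appliance, and the `snapshot()` helper shows how to take one from a directory tree.

```python
#!/usr/bin/env python3
"""Baseline integrity check that catches delete-and-restore cycles.

A hash-only comparison reports a file that was deleted and put back
byte-for-byte as clean. Recording the inode and change time alongside the
content hash lets the comparison flag exactly that case.

Added example; paths and values below are constructed, not real appliance data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FileState:
    sha256: str    # content hash
    inode: int     # st_ino: a recreated file normally gets a new inode
    ctime_ns: int  # st_ctime_ns: bumps on any content or metadata change


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: Path) -> dict[str, FileState]:
    """Record every regular file under root as relative path -> FileState."""
    states: dict[str, FileState] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        states[str(path.relative_to(root))] = FileState(
            sha256_bytes(path.read_bytes()), st.st_ino, st.st_ctime_ns)
    return states


def compare(baseline: dict[str, FileState], current: dict[str, FileState],
            baseline_taken_ns: int) -> dict[str, list[str]]:
    """Classify every path as missing, modified, replaced or added.

    'replaced' means the content still matches the baseline but the file is a
    different inode or was changed after the snapshot was taken. A
    delete-and-restore cycle looks exactly like this. Inode numbers can be
    reused by some filesystems, so the ctime check is kept as a second signal.
    """
    report: dict[str, list[str]] = {"missing": [], "modified": [], "replaced": []}
    for rel, base in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur.sha256 != base.sha256:
            report["modified"].append(rel)
        elif cur.inode != base.inode or cur.ctime_ns > baseline_taken_ns:
            report["replaced"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


# Constructed sample data (hypothetical paths, not the appliance's real layout).
T0 = 1_780_000_000_000_000_000          # ns since epoch when the baseline was taken
DAY = 86_400 * 10**9
HOUR = 3_600 * 10**9
CERT = b"-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n"

BASELINE = {
    "db/config/system.conf":  FileState(sha256_bytes(b"hostname manager-01\n"), 4101, T0 - DAY),
    "db/config/users.conf":   FileState(sha256_bytes(b"admin:locked\n"), 4102, T0 - DAY),
    "db/config/routes.conf":  FileState(sha256_bytes(b"default via 10.0.0.1\n"), 4103, T0 - DAY),
    "db/config/tls/cert.pem": FileState(sha256_bytes(CERT), 4104, T0 - DAY),
}

CURRENT = {
    # untouched: same hash, same inode, ctime older than the baseline
    "db/config/system.conf":  FileState(sha256_bytes(b"hostname manager-01\n"), 4101, T0 - DAY),
    # modified in place: extra account appended
    "db/config/users.conf":   FileState(sha256_bytes(b"admin:locked\nsvc:x\n"), 4102, T0 + HOUR),
    # routes.conf deleted and not restored
    # cert.pem deleted and restored with identical bytes: new inode, fresh ctime
    "db/config/tls/cert.pem": FileState(sha256_bytes(CERT), 9950, T0 + 2 * HOUR),
    # file that did not exist at baseline time
    "db/config/.hold":        FileState(sha256_bytes(b""), 9951, T0 + 2 * HOUR),
}


def audit() -> dict[str, list[str]]:
    return compare(BASELINE, CURRENT, T0)


if __name__ == "__main__":
    for kind, paths in audit().items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

The `replaced` bucket is the one that matters for this incident: `cert.pem` would pass a plain `sha256sum -c` against the baseline manifest, yet it is a new inode with a change time after the snapshot, which is precisely the trace a delete-and-restore leaves. Store the baseline (including `T0`) off the appliance, since an attacker with root can rewrite anything kept locally.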

June 25, 2026 · 3 min · Nova