Cisco SD-WAN Zero-Day Exploited Months Before Patch Release


A cybersecurity research team has uncovered the use of a Cisco SD-WAN vulnerability that was exploited as a zero-day months before its public disclosure.

Vulnerability Details

The flaw, designated CVE-2026-20245, affects the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager and allows an authenticated, local attacker to execute arbitrary commands with root privileges by way of crafted files.

CVE-2026-20245 Overview

This marks the seventh SD-WAN-related vulnerability exploited in 2026. Cisco disclosed the issue in early June, with patches issued approximately one week later.

Attack Timeline

Investigations by the team began in early 2026 after detecting an unknown threat actor targeting SD-WAN infrastructure at a service provider. The attacker gained initial access to an SD-WAN Manager instance via SSH in March 2026 and leveraged CVE-2026-20245 to escalate privileges to root.

March 2026 Attack Details

The same organization’s SD-WAN Manager systems had previously been targeted, potentially by the same or another group, through exploitation of other undisclosed vulnerabilities, including CVE-2026-20127 and CVE-2026-20182, which were also zero-days at the time.

Exploitation Strategy

During the March attack, the attackers accessed the SD-WAN Manager over SSH using the ‘vmanage-admin’ account and changed the password of the default admin account. Before ending the session they restored the original password, most likely so that administrators monitoring the device would not notice the change.
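The set-then-revert password pattern described above leaves a recognizable trace in host logs: two password changes for the same privileged account within a short window, during a session opened by a different account. The following detection routine is an added example, not part of the original report or of any Cisco tooling; the syslog-style lines, hostname and addresses are constructed, and the log format is assumed rather than actual SD-WAN Manager output.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style sample (assumed format, not real SD-WAN Manager output):
# SSH login as vmanage-admin, two password changes for "admin" about 25 minutes
# apart (set, then reverted), session close, then a benign self-service change.
SAMPLE_LOG = """\
2026-03-12T02:14:07Z sdwan-mgr sshd[4121]: Accepted password for vmanage-admin from 203.0.113.45 port 51022 ssh2
2026-03-12T02:16:33Z sdwan-mgr passwd[4188]: pam_unix(passwd:chauthtok): password changed for admin
2026-03-12T02:41:09Z sdwan-mgr passwd[4302]: pam_unix(passwd:chauthtok): password changed for admin
2026-03-12T02:42:51Z sdwan-mgr sshd[4121]: pam_unix(sshd:session): session closed for user vmanage-admin
2026-03-12T09:00:02Z sdwan-mgr sshd[5010]: Accepted publickey for netops from 10.0.0.8 port 40010 ssh2
2026-03-12T09:05:44Z sdwan-mgr passwd[5077]: pam_unix(passwd:chauthtok): password changed for netops
"""

LOGIN_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
PASSWD_RE = re.compile(r"^(\S+) \S+ passwd\[\d+\]: .*password changed for (\S+)$")


def _ts(stamp):
    # RFC 3339 timestamp with a trailing Z; normalise for fromisoformat on older Pythons.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_events(text):
    """Reduce raw lines to ("login", ts, user, src_ip) and ("passwd", ts, account, None)."""
    events = []
    for line in text.splitlines():
        if m := LOGIN_RE.match(line):
            events.append(("login", _ts(m[1]), m[2], m[3]))
        elif m := PASSWD_RE.match(line):
            events.append(("passwd", _ts(m[1]), m[2], None))
    return events


def detect_password_flips(text, account="admin", window=timedelta(hours=1)):
    """Alert when `account` has its password changed twice within `window`.

    Each alert records both change times and the most recent SSH login seen
    before the second change, which exposes a change made from another
    account's session (here vmanage-admin acting on admin).
    """
    alerts, last_login, previous = [], None, None
    for kind, ts, user, src in parse_events(text):
        if kind == "login":
            last_login = (user, src)
        elif kind == "passwd" and user == account:
            if previous is not None and ts - previous <= window:
                alerts.append({"account": account, "first": previous,
                               "second": ts, "via_login": last_login})
            previous = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_password_flips(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the two `admin` changes 24 minutes apart raise one alert attributed to the `vmanage-admin` session, while the later self-service change by `netops` raises none.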

The research team emphasized that this campaign exemplifies the “living off the edge” strategy, where adversaries target network appliances to bypass conventional security defenses.

Additional Vulnerabilities

Separately, a cybersecurity firm reported observing attacks leveraging CVE-2026-20230, a Cisco Unified CM vulnerability addressed in early June. However, Cisco has not confirmed active exploitation of this flaw as of June 24.

Conclusion and Recommendations

The incident highlights the urgency of proactive vulnerability management and the risks associated with zero-day exploits in critical infrastructure. Organizations are advised to apply patches promptly and monitor for signs of unauthorized access to SD-WAN systems.
