Google’s Mandiant team has revealed that a Cisco Catalyst SD-WAN vulnerability was exploited as a zero-day months before Cisco disclosed and patched it. Tracked as CVE-2026-20245, it’s the seventh Cisco SD-WAN flaw to be exploited in the wild this year.
The vulnerability affects the CLI of Cisco Catalyst SD-WAN Manager. An authenticated local attacker can execute arbitrary commands with root privileges using specially crafted files. Cisco disclosed it in early June and released patches about a week later.
Mandiant’s investigation began after spotting an unidentified threat actor targeting SD-WAN infrastructure at a service provider. The attacker first gained access via SSH in March 2026 using the default ‘vmanage-admin’ account, changed the admin password to lock out legitimate administrators, and then changed it back before disconnecting to avoid detection.
Once they had admin access, the attacker exploited CVE-2026-20245 to escalate to root. They then deleted all files created during the attack, restored altered configurations, and ran a cleanup script to erase evidence.
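The sequence above (login on the default ‘vmanage-admin’ account, a password change on the admin account, and a second change on the same account before logout) is something a defender can look for in authentication and audit logs. The following is an added detection example, not code from the article or from Mandiant or Cisco; the log line format, the session identifiers and the two-hour revert window are constructed assumptions and do not reflect Cisco SD-WAN Manager’s real log schema, so the parser would need to be adapted to whatever your vManage or syslog pipeline actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format.
# Session 42 mirrors the pattern described in the article; session 43 is
# a routine password change by a named operator and should not fire.
SAMPLE_LOG = """\
2026-03-12T02:14:03Z sshd session=42 user=vmanage-admin src=203.0.113.7 event=login
2026-03-12T02:14:40Z vmanage session=42 user=vmanage-admin event=password_change target=admin
2026-03-12T02:41:12Z vmanage session=42 user=vmanage-admin event=password_change target=admin
2026-03-12T02:41:30Z sshd session=42 user=vmanage-admin src=203.0.113.7 event=logout
2026-03-12T09:00:00Z sshd session=43 user=netops src=10.0.0.5 event=login
2026-03-12T09:05:00Z vmanage session=43 user=netops event=password_change target=admin
2026-03-12T09:30:00Z sshd session=43 user=netops src=10.0.0.5 event=logout
"""

# Accounts that ship with the appliance and should not be used interactively
# once deployment is complete (assumption: list these per your environment).
DEFAULT_ACCOUNTS = {"vmanage-admin"}

# Two password changes on the same target account within this window and the
# same session are treated as a change-then-revert (assumed threshold).
REVERT_WINDOW = timedelta(hours=2)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["proc"] = m.group("proc")
    return fields


def analyze(log_text):
    """Return a list of (finding, session_id, subject) tuples worth triage."""
    findings = []
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and "session" in ev:
            sessions[ev["session"]].append(ev)

    for sid, events in sessions.items():
        events.sort(key=lambda e: e["ts"])

        # Finding 1: interactive login on a default/built-in account.
        logins = [e for e in events if e.get("event") == "login"]
        user = logins[0]["user"] if logins else events[0].get("user")
        if user in DEFAULT_ACCOUNTS:
            findings.append(("default_account_login", sid, user))

        # Finding 2: the same target account's password changed twice in one
        # session within REVERT_WINDOW, i.e. lock out then quietly restore.
        by_target = defaultdict(list)
        for e in events:
            if e.get("event") == "password_change":
                by_target[e["target"]].append(e)
        for target, changes in by_target.items():
            for first, second in zip(changes, changes[1:]):
                if second["ts"] - first["ts"] <= REVERT_WINDOW:
                    findings.append(("password_change_reverted_in_session", sid, target))
                    break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Both findings here are heuristics rather than proof of compromise: a legitimate operator might log in on a built-in account during initial deployment, and a double password change can be a typo corrected minutes later. Their value comes from correlating them with other signals the article mentions, such as the default account being used at all after provisioning, file deletions and configuration reverts in the same session, and execution of cleanup scripts, and from alerting on default-account logins regardless of outcome.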
Mandiant called the campaign an example of the “living off the edge” paradigm, where attackers target network appliances to bypass traditional security perimeters. As software-defined networking grows, the orchestrators managing these environments become prime targets.
The same victim’s systems were previously targeted through other zero-day vulnerabilities — CVE-2026-20127 and CVE-2026-20182 — which were also exploited before disclosure.
