What happened
Attackers were actively exploiting a critical vulnerability in Cisco Catalyst SD-WAN technology nearly two months before it was publicly disclosed, according to new findings from Google’s Mandiant threat intelligence team.
The vulnerability, tracked as CVE-2026-20245, is a privilege escalation flaw that allows an attacker with administrator-level access to gain root privileges on affected Cisco Catalyst SD-WAN Controller systems. Cisco disclosed the issue in early June and released final patches on June 12.
Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan uncovered the vulnerability while investigating attacks targeting a service provider’s SD-WAN infrastructure. Their analysis showed that threat actors had been exploiting the flaw as early as March 2026.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog and directed federal agencies to address the issue by June 23 or discontinue use of affected systems.
Who is affected
Organizations running vulnerable versions of Cisco Catalyst SD-WAN Controller are at risk.
According to Mandiant, attackers first gained access through unauthorized or “rogue” peering connections to SD-WAN Manager devices. In some cases, they likely exploited previously disclosed authentication bypass vulnerabilities, CVE-2026-20127 and CVE-2026-20182. In later attacks, stolen credentials may have been used to establish unauthorized connections before the privilege escalation flaw was leveraged.
Once authenticated with administrator-level access, attackers could exploit the flaw to execute arbitrary commands with root privileges, giving them extensive control over the targeted environment.
Why CISOs should care
The attacks highlight a growing trend in which threat actors focus on Internet-facing network infrastructure rather than traditional endpoints.
SD-WAN controllers often serve as central management platforms for enterprise networks. A successful compromise can provide attackers with broad visibility and access across an organization’s environment.
Mandiant also observed extensive anti-forensic activity. Attackers deleted malicious files, reverted configuration changes, and ran validation scripts designed to remove evidence of their presence. These actions can make detection and investigation significantly more difficult.
The incident serves as another reminder that network management systems remain attractive targets because they can offer both persistence and privileged access while generating limited forensic visibility.
3 practical actions
- Immediately apply Cisco’s security updates for CVE-2026-20245 and related SD-WAN vulnerabilities.
- Review SD-WAN peering relationships, administrative accounts, and credential security to identify unauthorized access paths.
- Enable recommended logging, follow Cisco’s SD-WAN hardening guidance, and scan environments for indicators of compromise.