Google’s Mandiant team has detailed the exploitation of a Cisco Catalyst SD-WAN vulnerability that was exploited as a zero-day months prior to its disclosure.
The vulnerability, tracked as CVE-2026-20245, is the 7th Cisco SD-WAN product flaw whose exploitation came to light in 2026.
CVE-2026-20245 affects the CLI of Cisco Catalyst SD-WAN Manager and allows an authenticated local attacker to execute arbitrary commands with root privileges using specially crafted files.
The security hole was disclosed by Cisco in early June, and patches were released roughly one week later.
Mandiant’s investigation began in early 2026 after observing an unidentified threat actor targeting SD-WAN infrastructure at a service provider.
The attacker established initial access to an SD-WAN Manager instance via SSH in March 2026. They then exploited CVE-2026-20245 to escalate privileges to root.
According to Mandiant, the same victim’s SD-WAN Manager systems were previously targeted — either by the same or a different threat actor — possibly through the exploitation of other vulnerabilities, CVE-2026-20127 or CVE-2026-20182, which at the time were also zero-days.
In the March attack, the hackers authenticated to the SD-WAN Manager instance via SSH using the ‘vmanage-admin’ account and then used that access to change the default admin account’s password.
“The threat actor subsequently used their active vmanage-admin session to change the password of the admin account back to its original state before terminating their active session. This activity was likely performed to reduce the probability of detection by an administrator trying to log into the device during day-to-day operations,” Mandiant explained.
It added, “The vmanage-admin and admin accounts are default accounts on Cisco Catalyst SD-WAN controllers that have different privileges, but neither possesses root shell access.”
Once they had admin privileges to the targeted system, the attacker exploited CVE-2026-20245 to escalate privileges and achieve full root-level access.
In an effort to evade detection, the threat actor deleted all files created during the attack, restored altered system configurations, and ran a script to ensure no evidence remained.
“This campaign underscores the living off the edge paradigm, where threat actors prioritize the compromise of network appliances to bypass traditional security perimeters. As organizations increasingly adopt software-defined networking, the orchestrators managing these environments become primary targets.” Mandiant said.
Additional technical details and IoCs are available in Mandiant’s blog post.
Separately, a cybersecurity firm has reported seeing attacks exploiting CVE-2026-20230, a Cisco Unified CM vulnerability patched in early June. However, Cisco told SecurityWeek that it cannot confirm in-the-wild exploitation as of June 24.
Related: Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026
Related: Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs
Related: FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances
