A zero-day vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20245, has been exploited by an unknown threat actor to gain root access. The flaw, identified by Mandiant, allows an authenticated attacker to execute commands through insufficiently validated user input, raising serious security concerns for affected systems.
CVE-2026-20245 is a high-severity vulnerability in Cisco Catalyst SD-WAN. Because user input is insufficiently validated, a local, authenticated attacker can execute arbitrary commands by submitting crafted files. The flaw carries a CVSS score of 7.8, reflecting its potential impact.
According to Mandiant, the vulnerability was exploited by a threat actor at least two months before public disclosure. Successful exploitation requires netadmin privileges; the attacker gained root access after changing the default admin credentials and uploading a malicious CSV file named 'evil_tenant.csv'.
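The exploitation chain above (a privileged account changes credentials, then uploads a CSV) is the kind of short event sequence a defender can correlate in audit logs. The following is an added example, not code from the page, Mandiant or Cisco: it parses a constructed, simplified audit-log format (timestamp, `user`, `role`, `action`, extra key=value fields, all hypothetical names; real SD-WAN Manager logs differ) and flags any CSV upload by a netadmin-role account that follows a password change by the same account within a configurable window.

```python
"""Correlate privileged credential changes with subsequent CSV uploads.

Added example. The audit-line format below is constructed for illustration;
field names (user, role, action, filename) are assumptions, not Cisco's schema.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log: one netadmin changes a password and uploads a CSV
# within minutes; an operator does the same but is not privileged; a second
# netadmin does both but hours apart.
SAMPLE_LOG = """\
2026-03-02T09:12:01Z user=admin role=netadmin action=login src=10.0.0.5
2026-03-02T09:13:40Z user=admin role=netadmin action=password_change target=admin
2026-03-02T09:15:02Z user=admin role=netadmin action=file_upload filename=evil_tenant.csv
2026-03-02T11:00:00Z user=ops role=operator action=password_change target=ops
2026-03-02T11:05:00Z user=ops role=operator action=file_upload filename=sites.csv
2026-03-03T08:00:00Z user=neteng role=netadmin action=password_change target=neteng
2026-03-03T14:30:00Z user=neteng role=netadmin action=file_upload filename=tenants.csv
"""


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse '<ISO timestamp> key=value ...' into an Event."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return Event(
        ts=ts,
        user=kv.pop("user", "?"),
        role=kv.pop("role", "?"),
        action=kv.pop("action", "?"),
        fields=kv,
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_suspicious_sequences(events, window_seconds=1800, privileged=("netadmin",)):
    """Return (user, filename, seconds_since_password_change) for every CSV
    upload by a privileged account that follows that account's own password
    change within `window_seconds`. Events are sorted first so out-of-order
    log lines do not break the correlation."""
    last_change = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.role not in privileged:
            continue  # the code path needs netadmin rights; skip the rest
        if ev.action == "password_change":
            last_change[ev.user] = ev.ts
        elif ev.action == "file_upload":
            name = ev.fields.get("filename", "")
            changed_at = last_change.get(ev.user)
            if name.lower().endswith(".csv") and changed_at is not None:
                delta = int((ev.ts - changed_at).total_seconds())
                if delta <= window_seconds:
                    hits.append((ev.user, name, delta))
    return hits


if __name__ == "__main__":
    for user, name, delta in find_suspicious_sequences(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {user} uploaded {name} {delta}s after changing a password")
```

With the default 30-minute window only the first sequence is reported; the operator account is excluded by role, and the second netadmin's upload falls outside the window. Widening the window trades noise for recall, so tune it against normal administrative cadence before deploying such a rule.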
Two distinct waves of unauthorized activity have been identified: one between late 2025 and January 2026, and another in March 2026. The first wave involved unauthorized peering connections that exploited other vulnerabilities; the second targeted a device that had already been patched against some of those exploits, suggesting advanced tactics by the threat actor.
The persistence and sophistication of the attacks highlight the vulnerabilities within Cisco Catalyst SD-WAN systems, particularly the risks surrounding privileged access control. The attacker's use of anti-forensic techniques suggests a pressing need for tighter controls on how admin privileges are managed.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.