Covered by 1 source · 1 report · High impact

Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited for Root Access

Aggregated by BrevFeed security · updated 4d ago

A zero-day vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20245, has been exploited by an unknown threat actor to gain root access. The flaw, identified by Mandiant, allows an authenticated attacker to execute commands by manipulating user input, raising serious security concerns for affected systems.

Key points

Overview of the Vulnerability

CVE-2026-20245 is a high-severity vulnerability affecting Cisco Catalyst SD-WAN. Because user input is insufficiently validated, a local, authenticated attacker can execute arbitrary commands by submitting crafted files. The flaw carries a CVSS score of 7.8.

Exploitation and Attack Process

According to Mandiant, a threat actor exploited the vulnerability at least two months before public disclosure. Successful exploitation requires netadmin privileges; the attacker gained root access after changing the default admin credentials and uploading a malicious CSV file named 'evil_tenant.csv'.

Attack Timeline and Methods

Two distinct waves of unauthorized activity have been identified: one between late 2025 and January 2026, and another in March 2026. The first wave involved unauthorized peering connections that exploited other vulnerabilities; the second targeted a device that had already been patched against some of those exploits, suggesting advanced tactics on the part of the threat actor.

Security Implications

The persistence and sophistication of the attacks highlight weaknesses in Cisco Catalyst SD-WAN deployments, particularly the risks associated with privileged access control. The attacker's use of anti-forensic techniques points to a pressing need for stronger controls over how admin privileges are managed and monitored.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.
