
Cisco SD-WAN Zero-Day Exploited in Targeted Attacks

CVE-2026-20245 — an unpatched, high-severity zero-day in Cisco Catalyst SD-WAN Manager — is being actively exploited to gain root privileges, Cisco warned on Thursday.

CVE-2026-20245: how the flaw works and who it affects

Cisco says the vulnerability stems from "insufficient validation of user-supplied input" and "can allow local attackers with low privileges to execute arbitrary commands as root." The affected product, formerly known as SD‑WAN vManage, is a network management platform that "helps admins monitor and manage up to 6,000 Catalyst SD‑WAN devices from a single dashboard." According to Cisco, the zero-day impacts all deployment types: On‑Prem Deployment, Cisco SD‑WAN Cloud‑Pro, Cisco SD‑WAN Cloud (Cisco Managed), and Cisco SD‑WAN for Government (FedRAMP).

Exploit chain and prerequisites: why this is not a pure remote zero-day

Cisco notes a specific exploitation requirement: "To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE‑2026‑20182 or CVE‑2026‑20127." In plain terms, the active attacks observed so far have involved a local or authenticated foothold followed by the crafted upload that triggers command injection and root privilege escalation. Cisco also said it is "not aware of successful exploitation by other methods."

Mandiant, logs, and observed activity

Cisco's Product Security Incident Response Team (PSIRT) said it became aware of exploitation in June after Google Cloud cybersecurity subsidiary Mandiant reported the flaw. Mandiant supplied indicators of compromise (IOCs); based on them, administrators are warned to check the SD‑WAN /var/log/scripts.log file for attempts to upload tenant configuration data to vSmart controllers as part of the privilege escalation. Cisco reproduced the log pattern in its advisory; one example entry reads:

Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0

Cisco added that it has "observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices," a sign that successful exploitation can allow changes to device configuration beyond the controller itself.
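To make the scripts.log check concrete, here is an added Python example (not from Cisco's advisory or Mandiant's IOCs) that scans log lines for the tenant-list upload pattern quoted above and reports each attempt together with the uploaded file path; the sample log lines other than the one Cisco quoted are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in the format of Catalyst SD-WAN Manager /var/log/scripts.log.
# The first line reproduces the entry Cisco quoted in its advisory; the other
# two are made up here to exercise the parser and are not real log data.
SAMPLE_SCRIPTS_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 15 09:45:02 vmanage vScript: scheduled task completed
Apr 15 10:12:41 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenants.csv vpn 0
"""

# Matches the syslog prefix plus the tenant-list upload invocation; the
# "path" argument (the uploaded file) is captured for the triage report.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"Tenant list upload per vsmart serial number: "
    r"\S*vconfd_script_upload_tenant_list\.sh .*?path (?P<path>\S+)"
)


@dataclass(frozen=True)
class UploadEvent:
    timestamp: str
    host: str
    path: str


def find_tenant_list_uploads(lines: Iterable[str]) -> List[UploadEvent]:
    """Return every tenant-list upload attempt found in scripts.log lines.

    Cisco's advisory ties this log pattern to the CVE-2026-20245 privilege
    escalation, so each hit is an event an administrator should review
    against known, authorised tenant configuration changes.
    """
    events: List[UploadEvent] = []
    for line in lines:
        m = UPLOAD_RE.match(line.rstrip("\n"))
        if m:
            events.append(UploadEvent(m.group("ts"), m.group("host"), m.group("path")))
    return events


def scan_scripts_log(path: str = "/var/log/scripts.log") -> List[UploadEvent]:
    """Run the check against the real log file on a Manager host."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_tenant_list_uploads(fh)


if __name__ == "__main__":
    for ev in find_tenant_list_uploads(SAMPLE_SCRIPTS_LOG.splitlines()):
        print(f"{ev.timestamp} {ev.host}: tenant list upload from {ev.path} (review)")
```

Run scan_scripts_log() on the Manager itself, or point it at a copied log; any hit is a candidate for the TAC escalation path Cisco describes.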

Patch status, related CVEs, and Cisco's immediate guidance

At the time of the advisory, security patches for CVE‑2026‑20245 were not yet available. Cisco advised customers to open a case with the Cisco Technical Assistance Center (TAC) for help determining whether a Catalyst SD‑WAN Manager has been compromised and recommended that administrators first generate an admin‑tech file to assist with the review. Separately, Cisco urged customers to upgrade to the software release that fixed CVE‑2026‑20182 on May 14; that authentication‑bypass flaw had already been tagged as actively exploited as a zero‑day in the prior month.

The advisory sits on a string of recent SD‑WAN disclosures. Cisco patched an information disclosure flaw (CVE‑2026‑20133) in February that CISA later flagged as actively exploited in late April, and two weeks after that two more flaws (CVE‑2026‑20128 and CVE‑2026‑20122) were flagged as being abused. In March, Cisco addressed a critical authentication‑bypass vulnerability (CVE‑2026‑20127) that the company said "has been exploited in zero‑day attacks since at least 2023." Cumulatively, CISA has tagged 90 Cisco vulnerabilities as abused in the wild, including multiple issues in Catalyst SD‑WAN Manager.

What this means for enterprise security teams, procurement leaders, and regulators

  • Technologists and security teams: Expect to triage /var/log/scripts.log for the specific upload attempts highlighted by Mandiant, generate admin‑tech files if asked by Cisco TAC, and prioritize upgrades where fixes for related CVEs (notably CVE‑2026‑20182) are available.
  • Procurement and network operations leaders: This advisory underscores exposure across deployment models — on‑prem, managed cloud, and FedRAMP — so inventory and patching plans must account for all forms of Catalyst SD‑WAN Manager in use.
  • Policymakers and regulators: The advisory documents chained exploitation requiring prior authentication or credential compromise and reinforces the operational impact when controller compromises result in configuration pushes to edge devices.

Cisco's advisory leaves a clear, near‑term question: when will a patch for CVE‑2026‑20245 be released and broadly distributed? Until that patch arrives, the company has provided log‑based IOCs and an escalation path through TAC while urging customers to apply fixes for related, already‑patched authentication flaws. The record in this advisory — a zero‑day enabling command injection and root escalation that is already being used in the wild — makes timely detection and remediation the immediate imperative for anyone operating Catalyst SD‑WAN Manager.