"The vulnerability — CVE-2026-20245 — marks the seventh actively exploited zero-day in Cisco SD-WANs this year."
CVE-2026-20245 and Cisco’s disclosure
Cisco disclosed the new zero-day on Thursday after being alerted earlier this month to active exploitation. Mandiant first spotted the defect, and Cisco said a security patch is not yet available and that there are no workarounds to mitigate the issue in the meantime. In a statement, a company spokesperson said, “A patch for this vulnerability will be provided on a future date.” Cisco also declined to attribute the attacks to any specific group, did not describe the objectives of those attacks and did not say how many organizations have been impacted.
Technical details: validation error, command injection, and required privileges
According to Cisco, the defect is a validation error in Cisco Catalyst SD‑WAN Manager that “allows authenticated or local attackers to execute commands as root,” that is, a command injection on an affected system. Cisco emphasized that exploitation requires valid credentials or privileged access gained through other means, which may limit the scope of impact. The company noted it is “not aware of successful exploitation by other means,” and said it “observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”
Connection to earlier SD‑WAN zero‑days: CVE‑2026‑20182 and CVE‑2026‑20127
Cisco warned that exploitation of either of two zero‑days it disclosed earlier this year, CVE‑2026‑20182 or CVE‑2026‑20127, could give attackers the access required to exploit CVE‑2026‑20245. As part of its response to CVE‑2026‑20182, Cisco advised customers to upgrade to the fixed software released in May as a protective measure against chained exploitation paths.
How technologists and security teams, policymakers and regulators, and affected enterprises and procurement leaders are responding
- Technologists and security teams: Analysts in the field have underscored the dependence of this exploit on preexisting privileges. Landon Rice, senior exploit developer at VulnCheck, said the need for existing privileges “makes an attacker heavily reliant on previous vulnerabilities, or a net‑new initial access vector, in order to be able to reach the privilege escalation path.” Defenders are being pointed to Cisco’s indicators of compromise while remaining aware those same log entries “may occur during standard operations.”
- Policymakers and regulators: The Cybersecurity and Infrastructure Security Agency has already added seven vulnerabilities affecting Cisco SD‑WANs and firewalls to its known exploited vulnerabilities catalog this year; CVE‑2026‑20245 has not yet been added to that catalog.
- Affected enterprises and procurement leaders: Cisco encouraged customers that need help distinguishing between legitimate and malicious activity to contact Cisco Technical Assistance Centers. Enterprises that have not applied the May fixes for CVE‑2026‑20182 were explicitly advised to upgrade as a protective measure against chained attacks.
Signals for defenders and remaining operational levers
Cisco provided indicators of compromise to help customers detect potential abuse, but cautioned that the same log entries might appear during normal operation, complicating triage. With no patch or workaround currently available, the company’s immediate operational guidance is limited to detection help and contacting Cisco Technical Assistance Centers for support. Cisco also reported only “limited cases” of configuration changes propagated to edge devices from the exploitation it has observed so far.
Two hard facts stand out: this is the seventh actively exploited zero‑day in Cisco SD‑WANs reported this year, and there is no fix available yet for CVE‑2026‑20245. Cisco’s decision to flag the link to earlier CVEs and to recommend May’s fixes for CVE‑2026‑20182 frames the immediate defensive posture as one of patch‑hardening where possible and careful log analysis where not. Cisco has not attributed the activity, nor disclosed the scale of successful exploitation — questions enterprises and regulators will be watching as Cisco releases the promised patch.
Original reporting: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/