
Cisco Vulnerabilities Targeted in String of Exploits


“The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell under /platform-services/axis2-web/,” Defused wrote on LinkedIn.

Defused: CVE-2026-20230 exploit activity observed

Cisco disclosed and patched a server-side request forgery (SSRF) bug in Unified Communications Manager, tracked as CVE-2026-20230, in early June 2026. Cisco said the call-control platform “doesn’t properly validate some HTTP requests,” and that an attacker could exploit the flaw to gain root privileges on a compromised device. Cisco additionally acknowledged that a proof-of-concept exploit was available.

Threat-intel company Defused reported observing active exploitation of CVE-2026-20230 over the weekend following the patch. Defused’s LinkedIn post detailed a multi-stage chain that begins with the WebDialer SSRF, deploys a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, and then drops a second-stage command-execution shell under /platform-services/axis2-web/. Defused presented that as the deployment sequence it observed, not as a theoretical path.
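A defender reading Defused’s chain would want to see what the sequence looks like in a Unified Communications Manager web access log: one client touching the WebDialer entry point and then fetching JSP files under /platform-services/axis2-web/, a location where no JSP should normally be served. The following triage script is an added example, not code from Defused, Cisco or The Register. The log lines are constructed, the combined-log format and the /webdialer/ path prefix are assumptions made for illustration, and only the /platform-services/axis2-web/ drop location comes from the reported chain.

```python
"""Triage UCM web access logs for the chain Defused described: WebDialer SSRF
-> rogue Axis service -> JSP file-writer -> command shell under
/platform-services/axis2-web/. Added example; sample lines, the log format and
the /webdialer/ prefix are constructed assumptions, not vendor artifacts."""
import re
from collections import defaultdict

# Combined-log-format style line (Tomcat's access valve default is similar).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

# Drop location named in the reported chain: any JSP under it is suspect.
AXIS2_JSP = re.compile(r"^/platform-services/axis2-web/.*\.jsp$", re.I)
# ASSUMED prefix for the WebDialer servlet; adjust to the real path on your cluster.
WEBDIALER = re.compile(r"^/webdialer/", re.I)

# Constructed sample: one client walks the chain, one is ordinary admin traffic,
# one only probes for a JSP that is not there.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2026:02:11:05 +0000] "POST /webdialer/Webdialer HTTP/1.1" 200 512
203.0.113.7 - - [08/Jun/2026:02:11:41 +0000] "GET /platform-services/axis2-web/w.jsp HTTP/1.1" 200 87
203.0.113.7 - - [08/Jun/2026:02:12:03 +0000] "POST /platform-services/axis2-web/cmd.jsp?cmd=id HTTP/1.1" 200 140
198.51.100.4 - - [08/Jun/2026:02:15:00 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 4021
198.51.100.9 - - [08/Jun/2026:02:16:30 +0000] "GET /platform-services/axis2-web/x.jsp HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # compare on path, not query
    return entry


def classify(entry):
    """Return an indicator name for one request, or None if it is unremarkable."""
    path = entry["path"]
    if AXIS2_JSP.match(path):
        # A 200 means the dropped file is live; anything else is a probe.
        return "axis2web_jsp_live" if entry["status"] == "200" else "axis2web_jsp_probe"
    if WEBDIALER.match(path):
        # WebDialer traffic is legitimate on its own; it matters in sequence.
        return "webdialer_request"
    return None


def triage(lines):
    """Group indicators by client IP and flag clients that touched both the
    WebDialer entry point and the axis2-web drop location."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            hits[entry["ip"]].append((entry["ts"], tag, entry["path"]))
    report = {}
    for ip, events in hits.items():
        tags = {tag for _, tag, _ in events}
        chained = "webdialer_request" in tags and any(t.startswith("axis2web_jsp") for t in tags)
        report[ip] = {"events": events, "chain_suspected": chained}
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, "CHAIN SUSPECTED" if info["chain_suspected"] else "isolated", info["events"])
```

Any live JSP under /platform-services/axis2-web/ deserves a file-system check on the node regardless of sequence; the chain flag exists to separate a dropped shell from ordinary WebDialer use and from unsuccessful probing.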

Mandiant: CVE-2026-20245 was exploited earlier than disclosed, at a service provider

Google-owned Mandiant published an advisory describing a separate zero-day in Cisco Catalyst SD-WAN, tracked as CVE-2026-20245, and said exploitation began earlier than Cisco’s public advisory suggested. Mandiant warned the flaw was used to escalate privileges from an administrative account to full root-level access at a communications service provider.

“In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider,” Mandiant threat hunters Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan wrote. After gaining initial access, the attacker used CVE-2026-20245 to gain root. Mandiant said it could not assess the full scope of the intruders’ post-compromise activity.

How the SD‑WAN compromise unfolded, according to Mandiant

Mandiant’s report lays out a sequence of actions the intruder used to move from limited access to a persistent, privileged foothold. The attacker first gained initial access via an unauthorized peering connection, abusing the SD‑WAN fabric to authenticate between network components and to facilitate Secure Shell (SSH) access.

Using the vmanage-admin account on the affected devices, the intruder authenticated via SSH, then changed the default password on that admin account. The actor subsequently authenticated to the SD‑WAN Manager web application interface using an admin account and exfiltrated SD‑WAN fabric configurations. In a likely attempt to cover tracks, Mandiant said the attacker changed the admin account password back to its original value before ending the session.

Because the vmanage-admin and admin accounts do not themselves grant a root shell on Cisco Catalyst SD‑WAN controllers, the intruder exploited CVE-2026-20245 to escalate privileges. Mandiant reported that the attacker uploaded a file named evil_tenant.csv containing the crafted payload; upon execution, the intruder created a user account named troot with full root privileges and later switched into troot from the admin account with the su (substitute user) command.
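Each step Mandiant describes leaves something a controller owner can check for: a second uid-0 account alongside root, an su from the admin account into it, a CSV upload named like the reported payload, and a password on vmanage-admin that was changed and then changed again in the same window. The script below is an added example, not Mandiant’s tooling or Cisco’s; the /etc/passwd-style text and the syslog-style lines are constructed, and the exact message formats the controller emits are assumptions (the passwd and su lines follow standard Linux pam_unix and su wording, the upload line is invented for illustration).

```python
"""Checks for the SD-WAN Manager escalation sequence Mandiant described:
extra uid-0 account (troot), su from admin into it, the evil_tenant.csv upload,
and a vmanage-admin password change followed by a revert. Added example;
inputs are constructed and the log formats are assumptions."""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"
# Standard pam_unix wording for a password change.
PASSWD_RE = re.compile(r"^(?P<ts>\S+) .*passwd\[\d+\]: .*password changed for (?P<user>\S+)")
# Standard su wording: "(to <target>) <caller> on <tty>".
SU_RE = re.compile(r"^(?P<ts>\S+) .*su\[\d+\]: \(to (?P<to>\S+)\) (?P<from>\S+) on")
# ASSUMED application log line for a tenant-import upload.
UPLOAD_RE = re.compile(r"^(?P<ts>\S+) .*upload .*file=(?P<name>\S+\.csv)")

# Constructed /etc/passwd-style user database with the planted root-equivalent.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1001:1001::/home/vmanage-admin:/bin/sh
admin:x:1002:1002::/home/admin:/bin/sh
troot:x:0:0::/home/troot:/bin/bash
"""

# Constructed syslog-style lines in the order Mandiant laid out.
SAMPLE_LOG = """\
2026-06-07T02:10:11 vmanage sshd[2101]: Accepted password for vmanage-admin from 192.0.2.50 port 51022 ssh2
2026-06-07T02:10:40 vmanage passwd[2210]: pam_unix(passwd:chauthtok): password changed for vmanage-admin
2026-06-07T02:33:50 vmanage vmanage-server: tenant import upload file=evil_tenant.csv user=admin
2026-06-07T02:40:03 vmanage su[3120]: (to troot) admin on pts/0
2026-06-07T03:05:17 vmanage passwd[3301]: pam_unix(passwd:chauthtok): password changed for vmanage-admin
"""


def extra_root_accounts(passwd_text):
    """Usernames with uid 0 other than root; there should be none."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def scan_auth_log(lines, uid0_accounts, revert_window=timedelta(hours=12)):
    """Single pass over syslog-style lines returning (kind, detail) findings.
    Two password changes for one account inside revert_window is consistent
    with the change-then-revert behaviour Mandiant reported."""
    findings = []
    last_change = {}
    for line in lines:
        if m := PASSWD_RE.match(line):
            ts = datetime.strptime(m["ts"], TS_FMT)
            user = m["user"]
            prev = last_change.get(user)
            if prev is not None and ts - prev <= revert_window:
                findings.append(("password_changed_twice", f"{user} at {prev:%H:%M} and {ts:%H:%M}"))
            last_change[user] = ts
        elif m := SU_RE.match(line):
            if m["to"] in uid0_accounts:
                findings.append(("su_to_uid0", f"{m['from']} -> {m['to']}"))
        elif m := UPLOAD_RE.match(line):
            findings.append(("csv_upload", m["name"]))
    return findings


def review(passwd_text, log_lines):
    """Run both checks; returns the planted accounts and the log findings."""
    planted = extra_root_accounts(passwd_text)
    return {"uid0_accounts": planted, "findings": scan_auth_log(log_lines, set(planted))}


if __name__ == "__main__":
    result = review(SAMPLE_PASSWD, SAMPLE_LOG.splitlines())
    print("extra uid-0 accounts:", result["uid0_accounts"])
    for kind, detail in result["findings"]:
        print(kind, detail)
```

The su check is keyed to the planted uid-0 accounts rather than to root itself, so routine administrative su to root does not fire; a csv_upload finding is worth reviewing on its own because the file name is the only artefact of the escalation that Mandiant named.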

Why SD‑WAN zero‑days are described as a high-value target

Mandiant’s advisory underscores a strategic risk spelled out in the reporting: an SD‑WAN compromise “could have been dire, potentially giving the attacker total visibility across an entire corporation's internet traffic.” The report also notes this vulnerability was the sixth SD‑WAN issue under active attack since the start of the year, and the second zero‑day targeting Cisco SD‑WAN in two months — a cadence Mandiant links to the attractiveness of SD‑WAN to government-sponsored spies seeking long-term access.

What this means for technologists, communications service providers, and adversaries

  • Technologists and security teams: Defused’s observation that a proof-of-concept and an exploit chain are in active use means teams managing Unified Communications Manager should confirm patches for CVE-2026-20230 have been applied and monitor for the specific indicators Defused described.
  • Communications service providers and SD‑WAN operators: Mandiant’s finding of early exploitation at a service provider — including exfiltration of SD‑WAN fabric configurations and creation of a root-level account named troot — signals that service providers should treat SD‑WAN controller integrity and inter-component peering controls as urgent priorities.
  • Adversaries and state-sponsored actors: The practical example Mandiant documented — initial access via an unauthorized peering connection, credential manipulation of vmanage-admin and admin accounts, followed by a crafted-file escalation to root — demonstrates a repeatable escalation path if SD‑WAN components are reachable and administrative protections are weak.

Cisco issued advisories in early June for both CVE-2026-20230 and CVE-2026-20245; in its advisory for the SD‑WAN zero‑day Cisco stated, “In June 2026, the Cisco PSIRT became aware of exploitation of this vulnerability.” The Register reached out to Cisco about the observed exploitation and Mandiant’s investigation and did not receive a response at the time of reporting.

The immediate record here is concrete: a disclosed SSRF in Unified Communications Manager has a working proof-of-concept that observers say is in live use, and an SD‑WAN zero‑day tracked as CVE-2026-20245 was exploited earlier than disclosed, culminating in the creation of a root-level account at a service provider. The unanswered operational question is the breadth of devices affected and the extent of any follow-on activity after root was obtained, the very outcomes Mandiant says it could not fully assess.

Source: The Register — The hits keep on coming for Cisco vulnerabilities