
Google Warns of Cisco Vulnerability Exploited as Zero-Day Months Before Disclosure


"It is unclear if the same threat actor was responsible for the late 2025 to January 2026 and March 2026 rogue peering activity," Mandiant said.

CVE-2026-20245 and the Cisco Catalyst SD‑WAN products it affects

The vulnerability tracked as CVE-2026-20245 carries a CVSS score of 7.8 and originates from “insufficient validation of user-supplied input in the command-line interface (CLI)” of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart). The flaw affects several versions of Cisco Catalyst SD-WAN Manager and related products, including Cisco Catalyst SD-WAN Validator.

Cisco told users that affected versions are vulnerable regardless of deployment model — on-premises, Cloud-Pro, Cloud (Cisco Managed) and Government (FedRAMP). An authenticated, local attacker could exploit the weakness by uploading a crafted file to the system and thereby execute arbitrary commands as root.

Timeline reconstructed by Mandiant and Google Cloud

Mandiant, part of Google Cloud, published its findings on June 24. Cisco disclosed the zero-day on June 4 after observing “limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.” At the time of Cisco’s disclosure there was no patch; fixes began shipping on June 10 in Catalyst SD-WAN Manager updates.

Mandiant traced malicious activity tied to SD‑WAN infrastructure back to late 2025 and continuing through January 2026, when multiple unauthorized peering connections were observed at a service provider. Further unauthorized peering appeared on a device in March 2026. The firm’s timeline links different techniques and vulnerabilities across that window.

Techniques observed: unauthorized peering, credential theft, CSV upload

Mandiant identified several distinct abusive behaviors. From late 2025 to January 2026, attackers established unauthorized peering connections to SD‑WAN Manager devices — activity that could have involved either CVE-2026-20127 or CVE-2026-20182, two critical Cisco disclosures affecting the peering authentication mechanism. Both of those vulnerabilities can allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges.

In March 2026, Mandiant found additional unauthorized peering against a device running software not vulnerable to CVE-2026-20127. Cisco confirmed those connections did not exploit CVE-2026-20182 either, and said they “could instead be using stolen certificate material from a previous compromise of the same device.”

The researchers say the initial peering-based access was used to facilitate Secure Shell (SSH) access, after which actors manipulated default account passwords to evade detection. Separately, a threat actor exploited CVE-2026-20245 — via a malicious CSV upload — to gain root access. That actor then deleted malicious files, reverted configuration changes, and executed a validation script to ensure indicators had been purged.

Living‑off‑the‑edge paradigm and forensic blind spots

Google summed up the campaign as illustrative of a larger trend: it “underscores the living-off-the-edge paradigm, where threat actors prioritize the compromise of network appliances to bypass traditional security perimeters.”

Mandiant expanded on that concern, noting that orchestrators managing edge devices and software‑defined networking appliances “often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide‑scale access to internal enterprise traffic.” The report adds a strategic angle: “For state‑sponsored actors, the ability to exploit zero‑day vulnerabilities in these platforms remains a premier vector for long‑term strategic intelligence collection.”

What this means for service providers, security teams, and policymakers

  • Service providers: the campaign targeted SD‑WAN infrastructure at a service provider, demonstrating that provider-managed orchestration points can be used for persistent access and lateral movement. Providers will need to track whether devices were exposed to unauthorized peering and whether stolen certificate material is present.
  • Security teams and technologists: Mandiant’s account highlights two operational problems — exploitation of vulnerabilities before public disclosure and limited telemetry on edge orchestrators. Matei Badanoiu of Pentest-Tools.com noted that “the window has been open for at least two months before the patch and advisory,” meaning defenders may be blind to active exploitation for weeks to months.
  • Policymakers and risk managers: Google and Mandiant emphasize that exploits of SD‑WAN control planes are attractive for long‑term collection and covert access. Where critical control-plane products are centrally managed across enterprises and governments, the implications extend beyond individual systems to systemic exposure of internal traffic flows.
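As an added illustration of the tracking the bullets above call for (example code, not from the article, Mandiant or Cisco): a small Python checker that flags control-plane peering events coming from peers outside an allowlist, and events in which the peer presents certificate material issued before a post-compromise certificate rotation, the pattern Cisco described as consistent with reuse of stolen certificates. The log line format, field names, peer identifiers, certificate serials and rotation date are all constructed for this example and do not reflect any real Cisco Catalyst SD-WAN log schema.

```python
"""Flag suspicious control-plane peering events on an SD-WAN orchestrator.

Added example. The log format, field names and every sample value below are
constructed for illustration and are not a real Cisco Catalyst SD-WAN schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PeeringEvent:
    ts: datetime               # when the peering session was established
    peer_id: str               # identity the peer presented (hypothetical field)
    cert_serial: str           # serial of the certificate the peer used
    cert_not_before: datetime  # issuance time of that certificate


# Constructed inventory: peers legitimately allowed to peer with the Manager.
AUTHORIZED_PEERS = {"validator-01", "controller-01", "controller-02"}

# Constructed: certificate material was rotated on this date after a prior
# compromise; only serials issued in that rotation are still trusted.
ROTATION_DATE = datetime(2026, 2, 15, tzinfo=timezone.utc)
TRUSTED_SERIALS = {"5A01", "5A02", "5A03"}


def parse_event(line):
    """Parse one constructed log line of the form
       <ISO8601 ts> peer=<id> serial=<hex> not_before=<ISO8601>
    Returns a PeeringEvent, or None for lines that do not match."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return PeeringEvent(ts, fields["peer"], fields["serial"],
                            datetime.fromisoformat(fields["not_before"]))
    except (ValueError, KeyError):
        return None


def classify(ev):
    """Return the list of reasons an event is suspicious (empty = benign)."""
    reasons = []
    if ev.peer_id not in AUTHORIZED_PEERS:
        reasons.append("unknown-peer")
    if ev.cert_serial not in TRUSTED_SERIALS:
        reasons.append("untrusted-cert")
    # A certificate minted before the rotation but still presented after it
    # is consistent with reuse of material stolen in the earlier compromise.
    if ev.cert_not_before < ROTATION_DATE and ev.ts >= ROTATION_DATE:
        reasons.append("pre-rotation-cert")
    return reasons


def scan(lines):
    """Return [(peer_id, reasons)] for every parseable event that is flagged."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            findings.append((ev.peer_id, reasons))
    return findings


# Constructed sample log: one benign session, one from an unlisted peer, one
# presenting an untrusted certificate issued before the rotation, one junk line.
SAMPLE_LOG = [
    "2026-03-02T10:15:00+00:00 peer=controller-01 serial=5A01 not_before=2026-02-20T00:00:00+00:00",
    "2026-03-02T10:16:00+00:00 peer=controller-09 serial=5A01 not_before=2026-02-20T00:00:00+00:00",
    "2026-03-03T08:00:00+00:00 peer=validator-01 serial=3F77 not_before=2025-11-01T00:00:00+00:00",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for peer, reasons in scan(SAMPLE_LOG):
        print(f"{peer}: {', '.join(reasons)}")
```

The third sample line is the case the article's March 2026 finding points at: the peer name is on the allowlist, so an allowlist check alone passes it, and only the certificate checks (serial not in the post-rotation set, issuance date before the rotation) surface it. In practice the allowlist, trusted serials and rotation date would come from the orchestrator's own inventory rather than constants.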

The record assembled by Mandiant and reported by Google Cloud shows a sequence of compromises and techniques — unauthorized peering, certificate misuse, SSH pivoting and a root‑gaining CSV upload — across a period that began in late 2025 and continued into March 2026, with public disclosure and patches arriving in June. Mandiant’s open question about whether the same actor was behind all phases remains the clearest unresolved fact: attribution and the full scope of exposure are still to be determined.

https://www.infosecurity-magazine.com/news/cisco-vulnerability-exploited/