Researchers believe rogue peering was used to connect to the victim's SD-WAN devices to gain admin privileges and root-level access.

June 24, 2026

Google's Mandiant threat intelligence team reported this week that attackers began exploiting a critical flaw in Cisco Catalyst SD-WAN as early as March, roughly two months before Cisco disclosed the vulnerability in early June.

The vulnerability, tracked as CVE-2026-20245, allows an attacker who already has administrator credentials on an affected system to escalate privileges to root-level access. It stems from insufficient input validation in the command-line interface of Cisco Catalyst SD-WAN Controller.

Cisco released final fixes for affected versions on June 12, eight days after it first disclosed the flaw, citing limited exploit activity at the time. The company described CVE-2026-20245 as a flaw that attackers could exploit only if they already had valid netadmin privileges, or if they chained it with one of two previously disclosed zero-days in Catalyst SD-WAN Controller: CVE-2026-20182 or CVE-2026-20127.