New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices.
The CVE-2026-20245 vulnerability is a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond) that allows authenticated attackers to execute arbitrary commands as root by uploading a crafted file.
Cisco said the vulnerability stemmed from insufficient validation of user-supplied input and could be exploited by authenticated attackers with local access to affected devices.
When Cisco disclosed the flaw earlier this month, the company warned that it had been exploited in a limited number of attacks but did not provide any details.
Cisco only stated that successful exploitation allowed attackers to gain root privileges and that some incidents involved unauthorized configuration changes being pushed to edge devices.
