Google’s Mandiant team has detailed how a Cisco Catalyst SD-WAN vulnerability was exploited as a zero-day months prior to its disclosure.
The vulnerability, tracked as CVE-2026-20245, is the 7th Cisco SD-WAN product flaw whose exploitation came to light in 2026.
CVE-2026-20245 affects the CLI of Cisco Catalyst SD-WAN Manager and allows an authenticated local attacker to execute arbitrary commands with root privileges using specially crafted files.
The security hole was disclosed by Cisco in early June, and patches were released roughly one week later.
Mandiant began its investigation in early 2026 after observing an unidentified threat actor targeting SD-WAN infrastructure at a service provider.











