A critical zero-day vulnerability in Cisco's SD-WAN solution, identified as CVE-2026-20245, has been exploited by attackers to gain root access on targeted devices, according to Mandiant's findings [1]. The flaw allows attackers to create rogue root accounts, giving them unrestricted control over the compromised systems. The vulnerability is found in Cisco Catalyst SD-WAN devices, which are widely used in enterprise networks. Exploitation of CVE-2026-20245 enables attackers to bypass security mechanisms and establish a persistent presence on the network. Because the vulnerability is still under active discussion, its exploitation status will determine the necessary course of action: immediate patching or continued monitoring. The vulnerability poses a significant risk to organizations relying on Cisco SD-WAN solutions, so practitioners should prioritize patching or monitoring to prevent potential attacks.
Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access
⚠️ Critical Alert
Why This Matters
CVE-2026-20245 is in active discussion involving Mandiant — exploitation status determines whether this is patch-now or monitor.
References
- BleepingComputer. (2026, June 24). Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access. *BleepingComputer*. https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/
Original Source
BleepingComputer