Based on reporting by The Hacker News →
Introduction
A high-severity zero-day in Cisco Catalyst SD-WAN was quietly exploited by an unknown threat actor for at least two months before the vendor had a chance to patch it. This is a stark reminder that network edge devices, often deployed and forgotten, remain prime targets for attackers seeking persistent, privileged access.
The problem
According to a recent report by The Hacker News, citing new findings from Google-owned Mandiant, an unidentified threat actor exploited a previously undisclosed vulnerability in Cisco Catalyst SD-WAN software as a zero-day. The flaw, tracked as CVE-2026-20245 with a CVSS score of 7.8, allows an authenticated attacker with local access to execute arbitrary commands with elevated, root-level privileges. The exploit activity occurred at least two months before Cisco publicly disclosed the vulnerability and released a patch.
Consequences
An attacker who successfully exploits this vulnerability gains root access on the SD-WAN device. This means they can fully control the network edge appliance — intercepting, modifying, or redirecting traffic, installing persistent backdoors, and pivoting deeper into the corporate network. Because SD-WAN devices often sit at the boundary between branch offices and central data centers, a compromise can undermine the integrity of all traffic flowing through that point, including VPN tunnels and critical business applications.