

Ethical Hacking News

Cisco Catalyst SD-WAN Zero-Day Vulnerability Exploited Months Before Disclosure: A Growing Concern for Edge Devices


Researchers have found that threat actors exploited Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 months before its public disclosure, gaining elevated privileges and access into internal network traffic. The incident highlights the growing trend of zero-day vulnerabilities in edge devices like software-defined wide area networks.

  • Threat actors have exploited zero-day vulnerabilities in edge devices like Cisco Catalyst SD-WAN systems, highlighting the importance of prioritizing security in these environments.
  • The vulnerability CVE-2026-20245 affects various deployment models, including on-premises installations, cloud-pro deployments, and Federal Risk and Authorization Management Program (FedRAMP) environments.
  • Attackers exploited a flaw in user-supplied input validation to gain elevated privileges and carry out command injection attacks.
  • Threat actors can obtain netadmin privileges through stolen credentials or exploiting previously disclosed vulnerabilities.
  • The vulnerability is attributed to insufficient user-supplied input validation in the Cisco Catalyst SD-WAN system.
  • Cisco has confirmed awareness of active exploitation and released fixes, but this incident highlights the need for ongoing vulnerability assessments and robust security protocols.



The world of cybersecurity has witnessed a concerning trend lately, in which threat actors have successfully exploited zero-day vulnerabilities in edge devices such as Software-Defined Wide Area Network (SD-WAN) systems. Cisco Catalyst SD-WAN zero-day CVE-2026-20245 is the latest example: it was exploited by an unknown threat actor months before its public disclosure.

The vulnerability, tracked as CVE-2026-20245, affects the entire range of deployment models used for Cisco Catalyst SD-WAN systems, including on-premises installations, cloud-pro deployments, and Federal Risk and Authorization Management Program (FedRAMP) environments. A wide array of organizations across various sectors could therefore be at risk.

According to Mandiant, the Google-owned security firm, the threat actor exploited CVE-2026-20245 as a zero-day, leveraging a flaw in the validation of user-supplied input. Once inside, they were able to gain elevated privileges and carry out command injection on the affected system using a crafted file named "evil_tenant.csv".

A key point worth noting is that attackers can obtain netadmin privileges through stolen credentials or by exploiting previously disclosed vulnerabilities such as CVE-2026-20182 and CVE-2026-20127. Furthermore, even with limited exploitation via these methods, threat actors were still able to gain elevated privileges.

The vulnerability is attributed to insufficient validation of user-supplied input in the Cisco Catalyst SD-WAN system. The attack vector involved uploading a malicious file named "evil_tenant.csv" to the affected system and using it to trigger the flaw. This allowed the attackers to elevate their privileges to root, providing long-term access to the organization's internal network traffic.
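The defect class described above is a user-supplied import file whose fields reach a command without validation. As an added illustration, not Cisco's code or Mandiant's, the Python below shows the hardened pattern for such a tenant CSV import: every field is checked against a strict allowlist and the provisioning command is built as an argv list, so no shell ever interprets the data. The column names, the sample file and the `tenant-provision` tool are hypothetical.

```python
"""Hardened CSV tenant-import handling (illustrative; not Cisco's code).

The vulnerable pattern this replaces is interpolating a CSV field into a
shell command string; here fields are validated and never reach a shell.
"""
import csv
import io
import re
from typing import List, Optional, Tuple

# Constructed sample import file. The last row carries shell metacharacters
# of the kind an unvalidated importer would pass straight to a command.
SAMPLE_CSV = """tenant_name,org_id,description
acme-corp,1001,Main tenant
branch-east,1002,East coast branch
bad;id>/tmp/x,1003,Injected row
"""

# Allowlists: tenant names are lowercase alphanumerics plus '-' and '_'
# (1-32 chars); org ids are purely numeric. Anything else is rejected.
TENANT_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,31}$")
ORG_RE = re.compile(r"^[0-9]{1,10}$")


def validate_row(row: dict) -> Optional[str]:
    """Return None if the row is acceptable, otherwise a rejection reason."""
    if not TENANT_RE.match(row.get("tenant_name", "")):
        return "tenant_name fails allowlist"
    if not ORG_RE.match(row.get("org_id", "")):
        return "org_id must be numeric"
    return None


def build_argv(row: dict) -> List[str]:
    """Build the provisioning command as an argv list (hypothetical tool).

    With subprocess.run(argv) and no shell, a field can only ever be an
    argument value; metacharacters in it are never parsed as syntax.
    """
    return ["tenant-provision", "--name", row["tenant_name"], "--org", row["org_id"]]


def import_tenants(text: str) -> Tuple[List[List[str]], List[Tuple[int, str]]]:
    """Parse the CSV; return (accepted argv lists, rejected (line, reason))."""
    accepted, rejected = [], []
    # Data rows start on line 2; line 1 is the header.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        reason = validate_row(row)
        if reason:
            rejected.append((lineno, reason))
        else:
            accepted.append(build_argv(row))
    return accepted, rejected
```

Rejected rows are reported with their line number and reason rather than silently dropped, which gives defenders an audit trail of attempted malformed imports.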

Mandiant, in its report on the incident, noted that the threat actor consistently employed anti-forensic techniques, such as selectively deleting and restoring system configuration files modified during their activities, to maintain operational security. The incident highlights a growing trend of using zero-day vulnerabilities in edge devices like SD-WAN systems.

The firm observed attackers targeting a communications service provider in two separate campaigns between late 2025 and March 2026, escalating compromised administrator accounts to full root access by exploiting the identified vulnerabilities.

Cisco has confirmed awareness of active exploitation of the vulnerability and released fixes. However, this incident serves as a reminder that software-defined networking is becoming increasingly appealing to threat actors due to its wide reach and lack of monitoring capabilities.

In recent years, we have seen numerous instances where zero-day vulnerabilities in edge devices such as SD-WAN systems have been exploited by threat actors. This trend underscores the importance of prioritizing security in these environments.

Furthermore, it highlights the need for organizations to keep their systems patched and to implement robust security protocols. Organizations must also conduct regular vulnerability assessments to identify any weaknesses that could be exploited by malicious actors.

As the cybersecurity landscape continues to evolve, staying vigilant and proactive will be key to mitigating such risks. Regular updates and awareness campaigns are necessary to ensure that organizations equipped with the latest technologies can effectively safeguard their systems from such threats.

In conclusion, the exploitation of Cisco Catalyst SD-WAN zero-day CVE-2026-20245 by an unknown threat actor months before its public disclosure raises serious concerns about edge devices like software-defined wide area networks. This trend highlights the need for prioritization and robust security measures in these environments, as well as a focus on ongoing vulnerability assessments to prevent similar incidents.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cisco-Catalyst-SD-WAN-Zero-Day-Vulnerability-Exploited-Months-Before-Disclosure-A-Growing-Concern-for-Edge-Devices-ehn.shtml

  • https://securityaffairs.com/194200/hacking/cisco-catalyst-sd-wan-zero-day-cve-2026-20245-exploited-months-before-disclosure.html


  • Published: Thu Jun 25 06:27:58 2026 by llama3.2 3B Q4_K_M