
Cisco Vulnerability Exploited Months Prior to Disclosure, Google Alerts


New Report Reveals Early Exploitation of Cisco Vulnerability

A recent report shows that threat actors began exploiting a significant vulnerability in Cisco products well before it was publicly disclosed. The vulnerability, tracked as CVE-2026-20245, is rated high severity with a CVSS score of 7.8. It is a privilege escalation flaw rooted in inadequate validation of user-supplied input in the command-line interface (CLI) of the Cisco Catalyst SD-WAN Controller, previously known as SD-WAN vSmart.

The flaw impacts multiple versions of the Cisco Catalyst SD-WAN Manager, as well as related products like the Catalyst SD-WAN Validator. Notably, no matter the deployment environment—be it on-premises, Cloud-Pro, Cloud (Cisco Managed), or Government (FedRAMP)—affected versions are vulnerable.

According to the report, authenticated local attackers can exploit this vulnerability by uploading a specially crafted file to the system, allowing them to execute arbitrary commands with root-level privileges. The severity of the situation prompted Cisco to disclose the vulnerability on June 4 after detecting “limited instances where the exploitation of this bug resulted in a configuration change pushed to edge devices.” However, at the time of disclosure, no patch was available to address the issue, which led to heightened concerns among users.

Cisco initiated the release of updates for the Catalyst SD-WAN Manager that incorporated the CVE-2026-20245 fix on June 10, just days following the disclosure.

Timeline of Exploitation: March Preceded June Disclosure

According to a deeper investigation carried out by Mandiant, part of Google Cloud, the threat actor’s exploitation of this vulnerability started as early as March, which raises serious questions regarding the security protocols in place. In a new report published on June 24, Mandiant detailed that they had observed the threat actor targeting the SD-WAN infrastructure of a service provider, noting unauthorized peering connections from late 2025 through January 2026.

The researchers linked this activity to the exploitation of two other significant vulnerabilities—CVE-2026-20127 and CVE-2026-20182—neither of which had been publicly disclosed or patched at that time. Both affect the peering authentication mechanism of Cisco Catalyst SD-WAN controllers and could allow unauthenticated remote attackers to bypass authentication and gain administrative privileges.

In March, Mandiant observed further unauthorized connections to a device running a software version that was not affected by CVE-2026-20127, which points to the use of certificate material stolen during an earlier compromise of the same device.

Further investigation revealed that the attackers gained initial access through unauthorized peering connections, which gave them Secure Shell (SSH) access. They used this access to change the passwords of default accounts, helping them evade detection. The research team found a clear correlation between this unauthorized access and the exploitation of CVE-2026-20245 in the Cisco Catalyst SD-WAN Manager: the attackers obtained root-level access through a malicious CSV upload, then deleted the malicious files, reverted configuration changes, and ran a validation script to remove traces of their activity.
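The chain described above (unauthorized peering, SSH access, default-account password changes, then a CSV upload by that account) is the kind of sequence a defender can correlate from controller and manager audit events. The script below is an added example written for this article; it is not code from Cisco, Mandiant or the report. The log line format, the authorized peer list, the default account names and the 24-hour correlation window are all constructed assumptions, and real SD-WAN audit records would need to be mapped onto these fields first.

```python
"""
Added example (not from the article, Cisco or Mandiant): correlate audit events
to flag the reported intrusion chain on an SD-WAN controller/manager.

The log format is HYPOTHETICAL and constructed for illustration:
    timestamp | event | actor | detail
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: peers the operator has explicitly authorized (constructed values).
AUTHORIZED_PEERS = {"203.0.113.10", "203.0.113.11"}
# Assumed: built-in/default accounts whose passwords should only change via change control.
DEFAULT_ACCOUNTS = {"admin", "vmanage", "netadmin"}
# Assumed: how close a password change and a CSV upload must be to be correlated.
WINDOW = timedelta(hours=24)

# Constructed sample events; the third and fourth lines model the reported chain.
SAMPLE_LOG = """\
2026-03-02T01:10:05Z | peer_connect | 203.0.113.10 | control connection established
2026-03-03T02:14:11Z | peer_connect | 198.51.100.77 | control connection established
2026-03-03T02:20:40Z | ssh_login | admin | from 198.51.100.77
2026-03-03T02:25:03Z | password_change | admin | changed by admin
2026-03-03T03:05:19Z | file_upload | admin | name=devices.csv type=csv
2026-03-04T09:00:00Z | ssh_login | ops_user | from 203.0.113.10
2026-03-04T09:02:00Z | file_upload | ops_user | name=sites.csv type=csv
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    actor: str
    detail: str


def parse_log(text):
    """Parse the constructed pipe-separated format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, actor, detail = [p.strip() for p in line.split("|", 3)]
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, actor, detail))
    return events


def find_unauthorized_peers(events):
    """Peering/control connections from addresses not on the authorized list."""
    return sorted({e.actor for e in events
                   if e.kind == "peer_connect" and e.actor not in AUTHORIZED_PEERS})


def find_ssh_from_unauthorized(events):
    """SSH logins whose source address is not an authorized peer: (account, source)."""
    hits = []
    for e in events:
        if e.kind == "ssh_login" and "from" in e.detail:
            src = e.detail.split("from", 1)[1].strip()
            if src not in AUTHORIZED_PEERS:
                hits.append((e.actor, src))
    return sorted(hits)


def find_default_account_chains(events):
    """Default accounts whose password changed shortly before they uploaded a CSV.

    Returns (account, upload timestamp as ISO string) pairs.
    """
    findings = []
    changes = [e for e in events if e.kind == "password_change" and e.actor in DEFAULT_ACCOUNTS]
    for ch in changes:
        for up in events:
            if (up.kind == "file_upload" and up.actor == ch.actor
                    and "type=csv" in up.detail and ch.ts <= up.ts <= ch.ts + WINDOW):
                findings.append((ch.actor, up.ts.isoformat()))
    return findings


def triage(text):
    """Run all three checks over a log text and return the findings by category."""
    events = parse_log(text)
    return {
        "unauthorized_peers": find_unauthorized_peers(events),
        "ssh_from_unauthorized": find_ssh_from_unauthorized(events),
        "default_account_chains": find_default_account_chains(events),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

Each check is deliberately narrow so that a hit is actionable on its own: an unexpected peer is a certificate or peering-authentication question, a default-account password change followed by an upload is a change-control question, and a match on all three for the same account within the window is the strongest signal that the reported chain is in progress.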

While Mandiant noted that it remains uncertain whether the same threat actor was responsible for both the late 2025 to January 2026 activity and the incidents observed in March, the broader implications are troubling.

The Living-Off-the-Edge Paradigm

Google’s research highlights a worrying trend in which threat actors increasingly adopt the “living-off-the-edge” paradigm: compromising network appliances to evade traditional security controls. Mandiant emphasized that the teams managing edge devices and software-defined networking appliances often lack the telemetry needed for in-depth forensic analysis, which gives attackers quieter and more persistent access to internal enterprise traffic.

Experts like Matei Badanoiu, lead security researcher at Pentest-Tools.com, add that these findings underline a critical reality: threat actors frequently exploit vulnerabilities long before they are disclosed or patched. "In the case of Cisco and the aforementioned CVE, the exploitation window was open for at least two months prior to the patch release and advisory. During that time, attackers had a clear advantage, leveraging knowledge that defenders did not possess," Badanoiu noted.

This situation raises vital questions about the preparedness and responsiveness of organizations in defending against such vulnerabilities. As cyber threats continue to evolve, the need for proactive measures and enhanced security protocols is more pressing than ever.
