CVE Tools
Back to feed
BleepingComputer ·EN-US News source Exploited in the wildCisco Catalyst SD-WAN

Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access

By Lawrence Abrams··3 min read
CVE Tools coverage

Mandiant has detailed how attackers exploited Cisco Catalyst SD-WAN command injection vulnerability CVE-2026-20245 to escalate privileges to root during zero-day attacks. The issue affects Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond), enabling authenticated attackers to execute arbitrary commands as root by uploading a crafted file—leading to actions such as creating a rogue root account, altering credentials, and exfiltrating configuration data. This matters because it demonstrates a reliable path from initial access to full device control, with anti-forensic steps that can make detection and incident response harder.