The Hacker News ·EN News source Exploited in the wildCisco Catalyst SD-WAN
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
CVE Tools coverage
Mandiant reports that an unknown actor exploited a Cisco Catalyst SD-WAN zero-day tracked as CVE-2026-20245 (CVSS 7.8) well before public disclosure, achieving elevated execution by feeding a crafted file that bypasses insufficient input validation. The attack targeted Cisco Catalyst SD-WAN controllers and included credential and anti-forensics activity, with unauthorized peering connections also linked to CVE-2026-20127 and CVE-2026-20182 during earlier observed activity. This matters because edge network devices like Cisco Catalyst SD-WAN often lack deep telemetry, making detection and forensic investigation harder after compromise.