Google’s Mandiant threat intelligence team reported this week that attackers began exploiting a critical flaw in Cisco Catalyst SD-WAN as early as March, roughly two months before Cisco disclosed the vulnerability in early June.

The vulnerability, tracked as CVE-2026-20245, allows an attacker who already holds administrator credentials on an affected system to escalate privileges to root. It stems from insufficient input validation in the command line interface of Cisco Catalyst SD-WAN Controller.

Privilege Escalation Flaw

Cisco released final fixes for affected versions on June 12, eight days after it initially disclosed the flaw and cited limited exploit activity. The company described CVE-2026-20245 as a flaw that attackers could exploit only if they already had valid netadmin privileges, or if they chained it with one of two previously disclosed zero-days in Catalyst SD-WAN Controller, CVE-2026-20182 or CVE-2026-20127.


The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on June 4. The agency gave Federal Civilian Executive Branch (FCEB) agencies until June 23 to patch the flaw or to stop using affected systems until they had.

In a blog post this week, Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said they discovered CVE-2026-20245 when investigating attacks that targeted SD-WAN infrastructure at a service provider between late 2025 and January 2026. 

Initial Access Via Rogue Peering

In the attacks, the threat actor gained initial access via "rogue peering connections" to the victim's SD-WAN Manager devices, likely by exploiting either CVE-2026-20127 or CVE-2026-20182, the previously disclosed SD-WAN Controller zero-days. Peering, as Mandiant explained, is the process by which different components in an SD-WAN, such as edge routers and central controllers, authenticate each other with cryptographic certificates so they can safely exchange data. A rogue peer is therefore a device that the control plane accepts as trusted without having legitimately earned that trust.

In March 2026, Mandiant researchers observed further attacks against the same service provider's SD-WAN environment. As in the attacks of late 2025 and January 2026, the threat actor gained initial access via rogue peering. This time, however, the attacker appears to have established those connections by a different method, likely involving stolen credentials. Once the unauthorized peering connection was in place, the attacker authenticated to the SD-WAN Manager device and then exploited what later turned out to be CVE-2026-20245 to escalate privileges to root.


The vulnerability, as the researchers found, allowed an “authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.”

Extensive Anti-Forensics

After achieving their objective, the "threat actor deleted malicious files, reverted configuration changes, and executed a validation script to ensure indicators are purged" in an extensive anti-forensic effort, the researchers said. They added that it is unclear whether the same threat actor was behind both the attacks of late 2025 and January 2026 and those of March 2026.

For context, CVE-2026-20182 is a maximum-severity authentication bypass vulnerability in Cisco's SD-WAN Controller that Cisco disclosed after researchers at Rapid7 reported the flaw. The vulnerability allows a remote, unauthenticated attacker "to become an authenticated peer of the target appliance, and perform privileged operations," according to Rapid7.

CVE-2026-20127 is also an authentication bypass vulnerability in SD-WAN Controller. Cisco disclosed it in February, crediting the Australian Cyber Security Centre for its discovery. At the time, Cisco said it was aware of attacks targeting the flaw, which the company attributed to UAT-8616, a threat actor that had apparently been exploiting it since at least 2023.


A Target of Growing Interest

The attacks targeting Cisco's SD-WAN technology highlight growing threat actor interest in Internet-facing network devices and their management interfaces rather than traditional endpoints, Mandiant's researchers said. Network devices can provide an ideal initial access point because they often give defenders limited visibility during forensic investigations while also enabling discreet, long-term access to a victim environment. "These devices offer a black box environment for threat actors: they often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide-scale access to internal enterprise traffic," they said.

They recommended that organizations running the affected devices immediately install Cisco's patches for all three vulnerabilities, implement Cisco's Catalyst SD-WAN hardening and logging guidelines, and scan for the known indicators of compromise. Given the anti-forensic cleanup observed in the March attacks, the absence of on-device indicators alone should not be taken as proof that a device was not compromised; peering and authentication logs forwarded off the device are the more reliable record.
