Google: Cisco SD-WAN Zero-Day Was Exploited Months Before Public Disclosure

Researchers at Google Cloud’s Mandiant have revealed that threat actors exploited the Cisco Catalyst SD-WAN privilege escalation vulnerability CVE-2026-20245 at least two months before its public disclosure. The flaw allows authenticated attackers to gain root-level access through a malicious file upload, while investigators also observed related attacks involving unauthorized SD-WAN peering connections and compromised credentials targeting Cisco SD-WAN infrastructure. According to the report, attackers used the vulnerability to establish persistent access, modify system configurations, and remove evidence of compromise before patches became available. The findings highlight the growing focus on network edge devices as high-value targets and demonstrate how threat actors can exploit previously unknown vulnerabilities long before defenders have access to security updates.

Reference: infosecurity-magazine.com