HIGH · Cyber Intelligence · Thursday, June 25, 2026

Cisco SD-WAN Zero-Day Exploited Two Months Before Disclosure

Mandiant reports unknown threat actor gained root access via CVE-2026-20245, exploiting the flaw as a zero-day before Cisco's public advisory.

An unidentified threat actor exploited a high-severity vulnerability in Cisco Catalyst SD-WAN at least two months before its public disclosure, according to Mandiant. The flaw, designated CVE-2026-20245 and carrying a CVSS score of 7.8, permits authenticated local attackers to execute arbitrary commands with elevated privileges.

The zero-day exploitation window represents a significant operational security failure. Attackers with initial local access could escalate to root-level control, enabling persistent access, lateral movement, and data exfiltration across enterprise SD-WAN deployments. Cisco SD-WAN is widely deployed in corporate networks to manage distributed branch connectivity and cloud access.

Mandiant's attribution remains incomplete. The firm has not publicly linked the activity to a known threat group or nation-state sponsor. The two-month pre-disclosure exploitation period suggests either sophisticated reconnaissance or prior knowledge of the vulnerability through independent discovery or supply chain access.

Implications
  • 01 Enterprises using Cisco Catalyst SD-WAN face potential compromise if unpatched since April 2026.
  • 02 Threat actors demonstrated capability to exploit SD-WAN infrastructure before vendor awareness.
  • 03 Network defenders must audit local access logs for anomalous privilege escalation activity.
Source
The Hacker News
https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html
Brief is editorial commentary by Atlas Intelligence based on the cited public reporting. Atlas does not reproduce source text. Verify primary source before action.
#cisco #sd-wan #zero-day #cve-2026-20245 #mandiant #privilege escalation