🟠 High | Source: The Hacker News
A high-severity zero-day vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20245) was actively exploited by a threat actor at least two months before Cisco publicly disclosed it, according to Mandiant. The flaw allows an authenticated local attacker to run arbitrary commands with elevated privileges, ultimately enabling root access. The pre-disclosure exploitation window significantly increases the risk for organisations that have not yet patched.
Security Architect’s Take: Patch Cisco Catalyst SD-WAN devices immediately and audit recent command execution logs for anomalous activity, particularly from authenticated local sessions. Given the pre-disclosure exploitation timeline, treat any unpatched SD-WAN appliances as potentially compromised and consider isolating them pending investigation.
Original advisory: Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
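As an added illustration of the log audit recommended in the take above (example code written for this digest, not from Cisco, Mandiant or The Hacker News): a small Python triage script run over constructed command-execution log lines. The line layout, the field names (`session`, `user`, `euid`, `cmd`) and the sample entries are assumptions made for the example; a real appliance export needs its own parser, but the flagging rule is the one the advisory summary implies: an authenticated local, non-root session whose command ended up running with root privilege. Lines that do not match the assumed layout are reported separately so the auditor can see what the rule did not cover.

```python
"""Triage constructed command-execution log lines for the pattern described
in the advisory summary: an authenticated local user executing commands with
elevated (root) privilege.  The log layout below is an assumption for this
example, not a documented Cisco Catalyst SD-WAN format."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed line layout (constructed for this example):
#   <ISO timestamp> session=<local|remote> user=<name> euid=<n> cmd="<command>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>local|remote) user=(?P<user>\S+) '
    r'euid=(?P<euid>\d+) cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    session: str   # "local" (console/SSH shell on the box) or "remote" (mgmt plane)
    user: str      # authenticated account name
    euid: int      # effective uid the command actually ran under
    cmd: str


def parse_line(line):
    """Return an Event for a line in the assumed layout, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m['ts'], m['session'], m['user'], int(m['euid']), m['cmd'])


def unparsed(lines):
    """Lines the parser could not read; these are coverage gaps, not clean results."""
    return [ln for ln in lines if parse_line(ln) is None]


def find_suspicious(lines):
    """Flag commands from a local session where a non-root account ran as euid 0.

    A root login running as root, or a remote management session, is normal
    administration and is not flagged; only the local non-root -> root shape is."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.session == 'local' and ev.user != 'root' and ev.euid == 0:
            flagged.append(ev)
    return flagged


def summarize(lines):
    """Count executions per (session type, user) to give the audit some baseline context."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev.session, ev.user)] += 1
    return dict(counts)


# Constructed sample log; the entries are illustrative and not real device output.
SAMPLE_LOG = [
    '2026-01-14T09:02:11Z session=local user=netops euid=1001 cmd="show version"',
    '2026-01-14T09:03:47Z session=local user=netops euid=0 cmd="/bin/sh -c id"',
    '2026-01-14T09:04:02Z session=local user=netops euid=0 cmd="cat /etc/passwd"',
    '2026-01-14T10:15:30Z session=remote user=admin euid=0 cmd="show running-config"',
    '2026-01-14T11:00:00Z session=local user=root euid=0 cmd="reboot"',
    'this line is not in the assumed layout and must be reported, not silently dropped',
]


if __name__ == '__main__':
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"SUSPICIOUS {ev.ts} user={ev.user} euid={ev.euid} cmd={ev.cmd!r}")
    print("baseline:", summarize(SAMPLE_LOG))
    print("unparsed lines:", len(unparsed(SAMPLE_LOG)))
```

Run it as-is to see the two flagged entries from the constructed sample; in practice the `SAMPLE_LOG` list is replaced by the lines read from the appliance export, and the regex is adjusted to that export's actual layout before the flagging rule is trusted.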