Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited Months Before Disclosure
ID: c8f48b67-fd10-587c-b83b-2c167887cd67
STIX ID: report--c8f48b67-fd10-587c-b83b-2c167887cd67
Feed Name: Security Affairs
Mandiant reported that an unknown actor exploited a Cisco Catalyst SD-WAN zero-day (CVE-2026-20245, CVSS 7.8) months before public disclosure to escalate netadmin accounts to root by uploading a crafted file (evil_tenant.csv). The intrusions against a communications service provider involved creating a rogue 'troot' account, anti-forensic cleanup of created files and configuration changes, and possibly reuse of stolen certificates or earlier authentication bypasses (CVE-2026-20127, CVE-2026-20182); Cisco has released fixes and confirmed active exploitation across deployment models.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
