logo

Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited Months Before Disclosure

ID: c8f48b67-fd10-587c-b83b-2c167887cd67

STIX ID: report--c8f48b67-fd10-587c-b83b-2c167887cd67

Feed Name: Security Affairs

Threat Score
85/100

Date Published: 2026-06-25

Date Updated: 2026-06-25

Author: Pierluigi Paganini

...
...

Mandiant reported that an unknown actor exploited a Cisco Catalyst SD-WAN zero-day (CVE-2026-20245, CVSS 7.8) months before public disclosure to escalate netadmin accounts to root by uploading a crafted file (evil_tenant.csv). The intrusions against a communications service provider involved creating a rogue 'troot' account, anti-forensic cleanup of created files and configuration changes, and possibly reuse of stolen certificates or earlier authentication bypasses (CVE-2026-20127, CVE-2026-20182); Cisco has released fixes and confirmed active exploitation across deployment models.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.