Source URL: cloud.google.com/blog/topi… Mandiant reported that a threat actor targeting SD-WAN infrastructure at a service provider first used a compromised administrative account and then exploited CVE-2026-20245, a zero-day vulnerability in Cisco Catalyst SD-WAN Manager, to escalate privileges to root. The vulnerability stems from insufficient filtering of attacker-supplied data in the appliance's file-upload functionality. The actor reportedly used anti-forensic techniques, selectively deleting and then restoring the configuration files it had modified, to evade detection. The issue matters for any organization that relies on an SD-WAN control plane: root on the management tier gives an attacker reach into the connectivity, routing and segmentation policy of every site that tier manages, and in a service-provider setting it also undermines the trust boundary between the provider and its customers.
Zero-Day Exploitation of Vulnerability CVE-2026-20245 in Cisco Catalyst SD-WAN Manager
Edward Kiledjian
@ekiledjian
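The "modify, then delete and restore" pattern described in the post is aimed at integrity checks that compare only file contents: once the original bytes are back, a hash comparison reports the file as unchanged. The following is an added example, not code from Mandiant, Cisco or the post's author, and it is generic rather than specific to SD-WAN Manager. It assumes a hypothetical baseline snapshot (path to SHA-256 plus the snapshot time) and a hypothetical current scan that records each file's hash, mtime and ctime; the file names and timestamps are constructed. On POSIX filesystems an attacker can reset mtime with utime/touch, but restoring content or recreating the file still updates the inode change time (ctime), so "hash matches baseline, ctime later than snapshot" is the signal this check adds on top of a plain content comparison.

```python
"""
Added example: file-integrity classification that flags the edit-then-restore pattern.
Assumptions (hypothetical, not from the source): baseline = {path: sha256_hex},
baseline_time = snapshot timestamp, current = list of FileRecord from a later scan.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str
    mtime: float   # content modification time; an attacker can reset this with utime/touch
    ctime: float   # inode change time; updated on any write/rename/recreate, not settable via utime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(baseline: dict, baseline_time: float, current: list) -> dict:
    """Map each path to 'unchanged', 'modified', 'restored', 'new' or 'missing'."""
    result = {}
    seen = set()
    for rec in current:
        seen.add(rec.path)
        base_hash = baseline.get(rec.path)
        if base_hash is None:
            result[rec.path] = "new"
        elif rec.sha256 != base_hash:
            result[rec.path] = "modified"
        elif rec.ctime > baseline_time:
            # Content identical to the baseline, but the inode changed after the snapshot:
            # consistent with edit-then-restore or delete-then-recreate. A content-only
            # check would call this "unchanged".
            result[rec.path] = "restored"
        else:
            result[rec.path] = "unchanged"
    for path in baseline:
        if path not in seen:
            result[path] = "missing"
    return result


def suspicious(classification: dict) -> list:
    """Paths that warrant analyst review, sorted for stable output."""
    return sorted(p for p, state in classification.items() if state != "unchanged")


def build_sample():
    """Constructed data: a baseline taken at t=1000 and a scan taken at t=2000."""
    original = {
        "/opt/app/conf/a.conf": b"system host-name mgr01\n",
        "/opt/app/conf/b.conf": b"admin-tech enable\n",
        "/opt/app/conf/c.conf": b"upload-path /data/uploads\n",
        "/opt/app/conf/d.conf": b"log-level info\n",
    }
    baseline = {path: sha256_hex(data) for path, data in original.items()}
    baseline_time = 1000.0

    current = [
        # a.conf: untouched since before the snapshot
        FileRecord("/opt/app/conf/a.conf", baseline["/opt/app/conf/a.conf"], 900.0, 900.0),
        # b.conf: still modified at scan time
        FileRecord("/opt/app/conf/b.conf", sha256_hex(b"admin-tech enable\nextra-user backdoor\n"), 1500.0, 1500.0),
        # c.conf: edited, then original bytes restored and mtime reset to look old;
        # ctime still reflects the restore
        FileRecord("/opt/app/conf/c.conf", baseline["/opt/app/conf/c.conf"], 900.0, 1500.0),
        # d.conf is absent from the scan (deleted)
        # e.conf: did not exist at snapshot time
        FileRecord("/opt/app/conf/e.conf", sha256_hex(b"new file\n"), 1600.0, 1600.0),
    ]
    return baseline, baseline_time, current


def run_demo() -> dict:
    baseline, baseline_time, current = build_sample()
    return classify(baseline, baseline_time, current)


if __name__ == "__main__":
    result = run_demo()
    for path in sorted(result):
        print(f"{result[path]:10s} {path}")
    print("review:", suspicious(result))
```

The ctime signal is a tripwire, not proof: an actor with root on the box can also shift the system clock or rewrite inode metadata with low-level tools, so the baseline hashes and the scan results should be stored off the appliance and correlated with the management plane's own audit and upload logs rather than trusted on their own.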