Attackers Hit Cisco SD-WAN Flaw 2 Months Before Disclosure
Dark Reading
Researchers believe rogue peering was used to connect to the victim's SD-WAN devices to gain admin privileges and root-level access.
Jai Vijayan, Contributing Writer
June 24, 2026
Google's Mandiant threat intelligence team reported this week that attackers began exploiting a critical flaw in Cisco Catalyst SD-WAN as early as March, roughly two months before Cisco disclosed the vulnerability in early June.
The vulnerability, tracked as CVE-2026-20245, allows an attacker who already holds administrator credentials on an affected system to escalate to root. It stems from insufficient input validation in the command-line interface of Cisco Catalyst SD-WAN Controller.
Privilege Escalation Flaw
Cisco released final fixes for affected versions on June 12, eight days after it initially disclosed the flaw and noted limited exploitation in the wild. The company said CVE-2026-20245 could be exploited only by an attacker who already held valid netadmin privileges, or who chained it with either of two previously disclosed Catalyst SD-WAN Controller zero-days, CVE-2026-20182 or CVE-2026-20127.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on June 4 and gave Federal Civilian Executive Branch (FCEB) agencies until June 23 to apply the fix or stop using affected systems until they could.
In a blog post this week, Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said they discovered CVE-2026-20245 when investigating attacks that targeted SD-WAN infrastructure at a service provider between late 2025 and January 2026.
Initial Access Via Rogue Peering
In those attacks, the threat actor gained initial access through "rogue peering connections" to the victim's SD-WAN Manager devices, likely by exploiting either CVE-2026-20127 or CVE-2026-20182, the previously disclosed SD-WAN Controller zero-days. Peering, as Mandiant explained, is the process by which SD-WAN components such as edge routers and central controllers authenticate one another with cryptographic certificates before exchanging control-plane data.
In March, Mandiant observed further attacks on the same service provider's SD-WAN environment. As in the late 2025 and January 2026 intrusions, the threat actor gained initial access via rogue peering, but this time appears to have established the connections by a different method, likely involving stolen credentials. Once the unauthorized peering connection was in place, the attacker authenticated to the SD-WAN Manager device and then exploited what later turned out to be CVE-2026-20245 to escalate privileges to root.
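The practical defensive question behind "rogue peering" is simple: is every peer the controller currently trusts a device you actually own? The script below is an added example, not code from the article, from Mandiant, or from Cisco. It cross-checks an exported peer table against the authoritative device inventory and flags peers that are unknown, or that present a certificate serial, role, or site ID other than the one recorded for that system IP. Both CSV layouts (INVENTORY_CSV and PEERS_CSV) and every address and serial in them are constructed for illustration and are not Cisco's real export formats; the `local_system_ip` parameter is likewise a hypothetical convenience so the controller running the check is not reported as "absent" from its own peer table.

```python
"""Cross-check an SD-WAN controller's live peer table against the device inventory.

Added example; hypothetical formats, not Cisco's. Run it against off-box
exports/snapshots so a later on-box cleanup cannot erase what was seen.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory: what each system IP is *supposed* to be.
INVENTORY_CSV = """\
system_ip,site_id,role,cert_serial
10.1.0.1,100,manager,1A2B3C
10.1.0.2,100,controller,4D5E6F
10.1.0.3,100,validator,7A8B9C
10.1.10.1,10,edge,0F1E2D
10.1.20.1,20,edge,3C4B5A
"""

# Constructed peer table as seen by the manager at 10.1.0.1. Two rogue
# entries: 10.1.20.1 presents an unexpected certificate, and 10.1.30.1 is
# not in the inventory at all.
PEERS_CSV = """\
peer_type,system_ip,site_id,public_ip,cert_serial,state
controller,10.1.0.2,100,203.0.113.2,4D5E6F,up
validator,10.1.0.3,100,203.0.113.3,7A8B9C,up
edge,10.1.10.1,10,198.51.100.10,0F1E2D,up
edge,10.1.20.1,20,198.51.100.20,DEADBEEF,up
edge,10.1.30.1,30,192.0.2.66,ABCDEF,up
"""


@dataclass(frozen=True)
class Finding:
    severity: str    # "high": a peer that should not be trusted; "info": expected peer missing
    system_ip: str
    reason: str


def load_inventory(text: str) -> dict[str, dict[str, str]]:
    """Index expected devices by system IP."""
    return {row["system_ip"]: row for row in csv.DictReader(io.StringIO(text))}


def load_peers(text: str) -> list[dict[str, str]]:
    """Parse the exported peer table."""
    return list(csv.DictReader(io.StringIO(text)))


def find_rogue_peers(inventory: dict[str, dict[str, str]],
                     peers: list[dict[str, str]],
                     local_system_ip: str) -> list[Finding]:
    """Return every peer that disagrees with the inventory, plus expected peers not seen."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for p in peers:
        ip = p["system_ip"]
        seen.add(ip)
        expected = inventory.get(ip)
        if expected is None:
            findings.append(Finding("high", ip,
                f"peer not in inventory (public_ip={p['public_ip']}, role={p['peer_type']})"))
            continue
        # A valid system IP with the wrong certificate is the classic rogue-peer shape:
        # the identity is claimed, but the credential behind it is not the one we issued.
        if p["cert_serial"].upper() != expected["cert_serial"].upper():
            findings.append(Finding("high", ip,
                f"certificate serial {p['cert_serial']} != inventory {expected['cert_serial']}"))
        if p["peer_type"] != expected["role"]:
            findings.append(Finding("high", ip,
                f"claims role {p['peer_type']}, inventory says {expected['role']}"))
        if p["site_id"] != expected["site_id"]:
            findings.append(Finding("high", ip,
                f"claims site {p['site_id']}, inventory says {expected['site_id']}"))
    # Expected devices that are absent are worth a look too (outage, or displaced by an impostor).
    for ip, dev in inventory.items():
        if ip != local_system_ip and ip not in seen:
            findings.append(Finding("info", ip, f"expected {dev['role']} peer absent from table"))
    return findings


if __name__ == "__main__":
    results = find_rogue_peers(load_inventory(INVENTORY_CSV), load_peers(PEERS_CSV), "10.1.0.1")
    for f in results:
        print(f"[{f.severity}] {f.system_ip}: {f.reason}")
```

Run it on a schedule against exports pulled to a host the SD-WAN admins cannot log in to; the value is in the diff over time, not in a single run, because an attacker who later "reverts configuration changes" on the box cannot retroactively remove a peer that was already recorded off-box.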
The vulnerability, as the researchers found, allowed an "authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system."
Extensive Anti-Forensics
After achieving their objective, the "threat actor deleted malicious files, reverted configuration changes, and executed a validation script to ensure indicators are purged" in an extensive anti-forensic effort, the researchers said. They added that it is unclear whether the same threat actor was behind both the late 2025 and January 2026 intrusions and the March 2026 intrusion.
For context, CVE-2026-20182 is a maximum-severity authentication bypass vulnerability in Cisco's SD-WAN Controller that the company disclosed after researchers at Rapid7 reported it. The flaw allows a remote, unauthenticated attacker "to become an authenticated peer of the target appliance, and perform privileged operations," according to Rapid7.
CVE-2026-20127 is also an authentication bypass vulnerability in SD-WAN Controller that Cisco disclosed in February, crediting the Australian Cyber Security Centre for its discovery. At the time, Cisco said it was aware of attacks targeting the flaw, which the company attributed to UAT-8616, a threat actor that apparently had been exploiting the flaw since at least 2023.
A Target of Growing Interest
The attacks targeting Cisco's SD-WAN technology highlight growing threat actor interest in Internet-facing network devices and their management interfaces rather than traditional endpoints, Mandiant's researchers said. Network devices can provide an ideal initial access point because they often offer limited visibility for defenders conducting forensic investigations while also enabling discreet long-term access to a victim environment. "These devices offer a black box environment for threat actors: they often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide-scale access to internal enterprise traffic," they said.
They recommended that organizations running the affected devices immediately install Cisco's patches for the different vulnerabilities, implement Cisco's Catalyst SD-WAN hardening and logging guidelines, and scan for known indicators of compromise.
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.