
Attackers Hit Cisco SD-WAN Flaw 2 Months Before Disclosure

Dark Reading, archived Jun 25, 2026

Researchers believe rogue peering was used to connect to the victim's SD-WAN devices to gain admin privileges and root-level access.



Jai Vijayan, Contributing Writer
June 24, 2026

Google's Mandiant threat intelligence team reported this week that attackers began exploiting a critical flaw in Cisco Catalyst SD-WAN as early as March, roughly two months before Cisco disclosed the vulnerability in early June. The vulnerability, tracked as CVE-2026-20245, allows an attacker who already has administrator credentials on an affected system to escalate privileges to root-level access. It stems from insufficient input validation and affects the command line interface of Cisco Catalyst SD-WAN Controller.

Privilege Escalation Flaw

Cisco released final fixes for affected versions on June 12, eight days after initially disclosing the flaw, when it cited limited exploit activity. The company described CVE-2026-20245 as a flaw that attackers could exploit only if they already had valid netadmin privileges, or if they chained it with one of two previously disclosed zero-days in Catalyst SD-WAN Controller, CVE-2026-20182 or CVE-2026-20127.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on June 4. The agency gave Federal Civilian Executive Branch (FCEB) agencies a June 23 deadline to address the flaw or to stop using affected systems until they did.

In a blog post this week, Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said they discovered CVE-2026-20245 while investigating attacks that targeted SD-WAN infrastructure at a service provider between late 2025 and January 2026.
Initial Access Via Rogue Peering

In the attacks, the threat actor gained initial access via "rogue peering connections" to the victim's SD-WAN Manager devices, likely by exploiting either CVE-2026-20127 or CVE-2026-20182, the previously disclosed SD-WAN Controller zero-days. Peering, as Mandiant explained, is how different components of an SD-WAN, such as edge routers and central controllers, authenticate each other with cryptographic certificates so they can safely exchange data. A rogue peer is a device that completes that authentication without being a legitimate member of the fabric.

Later, in March, Mandiant researchers observed more attacks targeting the same service provider's SD-WAN environment. As in late 2025 and January 2026, the threat actor gained initial access via rogue peering, but this time it appears to have established those connections by a different method, likely involving stolen credentials. Once the unauthorized peering connection was in place, the attacker successfully authenticated to the SD-WAN Manager device and then exploited what later turned out to be CVE-2026-20245 to escalate privileges. The vulnerability, the researchers found, allowed an "authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system."

Extensive Anti-Forensics

After achieving their objective, the "threat actor deleted malicious files, reverted configuration changes, and executed a validation script to ensure indicators are purged" in an extensive anti-forensic effort, the researchers said. It is unclear, they added, whether the same threat actor was behind both the late 2025 to January 2026 attacks and the March 2026 attacks.

For context, CVE-2026-20182 is a maximum-severity authentication bypass vulnerability in Cisco's SD-WAN Controller that Cisco disclosed after researchers at Rapid7 reported the flaw.
The vulnerability allows a remote, unauthenticated attacker "to become an authenticated peer of the target appliance, and perform privileged operations," according to Rapid7. CVE-2026-20127 is also an authentication bypass vulnerability in SD-WAN Controller, which Cisco disclosed in February, crediting the Australian Cyber Security Centre for its discovery. At the time, Cisco said it was aware of attacks targeting the flaw, which the company attributed to UAT-8616, a threat actor that apparently had been exploiting it since at least 2023.

A Target of Growing Interest

The attacks on Cisco's SD-WAN technology highlight growing threat actor interest in Internet-facing network devices and their management interfaces rather than traditional endpoints, Mandiant's researchers said. Network devices can provide an ideal initial access point because they often give defenders limited visibility during forensic investigations while also enabling discreet long-term access to a victim environment.

"These devices offer a black box environment for threat actors: they often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide-scale access to internal enterprise traffic," they said.

They recommended that organizations running the affected devices immediately install Cisco's patches for the different vulnerabilities, implement Cisco's Catalyst SD-WAN hardening and logging guidelines, and scan for known indicators of compromise.
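Two of the behaviours Mandiant describes, a rogue peer that successfully authenticates into the fabric and an intruder who reverts configuration changes so the device itself shows nothing, both point at checks that have to run off the box, which is also the practical reading of the logging recommendation above. The script below is an added example, not code from the article, Mandiant, or Cisco. It parses a constructed peering-event log in an invented "timestamp peer= src= result=" format (not Cisco's log format) against a fabric inventory that maps each certificate identity to its expected source address, and it scans an externally archived history of running-config snapshots for edit-then-revert sequences. Every device name, address, field name, and sample entry is constructed for illustration.

```python
"""Off-box checks for rogue peering and change-then-revert configuration edits.

Added example; the log format, field names, device names and addresses are
constructed for illustration and are not Cisco's or Mandiant's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256

# Constructed peering-event log, one line per control-plane peering attempt.
# Invented format: "<iso-timestamp> peer=<cert identity> src=<ip> result=<outcome>".
SAMPLE_PEER_LOG = """\
2026-03-14T02:11:09 peer=vsmart-01 src=10.10.0.11 result=authenticated
2026-03-14T02:12:41 peer=vedge-204 src=10.20.4.204 result=authenticated
2026-03-14T02:15:03 peer=vedge-204 src=203.0.113.77 result=authenticated
2026-03-14T02:17:55 peer=vbond-x9 src=198.51.100.9 result=authenticated
2026-03-14T02:19:30 peer=vbond-x9 src=198.51.100.9 result=rejected
"""

# Constructed fabric inventory: certificate identity -> expected source address.
INVENTORY = {"vsmart-01": "10.10.0.11", "vedge-204": "10.20.4.204"}

BASE_CFG = "system\n host-name manager-01\n"
# Constructed off-box config archive: (snapshot time, running-config text).
# The second snapshot adds an account; the third is back at the baseline.
SAMPLE_SNAPSHOTS = [
    (datetime(2026, 3, 14, 1, 0), BASE_CFG),
    (datetime(2026, 3, 14, 2, 20), BASE_CFG + " aaa\n  user svc-maint\n   group netadmin\n"),
    (datetime(2026, 3, 14, 3, 5), BASE_CFG),
    (datetime(2026, 3, 15, 1, 0), BASE_CFG),
]


@dataclass(frozen=True)
class PeerSession:
    when: datetime
    peer_id: str   # identity asserted by the peer certificate (assumed field)
    src_ip: str
    outcome: str   # "authenticated" or "rejected"


def parse_peer_log(lines):
    """Parse the constructed key=value log lines into PeerSession records."""
    sessions = []
    for line in lines:
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        sessions.append(PeerSession(datetime.fromisoformat(ts),
                                    fields["peer"], fields["src"], fields["result"]))
    return sessions


def rogue_peers(sessions, inventory):
    """Return (session, reason) for every successful peering whose identity is
    not in the inventory or that arrives from an address other than the one on
    file. Rejected attempts are ignored: the actor described above authenticated."""
    findings = []
    for s in sessions:
        if s.outcome != "authenticated":
            continue
        expected = inventory.get(s.peer_id)
        if expected is None:
            findings.append((s, "unknown peer identity"))
        elif expected != s.src_ip:
            findings.append((s, f"peer seen from {s.src_ip}, inventory says {expected}"))
    return findings


def change_then_revert(snapshots, window=timedelta(hours=6)):
    """Find A -> B -> A sequences of config snapshots inside `window`.
    After a revert the device's own running-config equals the baseline, so only
    an off-box history of snapshots can show that an edit happened at all.
    Returns (edit_time, revert_time) pairs."""
    digests = [(t, sha256(cfg.encode()).hexdigest()) for t, cfg in snapshots]
    hits = []
    for i in range(2, len(digests)):
        (t0, a), (t1, b), (t2, c) = digests[i - 2], digests[i - 1], digests[i]
        if a == c and a != b and t2 - t0 <= window:
            hits.append((t1, t2))
    return hits


if __name__ == "__main__":
    for s, why in rogue_peers(parse_peer_log(SAMPLE_PEER_LOG.splitlines()), INVENTORY):
        print(f"{s.when:%Y-%m-%d %H:%M} rogue peer {s.peer_id}: {why}")
    for edited, reverted in change_then_revert(SAMPLE_SNAPSHOTS):
        print(f"config edited {edited:%H:%M}, reverted {reverted:%H:%M}; "
              "on-box state is back at baseline")
```

Against the constructed data the first check flags vedge-204 peering from an address the inventory does not know and an identity (vbond-x9) that is not in the inventory at all, and the second check reports the 02:20 edit that was undone by 03:05. The second check only works if snapshots are pulled to a store the device cannot write to; a diff of the device's current config against the baseline would show nothing, which is exactly the effect the anti-forensic clean-up was meant to achieve.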