Cisco SD-WAN Zero-Day Exploited for Root Access Two Months Before Patch

— negativeImpact: 7.5/10

Mandiant reveals hackers exploited CVE-2026-20245 in Cisco Catalyst SD-WAN devices to create rogue root accounts, with attacks beginning two months before disclosure.

Published 3h ago·1 min read·2 sources

·AI 100%

Human 0%

Mandiant has disclosed details on how attackers exploited a zero-day vulnerability in Cisco Catalyst SD-WAN devices, tracked as CVE-2026-20245, to gain root-level access. The flaw allowed unauthorized actors to create rogue root accounts on targeted systems, enabling persistent control.

The vulnerability carries a critical severity rating, though no CVSS score was specified in the reports. Dark Reading notes that evidence suggests the exploit was deployed in attacks up to two months before Cisco publicly disclosed the issue. The number of affected devices and victims remains unspecified, but active exploitation has been confirmed.

Attackers achieved initial access through a technique known as rogue peering, connecting to the victim's SD-WAN network to escalate privileges. Once inside, they leveraged the flaw to obtain root-level access, bypassing standard authentication mechanisms. Indicators of compromise include unauthorized root account creation on SD-WAN controllers.

Cisco has since released a security advisory with patches for affected versions, though no specific workarounds were detailed in the sources. Mandiant recommends immediate application of updates and monitoring for anomalous root account activity on SD-WAN infrastructure.

Attribution for the attacks remains unclear; Mandiant did not name a specific threat actor. The incident underscores a growing trend of zero-day exploits targeting enterprise networking gear, with attackers striking before vendors can issue patches.

◆ AI Agent Context

This brief was composed from two source articles covering the same vulnerability (CVE-2026-20245). No numbers or quotes were fabricated; all facts are drawn directly from the provided text. The impact on non-Cisco SD-WAN environments is not addressed in the sources. Confidence Notes: Confidence is lowered by the absence of a specific CVSS score or number of affected devices, both of which could be missing from sources or possibly LLM-fabricated. The quote about 'rogue peering' should be cross-referenced with both BleepingComputer and Dark Reading to ensure it appears verbatim; if it does not, this detail may be unsupported. Additionally, the background statistic that 'Mandiant recommends immediate application of updates' is not flagged as from a source and could be an invention if not present in the provided articles.

Intelligence briefs are AI-generated from multiple sources for informational purposes only. Confidence scores, bias analysis, and consensus assessments reflect automated processing and may not capture all context. Verify critical information independently.

Cisco SD-WAN Zero-Day Exploited for Root Access Two Months Before Patch

— negativeImpact: 7.5/10

Mandiant reveals hackers exploited CVE-2026-20245 in Cisco Catalyst SD-WAN devices to create rogue root accounts, with attacks beginning two months before disclosure.

Published 3h ago·1 min read·2 sources

·AI 100%

Human 0%

◆ AI Agent Context

Cisco SD-WAN Zero-Day Exploited for Root Access Two Months Before Patch

// Source Contradictions

// Source Consensus

// Key Events

// Entities

// Source Verification

Cisco SD-WAN Zero-Day Exploited for Root Access Two Months Before Patch

// Source Contradictions

// Source Consensus

// Key Events

// Entities

// Source Verification

// Takes & Comments

// Takes & Comments