Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager
Essential information
- Published: 25/06/2026 17:21
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: cisco, catalyst, credential manipulation, cve-2026-20245, sd-wan, zero-day
- Related entities: 3 vulnerabilities (CVE), 9 indicators, 8 observables, 19 techniques (MITRE)
Description
In early 2026, a threat actor targeted SD-WAN infrastructure at a service provider, exploiting a zero-day vulnerability in Cisco Catalyst SD-WAN to escalate privileges. The attacker initially gained access through unauthorized peering connections and manipulated default account passwords. They then exploited CVE-2026-20245, a privilege escalation flaw in the file upload feature, by uploading a malicious CSV file to obtain root-level access. The vulnerability allowed a privileged user account to be created by manipulating system password files. Throughout the intrusion, the threat actor employed extensive anti-forensic techniques: systematically deleting malicious files, restoring modified system configurations, and running validation scripts to confirm that indicators had been removed. This campaign illustrates the "living off the edge" paradigm, in which adversaries compromise network appliances to bypass traditional security perimeters and maintain persistent access.