Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access
Summary
Mandiant has disclosed details about zero-day attacks exploiting a Cisco Catalyst SD-WAN vulnerability, tracked as CVE-2026-20245. Attackers used this flaw to establish unauthorized root access on compromised devices, creating rogue root accounts.
IFF Assessment
The exploitation of a zero-day vulnerability to gain root access on network devices represents a significant security compromise and a threat to network integrity.
Severity
The CVSS score of 9.8 reflects a critical severity, considering the potential for unauthorized root access (high impact on confidentiality, integrity, and availability) with a likely low attack complexity and widespread availability of exploit information.
CISA KEV: Listed as actively exploited. Federal patch due: June 23, 2026. Known ransomware use: Unknown.
Defender Context
This article highlights the ongoing threat of sophisticated zero-day exploits targeting critical network infrastructure. Defenders should prioritize timely patching and implement robust monitoring to detect unusual activity on SD-WAN devices, such as newly created privileged accounts, especially in the aftermath of such disclosures.
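One concrete monitoring check that follows from the rogue-root-account detail above is a baseline comparison of UID-0 accounts. The script below is an added example, not code from Mandiant, Cisco, or the article; it assumes the device's underlying OS exposes accounts in the standard /etc/passwd layout and that a trusted baseline allow-list of root-equivalent account names is known. The account lines it runs over are constructed for the demo and are not from a real device.

```python
"""Audit a passwd-style account list for unexpected UID-0 (root-equivalent)
accounts and report any that are not on a trusted baseline allow-list.

Assumptions (not from the article): the account list uses the standard
/etc/passwd layout name:password:UID:GID:GECOS:home:shell, and the
expected root-equivalent account names are known from a baseline.
"""

# Baseline allow-list of root-equivalent accounts (assumed; adjust per device)
EXPECTED_ROOT_ACCOUNTS = frozenset({"root"})

# Constructed sample input; NOT from a real SD-WAN device
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
svc_backup:x:0:0::/tmp:/bin/sh
# comment lines are ignored
malformed line without fields
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line.

    Blank lines, comments and entries with the wrong field count or a
    non-numeric UID are skipped so one bad line cannot abort the audit.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        try:
            uid_int = int(uid)
        except ValueError:
            continue
        yield name, uid_int, shell


def find_rogue_root_accounts(text, expected=EXPECTED_ROOT_ACCOUNTS):
    """Return sorted names of UID-0 accounts absent from the allow-list."""
    return sorted(
        name
        for name, uid, _shell in parse_passwd(text)
        if uid == 0 and name not in expected
    )


if __name__ == "__main__":
    for name in find_rogue_root_accounts(SAMPLE_PASSWD):
        print(f"ALERT: unexpected UID-0 account: {name}")
```

The check is deliberately allow-list based: any UID-0 account not in the baseline is flagged, so a renamed or newly added root-equivalent account surfaces regardless of what it is called. Run it periodically against account data collected from each device and alert on a non-empty result.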