Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
Summary
An unknown threat actor exploited CVE-2026-20245, a zero-day vulnerability in Cisco Catalyst SD-WAN, at least two months before its public disclosure. The flaw allows an authenticated local attacker to execute arbitrary commands with elevated (root) privileges.
IFF Assessment
Exploitation of a flaw before any fix or advisory existed means affected systems may already have been compromised. For exposed organisations the question is not only whether to patch but whether the actor has already used the vulnerability against them.
Severity
CVSS 7.8 (High). The score is held below Critical by its preconditions: the attacker must already hold valid credentials and local access to the device. Once those are met, the impact is arbitrary command execution with elevated privileges, so the flaw is best read as a privilege-escalation step inside a longer intrusion rather than an initial access vector.
CISA KEV: listed as actively exploited. Federal patch due date: June 23, 2026. Known ransomware campaign use: Unknown.
Defender Context
Because the flaw needs an existing authenticated local foothold, it matters most as the escalation step after an account or credential compromise. Defenders running Cisco Catalyst SD-WAN should confirm which accounts can reach the affected components locally, apply Cisco's fixed release as soon as it is available rather than waiting for the KEV due date, and review authentication and command logs covering at least the two months before disclosure, since the actor was active in that window before any advisory existed.
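As an added example (not from the original page), the following Python script shows how a defender can turn a KEV listing like the one above into a prioritised work list: it parses records in the shape of CISA's Known Exploited Vulnerabilities JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), matches them against a device inventory, and ranks the matches by time remaining before the federal due date. The KEV record for CVE-2026-20245 is constructed here from the facts on this page (CVE ID, vendor, product, due date, ransomware use "Unknown"); the hostnames and inventory are hypothetical, and product names are matched by substring, which is lossy, so the output should seed a review against Cisco's fixed-release list rather than replace it.

```python
"""KEV-driven patch prioritisation.

Added example, not part of the original advisory. Only the KEV fields
used below are included; the record for CVE-2026-20245 is constructed
from the facts on the page, and the inventory hostnames are hypothetical.
"""
import json
from datetime import date

# Constructed KEV-style feed excerpt (same field names as the real feed).
KEV_JSON = """
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-20245",
      "vendorProject": "Cisco",
      "product": "Catalyst SD-WAN",
      "dueDate": "2026-06-23",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed inventory with hypothetical hostnames. Software versions are
# omitted on purpose: this page does not state the fixed releases, so the
# version check has to come from Cisco's advisory, not from this script.
INVENTORY = [
    {"host": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager"},
    {"host": "sdwan-edge-07", "vendor": "Cisco", "product": "Catalyst SD-WAN Edge"},
    {"host": "core-fw-01", "vendor": "ExampleVendor", "product": "Firewall"},
]


def _norm(s: str) -> str:
    """Lower-case and collapse whitespace so name comparisons are forgiving."""
    return " ".join(s.lower().split())


def load_kev(text: str) -> list:
    """Return the list of vulnerability records from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def match_assets(kev_entries: list, inventory: list) -> list:
    """Pair each inventory asset with every KEV record whose vendor matches
    exactly and whose product name appears inside the asset's product name.
    Substring matching is deliberately loose: false positives are cheaper
    than a missed match when the entry is already under active exploitation."""
    hits = []
    for asset in inventory:
        for entry in kev_entries:
            same_vendor = _norm(asset["vendor"]) == _norm(entry["vendorProject"])
            product_hit = _norm(entry["product"]) in _norm(asset["product"])
            if same_vendor and product_hit:
                hits.append((asset, entry))
    return hits


def prioritise(kev_entries: list, inventory: list, today: date) -> list:
    """Build a work list sorted by urgency: overdue items first (negative
    days_left), then fewest days remaining, then known ransomware use."""
    rows = []
    for asset, entry in match_assets(kev_entries, inventory):
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({
            "host": asset["host"],
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry["knownRansomwareCampaignUse"],
        })
    # Stable sort keeps inventory order for ties, which keeps output deterministic.
    rows.sort(key=lambda r: (r["days_left"], r["ransomware"] != "Known"))
    return rows


if __name__ == "__main__":
    for row in prioritise(load_kev(KEV_JSON), INVENTORY, date.today()):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['host']:<16} {row['cve']:<16} due {row['due']} ({flag}) ransomware={row['ransomware']}")
```

Feeding the real feed in place of KEV_JSON only changes the input string; the matching and ranking stay the same. Because the KEV due date is a compliance deadline rather than a risk estimate, treat anything with an "Unknown" ransomware flag and an in-the-wild exploit history, as here, as urgent regardless of the days remaining.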