Cisco SD-WAN Flaw Exploited Months Before Disclosure
2026-06-25 14:15 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The discovery of a severe vulnerability in Cisco Catalyst SD-WAN Manager has exposed Cisco edge devices to unauthorized access, with potentially catastrophic consequences. Cisco disclosed the flaw on June 4 after observing limited cases in which exploitation resulted in configuration changes being pushed to affected devices. Researchers at Mandiant, part of Google Cloud, identified a threat actor targeting SD-WAN infrastructure as early as late 2025 and observed further unauthorized peering connections in January 2026. This malicious activity could be linked to the exploitation of CVE-2026-20127 or CVE-2026-20182, two other critical vulnerabilities recently disclosed by Cisco that affect the peering authentication mechanism of SD-WAN controllers.
Technical Mitigations (AI-generated)
* Implement robust input validation and sanitization to prevent unauthorized data injection, for example through malicious CSV uploads.
* Regularly update and patch operating systems, network devices, and software applications so that known vulnerabilities such as CVE-2026-20245 are fixed promptly.
* Use secure protocols (e.g., SSH) for remote access and authentication, and limit the privileges of accounts with elevated access levels.
* Monitor network traffic and logs for suspicious activity, and deploy intrusion detection systems (IDS) or intrusion prevention systems (IPS) to detect potential threats in real time.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* CVE-2026-20182
* CVE-2026-20127
* CVE-2026-20245
* CVE-2022-20775
Target & Sectors
* Regions: NORTH_AMERICA, FIVE_EYES
* Sectors: technology, government
Incident Timeline
September 2022: Threat actors exploited the CVE-2026-20127 vulnerability in Cisco products before its official disclosure to gain admin rights and access NETCONF.
Source context: Cisco said at the time that attackers could exploit CVE-2026-20127 to gain admin rights, access NETCONF, and reconfigure the SD-WAN fabric, before exploiting CVE-2022-20775 (CVSS 7.8), a path traversal flaw discovered in September 2022, to gain root access.
At least 2023: Threat actors exploited a previously unknown Cisco vulnerability, UAT-8616, at least as early as 2023.
Between late 2025 and January 2026: Threat actors used a previously unknown vulnerability in Cisco's SD-WAN software to target the service provider between late 2025 and January 2026.
Source context: In a blog post this week, Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said they discovered CVE-2026-20245 when investigating attacks that targeted SD-WAN infrastructure at a service provider between late 2025 and January 2026.
Late 2025: Threat actors used rogue peering to gain initial access months before the Cisco vulnerability was publicly disclosed.
January 2026: Threat actors exploited CVE-2026-20127 to gain initial access via unauthorized peering connections.
Source context: They also identified that a threat actor exploited what is now known as CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to gain root-level access via a malicious CSV upload. They later found that a threat actor established initial access via unauthorized peering connections to facilitate Secure Shell (SSH) access and then used that access to manipulate default account passwords to evade detection.
March 2026: US agencies were warned to scrap end-of-support Edge devices due to a known vulnerability exploited months before its official disclosure.
Source context: "In the case of Cisco and the above CVE, the window has been open for at least two months before the patch and advisory."
June 4: Threat actors exploited the Cisco CVE-2026-20245 vulnerability months before its public disclosure.
Source context: The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20245 to its catalog of known exploited vulnerabilities on June 4.
June 10: Threat actors exploited a previously undisclosed Cisco vulnerability, CVE-2026-20245, in the Catalyst SD-WAN Manager software approximately 30 days before its official release.
Source context: The tech giant started releasing Catalyst SD-WAN Manager updates with the CVE-2026-20245 fix on June 10.
June 12: Threat actors exploited a privilege escalation vulnerability in Cisco systems for months before the company publicly disclosed it.
Source context: Cisco released final fixes for affected versions on June 12 after initially disclosing the flaw eight days before, citing limited exploit activity.
June 23: Threat actors exploited a previously undisclosed Cisco vulnerability months before its official disclosure.
Source context: The agency gave the Federal Civilian Executive Branch (FCEB) a June 23 deadline to address the flaw or to stop using affected systems until they did.
June 24: Threat actors used a previously undisclosed vulnerability in Cisco's SD-WAN software to target infrastructure at a service provider.
Source context: In a new report published on June 24, security researchers at Mandiant, part of Google Cloud, said they identified a threat actor targeting SD-WAN infrastructure at a service provider in early 2026.
Late 2025 to January 2026: Threat actors exploited a previously undisclosed Cisco vulnerability in the late 2025 to January 2026 timeframe.
2026/06/25: Threat actors exploited a severe vulnerability in Cisco products, including the SD-WAN Manager and Validator devices, at least two months before its disclosure.
Source context:
Tracked as CVE-2026-20245, this high-severity (CVSS 7.8) privilege escalation vulnerability stems from insufficient validation of user-supplied input in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart.
The company described CVE-2026-20245 as a flaw that attackers could exploit only if they already had valid netadmin privileges, or if they chained the vulnerability with two previously disclosed zero-days in Catalyst SD-WAN Controller, CVE-2026-20182 or CVE-2026-20127.
They recommended that organizations running the affected devices immediately install Cisco's patches for the different vulnerabilities, implement Cisco's Catalyst SD-WAN hardening and logging guidelines, and scan for known indicators of compromise.
The update comes weeks after Cisco disclosed another zero-day affecting Catalyst SD-WAN, suggesting that it had been exploited for at least a week at the time.
Initial Access Via Rogue Peering
In the attacks, the threat actor gained initial access via "rogue peering connections" to the victim's SD-WAN Manager devices, likely by exploiting either CVE-2026-20127 or CVE-2026-20182, the previously disclosed SD-WAN Controller zero-days.
CVE-2026-20127 is also an authentication bypass vulnerability in SD-WAN Controller that Cisco disclosed in February, crediting the Australian Cyber Security Centre for its discovery.
For context, CVE-2026-20182 is a maximum severity authentication bypass vulnerability in its SD-WAN Controller that Cisco disclosed after researchers at Rapid7 reported the flaw.
Customers should not have to make any new changes, provided that they upgraded their software to a fixed version across all systems when the advisory was first published in February, not just SD-WAN Controller and SD-WAN Manager.
Cisco Vulnerability Exploited Months Before Disclosure, Google Warns
A threat actor started exploiting a severe vulnerability in Cisco products at least two months before the flaw was disclosed, a new Google report warned. It affects several versions of Cisco Catalyst SD-WAN Manager as well as related products like Cisco Catalyst SD-WAN Validator.
Vulnerability Disclosure in June, Exploitation in March
Cisco adds another SD-WAN box to max-severity bug advisory
Switchzilla made a small amendment to the original advisory on Tuesday evening, noting that Cisco Catalyst SD-WAN Validator, formerly vBond, was also among the boxes attackers could pop open.
Ollie Whitehouse, NCSC-UK's CTO, said at the time: "Our new alert makes clear that organizations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise. UK organizations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation."
The Register asked Cisco for more information, but it did not immediately respond.
Early 2026: Threat actors used a previously unknown vulnerability in Cisco's SD-WAN software to target infrastructure at a service provider.
Intelligence Sources
* The Register - Cybercrime, 2026-06-17: Cisco adds another SD-WAN box to max-severity bug advisory
* Dark Reading, 2026-06-24
* Infosecurity-Magazine, 2026-06-25: Cisco Vulnerability Exploited Months Before Disclosure, Google Warns
Incident Version History
Last Updated: 2026-06-29T06:24
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 26x organisation (Identified Entity): CLI
* 15x timeline (Temporal Reference): June 10
* 4x vulnerability (Exploited CVE): CVE-2026-20245
* 2x target region (Target Country): United States
* 2x industry (Targeted Sector): Government
* 2x tactic (Cyber Operation Type): Privilege Escalation
* 2x attribution (Attributing Entity): The US Cybersecurity and Infrastructure Security Agency
* 2x general metric: CVE-2022-20775
Contextual Telemetry (Context Block, 3 metrics)
* vulnerability (CVSS Score): 8
* source region (Origin Country): United States
* target region (Target Region): FIVE_EYES