Cisco SD-WAN flaw exploited as zero-day, grants admin access
Critical authentication bypass in Catalyst SD-WAN Controller allowed attackers to seize administrative control before patch release, Cisco confirms.
Cisco has disclosed that a critical vulnerability in its Catalyst SD-WAN Controller was exploited in the wild before a fix became available. Tracked as CVE-2026-20182, the flaw lets unauthenticated attackers bypass authentication and gain full administrative privileges on affected controllers.
The vulnerability resides in the authentication subsystem of the SD-WAN Controller, which enterprises use to centrally manage distributed network infrastructure. Exploitation requires network access to the management interface but no user interaction and no prior credentials. Cisco has not disclosed the scale of exploitation or attributed the activity to specific threat actors.
A patch was released concurrently with the advisory. Cisco rates the flaw CVSS 9.8 (critical). Organizations running Catalyst SD-WAN Controller in production, particularly those that expose the management interface to untrusted networks, face immediate risk. No workaround exists short of applying the update or isolating the controller from external access.
- Enterprises running unpatched Catalyst SD-WAN Controllers risk full network compromise through administrative takeover of the controller.
- Threat actors may have mapped and accessed vulnerable instances during the zero-day window, so a retroactive review of controller authentication and administrative logs is essential, not just patching.
- The SD-WAN attack surface is expanding as adoption grows; the centralized control plane is now a persistent adversary objective.
Ransomware attack executed entirely by AI agent, researchers report
JadePuffer operation marks what may be the first documented case of a fully autonomous LLM-driven ransomware deployment from reconnaissance to encryption.
Agentic AI Executes Multi-Stage Ransomware Attack via Langflow
Demonstration shows large language model agents autonomously combining exploitation techniques with real-time reasoning to conduct complex intrusions without human intervention.
FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.