Cisco SD-WAN Zero-Day Exploited Two Months Before Disclosure
Mandiant reports unknown threat actor gained root access via CVE-2026-20245, exploiting the flaw as a zero-day before Cisco's public advisory.
An unidentified threat actor exploited a high-severity vulnerability in Cisco Catalyst SD-WAN at least two months before its public disclosure, according to Mandiant. The flaw, designated CVE-2026-20245 and carrying a CVSS score of 7.8, permits authenticated local attackers to execute arbitrary commands with elevated privileges.
The zero-day exploitation window represents a significant operational security failure. Attackers with initial local access could escalate to root-level control, enabling persistent access, lateral movement, and data exfiltration across enterprise SD-WAN deployments. Cisco SD-WAN is widely deployed in corporate networks to manage distributed branch connectivity and cloud access.
Mandiant's attribution remains incomplete. The firm has not publicly linked the activity to a known threat group or nation-state sponsor. The two-month pre-disclosure exploitation period suggests either sophisticated reconnaissance or prior knowledge of the vulnerability through independent discovery or supply chain access.
- Enterprises using Cisco Catalyst SD-WAN face potential compromise if unpatched since April 2026.
- Threat actors demonstrated capability to exploit SD-WAN infrastructure before vendor awareness.
- Network defenders must audit local access logs for anomalous privilege escalation activity.
Ransomware attack executed entirely by AI agent, researchers report
JadePuffer operation marks what may be the first documented case of a fully autonomous LLM-driven ransomware deployment from reconnaissance to encryption.
Agentic AI Executes Multi-Stage Ransomware Attack via Langflow
Demonstration shows large language model agents autonomously combining exploitation techniques with real-time reasoning to conduct complex intrusions without human intervention.
FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.