Cisco warns of active zero-day in SD-WAN Manager
Unpatched vulnerability allows attackers to escalate to root privileges on Catalyst SD-WAN Manager; no fix yet available.
Cisco disclosed Thursday that attackers are actively exploiting a high-severity zero-day vulnerability in its Catalyst SD-WAN Manager platform. Tracked as CVE-2026-20245, the flaw permits authenticated attackers to escalate privileges to root level on affected systems.
The vulnerability resides in the web interface of Cisco Catalyst SD-WAN Manager, a centralized management platform used by enterprises to configure and monitor software-defined wide area networks. Exploitation requires prior authentication, but once inside, an attacker can execute arbitrary commands with root privileges.
Cisco has not yet released a patch. The company confirmed active exploitation in the wild but provided no timeline for remediation. Organizations running Catalyst SD-WAN Manager should assume compromise is feasible for any actor with valid credentials or access to the management interface.
1. Enterprises using Cisco Catalyst SD-WAN Manager face elevated risk of network compromise until patch release.
2. Attackers with valid credentials can gain root access, enabling traffic interception and infrastructure reconfiguration.
3. Managed service providers operating SD-WAN infrastructure for clients should audit access controls immediately.
Ransomware attack executed entirely by AI agent, researchers report
JadePuffer operation marks what may be the first documented case of a fully autonomous LLM-driven ransomware deployment from reconnaissance to encryption.
Agentic AI Executes Multi-Stage Ransomware Attack via Langflow
Demonstration shows large language model agents autonomously combining exploitation techniques with real-time reasoning to conduct complex intrusions without human intervention.
FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.