In June 2026, Mandiant reported that a serious vulnerability in Cisco's Catalyst SD-WAN, identified as CVE-2026-20245, was exploited by attackers starting in March, prior to Cisco's official disclosure of the flaw. Because of insufficient input validation, the vulnerability allows someone with admin credentials to escalate privileges to root-level access. Mandiant traced the initial access to "rogue peering connections" and noted a complex effort by the threat actors to erase traces of their actions post-intrusion.
Experts cautioned firms using affected devices to install necessary patches and maintain security practices to mitigate the risk of similar attacks.