Google's Mandiant team has disclosed the exploitation of a Cisco Catalyst SD-WAN vulnerability, CVE-2026-20245, which allowed local authenticated attackers to execute arbitrary commands with root privileges. This flaw, the seventh SD-WAN product flaw identified in 2026, was exploited months before it was publicly reported. The attacker gained initial access via SSH in March 2026 and used this access to escalate privileges by manipulating the system's settings.
To avoid detection, the attacker deleted files and restored system configurations post-exploitation. Mandiant highlighted the trend of targeting network appliances as part of a strategy to bypass traditional security measures.