A zero-day vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20245, was exploited by attackers months before its public disclosure, allowing privileged command execution. Mandiant reported that an attacker holding netadmin privileges could execute arbitrary commands by uploading a crafted file, because the upload path performed insufficient input validation. The flaw affects multiple deployment models, including on-premises and cloud environments, and lets an attacker escalate privileges to root.
Mandiant documented an intrusion into a service provider's infrastructure between late 2025 and March 2026, highlighting a continuing trend of exploiting such vulnerabilities in edge devices to gain long-term network access. Cisco confirmed it was aware of the exploitation and released fixes.