CISA, researchers warn of escalating attacks using Cisco Catalyst SD-WAN flaws

https://www.cybersecuritydive.com/news/cisa-zero-day-cisco-catalyst-vulnerabilities/822494/

Publish Date: 2026-06-10 11:53:00

Source Domain: www.cybersecuritydive.com

Author:

The Cybersecurity and Infrastructure Security Agency on Tuesday added a zero-day flaw in the Cisco Catalyst SD-WAN product line to its Known Exploited Vulnerabilities catalog.
The flaw, tracked as CVE-2026-20245, could allow an attacker to execute arbitrary commands as root. The vulnerability, which has a severity score of 7.8, could enable an attacker to conduct command injection attacks on a targeted system.
Cisco on Thursday said it had observed limited cases where the flaw was exploited in order to push configuration changes to edge devices. Cisco said that, in order to exploit the vulnerability, an attacker needs network administrator privileges on an affected system.
To launch these attacks, an attacker would need valid credentials or would have to have previously exploited CVE-2026-20182 or CVE-2026-20127.

Escalating threat
Cisco disclosed CVE-2026-20182 in May. The authentication bypass vulnerability has a severity score of 10, the highest level on the scale.  
Researchers at Rapid7 told Cybersecurity Dive the activity fits a pattern of exploitation seen in SD-WAN products. 
“The authentication bypasses are the front door, and once threat actors are through they chain additional vulnerabilities to deepen their access,” said Jonah Burgess, senior security researcher at Rapid7.
Cisco Talos researchers linked the May threat activity to a cluster tracked as UAT-8616.
CISA in May issued an updated advisory noting that the exploitation of vulnerabilities in Cisco SD-WAN has been an ongoing issue. The agency warned that threat actors have been exploiting CVE-2026-20127 to gain initial access and then using CVE-2022-20775 to escalate privileges and gain long-term persistence in Cisco SD-WAN systems.
In coordination with another federal agency, CISA found evidence of exploitation of CVE-2026-20182 starting in April. 
Cisco on Friday said customers should upgrade to the fixed software release issued in May in response to CVE-2026-20182. The company is still working on a patch to address the newly disclosed vulnerability, CVE-2026-20245.