Cisco customers encounter another SD-WAN zero-day under attack
https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/
Publish Date: 2026-06-09 10:03:30
Source Domain: cyberscoop.com
Cisco Customers Under Threat from New Zero-Day Vulnerability in SD-WAN Software
Cisco disclosed an actively exploited zero-day vulnerability in its SD-WAN management software, the seventh such security defect this year. Tracked as CVE-2026-20245, the vulnerability is a command-injection flaw that allows attackers with authenticated or local access to execute commands as root. Cisco confirmed active exploitation but stated that a security patch is not yet available. The company attributed the limited instances of exploitation to cases where attackers leveraged prior vulnerabilities or different initial access methods. As a preventive measure, Cisco urged customers to upgrade to the fixed software released in response to previous vulnerabilities. Cisco has shared some indicators of compromise, but the same indicators can also occur during typical operations, making it difficult to distinguish legitimate activity from attacks. Affected organizations are advised to contact Cisco Technical Assistance Centers for further assistance.
Key Points:
- Cisco disclosed CVE-2026-20245, marking the seventh zero-day vulnerability exploited in its SD-WAN software this year.
- The vulnerability permits attackers with authenticated access or local privileges to execute commands as root.
- No patch is available yet; Cisco stated that its efforts are focused on developing a fix.
- Cisco noted limited exploitation cases but emphasized that these may have relied on prior vulnerabilities or new access methods.
- To mitigate risks, Cisco recommended upgrading to the May software release that addressed CVE-2026-20182.