Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access

Source: thehackernews.com | Date: 2026-06-25 | Category: AI supply chain | Severity: High

What Happened

An unknown threat actor exploited a recently disclosed high-severity security flaw in Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant. The vulnerability, tracked as CVE-2026-20245 (CVSS score: 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges.

Why It Matters

The article reports that CVE-2026-20245, a high-severity command-injection vulnerability (CVSS 7.8) in the CLI of Cisco Catalyst SD-WAN Manager, was exploited as a zero-day months before public disclosure, allowing authenticated attackers with netadmin-level access to execute arbitrary commands as root and push configuration changes to edge devices.[1][2][4][7] Cisco and Mandiant note that exploitation requires valid credentials or prior compromise via other Cisco SD-WAN flaws (e.g., CVE-2026-20182 or CVE-2026-20127), and that all major deployment types—including cloud-managed and FedRAMP—are affected.[1][2][3][4] From a CyberSE.AI perspective, any AI or data workloads that transit or depend on SD-WAN-managed networks inherit this infrastructure risk: a successful attacker with root on SD-WAN Manager could manipulate routing, inspection, or segmentation around AI systems, undermining network-based controls, observability, and data integrity for AI pipelines. Organizations should treat SD-WAN as a critical component in the AI supply chain, ensure SBOM and dependency visibility around Cisco SD-WAN components, and integrate SD-WAN configuration and log telemetry into continuous AI ris

Tags: Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html