The hits keep on coming for Cisco vulnerabilities
CVE-2026-20230 under exploitation, while an earlier SD-WAN 0-day looks even worse than we thought
Jessica Lyons
Published Wed 24 Jun 2026 // 23:27 UTC
It’s looking like another tough week (month? year?) for Switchzilla amid reports of new serious vulnerabilities under attack.

First up is a server-side request forgery bug in its Unified Communications Manager tracked as CVE-2026-20230.

Cisco disclosed and patched this flaw in early June. The comms control platform doesn’t properly validate some HTTP requests, and an attacker could exploit this bug to gain root privileges on a compromised device.
At the time, Cisco said that a proof-of-concept exploit was available – and now it seems unknown miscreants are putting that exploit code to use, with threat intel company Defused warning that it observed miscreants exploiting CVE-2026-20230 over the weekend.
“The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell under /platform-services/axis2-web/,” the firm noted on LinkedIn.

Cisco Catalyst SD-WAN zero day

Then, a Mandiant advisory on Wednesday warned that a Cisco SD-WAN zero-day tracked as CVE-2026-20245 was exploited much earlier than initially disclosed, including at a communications service provider where the attacker elevated a compromised admin account to full root-level access.

“Mandiant suspected it might be a zero-day during its initial investigation, but deeper forensic analysis was required to confirm the exploit of a new flaw. The June date in Cisco’s advisory reflects when the vulnerability was officially validated, patched, and publicly disclosed,” Pete Boonyakarn, Senior Cyber Security Consultant, Mandiant - Google Cloud, told The Register.

While the Google-owned threat hunting biz said it can't assess the full scope of the intruders' post-compromise activity, this SD-WAN device compromise could have been dire, potentially giving the attacker total visibility across an entire corporation's internet traffic. This is what makes SD-WAN zero-days such a hot target for government-sponsored spies looking to set up shop for long-term snooping activities.

It also explains the rash of attackers battering Cisco SD-WAN devices since the start of the year.
Cisco had issued an advisory for CVE-2026-20245 in early June, admitting that attackers had a head start on abusing this security hole. “In June 2026, the Cisco PSIRT became aware of exploitation of this vulnerability,” the vendor said at the time.
In a Wednesday report, however, Google’s Mandiant incident response and consulting biz reported that exploitation of this bug – Cisco’s sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months – began much earlier.

“In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider,” Mandiant threat hunters Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan wrote. “After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.”

The attacker gained initial access via an unauthorized peering connection, abusing the SD-WAN fabric to authenticate between network components and facilitate Secure Shell (SSH) access. In this case, they authenticated to the SD-WAN manager device via SSH using the vmanage-admin account on the same victim devices.

Then, they changed the default password on the admin account, authenticated directly to the SD-WAN Manager web application interface using the admin account, and exfiltrated SD-WAN fabric configurations.

Likely in an effort to cover their tracks and not get caught, the attacker changed the password of the admin account back to its original one before terminating their active session.

Neither the vmanage-admin nor the admin accounts on Cisco Catalyst SD-WAN controllers possess root shell access, however. To gain root access, the attacker exploited CVE-2026-20245, which allows an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the vulnerable system.

The attacker uploaded a file named evil_tenant.csv that contained the exploit payload. Upon execution, the digital intruder created a user account named troot with full root privileges. Mandiant says it later observed the miscreant accessing this new troot...
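The two intrusion chains above (the Unified CM web shell dropped under /platform-services/axis2-web/, and the SD-WAN sequence of service-account SSH, admin password change and revert, CSV upload, then a new uid 0 account) all leave traces a defender can hunt for. The script below is an added example, not code from Cisco, Mandiant, Defused or The Register: it replays a constructed log in an invented "timestamp source event key=value" format and flags those behaviours. The log format, the hostnames, the IP addresses, the second-stage filename stage2.jsp and the allowlists are all assumptions; real Catalyst SD-WAN and Unified CM audit logs look different and need their own parser.

```python
"""Replay constructed audit events and flag the behaviours described in the
article. Added example; log format and sample values are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real device output). Line shape:
#   <ISO timestamp> <source> <event> key=value ...
SAMPLE_LOG = """\
2026-05-02T01:12:03Z sdwan-manager ssh_login user=vmanage-admin src=10.9.9.9 result=success
2026-05-02T01:13:10Z sdwan-manager password_change target=admin actor=vmanage-admin
2026-05-02T01:14:00Z sdwan-manager web_login user=admin src=10.9.9.9 result=success
2026-05-02T01:20:45Z sdwan-manager config_export user=admin size=4194304
2026-05-02T01:25:00Z sdwan-manager password_change target=admin actor=admin
2026-05-02T01:26:30Z sdwan-manager file_upload user=admin name=evil_tenant.csv
2026-05-02T01:26:41Z sdwan-manager user_add name=troot uid=0 actor=root
2026-05-02T09:00:00Z ucm-web http_request method=POST path=/platform-services/axis2-web/stage2.jsp src=203.0.113.7
2026-05-02T09:00:05Z ucm-web http_request method=GET path=/ccmadmin/index.jsp src=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed allowlists: accounts that legitimately hold uid 0, and service
# accounts that should never log in interactively over SSH.
EXPECTED_ROOT_USERS = {"root"}
SERVICE_ACCOUNTS = {"vmanage-admin"}
# Path named in the Defused write-up as the drop location for the UCM shell.
AXIS2_WEB_PREFIX = "/platform-services/axis2-web/"


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "source": m["source"], "event": m["event"]}
    ev.update(KV_RE.findall(m["rest"]))  # key=value pairs become dict entries
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=30)):
    """Return (rule, timestamp, detail) findings in log order."""
    findings = []
    pw_changes = defaultdict(list)  # target account -> change timestamps
    last_upload = None
    for ev in events:
        e = ev["event"]
        # Service account used for an interactive SSH session
        if e == "ssh_login" and ev.get("user") in SERVICE_ACCOUNTS and ev.get("result") == "success":
            findings.append(("interactive-ssh-by-service-account", ev["ts"], ev["user"]))
        # Two password changes on the same account inside the window: change-then-revert
        elif e == "password_change":
            prev = pw_changes[ev["target"]]
            if prev and ts(ev["ts"]) - ts(prev[-1]) <= window:
                findings.append(("password-change-and-revert", ev["ts"], ev["target"]))
            prev.append(ev["ts"])
        # Remember uploads so a following root account can be tied to them
        elif e == "file_upload":
            last_upload = ev
        # A uid 0 account outside the allowlist, optionally preceded by an upload
        elif e == "user_add" and ev.get("uid") == "0" and ev.get("name") not in EXPECTED_ROOT_USERS:
            detail = ev["name"]
            if last_upload and ts(ev["ts"]) - ts(last_upload["ts"]) <= window:
                detail += f" (after upload of {last_upload.get('name')})"
            findings.append(("unexpected-uid0-account", ev["ts"], detail))
        # Any request into the axis2-web path on the UCM web front end
        elif e == "http_request" and ev.get("path", "").startswith(AXIS2_WEB_PREFIX):
            findings.append(("ucm-axis2-web-request", ev["ts"], ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, when, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{when} {rule}: {detail}")
```

The rules are deliberately behavioural rather than signature-only: the password change-and-revert and the upload-then-uid-0 pairings would still fire if an attacker renamed evil_tenant.csv or troot, while the axis2-web path check catches the web shell location regardless of the JSP filename.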