The Hacker News, 2 min read

Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access

A threat actor exploited a zero-day vulnerability in Cisco Catalyst SD-WAN at least two months prior to its public disclosure, according to Mandiant. The vulnerability, identified as CVE-2026-20245 with a CVSS score of 7.8, allows an authenticated, local attacker to execute arbitrary commands with elevated privileges. Mandiant's analysis indicates that the exploitation occurred between November 2025 and January 2026, and the vulnerability was publicly disclosed on March 18, 2026. Successful exploitation grants the attacker root access to the affected devices.

The specific details of the exploit mechanism and the extent of the compromise remain under investigation by Mandiant and Cisco. Cisco has released security advisories and patches to address the vulnerability and urges customers to update their systems immediately to mitigate the risk of further exploitation. The incident highlights the persistent threat of zero-day exploits targeting critical network infrastructure and the importance of proactive security monitoring and rapid patching.
