general · TheHackerNews
According to Mandiant research, a high-severity vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20245, CVSS 7.8) was exploited as a zero-day for at least two months before public disclosure. The flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands with elevated privileges through a crafted file upload. The attack targeted a communications service provider, with two distinct intrusion periods detected: one between late 2025 and January 2026, and another in March 2026. During the first wave, attackers leveraged authentication bypass vulnerabilities (CVE-2026-20127 or CVE-2026-20182) to establish unauthorized peering connections. In the second wave, they used a malicious CSV file to exploit CVE-2026-20245, escalating to root access and creating a hidden user account named "troot." Attackers employed anti-forensic techniques throughout, deleting modified files and restoring configurations to avoid detection.
For Omniware's clients, this incident underscores critical risks in SD-WAN and edge device deployments. Defense contractors managing classified or controlled unclassified information (CUI) should audit SD-WAN controller access controls and patching cadences, as CMMC and NIST 800-171 require inventory and rapid remediation of known vulnerabilities. SaaS platforms and healthcare providers relying on SD-WAN for data fabric security should verify credential rotation policies and implement detection for suspicious admin activity and unexpected peering connections. The attack's use of zero-days in devices lacking native endpoint detection emphasizes why SOC2 Type II audits and HIPAA risk assessments must address network infrastructure hardening. An Omniware engagement can scope SD-WAN security posture, access control review, and forensic readiness in detail.
Source: The Hacker News - https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-daySource: TheHackerNewsAll briefings
Source: TheHackerNews
All briefings