Mandiant has detailed how attackers exploited a Cisco Catalyst SD-WAN vulnerability (CVE-2026-20245) in zero-day attacks to gain root access and establish rogue administrator accounts on compromised devices.
Security researchers at Mandiant have released technical analysis of how the Cisco SD-WAN vulnerability was weaponized in active attacks. The flaw allowed threat actors to bypass authentication mechanisms and achieve root-level privileges on Catalyst SD-WAN edge devices.
The zero-day attacks resulted in the creation of unauthorized root accounts, granting attackers persistent administrative access to affected infrastructure. This level of access enables complete device control, including the ability to intercept traffic, modify configurations, and establish persistent footholds within enterprise networks.
SD-WAN (Software-Defined Wide Area Network) devices are critical infrastructure components used by organizations to manage branch office connectivity. Compromise of these devices poses significant risk to network security and data integrity.
Cisco has released patches to address CVE-2026-20245. The company urged customers to apply updates immediately, particularly organizations running vulnerable versions of Catalyst SD-WAN software.
Mandiant's disclosure includes technical details on the exploitation chain, helping organizations understand the attack methodology and validate their remediation efforts. The firm noted that the vulnerability required no user interaction and could be exploited remotely by unauthenticated attackers.
Organizations should prioritize patching SD-WAN devices, but patching alone does not remove accounts an attacker has already created: security teams should compare the privileged accounts present in each device's configuration against an approved baseline, review authentication and accounting logs for account creation and for administrative logins from unexpected sources, and treat any unrecognized privileged account as an indicator of compromise rather than a housekeeping item. Security teams should also consider isolating affected devices from production networks until patches are verified and deployed.
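As an added illustration of the account audit described above (example code written for this page, not tooling from Mandiant or Cisco), the script below extracts privileged accounts from a device configuration and diffs them against an approved list. The two line shapes it recognizes are assumptions for the example: an IOS XE-style `username <name> privilege <n>` line and a Viptela-style `user <name>` block containing `group <name>`, with `netadmin` assumed to be the full-administrator group. The sample configuration is constructed and deliberately mixes both shapes so that both parsers are exercised.

```python
"""Audit privileged accounts in an SD-WAN edge config against an approved baseline.

Example code added for this page; not Mandiant's or Cisco's tooling. The line
shapes below are assumptions modelled on two common syntaxes, and the sample
configuration is constructed for demonstration.
"""
import re
from dataclasses import dataclass

# Assumed line shapes (example assumption, not a statement of exact product syntax):
#   IOS XE style:  username <name> privilege <n> secret ...
#   Viptela style: user <name>   (block)  ... group <groupname> ... !
IOSXE_USER = re.compile(r"^\s*username\s+(\S+)\s+privilege\s+(\d+)\b")
VIPTELA_USER = re.compile(r"^\s*user\s+(\S+)\s*$")
VIPTELA_GROUP = re.compile(r"^\s*group\s+(\S+)\s*$")
PRIVILEGED_GROUPS = {"netadmin"}  # assumption: netadmin grants full administration


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    evidence: str  # what in the config made us call it privileged (or not)


def parse_accounts(config: str) -> list[Account]:
    """Walk the config once, collecting flat IOS XE lines and Viptela user blocks."""
    accounts: list[Account] = []
    user = None          # name of the Viptela user block currently open
    groups: set[str] = set()

    def flush() -> None:
        # Emit the open Viptela block (if any) as an Account.
        if user is not None:
            accounts.append(Account(user, bool(groups & PRIVILEGED_GROUPS),
                                    f"groups={sorted(groups)}"))

    for line in config.splitlines():
        m = IOSXE_USER.match(line)
        if m:
            level = int(m.group(2))
            accounts.append(Account(m.group(1), level >= 15, f"privilege {level}"))
            continue
        m = VIPTELA_USER.match(line)
        if m:
            flush()
            user, groups = m.group(1), set()
            continue
        if line.strip() == "!":        # block terminator closes the open user
            flush()
            user, groups = None, set()
            continue
        m = VIPTELA_GROUP.match(line)
        if m and user is not None:
            groups.add(m.group(1))
    flush()
    return accounts


def audit(config: str, approved_admins: set[str]) -> dict[str, list[str]]:
    """Return privileged accounts not in the baseline, and baseline accounts not found."""
    privileged = {a.name for a in parse_accounts(config) if a.privileged}
    return {
        "unexpected_privileged": sorted(privileged - approved_admins),
        "missing_approved": sorted(approved_admins - privileged),
        "all_privileged": sorted(privileged),
    }


# Constructed sample: two expected admins, one read-only user, one rogue
# 'support_svc' account in the netadmin group, and a flat IOS XE-style
# privilege-15 'backup' user that is not on the approved list.
SAMPLE_CONFIG = """\
system
 aaa
  auth-order local radius
  user admin
   password $6$redacted
   group netadmin
  !
  user netops
   password $6$redacted
   group netadmin
  !
  user readonly
   password $6$redacted
   group basic
  !
  user support_svc
   password $6$redacted
   group netadmin
  !
 !
!
username backup privilege 15 secret 9 $9$redacted
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG, {"admin", "netops"}), indent=2))
```

Run the same audit across every edge device (for example by feeding each device's saved running configuration through `audit`) and alert on a non-empty `unexpected_privileged` list; an account that appears there after a device was exposed to this flaw should be handled as an incident, not simply deleted.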
This vulnerability adds to a growing list of critical infrastructure flaws discovered in networking equipment. Mandiant recommends organizations implement network segmentation and monitor SD-WAN devices for anomalous behavior as interim defensive measures.