Post by Mandiant (part of Google Cloud)
219,501 followers
šØ NEW THREAT INTEL: Zero-Day Exploitation of vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager. š Details In early 2026, Mandiant identified a highly capable threat actor specifically targeting the SD-WAN infrastructure of a service provider. After establishing initial access via unauthorized peering connections, the attacker exploited the vulnerability to escalate privileges from a compromised administrative account to full root-level access via a malicious CSV file upload. To maintain operational security, the threat actor employed extensive anti-forensic techniques, selectively deleting files and reverting system configurations to minimize their footprint. š Outlook This campaign underscores the "living off the edge" paradigm, as threat actors increasingly target network orchestrators to bypass traditional perimeters and maintain stealthy, wide-scale access. Because these devices often act as a black box with limited telemetry, defenders must prioritize robust logging and proactive hunting to disrupt advanced adversaries. š ļø Remediation & Recommendations Organizations using Cisco Catalyst SD-WAN Manager must prioritize upgrading to fixed software releases immediately to remediate CVE-2026-20245. Before applying any patches, administrators should execute the request admin-tech command on all control-plane components to preserve critical forensic data. We strongly encourage defenders to proactively sweep for the provided IOCs, hunt for the identified TTPs, and implement recommended defense-in-depth hardening strategies. š Get the details, IOCs, and remediation and hardening guidance: https://goo.gle/4eXjDFD
Video Content