An unknown threat actor exploited a zero-day vulnerability in Cisco's Catalyst SD-WAN software for at least two months before the company publicly disclosed it, according to an investigation published by Google-owned Mandiant. The prolonged, pre-disclosure campaign highlights the strategic value attackers place on network management infrastructure and challenges the common assumption that vulnerabilities requiring authentication are low-risk.

The flaw, tracked as CVE-2026-20245, carries a CVSS base score of 7.8 according to the source report. It allows an authenticated attacker to execute privileged commands on affected systems. Mandiant's findings confirm the vulnerability was actively exploited as a zero-day before any patch was available.

A critical insight from the investigation is that the authentication requirement does far less to lower the real-world risk than the "authenticated" label implies. Attackers frequently obtain legitimate credentials through social engineering, phishing, or credential stuffing, targeting staff with administrative access. Once they hold such credentials, this vulnerability provides a direct path to full, privileged control over the SD-WAN management plane.

SD-WAN controllers are high-value targets for sophisticated adversaries. They offer a central vantage point for visibility and control over an organization's distributed routing, security policies, and network traffic. Compromising such a system can grant an attacker profound operational insight and disruptive capability, making it a prime objective for both espionage and sabotage.

The two-month gap between the start of exploitation and vendor disclosure underscores a stark reality for defenders: relying solely on vendor patch cycles creates a significant window of exposure. Proactive monitoring for anomalous activity on critical network management systems—such as unexpected logins or configuration changes—is therefore essential for early detection of such threats.

Cisco has now released patches to remediate the vulnerability. The company strongly advises immediate application. Alongside patching, security teams are recommended to harden all credentials associated with SD-WAN administrative access and to conduct thorough log reviews for indicators of compromise.
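The monitoring and log-review advice above is concrete enough to show as working detection logic. The following is an added example, not code from Cisco, Mandiant, or the article: it runs a small set of rules over constructed, syslog-style management-plane audit lines. The line format, field names (`login_success`, `login_failed`, `config_change`, `user=`, `src=`), the admin network, the change window, and the failure threshold are all assumptions chosen for illustration, not Cisco SD-WAN's actual audit format. It flags administrative logins from outside the expected admin network, a success following a burst of failed logins (the credential-stuffing pattern the article mentions), and configuration changes made outside an approved change window or from an unexpected source.

```python
"""Toy detection pass over constructed SD-WAN management-plane audit logs.

Added example: this is not Cisco's log format or Mandiant's detection logic.
The line format, field names and thresholds below are assumptions chosen for
illustration; adapt parse_line() to the audit/AAA logs your controller emits.
"""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Baseline of what "expected" looks like for this hypothetical environment.
ADMIN_NETWORKS = [ip_network("10.10.0.0/24")]   # assumed jump-host / admin VLAN
CHANGE_WINDOW = (time(1, 0), time(5, 0))         # assumed approved change hours, UTC
FAILED_LOGIN_THRESHOLD = 5                      # failures before a success is suspicious

# Constructed sample lines (not real telemetry). Assumed format:
# <ISO-8601 UTC> <event> user=<name> src=<ip> [detail=<text>]
SAMPLE_LOG = """\
2026-02-02T02:10:00Z login_success user=netops src=10.10.0.15
2026-02-02T02:12:30Z config_change user=netops src=10.10.0.15 detail=policy-update
2026-02-03T14:01:05Z login_failed user=netops src=203.0.113.7
2026-02-03T14:01:09Z login_failed user=netops src=203.0.113.7
2026-02-03T14:01:13Z login_failed user=netops src=203.0.113.7
2026-02-03T14:01:17Z login_failed user=netops src=203.0.113.7
2026-02-03T14:01:21Z login_failed user=netops src=203.0.113.7
2026-02-03T14:01:40Z login_success user=netops src=203.0.113.7
2026-02-03T14:03:02Z config_change user=netops src=203.0.113.7 detail=template-push
"""


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    if "user" not in rec or "src" not in rec:
        return None
    try:
        ip_address(rec["src"])   # reject lines whose source is not a valid IP
    except ValueError:
        return None
    return rec


def in_admin_network(src):
    """True when the source address falls inside an expected admin network."""
    return any(ip_address(src) in net for net in ADMIN_NETWORKS)


def in_change_window(ts):
    """True when the timestamp falls inside the approved change window."""
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def detect(log_text):
    """Return a list of (rule, user, src, iso_timestamp) findings, in log order."""
    findings = []
    failures = defaultdict(int)   # (user, src) -> consecutive failed logins so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key, when = (rec["user"], rec["src"]), rec["ts"].isoformat()
        if rec["event"] == "login_failed":
            failures[key] += 1
            continue
        if rec["event"] == "login_success":
            # A success right after a run of failures is the credential-stuffing shape.
            if failures[key] >= FAILED_LOGIN_THRESHOLD:
                findings.append(("success_after_failures", rec["user"], rec["src"], when))
            failures[key] = 0
            if not in_admin_network(rec["src"]):
                findings.append(("login_from_unexpected_source", rec["user"], rec["src"], when))
        elif rec["event"] == "config_change":
            if not in_admin_network(rec["src"]):
                findings.append(("config_change_from_unexpected_source", rec["user"], rec["src"], when))
            if not in_change_window(rec["ts"]):
                findings.append(("config_change_outside_window", rec["user"], rec["src"], when))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the first day's activity (admin network, inside the change window) produces nothing, while the second day yields four findings for the same account: a success after five failures, a login from outside the admin network, and a configuration change that is both off-network and outside the window. That is exactly the case the article warns about: valid credentials, so no exploit signature to match, but behaviour that a baseline of expected admin activity makes visible.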

Neither Cisco nor Mandiant has disclosed the number of organizations impacted, nor has the threat actor been attributed to a known advanced persistent threat group. The motivation behind the campaign remains unknown, leaving defenders to prioritize immediate system hardening without specific threat intelligence.

This incident fits a broader trend of threat actors targeting edge and network infrastructure. For IT and security teams, it reinforces the necessity of a layered defense: rigorous patch management, strict access controls, and continuous monitoring of core network systems to detect and contain breaches before they escalate.

