Cisco customers encounter another SD-WAN zero-day under attack | CyberScoop<\/title> <meta name=\"description\" content=\"The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Cisco customers encounter another SD-WAN zero-day under attack\"> <meta property=\"og:description\" content=\"The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-06-09T14:03:30+00:00\"> <meta property=\"article:modified_time\" content=\"2026-06-09T14:03:33+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1778775768g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1780427069g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/89334\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=89334\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisco-sdwan-zero-day-vulnerability-exploited-cve202620245%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisco-sdwan-zero-day-vulnerability-exploited-cve202620245%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-89334 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.094674556213\">\n<div class=\"single-article__header-content\" readability=\"35.34036939314\">\n<p> The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/89334\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> The Cisco Systems logo is displayed at the Mobile World Congress (MWC) in Barcelona on February 25, 2019. (GABRIEL BOUYS \/ AFP) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"30.070269487105\"><body readability=\"61.940654843111\"><\/p>\n<p>Cisco customers are confronting yet another actively exploited zero-day vulnerability affecting the vendor\u2019s SD-WAN management software, reinforcing pressure on organizations that have experienced rare breaks from active threats this year.<\/p>\n<p>The vulnerability \u2014 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-20245\">CVE-2026-20245<\/a> \u2014 marks the seventh actively exploited zero-day in Cisco SD-WANs this year.<\/p>\n<p>Cisco said it first became aware of active exploitation of the latest defect in the network management software earlier this month. The company disclosed the vulnerability, which was first spotted by Mandiant, on Thursday and warned that a security patch is not yet available and there are no workarounds to mitigate the defect in the meantime.<\/p>\n<p>\u201cA patch for this vulnerability will be provided on a future date,\u201d a company spokesperson said in a statement. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Cisco did not attribute the attacks to any specific group, describe the objectives of those attacks or share how many organizations have already been impacted.<\/p>\n<p>The validation error defect affecting the Cisco Catalyst SD-WAN Manager allows authenticated or local attackers to execute commands as root, resulting in command-injection attacks on an affected system, the company said.<\/p>\n<p>Yet, the scope of potential impact may be limited because exploitation requires valid credentials or privileged access through other means. Cisco said exploitation of a pair of zero-days it disclosed earlier this year \u2014 <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-20182\">CVE-2026-20182<\/a> or <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-20127\">CVE-2026-20127<\/a> \u2014 could allow attackers the access required to exploit the new vulnerability. <\/p>\n<p>The company said it is \u201cnot aware of successful exploitation by other means,\u201d adding that it \u201cobserved limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.\u201d<\/p>\n<p>Landon Rice, senior exploit developer at VulnCheck, said the need for existing privileges \u201cmakes an attacker heavily reliant on previous vulnerabilities, or a net-new initial access vector, in order to be able to reach the privilege escalation path.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Cisco advised customers to upgrade to fixed software released in May as <a href=\"https:\/\/cyberscoop.com\/cisco-sd-wan-zero-day-exploited\/\">part of its response to CVE-2026-20182<\/a> as a protective measure. <\/p>\n<p>Absent a patch that would provide organizations more protection against the new vulnerability, Cisco provided some indicators of compromise but noted that those same log entries may occur during standard operations. The company encouraged customers that need help distinguishing between legitimate and malicious activity to contact Cisco Technical Assistance Centers.<\/p>\n<p>Cisco isn\u2019t the only security vendor facing an onslaught of attacks on its customers, but it is <a href=\"https:\/\/cyberscoop.com\/cisco-firewall-sd-wan-vulnerabilities-exploited\/\">among the most heavily targeted<\/a>. The Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities affecting <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog?search=&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=&f%5B0%5D=vendor_project%3A801\">Cisco SD-WANs and firewalls<\/a> to its known exploited vulnerabilities catalog this year, not including CVE-2026-20245, which has yet to be added to the catalog.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.457528957529\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco customers encounter another SD-WAN zero-day under attack | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1764,78,452,99,288,4136,643,2281,1544,1170],"tags":[1769,86,454,103,294,4140,645,2283,1545,1171],"class_list":["post-8729","post","type-post","status-publish","format-standard","hentry","category-cisco","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-sd-wan","category-threats","category-vulncheck","category-vulnerabilities","category-vulnerability","category-zero-day","category-zero-days","tag-cisco","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-sd-wan","tag-threats","tag-vulncheck","tag-vulnerabilities","tag-vulnerability","tag-zero-day","tag-zero-days"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisco\/\" rel=\"category tag\">Cisco<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sd-wan\/\" rel=\"category tag\">SD-WAN<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulncheck\/\" rel=\"category tag\">VulnCheck<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability\/\" rel=\"category tag\">vulnerability<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-day\/\" rel=\"category tag\">Zero-day<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-days\/\" rel=\"category tag\">zero-days<\/a>","tag_info":"zero-days","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8729"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8729\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8729,"date":"2026-06-09T09:03:30","date_gmt":"2026-06-09T14:03:30","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=89334"},"modified":"2026-06-09T09:03:30","modified_gmt":"2026-06-09T14:03:30","slug":"cisco-customers-encounter-another-sd-wan-zero-day-under-attack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/06\/09\/cisco-customers-encounter-another-sd-wan-zero-day-under-attack\/","title":{"rendered":"Cisco customers encounter another SD-WAN zero-day under attack"},"content":{"rendered":"