Cisco Under Fire: SSRF and 0-Day in SD-WAN Actively Exploited
Two critical vulnerabilities put Unified Communications Manager and Catalyst SD-WAN at risk, with ongoing attacks exposing entire corporate networks.
June 25, 2026 · 3 min read
TL;DR: Cisco has two critical vulnerabilities under attack: an SSRF in Unified Communications Manager already exploited for root access, and a 0-day in SD-WAN used months before disclosure, allowing an attacker to escalate to root and exfiltrate network configurations.
What happened?
Two critical vulnerabilities in Cisco products are being actively exploited. The first, CVE-2026-20230, is a server-side request forgery (SSRF) in Cisco Unified Communications Manager (CUCM). Cisco patched the flaw in early June and a proof-of-concept already existed. Now, threat intelligence firm Defused has confirmed that attackers are using that exploit to deploy a malicious Apache Axis service, write a first-stage JSP, and ultimately a command execution shell in /platform-services/axis2-web/. The attacker gains root privileges on the compromised device.
The second, CVE-2026-20245, is a 0-day in Cisco Catalyst SD-WAN that allows a locally authenticated attacker to execute arbitrary commands as root via a crafted file. Cisco disclosed it in June, but Mandiant discovered that exploitation began much earlier, in early 2026. In an incident with a communications service provider, the attacker gained initial access through an unauthorized peering connection, abused the SD-WAN fabric to authenticate via SSH, changed the admin account password, exfiltrated configurations, and then, to avoid detection, restored the original password. To escalate to root, they uploaded a file named evil_tenant.csv containing the exploit payload, creating a troot account with full privileges.
Why is it important?
These vulnerabilities pose a serious threat to critical infrastructure. CUCM is the heart of unified communications in many enterprises; a compromise allows call interception, configuration changes, and lateral movement. SD-WAN, on the other hand, manages network traffic for an entire organization. As Mandiant notes, an attacker with root access to the SD-WAN controller has total visibility of corporate traffic, making it a prime target for state-sponsored groups seeking persistent access for long-term espionage. Cisco has already reported six SD-WAN vulnerabilities under attack since the start of the year, and this is the second 0-day in two months.
Consequences and context
The case of CVE-2026-20245 is particularly concerning because it shows attackers exploiting flaws before Cisco knows about them, and managing to maintain access undetected for months. The technique of changing the password and then restoring it indicates a high degree of sophistication and knowledge of the victim's operations. For enterprises, this means patches are not enough; active monitoring of anomalous behavior on network devices is required, especially on administrative accounts and management traffic.
Additionally, the exploitation chain of CVE-2026-20230 shows how attackers combine multiple techniques (SSRF, malicious service deployment, file writing) to achieve a persistent backdoor. Organizations using CUCM should verify they have applied the June patch and review logs for suspicious activity on the mentioned endpoints.
What should readers know?
- Patch immediately: Cisco has released updates for both vulnerabilities. If not applied, do so urgently.
- Monitor indicators of compromise: Look for files like evil_tenant.csv or similar, accounts like troot, and unusual activity in /platform-services/axis2-web/.
- Review administrative accounts: Change default passwords and audit SSH and web access to SD-WAN and CUCM devices.
- Segment networks: Limit unauthorized peering and restrict management interface access to trusted IP addresses only.
- Prepare for more: The trend of attacks on SD-WAN will continue. Consider intrusion detection solutions specific to these devices.
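As an added example (not code from the article, Cisco or Mandiant), the following Python check runs the indicator hunts from the list above over a few constructed audit lines: the evil_tenant.csv upload, creation of a troot account, requests under /platform-services/axis2-web/, and the change-then-restore pattern on an admin password. The log format, hostnames and the 24-hour "two password changes" heuristic are assumptions; adapt the regexes to your devices' real syslog or audit output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines; the format is invented for this example,
# not real Cisco syslog output.
SAMPLE_LOGS = """\
2026-03-02T01:10:05Z sdwan-ctrl AUTH: ssh login user=admin src=10.0.9.7
2026-03-02T01:11:40Z sdwan-ctrl AUDIT: password changed user=admin
2026-03-02T01:25:12Z sdwan-ctrl FILE: upload name=evil_tenant.csv by=admin
2026-03-02T01:25:30Z sdwan-ctrl AUDIT: account created user=troot role=root
2026-03-02T02:40:00Z sdwan-ctrl AUDIT: password changed user=admin
2026-03-02T03:00:00Z cucm-01 HTTP: POST /platform-services/axis2-web/x.jsp status=200
2026-03-03T09:00:00Z cucm-01 HTTP: GET /ccmadmin/ status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<msg>.*)$")
SUSPECT_FILES = re.compile(r"\bevil_tenant\.csv\b")   # file name from the Mandiant case
SUSPECT_ACCOUNTS = {"troot"}                            # account created by the exploit
SUSPECT_PATH = "/platform-services/axis2-web/"          # CUCM shell location
# Heuristic (assumption): two changes of the same admin password this close
# together matches the change-then-restore behaviour described in the report.
RESTORE_WINDOW = timedelta(hours=24)


def find_indicators(log_text: str) -> list[str]:
    """Return one finding string per matched indicator, in log order."""
    findings: list[str] = []
    pw_changes: dict[str, list[datetime]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host, kind, msg = m["host"], m["kind"], m["msg"]
        user_m = re.search(r"user=(\S+)", msg)
        user = user_m[1] if user_m else None
        if kind == "FILE" and SUSPECT_FILES.search(msg):
            findings.append(f"{host}: suspicious upload ({msg})")
        elif kind == "AUDIT" and msg.startswith("account created"):
            if user in SUSPECT_ACCOUNTS:
                findings.append(f"{host}: suspect account created ({user})")
        elif kind == "AUDIT" and msg.startswith("password changed") and user:
            times = pw_changes.setdefault(user, [])
            if times and ts - times[-1] <= RESTORE_WINDOW:
                gap = ts - times[-1]
                findings.append(f"{host}: password for {user} changed twice "
                                f"within {gap} (possible change-and-restore)")
            times.append(ts)
        elif kind == "HTTP" and SUSPECT_PATH in msg:
            findings.append(f"{host}: request under {SUSPECT_PATH} ({msg})")
    return findings
```

Run `find_indicators(SAMPLE_LOGS)` to see the four findings; the benign /ccmadmin/ request is not flagged.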
“The attacker exploited CVE-2026-20245 to escalate to root and created an account named troot with full privileges. They then restored the original password to avoid raising suspicion,” Mandiant details in its report.
In summary, we are facing a critical situation requiring immediate action. The combination of an actively exploited SSRF and a 0-day in SD-WAN with early use underscores the need for a proactive security posture beyond simple patch application.