⚠️ Cisco Catalyst SD-WAN – Authenticated Privilege Escalation to Root (CVSS 7.8, CISA KEV)  CISA has added CVE-2026-20245 to its KEV catalogue following evidence of active exploitation. A command injection flaw in the CLI of Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond), caused by insufficient validation of user-supplied input. By uploading a crafted file, an authenticated local attacker with netadmin privileges can execute arbitrary commands and elevate to root.  Affected: Cisco Catalyst SD-WAN Controller, Manager, and Validator, regardless of device configuration.  Mitigation: Cisco recommends upgrading to the fixed software documented in the Catalyst SD-WAN Security Advisory, and verifying the configuration of edge devices. Before upgrading, run request admin-tech on each control component to preserve potential indicators of compromise, then monitor per Cisco's advisory.  Modat Magnify Query: product="Cisco Catalyst SD-WAN Manager" OR product="Cisco Catalyst SD-WAN Controller"  The platform: magnify.modat.io/  Reference: sec.cloudapps.cisco.com/secu…  #threatintel #vulnerability #CVE202620245 #Cisco #SDWAN #PrivEsc #infosec #ModatMagnify
4
4
1,314
Jun 11
Newest: CVE-2026-20245, June 4, authenticated command injection in Catalyst SD-WAN Manager, root via crafted file upload, reported by Mandiant, exploited in the wild. It chains: CVE-2026-20182 (CVSS 10.0) to netadmin, then 20245 to root.
1
43
Welcome to our “Say Hello To” series — introducing the people behind the scenes at Netadmin. Meet Mudassar Majeed, our new System Architect 👋 Passionate about helping shape the next generation of Netadmin Nine. Say Hello to Mudassar: hubs.ly/Q04kRWG50
4
🚨 SECURITY BULLETIN: Privilege Escalation Vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20245) Hello #Brolyz 📌 Vulnerability Summary: CVE-2026-20245 is a missing input validation in the command-line interface (CLI) of the Cisco Catalyst SD-WAN Controller, Manager and Validator products. A local attacker who accesses the system with "netadmin" privileges can bypass security controls by uploading a specially crafted file. ⚠️ Impact and Risk (CVSS 3.1: 7.8 - High Risk): This flaw allows the attacker to perform command injection and run arbitrary commands on the operating system with "root" privileges. The most critical point: Cisco has confirmed that this vulnerability has been used in the field to push unauthorized configuration to edge devices. Attackers generally need valid credentials, or they chain different vulnerabilities to get into the system. 🛠️ Remediation and Recommendations: If you use the Cisco SD-WAN architecture, take the following actions urgently: 1️⃣ Patch: Move immediately to the current software releases published by Cisco. 2️⃣ Audit: Review all accounts with "netadmin" privileges on your systems and terminate suspicious sessions. 3️⃣ Check: Verify the most recent configuration changes delivered to the edge devices on your network against unauthorized tampering. 🔗 Details: cve.org/CVERecord?id=CVE-... Don't forget to apply your patches without delay. Wishing you safe weeks! 🛡️

101
US CISA has added vulnerabilities with confirmed exploitation to its #KEV catalog (added 6/9).

🛡 No.1616 CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
=====================================
✅ Overview
・Severity: Caution 6.8 (CVSS Base) / Arista Networks (CNA)
・Type: Incomplete comparison with missing factors (CWE-1023)
・CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
A vulnerability in the tunnel decapsulation processing of Arista EOS in which validation of the tunnel protocol type is insufficient. Where decapsulation configuration such as VXLAN, decap-groups or GRE tunnel interfaces exists, unexpected tunnel packets addressed to the configured decapsulation IP may be decapsulated and forwarded.
✅ Vulnerability assessment by ChatGPT
・Domestic (Japan) impact: Medium
・Exploitation difficulty: Medium
✅ Preconditions for attack
・An affected Arista EOS-based product is in use
・A decapsulation IP such as a VXLAN VTEP, GRE tunnel endpoint or ip decap-group is configured
・The target device can receive packets of an unexpected tunnel protocol
・A fixed version or a mitigation such as an ACL has not been applied
✅ Impact when exploited
・Unexpected tunnel packets are decapsulated
・Unintended traffic is forwarded into internal network segments
・Traffic controls based on tunnel type may be bypassed
・The assumptions behind network segmentation and routing control may break down
✅ Public information on exploitation
・PoC/Exploit: partly public (technical information only)
・ITW: confirmed (Arista Networks)
Arista Networks reports that the vulnerability has been exploited in production environments.
✅ Related information
・nvd.nist.gov/vuln/detail/CVE… arista.com/en/support/adviso…

🛡 No.1617 CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
=====================================
✅ Overview
・Severity: Important 8.8 (CVSS Base) / CISA-ADP
・Type: Out-of-bounds read (CWE-125), out-of-bounds write (CWE-787)
・CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
An out-of-bounds read and write vulnerability in V8 in Google Chrome. In versions of Google Chrome prior to 149.0.7827.103, a remote attacker may be able to execute arbitrary code inside the sandbox via a crafted HTML page.
✅ Vulnerability assessment by ChatGPT
・Domestic (Japan) impact: High
・Exploitation difficulty: Medium
✅ Preconditions for attack
・A version of Google Chrome prior to 149.0.7827.103 is in use
・The attacker gets the user to open a crafted HTML page
・The content is processed by V8
・A fixed version has not been applied
✅ Impact when exploited
・Arbitrary code execution inside the sandbox
・Memory corruption
・Possible unauthorized access to information held in the browser
・May lead to further compromise when combined with other vulnerabilities
✅ Public information on exploitation
・PoC/Exploit: no public information found
・ITW: confirmed (Google)
Google states in its advisory that it is aware an exploit exists.
✅ Related information
・nvd.nist.gov/vuln/detail/CVE… chromereleases.googleblog.co…

🛡 No.1618 CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
=====================================
✅ Overview
・Severity: Important 7.8 (CVSS Base) / Cisco Systems, Inc. (CNA)
・Type: Improper encoding or escaping of output (CWE-116)
・CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, Catalyst SD-WAN Manager and Catalyst SD-WAN Validator. An authenticated local attacker may be able to execute arbitrary commands as root by uploading a crafted file to the target system.
✅ Vulnerability assessment by ChatGPT
・Domestic (Japan) impact: High
・Exploitation difficulty: High
✅ Preconditions for attack
・An affected Cisco Catalyst SD-WAN Controller, Manager or Validator is in use
・The attacker holds netadmin privileges on the target system
・The attacker can upload a crafted file to the target system
・Fixed software has not been applied
✅ Impact when exploited
・Arbitrary commands executed with root privileges
・Privilege escalation on the SD-WAN management infrastructure
・Unauthorized configuration changes may be pushed to edge devices
・Control and operation of the SD-WAN environment may be affected
✅ Public information on exploitation
・PoC/Exploit: no public information found
・ITW: confirmed (Cisco Systems, Inc.)
Cisco has announced that it has observed limited cases.
✅ Related information
・nvd.nist.gov/vuln/detail/CVE… sec.cloudapps.cisco.com/secu… cisa.gov/news-events/alerts/…
#vulnerability

1
2
3,994
The attack chain: gain netadmin access via stolen creds or by chaining earlier SD-WAN CVEs, then push arbitrary config changes to edge devices across the entire fabric. Exploitation was occurring before the advisory was published.
12
🔴 SOC OPERATIONS

The breach was three alerts. Nobody connected them.

Jun 8, 2026 · 6 min read

────────────────────────────────────────

Picture three tickets in your queue, opened over three different weeks, closed by three different analysts who never spoke to each other.

The first: an authentication anomaly on an SD-WAN controller. Odd, but it resolved, and the controller kept running. Closed.

The second: a new SSH key showed up in an admin account's authorized-keys file. Probably the network team during a maintenance window. Closed.

The third: a configuration change pushed out to the edge devices. That's literally what the platform is for. Closed.

Each one, on its own, was a shrug. Together, they were a threat actor walking from the open internet to root on your network's management plane — and then pushing their will to every device downstream.

## The chain Cisco documented this month

This isn't hypothetical. On June 5, 2026, Cisco disclosed its seventh SD-WAN zero-day of the year. Read the advisories together and they describe an end-to-end path, link by link:

• CVE-2026-20127 — get in
A maximum-severity authentication bypass on the Catalyst SD-WAN Controller. An unauthenticated, remote attacker sends crafted requests and gains high-privileged internal access. Cisco Talos has tracked a sophisticated actor, UAT-8616, abusing this since at least 2023.

• CVE-2026-20182 — get privileged
A second authentication bypass lets the attacker become an authenticated peer of the appliance and inject their own public key into the vmanage-admin account's authorized SSH keys. That's the quiet alert in the middle: a key that shouldn't be there. They now hold netadmin.

• CVE-2026-20245 — get root
With netadmin in hand, a crafted file upload to the SD-WAN Manager CLI runs arbitrary commands as root. Cisco observed exploitation in the wild — discovered by Mandiant — and, in limited cases, a configuration change pushed to edge devices. There is no patch yet and no workaround.

Cisco's advisory for that last bug explicitly names the first two as the way to obtain the netadmin precondition. The vendor itself drew the line connecting the dots. The question is whether your SOC would have.

A breach is almost never one alert. It's a sequence — across systems, across privilege levels, across time. Attackers think in chains. Most defenses still triage in singletons.

## Why three real alerts read as three non-events

None of these links trips a five-alarm fire on its own. The first is an "authentication anomaly" — a category your team sees hundreds of times a week, almost all benign. The second is a configuration-file change on an admin account — indistinguishable, at a glance, from legitimate operations. The third, the root-level one, scores a moderate 7.8 and surfaces as a routine config push, which is the platform's entire job.

So they land in different queues. The controller alert goes to whoever owns network infrastructure. The SSH-key change goes to whoever watches identity. The config push may not alert at all. Three people, three contexts, three independent "looks fine to me" decisions. The correlation that turns three shrugs into one breach never happens, because no single human is holding all three at once.

This is the coverage gap that volume created. It isn't that analysts are careless — it's that the breach only exists in the relationships between alerts, and human triage is structurally built to look at one alert at a time.

## Totality is the answer to chains

You don't close this gap by tuning any single detection to be louder. The controller bypass should be a low-confidence alert in isolation. So should an SSH-key change. Crank them all to critical and you've simply moved alert fatigue, not fixed i...

────────────────────────────────────────

📰 Full analysis on The Signal: n0limit.com/blog.html#three-… #cybersecurity #threatintel #infosec
198
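The point of the post above is that the three alerts are individually low-severity and only become a breach in sequence, scoped to one fabric and one time window. The following is an added example, not code from the original post, from N0limit, or from Cisco: a small Python correlation routine that walks normalised alerts grouped by SD-WAN fabric and raises one escalated finding when the ordered chain (authentication anomaly, then SSH key added, then config push) completes inside a window. The alert schema (`ts`, `fabric`, `asset`, `category`, `severity`), the stage names, the severity scale and the sample alerts are all constructed for the example; a real deployment would map its SIEM's own fields onto them.

```python
"""Cross-alert chain correlation for individually low-severity SD-WAN events.

Added example, not code from the original post. It assumes a normalised
alert record with the constructed fields 'ts' (ISO 8601), 'fabric',
'asset', 'category' and 'severity' (1-5); the category names are also
constructed and would be mapped from a real SIEM's taxonomy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts: the three "shrugs" from the post, spread across
# three weeks on one fabric ("fab-east"), plus unrelated noise on another.
SAMPLE_ALERTS = [
    {"ts": "2026-05-12T03:14:00", "fabric": "fab-east", "asset": "vsmart-01",
     "category": "auth_anomaly", "severity": 3},
    {"ts": "2026-05-13T09:00:00", "fabric": "fab-west", "asset": "vmanage-02",
     "category": "ssh_key_added", "severity": 3},
    {"ts": "2026-05-20T22:41:00", "fabric": "fab-east", "asset": "vmanage-01",
     "category": "ssh_key_added", "severity": 3},
    {"ts": "2026-05-27T01:05:00", "fabric": "fab-east", "asset": "vmanage-01",
     "category": "config_push", "severity": 2},
    {"ts": "2026-04-01T10:00:00", "fabric": "fab-west", "asset": "vmanage-02",
     "category": "config_push", "severity": 2},
]

# The chain from the post as an ordered tuple of alert categories.
# Order matters: a config push that precedes the SSH key is just ops work.
SDWAN_CHAIN = ("auth_anomaly", "ssh_key_added", "config_push")


@dataclass
class ChainMatch:
    fabric: str
    alerts: list       # matched alerts, in stage order
    span: timedelta    # time from first stage to last stage


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_chains(alerts, chain=SDWAN_CHAIN, window_days=30):
    """Return every in-order occurrence of `chain` on one fabric within the window.

    Alerts are grouped by fabric (the shared context the post says no single
    analyst held), sorted by time, and walked once per candidate first-stage
    alert. Each later stage must come after the previously matched stage and
    no later than first-stage time + window.
    """
    window = timedelta(days=window_days)
    by_fabric = {}
    for a in sorted(alerts, key=lambda a: _parse(a["ts"])):
        by_fabric.setdefault(a["fabric"], []).append(a)

    matches = []
    for fabric, items in by_fabric.items():
        for i, first in enumerate(items):
            if first["category"] != chain[0]:
                continue
            path = [first]
            deadline = _parse(first["ts"]) + window
            cursor = i + 1
            for stage in chain[1:]:
                nxt = next((j for j in range(cursor, len(items))
                            if items[j]["category"] == stage
                            and _parse(items[j]["ts"]) <= deadline), None)
                if nxt is None:
                    break
                path.append(items[nxt])
                cursor = nxt + 1   # later stages must follow this one
            if len(path) == len(chain):
                span = _parse(path[-1]["ts"]) - _parse(path[0]["ts"])
                matches.append(ChainMatch(fabric, path, span))
    return matches


def max_single_severity(alerts) -> int:
    """Loudest any one alert gets on its own (constructed 1-5 scale)."""
    return max(a["severity"] for a in alerts)


def chain_severity(match: ChainMatch) -> int:
    """A completed chain is escalated to the top regardless of member scores."""
    return 5


if __name__ == "__main__":
    print("loudest single alert:", max_single_severity(SAMPLE_ALERTS))
    for m in find_chains(SAMPLE_ALERTS):
        print(f"CHAIN on {m.fabric} over {m.span.days} days -> severity {chain_severity(m)}")
        for a in m.alerts:
            print("   ", a["ts"], a["asset"], a["category"])
```

Run as-is it reports the single fab-east chain spanning about two weeks, while no individual alert in the set scores above 3; shrinking `window_days` to 10 drops the match, and the fab-west alerts never match because they lack the first stage and occur out of order. The design choice worth noting is that the chain is keyed on the shared fabric rather than on a single host, since the post's three alerts land on a controller, a manager account and the edge fleet respectively.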
Replying to @Senshin108
As long as you allow NetAdmin root-level access without a full authentication key in hand that allows the op to access the root from these cloud/AI system admin modules, you are going to have infiltration into any internet connected system. That's the problem with cloud security.
1
16
[Zero-day vulnerability in Cisco Catalyst SD-WAN Manager, exploitation confirmed] A privilege escalation vulnerability, CVE-2026-20245, has been published for Cisco Catalyst SD-WAN Manager. According to Security NEXT, zero-day attacks have been confirmed, and Cisco plans to fix it in an upcoming release. The vulnerability stems from insufficient input validation in the CLI, and exploitation requires netadmin privileges. However, by uploading a crafted file, an attacker may be able to perform command injection and obtain root privileges. Japanese companies operating SD-WAN Manager should take inventory of netadmin privileges, restrict access to the management interface, and review file upload history and configuration change logs. An authenticated vulnerability becomes far more impactful when combined with a stolen administrator account. #Cisco #SDWAN #ゼロデイ #CVE #ネットワークセキュリティ #SOC security-next.com/185464

1
1
485
[Exploitation of unpatched Cisco SD-WAN zero-day confirmed] Exploitation in real attacks has been reported for CVE-2026-20245 in Cisco Catalyst SD-WAN Manager. When the conditions are met, this vulnerability leads to command execution with root privileges, and if the SD-WAN management plane is compromised, the impact can extend to configuration changes on edge devices. Exploitation is said to require netadmin privileges or a combination with another SD-WAN vulnerability, but given that this is a perimeter management product, the priority is high. Defenders should review SD-WAN Manager configuration change history, administrator logins, `/var/log/scripts.log`, and the status of their response to past SD-WAN-related CVEs. #Cisco #SDWAN #脆弱性 #ゼロデイ #SOC #IncidentResponse bleepingcomputer.com/news/se…
307
Günter Born retweeted
🚨 New Cisco SD-WAN vulnerability under active exploitation. CVE-2026-20245 lets authenticated netadmin attackers run commands as root via crafted file uploads. No patches or mitigations are available. Check /var/log/scripts.log for IoCs. Read: thehackernews.com/2026/06/ci…
1
34
72
11,772
Cisco's PSIRT confirmed attackers are exploiting a flaw in Catalyst SD-WAN Manager: an authenticated netadmin uploads a crafted file and runs commands as root. In some cases they pushed config changes to edge devices. No fixed release, no workaround. How are you holding the line?
14
The "authenticated" precondition is thin: CVE-2026-20182 and CVE-2026-20127 already provide the netadmin foothold. Six Catalyst SD-WAN Manager flaws have been actively exploited in 2026. The management plane is the attack surface.
1
42