Cisco: CVE-2026-20245 Added to CISA KEV Under Active Exploitation

Key findings

• CISA added Cisco vulnerability CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on June 9, 2026.
• The vulnerability is confirmed to be actively exploited in the wild by unidentified threat actors.
• There is currently no official association between CVE-2026-20245 and active ransomware campaigns.
• Federal agencies must remediate this vulnerability in accordance with CISA's established KEV deadlines.

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding a security flaw affecting Cisco Systems, Inc. software. Identified as CVE-2026-20245, the vulnerability is now confirmed to be under active exploitation by threat actors, prompting urgent remediation calls for federal agencies and private sector organizations alike.

While specific technical details regarding the exploitation vectors are often closely guarded during initial KEV additions, CVE-2026-20245 represents a significant risk to affected Cisco infrastructure. Threat actors exploiting this vulnerability can potentially gain unauthorized access, compromise system integrity, or disrupt critical network operations depending on the deployment environment.

At this time, CISA has not associated CVE-2026-20245 with any specific ransomware campaigns. However, the active exploitation of network infrastructure vulnerabilities remains a primary entry point for sophisticated threat actors, including state-sponsored groups and initial access brokers who sell access to ransomware affiliates later.

In accordance with Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to apply the necessary updates or workarounds provided by Cisco to secure their networks. Security teams should immediately inventory their Cisco assets, identify vulnerable instances, and apply the vendor's official patches to mitigate the risk of compromise.