Cisco Discloses Two Actively Exploited Vulnerabilities in Unified Communications Manager and SD-WAN
Cisco disclosed two actively exploited vulnerabilities: an SSRF bug in Unified Communications Manager now used in the wild, and an SD-WAN zero-day exploited since early 2026, according to Mandiant.

Cisco has disclosed two serious vulnerabilities that are already being exploited in active attacks, adding to a growing list of security issues for the networking giant. The first flaw, CVE-2026-20230, is a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM SME. The second, CVE-2026-20245, is a zero-day privilege escalation bug in Cisco Catalyst SD-WAN Manager that Mandiant says was exploited months before Cisco's advisory.
The SSRF vulnerability, CVE-2026-20230, allows an unauthenticated attacker to send crafted HTTP requests to the affected system, potentially leading to arbitrary file writes and root-level compromise. Cisco patched the flaw in early June, but threat intelligence firm Defused reported over the weekend that attackers are now actively exploiting it. According to Defused, the attack chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, which then writes a first-stage JSP file-writer, followed by a second-stage command-execution shell under /platform-services/axis2-web/. This gives the attacker full root access to the compromised device.
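The chain Defused describes leaves a distinctive trace in the web server's access log: requests to JSP files under /platform-services/axis2-web/, first a write, then a call with a command in the query string. The following Python script is an added example (not code from Cisco, Defused or the article) that parses combined-format access-log lines and flags that pattern. Only the path prefix comes from the report; the client addresses, JSP file names, timestamps and the two-stage heuristic are assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample web-server access-log lines in Apache "combined" style.
# Only the path prefix /platform-services/axis2-web/ comes from the report;
# the client addresses, JSP file names and timestamps are invented here.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Jun/2026:02:11:03 +0000] "GET /ccmadmin/ HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jun/2026:02:11:09 +0000] "POST /platform-services/axis2-web/w.jsp HTTP/1.1" 200 312
203.0.113.7 - - [14/Jun/2026:02:11:15 +0000] "GET /platform-services/axis2-web/cmd.jsp?c=id HTTP/1.1" 200 87
198.51.100.22 - - [14/Jun/2026:02:12:00 +0000] "GET /platform-services/axis2-web/x.jsp HTTP/1.1" 404 0
10.0.0.5 - - [14/Jun/2026:02:13:44 +0000] "GET /cucmreports/ HTTP/1.1" 302 0
"""

AXIS2_PREFIX = "/platform-services/axis2-web/"  # path named in the report

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"], rec["status"] = path, query, int(rec["status"])
    return rec


def axis2_jsp_hits(log_text):
    """Return {client_ip: [records]} for every request to a JSP under the Axis2 path.

    The report describes the Axis2 service at this path as attacker-deployed, so
    any hit deserves review: a 4xx is a probe, a 2xx means the file really exists.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(AXIS2_PREFIX) and rec["path"].endswith(".jsp"):
            hits[rec["ip"]].append(rec)
    return dict(hits)


def writer_then_shell(hits):
    """Heuristic (an assumption of this example) for the two-stage chain: from one
    client, a successful POST to a JSP under the prefix (the file writer) followed by a
    successful GET with a query string to a different JSP there (the command shell).
    Returns the client IPs that match."""
    flagged = []
    for ip, recs in hits.items():
        writer_seen = None
        for rec in recs:  # log order is chronological
            ok = 200 <= rec["status"] < 300
            if ok and rec["method"] == "POST":
                writer_seen = rec["path"]
            elif (ok and rec["method"] == "GET" and rec["query"]
                  and writer_seen and rec["path"] != writer_seen):
                flagged.append(ip)
                break
    return flagged


if __name__ == "__main__":
    found = axis2_jsp_hits(SAMPLE_ACCESS_LOG)
    for ip, recs in found.items():
        for r in recs:
            print(f"{ip} {r['method']} {r['target']} -> {r['status']}")
    print("two-stage chain candidates:", writer_then_shell(found))
```

Run it against a real access log by replacing SAMPLE_ACCESS_LOG with the file's contents; a hit from any address, patched or not, is a reason to pull the files under that path and compare them with a known-good install.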
The second vulnerability, CVE-2026-20245, is a zero-day in Cisco Catalyst SD-WAN Manager that allows an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file. Mandiant's investigation revealed that a threat actor exploited this bug as far back as early 2026, well before Cisco's June advisory. The attacker gained initial access via an unauthorized peering connection, abusing the SD-WAN fabric to authenticate between network components and facilitate SSH access. They then authenticated to the SD-WAN Manager using the vmanage-admin account, changed the default password, exfiltrated SD-WAN fabric configurations, and changed the password back to cover their tracks.
To escalate privileges to root, the attacker exploited CVE-2026-20245 by uploading a file named evil_tenant.csv containing the exploit payload. This created a user account named 'troot' with full root privileges. Mandiant observed the attacker accessing this new account from the admin account using the su (substitute user) command. The compromise of an SD-WAN device is particularly dangerous because it can give an attacker total visibility across an entire corporation's internet traffic, making such zero-days a prime target for government-sponsored espionage groups.
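Mandiant's account of the SD-WAN Manager intrusion gives three host-level indicators a defender can check for: an extra account with root privileges, su from the admin account into an account that should not exist, and the vmanage-admin password being changed and then changed back. The Python below is an added example (not Cisco's or Mandiant's code) that runs those three checks over a constructed /etc/passwd snapshot and constructed syslog-style auth lines. Only the account names troot, admin and vmanage-admin come from the report; treating "full root privileges" as UID 0, the pam_unix message formats, the 24-hour window and the syslog year are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed snapshot of an /etc/passwd-style file from the SD-WAN Manager host.
# The account name 'troot' comes from the report; giving it UID 0 is an assumption.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
vmanage-admin:x:1001:1001::/home/vmanage-admin:/bin/bash
troot:x:0:0::/home/troot:/bin/bash
"""

# Constructed syslog-style auth lines using standard sshd and pam_unix message formats.
SAMPLE_AUTH_LOG = """\
Mar 03 01:02:10 vmanage sshd[2001]: Accepted password for vmanage-admin from 198.51.100.9 port 50112 ssh2
Mar 03 01:05:41 vmanage passwd[2044]: pam_unix(passwd:chauthtok): password changed for vmanage-admin
Mar 03 02:40:12 vmanage passwd[2210]: pam_unix(passwd:chauthtok): password changed for vmanage-admin
Mar 03 02:55:03 vmanage su[2301]: pam_unix(su:session): session opened for user troot by admin(uid=1000)
Mar 04 09:00:00 vmanage su[3102]: pam_unix(su:session): session opened for user root by admin(uid=1000)
"""

SU_RE = re.compile(
    r"pam_unix\(su:session\): session opened for user (\S+) by (\S+)\(uid=\d+\)"
)
PW_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*pam_unix\(passwd:chauthtok\): "
    r"password changed for (\S+)"
)


def unexpected_uid0(passwd_text, expected=("root",)):
    """Accounts with UID 0 other than the expected ones (the 'troot' indicator)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in expected:
            found.append(fields[0])
    return found


def suspicious_su(auth_log, allowed_targets=("root",)):
    """(from_user, to_user) pairs where su opened a session to an account outside
    the allowlist; su to root by admin is normal, su to anything else is not."""
    pairs = []
    for line in auth_log.splitlines():
        m = SU_RE.search(line)
        if m and m.group(1) not in allowed_targets:
            pairs.append((m.group(2), m.group(1)))
    return pairs


def password_flip_flops(auth_log, window=timedelta(hours=24), year=2026):
    """Accounts whose password was changed more than once inside the window: the
    'change it, use it, change it back' pattern in the report. Syslog lines carry
    no year, so one is supplied (assumption)."""
    changes = {}
    for line in auth_log.splitlines():
        m = PW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        changes.setdefault(m.group(2), []).append(ts)
    flagged = []
    for user, times in changes.items():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[1:])):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print("unexpected UID 0 accounts:", unexpected_uid0(SAMPLE_PASSWD))
    print("su to non-allowlisted accounts:", suspicious_su(SAMPLE_AUTH_LOG))
    print("repeated password changes:", password_flip_flops(SAMPLE_AUTH_LOG))
```

The password check is the subtle one: a single change of the default vmanage-admin password is exactly what a hardening guide asks for, so only the pair of changes close together is the signal; tune the window to how quickly your own administrators would plausibly rotate a credential twice.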
Cisco's advisory for CVE-2026-20245 acknowledged that exploitation was already occurring, but Mandiant's report shows the timeline was even longer than initially disclosed. This is the sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months, highlighting the intense focus on Cisco's SD-WAN infrastructure by threat actors. The Register reached out to Cisco for comment but did not receive a response.
The simultaneous disclosure of two actively exploited vulnerabilities underscores the persistent challenges in securing complex enterprise networking equipment. Organizations using Cisco Unified Communications Manager or Catalyst SD-WAN Manager should prioritize applying the available patches and reviewing their network configurations for signs of compromise. The SSRF bug in particular, with a public proof-of-concept exploit now being used in the wild, poses an immediate risk to unpatched systems.