Cisco patched CVE-2026-20230 in June, yet attackers exploited it over the weekend
A Cisco Unified Communications Manager SSRF escalated to root, while SD-WAN CVE-2026-20245 was used far earlier than disclosed.

Cisco disclosed and patched CVE-2026-20230 in early June, but threat intel firm Defused reports exploit activity over the weekend. Mandiant later warned that CVE-2026-20245 in Cisco Catalyst SD-WAN was exploited months earlier than Cisco initially disclosed, including at a service provider.
Cisco’s security patch timetable is colliding with attacker reality, and the receipts are ugly. CVE-2026-20230, a server-side request forgery flaw in Cisco Unified Communications Manager, was patched in early June. But Defused says it observed miscreants exploiting CVE-2026-20230 over the weekend.
Defused also described the abuse chain in detail: the attackers leveraged WebDialer SSRF to deploy a rogue Apache Axis service, then used that service to write a first-stage JSP file-writer, and finally dropped a second-stage command-execution shell under /platform-services/axis2-web/. The end result is what makes this more than a headline for security teams. Cisco described that a properly targeted exploit could be used to gain root privileges on a compromised device, and the reported chain shows attackers already know how to turn the bug into system-level control.
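The chain Defused describes leaves a recognisable footprint in the web tier: WebDialer requests carrying URLs that point back at the box itself, writes under /platform-services/axis2-web/, and JSP files appearing under a path that should never serve them. The following triage script is an added example written for this article, not code from Defused, Cisco or any Cisco product. The log format is ordinary Apache combined format, the sample lines are constructed, and the WebDialer endpoint and its `url` parameter are assumed for illustration rather than taken from Cisco documentation; the real parameter names and log layout on a Unified Communications Manager node will differ.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Path named in the reported chain as the drop location for the second-stage shell.
AXIS_PREFIX = "/platform-services/axis2-web/"

# Apache combined-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for this example (IPs are documentation ranges).
# The WebDialer path and "url" parameter are assumptions, not Cisco's real names.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jun/2026:02:11:07 +0000] "GET /webdialer/Webdialer?url=http://127.0.0.1:8080/axis2/ HTTP/1.1" 200 512
203.0.113.10 - - [14/Jun/2026:02:11:09 +0000] "POST /platform-services/axis2-web/ HTTP/1.1" 200 88
203.0.113.10 - - [14/Jun/2026:02:11:12 +0000] "GET /platform-services/axis2-web/stage1.jsp?f=x HTTP/1.1" 200 41
198.51.100.7 - - [14/Jun/2026:02:12:00 +0000] "GET /ccmadmin/main.do HTTP/1.1" 200 1024
"""


def _points_at_internal_host(value):
    """True when a parameter value is an http(s) URL aimed at this host or a private range."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if host == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # a public DNS name; not the SSRF-to-self pattern
    return ip.is_loopback or ip.is_private or ip.is_link_local


def triage_access_log(lines):
    """Return (source, rule, detail) alerts for the three stages of the reported chain."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, target = m.group("src"), m.group("method"), m.group("target")
        path, _, query = target.partition("?")

        # Stage 2/3: a JSP served from, or a write into, the axis2-web directory.
        if path.startswith(AXIS_PREFIX) and path.lower().endswith(".jsp"):
            alerts.append((src, "jsp-under-axis2-web", path))
        elif path.startswith(AXIS_PREFIX) and method in ("POST", "PUT"):
            alerts.append((src, "write-to-axis2-web", path))

        # Stage 1: a WebDialer request whose parameters carry a URL aimed at the box itself.
        if "webdialer" in path.lower():
            for values in parse_qs(query).values():
                for v in values:
                    if _points_at_internal_host(v):
                        alerts.append((src, "webdialer-internal-url", v))
    return alerts


if __name__ == "__main__":
    for alert in triage_access_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the script raises one alert per stage from the same client address: the internal-URL WebDialer request, the POST into the Axis directory, and the subsequent GET of a JSP under it. On a real node the same three checks apply equally well to a directory listing of /platform-services/axis2-web/ taken after patching, since any JSP there that the installer did not ship is worth explaining.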
If you manage infrastructure, this is the part that should keep you awake: the timeline matters. Patching early June is not the same thing as erasing attacker capability. In practice, once an exploit exists, adversaries can test, refine, and operationalize it quietly. The fact pattern here suggests CVE-2026-20230 moved from “patched” to “in the wild” fast enough to matter, and it raises the obvious operational question: how many organizations are exposed due to patch lag, shadow deployments, or brittle change windows?
Then there is the separate, bigger-scope problem in Cisco Catalyst SD-WAN. Mandiant’s advisory says CVE-2026-20245 was exploited much earlier than initially disclosed, including at a communications service provider where attackers elevated from a compromised admin account to full root-level access. Mandiant noted it cannot assess the full scope of the intruders’ post-compromise activity. But even partial compromise of SD-WAN infrastructure is often catastrophic, because SD-WAN sits in the traffic path and can become a leverage point for visibility across corporate internet communications.
Cisco had issued an advisory for CVE-2026-20245 in early June, admitting that attackers had a head start on abusing the security hole. The vendor’s statement in that June advisory was specific: “In June 2026, the Cisco PSIRT became aware of exploitation of this vulnerability.” But Mandiant’s Wednesday report pushes exploitation earlier than that awareness window. Mandiant threat hunters Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan wrote that in early 2026 Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited CVE-2026-20245 to escalate privileges from a compromised administrative account to root.
The access path is also notable because it ties network trust mechanics to endpoint takeover. Mandiant said the attacker gained initial access via an unauthorized peering connection, abusing the SD-WAN fabric to authenticate between network components and facilitate Secure Shell (SSH) access. In this case, the attacker authenticated to the SD-WAN manager device via SSH using the vmanage-admin account on the same victim devices. They then changed the default password on the admin account, authenticated to the SD-WAN Manager web application interface using the admin account, and exfiltrated SD-WAN fabric configurations. After that, the attacker changed the admin account password back to its original value before terminating the active session, likely to cover tracks.
Here is the part that matters for governance and incident response. Mandiant says neither the vmanage-admin nor the admin accounts on Cisco Catalyst SD-WAN controllers have root shell access. So root-level access required the exploit itself. Mandiant explains that the attacker supplied a crafted file to execute arbitrary commands as root. They uploaded a file named evil_tenant.csv containing the exploit payload. Upon execution, the attackers created a user account named troot with full root privileges, and later accessed this new troot account from the admin account using the substitute user command.
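The sequence Mandiant lays out in the two paragraphs above is detectable as a sequence, which is more robust than matching any single artefact such as the file name. The script below is an added example written for this article, not Mandiant's or Cisco's tooling. It assumes a constructed JSON-lines audit feed (Catalyst SD-WAN's own logs use a different shape) and a constructed allow-list of peer addresses; the rules it applies are the ones the reported chain suggests: a system account such as vmanage-admin arriving over SSH from an unexpected peer, two password changes on one account inside a short window (change, then revert), a file upload followed shortly by creation of a UID 0 account that is not root, and a `su` into that account.

```python
import json
from datetime import datetime, timedelta

# Tunables for this example; adjust to the environment's normal admin cadence.
REVERT_WINDOW = timedelta(minutes=60)        # two password changes on one account this close is suspicious
UPLOAD_TO_ROOT_WINDOW = timedelta(minutes=10)  # upload followed by a root-level account this fast
SYSTEM_ACCOUNTS = {"vmanage-admin"}          # fabric/system accounts that humans should not drive over SSH
EXPECTED_PEERS = {"10.0.0.1"}                # constructed allow-list of controller addresses (assumption)

# Constructed audit events mirroring the reported sequence; format is assumed for this example.
SAMPLE_EVENTS = """\
{"ts":"2026-02-03T01:02:10Z","event":"ssh_login","user":"vmanage-admin","src":"10.9.9.9"}
{"ts":"2026-02-03T01:03:05Z","event":"password_change","user":"admin","by":"vmanage-admin"}
{"ts":"2026-02-03T01:04:00Z","event":"web_login","user":"admin","src":"10.9.9.9"}
{"ts":"2026-02-03T01:06:30Z","event":"config_export","user":"admin"}
{"ts":"2026-02-03T01:08:00Z","event":"file_upload","user":"admin","name":"evil_tenant.csv"}
{"ts":"2026-02-03T01:08:20Z","event":"user_create","user":"troot","uid":0,"by":"admin"}
{"ts":"2026-02-03T01:09:00Z","event":"su","user":"admin","target":"troot"}
{"ts":"2026-02-03T01:20:00Z","event":"password_change","user":"admin","by":"vmanage-admin"}
{"ts":"2026-02-03T01:21:00Z","event":"ssh_logout","user":"vmanage-admin"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_escalation_chain(events):
    """Return (rule, timestamp, detail) findings for the SD-WAN takeover pattern."""
    findings = []
    uid0_accounts = set()   # non-root accounts created with UID 0 so far
    last_pw_change = {}     # account -> time of its most recent password change
    last_upload = None      # most recent file_upload event

    for e in events:
        kind = e["event"]
        if kind == "ssh_login" and e["user"] in SYSTEM_ACCOUNTS and e["src"] not in EXPECTED_PEERS:
            findings.append(("system-account-ssh-from-unexpected-peer", e["ts"], e["src"]))
        elif kind == "password_change":
            prev = last_pw_change.get(e["user"])
            if prev is not None and e["ts"] - prev <= REVERT_WINDOW:
                findings.append(("repeat-password-change-within-window", e["ts"], e["user"]))
            last_pw_change[e["user"]] = e["ts"]
        elif kind == "file_upload":
            last_upload = e
        elif kind == "user_create" and e.get("uid") == 0 and e["user"] != "root":
            uid0_accounts.add(e["user"])
            findings.append(("uid0-account-created", e["ts"], e["user"]))
            if last_upload is not None and e["ts"] - last_upload["ts"] <= UPLOAD_TO_ROOT_WINDOW:
                findings.append(("upload-then-root-account", e["ts"], last_upload["name"]))
        elif kind == "su" and e["target"] in uid0_accounts:
            findings.append(("su-to-created-uid0-account", e["ts"], f'{e["user"]}->{e["target"]}'))
    return findings


if __name__ == "__main__":
    for f in detect_escalation_chain(parse_events(SAMPLE_EVENTS)):
        print(f)
```

Against the constructed feed the detector fires five times, one per stage. The password-revert rule is the one most likely to be missed by single-event alerting, because each change on its own looks like routine administration; it is the pairing inside a short window, bracketed by a system-account SSH session, that gives the game away. An independent check that needs no logs at all is to enumerate every account with UID 0 on each controller and compare the list with what the platform ships.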
Put together, CVE-2026-20230 and CVE-2026-20245 point to the same uncomfortable pattern: network-critical vendors patch, but exploitation chains move faster than enterprise tooling and processes. For boards and executives, the second-order risk is not just operational downtime. It is the chance that the compromise window extends past disclosure. If attackers can exploit weeks or months before awareness, they can also harvest configurations, persist through credentials or created accounts, and establish visibility across traffic. In SD-WAN, that visibility angle is especially sensitive for government-sponsored spying, which the source notes is a common driver for long-term snooping.
Cisco is working on a response to the reports. The Register asked Cisco about the reported exploitation of CVE-2026-20230 and about Mandiant’s investigation into CVE-2026-20245; for the latter, Cisco pointed to its June advisory. For organizations running Cisco Unified Communications Manager or Cisco Catalyst SD-WAN, the immediate action is clear. The strategic takeaway for everyone else is harder: assume exploit code eventually lands in the hands of people with patience, and assume your patch date is not the same as your actual protection date.