Cisco’s Vulnerability Streak Persists as Attackers Target Unified CM and SD-WAN

Cisco contends with active exploitation of CVE-2026-20230 in Unified CM, enabling file writes and root access via SSRF, and CVE-2026-20245 in SD-WAN Manager for privilege escalation. Mandiant revealed attacks began months earlier than Cisco's June disclosure. Both flaws highlight the rapid shift from patch to exploit in enterprise networks.
Written by Victoria Mossi

Cisco faces yet another round of serious security problems. Attackers waste little time once details surface. Two fresh cases highlight the pattern. One hits communications systems. The other strikes wide-area network gear many enterprises rely on daily.

Just weeks after Cisco issued patches, threat actors began exploiting a server-side request forgery flaw in its Unified Communications Manager software. The bug, tracked as CVE-2026-20230, carries a CVSS score of 8.6. It stems from improper input validation on certain HTTP requests. Unauthenticated remote attackers can abuse it when the WebDialer feature remains enabled.

Success lets them write files to the underlying operating system. From there, escalation to root becomes possible. Cisco released fixes in version 14SU6 and 15SU5. It advised disabling WebDialer where feasible. At disclosure in early June, the company reported no known exploitation. That changed fast.

Over the weekend, researchers at Defused observed active attacks. They detailed a chain that starts with the WebDialer SSRF. Attackers deploy a rogue Apache Axis service. They write a first-stage JSP file-writer. Then they drop a second-stage command-execution shell under /platform-services/axis2-web/. Proof-of-concept code circulated quickly after SSD Secure Disclosure published technical specifics. The path to root now sits in plain sight.

SD-WAN Zero-Days Multiply

Meanwhile, a separate privilege-escalation vulnerability in Cisco Catalyst SD-WAN Manager has drawn even sharper concern. Tracked as CVE-2026-20245, the flaw allows arbitrary command execution as root via a crafted file upload. It requires netadmin-level privileges first. Those can come from valid credentials or by chaining with earlier bugs such as the CVSS 10.0 authentication bypasses disclosed earlier this year.

Cisco learned of active exploitation in June 2026. Its PSIRT rushed out an advisory. No patch existed at the time. One is promised in a future release. Yet Google’s Mandiant team revealed the attacks began much earlier. In a detailed analysis published this week, researchers Chester Sng, Pete Boonyakarn and Logeswaran Nadarajan described how a threat actor targeted SD-WAN infrastructure at a communications service provider.

The intruder first established unauthorized peering. They gained SSH access as admin. Passwords were changed temporarily to avoid detection, configurations exfiltrated, then passwords restored. For the final step, the attacker uploaded a malicious file named evil_tenant.csv. This triggered the zero-day and created a user called troot with full root privileges. The move granted total visibility into corporate internet traffic routed through the compromised fabric.

And this marks the seventh SD-WAN vulnerability exploited in the wild during 2026, according to SecurityWeek. Previous cases include CVE-2026-20182, CVE-2026-20127 and several others. Government-sponsored groups favor these bugs. The potential for persistent access and data interception makes them attractive targets.

Security teams at large organizations express growing fatigue. Cisco ships updates frequently. Yet the pace of discovery and exploitation outstrips remediation windows. Enterprises running older SD-WAN deployments or Unified CM instances with WebDialer active sit at highest risk. Many devices remain exposed on management interfaces. Segmentation helps. So does rapid patching. But zero-days leave little margin.

The Register first captured the cumulative pressure in its reporting. It noted the hits keep arriving with little respite. Mandiant’s findings confirm attackers enjoyed a months-long head start on CVE-2026-20245. Cisco’s own advisory acknowledges the gap. “In June 2026, the Cisco PSIRT became aware of exploitation of this vulnerability,” it stated.

Defused, for its part, shared observations on X shortly after spotting the Unified CM campaign. The technical chain they outlined matches what SSD researchers described in their PoC release. File writes lead to webshells. Root follows. The sequence requires no authentication if the feature is on.

Broader trends worry analysts. Cisco products occupy central positions in many networks. A single compromise can expose voice systems, routing policies or sensitive traffic flows. Attackers chain flaws. They move from authentication bypass to command injection to persistence. Patches arrive. But real-world adoption lags, especially in complex environments.

So far, no single campaign ties the two latest bugs together. Their timing, however, reinforces a clear message. Cisco customers cannot afford delay. They must inventory deployments, verify patch levels and restrict unnecessary features. For SD-WAN, that means auditing peering connections and monitoring for rogue devices. For Unified CM, it means confirming WebDialer status and watching logs for suspicious HTTP activity.
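The log monitoring this paragraph recommends can be reduced to a few concrete rules. The Python below is an added example written for this article, not code from Cisco, Defused, SSD or Mandiant. It applies four checks to constructed log lines: a JSP request under /platform-services/axis2-web/ on a Unified CM node (the drop location described above), creation of a root-privileged account on SD-WAN Manager, a file upload followed within minutes by account creation, and the same account's password changed twice inside a short window (the change-then-restore behaviour Mandiant reported). The log formats, addresses, timestamps and file names are constructed; real Unified CM access logs and SD-WAN Manager audit logs use different layouts, so only the matching logic is meant to carry over.

```python
"""Toy detection rules for the two indicator families described in the article.
Log formats, hosts and timestamps below are constructed for illustration."""
import re
from datetime import datetime, timedelta

# --- Unified CM: HTTP access log in a generic combined-log style (constructed) ---
UCM_ACCESS_LOG = """\
10.0.0.5 - - [12/Jun/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.7 - - [12/Jun/2026:10:02:10 +0000] "POST /platform-services/axis2-web/stage1.jsp HTTP/1.1" 200 210
203.0.113.7 - - [12/Jun/2026:10:02:15 +0000] "GET /platform-services/axis2-web/cmd.jsp?c=id HTTP/1.1" 200 88
10.0.0.9 - - [12/Jun/2026:10:03:00 +0000] "GET /platform-services/axis2-web/index.jsp HTTP/1.1" 404 0
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
# Directory the article names as the drop location for the second-stage shell.
AXIS2_WEB = "/platform-services/axis2-web/"


def parse_access(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def ucm_findings(log_text):
    """Flag every request for a .jsp file below axis2-web.

    A 2xx answer means the server actually ran a JSP from that directory
    (strong signal); any other status is recorded as a probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if path.startswith(AXIS2_WEB) and path.lower().endswith(".jsp"):
            rule = "jsp_served" if rec["status"].startswith("2") else "jsp_probe"
            hits.append({"rule": rule, "src": rec["src"], "path": path})
    return hits


# --- SD-WAN Manager: key=value audit events (constructed format) ---
SDWAN_AUDIT_LOG = """\
2026-05-01T01:00:00Z user=admin action=login src=198.51.100.4 method=ssh
2026-05-01T01:05:00Z user=admin action=password_change target=admin
2026-05-01T01:20:00Z user=admin action=config_export
2026-05-01T01:40:00Z user=admin action=password_change target=admin
2026-05-01T01:45:00Z user=admin action=file_upload name=evil_tenant.csv
2026-05-01T01:45:03Z user=admin action=user_create target=troot privilege=root
2026-05-02T09:00:00Z user=netops action=login src=10.1.1.20 method=ssh
"""


def parse_audit(line):
    """Parse '<ISO timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def sdwan_findings(log_text, pw_window=timedelta(minutes=60),
                   upload_window=timedelta(minutes=5)):
    """Apply the three SD-WAN rules and return a list of findings in log order."""
    events = [parse_audit(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    last_pw_change = {}      # account -> time of its most recent password change
    last_upload = None       # most recent file_upload event
    for ev in events:
        action = ev.get("action")
        if action == "password_change":
            target = ev.get("target")
            prev = last_pw_change.get(target)
            if prev is not None and ev["ts"] - prev <= pw_window:
                findings.append({"rule": "pw_change_then_restore", "account": target,
                                 "ts": ev["ts"]})
            last_pw_change[target] = ev["ts"]
        elif action == "file_upload":
            last_upload = ev
        elif action == "user_create":
            if ev.get("privilege") == "root":
                findings.append({"rule": "root_account_created",
                                 "account": ev.get("target"), "ts": ev["ts"]})
            if last_upload is not None and ev["ts"] - last_upload["ts"] <= upload_window:
                findings.append({"rule": "upload_then_user_create",
                                 "account": ev.get("target"),
                                 "file": last_upload.get("name"), "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for hit in ucm_findings(UCM_ACCESS_LOG) + sdwan_findings(SDWAN_AUDIT_LOG):
        print(hit)
```

The Unified CM rule deliberately keys on the directory and file type rather than on a specific shell name, since the first- and second-stage JSP names are attacker-chosen; the SD-WAN rules key on behaviour (privilege level, sequencing, a password changed and changed back) rather than on the literal names troot or evil_tenant.csv, which an operator can trivially vary.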

The company continues to issue bundled advisories covering dozens of flaws across firewalls, management centers and collaboration tools. Many receive high severity ratings. Some reach critical. Exploitation reports surface regularly. This year’s SD-WAN cluster stands out for its volume and the sophistication of observed activity.

Organizations that treat these incidents as isolated miss the point. The pattern suggests structural challenges in secure-by-design practices for complex networking code. Until that changes, administrators will keep racing to apply fixes while attackers probe for the next unpatched instance. The hits, it seems, have not stopped coming.
