Two Months Inside: What the Cisco SD-WAN Zero-Day Reminds Us About Quiet Intrusions
Two Months Inside: What the Cisco SD-WAN Zero-Day Reminds Us About Quiet Intrusions For at least two months, attackers were operating inside Cisco Catalyst SD-WAN environments before the vulnerability was public. There was no patch yet, and nothing pointing defenders toward where to look. Cisco has since confirmed attackers were exploiting CVE-2026-20245 in the wild, using it to gain privileged access and stay resident. Another zero-day isn't really the story, because those come around regularly. The part we keep coming back to is the two months. For that entire window, the activity would have looked like a normal Tuesday to anyone watching from inside. That's worth sitting with, and not as a knock on anyone. The teams running that gear were doing the job, but there simply wasn't an obvious tell. No smoking gun, no ransom note, no server on fire. It's the reality all of us in this work…
