Two Months Inside: What the Cisco SD-WAN Zero-Day Reminds Us About Quiet Intrusions
For at least two months, attackers were operating inside Cisco Catalyst SD-WAN environments before the vulnerability was public. There was no patch yet, and nothing pointing defenders toward where to look. Cisco has since confirmed attackers were exploiting CVE-2026-20245 in the wild, using it to gain privileged access and stay resident.
Another zero-day isn't really the story, because those come around regularly. The part we keep coming back to is the two months. For that entire window, the activity would have looked like a normal Tuesday to anyone watching from inside.
That's worth sitting with, and not as a knock on anyone. The teams running that gear were doing the job, but there simply wasn't an obvious tell. No smoking gun, no ransom note, no server on fire. It's the reality all of us in this work share: keeping people out is one part of it, and noticing when someone is already in and behaving themselves is the other.
The compromises that matter most rarely look like the movies. A lot of the mental picture around attacks involves something loud, with alarms going off and screens flashing red. The quiet ones are harder to see, and they often show up as:
- A new admin account that looks like every other admin account
- A configuration change that's technically valid
- Activity that sits comfortably inside what the environment considers expected
None of it trips a rule, because on paper none of it is wrong.
Modern tooling is genuinely good at the mechanical parts, like collecting telemetry, correlating events, and cutting the noise down so analysts aren't drowning in it. What tooling can't do on its own is decide whether something that's allowed actually makes sense for a given environment on a given day. A SIEM doesn't know that nobody on the team stands up a new admin at 2am on a Sunday, but a person does.
That's where we like to spend our energy. It means not just clearing an alert and reaching for the next one, but asking the follow-up questions:
- Who created this account?
- Was that change approved by someone, or did it just happen?
A lot of the time, those questions surface more than the alert that kicked them off ever would.
It's also why we stay committed to keeping humans in the lead, and none of this is anti-automation. AI and automation have made detection, enrichment, and response faster than they've ever been, and they belong in any serious security program. They just do their best work when they're pointed at good analysts rather than standing in for them. The instinct to notice that something is odd and pull the thread is still a human one. Software doesn't get suspicious.
For anyone running affected Catalyst SD-WAN gear, the near-term steps are straightforward:
- Apply Cisco's updates
- Review the environment against the published indicators
It's worth doing sooner than later.
The bigger reflection is one we sit with too. An intruder who holds quiet, privileged access and breaks nothing is one of the hardest things in this field to catch, for any of us. That's not a gap to feel bad about. It's the whole reason patient, human-led detection exists, and it's the work we're glad to do alongside the teams we partner with.
