An unknown attacker was inside Cisco Catalyst SD-WAN systems for at least two months before anyone publicly knew the door was open. According to Google-owned Mandiant, CVE-2026-20245, a high-severity flaw in Cisco's Catalyst SD-WAN, was exploited as a zero-day for roughly two months before Cisco disclosed it on June 4, 2026, after observing limited cases of exploitation. At the time of disclosure there was no patch available; Cisco began releasing Catalyst SD-WAN Manager updates with the fix on June 10. The lesson is not just that another enterprise product had a serious bug. It is that the gap between when attackers find a flaw and when defenders learn it exists can be measured in months, and during that window there is nothing to patch.
- CVE-2026-20245 is a high-severity vulnerability in Cisco Catalyst SD-WAN, disclosed by Cisco on June 4, 2026.
- Mandiant found it was exploited as a zero-day at least two months before public disclosure.
- No patch existed at disclosure; Cisco began shipping Catalyst SD-WAN Manager fixes on June 10.
- The long silent-exploitation window is the real story: defenders had no signal and no fix while attackers operated freely.
What actually happened
Cisco Catalyst SD-WAN is enterprise networking software that manages how organizations route traffic across their wide-area networks, the kind of infrastructure that sits at the core of a corporate network. On June 4, 2026, Cisco disclosed CVE-2026-20245 after detecting a limited number of exploitation cases. The disclosure came without an available patch, meaning organizations learned they were vulnerable before they had any way to fix it. Cisco started releasing patched versions of Catalyst SD-WAN Manager on June 10. The detail that elevates this from routine to alarming came from Mandiant, Google's threat-intelligence arm, which determined that an unidentified threat actor had been exploiting the flaw as a zero-day for at least two months prior to disclosure. For that entire period, the vulnerability was being actively used while remaining unknown to Cisco, to defenders, and to the public.
Why is a two-month silent window so dangerous?
Because in security, the clock that matters is not how fast you patch after disclosure. It is how long an attacker had free rein before disclosure ever happened. A zero-day that is quietly exploited for two months gives the attacker an enormous head start: time to map the network, move laterally, establish persistence, and exfiltrate data, all before any defender knows there is a hole to plug. By the time the CVE is published and the patch ships, the damage at already-compromised organizations may be done, and patching only closes the door behind an intruder who may already be inside. This is the asymmetry that defines zero-day risk. Defenders are reactive by definition; they cannot patch a flaw they do not know exists, cannot write a detection signature for an unknown technique, and cannot respond to an intrusion they have not detected. Two months of that asymmetry, against core network infrastructure, is a serious head start.
The mechanism most coverage skips
The deeper trend is that the window between vulnerability and exploitation is collapsing at both ends, and infrastructure devices are the favored target. On one side, when flaws are disclosed publicly, attackers now weaponize them in hours rather than days, helped by automated and AI-assisted tooling that turns an advisory into a working exploit faster than ever. On the other side, as this Cisco case shows, sophisticated actors increasingly find and exploit flaws silently, well before disclosure, treating zero-days in enterprise gear as a strategic resource. The common thread is that network edge and management devices, the routers, firewalls, and SD-WAN controllers that sit at the boundary of corporate networks, are prime targets precisely because they are powerful, widely deployed, and often under-monitored. The same month brought a parallel campaign against Fortinet appliances and a record Microsoft patch load, which is not a coincidence. Attackers have concluded that the infrastructure layer is where the leverage is, and they are mining it on both timelines: instant exploitation after disclosure, and patient silent exploitation before it.
Who this affects
Organizations running Cisco Catalyst SD-WAN are the ones directly exposed, and any that were compromised during the two-month window need to assume patching alone is insufficient and hunt for signs of prior intrusion. Network and security teams everywhere get another reminder that edge and management devices deserve the same scrutiny as servers and endpoints, not less. Cisco faces the reputational cost of a core product being silently exploited, and the pressure to explain how the flaw went undetected for so long. And the broader enterprise gets a case study in why defense cannot rely on patching alone, because the most dangerous flaws are the ones being used before any patch exists. The only counter to silent exploitation is detection and monitoring deep enough to catch the activity even without knowing the specific vulnerability.
What is next
Watch for indicators of compromise and incident reports from affected organizations, because the practical question now is how many networks were breached during the silent window and what the attacker did inside them. Watch how Cisco communicates the timeline and root cause, since trust depends on transparency about how long the flaw was exploitable. Watch for follow-on exploitation now that the CVE is public, because disclosure typically triggers a second wave from less sophisticated actors using the now-known flaw. And expect continued focus on network infrastructure as a target class, which means SD-WAN, VPN, and firewall devices should be high on every defender's monitoring priority list.
Our take
The patch is the easy part. The hard truth in this disclosure is the two-month head start, and it should reframe how organizations think about risk. Treating security as a patch-management problem assumes you find out about flaws before they hurt you, and this case is a direct refutation of that assumption. The most dangerous vulnerabilities are exploited in silence, before a CVE number exists, which means the real defense is detection: monitoring network behavior closely enough to notice an intruder even when you do not yet know how they got in. Cisco will fix this flaw, and organizations should patch immediately. But the ones that emerge in the best shape will be those that were watching their own networks closely enough to catch unusual activity during those silent two months. Patching is necessary. It is no longer sufficient.
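The "Who this affects" section and the take above both rest on the same idea: catching an intruder on the management plane without a signature for the flaw they used. As an added illustration of what that looks like in practice (example code written for this page, not from the article, Cisco, or Mandiant), the script below builds a baseline of which accounts administer a controller, from which addresses, and at which hours, then flags recent audit events that deviate from it. The audit-line format, every sample entry, and the `CHANGE_ACTIONS` set are constructed assumptions; they are not Cisco's real Catalyst SD-WAN Manager log format.

```python
"""Baseline-deviation hunting over management-plane audit events.

Added example for this page, not code from the article, Cisco, or Mandiant.
The audit-line format and every sample entry below are constructed; they are
not Cisco's real Catalyst SD-WAN Manager log format.
"""
import re
from datetime import datetime

# Assumed generic audit line: "<ISO timestamp> user=<name> src=<ip> action=<verb>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+)$")

# Assumption: these actions alter controller or device state and deserve
# scrutiny when they happen outside the hours the team normally works.
CHANGE_ACTIONS = {"template_push", "policy_change", "user_create"}

# Constructed history: what "normal" administration looked like before the window.
BASELINE_LOGS = """
2026-03-01T09:12:00 user=netops src=10.20.0.15 action=login
2026-03-01T09:15:00 user=netops src=10.20.0.15 action=template_push
2026-03-02T10:02:00 user=netops src=10.20.0.15 action=login
2026-03-03T14:40:00 user=netops src=10.20.0.16 action=login
2026-03-03T14:45:00 user=netops src=10.20.0.16 action=template_push
2026-03-04T11:00:00 user=auditor src=10.20.0.30 action=login
""".strip().splitlines()

# Constructed recent activity: a night-time session from an unfamiliar address
# that creates a new account and pushes configuration with it.
RECENT_LOGS = """
2026-04-10T09:30:00 user=netops src=10.20.0.15 action=login
2026-04-11T02:17:00 user=netops src=203.0.113.77 action=login
2026-04-11T02:19:00 user=netops src=203.0.113.77 action=user_create
2026-04-11T02:21:00 user=svc_backup src=203.0.113.77 action=login
2026-04-11T02:25:00 user=svc_backup src=203.0.113.77 action=template_push
2026-04-12T10:05:00 user=auditor src=10.20.0.30 action=login
""".strip().splitlines()


def parse(lines):
    """Turn audit lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, action = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "action": action})
    return events


def build_baseline(events):
    """Record the accounts, source addresses and hours seen during normal operation."""
    baseline = {"users": set(), "sources": set(), "hours": set()}
    for e in events:
        baseline["users"].add(e["user"])
        baseline["sources"].add(e["src"])
        baseline["hours"].add(e["ts"].hour)
    return baseline


def hunt(baseline, events):
    """Flag recent events that deviate from the baseline, with the reasons why."""
    findings = []
    for e in events:
        reasons = []
        if e["user"] not in baseline["users"]:
            reasons.append("account not in baseline")
        if e["src"] not in baseline["sources"]:
            reasons.append("source address never seen in baseline")
        if e["action"] in CHANGE_ACTIONS and e["ts"].hour not in baseline["hours"]:
            reasons.append("state-changing action outside baseline hours")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "src": e["src"], "action": e["action"],
                             "reasons": reasons})
    return findings


def run_hunt(baseline_lines=BASELINE_LOGS, recent_lines=RECENT_LOGS):
    """Build the baseline from history, then hunt over the recent events."""
    return hunt(build_baseline(parse(baseline_lines)), parse(recent_lines))


if __name__ == "__main__":
    for f in run_hunt():
        print(f["ts"], f["user"], f["src"], f["action"], "->", "; ".join(f["reasons"]))
```

None of the three checks knows anything about the vulnerability; they key on the tradecraft that follows initial access (an unfamiliar source, a new account, configuration changes at an odd hour), which is exactly the kind of signal available during a silent-exploitation window. In a real deployment the events would come from the controller's audit trail via syslog or a SIEM, the baseline would span weeks rather than a handful of lines, and the hour check would use a per-account schedule, but the shape of the hunt is the same.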
Reporting via Infosecurity Magazine, analysis by GenZTech.
