
Cisco SD-WAN CVSS 10.0 Zero-Day: Unauthenticated Attackers Can Compromise Your Entire Wide-Area Network

Cisco disclosed and patched a CVSS 10.0 zero-day vulnerability (CVE-2026-20182) in Catalyst SD-WAN Manager that was actively exploited before the patch was released. Attackers bypassed authentication to inject rogue devices into the SD-WAN fabric, enabling interception of all WAN traffic. Any organisation running Cisco Catalyst SD-WAN must patch and hunt for indicators of compromise immediately.

#NIS2 #DORA

What Happened

Cisco disclosed a maximum-severity (CVSS 10.0) vulnerability in its Catalyst SD-WAN Manager that had been actively exploited before a patch was available. An unauthenticated attacker who can reach the Catalyst SD-WAN Manager over a network can bypass authentication entirely and take full administrative control of the SD-WAN management system.

With management system access, attackers can register fake SD-WAN routers into your network and configure them to silently copy all traffic flowing across your organisation’s wide-area network — including internal communications, database traffic, file transfers, and encrypted tunnels where the attacker controls the key exchange. This is the equivalent of an attacker physically inserting a wiretap device between every office and data centre your organisation operates.

Business Impact

SD-WAN is the technology most large enterprises use to connect their offices, factories, retail locations, and data centres. A compromise of the SD-WAN management plane provides an attacker with:

  • Total WAN visibility: All traffic between sites, including internal business communications, may be intercepted.
  • Traffic manipulation: An attacker can reroute traffic, drop specific packets, or create denial-of-service conditions affecting any or all WAN sites.
  • Long-term persistence: Rogue devices injected into the SD-WAN fabric can persist after the initial vulnerability is patched, since the malicious device appears as a legitimate registered router.

The active exploitation pattern observed by Cisco targeted financial services and government sector organisations — suggesting intelligence collection as the primary objective.

Regulatory Implications

For organisations under NIS2 (as operators of essential services) or DORA (financial entities), confirmed exploitation of this vulnerability constitutes a major ICT-related incident. NIS2 requires early warning to the relevant national CSIRT within 24 hours of becoming aware of a significant incident. DORA Article 19 requires notification to the relevant competent authority within four hours for critical incidents. If your SD-WAN infrastructure was potentially exposed before patching, assess whether the notification threshold has been met.

Board-Ready Summary

  • A critical flaw in the system that manages your organisation’s wide-area network allowed attackers to gain full access without a password, and was being exploited before the fix was available.
  • If your organisation runs Cisco Catalyst SD-WAN and the management system was accessible before patching, assume your WAN traffic may have been intercepted.
  • Authorise emergency patching and a threat hunt for rogue devices in the SD-WAN fabric today.

  1. Immediate (0–24 hours): Patch Cisco Catalyst SD-WAN Manager to version 20.12.4 or later. Simultaneously restrict network access to the management interface to a tightly controlled management network — it must not be accessible from the internet or untrusted segments.
  2. Threat hunt: Audit all registered SD-WAN devices in the management console. Any device that cannot be reconciled to physical hardware with a change control record should be removed and investigated.
  3. Log review: Extract Catalyst SD-WAN Manager audit logs for the period before patching. Look for unauthenticated API calls, device registration events, and logins from unexpected source IPs.
  4. Regulatory assessment: Determine whether the vulnerability exposure period and potential exploitation constitute a reportable incident under NIS2, DORA, or sector-specific frameworks. Document the assessment.
  5. Ongoing: Subscribe to Cisco PSIRT notifications and implement a policy that Cisco Critical advisories trigger 24-hour patching windows, not standard change control cycles.
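Steps 2 and 3 above can be scripted once the device list and audit events have been exported. The following is an added example, not code from the briefing or from Cisco: it reconciles registered devices against change-control records and flags registrations or logins from outside an assumed management network (10.50.0.0/24). The record layout, serials, IPs and timestamps are constructed for illustration and do not follow Cisco's own export or log schema.

```python
import ipaddress
from dataclasses import dataclass

# Assumed management segment; take the real allow-list from your network design.
MGMT_NET = ipaddress.ip_network("10.50.0.0/24")

@dataclass(frozen=True)
class Device:
    serial: str
    hostname: str

def find_unreconciled(registered, change_control):
    """Devices in the manager that no change-control record covers (hunt step 2)."""
    return [d for d in registered if d.serial not in change_control]

def suspicious_events(events, change_control, mgmt_net=MGMT_NET):
    """Flag audit events by the step-3 criteria; each event is a constructed dict."""
    findings = []
    for ev in events:
        reasons = []
        src = ipaddress.ip_address(ev["src_ip"])
        if src not in mgmt_net:
            reasons.append(f"source {src} outside management network")
        if ev["action"] == "device_register":
            if not ev.get("user"):  # no principal on a state change: unauthenticated call
                reasons.append("unauthenticated device registration")
            if ev.get("serial") not in change_control:
                reasons.append(f"registration of unapproved serial {ev.get('serial')}")
        if reasons:
            findings.append((ev["ts"], ev["action"], "; ".join(reasons)))
    return findings

# Constructed sample data: placeholder serials, documentation-range IPs, invented timestamps.
REGISTERED = [Device("C8K-AAA111", "br-london-1"), Device("C8K-BBB222", "br-paris-1"),
              Device("C8K-ZZZ999", "edge-unknown")]
CHANGE_CONTROL = {"C8K-AAA111": "CHG0001", "C8K-BBB222": "CHG0002"}
EVENTS = [
    {"ts": "2026-02-24T01:02:03Z", "action": "login", "user": "netops", "src_ip": "10.50.0.12"},
    {"ts": "2026-02-24T02:14:07Z", "action": "device_register", "user": "",
     "src_ip": "203.0.113.45", "serial": "C8K-ZZZ999"},
    {"ts": "2026-02-24T02:20:00Z", "action": "login", "user": "admin", "src_ip": "198.51.100.7"},
    {"ts": "2026-02-24T09:00:00Z", "action": "device_register", "user": "netops",
     "src_ip": "10.50.0.12", "serial": "C8K-BBB222"},
]

if __name__ == "__main__":
    for d in find_unreconciled(REGISTERED, CHANGE_CONTROL):
        print(f"UNRECONCILED {d.serial} ({d.hostname}): remove and investigate")
    for ts, action, why in suspicious_events(EVENTS, CHANGE_CONTROL):
        print(f"{ts} {action}: {why}")
```

Any device the script reports as unreconciled, and any registration flagged as unauthenticated or from outside the management network, is exactly the evidence step 4's regulatory assessment needs to document.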