Cisco disclosed CVE-2026-20245 on June 5, a high-severity vulnerability in the CLI of Cisco Catalyst SD-WAN Manager. The flaw results from insufficient validation of user-supplied input, which allows an authenticated local attacker to pass specially crafted files to the affected CLI component and execute arbitrary operating system commands as root. Cisco confirmed active exploitation in the wild and has published indicators of compromise to help organisations detect potential attacks.
No fixed software version is available at time of writing. CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog on June 5, instructing federal agencies to address it within three days. Rapid7 discovered the vulnerability during analysis of CVE-2026-20127, a related flaw in the same SD-WAN component, and disclosed technical details this week.
CVE-2026-20245 is the seventh Cisco SD-WAN vulnerability confirmed exploited in 2026. The others are CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, CVE-2026-20127, CVE-2026-20182, and CVE-2022-20775, which was first exploited this year despite being patched in 2022. The CISA KEV catalog now lists fifteen Cisco SD-WAN entries in total.
- Apply Cisco’s published indicators of compromise for CVE-2026-20245 to SIEM and endpoint detection rules immediately. The IOCs are available in the Cisco security advisory.
- Restrict CLI access to Cisco Catalyst SD-WAN Manager to named trusted administrators only. Remove any accounts with CLI access that are not operationally required.
- Monitor the Cisco Security Advisories page for the patch release and treat it as a same-day priority when it ships, given active exploitation is confirmed.
Rapid7 published a detailed exploitation timeline for CVE-2026-0257 on June 6. The flaw is an authentication bypass in the PAN-OS GlobalProtect portal and gateway that allows an attacker to establish an unauthorised VPN session when authentication override cookies are enabled with a specific certificate configuration. Palo Alto originally disclosed it on May 13, rating it medium severity and assessing exploitation as less likely.
Rapid7’s incident response telemetry shows the first exploitation wave beginning on May 17, four days after the original disclosure. In this wave, attackers used the cookie authentication bypass to access the local admin account across multiple customer environments, all originating from the hosting provider Vultr. On May 21, a second wave began from a different provider, Dromatics Systems. In this second wave, Rapid7 observed VPN IP assignment following the cookie authentication, confirming that attackers were accessing internal networks through the compromised GlobalProtect gateway.
Palo Alto updated its advisory on May 29 to acknowledge limited exploitation, twelve days after Rapid7’s data shows the first attacks. CISA added CVE-2026-0257 to KEV the same day. This brief first covered the vulnerability in Issue 49 on June 1, when Palo Alto confirmed exploitation. Rapid7’s timeline now pushes the start of exploitation back to May 17.
- Review GlobalProtect VPN logs from May 17 onward for unexpected sessions established via cookie authentication, particularly from Vultr or Dromatics Systems IP ranges. Do not limit the review to post-May 29 activity.
- If not already patched, apply the Palo Alto fix for CVE-2026-0257 or disable authentication override cookies immediately. This is confirmed active exploitation, not a theoretical risk.
- For future high-severity edge infrastructure vulnerabilities, begin log review and compensating control application at the time of original disclosure, not when exploitation is confirmed by the vendor.
Rapid7 published details of CVE-2026-0826 this week, a critical unauthenticated stack overflow vulnerability affecting multiple models of HP Poly conference phones and VoIP devices. The flaw allows a remote unauthenticated attacker to send a specially crafted request to an affected device, overflow a stack buffer, and gain root-level code execution. No user interaction is required. Patches are available for the affected device models, and Rapid7’s disclosure includes the specific models and firmware versions affected.
HP Poly devices are widely deployed as conference room phones, desktop VoIP handsets, and video conferencing endpoints in enterprise environments. Rapid7’s advisory notes that exploitation has not been confirmed in the wild at time of disclosure, but given the severity and the unauthenticated nature of the flaw, organisations should treat patching as urgent rather than routine.
- Identify all HP Poly conference phones and VoIP devices in your environment and check them against the affected model and firmware list in Rapid7’s CVE-2026-0826 advisory.
- Apply the available firmware patches for affected devices. Where immediate patching is not possible, place affected devices on a dedicated voice VLAN with restricted access from the data network.
- Include network-attached VoIP and conferencing devices in your regular vulnerability management scanning scope if they are not already covered.