Vulnerability and Exploitation
Cisco has confirmed that a high-severity security vulnerability in its Catalyst SD-WAN Manager is being actively exploited in real-world attacks. The flaw, which affects on-premises and cloud deployments of the software, allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root. This is achieved by uploading a specially crafted file to the affected system, taking advantage of insufficient input validation.
The vulnerability enables privilege escalation and command injection, giving attackers full control over the system. In some observed incidents, the exploitation led to configuration changes being pushed out to edge devices, indicating the potential for broader network compromise. Cisco has not released a software patch to address the issue as of this writing.
Impact and Scope
Multiple deployment types are affected, including on-premises Cisco SD-WAN, Cisco SD-WAN Cloud Pro, Cisco SD-WAN Cloud managed by Cisco, and Cisco SD-WAN for Government FedRAMP environments. The vulnerability is closely related to two previous authentication bypass flaws that were also exploited as zero-days by a threat cluster tracked as UAT-8616. Researchers from Google Mandiant discovered and reported the latest issue, but the identity of the attackers actively exploiting it remains unknown.
Organizations using the affected software are urged to review their systems for signs of compromise and apply any available mitigations Cisco may provide. With no patch currently available, administrators should limit access to trusted users and monitor for suspicious uploads or command execution.
Source: The Hacker News

