Fast answer: what changed today
The Hacker News reported on June 25, 2026 that a Cisco Catalyst SD-WAN zero-day, tracked in public reporting as CVE-2026-20245, has been exploited to gain root access. For anyone running affected Cisco SD-WAN infrastructure, this is not a normal antivirus story. The first line of defense is vendor patching, configuration review and management-plane lockdown. Security suites matter after that because compromised edge devices can lead to stolen credentials, malicious scripts on administrator workstations, lateral movement and phishing against IT staff.
If you are a home user reading this because your workplace uses Cisco, do not panic-buy software. Make sure your work laptop is managed, keep your password manager and MFA clean, and avoid logging into admin portals from unmanaged devices. If you are a small business or MSP, treat this as a network-edge incident: verify exposure, patch immediately, rotate secrets, inspect logs and add endpoint monitoring on every machine used to administer SD-WAN.
Immediate response checklist
1. Confirm exposure
List every Catalyst SD-WAN controller, edge device and management interface. Confirm versions against Cisco’s official advisory and check whether any management plane is reachable from the public internet or broad internal networks.
2. Patch or isolate
Apply vendor fixes as soon as possible. If a fix is not available for your exact build, restrict access using ACLs, VPN-only administration, jump hosts and emergency firewall rules until remediation is complete.
3. Rotate credentials
Change administrator passwords, API tokens, SSH keys and VPN credentials after you have cleaned administrator endpoints. Prioritize accounts that can modify routing, certificates, templates or identity provider settings.
4. Hunt for follow-on activity
Review authentication logs, configuration changes, unexpected local accounts, new scheduled tasks, unfamiliar outbound connections and downloaded scripts. Edge compromise is dangerous because it can hide behind legitimate network traffic.
Best security products for the aftermath
No antivirus product can patch a Cisco zero-day by itself. The right product helps with the second-order problems: malware on admin laptops, credential-stealing browser extensions, malicious scripts, suspicious remote-access tools, phishing pages that target IT staff and dark-web exposure after credential theft. Below are five practical picks for different environments.
1. Bitdefender GravityZone / Bitdefender Total Security — Best overall detection layer
Rating: 4.8/5 · Price: consumer plans often start around $3–$5 per month on annual promotions; GravityZone business pricing varies by seat.
- Strong independent lab performance for malware and exploit protection.
- Business tiers support centralized policy and endpoint visibility.
- Good fit for mixed Windows and Mac admin workstations.
- Consumer VPN allowance can be limited unless upgraded.
- Business console requires setup discipline.
- Does not replace network-device patching or log review.
Choose Bitdefender if you need a dependable endpoint protection layer while you patch Cisco infrastructure. It is especially useful for small teams that have a few administrator laptops and want strong malware, phishing and ransomware defense without building a full enterprise SOC.
2. Malwarebytes ThreatDown / Malwarebytes Premium — Best cleanup and suspicious-tool detection
Rating: 4.6/5 · Price: Premium consumer plans commonly start around $3–$5 per month; business endpoint pricing varies.
- Good at finding adware, trojans and unwanted remote-access tools.
- Simple workflow for emergency scans on suspect machines.
- Business option adds endpoint management for small organizations.
- Less of an all-in-one identity and VPN bundle.
- Advanced incident response still requires log analysis.
- May overlap with existing EDR in larger companies.
Use Malwarebytes when you suspect an administrator workstation may have been used as a beachhead. It is not the whole response, but it is a strong second opinion when you are checking machines that accessed SD-WAN portals, password vaults or network management tools.
3. ESET Home Security / ESET Protect — Best lightweight protection for technical users
Rating: 4.5/5 · Price: consumer plans usually start around $3–$5 per month depending on device count and term.
- Light system impact and quiet day-to-day operation.
- Strong exploit, script and phishing controls.
- Good choice for technical households and lean IT teams.
- Fewer bundled identity extras than Norton or Aura.
- Business setup is more valuable than one-off installs.
- Requires careful configuration for maximum visibility.
ESET is a smart pick if your admin devices are older or you dislike heavy security suites. During a zero-day response, low friction matters: people actually keep the agent installed, scans run quietly and protection does not get disabled because it slows down emergency work.
4. Norton 360 Deluxe — Best consumer bundle for IT staff at home
Rating: 4.4/5 · Price: promotional annual plans often land around $4–$8 per month equivalent.
- Strong malware protection plus password manager, VPN and cloud backup.
- Dark-web monitoring can help flag exposed personal credentials.
- Good for families where work and personal devices share a network.
- Heavier than minimalist products during scans.
- Renewal pricing needs careful review.
- Not designed as a network-device incident response platform.
Norton is not what you install on a Cisco appliance. It is what an admin may install on personal or family devices when they also handle sensitive credentials at home. If work-from-home administration is part of your risk model, a bundle with VPN, backup and monitoring can reduce adjacent account-takeover risk.
5. Surfshark One — Best low-cost VPN plus antivirus bundle
Rating: 4.2/5 · Price: long-term promotional plans can be around $2–$4 per month, with pricing changing frequently.
- Combines VPN, antivirus and breach alerts at a low entry price.
- Useful for travel or remote staff on untrusted Wi-Fi.
- Simple consumer setup for nontechnical users.
- Not an enterprise EDR or SIEM replacement.
- Antivirus depth is not as mature as Bitdefender or ESET.
- Long-term deals require checking renewal terms.
Surfshark One is best for remote workers who need a safer baseline quickly: encrypted traffic on hostile networks, malware scans on laptops and breach alerts for reused emails. It is not enough for the Cisco side of the incident, but it can reduce opportunistic compromise around the people doing the response.
Comparison table
| Product | Best for | Score | Key strengths | Typical limitation |
|---|---|---|---|---|
| Bitdefender | Small-business endpoint protection | 4.8/5 | Malware, exploit and ransomware defense | Console setup takes time |
| Malwarebytes | Cleanup and second-opinion scans | 4.6/5 | Suspicious tools, trojans, unwanted apps | Less bundled identity coverage |
| ESET | Lightweight technical setups | 4.5/5 | Low impact, script and phishing controls | Fewer extras |
| Norton 360 | Consumer/family admin devices | 4.4/5 | Security bundle, VPN, backup, dark-web alerts | Renewal pricing and system impact |
| Surfshark One | Remote workers needing VPN plus AV | 4.2/5 | VPN, breach alerts, simple malware protection | Not enterprise response tooling |
How to decide what you actually need
If your company already runs Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, Sophos or another managed EDR, do not install a consumer suite on top of it without IT approval. Layering multiple real-time engines can break performance and hide alerts. Instead, focus on whether the EDR is deployed to every administrator device, whether tamper protection is enabled, whether alerts are routed to a human and whether the team can search for suspicious scripts, browser credential theft and remote-access tools.
If you are a smaller office without managed endpoint security, start with Bitdefender or Malwarebytes business plans before buying individual consumer licenses. Central visibility matters after a network-edge vulnerability because you need to know whether all admin laptops were scanned, whether any detections were ignored and whether risky machines are still connecting to the management network.
For households, freelancers and IT staff who simply want to reduce personal exposure, Norton, ESET or Surfshark One are easier choices. Pair them with a dedicated password manager, unique passwords for every admin portal, hardware-backed MFA where available and a separate browser profile for privileged network administration. The biggest mistake is treating a Cisco zero-day as only a Cisco problem; the appliance may be the entry point, but stolen credentials and compromised laptops often become the persistence layer.
Related Omellody guides
Monitoring plan for the next 72 hours
After the emergency patch window, keep watching for delayed abuse. Review successful and failed administrator logins, new SSH keys, configuration exports, certificate changes, unusual DNS lookups, fresh remote-management tools and outbound traffic to infrastructure you do not recognize. Ask every administrator to confirm which device they used, when they logged in and whether they copied credentials into scripts or browser profiles. This short follow-up window often catches the real business risk: not only the exploited Cisco device, but the credential and endpoint trail around it.
Document what you changed, which versions were patched, which credentials were rotated and which endpoints were scanned. That record helps with insurance, customer questions and future audits, and it keeps the response from becoming tribal knowledge.
FAQ
What is CVE-2026-20245?
Public reporting describes CVE-2026-20245 as a Cisco Catalyst SD-WAN zero-day exploitation case involving root-level access. Confirm the exact affected versions, mitigations and fixes through Cisco’s official advisory before making production changes.
Can antivirus fix the Cisco Catalyst SD-WAN zero-day?
No. Antivirus cannot patch a network appliance vulnerability. It helps detect malware, credential theft and suspicious activity on the workstations and servers around the affected infrastructure.
What should I do in the first hour?
Verify whether your versions are affected, restrict management access, apply available fixes or mitigations, preserve logs, rotate high-risk credentials and monitor administrator endpoints for compromise.
Should I rotate my password manager credentials?
Rotate credentials that were used to administer affected systems, especially if they were entered from machines that may be compromised. Do this after scanning and cleaning endpoints so new secrets are not captured again.
Which product is best for a small business?
Bitdefender GravityZone is the strongest default choice for managed endpoint protection, while Malwarebytes ThreatDown is useful for cleanup and second-opinion scans. If you already have a managed EDR, tune and verify that platform first.