Vulnerability

State-Sponsored Hackers Exploit Cisco Catalyst SD-WAN Manager Zero-Day to Gain Root Access

dark6 25 June 2026

A sophisticated, likely state-sponsored threat actor has been actively exploiting a newly disclosed zero-day vulnerability in Cisco Catalyst SD-WAN Manager, escalating from a compromised administrative account to full root-level control over targeted network infrastructure. The zero-day, tracked as CVE-2026-20245 (CVSS 7.8), was uncovered during a Mandiant investigation into an intrusion at a major service provider.

The Zero-Day: Technical Details

CVE-2026-20245 resides in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers and is classified under CWE-116 (Improper Encoding or Escaping of Output). The flaw originates in the device’s file upload feature, which fails to properly validate user-supplied input before processing it through privileged shell helpers.

An authenticated attacker with netadmin-level privileges can upload a specially crafted CSV file to trigger command injection, achieving arbitrary command execution as root. The flaw affects all deployment types: On-Premises, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP government environments.

The Intrusion: Two Phases

The attack unfolded in two distinct phases spanning late 2025 through mid-2026. In the first phase, Mandiant observed unauthorized peering connections to the victim’s SD-WAN Manager devices. These exploited two companion authentication bypass flaws — CVE-2026-20127 and CVE-2026-20182, both rated CVSS 10.0 — allowing unauthenticated remote attackers to obtain administrative privileges. Both CVEs were undisclosed and unpatched at the time, providing unchallenged access.

In the second phase (March 2026 onward), the threat actor authenticated via SSH using the vmanage-admin default account, changed the default admin password, accessed the web interface, exfiltrated device configurations, and then reverted the password change to avoid raising alerts.

The Malicious CSV Upload

The most technically sophisticated element was the exploitation of CVE-2026-20245 via file upload. The attacker uploaded a file named evil_tenant.csv that manipulated /etc/passwd and /etc/shadow, injecting a new user account named troot with UID 0 (full root privileges). The attacker then escalated via the su command, achieving complete management plane control.

After exploitation, the attacker executed a systematic cleanup: deleting evil_tenant.csv, restoring original config files, reverting /etc/passwd and /etc/shadow, and confirming removal of troot — a methodical anti-forensics sweep to eliminate all indicators of compromise.
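
The rogue-account technique described above is straightforward to check for on the defender's side. The following is an added example written for this article, not Cisco or Mandiant tooling: it parses passwd and shadow data, flags any UID 0 account other than root (the assumption that root is the only legitimate UID 0 account on the appliance is mine), reports shadow entries with no passwd counterpart, and diffs two passwd snapshots. The file contents are constructed samples that mirror the troot account in the write-up; the hashes are placeholders.

```python
"""Audit passwd/shadow data for rogue UID-0 accounts like the 'troot' user.

Added example for this article, not Cisco or Mandiant tooling. The file
contents are constructed sample data; on a real appliance you would read
/etc/passwd and /etc/shadow (or the copies inside an admin-tech bundle) and
pass their text to the same functions.
"""

from dataclasses import dataclass

# Constructed sample: what the passwd file looked like before the intrusion.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
"""

# Constructed sample: the same file with an injected UID-0 account appended.
TAMPERED_PASSWD = BASELINE_PASSWD + "troot:x:0:0::/root:/bin/bash\n"

# Constructed sample shadow file; the hash fields are placeholders, not real hashes.
TAMPERED_SHADOW = """\
root:$6$placeholder$hash:20000:0:99999:7:::
daemon:*:20000:0:99999:7:::
vmanage-admin:$6$placeholder$hash:20000:0:99999:7:::
troot:$6$placeholder$hash:20000:0:99999:7:::
"""

# Assumption: root is the only account that should ever carry UID 0 here.
EXPECTED_UID0 = frozenset({"root"})


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text; a malformed line is an error, not silently skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line {lineno}: {line!r}")
        entries.append(PasswdEntry(fields[0], int(fields[2]), int(fields[3]),
                                   fields[5], fields[6]))
    return entries


def parse_shadow(text):
    """Map account name to its password field from shadow-format text."""
    hashes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line {lineno}: {line!r}")
        hashes[fields[0]] = fields[1]
    return hashes


def usable_password(field):
    """True when the shadow password field permits password login."""
    return field not in ("", "*", "!", "!!") and not field.startswith("!")


def find_rogue_uid0(passwd_text, shadow_text, expected=EXPECTED_UID0):
    """Return (findings, orphans): unexpected UID-0 accounts, and shadow entries
    with no passwd counterpart (a sign of a half-finished edit or cleanup)."""
    entries = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for e in entries:
        if e.uid == 0 and e.name not in expected:
            findings.append({
                "name": e.name,
                "shell": e.shell,
                "login_capable": usable_password(shadow.get(e.name, "!")),
            })
    orphans = sorted(set(shadow) - {e.name for e in entries})
    return findings, orphans


def diff_accounts(before_text, after_text):
    """Account names added and removed between two passwd snapshots."""
    before = {e.name for e in parse_passwd(before_text)}
    after = {e.name for e in parse_passwd(after_text)}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    findings, orphans = find_rogue_uid0(TAMPERED_PASSWD, TAMPERED_SHADOW)
    print("rogue UID-0 accounts:", findings)
    print("shadow entries without a passwd entry:", orphans)
    print("added/removed vs baseline:", diff_accounts(BASELINE_PASSWD, TAMPERED_PASSWD))
```

Because the attacker reverted /etc/passwd and /etc/shadow after use, a one-off audit run after the cleanup comes back clean. Run the check on a schedule and diff consecutive snapshots (or compare the copies in an admin-tech bundle against a known-good baseline) so the transient change is recorded while it exists.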

Indicators of Compromise

Key rogue IP addresses observed establishing unauthorized peer connections:

  • 126.51.108[.]152
  • 76.92.245[.]217
  • 207.190.37[.]94
  • 23.245.7[.]178
  • 153.186.231[.]233

Review /var/log/scripts.log for suspicious file upload commands or unauthorized configuration changes.
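
As an added example for this article (not part of Cisco's or Mandiant's tooling), the script below turns the defanged IP list above into address objects and runs two checks over log lines: a match against the rogue peer IPs, and a flag on any CSV upload event for analyst review. The log lines are constructed; the article does not show the real /var/log/scripts.log layout, so the patterns are an assumption to adapt to the fields you actually see.

```python
"""Match the rogue peer IPs from the article against log lines and surface CSV uploads.

Added example for this article, not Cisco or Mandiant tooling. The log lines
below are constructed in a syslog-like layout; the real scripts.log format is
not shown in the article.
"""

import ipaddress
import re

# IOCs exactly as the article lists them, in defanged form.
RAW_IOCS = [
    "126.51.108[.]152",
    "76.92.245[.]217",
    "207.190.37[.]94",
    "23.245.7[.]178",
    "153.186.231[.]233",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Every .csv upload is surfaced for review, benign-looking or not.
CSV_UPLOAD_RE = re.compile(r"\bupload\b.*?\.csv\b", re.IGNORECASE)


def refang(ioc):
    """Turn a defanged indicator ('1.2.3[.]4') back into a parseable address."""
    return ioc.replace("[.]", ".").replace("(.)", ".")


def load_iocs(raw):
    """Parse defanged indicators into address objects; a bad entry fails loudly."""
    return frozenset(ipaddress.ip_address(refang(x)) for x in raw)


def extract_ips(line):
    """All syntactically valid IPv4 addresses found in a line."""
    found = []
    for token in IPV4_RE.findall(line):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:  # e.g. 999.1.1.1 fits the regex but is not an address
            pass
    return found


def scan_log(lines, iocs):
    """Return [(line_number, [reasons])] for lines that deserve analyst review."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = []
        ioc_ips = [str(ip) for ip in extract_ips(line) if ip in iocs]
        if ioc_ips:
            reasons.append("ioc-ip:" + ",".join(ioc_ips))
        if CSV_UPLOAD_RE.search(line):
            reasons.append("csv-upload")
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample lines (not real scripts.log output).
SAMPLE_LOG = [
    "2026-03-02T01:14:07Z sdwan-mgr peer: control connection from 10.20.0.5",
    "2026-03-02T01:15:31Z sdwan-mgr peer: control connection from 126.51.108.152",
    "2026-03-02T01:20:44Z sdwan-mgr scripts: user vmanage-admin upload tenant file evil_tenant.csv",
    "2026-03-02T01:21:02Z sdwan-mgr scripts: user netops upload tenant file tenants_q1.csv",
    "2026-03-02T02:00:00Z sdwan-mgr sshd: accepted password for vmanage-admin from 207.190.37.94",
    "2026-03-02T02:05:10Z sdwan-mgr sshd: accepted password for netops from 10.20.0.7",
]

IOCS = load_iocs(RAW_IOCS)

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG, IOCS):
        print(f"line {n}: {'; '.join(reasons)} :: {SAMPLE_LOG[n - 1]}")
```

The CSV check deliberately fires on the legitimate-looking upload too: the article's advice is to review upload activity, and whether a given upload was authorised is a question for the analyst, not the regex. Feed the same function your peering, SSH and web-access logs so the IP match covers every place a rogue peer could appear.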

Patching and Mitigation

Cisco has released fixed versions. Upgrade immediately to one of the following:

  • 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2+
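
To triage a fleet against that list, here is an added example written for this article (not a Cisco tool). It reads the list as follows, which is my interpretation rather than something the article spells out: the five 20.x entries are exact fixed releases for their trains, and "26.1.1.2+" means 26.1.1.2 or any later 26.1 release. A device on a train that does not appear in the list, or on a version above every listed fix for its train, is reported as such rather than guessed at; confirm those against the Cisco advisory.

```python
"""Triage running SD-WAN Manager versions against the fixed releases listed in the article.

Added example for this article, not a Cisco tool. Assumption: the 20.x entries
are exact fixed releases and '26.1.1.2+' means 26.1.1.2 or any later 26.1
release. Trains not in the list are reported, not guessed.
"""

FIXED_RELEASES = ["20.9.9.2", "20.12.7.2", "20.15.4.5", "20.15.5.3", "20.18.3.1", "26.1.1.2"]
OPEN_ENDED_TRAINS = {(26, 1)}  # the '+' in the article applies to this train only


def parse_version(text):
    """'20.12.7.2' -> (20, 12, 7, 2); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def format_version(v):
    return ".".join(str(p) for p in v)


def train(v):
    """The release train is the first two components (20.12, 26.1, ...)."""
    return v[:2]


def assess(running):
    """Return (status, target): 'fixed', 'upgrade' with the nearest listed fix,
    'train-not-listed', or 'newer-than-listed' for a version above every listed fix."""
    v = parse_version(running)
    fixed = sorted(parse_version(f) for f in FIXED_RELEASES)
    same_train = [f for f in fixed if train(f) == train(v)]
    if not same_train:
        return ("train-not-listed", None)
    if train(v) in OPEN_ENDED_TRAINS:
        floor = same_train[0]
        return ("fixed", None) if v >= floor else ("upgrade", format_version(floor))
    if v in same_train:
        return ("fixed", None)
    later = [f for f in same_train if f > v]
    if later:
        return ("upgrade", format_version(later[0]))
    return ("newer-than-listed", None)


def triage(inventory):
    """Run assess() over {hostname: version} and group hosts by status."""
    report = {}
    for host, version in inventory.items():
        status, target = assess(version)
        report.setdefault(status, []).append((host, target))
    return report


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "mgr-01": "20.12.6.1",
    "mgr-02": "26.1.2.0",
    "mgr-03": "20.15.5.0",
    "mgr-04": "20.14.1.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status)
        for host, target in hosts:
            print(f"  {host}" + (f" -> upgrade to {target}" if target else ""))
```

Where a train lists two fixes (20.15.4.5 and 20.15.5.3), the checker recommends the nearest one at or above the running version; that is a convenience, and either listed release satisfies the advice above.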

Run request admin-tech on all control-plane components for forensic log collection. Restrict SSH access to trusted IP ranges. Contact Cisco TAC immediately if compromise indicators are found. Consult the Cisco Catalyst SD-WAN Hardening Guide for layered defense recommendations.

The Bigger Picture

Google Threat Intelligence Group (GTIG), tracking this campaign alongside Mandiant, notes a consistent year-over-year rise in zero-day exploitation of edge network devices by nation-state actors. This three-CVE arc against Cisco’s SD-WAN management plane is characterized as a structural attack pattern, not an isolated incident. SD-WAN infrastructure serves as the central nervous system of enterprise connectivity — its compromise enables persistent, high-impact access with limited defender visibility.
