Sophia
Hart

CVE-2026-20245: Cisco SD-WAN Zero-Day Attacks Gained Root Access

Sophia Hart

Jun 29, 2026

7 min read

cve-2026-20245

TL; DR

  • Mandiant observed exploitation of CVE-2026-20245 against Cisco Catalyst SD-WAN Manager after unauthorized SD-WAN peering and administrative access.
  • The flaw allowed an authenticated local attacker with netadmin privileges to execute commands as root by supplying a crafted file through the CLI.
  • The attacker used a malicious CSV upload to create a root-level account named troot, then removed the account, payloads and temporary files.
  • Security teams should collect diagnostics before upgrading, review peering and admin activity, and assess possible exposure of configuration data or certificates.

CVE-2026-20245 has moved from a Cisco advisory entry to a clearer incident story. Mandiant’s latest analysis shows how attackers moved from unauthorized SD-WAN peering and administrative access to root-level control on Cisco Catalyst SD-WAN Manager using a crafted tenant-upload file and cleanup routines.

Cisco had already warned that the high-severity flaw was exploited in a limited number of attacks, released fixed software, and stated that no workarounds address the vulnerability. Mandiant’s report adds the operational detail: the vulnerability was not the first step. It was used after the attacker had access to SD-WAN Manager and could execute the vulnerable command-line workflow.

That distinction matters. This was not only a patching issue. It was also a control-plane trust issue involving peering history, administrator accounts, device configuration data, and anti-forensic behavior that could reduce visibility after compromise.

Detect and contain threats using Hexnode XDR

What the Disclosure Changes

The latest reporting gives defenders a more useful sequence than the advisory alone. Cisco disclosed a command-injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, Controller, and Validator. Mandiant’s findings show how that weakness fits into a broader intrusion against SD-WAN infrastructure at a service provider.

Key details changed the response picture:

  • The observed activity included rogue peering before the CVE-2026-20245 exploitation.
  • Mandiant saw unauthorized peering connections and later SSH authentication to SD-WAN Manager using the vmanage-admin account.
  • The attacker changed the default admin account password, accessed the web interface, and extracted SD-WAN configuration data.
  • Mandiant noted that unauthorized peering from late 2025 to January 2026 may have involved CVE-2026-20127 or CVE-2026-20182.
  • Cisco told Mandiant the March connections did not use CVE-2026-20182 and could have involved certificate material stolen during a previous compromise of the same device.

That uncertainty should shape the response. Teams should avoid assuming that patching CVE-2026-20245 alone explains every unauthorized control-plane event.

How Root Access Was Reached

The exploit path centered on a tenant-upload function in the Cisco Catalyst SD-WAN command-line interface. After the attacker had administrative access, Mandiant observed the use of a crafted CSV file named evil_tenant.csv.

The root-access sequence followed a clear pattern:

  • The crafted CSV file triggered command injection during processing.
  • The payload backed up sensitive files, including /etc/passwd and /etc/shadow.
  • The attacker appended entries that created a root-privileged account named troot.
  • Mandiant reported that the attacker used su to switch from the compromised administrative account to the rogue root account.
  • The activity gave the attacker root-level access on the affected SD-WAN Manager device.

This is the core Cisco Catalyst SD-WAN root access risk. Once root access is reached on a controller-class device, the concern extends beyond the appliance itself. SD-WAN control components may hold configuration, templates, edge relationships, and certificate-based trust context.

Why the Control Plane Became the Target

The incident highlights a broader SD-WAN security problem: centralized orchestration creates high operational value for defenders and high strategic value for attackers.

A compromised SD-WAN control plane may expose:

  • device inventory and controller relationships
  • branch connectivity context
  • edge-device and template configuration
  • certificate or trust relationships between components
  • information that could support follow-on activity

Traffic interception or broad network manipulation has not been publicly confirmed in this disclosure. Confirmed concerns include root access, SD-WAN configuration extraction, anti-forensic cleanup, and, in limited Cisco-observed cases, configuration changes pushed to edge devices.

The reported behavior also shows operational discipline. Mandiant said the attacker restored modified values, deleted malicious files, removed traces of the rogue account, and executed validation logic to confirm that visible indicators had been cleared. That makes timeline reconstruction harder and increases the importance of preserved diagnostics, peering records, and authentication logs.

Exposure Signals Security Teams Should Prioritize

Signal to Review Why It Matters What to Verify
Unauthorized peering events May indicate abnormal trust relationships in the SD-WAN fabric Source IPs, timing, device identity, and certificate use
vmanage-admin SSH activity Mandiant observed that this account was used during access External origins, unusual login times, and session history
Admin password changes Attackers reportedly changed and restored account credentials Rapid password changes, password-change history, and account audit records
Tenant-upload command execution CVE-2026-20245 was exploited through this workflow CLI history, script logs, and references to crafted CSV uploads
troot or root-level account traces Mandiant observed the creation of a rogue root account /etc/passwd, /etc/shadow, backups, and forensic remnants
Deleted temporary files Cleanup may remove obvious indicators Diagnostic bundles, recovered remnants, and preserved logs

What Teams Should Verify Beyond the Patch

Security teams must patch affected systems and conduct a broader exposure review. Cisco released software updates and stated that no workarounds address the vulnerability.

Security teams should prioritize four actions:

  • Upgrade affected Cisco Catalyst SD-WAN Manager, Controller, and Validator components, then verify edge-device configurations where teams suspect exposure.
  • Collect admin-tech diagnostics and retain relevant logs before upgrading.
  • Hunt against the tactics, techniques, and indicators described by Mandiant.
  • Escalate suspicious findings to Cisco TAC for admin-tech assessment and involve an incident-response team for deeper forensic investigation where needed.

Credential and certificate review should not be treated as optional. Mandiant’s reporting leaves open the possibility that stolen certificate material may have supported some peering activity. Teams should assess possible exposure of SD-WAN certificates, administrator credentials, templates, or device configuration data, then rotate or reissue trust material where the investigation supports it.

The Cybersecurity Blueprint Mitre Attack Framework
Featured resource

The Cybersecurity Blueprint

A practical blueprint for choosing and implementing the right cybersecurity strategy for your business.

DOWNLOAD

Where Hexnode Fits After SD-WAN Exposure

This is not a direct detection story for Hexnode. The primary activity occurred on Cisco SD-WAN infrastructure and requires Cisco logs, SD-WAN diagnostics, SIEM data, and network telemetry for investigation.

Hexnode UEM can help teams:

  • Use Hexnode UEM device reports and inventory data to identify managed administrator endpoints for post-incident review.
  • Review compliance status across privileged workstations
  • Enforce security policies on devices used for network administration
  • Maintain endpoint inventory and update posture
  • Execute supported remote actions on managed noncompliant administrator endpoints

Hexnode XDR can help teams:

  • Review endpoint posture and agent status on managed Windows endpoints
  • Investigate endpoint incidents and security events on managed administrator workstations
  • Check endpoint action history during post-exposure review
  • Query endpoint telemetry in Hexnode XDR to analyze suspicious activity on managed Windows devices.
  • Verify security policy deployment status across relevant endpoint groups

Conclusion

CVE-2026-20245 shows why security teams must treat SD-WAN controllers as critical control-plane assets, not ordinary infrastructure appliances. Root-level access, rogue peering, and anti-forensic cleanup can leave teams questioning network trust even after they update the vulnerable software.

Security teams should preserve diagnostics, retain relevant logs, upgrade affected systems, validate peering history, review administrator access, rotate exposed trust material where needed, and improve visibility across endpoints used to manage SD-WAN environments.

FAQs

Cisco describes CVE-2026-20245 as requiring authenticated local access. Mandiant reported that the attacker used it after gaining access to affected SD-WAN devices.

Mandiant reported the extraction of configuration information for edge devices, controllers, and templates. Organizations should assess possible exposure of configuration data, administrator credentials, or certificate material in their environment.

Yes. Mandiant published indicators and hunting guidance, including network indicators, file artifacts, and log patterns. Teams should validate indicators against their own SD-WAN topology to reduce false positives.

Share

Sophia Hart

A storyteller for practical people. Breaks down complicated topics into steps, trade-offs, and clear next actions—without the buzzword fog. Known to replace fluff with facts, sharpen the message, and keep things readable—politely.