Hackers Exploiting Cisco Catalyst SD-WAN Manager 0-Day Flaw to Gain Root-Level Access

Jun 24, 2026

A sophisticated threat actor is actively targeting SD-WAN infrastructure at a major service provider. The campaign culminated in the exploitation of a zero-day privilege escalation vulnerability, now tracked as CVE-2026-20245 (CVSS 7.8), in Cisco Catalyst SD-WAN Manager, enabling attackers to silently escalate from a compromised administrative account to full root-level access.

CVE-2026-20245 resides in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers and is classified as CWE-116 (Improper Encoding or Escaping of Output).

The flaw stems from the device’s file upload feature failing to properly validate or filter user-supplied input before it is processed by privileged shell helpers. An authenticated attacker with netadmin-level privileges can upload a specially crafted CSV file, triggering command injection and achieving arbitrary command execution as root.
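The injection pattern described above, as an added illustration that is not Cisco's code and not the actor's payload: a privileged helper that interpolates CSV fields into a shell command line, beside a hardened version that allow-lists each field and passes an argv list instead of a shell string. The helper path, the CSV columns and the sample rows are constructed for the example; the second row shows how a single field can smuggle extra commands past a `sh -c` style helper.

```python
"""Added example: unfiltered CSV fields reaching a privileged shell helper
(the CWE-116 / command-injection pattern), next to a hardened import.
Constructed; not Cisco code and not the real evil_tenant.csv payload."""
import csv
import io
import re
import shlex

# Hypothetical root-owned helper; stands in for whatever processed the
# tenant list on the appliance.
HELPER = "/usr/local/sbin/tenant-helper"

# Constructed CSV: row 2 carries shell metacharacters in the tenant name.
SAMPLE_CSV = (
    "tenant_name,org_name\n"
    "acme,Acme Corp\n"
    "evil; /usr/sbin/useradd -o -u 0 troot; echo done,x\n"
)

# Allow-list for both fields: alphanumerics plus space . _ - only.
SAFE_FIELD = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$")


def vulnerable_import(csv_text):
    """Return the command strings a naive helper would hand to `sh -c`.
    Fields are pasted straight into the command line, so a row can carry
    additional commands. (Returned, not executed, so the demo is harmless.)"""
    cmds = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmds.append(f"{HELPER} add {row['tenant_name']} '{row['org_name']}'")
    return cmds


def hardened_import(csv_text):
    """Validate every field against the allow-list and return argv lists.
    subprocess.run(argv) with shell=False passes each element as exactly one
    argument, so metacharacters are inert even if the allow-list were wider."""
    argvs = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), 2):
        for key in ("tenant_name", "org_name"):
            value = row.get(key) or ""
            if not SAFE_FIELD.match(value):
                raise ValueError(f"line {lineno}: rejected {key}={value!r}")
        argvs.append([HELPER, "add", row["tenant_name"], row["org_name"]])
    return argvs


def shell_would_run(cmd):
    """Tokenise a command string the way sh does and split it on the control
    operators ; && || |, returning the separate commands it would execute."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for cmd in vulnerable_import(SAMPLE_CSV):
        print(len(shell_would_run(cmd)), "command(s):", shell_would_run(cmd))
    try:
        hardened_import(SAMPLE_CSV)
    except ValueError as err:
        print("hardened import refused:", err)
```

Running it shows the first row producing one command and the crafted row producing three (the helper call, a `useradd` with `-o -u 0`, and an `echo`), while `hardened_import` rejects the same CSV at the validation step before anything reaches a shell.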

The vulnerability affects all deployment types, including On-Prem, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP government environments.

The intrusion unfolded in two distinct phases. From late 2025 to January 2026, Mandiant observed multiple unauthorized peering connections to the victim’s SD-WAN Manager devices, likely exploiting the companion authentication bypass flaws CVE-2026-20127 (CVSS 10.0) and CVE-2026-20182 (CVSS 10.0), both of which allow unauthenticated remote attackers to obtain administrative privileges. These vulnerabilities were undisclosed and unpatched during this window, providing the threat actor an unchallenged entry point.

Beginning in March 2026, the threat actor established fresh rogue peer connections and authenticated to SD-WAN Manager via SSH using the vmanage-admin default account.

Once inside, they changed the default admin account password, logged directly into the SD-WAN Manager web interface, and exfiltrated device configurations, including edge device templates and running configurations.

Critically, the password was then reverted to its original state to avoid triggering administrator suspicion during routine operations.

Zero-Day Exploitation via Malicious CSV Upload

After establishing an SSH session with the admin account, the attacker executed a targeted file upload command to deliver a file named evil_tenant.csv.

The exploit payload embedded within this file manipulated the system’s /etc/passwd and /etc/shadow files, injecting a new user account named troot with full UID 0 root privileges. The threat actor then escalated to this account via the su (substitute user) command, achieving complete control of the management plane.

To maintain operational security, the threat actor executed a validation script to systematically verify and purge all forensic artifacts. This included deleting evil_tenant.csv, restoring the original vbond_vsmart_tenant_list configuration, reverting /etc/passwd and /etc/shadow to their backed-up states, and confirming the removal of the troot account: a methodical cleanup designed to eliminate all indicators of compromise.
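An added example (not Cisco code, not the actor's script) of the check a responder would run against the two files the actor modified: parse /etc/passwd and /etc/shadow, flag any UID 0 or GID 0 account other than root, flag passwd/shadow inconsistencies, and diff two snapshots to list added or removed accounts. The file contents and the hash strings are constructed placeholders.

```python
"""Added example: audit a passwd/shadow pair for the tampering pattern
described above (an extra UID 0 account such as troot). Constructed sample
data; not Cisco code and not the actor's payload."""

# Constructed snapshot of both files while the injected account is present.
# Hash fields are placeholders, not real password hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$placeholder$placeholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
vmanage-admin:$6$placeholder$placeholder:19000:0:99999:7:::
troot:$6$placeholder$placeholder:20538:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {account_name: fields} for a colon-separated account file,
    skipping blank lines. Malformed rows are kept so the auditor can report them."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return (account, reason) findings for the two files."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for name, f in passwd.items():
        if len(f) != 7:
            findings.append((name, "malformed passwd entry"))
            continue
        uid, gid = f[2], f[3]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if gid == "0" and name != "root":
            findings.append((name, "primary group 0 on non-root account"))
        if f[1] == "x" and name not in shadow:
            findings.append((name, "passwd says shadowed but no shadow entry"))
        if f[1] not in ("x", "*", "!"):
            findings.append((name, "password hash stored in passwd, not shadow"))
    for name, f in shadow.items():
        if name not in passwd:
            findings.append((name, "shadow entry with no passwd entry"))
        elif len(f) > 1 and f[1] == "":
            findings.append((name, "empty password field (login without password)"))
    return findings


def diff_entries(before_text, after_text):
    """Account names added to and removed from a file between two snapshots."""
    before = set(parse_colon_file(before_text))
    after = set(parse_colon_file(after_text))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {reason}")
```

Because the actor restored both files from backups before leaving, the live system will audit clean after the cleanup; run this against historical copies (an earlier admin-tech bundle, configuration backups, forensic images) and treat the log evidence of the upload and the `su` as primary, not the current file state.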

Mitigations

Organizations running Cisco Catalyst SD-WAN Manager should act immediately:

  • Upgrade immediately to fixed releases: versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later.
  • Run request admin-tech on all control-plane components to collect logs and perform IOC sweeps.
  • Review /var/log/scripts.log for suspicious file upload commands or unauthorized configuration changes.
  • Contact Cisco TAC immediately if any confirmed indicators of compromise are identified.
  • Follow the Cisco Catalyst SD-WAN Hardening Guide for defense-in-depth across management, control, and data planes.

This campaign exemplifies the “living off the edge” paradigm increasingly favored by state-sponsored actors targeting network appliances that function as black boxes with limited telemetry, while serving as the central nervous system of enterprise connectivity.

Google Threat Intelligence Group (GTIG) has tracked a consistent year-over-year rise in zero-day exploitation of edge devices, and this three-CVE arc against Cisco SD-WAN’s management plane represents a structural failure, not an isolated bug.

Organizations operating distributed SD-WAN environments must treat the management plane as a Tier-1 attack surface and enforce strict access controls, continuous monitoring, and an aggressive patching cadence.

IoCs

Description                                                          Indicator
IP address connecting as rogue device and exploiting CVE-2026-20245  126.51.108[.]152
IP address connecting as rogue device                                76.92.245[.]217
IP address connecting as rogue device                                207.190.37[.]94
IP address connecting as rogue device                                23.245.7[.]178
IP address connecting as rogue device                                153.186.231[.]233
IP address connecting as rogue device                                167.179.79[.]189
IP address connecting as rogue device                                45.32.38[.]160
IP address connecting as rogue device                                209.137.225[.]101
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
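Pulling the mitigation steps (review of /var/log/scripts.log for file upload commands) and the IoC table together, an added example that is neither Cisco's nor the source's: a sweep that flags the behaviours in the intrusion narrative (file uploads, CSV delivery, `su` to another account, edits to /etc/passwd or /etc/shadow) and correlates any IP in a line with the defanged indicators above. The log line layout is constructed for the example; it does not reproduce the real scripts.log format, which is why the matching works on free text rather than fixed columns.

```python
"""Added example: sweep log text for post-exploitation behaviour described
above and correlate source IPs with the defanged IoC list. The sample log
layout is constructed, not the real /var/log/scripts.log format."""
import ipaddress
import re

# Indicators from the table above, kept defanged in the source file.
DEFANGED_IOCS = [
    "126.51.108[.]152", "76.92.245[.]217", "207.190.37[.]94",
    "23.245.7[.]178", "153.186.231[.]233", "167.179.79[.]189",
    "45.32.38[.]160", "209.137.225[.]101",
]


def refang(indicator):
    """Undo the [.] / (.) defanging so an indicator can be compared with
    what logs actually contain."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}

# Behaviours from the intrusion narrative, as regexes over a whole line.
SUSPICIOUS = {
    "file upload": re.compile(r"file[-_ ]?upload", re.I),
    "csv delivered": re.compile(r"\.csv\b", re.I),
    "su to another account": re.compile(r"\bsu\s+(?:-\s+)?\S+"),
    "passwd/shadow touched": re.compile(r"/etc/(?:passwd|shadow)\b"),
    "password change": re.compile(r"password", re.I),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines (format assumed): timestamp, user, source, action.
SAMPLE_LOG = """\
2026-03-02T04:11:52Z vmanage-admin 126.51.108.152 request nms file-upload evil_tenant.csv
2026-03-02T04:12:10Z vmanage-admin 126.51.108.152 shell: su troot
2026-03-02T04:13:03Z netadmin 10.20.30.40 request admin-tech
2026-03-02T04:20:41Z vmanage-admin 126.51.108.152 shell: cp /etc/passwd.bak /etc/passwd
2026-03-02T09:02:15Z netadmin 10.20.30.41 file-upload quarterly_sites.csv
"""


def sweep(log_text, ioc_ips=IOC_IPS):
    """Return one finding per line that shows a suspicious behaviour or a
    source IP on the IoC list: {"line", "reasons", "ioc", "text"}."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        reasons = [label for label, rx in SUSPICIOUS.items() if rx.search(line)]
        ips = set()
        for candidate in IPV4.findall(line):
            try:
                ips.add(ipaddress.ip_address(candidate))
            except ValueError:  # e.g. 999.1.1.1 matched the loose regex
                pass
        hits = sorted(str(ip) for ip in ips & ioc_ips)
        if hits:
            reasons.append("source matches IoC list")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons,
                             "ioc": hits, "text": line})
    return findings


def triage(findings):
    """Order findings for review: IoC hits first, then by number of reasons."""
    return sorted(findings, key=lambda f: (not f["ioc"], -len(f["reasons"])))


if __name__ == "__main__":
    for f in triage(sweep(SAMPLE_LOG)):
        print(f"line {f['line']}: {', '.join(f['reasons'])} | {f['text']}")
```

On the sample, the upload, the `su troot` and the passwd restore from the IoC address sort to the top, the routine admin-tech collection is not flagged at all, and the later CSV upload by netadmin from an internal address is listed but ranked last, which is the distinction an analyst wants before escalating to TAC.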

Source: CybersecurityNews.com
