Lab Journal / 2026-07-14
Cisco SD-WAN Manager zero-day enabled root escalation
Analysis of CVE-2026-20245 exploitation, rogue peering, configuration theft, and anti-forensic cleanup on an enterprise network control plane.
- Published
- 2026-07-14
- Reading time
- 4 min read
- Topics
- threat-intelligence / active-exploitation / network / vulnerability-research / defense-evasion
Cisco SD-WAN Manager zero-day enabled root escalation
Mandiant reports that a threat actor exploited CVE-2026-20245 in Cisco Catalyst SD-WAN Manager during a service-provider intrusion in early 2026. The actor entered through an already compromised administrative context, uploaded a crafted CSV file, and gained root-level access. The same investigation found unauthorized peering, configuration extraction, default-account password manipulation, and deliberate restoration or deletion of modified files [source-d2fd2edad7ca639d].
The target was an enterprise network control plane. SD-WAN Manager coordinates distributed routers, trust relationships, and secure tunnels. Access at this layer can provide configuration intelligence and a position outside much of the endpoint telemetry used for routine investigations [source-d2fd2edad7ca639d].
Evidence from the intrusion
Mandiant observed unauthorized peering connections from late 2025 into January 2026. The source says those connections might have involved two separate authentication-bypass vulnerabilities, CVE-2026-20127 or CVE-2026-20182, but neither exploitation path was confirmed. New rogue peering appeared in March on a version unaffected by CVE-2026-20127, and Cisco confirmed that activity did not exploit CVE-2026-20182. Stolen certificate material from an earlier compromise remained a possible explanation. The report also leaves open whether the earlier and March activity came from the same actor [source-d2fd2edad7ca639d].
In March, the actor authenticated over SSH as vmanage-admin, changed the default admin account password, entered the web interface, and retrieved device and running-configuration data. The actor later restored the original password before ending the session, reducing the chance that routine administrator access would expose the change [source-d2fd2edad7ca639d].
In April, the actor used the admin SSH session to execute a tenant-list upload with a crafted CSV file. CVE-2026-20245 allowed the file contents to append entries to /etc/passwd and /etc/shadow, creating a troot account with root privileges. Mandiant then observed a successful su transition from admin to that account [source-d2fd2edad7ca639d].
Cleanup was part of the operation
The actor backed up configuration and account files before modifying them, then removed the malicious CSV and restored altered system state. A validation script checked whether the upload, backups, root account, and modified tenant-list file were still present. This behavior indicates that file absence alone cannot close an investigation. Authentication logs, script logs, rollback data, command history, diagnostic archives, and off-device log forwarding are more durable evidence sources [source-d2fd2edad7ca639d].
The behavior supports Exploitation for Privilege Escalation (T1068), Account Manipulation (T1098), Create Account: Local Account (T1136.001), Indicator Removal: File Deletion (T1070.004), and Network Device Configuration Discovery (T1016.001). These mappings are analyst mappings to the reported actions. The source directly establishes the actions, while the ATT&CK labels provide a defensive classification.
Patching and telemetry priorities
The source identifies fixed Cisco Catalyst SD-WAN Manager releases as 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later. Operators should validate current Cisco guidance for their supported train through established patch-management channels and preserve diagnostic data before remediation when compromise is suspected [source-d2fd2edad7ca639d].
Defenders should review /var/log/auth.log for unexpected external SSH access to default administrative accounts, password changes followed by restoration, and successful su events into unauthorized users. Cisco rollback files under /var/confd/rollback/ can retain configuration deltas involving account passwords. /var/log/scripts.log and Viptela CLI history can expose tenant-list uploads even when the payload is later deleted [source-d2fd2edad7ca639d].
The included Sigma rule is a portable starting point for normalized copies of the reported script-log event. It looks for the tenant-list upload script, a CLI-supplied path, and VPN arguments in the same message. Legitimate administrative uploads can match. Triage must confirm the initiating account, file origin, change approval, adjacent SSH activity, password changes, and evidence of root-account creation.
Limitations
The bundle contains one original incident-response source. It directly supports exploitation of CVE-2026-20245 in the investigated environment, but it does not prove the initial access method or common ownership of every rogue peering event. The report includes infrastructure and file indicators without precise observation dates for each value, so they are omitted from this publication and no time-bound indicator hunt is supplied. The Sigma rule depends on collection and normalization of device script logs; environments without that telemetry will need device-native review.
Source
- Mandiant and Google Threat Intelligence Group, "Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager," published 24 June 2026 [source-d2fd2edad7ca639d].
Detection artifacts
Sources
Evidence register- source-d2fd2edad7ca639dZero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Managerresearch