Intelligence / TIPublic intelligence

Cisco SD-WAN Manager zero-day enabled root escalation

CVE-2026-20245 exploitation, root-account creation, cleanup activity, and review guidance for Cisco Catalyst SD-WAN environments.

Published
2026-07-14
Reading time
4 min read

Operational layer / Use first

Detection & hunt kit

Deployable logic, required telemetry, and review state. Expand an artifact without leaving the intelligence report.

01 / DetectionCisco SD-WAN Tenant List Upload from a CLI PathDetects the Cisco SD-WAN tenant-list upload script receiving a CLI file path and VPN argument, an event observed during exploitation of CVE-2026-20245.high / experimentalView detailsMinimize
Use
Detection
Confidence state
experimental
Priority
high
ATT&CK
T1068

Required telemetry

product
linux
service
syslog
Sigma sourceInline / YAML
title: Cisco SD-WAN Tenant List Upload from a CLI Path
id: 2fc248b2-0829-4d0d-be9d-62b07472f709
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Detects the Cisco SD-WAN tenant-list upload script receiving a CLI file path and VPN argument, an event observed during exploitation of CVE-2026-20245.
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager/
logsource:
  product: linux
  service: syslog
detection:
  selection:
    message|contains|all:
      - 'vconfd_script_upload_tenant_list.sh'
      - '-cli path'
      - 'vpn'
  condition: selection
falsepositives:
  - Authorized Cisco SD-WAN tenant-list administration using a reviewed local file
level: high
tags:
  - attack.privilege-escalation
  - attack.t1068
telemetry_assumptions:
  - Cisco SD-WAN script logs are forwarded off-device and normalized into a message field.
  - Authentication, rollback, and command-history data are retained for validation.
related_publication: cisco-sd-wan-manager-zero-day-root-escalation
02 / Threat huntCisco SD-WAN Manager Post-Exploitation ActivityHunts Cisco SD-WAN Manager logs for privilege changes, rogue peering, configuration access, and cleanup behavior reported around exploitation of CVE-2026-20245.medium / experimentalView detailsMinimize
Use
Threat hunt
Confidence state
experimental
Priority
medium
Review after
2026-08-13

Required telemetry

product
cisco
service
sd_wan

ATT&CK / T1136.001 / T1552.004 / T1070

Sigma sourceInline / YAML
title: Cisco SD-WAN Manager Post-Exploitation Activity
id: 65669fac-243d-449c-89c7-defdb087a8d8
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Hunts Cisco SD-WAN Manager logs for privilege changes, rogue peering, configuration access, and cleanup behavior reported around exploitation of CVE-2026-20245.
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager/
  - https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/226014-remediate-catalyst-sd-wan-security.html
logsource:
  product: cisco
  service: sd_wan
detection:
  selection_root_account:
    message|contains|all:
      - 'troot'
      - 'root'
  selection_privilege_change:
    message|contains|all:
      - 'su'
      - 'admin'
  selection_default_account_change:
    message|contains|all:
      - 'admin'
      - 'password'
  selection_configuration_access:
    message|contains:
      - 'attached-template'
      - 'running-configuration'
      - 'device configuration'
      - 'controller details'
  selection_rogue_peering:
    message|contains:
      - 'unauthorized peering'
      - 'rogue peering'
      - 'certificate authentication'
  selection_cleanup:
    message|contains:
      - '/etc/passwd'
      - '/etc/shadow'
      - 'tenant-list configuration'
      - 'restore'
  condition: 1 of selection_*
falsepositives:
  - Authorized password changes, privilege checks, configuration exports, certificate operations, or tenant administration
  - Cisco TAC diagnostics and admin-tech collection during an approved investigation
  - Planned rollback or restoration activity recorded during maintenance
level: medium
tags:
  - attack.privilege-escalation
  - attack.t1136.001
  - attack.collection
  - attack.t1552.004
  - attack.defense-evasion
  - attack.t1070
telemetry_assumptions:
  - Authentication, script, rollback, web, API, command-history, peering, and configuration logs are forwarded off-device into a searchable message field.
  - Analysts correlate matches by account, session, device, and change window instead of treating one message as confirmed exploitation.
  - Vendor-native fields should replace the generic message field only after local mapping and validation.
related_publication: cisco-sd-wan-manager-zero-day-root-escalation

Analysis

CVE-2026-20245 allows an authenticated administrator to gain root access on Cisco Catalyst SD-WAN Manager. Mandiant identified exploitation of the vulnerability during an investigation at a service provider in early 2026. The actor had already reached the SD-WAN environment before using the zero-day, then created a root account, collected configuration data, and removed evidence from the appliance.

How the actor reached the manager

The earliest activity involved unauthorized peering connections between late 2025 and January 2026. Mandiant considered CVE-2026-20127 and CVE-2026-20182 as possible access paths, but could not confirm either vulnerability in those connections.

Further rogue peering appeared in March. The affected release was not vulnerable to CVE-2026-20127, and Cisco confirmed that CVE-2026-20182 was not used. Mandiant reported that certificate material stolen during an earlier compromise could have enabled the connection. The available evidence does not establish whether one actor conducted both sets of peering activity.

During the March intrusion, the actor connected over SSH with the default vmanage-admin account and changed the password for the default admin account. The new credentials provided access to the SD-WAN Manager web interface. Requests from that session retrieved device and controller details and attached-template configuration. An attempt to retrieve running-configuration data returned an HTTP 400 response.

Before ending the session, the actor restored the original admin password. This administrative access provided the starting point for the later exploitation of CVE-2026-20245. The public reporting does not identify the original source of the credentials or certificate material.

How CVE-2026-20245 produced root access

The actor returned in April through an admin SSH session. From the SD-WAN Manager command line, the actor called the tenant-list upload function with a crafted CSV file. The vulnerable function processed content that appended entries to /etc/passwd and /etc/shadow, creating a user named troot with root privileges. Mandiant then observed a successful su from admin to troot.

Before making the changes, the actor copied the existing tenant-list configuration and backed up the password and shadow files.

SD-WAN Manager stores information about the fabric, its devices, and their configuration. The actor accessed configuration data during the intrusion. Cisco advises organizations investigating suspected compromise to examine every control component and relevant edge-device configuration.

What the actor removed and restored

After gaining root, the actor deleted the crafted CSV and other files created during exploitation, then restored the tenant-list configuration, /etc/passwd, and /etc/shadow. The actor also ran a validation script that checked whether the upload, backup files, troot account, and tenant-list file remained on the system.

These actions can leave the current filesystem looking unchanged. Authentication logs, script logs, configuration rollback records, web requests, command history, diagnostic archives, and logs forwarded from the appliance may still record the activity.

Logs and review points

Review /var/log/auth.log for external SSH access to default administrative accounts, password changes followed by restoration, and successful su events involving unapproved users. Files under /var/confd/rollback/ may contain configuration changes involving account passwords. Web and API logs can show device, controller, and configuration requests made during an administrative session.

Execution of the tenant-list upload script can appear in /var/log/scripts.log with a CLI-supplied file path and VPN arguments. Cisco notes that administrators also use the underlying command for legitimate work. Review the path, initiating account, approved change record, nearby authentication events, and role of the affected device before treating a match as exploitation.

The included Sigma rule detects this script-log pattern when appliance logs are forwarded and normalized into a searchable message field. It provides a review point for suspicious tenant-list uploads. Confirmation still requires supporting authentication, account, and filesystem evidence.

The accompanying experimental hunt searches the wider device-log record for root-account or privilege changes, default-account password activity, configuration access, rogue peering, and cleanup. The selections use a generic message field because public reporting does not define a reusable vendor schema. Analysts must map the terms to local device fields and correlate them by account, session, device, and approved change window.

Remediation

Cisco has released fixed versions across the supported trains, including 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. No workaround is available for CVE-2026-20245.

When compromise is suspected, Cisco recommends collecting admin-tech data from all control components before making changes. This includes managers, controllers, validators, cluster members, and disaster-recovery peers. Cisco TAC can review the resulting collections.

After evidence collection, upgrade affected systems to a fixed release. The investigation should also cover administrative credentials, certificates, trust relationships, fabric configuration, and changes sent to edge devices. This review establishes whether the actor retained another route into the environment or used the access to modify the wider fabric.

Scope and limitations

The published investigation confirms exploitation of CVE-2026-20245, creation of the troot account, access to configuration data, and cleanup on the investigated system. The initial compromise path and the relationship between the separate rogue peering events remain unconfirmed.

The public infrastructure and file indicators lack a precise observation date for every value, so they are excluded from the detection content. The Sigma rule also depends on script-log collection and field normalization. Environments without forwarded appliance logs will need device-native review and preserved admin-tech data to investigate the activity.

Sources

Evidence register
  1. Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Managerresearch
  2. Remediate Catalyst SD-WAN Security Advisory - June 2026primary