Zero-Day CVE-2026-20245 Exploited in Cisco Catalyst SD-WAN Manager for Root Access Escalation
A newly identified zero-day vulnerability, designated CVE-2026-20245, has been exploited by malicious actors targeting the Cisco Catalyst SD-WAN Manager. This vulnerability arises from a flaw in the platform’s file upload functionality, allowing attackers to escalate privileges from a compromised administrative account to root access. The attackers employed sophisticated anti-forensic techniques to erase traces of their intrusion, raising significant concerns about the security of network management systems.
Exploitation of Cisco Catalyst SD-WAN Manager
Mandiant’s investigation revealed that the threat actor initially established unauthorized peering connections before gaining access to the Cisco Catalyst SD-WAN Manager via SSH. In March 2026, the attacker authenticated using the default vmanage-admin account, subsequently changing the default password and logging into the web interface. This access enabled the exfiltration of critical SD-WAN fabric configurations, including device, controller, and template information.
To minimize detection, the attacker restored the original password after making changes. Researchers noted that neither the vmanage-admin nor the admin accounts provided root shell access. This limitation prompted the exploitation of CVE-2026-20245 for privilege escalation.
Mechanism of the Attack: Malicious CSV Upload
The vulnerability exists due to the Cisco Catalyst SD-WAN Manager’s failure to adequately filter malicious data uploaded through its tenant file upload feature. The threat actor exploited CVE-2026-20245 by uploading a specially crafted file named evil_tenant.csv using the command:
request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0
This vulnerability affects the command-line interface of Cisco Catalyst SD-WAN Controllers, allowing an authenticated local attacker to execute arbitrary commands as root through the crafted file. The malicious payload not only backed up configuration files but also preserved copies of /etc/passwd and /etc/shadow, and created a new root-level account named troot. Mandiant later observed the threat actor switching from the admin account to troot using the su command.
Preceding Rogue Peering Activity
Mandiant identified multiple unauthorized peering connections occurring between late 2025 and January 2026. Researchers suspect these activities may have exploited CVE-2026-20127 or CVE-2026-20182, two critical vulnerabilities affecting peering authentication that enable remote attackers to bypass authentication and gain administrative privileges.
Further rogue peering activity in March 2026 targeted software versions that were not vulnerable to CVE-2026-20127. Cisco confirmed that this activity did not rely on CVE-2026-20182, suggesting that the threat actor may have reused stolen certificate material from an earlier compromise. Mandiant has not yet determined whether the same group conducted both campaigns.
To cover their tracks, the threat actor deleted the evil_tenant.csv file, restored modified configuration files, removed temporary artifacts, and executed a validation script to ensure that malicious files, the troot account, and altered configuration files had been removed or restored.
Implications and Mitigation Strategies
Mandiant’s findings highlight a growing trend termed “living off the edge,” where attackers target network appliances that often lack detailed forensic visibility while providing centralized control over enterprise environments. These platforms remain attractive to state-sponsored actors seeking long-term intelligence collection.
Organizations are advised to collect diagnostic logs using the request admin-tech command, investigate any indicators of compromise, and report confirmed incidents to Cisco TAC. Cisco recommends upgrading the Cisco Catalyst SD-WAN Manager to versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later to remediate CVE-2026-20245 and to follow its SD-WAN hardening guidance.
Indicators of compromise include the malicious evil_tenant.csv file with a SHA-256 hash of b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b and rogue IP addresses such as 126.51.108[.]152, 76.92.245[.]217, 207.190.37[.]94, 23.245.7[.]178, 153.186.231[.]233, 167.179.79[.]189, 45.32.38[.]160, and 209.137.225[.]101.
Google SecOps has also released detections covering behaviors associated with the threat actor, while Mandiant acknowledged Cisco PSIRT for its collaboration during the coordinated disclosure process.
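As an added defensive example (not code from the report, Mandiant or Cisco), a small Python triage script that sweeps exported logs and an /etc/passwd dump for the indicators described above: the tenant-upload command carrying a CSV, a switch to the troot account, extra UID-0 users, the published SHA-256 of evil_tenant.csv, and the listed IPs. The sample log lines are constructed for illustration and their syslog-like shape is an assumption, not actual device output.

```python
import hashlib
import re

# Indicators as published in the report (IPs were de-fanged there with [.])
EVIL_CSV_SHA256 = "b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b"
ROGUE_IPS = {"126.51.108.152", "76.92.245.217", "207.190.37.94", "23.245.7.178",
             "153.186.231.233", "167.179.79.189", "45.32.38.160", "209.137.225.101"}
ROGUE_ACCOUNT = "troot"

# Behaviours from the report: a tenant-upload of a CSV, and su to the rogue account
TENANT_UPLOAD_RE = re.compile(r"request\s+tenant-upload\s+tenant-list\s+(\S+\.csv)")
SU_RE = re.compile(r"\bsu\b.*\b" + re.escape(ROGUE_ACCOUNT) + r"\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines):
    """Return (line_no, indicator, detail) tuples for lines matching the IoCs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = TENANT_UPLOAD_RE.search(line)
        if m:
            hits.append((n, "tenant-upload-csv", m.group(1)))
        if SU_RE.search(line):
            hits.append((n, "su-to-rogue-account", ROGUE_ACCOUNT))
        for ip in IP_RE.findall(line):
            if ip in ROGUE_IPS:
                hits.append((n, "rogue-ip", ip))
    return hits


def passwd_rogue_accounts(passwd_text):
    """Flag the troot account or any UID-0 user other than root in a passwd dump."""
    names = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and (fields[0] == ROGUE_ACCOUNT or (fields[2] == "0" and fields[0] != "root")):
            names.append(fields[0])
    return names


def file_matches_ioc(data: bytes) -> bool:
    """True if the file content hashes to the published evil_tenant.csv SHA-256."""
    return hashlib.sha256(data).hexdigest() == EVIL_CSV_SHA256


# Constructed sample input (hypothetical format, not real vManage output)
SAMPLE_LOG = [
    "Mar 11 02:14:09 vmanage sshd[4121]: Accepted password for vmanage-admin from 45.32.38.160 port 51022",
    "Mar 11 02:15:33 vmanage vshell: admin: request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0",
    "Mar 11 02:16:01 vmanage su[4200]: (to troot) admin on pts/1",
    "Mar 11 03:00:00 vmanage sshd[4301]: Accepted publickey for admin from 10.0.0.5 port 40010",
]
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nadmin:x:1000:1000::/home/admin:/bin/vshell\ntroot:x:0:0::/root:/bin/bash\n"
```

Because the actor restored files and deleted evil_tenant.csv, an empty sweep of the live system is not proof of absence; run it over the request admin-tech bundle and any retained logs as well.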
For further details, refer to the original reporting source: thecyberexpress.com.