Mandiant Exposes Cisco SD-WAN Zero-Day Attacks' Root Access Methods

CVE-2026-20245 — a high-severity command-injection flaw in Cisco Catalyst SD‑WAN — was used in active attacks that created a rogue root account and gave attackers full control of targeted devices.

How the vulnerability worked and what attackers did

The flaw tracked as CVE-2026-20245 affects Cisco Catalyst SD‑WAN Manager (vManage), Controller (vSmart), and Validator (vBond). Cisco attributed the root cause to insufficient validation of user-supplied input and warned the vulnerability could be exploited by an authenticated attacker with local access to affected devices. Mandiant reported that, in the observed intrusions, attackers exploited the issue through a tenant-upload feature in the SD‑WAN command-line interface (CLI).

According to Mandiant, the threat actor uploaded a malicious CSV file named "evil_tenant.csv." The payload backed up system configuration files — including /etc/passwd and /etc/shadow — then created a new account named "troot" with root-level privileges. The attackers used the Linux "su" command to switch from the compromised administrative account to the newly created root account and thereby obtained full control of the device.

Intrusion timeline: rogue peering, credential use, and quiet cleanup

Mandiant traces the intrusion activity to unauthorized SD‑WAN peering connections first observed on a service provider's infrastructure beginning in March 2026. The actor established new rogue peer connections and authenticated to affected SD‑WAN Manager devices using the vmanage-admin account. Once inside, the attackers changed the default admin account password, accessed the SD‑WAN Manager web interface, and extracted configuration information for edge devices, controllers, and SD‑WAN templates.

After completing their extraction and escalation steps, Mandiant notes the intruders restored the admin account to its original password — an action the researchers say was likely intended to reduce detection. They also deleted the malicious CSV payload, removed temporary files, and erased traces of the rogue root account. Mandiant observed execution of a validation script that confirmed traces of the compromise had been removed from the device.

Connection to earlier SD‑WAN flaws and a note about certificates

Mandiant believes the initial rogue peering may have been created by exploiting previously disclosed Cisco SD‑WAN authentication bypass zero-days, CVE-2026-20127 and CVE-2026-20182, though the exact method remains unclear. Cisco told Mandiant that the breach did not involve CVE-2026-20182 and suggested that attackers may have reused certificates stolen during an earlier compromise to regain access to devices.

Mandiant’s anti-forensic findings and published guidance

Mandiant highlighted the attackers’ heavy reliance on anti-forensic tactics: creating backups of configuration files before modification and restoring them after exploitation, deleting the uploaded malicious CSV, removing temporary artifacts, and running a validation script to ensure no remaining traces. Those procedures, Mandiant says, were used to hide the addition of the "troot" root account and other changes.

To help organizations determine whether they were affected, Mandiant published indicators of compromise (IoCs), attacker IP addresses, and guidance. The researchers recommended collecting diagnostic data from SD‑WAN devices and checking for signs of unauthorized peering connections.

What this means for service providers, enterprise security teams, and Cisco customers

  • Service providers: Review peering configurations and logs for unauthorized peer relationships, especially activity dating to March 2026 when Mandiant observed the first rogue peering.
  • Enterprise security teams: Collect diagnostic data from SD‑WAN appliances, search for the IoCs and attacker IPs published by Mandiant, and verify whether administrative account passwords or templates were changed or exfiltrated.
  • Cisco customers and procurement teams: Prioritize application of Cisco’s released security updates; Cisco stated no workarounds are available and urged customers to upgrade to fixed software versions.
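The checks above can be turned into a small triage script. The following is an added example written for this article, not Mandiant's or Cisco's tooling: it takes a passwd-style account snapshot, a simplified syslog-like authentication log and a peering inventory, all of which are constructed here for illustration and do not reproduce the real Cisco SD‑WAN file or log formats, and flags the three things the story says to look for: a second UID-0 account, the create/use/delete lifecycle of such an account together with an admin password that was changed and then changed back, and peers that are not on a known-good allowlist.

```python
"""Triage helpers for the detection steps the story recommends.

Added example, not Mandiant's or Cisco's tooling. Every input below is
constructed for illustration; the passwd snapshot, the auth-log lines and
the peering inventory are hypothetical, not real Cisco SD-WAN formats.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed passwd-style snapshot: one legitimate root entry, two
# administrative users, and a rogue second UID-0 account ("troot").
PASSWD_SNAPSHOT = """\
root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed, simplified auth-log lines (hypothetical format): root account
# created, used via su, admin password changed then changed back, account deleted.
AUTH_LOG = """\
2026-03-14T02:11:05Z sdwan-mgr useradd[4121]: new user: name=troot, UID=0, GID=0, home=/root, shell=/bin/bash
2026-03-14T02:11:40Z sdwan-mgr su[4150]: (to troot) admin on pts/0
2026-03-14T02:12:02Z sdwan-mgr passwd[4170]: password for 'admin' changed by 'troot'
2026-03-14T02:40:18Z sdwan-mgr passwd[4301]: password for 'admin' changed by 'troot'
2026-03-14T02:41:00Z sdwan-mgr userdel[4320]: delete user 'troot'
"""

# Constructed peering inventory and allowlist; 203.0.113.0/24 is a
# documentation range, not an indicator from the report.
KNOWN_PEERS = {"10.0.0.11", "10.0.0.12"}
OBSERVED_PEERS = [("10.0.0.11", "2026-01-05"), ("10.0.0.12", "2026-01-05"),
                  ("203.0.113.77", "2026-03-14")]


def find_extra_root_accounts(passwd_text, expected_root_users=("root",)):
    """Return every UID-0 username that is not in the expected set."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:  # skip blank or malformed lines
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in expected_root_users:
            extra.append(name)
    return extra


def unexpected_peers(observed, allowlist):
    """Return peer addresses that are not in the known-good allowlist."""
    return [ip for ip, _first_seen in observed if ip not in allowlist]


LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<prog>useradd|userdel|su|passwd)\[\d+\]: (?P<msg>.*)$")


def parse_auth_events(log_text):
    """Turn the simplified auth lines into dicts; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev, msg = {"ts": m.group("ts"), "prog": m.group("prog")}, m.group("msg")
        if ev["prog"] == "useradd":
            um = re.search(r"name=([^,]+), UID=(\d+)", msg)
            ev["name"], ev["uid"] = um.group(1), um.group(2)
        elif ev["prog"] == "userdel":
            ev["name"] = re.search(r"delete user '([^']+)'", msg).group(1)
        elif ev["prog"] == "su":
            sm = re.search(r"\(to ([^)]+)\) (\S+)", msg)
            ev["target"], ev["source"] = sm.group(1), sm.group(2)
        elif ev["prog"] == "passwd":
            ev["account"] = re.search(r"password for '([^']+)'", msg).group(1)
        events.append(ev)
    return events


def _ts(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def triage_auth_log(log_text, window_seconds=3600):
    """Flag a UID-0 account that is created, switched to with su and deleted,
    and any account whose password is changed twice inside one window
    (changed and then restored, the cleanup pattern the story describes)."""
    findings, rogue_roots, pw_changes = [], set(), defaultdict(list)
    for ev in parse_auth_events(log_text):
        if ev["prog"] == "useradd" and ev.get("uid") == "0":
            rogue_roots.add(ev["name"])
            findings.append(f"uid0-account-created:{ev['name']}@{ev['ts']}")
        elif ev["prog"] == "su" and ev.get("target") in rogue_roots:
            findings.append(f"su-to-rogue-root:{ev['source']}->{ev['target']}@{ev['ts']}")
        elif ev["prog"] == "userdel" and ev.get("name") in rogue_roots:
            findings.append(f"uid0-account-deleted:{ev['name']}@{ev['ts']}")
        elif ev["prog"] == "passwd":
            pw_changes[ev["account"]].append(ev["ts"])
    for account, stamps in pw_changes.items():
        for earlier, later in zip(stamps, stamps[1:]):
            if (_ts(later) - _ts(earlier)).total_seconds() <= window_seconds:
                findings.append(f"password-changed-and-reverted:{account}")
                break
    return findings


if __name__ == "__main__":
    print("extra UID-0 accounts:", find_extra_root_accounts(PASSWD_SNAPSHOT))
    print("unexpected peers:", unexpected_peers(OBSERVED_PEERS, KNOWN_PEERS))
    for finding in triage_auth_log(AUTH_LOG):
        print("finding:", finding)
```

The point of the log-based check is that a snapshot comparison alone would miss this intrusion: because the attackers restored /etc/passwd and /etc/shadow and reverted the admin password, the device looks clean after the fact, and only logs or diagnostic data collected from the appliance (as Mandiant recommends) retain the create-use-delete sequence. The allowlist check is deliberately simple; in practice the allowlist is the set of peers your change records justify, and anything outside it dating to the March 2026 window deserves a closer look.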

Response, vendor action, and a pointed takeaway

Cisco disclosed CVE-2026-20245 earlier in June and released security updates while warning the vulnerability had been exploited in a limited number of attacks. Cisco also said that successful exploitation allowed attackers to gain root privileges and that some incidents involved unauthorized configuration changes being pushed to edge devices. Mandiant reported the sequence of actions that turned an authenticated local file upload into complete device takeover, and provided IoCs and guidance to aid response.

The attackers’ pattern — establishing rogue peering, using vmanage-admin credentials, creating and then erasing a root account, and restoring changed passwords — underscores a calculus focused on persistent access while minimizing immediate detection. Cisco’s note that stolen certificates may have been reused raises a separate question about credential and key hygiene that organizations with SD‑WAN deployments will need to address alongside patching.
