threat intelligence

Cisco SD-WAN Root Escalation (CVE-2026-20245): A Zero-Day Exploited Months Before Anyone Knew It Existed

July 1, 2026 CrowdSOC Team 9 min read
Cisco SD-WAN Root Escalation (CVE-2026-20245): A Zero-Day Exploited Months Before Anyone Knew It Existed
← back to insights

If your organization runs Cisco Catalyst SD-WAN to connect branch offices, data centers, or cloud environments, there is a vulnerability you need to know about, and it comes with an unusually uncomfortable backstory. It wasn't just discovered and patched in the normal order of events. It was already being used by attackers, quietly and for months, before anyone outside that attack knew it existed.

In plain terms: a flaw in the software that manages Cisco's SD-WAN network lets someone who has already gained a foothold on that system take complete control of it, the same level of control the system's own administrators have. Google's Mandiant threat intelligence team has now confirmed that this exact technique was used against a real organization, a telecommunications service provider, starting as early as March 2026, roughly two months before Cisco even knew the flaw existed. This matters for executives and boards because SD-WAN systems sit at the center of how many organizations route their network traffic between offices, data centers, and cloud providers; a compromise here isn't a single server going down, it's a foothold into the connective tissue of the whole network.


What is CVE-2026-20245?

CVE-2026-20245 is a privilege escalation vulnerability in the command-line interface of Cisco Catalyst SD-WAN Manager (formerly known as vManage), Cisco Catalyst SD-WAN Controller (formerly vSmart), and Cisco Catalyst SD-WAN Validator (formerly vBond). Cisco tracks the underlying defect as Bug ID CSCwu18563 and published it under advisory ID cisco-sa-sdwan-privesc-4uxFrdzx, alongside the CWE-116 classification (improper encoding or escaping of output).

The root cause is straightforward, at least in concept: the CLI does not properly validate a file that a user uploads to the system. An attacker who already holds "netadmin" privileges, one tier below full root access, can upload a specially crafted file that the backend processes without adequate sanitization. That lets the attacker inject and execute commands as the root user, the highest level of privilege the operating system has.

Cisco has been direct about the practical consequence: successful exploitation lets an authenticated, local attacker run arbitrary commands as root by supplying a crafted file to the system.

Critically, this is not a vulnerability that lets a stranger walk in off the internet with no credentials at all. It requires netadmin-level access first. But that caveat matters less than it sounds, for reasons we'll get to below.


How attackers actually used it

This is where the story becomes unusual, and worth walking through in some detail, because it illustrates exactly why "requires prior access" is not the same thing as "low risk."

According to Mandiant's investigation, an unidentified threat actor targeted SD-WAN infrastructure belonging to a communications service provider across two separate periods of activity: one beginning in late 2025 and running into January 2026, and a second in March 2026. It remains unconfirmed whether the same actor was behind both waves.

Getting in the door. The first wave of activity likely relied on one of two Cisco SD-WAN authentication bypass vulnerabilities, CVE-2026-20127 and CVE-2026-20182, both of which carry the maximum possible CVSS score of 10.0. At the time these were exploited, both were themselves undisclosed zero-days. CVE-2026-20127 has reportedly been exploited by a threat actor Cisco Talos tracks as UAT-8616 since at least 2023; CVE-2026-20182, disclosed by Rapid7 in May 2026, affects the same underlying "vdaemon" peering service and lets a remote, unauthenticated attacker trick the system into treating them as a trusted peer device, ultimately gaining administrative access without ever supplying valid credentials.

Escalating to root. With administrative access secured, the attacker established an SSH session using the default admin account and then exploited CVE-2026-20245 by issuing a CLI command to upload a file named evil_tenant.csv through the system's tenant-upload feature. That file carried the exploit payload. Once processed, it let the attacker create a new, illegitimate account named "troot," configured with full root-level privileges, by directly modifying the system's /etc/passwd and /etc/shadow files. From there, a simple su command moved the attacker from the admin account into the rogue root account, giving them complete control of the device.

Covering their tracks. What stands out most in Mandiant's account is how deliberate the attacker was about erasing evidence. Before exfiltrating configuration data, the attacker changed the default admin account's password, logged in, extracted configuration details for edge devices and templates, and then quietly restored the original password before ending the session, specifically so a returning administrator would notice nothing unusual. After escalating to root, the attacker deleted every file they had created, including the malicious CSV, restored any system configuration files they had modified, and ran a validation script to confirm no trace of the intrusion remained.

A second wave of rogue peering activity, observed in March 2026, targeted a device that had already been patched against CVE-2026-20127. Cisco has since confirmed this second wave did not rely on CVE-2026-20182 either, raising the possibility that the attacker used SSH certificates stolen during an earlier compromise of the same device rather than exploiting a new authentication flaw.


Why this happened out of the normal order

Most of the vulnerabilities we cover follow a familiar sequence: a researcher finds a flaw, reports it privately, a vendor issues a patch, and the details become public more or less at the same time defenders get their fix. That is not what happened here.

Mandiant identified this activity during an investigation, reported CVE-2026-20245 to Cisco, and Cisco disclosed the vulnerability and released fixed software in early-to-mid June 2026, roughly a week apart. By that point, according to Mandiant's telemetry, the vulnerability had already been actively exploited in the wild for at least two months, and quite possibly since late 2025. There was no public proof-of-concept exploit at the time of disclosure; the vulnerability's use in the wild was discovered through incident response, not through a researcher's independent write-up appearing online first.

This is what security researchers sometimes call the "living off the edge" pattern: rather than targeting endpoint devices that run detection and response software, sophisticated attackers increasingly aim at the network appliances that sit at the edge of an organization's infrastructure, precisely because those appliances often lack the same depth of logging and monitoring. A foothold in an SD-WAN controller doesn't just compromise one machine; it can offer visibility into traffic flowing across an entire network fabric.


How this fits into 2026's broader Cisco SD-WAN pattern

CVE-2026-20245 is not an isolated event. It is at least the seventh Cisco Catalyst SD-WAN vulnerability confirmed to have been exploited in 2026, following a string of earlier disclosures targeting the same product family. Two of those, summarized below, form the entry point for the attack chain Mandiant described.

CVE CVSS Type Summary
CVE-2026-20127 10.0 Authentication bypass (vdaemon/DTLS) Unauthenticated remote attacker gains administrative access; exploited by UAT-8616 since at least 2023
CVE-2026-20182 10.0 Authentication bypass (vdaemon/DTLS) Separate flaw in the same peering service; lets an unauthenticated attacker inject an SSH key into the vmanage-admin account for persistent NETCONF access
CVE-2026-20245 7.8 Privilege escalation (CLI file upload) Authenticated netadmin-level attacker escalates to full root via a crafted file upload

Individually, each of these is serious. Chained together, they form a path from zero prior access to complete root-level control of core SD-WAN infrastructure, without the attacker ever needing legitimate credentials at any point in the chain. Cisco has stated it is not aware of CVE-2026-20245 being exploited through any method other than prior netadmin access, but that access itself has repeatedly proven obtainable through the authentication bypass flaws above, or simply through stolen credentials.


Who is affected?

CVE-2026-20245 affects Cisco Catalyst SD-WAN Manager, Controller, and Validator across every deployment model Cisco offers: on-premises installations, Cisco SD-WAN Cloud and Cloud-Pro deployments, Cisco-managed cloud environments, and FedRAMP-authorized government systems. There is no configuration-dependent exemption; if you are running an affected release of the software, the vulnerable code path is present regardless of how the deployment is hosted.

Organizations at the highest practical risk are those that:

  • Have internet-exposed SD-WAN Controller or Validator interfaces, which increases exposure to the authentication bypass flaws that provide the initial foothold this vulnerability depends on.
  • Have not yet patched against CVE-2026-20127 or CVE-2026-20182, both of which remain viable paths to the netadmin-level access this vulnerability requires.
  • Operate as, or provide services to, telecommunications and service-provider environments, which is the sector Mandiant observed being targeted in this specific case, though there is no indication the technique is limited to that sector.

Active exploitation: what we know

CISA added CVE-2026-20245 to its Known Exploited Vulnerabilities (KEV) catalog on June 9, 2026, with a remediation deadline of June 23, 2026, for U.S. federal civilian agencies. Cisco's own advisory acknowledges limited real-world exploitation, including cases where successful attacks resulted in unauthorized configuration changes being pushed to SD-WAN edge devices.

Mandiant's June 24, 2026, report is the most detailed public account of how the vulnerability has actually been used, and it describes a patient, capable actor rather than opportunistic scanning. The anti-forensic discipline on display, password restoration, configuration rollback, validation scripts to confirm cleanup, is consistent with an operator focused on long-term, undetected access rather than smash-and-grab disruption.


What should you do?

1. Determine your current software version

Check the version running on every Cisco Catalyst SD-WAN Manager, Controller, and Validator instance in your environment, including clusters, standby nodes, disaster recovery pairs, and any lab or test appliances that share production credentials.

show version

2. Patch; there is no workaround

Cisco has confirmed there is no configuration-based mitigation for CVE-2026-20245. The only remediation is upgrading to a fixed software release. Public reporting and Mandiant's own remediation guidance point to the following fixed versions or later:

Train Fixed version
20.9 20.9.9.2
20.10 / 20.11 / 20.12 20.12.7.2
20.15 20.15.4.5 or 20.15.5.3
20.18 20.18.3.1
26.1 26.1.1.2

Treat Cisco's official security advisory as the authoritative source for your specific train and deployment type, since guidance can be updated after initial publication. Consult the Cisco Security Advisory directly for the complete matrix.

3. Patch the earlier authentication bypass flaws too

Because CVE-2026-20245 depends on netadmin-level access to be exploitable, and CVE-2026-20127 and CVE-2026-20182 are two well-documented ways attackers have obtained that access without any credentials at all, patching CVE-2026-20245 in isolation leaves the door open. If you have not already remediated CVE-2026-20127 and CVE-2026-20182 on every relevant control-plane component, treat that as equally urgent.

4. Assume compromise is possible before you patch, if evidence supports it

If any of your SD-WAN devices have previously been vulnerable to CVE-2026-20127 or CVE-2026-20182, or if you cannot rule out that they were exposed during the window before you applied those patches, do not assume a clean upgrade to CVE-2026-20245's fixed release fully remediates the system. Mandiant recommends collecting diagnostic data from every control-plane component before upgrading, using:

request admin-tech

Preserve this data before making changes, particularly if you have any reason to suspect prior compromise. A software upgrade alone will not remove a rogue account or reverse changes an attacker already made; if compromise is confirmed or suspected, engage Cisco TAC directly rather than relying on the upgrade alone.

5. Review logs for indicators of compromise

Mandiant and Cisco have published indicators tied to this specific attack chain. Worth checking:

For CVE-2026-20245 exploitation, review scripts.log in /var/log/ for unexpected file uploads or command executions, particularly entries referencing vconfd_script_upload_tenant_list.sh or unfamiliar uploaded filenames.

grep -i "tenant" /var/log/scripts.log

For CVE-2026-20182 exploitation (a common entry point into this chain), review authentication logs for SSH key acceptances tied to the vmanage-admin account originating from unrecognized IP addresses.

grep "Accepted publickey for vmanage-admin" /var/log/auth.log

Because these log entries reflect what look like legitimate commands and logins, correlate any findings against known maintenance windows, authorized IP ranges, and your organization's normal SD-WAN topology before concluding you have found evidence of an intrusion.

Check for the rogue account pattern directly. Given how this specific attack behaved, review /etc/passwd and /etc/shadow for unfamiliar account names, and review command history for unexpected use of su shortly after a session authenticated as admin or vmanage-admin.

6. Review unusual peering connections

Since the authentication bypass flaws that precede this vulnerability in the attack chain rely on establishing unauthorized SD-WAN peer connections, review your control connection logs for peering events that occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with your actual architecture. Cisco's guidance places particular emphasis on scrutinizing vmanage-type peering events.


A note on detection difficulty

Unlike some of the memory-corruption and kernel-level flaws we've covered previously, this vulnerability leaves a real trail if you know where to look; nothing about the exploitation technique hides at the syscall level or bypasses file integrity checks. The difficulty here is different: the attacker behind this specific campaign was skilled enough to actively erase that trail as they went, restoring passwords and configuration files to their original state and running cleanup scripts to verify nothing remained. That is a meaningfully higher bar for defenders than an attacker who simply doesn't bother covering their tracks, and it's a reminder that absence of obvious evidence in your logs is not the same thing as confirmation that a system was never touched.


Summary

CVE CVE-2026-20245
CVSS Score 7.8 (High)
Type Privilege Escalation (CLI command injection via crafted file upload)
Component Cisco Catalyst SD-WAN Manager, Controller, and Validator (CLI)
CWE CWE-116 (Improper Encoding or Escaping of Output)
Prerequisite Netadmin-level access, obtainable via valid credentials or via CVE-2026-20127 / CVE-2026-20182
Discovered by Mandiant (Google Cloud), reported to Cisco
Disclosed Early June 2026
Fixed software released Mid-June 2026
Exploited as zero-day since At least March 2026; possibly late 2025
Public PoC at disclosure? No
Active exploitation confirmed? Yes — Mandiant, June 24, 2026
CISA KEV added June 9, 2026 (federal deadline June 23, 2026)
Workaround available? No — patch is the only fix
Related CVEs in the same attack chain CVE-2026-20127 (CVSS 10.0), CVE-2026-20182 (CVSS 10.0)

If you need help determining whether your Cisco Catalyst SD-WAN environment shows signs of this attack chain, prioritizing patch rollout across your control-plane components, or reviewing SD-WAN peering logs for signs of unauthorized access, get in touch. A vulnerability that was already being exploited for months before its disclosure deserves a response that starts with "were we already hit," not just "how fast can we patch."

← all insights
CrowdSOC Team · July 1, 2026