Mandiant Details CVE-2026-20245 Exploitation Chain in Cisco SD-WAN Zero-Day Attacks
Cisco Catalyst SD-WAN vulnerability CVE-2026-20245 exploited post-compromise to escalate privileges and create rogue root accounts via malicious file upload.
Attack Brief
Target: Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), Validator (vBond)
Vector: Command injection via crafted file upload in the tenant-upload CLI feature; privilege escalation requiring prior authenticated access
Attribution: Mandiant disclosure; threat actor unattributed
Technical Details
CVE IDs: CVE-2026-20245, CVE-2026-20127, CVE-2026-20182
MITRE ATT&CK: T1548, T1190
IoCs: evil_tenant.csv
Affected: Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), Validator (vBond); authenticated local access required
Impact
Confirmed Damage: Root privilege escalation; creation of rogue root accounts; unauthorized configuration changes pushed to edge devices; extraction of SD-WAN configuration data including edge device, controller, and template information
Mitigation
Patches: Cisco security updates for CVE-2026-20245 released; customers urged to upgrade to fixed software versions
Workarounds: No workarounds available per Cisco
Context
Previous Campaigns: Intrusion activity observed beginning March 2026 on service provider infrastructure; rogue SD-WAN peering connections established; vmanage-admin account compromised
Similar Attacks: Exploitation chain likely preceded by the CVE-2026-20127 and CVE-2026-20182 authentication bypass vulnerabilities to establish initial access
Source
https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/
by Mandiant on 2026-06-24T00:00:00Z (4 sources)