Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited Pre-Disclosure for Root Access
An unknown threat actor exploited CVE-2026-20245 as a zero-day against Cisco Catalyst SD-WAN at least two months before public disclosure, escalating to root access via a malicious CSV upload.
Attack Brief
Target: Cisco Catalyst SD-WAN Manager
Vector: Authenticated local arbitrary command execution via insufficient input validation; privilege escalation through crafted file upload
Attribution: unattributed
Technical Details
CVE IDs: CVE-2026-20245; CVE-2026-20127; CVE-2026-20182
MITRE ATT&CK: T1548; T1190
IoCs: evil_tenant.csv; troot
Affected: Cisco Catalyst SD-WAN; versions prior to patches for CVE-2026-20245; CVE-2026-20127 patched in newer software versions targeted in second wave
Impact
Affected Organisations: Communications service provider (unspecified)
Sectors: telecommunications
Confirmed Damage: Unauthorized peering connections; compromised admin account elevated to root-level access; SD-WAN fabric configuration exfiltrated; rogue user account created with full root shell control
Mitigation
Detection: Monitor for malicious CSV file uploads to Catalyst SD-WAN Manager; detect unauthorized peering connections; audit for creation of unexpected user accounts; review system configuration file modifications and deletions
Context
Previous Campaigns: Two distinct periods of unauthorized activity detected: late 2025 to January 2026 (leveraging CVE-2026-20127 or CVE-2026-20182 as zero-days) and March 2026 (potentially using stolen certificates from the prior breach)
Source
https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html
By: Mandiant (Google); Chester Sng, Pete Boonyakarn, Logeswaran Nadarajan; Austin Larsen
Date: 2026-06-25
Sources: 4