Cybercriminals exploited a vulnerability in Cisco Catalyst SD‑WAN, tracked as CVE‑2026‑20245, for months before it became publicly known, using it as a zero‑day to run privileged system commands.
Security firm Mandiant, part of Google, revealed that an unidentified threat actor had been exploiting this flaw, rated 7.8 on the CVSS scale, for at least two months prior to disclosure. Cisco has since acknowledged the issue, confirmed instances of active exploitation, and released security patches.
The vulnerability stems from improper validation of user-supplied input. It enables an authenticated attacker with netadmin-level access to upload a specially crafted file and execute arbitrary commands with root privileges. While the attack requires elevated permissions, adversaries can obtain them through credential theft or by abusing other known flaws such as CVE‑2026‑20182 and CVE‑2026‑20127.
Cisco's advisory describes the same root cause: because the system does not sufficiently verify user input, an attacker who uploads a malicious file can inject commands and ultimately escalate privileges to the root user. Exploitation requires valid netadmin credentials, whether legitimately obtained or gained through other vulnerabilities. Cisco noted a limited number of observed cases in which attackers used this flaw to push unauthorized configuration changes to edge devices.
The vulnerability impacts all deployment types of Cisco Catalyst SD‑WAN Manager, including on‑premises setups, Cisco SD‑WAN Cloud‑Pro, Cisco‑managed cloud environments, and FedRAMP-authorized systems.
Mandiant’s investigation traced the attacks back to early 2026, when a threat actor targeted SD‑WAN infrastructure at a service provider. After gaining an initial foothold, the attacker leveraged CVE‑2026‑20245 to escalate privileges from an administrative account to full root access. Throughout the operation, the attacker used anti‑forensic techniques to evade detection, such as selectively modifying, deleting, and restoring system configuration files.
Researchers observed two separate attack campaigns against a communications provider between late 2025 and March 2026. In both cases, attackers ultimately elevated access from a compromised admin account to root-level control.
In the earlier campaign, attackers likely exploited two then-unknown authentication bypass vulnerabilities (CVE‑2026‑20127 and CVE‑2026‑20182) to gain unauthorized system access. A later intrusion targeted a system that had already been patched, suggesting the attackers may have used stolen certificates obtained during the earlier breach. However, investigators have not confirmed if both incidents were carried out by the same actor.
Once inside, the attacker initiated an SSH session using an administrative account and exploited CVE‑2026‑20245 by uploading a malicious file named evil_tenant.csv via a specific command. This file contained the exploit payload necessary to gain elevated privileges.
With root access achieved, the attacker created a backdoor account named “troot,” granting persistent full system control. They then switched to this account using the su command from the compromised admin account.
To minimize detection and hinder forensic analysis, the attackers removed all traces of their activity. This included deleting the malicious file, reversing configuration changes, and executing cleanup scripts to eliminate evidence of compromise.
Mandiant emphasized that the attackers carefully erased artifacts they created and restored altered configurations, demonstrating a deliberate effort to reduce their forensic footprint.
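The post-exploitation steps described above (a backdoor account with root privileges, a switch to it with su from the compromised admin account, and subsequent cleanup) leave a small set of artifacts that a defender can check for even on appliances with thin logging. The following is an added example, not Cisco's or Mandiant's tooling: it scans a constructed /etc/passwd snippet and constructed syslog-style auth lines for UID-0 accounts other than root, useradd events that create a UID-0 account, and su sessions whose target is neither root nor the invoking user. The backdoor name "troot" comes from the article; the hostname, PIDs, timestamps, IP address and log formats are constructed, and the assumption that root is the only legitimate UID-0 account is a placeholder for the real baseline of the appliance.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    rule: str
    detail: str


# Assumption for this example: root is the only account that should ever have UID 0.
KNOWN_PRIVILEGED = {"root"}

# Constructed /etc/passwd sample; "troot" is the backdoor account name reported in the article.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed syslog-style auth lines modelled on the sequence in the article:
# SSH login as admin, creation of a UID-0 account, and su into it.
SAMPLE_AUTH_LOG = """Jan 12 03:14:07 vmanage sshd[2211]: Accepted password for admin from 203.0.113.7 port 50222 ssh2
Jan 12 03:16:41 vmanage useradd[2290]: new user: name=troot, UID=0, GID=0, home=/root, shell=/bin/bash
Jan 12 03:17:02 vmanage su[2301]: (to troot) admin on pts/0
Jan 12 03:20:55 vmanage su[2340]: (to root) admin on pts/1
"""

USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<source>\S+) on (?P<tty>\S+)")


def find_uid0_accounts(passwd_text: str) -> List[str]:
    """Return names of accounts with UID 0 that are not in KNOWN_PRIVILEGED."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in KNOWN_PRIVILEGED:
            hits.append(name)
    return hits


def find_uid0_useradd(auth_log: str) -> List[Finding]:
    """Flag useradd events that create an account with UID 0."""
    findings = []
    for line in auth_log.splitlines():
        m = USERADD_RE.search(line)
        if m and m.group("uid") == "0":
            findings.append(Finding("uid0-useradd", f"account {m.group('name')} created with UID 0: {line}"))
    return findings


def find_su_to_unexpected(auth_log: str) -> List[Finding]:
    """Flag su sessions whose target is neither a known privileged account nor the invoking user."""
    findings = []
    for line in auth_log.splitlines():
        m = SU_RE.search(line)
        if not m:
            continue
        target, source = m.group("target"), m.group("source")
        if target not in KNOWN_PRIVILEGED and target != source:
            findings.append(Finding("su-to-unexpected", f"{source} switched to {target} on {m.group('tty')}: {line}"))
    return findings


def analyze(passwd_text: str, auth_log: str) -> List[Finding]:
    """Run all checks and return the combined findings in a stable order."""
    findings = [Finding("uid0-account", f"{name} has UID 0 in /etc/passwd") for name in find_uid0_accounts(passwd_text)]
    findings += find_uid0_useradd(auth_log)
    findings += find_su_to_unexpected(auth_log)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PASSWD, SAMPLE_AUTH_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Because the article notes that the attackers deleted files and restored configurations afterwards, the passwd check is the one most likely to come up empty on a cleaned-up host; the log-based checks only help if auth logs are shipped off the appliance before the cleanup, which is the practical takeaway for the monitoring gap discussed below.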
The incident highlights a broader trend noted by Google: threat actors increasingly focus on exploiting zero‑day flaws in edge infrastructure devices such as SD‑WAN systems. These devices often lack robust logging and monitoring, making them attractive targets. Once compromised, they can provide attackers with long-term access and deep visibility into internal network traffic.
Mandiant concluded that this campaign exemplifies the “living off the edge” strategy, where attackers prioritize infiltrating network appliances to bypass traditional defenses. As organizations continue to adopt software‑defined networking, the management systems controlling these environments are becoming high‑value targets for sophisticated threat actors.