Google-owned Mandiant has published detailed exploitation analysis of CVE-2026-20245, a high-severity command injection flaw in Cisco Catalyst SD-WAN components that was actively exploited as a zero-day for at least two months before Cisco's public disclosure in June 2026. The campaign targeted communications service providers and demonstrated a level of operational sophistication that included active anti-forensic cleanup after exploitation.
Vulnerability Overview
| Field | Detail |
|---|---|
| CVE | CVE-2026-20245 |
| CVSS Score | 7.8 (High) |
| Type | Command Injection |
| Affected Products | Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), Validator (vBond) |
| First Exploitation | Late 2025 — January 2026 (Wave 1) |
| Second Wave | March 2026 |
| Public Disclosure | June 2026 |
| Workaround | None — patch required |
The Full Attack Chain
Mandiant's analysis reveals a multi-stage intrusion process that began well before CVE-2026-20245 was used:
Stage 1 — Initial Access via Companion CVEs
Attackers first exploited authentication bypass vulnerabilities — CVE-2026-20127 or CVE-2026-20182 — to establish unauthorized SD-WAN peering connections. In some cases, stolen certificates from prior breaches were used instead.
Stage 2 — Control Plane Authentication
With peering established, attackers used compromised vmanage-admin credentials to authenticate to the vManage SD-WAN management control plane.
Stage 3 — Configuration Exfiltration
The attackers extracted device configuration data and device templates, enabling reconnaissance of the full SD-WAN fabric and identifying targets for deeper compromise.
Stage 4 — Privilege Escalation via CVE-2026-20245
This is the novel technique at the center of Mandiant's analysis. The attacker uploaded a crafted malicious CSV file named "evil_tenant.csv" through the SD-WAN CLI's tenant-upload feature. The payload executed a multi-step abuse chain:
- Backed up
/etc/passwdand/etc/shadow— the Linux user and password databases - Created a hidden user account named "troot" with full root shell privileges
- Used the
sucommand to execute arbitrary commands as root
The result: persistent, undetected root-level access to compromised infrastructure with a backdoor user that survived normal administrative review.
Stage 5 — Anti-Forensic Cleanup
After achieving their objectives, the attackers demonstrated sophisticated operational security:
- Restored original admin account passwords to their pre-compromise state
- Backed up and then restored modified system configuration files
- Deleted malicious payloads and all temporary files
- Executed custom validation scripts to confirm every trace had been removed
This level of cleanup — including verification automation — is consistent with nation-state or advanced criminal tradecraft.
Who Was Targeted
Mandiant's report indicates the campaign focused on communications service providers running Cisco Catalyst SD-WAN infrastructure. No public attribution to a specific nation-state or threat actor has been made.
Indicators of Compromise
Organizations should hunt for:
- The "troot" user account in
/etc/passwdor/etc/shadow - Anomalous entries in SD-WAN tenant upload logs
- Unauthorized peering connections in vManage, especially from late 2025 onward
- Unusual
sucommand execution in system logs - Evidence of prior exploitation of CVE-2026-20127 or CVE-2026-20182 as precursors
Remediation
There are no workarounds for CVE-2026-20245. Cisco released patches in June 2026. Organizations running Cisco Catalyst SD-WAN should:
- Patch immediately to fixed software versions
- Audit all user accounts on vManage, vSmart, and vBond for unauthorized entries
- Review access logs for unauthorized peering connections dating to late 2025
- Investigate companion CVEs (CVE-2026-20127, CVE-2026-20182) as probable initial access vectors
- Reset all admin credentials as a precautionary measure if compromise is suspected
The two-month gap between first exploitation and public disclosure underscores the importance of network segmentation, behavioral monitoring, and anomaly detection on critical SD-WAN management planes.