
Hackers Exploiting Cisco Catalyst SD-WAN Manager 0-Day Flaw to Gain Root-Level Access

Cybersecurity News Archived Jun 24, 2026 ✓ Full text saved




By Guru Baran, June 24, 2026

A sophisticated threat actor is actively targeting SD-WAN infrastructure at a major service provider. The campaign culminated in the exploitation of a zero-day privilege escalation vulnerability, now tracked as CVE-2026-20245 (CVSS 7.8), in Cisco Catalyst SD-WAN Manager, enabling attackers to silently escalate from a compromised administrative account to full root-level access.

CVE-2026-20245 resides in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers and is classified as CWE-116 (Improper Encoding or Escaping of Output). The flaw stems from the device’s file upload feature failing to properly validate or filter user-supplied input before it is processed by privileged shell helpers. An authenticated attacker with netadmin-level privileges can upload a specially crafted CSV file, triggering command injection and achieving arbitrary command execution as root. The vulnerability affects all deployment types, including On-Prem, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP government environments.

The intrusion unfolded in two distinct phases. From late 2025 to January 2026, Mandiant observed multiple unauthorized peering connections to the victim’s SD-WAN Manager devices, likely exploiting the companion authentication bypass flaws CVE-2026-20127 (CVSS 10.0) and CVE-2026-20182 (CVSS 10.0), both of which allow unauthenticated remote attackers to obtain administrative privileges. These vulnerabilities were undisclosed and unpatched during this window, providing the threat actor an unchallenged entry point. Beginning in March 2026, the threat actor established fresh rogue peer connections and authenticated to SD-WAN Manager via SSH using the vmanage-admin default account.
Once inside, they changed the default admin account password, logged directly into the SD-WAN Manager web interface, and exfiltrated device configurations, including edge device templates and running configurations. Critically, the password was then reverted to its original state to avoid triggering administrator suspicion during routine operations.

Zero-Day Exploitation via Malicious CSV Upload

After establishing an SSH session with the admin account, the attacker executed a targeted file upload command to deliver a file named evil_tenant.csv. The exploit payload embedded within this file manipulated the system’s /etc/passwd and /etc/shadow files, injecting a new user account named troot with full UID 0 root privileges. The threat actor then escalated to this account via the su (substitute user) command, achieving complete control of the management plane.

To maintain operational security, the threat actor executed a validation script to systematically verify and purge all forensic artifacts. This included deleting evil_tenant.csv, restoring the original vbond_vsmart_tenant_list configuration, reverting /etc/passwd and /etc/shadow to their backed-up states, and confirming the removal of the troot account: a methodical cleanup designed to eliminate all indicators of compromise.

Mitigations

Organizations running Cisco Catalyst SD-WAN Manager should act immediately:

- Upgrade immediately to fixed releases: versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later.
- Run request admin-tech on all control-plane components to collect logs and perform IOC sweeps.
- Review /var/log/scripts.log for suspicious file upload commands or unauthorized configuration changes.
- Contact Cisco TAC immediately if any confirmed indicators of compromise are identified.
- Follow the Cisco Catalyst SD-WAN Hardening Guide for defense-in-depth across management, control, and data planes.
This campaign exemplifies the “living off the edge” paradigm increasingly favored by state-sponsored actors targeting network appliances that function as black boxes with limited telemetry, while serving as the central nervous system of enterprise connectivity. Google Threat Intelligence Group (GTIG) has tracked a consistent year-over-year rise in zero-day exploitation of edge devices, and this three-CVE arc against Cisco SD-WAN’s management plane represents a structural failure, not an isolated bug. Organizations operating distributed SD-WAN environments must treat the management plane as a Tier-1 attack surface and enforce strict access controls, continuous monitoring, and an aggressive patching cadence.

IoCs

Description                                                          | Indicator
IP address connecting as rogue device and exploiting CVE-2026-20245  | 126.51.108[.]152
IP address connecting as rogue device                                | 76.92.245[.]217
IP address connecting as rogue device                                | 207.190.37[.]94
IP address connecting as rogue device                                | 23.245.7[.]178
IP address connecting as rogue device                                | 153.186.231[.]233
IP address connecting as rogue device                                | 167.179.79[.]189
IP address connecting as rogue device                                | 45.32.38[.]160
IP address connecting as rogue device                                | 209.137.225[.]101

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
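As an added, defender-side example (not code from the article, Cisco or Mandiant), the checks below cover two artifacts the text names: a second UID 0 account injected into /etc/passwd, and peer connections from the published IoC addresses. The passwd lines and peer records are constructed samples; the format of /var/log/scripts.log is not shown on the page, so it is not parsed here.

```python
import ipaddress

# Constructed /etc/passwd snapshot (not from a real appliance): the third entry
# is the kind of artifact the article describes, a second UID 0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/sh
troot:x:0:0::/root:/bin/sh
"""
# Three of the article's published IoCs, kept defanged until refang() runs.
DEFANGED_IOCS = ["126.51.108[.]152", "76.92.245[.]217", "45.32.38[.]160"]

# Constructed peer-connection records (source IP, event); not a real log format.
SAMPLE_PEERS = [("10.0.0.5", "peer-up"),
                ("126.51.108.152", "peer-up"),
                ("198.51.100.7", "peer-up")]


def find_rogue_root_accounts(passwd_text: str) -> list[str]:
    """Return account names other than 'root' that carry UID 0 or GID 0."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # malformed line: skip rather than crash the sweep
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if name != "root" and (uid == 0 or gid == 0):
            rogue.append(name)
    return rogue


def accounts_added(baseline: str, current: str) -> set[str]:
    """Names in the current passwd but not in a known-good baseline. Run this
    from a file-integrity job: the actor reverted the file, so only a diff
    taken at the time still records the injected account."""
    def names(text):
        return {l.split(":")[0] for l in text.splitlines() if ":" in l}
    return names(current) - names(baseline)


def refang(ioc: str) -> str:
    """Convert '126.51.108[.]152' to a validated dotted-quad string."""
    candidate = ioc.replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.ip_address(candidate))  # ValueError on junk input


def match_peers(peers, defanged_iocs) -> list[str]:
    """Source IPs of peer connections that appear on the refanged IoC list."""
    watch = {refang(i) for i in defanged_iocs}
    return [src for src, _event in peers if src in watch]
```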