




















A sophisticated threat actor is actively targeting SD-WAN infrastructure at a major service provider. The campaign culminated in the exploitation of a zero-day privilege escalation vulnerability, now tracked as CVE-2026-20245 (CVSS 7.8), in Cisco Catalyst SD-WAN Manager, enabling attackers to silently escalate from a compromised administrative account to full root-level access.
CVE-2026-20245 resides in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers and is classified as CWE-116 (Improper Encoding or Escaping of Output).
The flaw stems from the device’s file upload feature failing to properly validate or filter user-supplied input before it is processed by privileged shell helpers. An authenticated attacker with netadmin-level privileges can upload a specially crafted CSV file, triggering command injection and achieving arbitrary command execution as root.
The vulnerability affects all deployment types, including On-Prem, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP government environments.
The intrusion unfolded in two distinct phases. From late 2025 to January 2026, Mandiant observed multiple unauthorized peering connections to the victim’s SD-WAN Manager devices, likely exploiting the companion authentication bypass flaws CVE-2026-20127 (CVSS 10.0) and CVE-2026-20182 (CVSS 10.0), both of which allow unauthenticated remote attackers to obtain administrative privileges. These vulnerabilities were undisclosed and unpatched during this window, providing the threat actor an unchallenged entry point.
Beginning in March 2026, the threat actor established fresh rogue peer connections and authenticated to SD-WAN Manager via SSH using the vmanage-admin default account.
Once inside, they changed the default admin account password, logged directly into the SD-WAN Manager web interface, and exfiltrated device configurations, including edge device templates and running configurations.
Critically, the password was then reverted to its original state to avoid triggering administrator suspicion during routine operations.
After establishing an SSH session with the admin account, the attacker executed a targeted file upload command to deliver a file named evil_tenant.csv.
The exploit payload embedded within this file manipulated the system’s /etc/passwd and /etc/shadow files, injecting a new user account named troot with full UID 0 root privileges. The threat actor then escalated to this account via the su (substitute user) command, achieving complete control of the management plane.
To maintain operational security, the threat actor executed a validation script to systematically verify and purge all forensic artifacts. This included deleting evil_tenant.csv, restoring the original vbond_vsmart_tenant_list configuration, reverting /etc/passwd and /etc/shadow to their backed-up states, and confirming the removal of the troot account a methodical cleanup designed to eliminate all indicators of compromise.
Organizations running Cisco Catalyst SD-WAN Manager should act immediately:
request admin-tech on all control-plane components to collect logs and perform IOC sweeps./var/log/scripts.log for suspicious file upload commands or unauthorized configuration changes.This campaign exemplifies the “living off the edge” paradigm increasingly favored by state-sponsored actors targeting network appliances that function as black boxes with limited telemetry, while serving as the central nervous system of enterprise connectivity.
Google Threat Intelligence Group (GTIG) has tracked a consistent year-over-year rise in zero-day exploitation of edge devices, and this three-CVE arc against Cisco SD-WAN’s management plane represents a structural failure, not an isolated bug.
Organizations operating distributed SD-WAN environments must treat the management plane as a Tier-1 attack surface and enforce strict access controls, continuous monitoring, and an aggressive patching cadence.
| Description | Indicator |
| IP address connecting as rogue device and exploiting CVE-2026-20245 | 126.51.108[.]152 |
| IP address connecting as rogue device | 76.92.245[.]217 |
| IP address connecting as rogue device | 207.190.37[.]94 |
| IP address connecting as rogue device | 23.245.7[.]178 |
| IP address connecting as rogue device | 153.186.231[.]233 |
| IP address connecting as rogue device | 167.179.79[.]189 |
| IP address connecting as rogue device | 45.32.38[.]160 |
| IP address connecting as rogue device | 209.137.225[.]101 |
[.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。