A newly disclosed zero-day vulnerability, CVE-2026-20245, has been exploited by a threat actor targeting Cisco Catalyst SD-WAN Manager. By exploiting a flaw in the platform’s file upload functionality, the threat actor escalated privileges from a compromised administrative account to root access and used extensive anti-forensic measures to erase evidence of the attack.
Mandiant found that the threat actor initially established unauthorized peering connections before accessing Cisco Catalyst SD-WAN Manager over SSH. In March 2026, the attacker authenticated using the default vmanage-admin account, changed the default admin account password, logged into the web interface, and exfiltrated SD-WAN fabric configurations, including device, controller, and template information.
The original password was then restored to reduce the likelihood of detection. The researchers noted that neither the vmanage-admin nor admin accounts provide root shell access, prompting the attacker to exploit CVE-2026-20245 for privilege escalation.
The vulnerability exists because Cisco Catalyst SD-WAN Manager fails to properly filter malicious data uploaded through its tenant file upload feature. The threat actor exploited CVE-2026-20245 by uploading a crafted file named evil_tenant.csv using the command:
request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0
Reported to Cisco by Mandiant, CVE-2026-20245 affects the command-line interface of Cisco Catalyst SD-WAN Controllers and allows an authenticated local attacker to execute arbitrary commands as root through a specially crafted file.
The malicious payload backed up configuration files, preserved copies of /etc/passwd and /etc/shadow, and created a new root-level account named troot. Mandiant later observed the threat actor switching from the admin account to troot using the su command.
Mandiant observed multiple unauthorized peering connections between late 2025 and January 2026. Researchers believe these may have exploited CVE-2026-20127 or CVE-2026-20182, two critical Cisco vulnerabilities affecting peering authentication that allow remote attackers to bypass authentication and gain administrative privileges.
Further rogue peering activity in March 2026 targeted software versions not vulnerable to CVE-2026-20127. Cisco confirmed the activity also did not rely on CVE-2026-20182, suggesting the threat actor may have reused stolen certificate material from an earlier compromise. Mandiant said it remains unclear whether the same group conducted both campaigns.
To conceal the intrusion, the threat actor deleted evil_tenant.csv, restored modified configuration files, removed temporary artifacts, and executed a validation script to confirm that malicious files, the troot account, and altered configuration files had been removed or restored.
Mandiant said the campaign reflects the growing “living off the edge” trend, where attackers target network appliances that often lack detailed forensic visibility while providing centralized control over enterprise environments. Such platforms remain attractive to state-sponsored actors seeking long-term intelligence collection.
Organizations are advised to collect diagnostic logs using the request admin-tech command, investigate any indicators of compromise, and report confirmed incidents to Cisco TAC. Cisco recommends upgrading Cisco Catalyst SD-WAN Manager to versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later to remediate CVE-2026-20245 and following its SD-WAN hardening guidance.
Recovered indicators include the malicious evil_tenant.csv file with SHA-256 hash b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b and rogue IP addresses including 126.51.108[.]152, 76.92.245[.]217, 207.190.37[.]94, 23.245.7[.]178, 153.186.231[.]233, 167.179.79[.]189, 45.32.38[.]160, and 209.137.225[.]101.
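A defender-side sweep for the behaviours and indicators described above, as an added example that is not part of the article, Cisco's guidance or the Google SecOps detections. The hash and peer addresses are the ones quoted in the article; the log line format, the SAMPLE_* data and the rule names are constructed assumptions, and a real investigation would run this over the output of request admin-tech rather than these sample lines.

```python
import hashlib
import re

# Indicators quoted in the article (defanged addresses are refanged below for matching).
EVIL_TENANT_SHA256 = "b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b"
ROGUE_PEERS_DEFANGED = ["126.51.108[.]152", "76.92.245[.]217", "207.190.37[.]94",
                        "23.245.7[.]178", "153.186.231[.]233", "167.179.79[.]189",
                        "45.32.38[.]160", "209.137.225[.]101"]

def refang(ip: str) -> str:
    """Turn a defanged '1.2.3[.]4' indicator back into a matchable address."""
    return ip.replace("[.]", ".")

ROGUE_PEERS = {refang(ip) for ip in ROGUE_PEERS_DEFANGED}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TENANT_UPLOAD = re.compile(r"request tenant-upload tenant-list\s+(\S+)")
SU_CMD = re.compile(r"\bsu\s+(?:-\s+)?(\w+)")

def is_evil_tenant_file(data: bytes) -> bool:
    """True when a file's SHA-256 matches the recovered evil_tenant.csv."""
    return hashlib.sha256(data).hexdigest() == EVIL_TENANT_SHA256

def root_accounts(passwd_text: str) -> list[str]:
    """UID-0 accounts in an /etc/passwd dump other than root (the intrusion added 'troot')."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra

def scan(lines: list[str], passwd_text: str = "") -> list[tuple[str, str]]:
    """Return (rule, value) alerts for the behaviours the article attributes to the intrusion."""
    aliases = set(root_accounts(passwd_text))
    alerts = [("root_alias_account", n) for n in sorted(aliases)]
    for line in lines:
        alerts += [("rogue_peer", ip) for ip in IPV4.findall(line) if ip in ROGUE_PEERS]
        if m := TENANT_UPLOAD.search(line):  # tenant-list upload: the CVE-2026-20245 trigger path
            alerts.append(("tenant_upload", m.group(1)))
        if (m := SU_CMD.search(line)) and m.group(1) in aliases:  # su into a non-root UID-0 account
            alerts.append(("su_to_root_alias", m.group(1)))
    return alerts

# Constructed sample data (hypothetical log format, not real SD-WAN Manager output).
SAMPLE_LOG = [
    "2026-03-02T10:14:07Z sshd: Accepted password for vmanage-admin from 45.32.38.160 port 51022",
    "2026-03-02T10:16:40Z vshell: admin executed: request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0",
    "2026-03-02T10:20:12Z vshell: admin executed: su troot",
    "2026-03-02T10:25:01Z vshell: admin executed: show running-config",
]
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nadmin:x:1000:1000::/home/admin:/bin/vshell\ntroot:x:0:0::/root:/bin/bash\n"
```

Running scan(SAMPLE_LOG, SAMPLE_PASSWD) reports the extra UID-0 account, the rogue peer, the tenant-list upload and the su into troot; a clean passwd file and unremarkable lines produce no alerts.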
Google SecOps also released detections covering behaviors associated with the threat actor, while Mandiant acknowledged Cisco PSIRT for its collaboration during the coordinated disclosure process.