Attackers have been quietly turning Cisco's network controllers into a launch pad. Researchers at Mandiant say a threat actor exploited a zero-day in Cisco Catalyst SD-WAN Manager, now tracked as CVE-2026-20245, to escalate from a hijacked admin account all the way to root on a service provider's infrastructure. Mandiant detailed the intrusion in a joint report with the Google Threat Intelligence Group (GTIG), and Cisco has shipped fixes.
SD-WAN Manager is the central dashboard that orchestrates an entire software-defined network, the kind of system banks, retailers, healthcare providers, and other distributed organizations use to connect branch offices to cloud services. Compromising it gives an attacker a quiet, high-value vantage point over internal traffic, which is exactly why edge and management appliances keep drawing targeted intrusions. This is the third Cisco Catalyst SD-WAN weakness we have covered in short order, after the mass exploitation of CVE-2026-20127 and the webshell campaign against CVE-2026-20182, both flagged in CISA's known-exploited catalog.
How the attack works
The intrusion unfolded in stages. From late 2025 into 2026, Mandiant saw the actor establish rogue peering connections (the trusted handshake SD-WAN devices use to recognize one another), possibly by abusing the separately disclosed authentication-bypass bugs CVE-2026-20127 and CVE-2026-20182, or by reusing stolen certificate material. Once it had SSH access through the built-in vmanage-admin account, the attacker changed the default admin password, logged into the web interface, exfiltrated the network's configuration, then quietly reverted the password to avoid tipping off administrators.
The new zero-day, CVE-2026-20245, is what turned that access into full control. The bug lives in the controller's command-line tenant-upload feature, which fails to properly filter uploaded files. By uploading a malicious CSV named evil_tenant.csv, the actor appended a hidden root user named troot to the system's /etc/passwd and /etc/shadow files, then switched to it for unrestricted root access. The actor was careful: it backed up the files it would overwrite, deleted every artifact afterward, and even ran a validation script to confirm its tracks were erased.
What is affected and how to fix it
Organizations should patch Cisco Catalyst SD-WAN Manager urgently. Cisco's fixed releases are versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later. Because the attacker scrubbed its activity, patching alone is not enough: collect device logs with the request admin-tech command and hunt for the telltale signs Mandiant published, including SSH logins to vmanage-admin from unexpected IPs, rapid back-to-back admin password changes, the creation of a troot account, and su commands switching to it. Confirmed indicators should be forwarded to Cisco's technical assistance center.
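To make that hunt concrete, the following is an added example (not Mandiant's or Cisco's tooling) that runs the published criteria over constructed syslog-style lines and checks a passwd file for a second UID-0 account. The log layout, program names, sample IPs and the 30-minute window for "back-to-back" password changes are assumptions; real vManage log formats will differ, so adapt the regex before use.

```python
# Hunt for the CVE-2026-20245 follow-on activity described above:
# SSH to vmanage-admin from an untrusted IP, rapid admin password changes,
# su to troot, and a UID-0 account appended to /etc/passwd.
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like layout (not real vManage output).
SAMPLE_LOGS = """\
2026-01-14T02:11:05Z sshd[4121]: Accepted publickey for vmanage-admin from 10.20.0.5 port 51022
2026-01-14T02:13:40Z sshd[4188]: Accepted password for vmanage-admin from 198.51.100.23 port 40110
2026-01-14T02:14:02Z passwd[4201]: password for 'admin' changed by 'vmanage-admin'
2026-01-14T02:26:30Z passwd[4377]: password for 'admin' changed by 'vmanage-admin'
2026-01-14T02:27:11Z su[4390]: (to troot) vmanage-admin on pts/1
"""

LINE_RE = re.compile(r"^(\S+) (\w+)\[\d+\]: (.*)$")

def parse(lines):
    """Yield (timestamp, program, message) tuples, skipping unparseable lines."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1).replace("Z", "+00:00")), m.group(2), m.group(3)

def hunt(logs, trusted_ips, window=timedelta(minutes=30)):
    """Return one (kind, timestamp, detail) finding per matched hunting criterion."""
    findings, pw_changes = [], []
    for ts, prog, msg in parse(logs):
        if prog == "sshd" and "for vmanage-admin from" in msg:
            ip = msg.split(" from ")[1].split()[0]
            if ip not in trusted_ips:
                findings.append(("ssh_untrusted_ip", ts, ip))
        elif prog == "passwd" and "password for 'admin' changed" in msg:
            pw_changes.append(ts)
            # Two admin password changes inside the window: change, act, revert.
            if len(pw_changes) >= 2 and ts - pw_changes[-2] <= window:
                findings.append(("rapid_admin_pw_change", ts, pw_changes[-2]))
        elif prog == "su" and "(to troot)" in msg:
            findings.append(("su_to_troot", ts, msg))
    return findings

def rogue_uid0_accounts(passwd_text):
    """Flag /etc/passwd entries with UID 0 other than root (e.g. an appended troot)."""
    rogue = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue
```

Feed it the output of request admin-tech (after extracting the relevant log files) and the appliance's passwd file; any finding other than an expected administrator's IP warrants the escalation to Cisco TAC described above.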
Selected indicators
Rogue-device IP addresses linked to the activity include 126[.]51[.]108[.]152 (also used to exploit the flaw), 76[.]92[.]245[.]217, 207[.]190[.]37[.]94, 23[.]245[.]7[.]178, and 45[.]32[.]38[.]160. A recovered remnant of the malicious CSV payload carries SHA-256 b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.