VYPR
breach · Published Jun 24, 2026 · 1 source

Mandiant Uncovers Zero-Day CVE-2026-20245 Exploited in Cisco Catalyst SD-WAN Manager Attacks

Mandiant reveals a threat actor exploited CVE-2026-20245, a zero-day privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager, to gain root access after breaching networks via rogue peering connections.

Mandiant has disclosed details of a sophisticated intrusion campaign targeting Cisco Catalyst SD-WAN infrastructure at a service provider, where attackers leveraged a previously unknown privilege escalation vulnerability, CVE-2026-20245, to escalate from a compromised administrative account to full root access on SD-WAN Manager devices.

The flaw resides in the file upload feature of Cisco Catalyst SD-WAN Manager, which does not sufficiently validate the contents of uploaded files. By uploading a crafted CSV file, the attacker was able to trigger privilege escalation and obtain root-level control of the management platform. This zero-day was exploited in early 2026, after initial access had been gained through unauthorized peering connections.

Mandiant observed multiple rogue peering attempts from late 2025 through March 2026, some of which may have exploited two other critical vulnerabilities in Cisco Catalyst SD-WAN controllers: CVE-2026-20127 and CVE-2026-20182. Both of these flaws affect peering authentication and could allow unauthenticated remote attackers to bypass security and obtain administrative privileges. In at least one case, the attacker used stolen certificate material from a prior compromise.

Once inside, the threat actor authenticated via SSH using the vmanage-admin account, changed the default admin account password, and exfiltrated SD-WAN fabric configurations including device lists and templates. The attacker then exploited CVE-2026-20245 to achieve root access. Throughout the operation, the actor employed anti-forensic techniques—deleting malicious files, reverting configuration changes, and running validation scripts to ensure indicators of compromise were purged.
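As an added illustration, not code from Mandiant's report or the Vypr brief, the following Python correlates the chain above on a per-host basis over a constructed key=value log format: a successful vmanage-admin SSH login, an admin password change, a fabric configuration export, a CSV upload, and deletion of that same uploaded file. The event and field names are assumptions for the example, not Cisco's logging schema.

```python
import re
from datetime import datetime, timedelta

# Constructed key=value log format: not Cisco's SD-WAN Manager format, field names hypothetical.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Chain stages in observed order; each predicate sees the record and per-host state (uploaded names).
STAGES = [
    ("admin_ssh", lambda r, s: r["event"] == "ssh_login" and r.get("user") == "vmanage-admin"
                               and r.get("result") == "success"),
    ("passwd_change", lambda r, s: r["event"] == "passwd_change" and r.get("user") == "admin"),
    ("config_export", lambda r, s: r["event"] == "config_export"),
    ("csv_upload", lambda r, s: r["event"] == "file_upload" and r.get("name", "").endswith(".csv")),
    ("cleanup", lambda r, s: r["event"] == "file_delete" and r.get("name") in s["uploads"]),
]

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))  # remaining key=value pairs (user, name, result, ...)
    return rec

def correlate(lines, window_minutes=360):
    """Match the chain as an ordered subsequence per host within the window; flag hosts whose
    privileged SSH session reached the CSV upload step."""
    window, by_host = timedelta(minutes=window_minutes), {}
    for rec in sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"]):
        st = by_host.setdefault(rec["host"], {"uploads": set(), "stages": [], "first": None})
        if rec["event"] == "file_upload" and "name" in rec:
            st["uploads"].add(rec["name"])
        nxt = len(st["stages"])
        if nxt < len(STAGES) and STAGES[nxt][1](rec, st):
            st["first"] = st["first"] or rec["ts"]
            if rec["ts"] - st["first"] <= window:   # stages outside the window do not count
                st["stages"].append(STAGES[nxt][0])
    return {h: {"stages": s["stages"], "suspicious": {"admin_ssh", "csv_upload"} <= set(s["stages"])}
            for h, s in by_host.items()}

SAMPLE_LOGS = [  # constructed sample events, not real telemetry
    "2026-03-02T01:12:30Z host=vmanage01 event=ssh_login user=vmanage-admin src=198.51.100.7 result=success",
    "2026-03-02T01:15:02Z host=vmanage01 event=passwd_change user=admin actor=vmanage-admin",
    "2026-03-02T01:20:45Z host=vmanage01 event=config_export scope=fabric actor=vmanage-admin",
    "2026-03-02T01:30:11Z host=vmanage01 event=file_upload name=devices.csv actor=vmanage-admin",
    "2026-03-02T01:31:05Z host=vmanage01 event=file_delete name=devices.csv actor=vmanage-admin",
    "2026-03-02T09:00:00Z host=vmanage02 event=ssh_login user=netops result=success",
    "2026-03-02T09:05:00Z host=vmanage02 event=file_upload name=sites.csv actor=netops",
]
```

The second host shows why the sequence matters: a routine CSV upload by an ordinary operator, with no privileged SSH login before it, is not flagged.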

Cisco has since released patches for CVE-2026-20245, as well as for CVE-2026-20127 and CVE-2026-20182. Customers are urged to update their Catalyst SD-WAN Manager and controller software immediately. CISA has not yet added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog, but given active exploitation in the wild, organizations should prioritize patching.

The campaign underscores the growing appeal of SD-WAN infrastructure as a target for advanced threat actors. Because SD-WAN centralizes control of distributed networks, compromising the manager can give attackers visibility and control over traffic across hundreds or thousands of remote sites. The use of stolen certificates, password manipulation, and anti-forensic cleanup indicates a well-resourced and operationally disciplined adversary.

Mandiant noted that while the same threat actor may not be responsible for all observed rogue peering activity, the intrusion chain demonstrates a clear pattern: compromise the SD-WAN fabric through weak peering authentication, escalate privileges via the manager, then cover tracks to maintain persistent access. The full technical analysis is available on Mandiant's blog.

Synthesized by Vypr AI