Cisco SD-WAN Zero-Day Exploited to Gain Root Access, Mandiant Warns


Hackers exploited a zero-day flaw in Cisco Catalyst SD-WAN Manager to move from administrative access to root-level control, according to a new Mandiant investigation. The vulnerability is tracked as CVE-2026-20245 and affects the SD-WAN control plane, which manages how distributed enterprise networks connect and route traffic.

The issue has a CVSS score of 7.8 and sits in the command-line interface of Cisco Catalyst SD-WAN control components. The Cisco security advisory says an authenticated local attacker with netadmin privileges can upload a crafted file and execute arbitrary commands as root.

That makes the flaw serious even though it requires prior access. Cisco and Mandiant say the attacker first gained administrative access through rogue peering activity and then used CVE-2026-20245 to fully control the management plane.

What happened in the Cisco SD-WAN attack

Mandiant says it identified the intrusion in early 2026 while investigating attacks against SD-WAN infrastructure at a service provider. The attacker established unauthorized peering connections, authenticated through SSH, changed an admin password, accessed the SD-WAN Manager web interface, and downloaded configuration data.

The stolen data included device templates and running configurations. Those files can give attackers a detailed view of the SD-WAN environment, including how branch sites, controllers, and edge devices operate.

The attacker then changed the password back to its original value. This step likely aimed to avoid raising suspicion during normal administrator activity, according to the Google Cloud threat intelligence report.

Vulnerability  | Product area                              | Risk                                               | Attack requirement
CVE-2026-20245 | Cisco Catalyst SD-WAN control components  | Command execution as root                          | Netadmin privileges or prior compromise
CVE-2026-20127 | SD-WAN peering authentication             | Administrative access through authentication bypass | Unauthenticated remote access
CVE-2026-20182 | SD-WAN peering authentication             | Administrative access through authentication bypass | Unauthenticated remote access

How CVE-2026-20245 gives attackers root access

The vulnerability exists because the affected software does not properly validate user-supplied input before processing a crafted file. The NVD entry for CVE-2026-20245 describes it as a command injection issue that can let an attacker elevate privileges to the root user.

In the observed case, the attacker uploaded a malicious CSV file named evil_tenant.csv through a tenant upload command. The payload modified the system’s passwd and shadow files and created a new root-level user account named troot.

After creating that account, the attacker used the su command to switch from the admin account to troot. That gave the attacker root-level access to the SD-WAN control component.

  • The attacker needed administrative access before exploiting the flaw.
  • The malicious file upload triggered command execution.
  • The payload created a root-level account.
  • The attacker used anti-forensic cleanup to remove traces.
  • Cisco says exploitation can also lead to configuration changes pushed to edge devices.

Rogue peering and earlier Cisco flaws may have enabled access

Mandiant observed unauthorized peering connections from late 2025 through January 2026. The company said those connections may have involved CVE-2026-20127 or CVE-2026-20182, two critical Cisco SD-WAN authentication bypass vulnerabilities that were not yet disclosed or patched during that earlier window.

Cisco’s remediation workflow says the known paths to the privileges that CVE-2026-20245 requires are CVE-2026-20127, CVE-2026-20182, or valid credentials: the first two are unauthenticated bypasses, while the third needs no vulnerability at all. The same guidance says fixed releases and IOC review reduce known exposure, but they do not remove risk if an attacker already holds valid credentials.

The March 2026 activity may have used stolen certificate material from an earlier compromise, according to Mandiant. That detail matters because it shows how SD-WAN intrusions can continue even after one vulnerability gets patched, especially if attackers already stole trusted material.

Fixed Cisco SD-WAN versions are now available

Cisco has released fixed software for affected release trains. The company says organizations should collect admin-tech files from control components before upgrading, open a Cisco TAC case, and let TAC assess potential indicators of compromise.

The fixed versions listed in the Cisco remediation guide include 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. Cisco says no workarounds are available, so upgrading remains the main remediation path.

The official Cisco advisory also states that the flaw affects the Cisco Catalyst SD-WAN Controller, Manager, and Validator control components. That broad scope means administrators should not check only the Manager (formerly vManage) and should review all control-plane systems, including the Controller (formerly vSmart) and the Validator (formerly vBond).

Current version range        | Fixed version
20.9.9.1 and earlier         | 20.9.9.2
20.12.7.1 and earlier        | 20.12.7.2
20.15.4.4 and earlier        | 20.15.4.5
20.15.5.2 and earlier        | 20.15.5.3
20.16, 20.17, and 20.18.x    | 20.18.3.1
26.1                         | 26.1.1.2
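The table above is easy to misread when a fleet runs several trains at once, so here is an added example (not Cisco's tooling, not from the advisory) that encodes the table and reports which control components still need an upgrade. The hostnames and running versions are constructed. The script follows the table literally: 20.15 versions below 20.15.5 are treated as "20.15.4.4 and earlier", 20.16 and 20.17 map to 20.18.3.1, and any train the table does not list is reported as unknown rather than assumed safe, because the table does not say anything about it.

```python
from typing import Optional

# First fixed release per train, as read from the table above. The 20.15 train is
# split into 20.15.4.x and 20.15.5.x, and 20.16/20.17/20.18 all move to 20.18.3.1.
# Versions in 20.15 below 20.15.5 are read as "20.15.4.4 and earlier". Trains that
# the table does not list (for example 20.10 or 20.13) are reported as unknown rather
# than assumed safe; that is a question for the Cisco advisory, not this script.
FIXED_RELEASES = [
    ((20, 9), "20.9.9.2"),
    ((20, 12), "20.12.7.2"),
    ((20, 15, 5), "20.15.5.3"),   # must precede the broader (20, 15) entry
    ((20, 15), "20.15.4.5"),
    ((20, 16), "20.18.3.1"),
    ((20, 17), "20.18.3.1"),
    ((20, 18), "20.18.3.1"),
    ((26, 1), "26.1.1.2"),
]


def parse_version(version: str) -> tuple:
    """'20.12.7.1' -> (20, 12, 7, 1); plain integer comparison then orders releases."""
    return tuple(int(part) for part in version.strip().split("."))


def fixed_target(version: str) -> Optional[str]:
    """Return the first fixed release for this version's train, or None if not in the table."""
    v = parse_version(version)
    for prefix, fixed in FIXED_RELEASES:
        if v[: len(prefix)] == prefix:
            return fixed
    return None


def is_fixed(version: str) -> Optional[bool]:
    """True if at/after the fixed release, False if behind it, None if the train is unknown."""
    target = fixed_target(version)
    if target is None:
        return None
    v, f = parse_version(version), parse_version(target)
    width = max(len(v), len(f))  # pad short strings like "26.1" with zeros before comparing
    return v + (0,) * (width - len(v)) >= f + (0,) * (width - len(f))


def plan_upgrades(inventory: dict) -> list:
    """Map {hostname: running version} to (host, version, action) rows that need attention."""
    rows = []
    for host, version in sorted(inventory.items()):
        state = is_fixed(version)
        if state is None:
            rows.append((host, version, "train not in table: check advisory"))
        elif not state:
            rows.append((host, version, f"upgrade to {fixed_target(version)}"))
    return rows


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = {
    "manager-1": "20.12.7.1",
    "controller-1": "20.15.5.3",
    "validator-1": "20.17.1",
    "controller-2": "20.14.2",
}

if __name__ == "__main__":
    for row in plan_upgrades(SAMPLE_INVENTORY):
        print(*row)
```

Feed it the versions reported by each Manager, Controller, and Validator rather than just the Manager, since the advisory covers all three; a host on an unlisted train is a prompt to read the advisory, not a clean bill of health.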

Signs of compromise administrators should check

Administrators should look for suspicious file upload commands, unexpected SSH access, unauthorized peering events, password changes that were quickly reverted, and evidence of unexpected root-level accounts. The CVE record also notes that Cisco has observed limited cases where exploitation led to configuration changes being pushed to edge devices.

Mandiant reported several network indicators linked to rogue device activity, including 126.51.108[.]152, 76.92.245[.]217, 207.190.37[.]94, 23.245.7[.]178, 153.186.231[.]233, 167.179.79[.]189, 45.32.38[.]160, and 209.137.225[.]101.

Security teams should treat those indicators as starting points, not final proof of compromise. Shared infrastructure, log retention limits, and normal administrative activity can complicate investigations, so Cisco recommends TAC review when suspicious entries appear.

  • Collect admin-tech logs from vManage, vSmart, and vBond before making changes.
  • Review /var/log/scripts.log for unusual tenant upload activity.
  • Check /var/log/auth.log for unexpected SSH logins as vmanage-admin or admin.
  • Look for admin password changes that occur close together.
  • Search for unexpected su activity to accounts such as troot.
  • Review edge device configuration for unauthorized changes.
  • Rotate credentials and secrets stored in SD-WAN configurations after suspected compromise.
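The checklist above becomes more useful once it is turned into something that can be run over the collected logs. The following is an added example (not from Cisco, Mandiant, or the page) that triages auth.log and scripts.log lines for four of the indicators: SSH logins from the reported network indicators, su to an unexpected account such as troot, two password changes for the same user close together (the change-then-revert pattern), and tenant CSV uploads. The SSH, su, and passwd patterns follow standard OpenSSH and pam_unix message shapes, which are assumed to be what the appliance writes; the scripts.log pattern is an assumption about how a tenant upload is logged, and should be adjusted against a known-good sample from a real device. All log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Network indicators from the Mandiant report, copied as printed (defanged) above.
DEFANGED_IOCS = [
    "126.51.108[.]152", "76.92.245[.]217", "207.190.37[.]94", "23.245.7[.]178",
    "153.186.231[.]233", "167.179.79[.]189", "45.32.38[.]160", "209.137.225[.]101",
]


def refang(ip: str) -> str:
    """Turn '1.2.3[.]4' back into '1.2.3.4' so it can be compared with log fields."""
    return ip.replace("[.]", ".")


IOC_SET = {refang(ip) for ip in DEFANGED_IOCS}

# Syslog-style timestamp without a year, as in a typical auth.log.
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# Standard OpenSSH / pam_unix / su message shapes (assumed to be what the appliance logs).
SSH_RE = re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SU_RE = re.compile(SYSLOG_TS + r" \S+ su\[\d+\]: \(to (?P<target>\S+)\) (?P<user>\S+) on")
PASSWD_RE = re.compile(SYSLOG_TS + r" \S+ passwd\[\d+\]: .*password changed for (?P<user>\S+)")
# Assumed shape of a tenant-upload entry in scripts.log; Cisco's real format may differ,
# so treat this pattern as a starting point to adjust against a known-good sample.
UPLOAD_RE = re.compile(SYSLOG_TS + r" .*tenant.*upload.*?(?P<file>[\w./-]+\.csv)", re.IGNORECASE)


def parse_ts(ts: str, year: int = 2026) -> datetime:
    """auth.log timestamps carry no year; one is assumed so intervals can be computed."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def triage(auth_lines, script_lines, expected_su_targets=(),
           revert_window=timedelta(hours=2)):
    """Return (kind, subject, detail) findings for the indicators in the checklist.

    expected_su_targets lists accounts your administrators legitimately su to; by default
    every su is reported so nothing is silently accepted.
    """
    findings = []
    passwd_changes = {}
    for line in auth_lines:
        if m := SSH_RE.search(line):
            if m["ip"] in IOC_SET:
                findings.append(("ioc_ssh_login", m["user"], m["ip"]))
        elif m := SU_RE.search(line):
            if m["target"] not in expected_su_targets:
                findings.append(("unexpected_su", m["user"], m["target"]))
        elif m := PASSWD_RE.search(line):
            passwd_changes.setdefault(m["user"], []).append(parse_ts(m["ts"]))
    # A password change followed by another one shortly after is the change-then-revert
    # pattern described in the report; only the timing is visible in the log.
    for user, times in passwd_changes.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= revert_window:
                minutes = int((later - earlier).total_seconds() // 60)
                findings.append(("password_change_pair", user, f"{minutes}m"))
    for line in script_lines:
        if m := UPLOAD_RE.search(line):
            findings.append(("tenant_csv_upload", m["file"], m["ts"]))
    return findings


# Constructed sample lines (not from a real device) that exercise every check once.
SAMPLE_AUTH = [
    "Jan 14 02:11:07 vmanage sshd[4120]: Accepted password for admin from 45.32.38.160 port 50412 ssh2",
    "Jan 14 02:13:40 vmanage passwd[4187]: pam_unix(passwd:chauthtok): password changed for admin",
    "Jan 14 02:40:02 vmanage passwd[4390]: pam_unix(passwd:chauthtok): password changed for admin",
    "Jan 14 02:52:19 vmanage su[4501]: (to troot) admin on pts/1",
    "Jan 14 09:00:31 vmanage sshd[5002]: Accepted publickey for netops from 10.20.30.40 port 51022 ssh2",
]
SAMPLE_SCRIPTS = [
    "Jan 14 02:45:55 vmanage scripts: tenant upload requested file=/home/admin/evil_tenant.csv",
]

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_AUTH, SAMPLE_SCRIPTS):
        print(f"{kind:22} {subject:30} {detail}")
```

Run it over the admin-tech copies of the logs, not the live files, so the evidence is preserved. As the article notes, a hit is a reason to open a TAC case and look further, not proof of compromise on its own: a legitimate admin who mistyped a password change will also trigger the password-pair check, and an internal source address in the IOC list is not a match.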

Why this attack matters

This campaign shows why SD-WAN managers and controllers need the same security priority as domain controllers, identity systems, and cloud management consoles. A compromised SD-WAN control plane can give attackers deep visibility into enterprise connectivity and may let them push changes across distributed networks.

It also highlights a broader shift in attacker behavior. Instead of only targeting laptops and servers, advanced groups increasingly attack edge and network appliances because those systems often produce limited forensic telemetry and sit at critical points in the enterprise environment.

For organizations that run Cisco Catalyst SD-WAN, the immediate priority is clear. Upgrade to fixed releases, preserve logs before remediation, engage Cisco TAC if indicators appear, and review the entire control plane for signs of unauthorized access.

FAQ

What is CVE-2026-20245?

CVE-2026-20245 is a Cisco Catalyst SD-WAN vulnerability that can let an authenticated attacker with netadmin privileges upload a crafted file and execute commands as root on affected SD-WAN control components.

Is CVE-2026-20245 being exploited?

Yes. Mandiant reported exploitation in an intrusion against SD-WAN infrastructure, and Cisco has acknowledged limited cases where exploitation resulted in configuration changes being pushed to edge devices.

Which Cisco SD-WAN products are affected?

Cisco says the vulnerability affects Catalyst SD-WAN control components, including Cisco Catalyst SD-WAN Controller, Manager, and Validator, formerly known as vSmart, vManage, and vBond.

How can organizations fix CVE-2026-20245?

Organizations should upgrade to Cisco’s fixed SD-WAN software releases, collect admin-tech files before making changes, open a Cisco TAC case for assessment, and review logs for indicators of compromise.

Is there a workaround for the Cisco SD-WAN flaw?

Cisco says no workaround is available for the advisory. The recommended response is to upgrade to a fixed release and follow Cisco TAC guidance if suspicious activity or indicators of compromise are found.
