Cisco SD-WAN Zero-Day Exploited Months Before Disclosure, Mandiant Reveals
Mandiant reports that a Cisco SD-WAN zero-day (CVE-2026-20245) was exploited in early 2026, months before Cisco disclosed it. Attackers used an unauthorized peering connection to gain admin access, then exploited the flaw to create a rogue root account, potentially gaining full network visibility.
Cisco faces renewed scrutiny as Mandiant reveals that a zero-day vulnerability in its Catalyst SD-WAN software, tracked as CVE-2026-20245, was exploited months before the vendor disclosed it in June 2026. The attacks targeted a communications service provider, with the threat actor using an unauthorized peering connection to gain initial access and then escalating privileges to root level.
Mandiant's report, published Wednesday, details how the attacker first established an unauthorized peering connection to the victim's SD-WAN fabric. This allowed them to authenticate to the SD-WAN manager device via SSH using the vmanage-admin account. After changing the default password, they accessed the web interface, exfiltrated fabric configurations, and then restored the original password to avoid detection. However, neither the vmanage-admin nor the admin accounts have root shell access, so the attacker exploited CVE-2026-20245 to achieve full root privileges.
Exploitation Chain and Root Access
The zero-day vulnerability, which allows an authenticated local attacker to execute arbitrary commands as root, was triggered by uploading a crafted file named evil_tenant.csv. Once the file was processed, the attacker created a new user account called 'troot' with full root privileges. Mandiant observed the intruder later switching into this account from the admin account with the su (substitute user) command. The full scope of post-compromise activity remains unknown, but the potential for total visibility into the service provider's network traffic is significant.
- CVE-2026-20245 is a privilege escalation flaw in Cisco Catalyst SD-WAN controllers.
- Exploitation began in early 2026, months before Cisco's June advisory.
- The attacker used an unauthorized peering connection to gain initial access.
- A crafted CSV file was used to trigger the vulnerability and create a rogue root account.
- This is the sixth SD-WAN vulnerability Cisco has reported as under attack in 2026.
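As an added illustration, not code from Mandiant's report or from Cisco, the following Python sketch scans constructed log lines for the three post-exploitation behaviours described above: creation of a UID-0 account other than root, an su into that account, and a change-then-restore of the vmanage-admin password. The log format, the sample account names and the 24-hour window are assumptions; the real vManage log format is not given on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on Linux auth logs. The real
# vManage log format is an assumption here; adapt the regexes to your source.
SAMPLE_LOGS = [
    "2026-03-02T01:10:07 sshd: Accepted password for vmanage-admin from 203.0.113.9",
    "2026-03-02T01:11:30 passwd: password changed for vmanage-admin",
    "2026-03-02T01:40:12 passwd: password changed for vmanage-admin",
    "2026-03-02T02:05:44 useradd: new user: name=troot, UID=0, GID=0, home=/root",
    "2026-03-02T02:06:01 su: (to troot) admin on pts/1",
    "2026-03-02T03:00:00 useradd: new user: name=netops, UID=1005, GID=1005, home=/home/netops",
]

NEW_USER = re.compile(r"useradd: new user: name=(\S+), UID=(\d+)")
SU_LINE = re.compile(r"su: \(to (\S+)\) (\S+) on")
PASSWD_CHANGE = re.compile(r"^(\S+) passwd: password changed for (\S+)")

def find_indicators(lines, window=timedelta(hours=24)):
    """Return (indicator, detail) tuples for the three behaviours described above."""
    hits, uid0_accounts, pw_changes = [], set(), defaultdict(list)
    for line in lines:
        m = NEW_USER.search(line)
        if m and m.group(2) == "0" and m.group(1) != "root":
            # A freshly created UID-0 account other than root is a rogue root account.
            uid0_accounts.add(m.group(1))
            hits.append(("rogue_uid0_account", m.group(1)))
        m = SU_LINE.search(line)
        if m and m.group(1) in uid0_accounts:
            # Switching into that account mirrors the observed su step from admin.
            hits.append(("su_to_rogue_root", f"{m.group(2)}->{m.group(1)}"))
        m = PASSWD_CHANGE.match(line)
        if m:
            pw_changes[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    # Two password changes on the built-in account inside the window look like
    # the change-then-restore pattern used to avoid detection.
    for user, stamps in pw_changes.items():
        if user == "vmanage-admin" and len(stamps) >= 2 and stamps[-1] - stamps[0] <= window:
            hits.append(("password_change_and_restore", user))
    return hits

if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_LOGS):
        print(indicator, detail)
```

The ordinary account created at the end of the sample (UID 1005) is deliberately not flagged, so the rule keys on UID 0 rather than on any new user.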
Broader Implications for SD-WAN Security
The incident underscores the high value attackers place on SD-WAN devices, which can provide visibility into an entire organization's internet traffic. Government-sponsored espionage groups are particularly interested in these systems for long-term surveillance. The early exploitation of CVE-2026-20245, before a patch was available, highlights the challenge of defending against zero-days in widely deployed network infrastructure. Cisco has issued a security advisory for the flaw, but the damage may already be done for affected organizations.
In a separate but related development, Cisco also patched CVE-2026-20230, a server-side request forgery bug in its Unified Communications Manager, which is now being actively exploited in the wild. Threat intelligence firm Defused observed attackers chaining the SSRF with a rogue Apache Axis service to deploy a two-stage web shell. The cumulative pressure on Cisco's security team is mounting as attackers continue to probe for weaknesses in the company's vast product portfolio.