The CVE-2026-20245 (CVSS 7.8) vulnerability in Cisco Catalyst SD-WAN was exploited by an unknown attacker at least two months before its public disclosure, reports Mandiant (a Google Cloud division). The target of the attack was a telecommunications provider: the attacker escalated the privileges of a compromised administrator account to full root-level access while using advanced anti-forensics techniques to hide their traces. Organizations using Cisco Catalyst SD-WAN must immediately verify that patches are in place and audit their systems for signs of compromise.
Technical anatomy of the vulnerability
CVE-2026-20245 is a local arbitrary command execution vulnerability with elevated privileges. According to the researchers, the root cause is insufficient validation of user-supplied input: an authenticated attacker with netadmin-level privileges can upload a specially crafted file, leading to command execution with elevated rights. Cisco has confirmed the exploitation of this vulnerability.
In addition to CVE-2026-20245, the investigation uncovered two more authentication bypass vulnerabilities in Cisco Catalyst SD-WAN controllers — CVE-2026-20127 and CVE-2026-20182 — which at the time of the first attack wave were also undisclosed zero-day vulnerabilities.
Timeline and attack chain
Mandiant recorded two distinct periods of unauthorized activity. Any link between them and whether they are attributable to the same actor has not yet been established.
First wave: late 2025 — January 2026
During the first period of activity, the victim encountered unauthorized peering connections. According to Mandiant's assessment, initial access was most likely obtained through one of the two authentication bypass vulnerabilities, CVE-2026-20127 or CVE-2026-20182. Both were unknown to the public at that time.
Second wave: March 2026
The second wave of attacks targeted a device running a newer software version that already included the patch for CVE-2026-20127. Cisco confirmed that these connections did not rely on CVE-2026-20182, leaving the initial access vector an open question.
It was in this second wave that CVE-2026-20245 was used as a zero-day vulnerability. The attack chain unfolded as follows:
- The attacker changed the default administrator credentials
- Uploaded a malicious CSV file (evil_tenant.csv) exploiting CVE-2026-20245
- Escalated privileges and created a hidden troot account with full root access to the command shell
- Exfiltrated the SD-WAN fabric configuration
- Reverted the administrator password to its original value so that the legitimate administrator would not notice the changes
Anti-forensics as a key characteristic
A distinctive feature of this campaign was a consistent and methodical approach to erasing evidence. According to Mandiant researchers Chester Sng, Pete Bunyakarn and Logeswaran Nadarajan, throughout the intrusion the attacker deliberately deleted and restored modified system configuration files.
Specific actions taken to conceal activity included:
- Deleting all files created during the attack
- Rolling back configuration changes to their original state
- Running validation scripts to confirm the absence of indicators of compromise
- Resetting the administrator password to its initial value after data exfiltration
This level of operational security significantly limits defenders’ ability to assess the full scope of the compromise and points to a highly skilled attacker.
Strategic context: edge devices as a blind spot
Google emphasized that this incident reflects a persistent trend: attackers are deliberately choosing edge network devices — such as SD-WAN controllers — as footholds. The reasons are obvious: these systems typically do not support EDR-class solutions, provide limited telemetry for in-depth forensic analysis, and at the same time offer visibility into internal traffic across the entire network fabric.
As noted by Charles Carmakal, CTO of Mandiant Consulting, advanced attackers continue to focus primarily on network devices and other systems that do not natively support endpoint detection and response capabilities.
For telecommunications providers, compromise of SD-WAN infrastructure represents a critical threat: once an attacker gains control over the fabric controller, they potentially obtain access to routing and visibility into traffic between all of the organization’s sites.
Response recommendations
- Immediately apply patches for CVE-2026-20245, CVE-2026-20127 and CVE-2026-20182 on all affected Cisco Catalyst SD-WAN devices
- Review accounts on SD-WAN devices: the presence of a troot account or other non-standard entries in /etc/passwd is a direct indicator of compromise
- Audit peering connections — unauthorized peering connections to SD-WAN controllers may indicate exploitation of authentication bypass vulnerabilities
- Analyze file upload logs for CSV files with unusual names (in particular, evil_tenant.csv)
- Rotate all credentials for SD-WAN administrators, including certificates, especially if devices were accessible from the internet
- Implement additional monitoring for edge network devices: collect and centrally store logs, monitor the integrity of configuration files, and track changes to system accounts
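The account review, upload-log analysis and configuration integrity checks listed above can be scripted against copies of the device's /etc/passwd, upload logs and configuration files. The following Python example was written for this article; it is not Mandiant's or Cisco's tooling. The passwd content, the log lines and their key=value format, the account baseline and the configuration hashes are all constructed here and stand in for data a defender would export from a real controller. Only the troot account name and the evil_tenant.csv filename come from the report.

```python
import hashlib
import re

# --- constructed sample inputs (not data from the incident) -----------------

# Minimal /etc/passwd with a troot entry added, mirroring the hidden root-level
# account the report describes. The other lines are generic placeholders.
CLEAN_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
"""
SAMPLE_PASSWD = CLEAN_PASSWD + "troot:x:0:0::/root:/bin/bash\n"

# Accounts expected on the device. Hypothetical baseline; in practice take it
# from a known-good image or a pre-incident backup.
BASELINE_ACCOUNTS = {"root", "daemon", "admin"}

# Upload log lines in an assumed key=value format (not Cisco's real format).
SAMPLE_UPLOAD_LOG = """2026-03-02T10:14:07Z user=admin action=upload file=tenant_list.csv
2026-03-02T10:19:33Z user=admin action=upload file=evil_tenant.csv
2026-03-02T10:20:01Z user=admin action=login
2026-03-03T08:02:11Z user=admin action=upload file=site_routes.csv
"""

# Filename the report names as an indicator.
PUBLISHED_INDICATOR_FILES = {"evil_tenant.csv"}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
    r"(?:\s+file=(?P<file>\S+))?$"
)


def sha256_text(text):
    """SHA-256 hex digest of a text blob (used for configuration baselines)."""
    return hashlib.sha256(text.encode()).hexdigest()


# Known-good hashes of configuration files. Hypothetical baseline computed
# from the constructed clean content; a real one is stored off-box so the
# attacker cannot roll it back together with the files it covers.
BASELINE_HASHES = {"/etc/passwd": sha256_text(CLEAN_PASSWD)}


def suspicious_accounts(passwd_text, baseline):
    """Return (name, reason) pairs for accounts that warrant investigation."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed passwd entry"))
            continue
        name, _, uid, _, _, _, _ = fields
        if name not in baseline:
            findings.append((name, "account not in baseline"))
        if uid == "0" and name != "root":
            findings.append((name, "non-root account with UID 0"))
    return findings


def csv_uploads(log_text, indicator_files):
    """Return (ts, user, file, flagged) for every CSV upload in the log.

    Every CSV upload is listed so an analyst can review unusual names;
    flagged is True when the name matches a published indicator.
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("action") != "upload":
            continue
        name = m.group("file")
        if not name or not name.lower().endswith(".csv"):
            continue
        events.append((m.group("ts"), m.group("user"), name, name in indicator_files))
    return events


def config_drift(baseline_hashes, current_contents):
    """Return paths whose current content hash differs from the stored baseline."""
    return sorted(
        path for path, digest in baseline_hashes.items()
        if sha256_text(current_contents.get(path, "")) != digest
    )


if __name__ == "__main__":
    for name, reason in suspicious_accounts(SAMPLE_PASSWD, BASELINE_ACCOUNTS):
        print(f"account {name}: {reason}")
    for ts, user, name, flagged in csv_uploads(SAMPLE_UPLOAD_LOG, PUBLISHED_INDICATOR_FILES):
        print(f"{ts} {user} uploaded {name}" + (" [matches published indicator]" if flagged else ""))
    for path in config_drift(BASELINE_HASHES, {"/etc/passwd": SAMPLE_PASSWD}):
        print(f"config drift: {path}")
```

Because the attacker in this campaign deleted files and rolled configuration back to its original state, checks like these are only useful if the inputs they run on (log copies, baseline hashes) are collected continuously and stored off the device; a comparison performed after the cleanup, against a baseline kept on the same box, will show nothing.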
This incident demonstrates that edge network devices remain a priority target for skilled attackers precisely because of the lack of monitoring and detection capabilities. Organizations operating Cisco Catalyst SD-WAN should not only apply the available patches for the three specified CVEs, but also conduct a retrospective review of activity on controllers dating back to late 2025, paying particular attention to account changes, unusual peering connections, and configuration file modifications.