DECEPTION CHECK
Threat Research · Vulnerability

A Zero-Day in the Network's Brain: CVE-2026-20245

Attackers turned a routine file upload on Cisco Catalyst SD-WAN Manager into a hidden root account. Here is how the chain works, why the controller is such a prize, and what our sensors do and do not see.

Deception Check  |  June 2026  |  CVE-2026-20245  |  CVSS 7.8 High  |  cisco-sa-sdwan-privesc-4uxFrdzx
The short version

CVE-2026-20245 is an authenticated privilege-escalation flaw in the command-line interface of Cisco Catalyst SD-WAN Manager, Controller, and Validator. A user who already has admin-level access can upload a crafted file and have the system run it as root. Mandiant caught it being used as a zero-day against a communications service provider, where the attacker chained it into a hidden root account named troot and then carefully erased their tracks. The takeaway is uncomfortable: the box that runs your entire network can be turned against you from an account that was never supposed to have root.

What the vulnerability is

SD-WAN replaces racks of individually configured routers with a central software brain. The Cisco Catalyst SD-WAN Manager (formerly vManage), Controller (vSmart), and Validator (vBond) orchestrate the whole fabric from one place. That central role is exactly what makes them worth attacking, and it is what CVE-2026-20245 undermines.

CVSS 7.8 (High)  |  privilege gained: root  |  zero-day: exploited before the fix

The flaw, classified as CWE-116 (insufficient validation of user-supplied input), lives in a CLI file-upload feature. An authenticated attacker with netadmin privileges supplies a crafted file, and the system fails to filter it, allowing command injection that executes as the root user. Cisco published the advisory on June 4, 2026 and confirmed limited cases where exploitation pushed a configuration change all the way down to edge devices. There are no workarounds. The only fix is to patch.

One important nuance: this is a privilege-escalation bug, not a remote-code-execution-from-nowhere bug. The attacker needs valid netadmin credentials first, which they can get with stolen credentials or by chaining two companion authentication-bypass flaws in the same platform, CVE-2026-20127 and CVE-2026-20182. That is what makes the credential-abuse pressure we measure every day so relevant.

How the real attack unfolded

Mandiant's account of the intrusion is a clean, almost surgical chain. It is worth reading as a sequence, because each step is designed to leave as little trace as possible.

Figure: CVE-2026-20245 attack chain. The CVE-2026-20245 kill chain, from rogue peering to a hidden root account and cleanup.

The attacker established rogue peering connections to the SD-WAN Manager, likely using either the companion auth-bypass flaws or stolen certificate material, then logged in over SSH using the default vmanage-admin account. From there they changed the password of the admin account, logged into the web interface, and exfiltrated the configurations of the entire SD-WAN fabric, before quietly setting the admin password back to its original value so a real administrator would not notice. Then came the privilege escalation. Logged in over SSH as admin, they ran:

request tenant-upload tenant-list /home/admin/evil_tenant.csv

The crafted CSV contained a shell payload that appended a new account, troot, with user ID 0 (full root) directly into /etc/passwd and /etc/shadow, after backing up the originals. The attacker then simply ran su troot to drop into a root shell. Finally, they deleted every file they had created, restored the configurations they had touched, and executed a validation script that checks whether each indicator, the CSV, the backups, and the troot account, had been cleaned up. This is anti-forensics built into the playbook itself.
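The persistence step described above leaves one fingerprint that survives even a careful cleanup attempt: a second uid-0 entry in the account databases, and possibly a mismatch between /etc/passwd and /etc/shadow. The following audit is an added example written for this post, not code from Deception Check, Cisco, or Mandiant. It parses passwd- and shadow-format text, flags any uid-0 account that is not root, duplicate usernames, and orphaned shadow entries, and checks a list of host paths for the artifact quoted in the report. The file contents and hashes below are constructed for the demo.

```python
"""Audit passwd/shadow content for a hidden root-equivalent account.

Added example (editor's code, not the post's or any vendor's). Hidden-root
persistence of the kind described above always leaves a second uid-0 entry
in the account databases; this check flags that, plus name mismatches
between passwd and shadow, duplicate usernames, and the artifact path named
in the report. The sample file contents are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed sample: a normal passwd with the hidden uid-0 account appended.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed sample shadow; hashes are placeholders, not real credentials.
SAMPLE_SHADOW = """root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
admin:$6$placeholder$hash:19000:0:99999:7:::
troot:$6$placeholder$hash:19000:0:99999:7:::
"""

# Artifact path quoted in the report. The attacker deleted it, so absence
# proves nothing; presence is a strong signal.
KNOWN_ARTIFACTS = {"/home/admin/evil_tenant.csv"}


@dataclass
class AuditResult:
    extra_uid0: list = field(default_factory=list)      # uid 0 but not named root
    duplicate_names: list = field(default_factory=list)
    shadow_only: list = field(default_factory=list)     # in shadow, missing from passwd
    passwd_only: list = field(default_factory=list)     # in passwd, missing from shadow

    @property
    def suspicious(self) -> bool:
        return bool(self.extra_uid0 or self.duplicate_names or self.shadow_only)


def parse_passwd(text: str) -> list[tuple[str, int]]:
    """Return (username, uid) pairs; malformed lines are skipped, not trusted."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        try:
            entries.append((fields[0], int(fields[2])))
        except ValueError:
            continue
    return entries


def shadow_names(text: str) -> list[str]:
    """Usernames from shadow-format text (first colon-separated field)."""
    return [line.split(":")[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text: str, shadow_text: str) -> AuditResult:
    """Cross-check passwd against shadow and flag root-equivalent accounts."""
    result = AuditResult()
    entries = parse_passwd(passwd_text)
    seen: set = set()
    for name, _ in entries:
        if name in seen and name not in result.duplicate_names:
            result.duplicate_names.append(name)
        seen.add(name)
    result.extra_uid0 = [name for name, uid in entries if uid == 0 and name != "root"]
    shadow = set(shadow_names(shadow_text))
    result.shadow_only = sorted(shadow - seen)
    result.passwd_only = sorted(seen - shadow)
    return result


def leftover_artifacts(existing_paths) -> list[str]:
    """Return the known artifact paths that are present among existing_paths."""
    return sorted(p for p in existing_paths if p in KNOWN_ARTIFACTS)


if __name__ == "__main__":
    # Runs against the constructed sample; to audit a live host, read
    # /etc/passwd and /etc/shadow (root required for shadow) instead.
    report = audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("extra uid-0 accounts:", report.extra_uid0)
    print("suspicious:", report.suspicious)
```

On a live controller the same functions take the contents of /etc/passwd and /etc/shadow; a clean host yields an empty extra_uid0 list and no orphaned entries. Because the intrusion ended with a cleanup pass, treat a negative result as "no persistence left behind", not as "never compromised".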

Why the controller is the prize

Mandiant calls this "living off the edge." Network appliances like SD-WAN controllers rarely run endpoint detection, rarely produce deep forensic telemetry, and sit at the exact center of an organization's traffic. Compromise one and you can read configurations, reach into the routing of every branch, and push changes to edge devices, all from a platform that is essentially a black box to most defenders. For a well-resourced or state-sponsored actor, a zero-day in that platform is a durable foothold for long-term intelligence collection.

The device that manages your whole network is also the one least likely to tell you when it has been turned against you.

How exposed is this in the wild

The precondition for all of this is reachability. A search of Shodan shows roughly 507 internet-exposed Cisco Catalyst SD-WAN systems, with management and web interfaces (commonly on 8443), SSH, and NETCONF (port 830) reachable from the open internet, concentrated in the United States. Every one of those is a controller that should be behind a management network, not facing the world. Exposure is not compromise, but it is the doorway every step above depends on.

What we see from our sensors

We run a fleet of honeypots, so we went looking for this activity in our own data. We want to be precise about what we found, and what we did not.

We did not see CVE-2026-20245 itself, or SD-WAN-specific targeting: no vmanage-admin logins, no troot account creation, no request tenant-upload, no viptela or vbond strings, and none of the three published Mandiant IOC addresses. That is expected. Our decoys are generic Linux SSH, Telnet, SMB, and HTTP services, not Cisco vManage emulations, so an actor specifically hunting SD-WAN Manager would not find the right surface on our boxes to run the exploit against.

What we do see, constantly, is the credential pressure the campaign rides on. Cisco default and themed credentials are sprayed against our sensors every day.

Figure: Cisco credential pressure. Cisco-themed credential attempts against our SSH honeypots. The on-ramp, not the exploit.

Usernames like cisco and netadmin and passwords like cisco, cisco123, and Cisco@123 show up in combinations such as cisco / cisco, admin / cisco, and root / netadmin, and the same patterns recur in the telnet flood. This is broad, opportunistic credential stuffing that bundles Cisco device defaults into its wordlists. It is exactly the kind of default-credential guessing that hands an attacker the netadmin foothold that CVE-2026-20245 then escalates to root.
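The credential patterns above are easy to measure once login attempts are in a structured log. The classifier below is an added example written for this post, not Deception Check's own pipeline. It reads Cowrie-style JSON events (one per line, using the eventid, username, password and src_ip field names that Cowrie emits), flags attempts that use the Cisco default and themed credentials named above, and summarises them by source address and by username/password pair. The event lines are constructed, with source addresses drawn from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.

```python
"""Classify honeypot login attempts as Cisco-themed credential pressure.

Added example (editor's code, not the post's own tooling). Reads Cowrie-style
JSON events and counts attempts using the Cisco default and themed
credentials quoted in the post. All event lines below are constructed.
"""
import json
from collections import Counter

# Usernames and passwords named in the post, normalised to lower case.
CISCO_USERNAMES = {"cisco", "netadmin"}
CISCO_PASSWORDS = {"cisco", "cisco123", "cisco@123", "netadmin"}
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

# Constructed sample events; the source IPs are documentation-range addresses.
SAMPLE_EVENTS = [
    '{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7"}',
    '{"eventid": "cowrie.login.failed", "username": "cisco", "password": "cisco", "src_ip": "198.51.100.7"}',
    '{"eventid": "cowrie.login.failed", "username": "admin", "password": "cisco", "src_ip": "198.51.100.7"}',
    '{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7"}',
    '{"eventid": "cowrie.login.failed", "username": "root", "password": "netadmin", "src_ip": "203.0.113.9"}',
    '{"eventid": "cowrie.login.failed", "username": "support", "password": "Cisco@123", "src_ip": "203.0.113.9"}',
    '{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry", "src_ip": "203.0.113.9"}',
    '{"eventid": "cowrie.login.success", "username": "admin", "password": "admin", "src_ip": "203.0.113.9"}',
    'not json at all',
]


def is_cisco_themed(username: str, password: str) -> bool:
    """True when either half of the pair is a Cisco default or contains 'cisco'."""
    u, p = username.lower(), password.lower()
    return (u in CISCO_USERNAMES or p in CISCO_PASSWORDS
            or "cisco" in u or "cisco" in p)


def summarize(lines) -> dict:
    """Count login attempts and the Cisco-themed subset, by source and by pair."""
    total = 0
    by_source: Counter = Counter()
    combos: Counter = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        if event.get("eventid") not in LOGIN_EVENTS:
            continue
        total += 1
        user = str(event.get("username", ""))
        pw = str(event.get("password", ""))
        if is_cisco_themed(user, pw):
            by_source[event.get("src_ip", "unknown")] += 1
            combos[f"{user} / {pw}"] += 1
    return {
        "total_attempts": total,
        "cisco_themed": sum(by_source.values()),
        "by_source": dict(by_source),
        "top_combos": combos.most_common(5),
    }


if __name__ == "__main__":
    # For a real Cowrie log: summarize(open("cowrie.json"))
    print(summarize(SAMPLE_EVENTS))
```

The ratio of cisco_themed to total_attempts is the number worth trending: it separates the generic brute-force background from the share of traffic that has Cisco defaults baked into its wordlists.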

The honest framing

We have not caught CVE-2026-20245, and we will not claim we have. What our data corroborates is the precondition: Cisco default credentials are under constant automated attack, and roughly 507 SD-WAN systems sit exposed to receive it. The credential pressure we measure is the on-ramp that a privilege-escalation zero-day turns into root.

What to do

Fixed releases for CVE-2026-20245

20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later.
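Turning that list into a fleet check is mostly a question of comparing versions correctly within a train. The script below is an added example written for this post, not Cisco's or Deception Check's code. The fixed-release list is exactly the one printed above; the comparison rule is this editor's reading of "or later", stated here as an assumption: a version is fixed when it is at or above the fixed release for its own train, trains being keyed on the first two components (20.9, 20.12, and so on). Where one train lists two fixed releases (20.15.4.x and 20.15.5.x) the third component is matched as well, and a release above every listed one counts as later. A version whose train does not appear in the list is reported as not listed rather than as fixed. The inventory line format is constructed.

```python
"""Check running Catalyst SD-WAN versions against the fixed releases above.

Added example (editor's code, not Cisco's). The list is the post's; the
train-matching rule is the editor's assumption about how "or later" applies.
"""

FIXED_RELEASES = ["20.9.9.2", "20.12.7.2", "20.15.4.5",
                  "20.15.5.3", "20.18.3.1", "26.1.1.2"]


def parse_version(text: str) -> tuple:
    """'20.15.4.5' -> (20, 15, 4, 5); tuple ordering gives correct comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not-listed' for one version string."""
    v = parse_version(version)
    candidates = [parse_version(f) for f in FIXED_RELEASES
                  if parse_version(f)[:2] == v[:2]]
    if not candidates:
        return "not-listed"  # train absent from the table: do not assume fixed
    # Prefer the fixed release of the same maintenance train (first three
    # components); otherwise compare against the highest fixed release in the
    # major.minor train, so anything above it counts as "or later".
    same_train = [c for c in candidates if len(v) >= 3 and c[:3] == v[:3]]
    target = same_train[0] if same_train else max(candidates)
    return "fixed" if v >= target else "vulnerable"


def triage_inventory(lines) -> dict:
    """'hostname version' lines (constructed format) -> {hostname: status}."""
    statuses = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        host, version = parts
        try:
            statuses[host] = patch_status(version)
        except ValueError:
            statuses[host] = "unparseable"
    return statuses


if __name__ == "__main__":
    # Constructed inventory; replace with your own 'hostname version' export.
    sample = ["vmanage-1 20.15.4.4", "vmanage-2 20.15.5.3",
              "vsmart-1 20.12.7.2", "vbond-1 20.14.1.0"]
    for host, status in triage_inventory(sample).items():
        print(f"{host:12} {status}")
```

Anything reported as vulnerable or not-listed should be treated as needing an upgrade; there are no workarounds for this advisory, so the version check is the whole control.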

Indicators of compromise

Type                      |  Indicator
Rogue device + exploit IP |  126.51.108.152
Rogue device IP           |  76.92.245.217
Rogue device IP           |  207.190.37.94
Rogue account             |  troot (uid 0 in /etc/passwd and /etc/shadow)
Exploit artifact          |  evil_tenant.csv, request tenant-upload tenant-list
Account abuse             |  vmanage-admin SSH, admin password changed then reverted
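The sweep we ran over our own honeypot data for these indicators (the vmanage-admin logins, the troot account, the tenant-upload command and the three addresses) reduces to a small matcher, shown here as an added example for this post rather than our production query. The indicator values are exactly those in the table; the log lines are constructed. The sshd lines follow the standard OpenSSH auth-log format, while the cli and su lines are an assumed shape for a command audit trail, so the regexes should be adjusted to whatever your controller actually exports.

```python
"""Sweep log lines for the CVE-2026-20245 indicators in the table above.

Added example (editor's code, not Deception Check's, Cisco's or Mandiant's).
Indicator values come from the table; sample log lines are constructed.
"""
import re

IOC_IPS = {"126.51.108.152", "76.92.245.217", "207.190.37.94"}
# Dotted quad that is not embedded in a longer digit/dot run, so
# 126.51.108.1520 does not match 126.51.108.152.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Indicator name -> pattern for the string indicators in the table.
IOC_PATTERNS = {
    "rogue-account": re.compile(r"\btroot\b"),
    "exploit-artifact": re.compile(r"evil_tenant\.csv|request tenant-upload tenant-list"),
    "account-abuse": re.compile(r"\bvmanage-admin\b"),
}

# Constructed sample: sshd lines in OpenSSH auth-log format; the 'cli:' and
# 'su' lines are an assumed audit-trail shape, not a real Cisco log format.
SAMPLE_LOGS = [
    "Jun  3 02:14:05 vmanage sshd[2210]: Accepted password for vmanage-admin from 126.51.108.152 port 51022 ssh2",
    "Jun  3 02:15:40 vmanage sshd[2251]: Accepted password for admin from 126.51.108.152 port 51030 ssh2",
    "Jun  3 02:16:02 vmanage cli: admin ran 'request tenant-upload tenant-list /home/admin/evil_tenant.csv'",
    "Jun  3 02:16:09 vmanage su[2290]: (to troot) admin on pts/1",
    "Jun  3 02:20:11 vmanage sshd[2310]: Accepted password for admin from 10.0.0.5 port 40110 ssh2",
    "Jun  3 03:01:55 vmanage sshd[2401]: Failed password for root from 203.0.113.9 port 44122 ssh2",
    "Jun  3 03:02:00 vmanage sshd[2402]: Failed password for root from 126.51.108.1520 port 44123 ssh2",
]


def sweep(lines) -> list:
    """Return one hit per (line, indicator) as {'line', 'type', 'match'}."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append({"line": number, "type": "ioc-ip", "match": ip})
        for name, pattern in IOC_PATTERNS.items():
            found = pattern.search(line)
            if found:
                hits.append({"line": number, "type": name, "match": found.group(0)})
    return hits


def summarize(hits) -> dict:
    """Hit counts per indicator type."""
    counts: dict = {}
    for hit in hits:
        counts[hit["type"]] = counts.get(hit["type"], 0) + 1
    return counts


if __name__ == "__main__":
    # For a real log: sweep(open("/var/log/auth.log"))
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
    print(summarize(sweep(SAMPLE_LOGS)))
```

Run over our sensor data this returns nothing, which is the "did not see" result reported above; run over a controller's own auth and audit logs it is a first-pass triage, not proof of absence, since the intrusion deliberately removed its files.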
An honest caveat

Our account of the exploitation follows Mandiant's reporting and Cisco's advisory. Our first-party contribution is the credential-pressure and exposure context from our own sensors, not direct capture of this CVE. If we stand up a vManage-flavored decoy, we can convert that from inference into captured sessions, which is a clear next step.