Mandiant has published new details on how attackers exploited a critical Cisco SD-WAN vulnerability — tracked as CVE-2026-20245 — to gain root access on targeted devices in what are believed to be targeted intrusions against service providers.
The flaw is a high-severity command injection in Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond). It lets an attacker with authenticated access execute any command as root simply by uploading a crafted file. When Cisco disclosed it earlier this month, the company warned it had been exploited in the wild but didn’t say how. Now Mandiant has filled in the gaps.
The attack chain started around March 2026 with unauthorized SD-WAN peering connections showing up on a service provider’s infrastructure. Mandiant thinks the threat actor created these rogue peering links, possibly by taking advantage of two other known Cisco bugs — CVE-2026-20127 and CVE-2026-20182 — both authentication bypasses that had been exploited as zero-days since 2023.
Once inside, the attackers changed the default admin password, logged into the SD-WAN Manager web interface, and pulled configurations for edge devices, controllers, and templates. Then they quietly restored the original password — likely to avoid detection.
The actual exploitation of CVE-2026-20245 came through a tenant-upload feature in the SD-WAN command-line interface. The attackers uploaded a malicious CSV file named “evil_tenant.csv.” The payload first backed up critical system files like /etc/passwd and /etc/shadow, then created a new account called “troot” with full root privileges. A simple “su troot” command gave them complete control.
The anti-forensic tactics were thorough. The attackers deleted the uploaded CSV, removed temporary files, erased traces of the rogue account, and even ran a validation script to confirm every trace was gone before disconnecting.
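The two paragraphs above describe a payload that adds a second UID-0 account ("troot") and then scrubs its traces. A defender's first check after reading this is to audit the account databases on the device for privileged accounts that should not exist and for edits that leave passwd and shadow out of step. The script below is an added illustration of that audit; it is not Mandiant's or Cisco's code, and the /etc/passwd and /etc/shadow contents are constructed samples (only the "troot" name comes from the article; the hashes are placeholders).

```python
"""Audit Linux account databases for signs of a rogue UID-0 account.

Added illustration for the article above; not Mandiant's or Cisco's code.
Inputs are constructed samples, not output from a real SD-WAN device.
"""
from typing import Dict, List, Set

# Constructed /etc/passwd content. The "troot" name is the one the article
# reports; the remaining lines are ordinary placeholder accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage:x:1000:1000:vmanage:/home/vmanage:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed /etc/shadow content (hash fields are placeholders, not real).
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
vmanage:$6$PLACEHOLDERHASH:19800:0:99999:7:::
troot:$6$PLACEHOLDERHASH:19800:0:99999:7:::
"""


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) lines into dicts; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({
            "line": lineno, "name": name, "pw": pw,
            "uid": int(uid) if uid.isdigit() else None,
            "gid": int(gid) if gid.isdigit() else None,
            "home": home, "shell": shell, "malformed": False,
        })
    return entries


def shadow_names(text: str) -> Set[str]:
    """Return the set of account names present in shadow(5) content."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}


def audit_accounts(passwd_text: str, shadow_text: str,
                   allowed_root: tuple = ("root",)) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    entries = parse_passwd(passwd_text)
    seen = set()
    for e in entries:
        if e["malformed"]:
            findings.append(f"line {e['line']}: malformed passwd entry")
            continue
        name = e["name"]
        if name in seen:
            findings.append(f"{name}: duplicate account entry")
        seen.add(name)
        # A UID-0 account outside the allow-list is the "troot" pattern.
        # The gid check is an elif so one rogue entry yields one finding.
        if e["uid"] == 0 and name not in allowed_root:
            findings.append(f"{name}: UID 0 account that is not in the allow-list")
        elif e["gid"] == 0 and name not in allowed_root:
            findings.append(f"{name}: primary group 0 on a non-root account")
        if e["pw"] == "":
            findings.append(f"{name}: empty password field (no password required)")
        elif e["pw"] not in ("x", "*", "!"):
            findings.append(f"{name}: password hash stored directly in passwd")
    # Accounts present in only one of the two files point to hand edits or
    # an incomplete clean-up of a removed account.
    passwd_names = {e["name"] for e in entries if not e["malformed"]}
    in_shadow = shadow_names(shadow_text)
    for name in sorted(in_shadow - passwd_names):
        findings.append(f"{name}: in shadow but not in passwd")
    for name in sorted(passwd_names - in_shadow):
        findings.append(f"{name}: in passwd but not in shadow")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Run against live files with `audit_accounts(open("/etc/passwd").read(), open("/etc/shadow").read())` as root. Compare the result with a known-good baseline taken before the exposure window rather than with the current file alone, since the article notes the attackers restored the original admin password and removed the account afterwards; a clean current state does not rule out the earlier change.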
Cisco told Mandiant the breach didn’t involve CVE-2026-20182 and suggested stolen certificates might have been the entry point. If you’re running Cisco SD-WAN gear, patch immediately and check for unauthorized peering connections. Mandiant has published indicators of compromise to help organizations determine if they were targeted.
