New details have emerged about how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create a rogue root account on targeted devices.
CVE-2026-20245 is a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond) that allows an authenticated attacker to execute arbitrary commands as root by uploading a crafted file.
Cisco stated the vulnerability could be exploited by an authenticated attacker with local access to an affected device due to insufficient validation of user-supplied input.
When Cisco disclosed the flaw earlier this month, the company warned that it had been exploited in a limited number of attacks, but did not provide details.
Cisco said only that a successful exploit could allow the attacker to gain root privileges, and that some incidents involved pushing unauthorized configuration changes to edge devices.
The company released a security update, saying there was no workaround and urging customers to upgrade to a fixed software version.
New exploit details revealed
In a report published today, Mandiant revealed that CVE-2026-20245 was exploited as an elevation of privilege vulnerability after an attacker had already gained access to the targeted SD-WAN device.
According to researchers, the intrusion began with an unauthorized SD-WAN peering connection observed on a service provider's infrastructure.
Starting in March 2026, threat actors established new rogue peer connections and authenticated to affected SD-WAN Manager devices with the vmanage-admin account.
Mandiant believes the rogue peering may have been created by exploiting the previously disclosed Cisco SD-WAN authentication bypass zero-days, CVE-2026-20127 and CVE-2026-20182, but the exact method remains unclear.
After gaining access, the attacker changed the default administrator account password, logged into the SD-WAN Manager web interface, and extracted configuration data for edge devices, controllers, and SD-WAN templates.
Mandiant said detections were likely reduced because the attackers changed the administrator account back to its original password after completing the operation.
According to researchers, the attacker then exploited CVE-2026-20245 through the SD-WAN command-line interface's tenant upload feature by uploading a malicious CSV file named “evil_tenant.csv.”
“The vulnerability CVE-2026-20245, reported to Cisco by Mandiant, exists in the command-line interface (CLI) of Cisco Catalyst SD-WAN controllers. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by providing a crafted file to an affected system,” Mandiant explained.
Mandiant said the malicious payload first created a backup of system configuration files, including /etc/passwd and /etc/shadow, before creating a new account named “troot” with root-level privileges.
The attackers then used the Linux “su” command to switch from the compromised administrative account to the newly created root account, giving them full control of the device.
Mandiant said the attackers relied heavily on anti-forensic tactics to avoid detection.
This included backing up configuration files before altering them and restoring them after exploitation. The attackers also cleaned up all traces of exploitation by removing the malicious CSV payload, deleting temporary files created during the attack, and erasing evidence of the rogue root account.
The researchers also observed the execution of a validation script to ensure that all traces of compromise had been removed from the device.
Some of the rogue peering activity observed in March 2026 occurred on systems that were not vulnerable to any of the previously disclosed authentication bypass flaws, Mandiant said.
Cisco told researchers that CVE-2026-20182 was not involved in this latest breach, and that the attackers may have used certificates stolen during a previous breach to regain access to the devices.
Mandiant has published indicators of compromise, attacker IP addresses, and guidance to help organizations determine whether they have been compromised.
Organizations should collect diagnostic data from SD-WAN devices, check for signs of unauthorized peering connections, and upgrade to the latest software releases if they have not already done so.
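A defender's check for the two artifacts the report describes above (an extra UID-0 account such as “troot” in /etc/passwd, and an su transition from the administrative account into it), written as an added example that is not Mandiant's or Cisco's tooling. The passwd content, auth-log lines, the `EXPECTED_ROOT_ACCOUNTS` set and the su log format are constructed assumptions; adapt them to the diagnostic data collected from your own devices.

```python
"""Audit /etc/passwd content and auth-log lines for rogue root accounts."""
import re
from typing import Dict, List, Tuple

# Assumption: only "root" is expected to hold UID 0 on the appliance.
EXPECTED_ROOT_ACCOUNTS = {"root"}

# Assumed su log shape: "su[pid]: (to TARGET) SOURCE_USER on tty".
SU_PATTERN = re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5)-style lines into dicts, skipping blanks, comments and malformed rows."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed row: report nothing rather than crash the audit
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": uid, "gid": gid, "home": home, "shell": shell})
    return entries


def rogue_root_accounts(text: str) -> List[str]:
    """Names of UID-0 accounts that are not in the expected set (e.g. a planted 'troot')."""
    return [e["name"] for e in parse_passwd(text)
            if e["uid"] == "0" and e["name"] not in EXPECTED_ROOT_ACCOUNTS]


def suspicious_su(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(source_user, target) pairs for every su into an account outside the expected set."""
    hits = []
    for line in log_lines:
        m = SU_PATTERN.search(line)
        if m and m.group("target") not in EXPECTED_ROOT_ACCOUNTS:
            hits.append((m.group("user"), m.group("target")))
    return hits


# Constructed sample data modelled on the report's description, not real device output.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/vshell
troot:x:0:0::/home/troot:/bin/bash
"""
SAMPLE_AUTH_LOG = [
    "Mar 12 10:02:11 vmanage su[2231]: (to troot) vmanage-admin on pts/0",
    "Mar 12 10:05:40 vmanage su[2290]: (to root) vmanage-admin on pts/0",
]

if __name__ == "__main__":
    print("rogue UID-0 accounts:", rogue_root_accounts(SAMPLE_PASSWD))
    print("suspicious su transitions:", suspicious_su(SAMPLE_AUTH_LOG))
```

Because the attackers restored the backed-up passwd and shadow files afterwards, a clean result from the passwd check alone is not proof of absence; the su log check and the file-change timeline matter as much.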