Cisco SD-WAN Zero-Day Chain Exposes Root Access at Service Providers

Mandiant exposed CVE-2026-20245, a zero-day in Cisco Catalyst SD-WAN Manager exploited via malicious CSV upload to gain root. Attackers used anti-forensic techniques, exfiltrated configs, and altered passwords at a service provider. This seventh SD-WAN zero-day of 2026 reveals a persistent focus on control plane compromise.
Written by Eric Hastings

Cisco’s Catalyst SD-WAN Manager keeps falling under attack. Sophisticated actors have turned the management plane into a persistent foothold. And the latest example shows exactly how they do it.

Mandiant researchers uncovered active exploitation of CVE-2026-20245. The flaw lets an authenticated local attacker run arbitrary commands as root. They do so by uploading a specially crafted CSV file through the CLI. One malicious upload. Root in minutes.

The discovery, detailed in a Google Cloud blog post published today, paints a picture of careful, evasive operations. The threat actor first established rogue peering connections to the SD-WAN fabric as early as late 2025. Those connections lasted into January 2026 and again in March. Once inside with administrative access, they escalated further.

Here’s how the final step worked. After SSHing in as an admin, the attacker issued a tenant upload command pointing to their crafted file, evil_tenant.csv. That file contained entries designed to append a new user called “troot” to the system’s /etc/passwd and /etc/shadow files. The result? A backdoor account with root privileges. The attacker then switched to troot using the su command and began work.

They exfiltrated configuration data for the entire SD-WAN fabric. They changed the default admin password. They left almost no trace. But they didn’t stop at data theft. The actor pushed configuration changes to edge devices. Such moves suggest broader network control was the goal.

The Attack Chain and Anti-Forensic Cleanup

This privilege escalation did not happen in isolation. The actor almost certainly relied on earlier authentication bypasses to gain that initial admin foothold. Multiple sources tie the activity to a pattern of SD-WAN compromises throughout 2026.

Cisco disclosed CVE-2026-20127 in February. That critical authentication bypass, exploited since at least 2023 by a group Talos calls UAT-8616, let unauthenticated attackers log in as a high-privileged internal user. Tenable’s analysis confirmed exploitation in the wild and linked it to sophisticated espionage.

Then came CVE-2026-20182 in May. Another authentication bypass with a perfect CVSS score of 10.0. It allowed unauthenticated remote attackers to pose as trusted routers and gain administrative access. CyberScoop reported it as the latest in a string of zero-days hitting the same control plane components. Rapid7 researchers called the flaw a “master key.”

By the time attackers reached the CSV upload stage, they already held the keys. CVE-2026-20245 simply removed the last barrier. Cisco’s advisory for the flaw, referenced in SecurityWeek’s coverage, notes it stems from “insufficient validation of user-supplied input.” The company learned of exploitation in June. Mandiant reported it. No patch existed at disclosure. Administrators were told to upgrade to versions fixed in a separate May advisory while waiting for the final code change.

But the real story lies in what happened after root access. The actor showed discipline. They copied original versions of critical files such as passwd, shadow, and tenant lists to hidden backups with names like .orig_passwd. After making changes, they deleted the malicious CSV and the troot entries. Then they restored the originals from those backups. Every created file vanished.

They went further. A custom validation script ran in a loop. It checked for the presence of troot, examined file states in /var/confd/rollback/, and confirmed the cleanup succeeded. Only then did the actor exit. Professional. Thorough. Designed to survive incident response.

Mandiant recovered a remnant of the malicious payload anyway. The SHA256 hash of evil_tenant.csv reads b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b. Network indicators include connections from 126.51.108.152 and other IPs used for rogue peering. Security teams can hunt for these now.

The victim was a service provider. That choice matters. Compromising the manager console gives visibility and control over every customer edge device managed through it. One breach, many victims. Configurations pulled could reveal topologies, policies, even credentials reused elsewhere.

This marks the seventh SD-WAN zero-day exploited in 2026 according to tallies from multiple researchers. The pattern reveals more than isolated bugs. It shows sustained focus on a platform that sits at the heart of modern wide-area networks. Enterprises and providers alike rely on these systems for traffic steering, segmentation, and security policy enforcement. When the manager falls, the whole fabric trembles.

Cisco has released updates addressing many of the earlier flaws. Yet the absence of an immediate patch for CVE-2026-20245 at disclosure time left defenders exposed. The company recommends immediate upgrades to the latest fixed releases and urges customers to review logs for unusual tenant-upload commands, unexpected peering sessions, and changes to admin accounts.

So what should network operators do today? Collect admin-tech outputs. Validate all control plane peerings against expected devices. Scan for the listed IOCs. Assume that any SD-WAN Manager exposed to the internet or managed by a compromised provider may have been touched.

The incident also highlights limits of detection. Anti-forensic steps nearly erased the trail. Without Mandiant’s engagement, the troot user and altered files might have stayed hidden. Organizations need better monitoring of CLI activity, file integrity on controllers, and anomalous configuration pushes to edges.

Threat actors clearly view Cisco’s SD-WAN control plane as high value. They return to it again and again, chaining flaws old and new. UAT-8616 and others like it treat these systems as long-term platforms for espionage and disruption. Defenders cannot treat patches as one-time events. They must assume persistent attempts and build resilience accordingly.

The Google Cloud researchers closed their report with concrete guidance. Review SD-WAN logs for the specific upload command syntax. Look for su transitions to unknown accounts. Check backup files for tampering. And above all, patch.
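As an added illustration of that guidance (this is not tooling from Mandiant, Google Cloud or Cisco), the script below runs three defender-side hunts over constructed sample data: tenant CSV upload commands and su transitions to accounts outside an allowlist in CLI logs, extra UID 0 entries in a passwd file, and hidden backup copies such as .orig_passwd. The log-line layout, the command wording, the hostname and the file listing are assumptions; substitute your platform's real export formats.

```python
"""Added example, not Mandiant's, Google Cloud's or Cisco's own code.
Hunts for the behaviours the article describes, over constructed sample data."""
import re
from typing import Dict, List

# Constructed sample data; log layout and command wording are assumed, not Cisco's syntax.
SAMPLE_LOG = """\
2026-06-02T10:14:41Z manager cli: user=admin cmd="tenant upload evil_tenant.csv"
2026-06-02T10:15:09Z manager su: admin switched to troot
2026-06-02T11:02:55Z manager su: admin switched to root
2026-06-02T11:30:00Z manager cli: user=admin cmd="show tenant status"
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""
SAMPLE_FILES = ["/etc/passwd", "/etc/.orig_passwd", "/etc/shadow", "/etc/.orig_shadow"]

KNOWN_SU_TARGETS = {"root"}   # accounts an admin is expected to su into (assumed allowlist)
EXPECTED_UID0 = {"root"}      # only root should hold UID 0 on the controller
UPLOAD_RE = re.compile(r"tenant\s+upload\b.*\.csv", re.IGNORECASE)
SU_RE = re.compile(r"\bsu: (\S+) switched to (\S+)")

def hunt_log(log: str) -> Dict[str, List[str]]:
    """Flag tenant CSV uploads and su transitions to accounts outside the allowlist."""
    hits: Dict[str, List[str]] = {"tenant_upload": [], "unknown_su": []}
    for line in log.splitlines():
        if UPLOAD_RE.search(line):
            hits["tenant_upload"].append(line)
        m = SU_RE.search(line)
        if m and m.group(2) not in KNOWN_SU_TARGETS:
            hits["unknown_su"].append(m.group(2))
    return hits

def rogue_uid0(passwd: str) -> List[str]:
    """Return every UID 0 account not in EXPECTED_UID0 (a troot-style backdoor)."""
    rogue = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] not in EXPECTED_UID0:
            rogue.append(f[0])
    return rogue

def hidden_backups(paths: List[str]) -> List[str]:
    """Hidden .orig_* copies are the staging files the cleanup routine restored from."""
    return [p for p in paths if p.rsplit("/", 1)[-1].startswith(".orig_")]

if __name__ == "__main__":
    print(hunt_log(SAMPLE_LOG), rogue_uid0(SAMPLE_PASSWD), hidden_backups(SAMPLE_FILES))
```

Feed real exports into the three functions; each returns the specific items to triage rather than only printing them.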

Because in this environment, the next zero-day probably waits just around the corner. And the actors chasing it already know the path inside.
