
Cisco SD-WAN Has Now Logged Seven Exploited Zero-Days in 2026

Mandiant’s investigation into a communications service provider breach reveals an attacker who had undetected root access for two months, and federal agencies that were supposed to fix it by June 23.

Cisco’s Catalyst SD-WAN platform has now logged seven exploited zero-days in 2026. The latest — a privilege escalation flaw uncovered by Mandiant that gave an attacker undetected root access to a communications service provider for two months before disclosure — came with a federal patch deadline of June 23. That deadline has passed.

The flaw in question, CVE-2026-20245, allows an attacker to execute arbitrary commands with root privilege on Cisco Catalyst SD-WAN Controller, Manager, and Validator deployments. CISA added it to the Known Exploited Vulnerabilities catalog on June 9; federal civilian agencies had two weeks to patch or pull affected systems.

Josh Picolet, VP of Detection and Analysis at threat intelligence firm Team Cymru, said the months-long exploitation window underscores a visibility problem that patches alone can’t solve. Organizations with insight into adversary command infrastructure and scanning activity beyond their own perimeter have a chance to detect staging before it becomes a confirmed incident. “A patch closes the door,” Picolet said. “Intelligence tells you who was already inside.”

“The vulnerability stems from the device’s file upload feature lacking the ability to properly filter malicious data,” explained Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan.

“Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities.”

According to Cisco’s advisory, the root cause is insufficient validation of user-supplied input: an authenticated user can upload a crafted file and have commands executed with root privileges on the affected system.

Austin Larsen, principal threat analyst at Google’s Threat Intelligence Group, noted that after exfiltrating the SD-WAN fabric configuration, the attacker reset the admin password to its original value, so an administrator who logged in during the intrusion would have seen nothing out of place.

Cisco says exploiting the flaw requires the attacker to already hold netadmin privileges on the device, either through valid credentials or by chaining it with either of two other Catalyst SD-WAN vulnerabilities. Fortunately for threat actors, CVE-2026-20182 and CVE-2026-20127 each allow an unauthenticated remote attacker to bypass authentication and gain administrative access, so problem solved (for the bad guys). On its own, then, CVE-2026-20245 is a post-authentication bug; chained with either bypass, it becomes effectively unauthenticated root command execution. CVE-2026-20127 has been linked to a sustained campaign by threat cluster UAT-8616, which Cisco Talos assesses with high confidence to be a highly sophisticated actor that has been targeting SD-WAN infrastructure since at least 2023.

In the attack examined by the Mandiant team, the threat actor triggered the flaw by uploading a malicious CSV file to a vulnerable appliance. From there, they backed up the device’s tenant_list configuration file before overwriting it with a malicious version of their own, then created a rogue root-level account named “troot.”

Interestingly, the hackers preserved original copies of a number of configuration files and, once persistence was established, covered their tracks by restoring all modified configuration files and logs, then ran a validation script to confirm no forensic traces remained. The caveat for defenders: once the originals have been copied back, a point-in-time comparison of those files against a golden configuration will come back clean, so the persistence the restore was meant to hide has to be hunted for directly.
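As an added example, not code from the article, Mandiant or Cisco: three point-in-time checks a responder could run over artifacts copied off a suspect appliance. The first flags UID-0 accounts other than root (the “troot” pattern above); the second compares configuration files against a known-good hash baseline and, as the passage predicts, comes back clean once the originals have been restored; the third looks for the one thing a copy-back cannot easily hide, an inode change time (ctime) well after the file’s preserved modification time (mtime). The page does not describe the appliance’s real file layout, so the passwd format, file names, hashes and timestamps here are constructed for illustration and are assumptions, not details from the investigation.

```python
"""Added example, not from the article, Mandiant or Cisco.

The passwd lines, file names, baseline hashes and stat values below are
constructed; the real appliance layout is not described on the page.
"""
import hashlib

# Constructed /etc/passwd-style sample. "troot" is the rogue UID-0 account
# name the article reports; the remaining entries are illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""


def rogue_uid0_accounts(passwd_text, allowed=("root",)):
    """Names of UID-0 accounts outside the allow-list, plus malformed lines
    (reported rather than skipped, because a mangled line is itself odd)."""
    rogue, malformed = [], []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            malformed.append((lineno, line))
            continue
        if int(fields[2]) == 0 and fields[0] not in allowed:
            rogue.append(fields[0])
    return rogue, malformed


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def changed_since_baseline(current_files, baseline_hashes):
    """Files whose current SHA-256 differs from the known-good baseline.
    A file the attacker restored byte-for-byte will NOT appear here."""
    return sorted(name for name, data in current_files.items()
                  if baseline_hashes.get(name) != sha256_hex(data))


def restored_files(stats, slack_seconds=60):
    """Files whose ctime is well after their mtime. cp -p or touch -r can put
    mtime back to its original value, but ctime is set by the kernel on every
    inode change and cannot be backdated without moving the clock, so a large
    ctime-minus-mtime gap on a config file is consistent with a copy-back."""
    return sorted(name for name, (mtime, ctime) in stats.items()
                  if ctime - mtime > slack_seconds)


def hunt(passwd_text, current_files, baseline_hashes, stats):
    """Run all three checks and return the findings as one dict."""
    rogue, malformed = rogue_uid0_accounts(passwd_text)
    return {
        "rogue_uid0": rogue,
        "malformed_passwd_lines": malformed,
        "changed_files": changed_since_baseline(current_files, baseline_hashes),
        "restored_files": restored_files(stats),
    }


# Constructed golden baseline captured before the intrusion.
GOLDEN_TENANT_LIST = b"tenant-a\ntenant-b\n"
BASELINE = {"tenant_list": sha256_hex(GOLDEN_TENANT_LIST)}

# Constructed post-intrusion state: tenant_list has been restored to its
# original bytes (hash check passes), but the restore created a new inode
# (ctime 2026-05-30 UTC) while preserving the old mtime (2026-04-01 UTC),
# and the UID-0 account created for persistence is still present.
CURRENT_FILES = {"tenant_list": GOLDEN_TENANT_LIST}
STATS = {"tenant_list": (1775001600, 1780099200)}

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_PASSWD, CURRENT_FILES, BASELINE, STATS).items():
        print(f"{key}: {value}")
```

Run against the constructed state, the hash comparison reports nothing while the UID-0 and ctime checks both fire, which is the point: after a careful restore, the configuration files themselves are no longer where the evidence lives.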

While Mandiant did not name any suspects in the attack, such attention to detail is a hallmark of state-sponsored threat actors.

Cisco rated CVE-2026-20245 at CVSS 7.8 (High), though that score understates the operational reach: SD-WAN Manager controls the management plane across the entire network fabric, meaning root access here can push configuration changes to every downstream edge device. Fixed software is now available; Cisco released it on June 12 in versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2.
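As an added example, not Cisco’s own tooling: a small inventory triage that sorts running Catalyst SD-WAN versions against the fixed releases listed above. It rests on one assumption the page does not state: that the first two components of a version identify a release train, that a running version on the same third-level branch as a listed fix is patched once it is at or above that fix, and that anything older than every listed fix on its train is vulnerable. Versions newer than the listed fixes but on an unlisted branch, or on a train the list does not mention at all, are reported as “unknown” rather than assumed safe, which is the result a practitioner should go and check against the advisory.

```python
"""Added example, not Cisco's own code. Fixed versions are the ones the
article lists for CVE-2026-20245; the train/branch semantics are an assumption."""

FIXED_RELEASES = ["20.9.9.2", "20.12.7.2", "20.15.4.5",
                  "20.15.5.3", "20.18.3.1", "26.1.1.2"]


def parse_version(text):
    """'20.15.4.5' -> (20, 15, 4, 5); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _by_train(releases):
    """Group fixed releases by their first two components (assumed train)."""
    grouped = {}
    for r in releases:
        v = parse_version(r)
        grouped.setdefault(v[:2], []).append(v)
    return grouped


FIXED_BY_TRAIN = _by_train(FIXED_RELEASES)


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'unknown' for one running version."""
    v = parse_version(version_text)
    candidates = FIXED_BY_TRAIN.get(v[:2])
    if not candidates:
        return "unknown"            # train not in the fixed list at all
    for fixed in candidates:
        if fixed[:3] == v[:3]:      # same branch as a listed fix
            return "fixed" if v >= fixed else "vulnerable"
    if v < min(candidates):         # older than every fix on this train
        return "vulnerable"
    return "unknown"                # newer branch the list does not cover


def triage(inventory):
    """inventory: {hostname: version string} -> {status: sorted hostnames}."""
    out = {"fixed": [], "vulnerable": [], "unknown": [], "unparseable": []}
    for host, ver in sorted(inventory.items()):
        try:
            out[assess(ver)].append(host)
        except ValueError:
            out["unparseable"].append(host)
    return out


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {"mgr-1": "26.1.1.2", "mgr-2": "20.9.5.1",
              "mgr-3": "20.15.5.2", "mgr-4": "20.15.6.0", "mgr-5": "v20.12"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {hosts}")
```

Note that 20.15 appears twice in the fixed list (20.15.4.5 and 20.15.5.3), which is why the comparison is done per third-level branch rather than against a single number per train; a 20.15.5.2 box is below its branch’s fix even though it is numerically above 20.15.4.5.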

“This campaign underscores the living off the edge paradigm, where threat actors prioritize the compromise of network appliances to bypass traditional security perimeters. As organizations increasingly adopt software-defined networking, the orchestrators managing these environments become primary targets,” the researchers noted.

“These devices offer a black box environment for threat actors: they often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide-scale access to internal enterprise traffic.”

Author

  • Shaun Nichols

    Shaun Nichols, Senior Editor at Security Point Break, is a veteran cybersecurity journalist who has spent nearly two decades covering the enterprise tech market—from the era of hard-drive iPods to the rise of Agentic AI. Formerly of The Register and TechTarget, Shaun is known for his sharp wit and deep technical dives into malware, ransomware, and the intersection of government policy and security. Follow him on X: @shaundnichols
