Cisco SD-WAN root access: inside CVE-2026-20245, exploited for months before disclosure
A 7.8 privilege-escalation flaw, used in a chain to seize root on SD-WAN controllers — and quietly cleaned up after
Cisco's Catalyst SD-WAN management plane took another hit. CVE-2026-20245 lets an authenticated attacker who already holds netadmin rights run arbitrary commands as root on SD-WAN Controller (vSmart), Manager (vManage) and Validator (vBond) appliances. On its own it is a 7.8 (HIGH) escalation flaw — but Google's Mandiant caught it being used as a zero-day in real intrusions, as the final step of a chain that started by abusing earlier auth-bypass bugs to get onto the box in the first place.
What CVE-2026-20245 actually is
Per Cisco's advisory, the flaw lives in the command-line interface of the Catalyst SD-WAN appliances and stems from insufficient validation of user-supplied input. An attacker uploads a crafted file through a CLI feature (Mandiant observed a malicious CSV via the tenant-upload function), which is then mishandled and turned into command injection that executes as root. CVSS v3.1 scores it 7.8 / HIGH with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — the Local vector and the netadmin requirement are why it's a 7.8 and not a 9.8: the attacker must already be authenticated with netadmin privileges (valid credentials, or a chained exploit) before this bug applies.
How attackers are actually using it
The real-world picture comes from a Mandiant (Google Threat Intelligence) investigation into intrusions at a communications service provider, reported by researchers Chester Sng, Pete Boonyakarn and Logeswaran Nadarajan. Activity ran in two waves — late 2025 to January 2026, then again in March 2026 — and it's not confirmed whether the same actor is behind both. The observed chain:
- Foothold via rogue SD-WAN peering — the attacker established unauthorized peering connections to vManage, likely by exploiting the auth-bypass zero-days CVE-2026-20127 or CVE-2026-20182 (and, in one March case on a patched box, possibly with certificates stolen in a prior breach).
- Authenticate and recon — they changed the default admin password, logged into the vManage web UI, and exfiltrated configuration for edge devices, controllers and SD-WAN templates.
- Escalate with CVE-2026-20245 — they uploaded a malicious CSV (`evil_tenant.csv`) through the tenant-upload CLI feature to run commands as root, created a hidden root account (`troot`) in `/etc/passwd` and `/etc/shadow`, then used `su` to take a full root shell.
- Anti-forensics — they restored the admin password to its original value, deleted the malicious payload and temp files, reverted configuration changes, and ran a validation script to confirm their traces were gone. Cisco also saw limited cases where exploitation pushed configuration changes to edge devices.
Advanced adversaries continue to primarily target and exploit network devices and other systems that don't natively support EDR solutions.
Am I affected?
Affected if you operate Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart) or Validator (vBond) — across on-prem and Cisco-managed cloud deployments. There is no workaround; the fix is to upgrade.
| Item | Detail |
|---|---|
| Affected components | Catalyst SD-WAN Manager (vManage), Controller (vSmart), Validator (vBond) |
| Deployment types | On-prem, SD-WAN Cloud-Pro, Cisco-managed Cloud, SD-WAN for Government (FedRAMP) |
| Access required | Authenticated, local, netadmin privileges (often reached by chaining CVE-2026-20127 / CVE-2026-20182, or stolen credentials/certificates) |
| Impact | Arbitrary command execution as root; rogue root account; config changes pushed to edge devices |
| Fix | Upgrade to fixed SD-WAN software per Cisco advisory (no workaround). Patch the chained auth-bypass flaws too. |
| Heightened risk | Internet-exposed management interfaces |
Detection & hunting
Because the actor scrubbed their tracks, assume the absence of obvious signs is not proof you're clean. Cisco and Mandiant published concrete indicators — hunt for these:
- `/var/log/scripts.log` entries showing tenant/serial/chassis file uploads that reference attacker-controlled CSV paths (e.g. files under `/home/admin/`).
- Unauthorized peering connections to vManage / SD-WAN Controller devices.
- A rogue root account (Mandiant observed `troot`) or unexpected entries in `/etc/passwd` and `/etc/shadow`.
- Admin-password changes that were later reverted, and unexpected configuration pushes to edge devices.
- Cross-check against Mandiant's published IoCs and attacker IP addresses; collect SD-WAN diagnostic data for forensic review.
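The hunting checks above, as an added example that is not Cisco's or Mandiant's tooling: a Python script that parses `/var/log/scripts.log` lines for the three vconfd upload scripts named in Cisco's sample indicators, flags any whose CSV argument is read from a user-writable location such as `/home/admin/`, and scans `/etc/passwd` for UID-0 accounts other than `root`. The log lines and passwd entries embedded in it are constructed for the example (modeled on Cisco's published samples and the `troot` account Mandiant reported); the extra path prefixes `/tmp/` and `/var/tmp/` and the benign `vconfd_script_something_else.sh` line are assumptions, not from the advisory.

```python
import re

# Added hunting example (not Cisco's or Mandiant's tooling). Applies two of the
# published indicators: suspicious upload entries in /var/log/scripts.log and
# rogue UID-0 accounts in /etc/passwd.

# The three vconfd upload scripts that appear in Cisco's sample log indicators.
UPLOAD_SCRIPTS = {
    "vconfd_script_upload_tenant_list.sh",
    "vconfd_script_upload_vsmart_serial_numbers.sh",
    "vconfd_script_upload_chassis_number_file.sh",
}

# /home/admin/ is the location named in Cisco's indicators; /tmp/ and /var/tmp/
# are assumed additions (user-writable staging areas) for this example.
SUSPICIOUS_PATH_PREFIXES = ("/home/admin/", "/tmp/", "/var/tmp/")

# Matches the vScript line layout seen in Cisco's samples:
#   <Mon> <day> <HH:MM:SS> <host> vScript: <description>: <script> -cli path <file> ...
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<desc>.+?): (?P<script>/\S+) .*?-cli path (?P<path>\S+)"
)


def parse_scripts_log(lines):
    """Return upload entries whose CSV path sits under a suspicious prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        script = m.group("script").rsplit("/", 1)[-1]  # basename of the script
        path = m.group("path")
        if script in UPLOAD_SCRIPTS and path.startswith(SUSPICIOUS_PATH_PREFIXES):
            hits.append({"ts": m.group("ts"), "host": m.group("host"),
                         "script": script, "path": path})
    return hits


def rogue_root_accounts(passwd_text):
    """Return account names with UID 0 other than root (e.g. the observed troot)."""
    rogue = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) < 7:
            continue  # skip blank or malformed entries
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            rogue.append(name)
    return rogue


def hunt(log_lines, passwd_text):
    """Combine both checks into one report dict."""
    return {"upload_hits": parse_scripts_log(log_lines),
            "rogue_root": rogue_root_accounts(passwd_text)}


# Constructed sample input, modeled on Cisco's published log samples. The
# /opt/data line and the vconfd_script_something_else.sh line are invented
# benign entries that the checks should leave alone.
SAMPLE_SCRIPTS_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/evil_tenant.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:07:01 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /opt/data/tenant/serials.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Jun 5 13:09:00 Validator vScript: Periodic task: /usr/bin/vconfd_script_something_else.sh -cli path /home/admin/notes.csv
"""

# Constructed /etc/passwd excerpt containing the troot account Mandiant observed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
troot:x:0:0::/:/bin/bash
"""

if __name__ == "__main__":
    report = hunt(SAMPLE_SCRIPTS_LOG.splitlines(), SAMPLE_PASSWD)
    for h in report["upload_hits"]:
        print(f"[scripts.log] {h['ts']} {h['host']}: {h['script']} read {h['path']}")
    for name in report["rogue_root"]:
        print(f"[passwd] rogue UID-0 account: {name}")
```

Run it against a copy of `/var/log/scripts.log` and `/etc/passwd` pulled from the appliance's diagnostic bundle rather than on the live box; the actor in these intrusions deleted payloads and reverted changes, so a clean result from this script is only one input to the review, not a clearance.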
```text
# Sample /var/log/scripts.log indicators (Cisco)
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
```
What to do now
- Upgrade Catalyst SD-WAN Manager / Controller / Validator to the fixed releases in Cisco's advisory — there is no workaround.
- Patch the chain. Make sure CVE-2026-20182 (CVSS 10.0 auth bypass) and CVE-2026-20127 are also remediated; this bug is most dangerous as the escalation step after them.
- Hunt before you trust the patch — KEV-listed and actively exploited means assume-breach: run the detection checks above and review SD-WAN diagnostic data.
- Reduce exposure — restrict and monitor management-interface reachability; treat internet-exposed controllers as priority.
- Rotate admin credentials and any device certificates that could have been stolen in a prior compromise; apply Cisco's SD-WAN hardening and logging guidance.