CVE Tools

Cisco SD-WAN root access: inside CVE-2026-20245, exploited for months before disclosure

A 7.8 privilege-escalation flaw, used in a chain to seize root on SD-WAN controllers — and quietly cleaned up after

Cisco's Catalyst SD-WAN management plane took another hit. CVE-2026-20245 lets an authenticated attacker who already holds netadmin rights run arbitrary commands as root on SD-WAN Controller (vSmart), Manager (vManage) and Validator (vBond) appliances. On its own it is a 7.8 (HIGH) escalation flaw — but Google's Mandiant caught it being used as a zero-day in real intrusions, as the final step of a chain that started by abusing earlier auth-bypass bugs to get onto the box in the first place.

What CVE-2026-20245 actually is

Per Cisco's advisory, the flaw lives in the command-line interface of the Catalyst SD-WAN appliances and stems from insufficient validation of user-supplied input. An attacker uploads a crafted file through a CLI feature (Mandiant observed a malicious CSV via the tenant-upload function), which is then mishandled and turned into command injection that executes as root. CVSS v3.1 scores it 7.8 / HIGH with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — the Local vector and the netadmin requirement are why it's a 7.8 and not a 9.8: the attacker must already be authenticated with netadmin privileges (valid credentials, or a chained exploit) before this bug applies.

How attackers are actually using it

The real-world picture comes from a Mandiant (Google Threat Intelligence) investigation into intrusions at a communications service provider, reported by researchers Chester Sng, Pete Boonyakarn and Logeswaran Nadarajan. Activity ran in two waves — late 2025 to January 2026, then again in March 2026 — and it's not confirmed whether the same actor is behind both. The observed chain:

  1. Foothold via rogue SD-WAN peering — the attacker established unauthorized peering connections to vManage, likely by exploiting the auth-bypass zero-days CVE-2026-20127 or CVE-2026-20182 (and, in one March case on a patched box, possibly with certificates stolen in a prior breach).
  2. Authenticate and recon — they changed the default admin password, logged into the vManage web UI, and exfiltrated configuration for edge devices, controllers and SD-WAN templates.
  3. Escalate with CVE-2026-20245 — they uploaded a malicious CSV (evil_tenant.csv) through the tenant-upload CLI feature to run commands as root, created a hidden root account (troot) in /etc/passwd and /etc/shadow, then used su to take a full root shell.
  4. Anti-forensics — they restored the admin password to its original value, deleted the malicious payload and temp files, reverted configuration changes, and ran a validation script to confirm their traces were gone. Cisco also saw limited cases where exploitation pushed configuration changes to edge devices.

"Advanced adversaries continue to primarily target and exploit network devices and other systems that don't natively support EDR solutions."
— Charles Carmakal, CTO, Mandiant Consulting

Am I affected?

Affected if you operate Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart) or Validator (vBond) — across on-prem and Cisco-managed cloud deployments. There is no workaround; the fix is to upgrade.

Item                  Detail
Affected components   Catalyst SD-WAN Manager (vManage), Controller (vSmart), Validator (vBond)
Deployment types      On-prem, SD-WAN Cloud-Pro, Cisco-managed Cloud, SD-WAN for Government (FedRAMP)
Access required       Authenticated, local, netadmin privileges (often reached by chaining CVE-2026-20127 / CVE-2026-20182, or stolen credentials/certificates)
Impact                Arbitrary command execution as root; rogue root account; config changes pushed to edge devices
Fix                   Upgrade to fixed SD-WAN software per Cisco's advisory (no workaround). Patch the chained auth-bypass flaws too.
Heightened risk       Internet-exposed management interfaces

Detection & hunting

Because the actor scrubbed their tracks, assume the absence of obvious signs is not proof you're clean. Cisco and Mandiant published concrete indicators — hunt for these:

  • /var/log/scripts.log entries showing tenant/serial/chassis file uploads that reference attacker-controlled CSV paths (e.g. files under /home/admin/).
  • Unauthorized peering connections to vManage / SD-WAN Controller devices.
  • A rogue root account (Mandiant observed troot) or unexpected entries in /etc/passwd and /etc/shadow.
  • Admin-password changes that were later reverted, and unexpected configuration pushes to edge devices.
  • Cross-check against Mandiant's published IoCs and attacker IP addresses; collect SD-WAN diagnostic data for forensic review.

# Sample /var/log/scripts.log indicators (from Cisco's advisory)
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun  5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun  5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
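
The hunt logic above, as a script a responder could run over a scripts.log and passwd file exported from an appliance. This is an added example, not tooling from Cisco or Mandiant. It parses vScript lines of the form Cisco published, flags invocations of the three upload helper scripts whose CSV sits under /home/ or /tmp/, and lists accounts other than root that carry UID or GID 0. The /home/admin/ prefix comes from Cisco's indicators; treating /tmp/ as suspicious, the benign /opt/data/ path, and the "Some other action" line are my assumptions, and the sample log and passwd lines are constructed for the example rather than taken from a real device.

```python
import re
import sys

# Upload helper scripts that appear in Cisco's published scripts.log indicators.
UPLOAD_SCRIPTS = {
    "vconfd_script_upload_tenant_list.sh": "tenant list upload",
    "vconfd_script_upload_vsmart_serial_numbers.sh": "vSmart serial-number upload",
    "vconfd_script_upload_chassis_number_file.sh": "ZTP chassis-number upload",
}

# Directories an operator-supplied CSV should not normally be read from.
# Assumption: Cisco's indicators reference /home/admin/; /tmp/ is added as a
# common staging location. Tune this for your own deployment.
SUSPICIOUS_PREFIXES = ("/home/", "/tmp/")

# Constructed sample log: lines 1 and 3 are modelled on Cisco's indicators,
# line 2 is an assumed benign upload, line 4 is an unrelated vScript entry.
SAMPLE_SCRIPTS_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 15 09:50:02 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /opt/data/tenants.csv vpn 0
Jun  5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Jun  5 13:10:00 Validator vScript: Some other action: /usr/bin/vconfd_script_other.sh -cli path /home/admin/x.csv
"""

# Constructed sample /etc/passwd with the hidden root account Mandiant observed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
vmanage-admin:x:1001:1001::/home/vmanage-admin:/bin/bash
"""

# "<Mon DD HH:MM:SS> <host> vScript: <description>: <command line>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<desc>.+?): (?P<cmd>/\S+.*)$"
)
PATH_RE = re.compile(r"-cli path (?P<path>\S+)")


def parse_scripts_log(text):
    """Yield one event per vScript line that invokes one of the upload scripts."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        script = m.group("cmd").split()[0].rsplit("/", 1)[-1]
        if script not in UPLOAD_SCRIPTS:
            continue
        p = PATH_RE.search(m.group("cmd"))
        yield {
            "ts": m.group("ts"),
            "host": m.group("host"),
            "script": script,
            "path": p.group("path") if p else None,
            "raw": line,
        }


def find_suspicious_uploads(text):
    """Return upload events whose source CSV lives under a suspicious directory."""
    return [e for e in parse_scripts_log(text)
            if e["path"] and e["path"].startswith(SUSPICIOUS_PREFIXES)]


def find_rogue_root_accounts(passwd_text):
    """Return account names other than 'root' that have UID 0 or GID 0."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and (uid == "0" or gid == "0"):
            rogue.append(name)
    return rogue


if __name__ == "__main__":
    # Optional: python hunt.py /path/to/scripts.log /path/to/passwd
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPTS_LOG
    passwd_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PASSWD
    for hit in find_suspicious_uploads(log_text):
        print(f"[upload]  {hit['ts']} {hit['host']}: {UPLOAD_SCRIPTS[hit['script']]} from {hit['path']}")
    for name in find_rogue_root_accounts(passwd_text):
        print(f"[account] UID/GID 0 account other than root: {name}")
```

On the constructed sample the script reports the two /home/admin/ uploads and the troot account; the /opt/data/ upload parses as an upload event but is not flagged, and the unrelated vScript line is ignored. Because the actor in these intrusions deleted their CSVs and reverted changes, the log evidence and passwd/shadow state can outlive the payload itself, so run this over copies collected as part of diagnostic data rather than relying on a live look at the box, and widen SUSPICIOUS_PREFIXES if you cannot enumerate where legitimate uploads come from.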

What to do now

  1. Upgrade Catalyst SD-WAN Manager / Controller / Validator to the fixed releases in Cisco's advisory — there is no workaround.
  2. Patch the chain. Make sure CVE-2026-20182 (CVSS 10.0 auth bypass) and CVE-2026-20127 are also remediated; this bug is most dangerous as the escalation step after them.
  3. Hunt before you trust the patch — KEV-listed and actively exploited means assume-breach: run the detection checks above and review SD-WAN diagnostic data.
  4. Reduce exposure — restrict and monitor management-interface reachability; treat internet-exposed controllers as priority.
  5. Rotate admin credentials and any device certificates that could have been stolen in a prior compromise; apply Cisco's SD-WAN hardening and logging guidance.

FAQ

Is CVE-2026-20245 being exploited?
Yes. Mandiant confirmed in-the-wild exploitation as a zero-day, beginning as early as March 2026, and CISA added it to the Known Exploited Vulnerabilities catalog in early June 2026.
Is it a remote, unauthenticated RCE?
No. It requires an authenticated attacker with netadmin privileges and local access. In observed attacks, that position was reached by chaining the auth-bypass flaws CVE-2026-20127 or CVE-2026-20182, or with stolen credentials/certificates.
Which products are affected?
Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart) and Validator (vBond), across on-prem and Cisco-managed cloud deployments.
Is there a patch or workaround?
There is no workaround. Upgrade to the fixed software in Cisco's advisory, and patch the chained CVE-2026-20182 / CVE-2026-20127 as well.