Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager
Mandiant identified a threat actor exploiting zero-day CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to escalate privileges from a compromised administrative account to root-level access via a malicious CSV file upload. The intrusion began with rogue peering connections, potentially leveraging CVE-2026-20127 or CVE-2026-20182, followed by SSH access using the vmanage-admin account, password manipulation of the admin account, and ultimately root access through a crafted evil_tenant.csv payload that modified /etc/passwd and /etc/shadow. The threat actor employed extensive anti-forensic techniques including file deletion, configuration restoration, and validation script execution to purge indicators.
- ip126[.]51[.]108[.]152Threat actor control plane IP used for rogue device connection and exploitation of CVE-2026-20245
- ip153[.]186[.]231[.]233IP address connecting as rogue device to SD-WAN Manager
- ip167[.]179[.]79[.]189IP address connecting as rogue device to SD-WAN Manager
- ip207[.]190[.]37[.]94IP address connecting as rogue device to SD-WAN Manager
- ip209[.]137[.]225[.]101IP address connecting as rogue device to SD-WAN Manager
- ip23[.]245[.]7[.]178IP address connecting as rogue device to SD-WAN Manager
- ip45[.]32[.]38[.]160IP address connecting as rogue device to SD-WAN Manager
- ip76[.]92[.]245[.]217IP address connecting as rogue device to SD-WAN Manager
- sha256b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7bSHA256 hash of evil_tenant.csv, the malicious CSV payload file used to exploit CVE-2026-20245 for privilege escalation to root
Detection / Hunteropenrouter
What Happened
A sophisticated hacker targeted network management software called Cisco Catalyst SD-WAN Manager, which organizations use to manage their wide-area networks across multiple locations. The attacker first gained access by making unauthorized connections to the network devices, then exploited a previously unknown software flaw (tracked as CVE-2026-20245) to gain full control of the system by uploading a disguised malicious file. They changed administrator passwords to log in, stole network configuration data, and then carefully cleaned up all evidence of their activity to avoid detection. Organizations using Cisco Catalyst SD-WAN Manager should immediately update to the latest software versions, check for signs of compromise using the indicators provided in the report, and follow Cisco's security hardening guidelines. If suspicious activity is found, it should be reported to Cisco's support team for assistance.
Key Takeaways
- Threat actor exploited zero-day CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to escalate from admin-level to root access via a malicious CSV file upload
- Initial access was achieved through rogue peering connections, potentially leveraging CVE-2026-20127 or CVE-2026-20182, or stolen certificate material
- Threat actor manipulated default account passwords (vmanage-admin, admin) to authenticate via SSH and the web interface, then reverted changes to evade detection
- Extensive anti-forensic techniques were employed including deleting malicious files, restoring system configurations, and running validation scripts to confirm cleanup
- Multiple rogue device IP addresses identified across the intrusion campaign spanning late 2025 to April 2026
Affected Systems
- Cisco Catalyst SD-WAN Manager (versions prior to 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2)
- Cisco Catalyst SD-WAN Controllers (affected by CVE-2026-20127 and CVE-2026-20182 peering authentication vulnerabilities)
Vulnerabilities (CVEs)
- CVE-2026-20245 - Zero-day privilege escalation in Cisco Catalyst SD-WAN Manager CLI allowing authenticated local attacker to execute arbitrary commands as root via crafted file upload; fixed in versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2 or later
- CVE-2026-20127 - Critical vulnerability in peering authentication mechanism for Cisco Catalyst SD-WAN controllers allowing unauthenticated remote attacker to bypass authentication and obtain administrative privileges
- CVE-2026-20182 - Critical vulnerability in peering authentication mechanism for Cisco Catalyst SD-WAN controllers allowing unauthenticated remote attacker to bypass authentication and obtain administrative privileges
Attack Chain
The threat actor gained initial access through unauthorized rogue peering connections to the victim's SD-WAN Manager devices, potentially exploiting CVE-2026-20127 or CVE-2026-20182, or using stolen certificate material. Using the vmanage-admin account via SSH, the attacker changed the default admin account password, authenticated to the SD-WAN Manager web interface, and exfiltrated network configuration data before reverting the password. The threat actor then exploited CVE-2026-20245 by uploading a malicious CSV file (evil_tenant.csv) via the tenant-upload CLI command, which appended a root-privileged user account (troot) to /etc/passwd and /etc/shadow. After escalating to root via su, the attacker performed extensive anti-forensic cleanup including deleting all created files, restoring original configurations, and executing a validation script to confirm indicator removal.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Google SecOps (Mandiant Intel Emerging Threats rule pack), Cisco SD-WAN CLI log analysis, Linux auth.log analysis
Google SecOps detections are available under rule names: Privileged Account Append to Passwd Database, Grep Privileged User Account Discovery in Passwd or Shadow, Hidden Backup of Sensitive System Files, and Suspicious Copy from Usr Share to User Hidden Directory. The article also provides log-based hunting guidance using /var/log/auth.log, /var/log/scripts.log, and Viptela CLI show history commands.
Detection Engineering Assessment
EDR Visibility: Low — Cisco SD-WAN Manager appliances are network infrastructure devices that typically lack traditional EDR agents. Visibility is limited to device-native logs such as /var/log/auth.log, /var/log/scripts.log, and Viptela CLI command history. Network Visibility: Medium — Rogue peering connections and SSH sessions from unexpected external IPs would be visible in network flow data and firewall logs. Web interface access for configuration extraction would appear in HTTP access logs, but the SD-WAN control plane traffic may be encrypted and difficult to inspect. Detection Difficulty: Hard — The threat actor's activities closely mirror legitimate administrative actions (SSH login, password changes, tenant uploads). Anti-forensic techniques including file deletion and configuration restoration further complicate detection. SD-WAN appliances lack deep telemetry, creating a black box environment. Defenders must correlate multiple low-fidelity signals across auth logs, script logs, and network flow data to identify suspicious patterns.
Required Log Sources
- Cisco SD-WAN Manager /var/log/auth.log (SSH authentication, password changes, su executions)
- Cisco SD-WAN Manager /var/log/scripts.log (vconfd_script_upload_tenant_list.sh execution)
- Cisco SD-WAN Manager Viptela CLI show history output
- Cisco SD-WAN Manager web access logs (j_security_check, dataservice API endpoints)
- Cisco SD-WAN Manager /var/confd/rollback/ configuration delta files
- Network flow data and firewall logs for rogue peering connection detection
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for SSH authentication events for the vmanage-admin account originating from IP addresses outside the established administrative management range, which may indicate unauthorized access via rogue peering | Cisco SD-WAN Manager /var/log/auth.log, network firewall logs, SSH session logs | Initial Access | Medium - legitimate administrators may connect from varying locations during troubleshooting or remote work |
| Consider hunting for rapid password change sequences on the admin account where credentials are set and subsequently reverted within a short time window, indicating temporary credential manipulation | Cisco SD-WAN Manager /var/log/auth.log (usermod events), /var/confd/rollback/ configuration delta files | Credential Access | Medium - legitimate password resets during routine maintenance could trigger this pattern |
| Consider hunting for execution of vconfd_script_upload_tenant_list.sh in script logs, particularly when invoked with non-standard file paths under /home/admin/, which may indicate CVE-2026-20245 exploitation | Cisco SD-WAN Manager /var/log/scripts.log, Viptela CLI show history | Privilege Escalation | Low - tenant list uploads are infrequent administrative actions and should be easily validated against change management records |
| Consider hunting for successful su command executions from the admin account to non-standard or unexpected local accounts, particularly accounts with UID 0, which may indicate privilege escalation via a backdoor account | Cisco SD-WAN Manager /var/log/auth.log (su events) | Privilege Escalation | Low - su from admin to non-standard accounts is unusual in normal SD-WAN operations |
| Consider hunting for hidden files created in /home/admin/ with names beginning with .orig_ which may indicate threat actor backup files created before modifying system configurations | Cisco SD-WAN Manager filesystem audit logs, file integrity monitoring | Defense Evasion | Low - creation of hidden backup files with this naming pattern is not associated with normal administrative activity |
Control Gaps
- Traditional EDR solutions do not provide coverage on Cisco SD-WAN network appliances, leaving a visibility gap on endpoint activity
- Network-level encryption of SD-WAN control plane traffic may prevent deep packet inspection of peering and configuration exchanges
- Lack of file integrity monitoring on SD-WAN appliances means modifications to /etc/passwd, /etc/shadow, and configuration files may go undetected
- Default account credentials (vmanage-admin, admin) on SD-WAN controllers may not be monitored for unauthorized password changes if alerting is not configured
- Anti-forensic techniques including file deletion and configuration rollback make post-incident forensic analysis difficult on these black box devices
Key Behavioral Indicators
- SSH authentication for vmanage-admin from unexpected external IP addresses
- Rapid sequence of password changes to admin account followed by reversion
- Execution of request tenant-upload CLI command with file paths under /home/admin/
- vconfd_script_upload_tenant_list.sh execution in /var/log/scripts.log
- Successful su from admin to non-standard accounts (e.g., troot)
- Hidden files with .orig_ prefix in /home/admin/ directory
- New entries with UID 0 in /etc/passwd
- Rogue peering connections from unrecognized IP addresses
- Web interface access to /dataservice/system/device/ and /dataservice/template/config/ endpoints from unexpected IPs
False Positive Assessment
- Medium - several threat actor activities closely resemble legitimate administrative actions including SSH login, password changes, and tenant list uploads. Rogue peering connections may also occur during legitimate network expansion. Defenders must correlate multiple signals and assess against established network posture to minimize false positives.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider collecting diagnostic data from all SD-WAN control-plane components using the 'request admin-tech' command and scanning for known IOCs including the rogue device IPs and evil_tenant.csv hash
- If applicable to your environment, prioritize upgrading Cisco Catalyst SD-WAN Manager to fixed software releases (20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later) to remediate CVE-2026-20245
- Consider reviewing /var/log/auth.log on all SD-WAN Manager devices for SSH logins as vmanage-admin from unexpected IP addresses and for suspicious password change sequences on the admin account
- If suspicious activity is confirmed, consider forwarding indicators to Cisco Technical Assistance Center (TAC) for comprehensive review and remediation assistance as recommended by Cisco
Infrastructure Hardening
- Consider implementing the Cisco Catalyst SD-WAN Hardening Guide recommendations across all SD-WAN components including management, control, and data planes
- Evaluate whether network access controls can restrict SSH and web interface access to SD-WAN Manager devices to only known administrative IP ranges
- Consider enabling centralized logging from SD-WAN appliances to a SIEM or log aggregation platform for continuous monitoring of authentication events and configuration changes
- If supported by your infrastructure, consider implementing certificate-based authentication for SD-WAN peering and rotating certificates if compromise is suspected
User Protection
- Consider changing default account credentials (vmanage-admin, admin) on all Cisco Catalyst SD-WAN controllers if they have not been rotated recently
- Evaluate whether multi-factor authentication can be enabled for SD-WAN Manager web interface access where supported
- Consider monitoring for and alerting on any new local accounts created with UID 0 on SD-WAN appliances
Security Awareness
- Consider briefing network operations teams on the indicators and TTPs described in this report so they can recognize suspicious activity during routine SD-WAN management
- If applicable to your awareness program, consider incorporating guidance on verifying the legitimacy of peering connection requests and tenant upload operations
- Consider establishing a process for network administrators to report unexpected password change prompts or authentication failures on SD-WAN devices
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1078.003 - Local Accounts
- T1068 - Exploitation for Privilege Escalation
- T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow
- T1070 - Indicator Removal
- T1070.004 - File Deletion
- T1552 - Unsecured Credentials
- T1098 - Account Manipulation
Additional IOCs
- File Paths:
/home/admin/evil_tenant.csv- Malicious CSV file uploaded by threat actor containing exploit payload for CVE-2026-20245; backed up and deleted during anti-forensic cleanup/home/admin/.orig_vbond_vsmart_tenant_list- Backup of original vbond_vsmart_tenant_list configuration file created by threat actor for later restoration/home/admin/.orig_vbond_vsmart_tenant_list.state- State file tracking whether original tenant list configuration was present or absent before modification/home/admin/.orig_passwd- Backup of original /etc/passwd file created by threat actor before appending malicious troot user entry/home/admin/.orig_shadow- Backup of original /etc/shadow file created by threat actor before appending malicious troot user entry
- Command Lines:
- Purpose: Upload malicious CSV file to exploit CVE-2026-20245 for privilege escalation to root | Tools:
Cisco SD-WAN CLI,request tenant-upload| Stage: Privilege Escalation |request tenant-upload tenant-list <filepath> vpn 0 - Purpose: Switch from admin account to newly created troot root-privileged account | Tools:
su| Stage: Privilege Escalation |su <username>
- Purpose: Upload malicious CSV file to exploit CVE-2026-20245 for privilege escalation to root | Tools:
- Other:
troot- Malicious user account with UID 0 (root privileges) created by appending entries to /etc/passwd and /etc/shadow via the evil_tenant.csv exploit payload