Mandiant identified a threat actor exploiting zero-day CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to escalate privileges from a compromised administrative account to root-level access via a malicious CSV file upload. The intrusion began with rogue peering connections, potentially leveraging CVE-2026-20127 or CVE-2026-20182, followed by SSH access using the vmanage-admin account, password manipulation of the admin account, and ultimately root access through a crafted evil_tenant.csv payload that modified /etc/passwd and /etc/shadow. The threat actor employed extensive anti-forensic techniques including file deletion, configuration restoration, and validation script execution to purge indicators.