A recent cybersecurity incident has revealed a significant vulnerability in Cisco Catalyst SD-WAN Manager, exploited by a sophisticated hacking group. The attackers targeted a service provider’s SD-WAN infrastructure by leveraging a zero-day privilege escalation flaw, identified as CVE-2026-20245, which carries a severity score of 7.8 on the CVSS scale. This breach enabled them to escalate privileges from an administrative account to full root access, posing a grave security risk.
Understanding the Vulnerability
The vulnerability, CVE-2026-20245, is located in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers. It falls under the category of CWE-116, which deals with improper encoding or escaping of output. The flaw arises from inadequate validation in the file upload feature, allowing attackers with netadmin-level privileges to upload malicious CSV files. These files can trigger command injection, enabling execution of arbitrary commands with root privileges.
This issue impacts all deployment scenarios, including On-Prem, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP government environments. The exploitation unfolded in two phases. In the first, the attackers established unauthorized connections by exploiting other vulnerabilities, including CVE-2026-20127 and CVE-2026-20182, which allowed them to gain administrative privileges without detection.
Exploit Techniques and Attack Details
From March 2026, the attackers renewed their efforts, establishing new rogue connections and using default credentials to access the SD-WAN Manager via SSH. They changed the admin account password, logged into the web interface to extract sensitive configuration data, and then restored the original password to avoid raising suspicion.
The core of their strategy involved uploading a file named evil_tenant.csv during an SSH session. This file’s payload modified critical system files like /etc/passwd and /etc/shadow, creating a new user with root-level privileges. The attackers used this account to gain complete control over the management plane, followed by a thorough cleanup to erase any forensic evidence.
Recommended Mitigation Steps
In response to this threat, organizations using Cisco Catalyst SD-WAN Manager should take immediate action. They are advised to upgrade to the latest software versions, such as 20.9.9.2 and higher, which contain necessary security patches. Additionally, conducting log reviews and monitoring for suspicious activity is crucial.
Organizations should follow Cisco’s guidelines for securing their SD-WAN environments, including enforcing strict access controls and performing regular security sweeps. If any signs of compromise are detected, contacting Cisco TAC is essential to ensure swift and effective remediation.
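The two defensive checks below follow directly from the attack details and the mitigation advice above: the CSV payload left its mark by adding a root-level user to /etc/passwd and /etc/shadow, and the advisory names 20.9.9.2 as the fixed release. This is an added example written for this article, not Cisco's code or tooling. The passwd and shadow contents are constructed samples (the account names vmanage-admin and svc_backup are placeholders, not indicators from the incident), and the version check assumes a single lower bound of 20.9.9.2; whether other Cisco release trains carry the fix is not stated on this page.

```python
"""Defensive checks for the post-exploitation artifacts and fixed-version
requirement described in the article (added example; not Cisco's code).

audit_root_accounts()  parses /etc/passwd and /etc/shadow text and reports every
                       UID-0 account other than the expected 'root', noting whether
                       its shadow entry allows interactive login.
is_patched()           compares a dotted release string against 20.9.9.2.
"""
from typing import Dict, List, Tuple

# Fixed release named in the article; later releases are treated as fixed too
# (assumption: a single lower bound, no per-train logic).
FIXED_VERSION = "20.9.9.2"

# Constructed sample files. 'svc_backup' stands in for the kind of rogue UID-0
# account the malicious CSV payload created; it is not a real indicator.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
svc_backup:x:0:0::/root:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$examplehash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
vmanage-admin:$6$anotherhash:19800:0:99999:7:::
svc_backup:$6$roguehash:19800:0:99999:7:::
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) records; a line without exactly 7 fields is flagged."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A hand-edited or truncated record is itself worth reporting.
            entries.append({"name": line, "uid": "?", "malformed": "1"})
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "home": home, "shell": shell})
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> password-hash field from shadow(5) records."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            hashes[fields[0]] = fields[1]
    return hashes


def audit_root_accounts(passwd_text: str, shadow_text: str,
                        expected_root: str = "root") -> List[str]:
    """Return one finding per unexpected UID-0 account (or malformed line)."""
    findings: List[str] = []
    hashes = parse_shadow(shadow_text)
    for entry in parse_passwd(passwd_text):
        if entry.get("malformed"):
            findings.append(f"malformed passwd line: {entry['name']!r}")
            continue
        if entry["uid"] != "0" or entry["name"] == expected_root:
            continue
        # '*' or a leading '!' in the hash field means the account is locked;
        # anything else lets the extra root account log in interactively.
        pw_hash = hashes.get(entry["name"], "")
        unlocked = bool(pw_hash) and not pw_hash.startswith(("*", "!"))
        login = "login enabled" if unlocked else "login locked"
        findings.append(f"extra UID-0 account: {entry['name']} "
                        f"(shell {entry['shell']}, {login})")
    return findings


def version_tuple(version: str) -> Tuple[int, ...]:
    """'20.9.9.2' -> (20, 9, 9, 2); tuple ordering handles differing lengths."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(running: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running release is the fixed release or later."""
    return version_tuple(running) >= version_tuple(fixed)


if __name__ == "__main__":
    for finding in audit_root_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("FINDING:", finding)
    for release in ("20.9.9.1", "20.9.9.2", "20.12.1"):
        print(release, "patched" if is_patched(release) else "UPGRADE REQUIRED")
```

On a real system the two parsers would be fed the contents of /etc/passwd and /etc/shadow captured during a forensic review; because the article notes the attackers cleaned up after themselves, an empty finding list should be read alongside log review rather than as proof of a clean host.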
This incident underscores the increasing trend of zero-day exploits targeting network appliances. It highlights the need for robust security measures and the treatment of management planes as critical attack surfaces. Continuous monitoring and proactive patch management remain vital to defend against such evolving cyber threats.
