Cisco Catalyst SD-WAN Zero-Day Exploited Months Before Disclosure
2026-06-25 09:17 | Severity: CRITICAL | HIGH
Executive Summary (AI-generated)
Google-owned Mandiant reports that an unknown threat actor exploited CVE-2026-20245, a high-severity (CVSS 7.8) flaw in the command-line interface of Cisco Catalyst SD-WAN controllers, as a zero-day at least two months before its public disclosure. The flaw is a post-authentication privilege escalation: an authenticated, local attacker who supplies a crafted file through the tenant-upload CLI feature can execute arbitrary commands as root, so it requires valid credentials or a prior foothold. In the first wave, between late 2025 and January 2026, that foothold came from unauthorized peering connections that likely abused the then-unknown authentication bypass flaws CVE-2026-20127 and CVE-2026-20182, although the exact method remains unclear. In a second wave beginning in March 2026, the actor established new rogue peer connections, authenticated to SD-WAN Manager with the vmanage-admin account, changed the default admin credentials, opened an SSH session as admin, uploaded a malicious CSV named evil_tenant.csv with the request tenant-upload command, created a rogue root account, and switched to it with su. Cisco has confirmed active exploitation and released fixes.
Technical Mitigations (AI-generated)
* Patch now: Cisco has confirmed active exploitation and released fixes. Apply them to Cisco Catalyst SD-WAN Manager in every deployment model (on-premises, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud, FedRAMP). Patching CVE-2026-20127 alone was not sufficient: the March 2026 wave hit a device that was already patched against it.
* Credentials and management access: CVE-2026-20245 is post-authentication, and the actor reached it through the admin and vmanage-admin accounts after changing the default admin credentials. Replace default credentials, restrict SSH and management-plane access to a dedicated administrative network, and alert on any change to an administrative account's password.
* Control-plane peering: both waves started with rogue peer connections. Limit which addresses can reach the controllers' control-plane ports and reconcile the observed peer list against an inventory of legitimate peers.
* Monitoring and incident response: edge devices such as SD-WAN controllers lack native EDR telemetry, so ship CLI and audit logs off-box and hunt for request tenant-upload invocations that read files from user home directories (such as /home/admin/evil_tenant.csv), new UID-0 accounts in /etc/passwd and /etc/shadow, su from an administrative account to a newly created root account, and the indicators of compromise and attacker IP addresses that Mandiant has published.
* Network segmentation: isolate the SD-WAN management plane from user and production networks; a foothold on a controller gives persistent visibility into internal traffic across the fabric.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20182
CVE-2026-20127
CVE-2026-20245
Target & Sectors
Global Scope
Technology
Incident Timeline
Late 2025 to January 2026
First wave: unauthorized peering connections to the victim's Cisco Catalyst SD-WAN controllers, which likely exploited the then-unknown authentication bypass flaws CVE-2026-20127 and CVE-2026-20182 (the exact method remains unclear).
March 2026
Second wave: new rogue peer connections, including to a device already patched against CVE-2026-20127. The threat actor authenticated to SD-WAN Manager with the vmanage-admin account, changed the default admin credentials, and from an SSH session as admin exploited CVE-2026-20245 by uploading a crafted file named evil_tenant.csv, creating a rogue root account, and switching to it with su.
CVE-2026-20127: Then in March 2026, a second wave of rogue peering connections targeted a device running a newer software version that was patched against CVE-2026-20127.
New rogue peer connections: Beginning in March 2026, the threat actor established new rogue peer connections and authenticated to affected SD-WAN Manager devices using the vmanage-admin account.
CVE-2026-20245 / evil_tenant.csv / SSH: "After establishing an SSH session with the admin account, the threat actor exploited CVE-2026-20245 by executing the following command to upload a file named evil_tenant.csv: request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0," continues Mandiant.
Cisco SD-WAN: The first activity likely exploited two then-unknown Cisco SD-WAN authentication bypass flaws, tracked as CVE-2026-20127 and CVE-2026-20182, to establish unauthorized connections.
SecurityAffairs: "As organizations increasingly adopt software-defined networking, the orchestrators managing these environments become primary targets."
Pierluigi Paganini (SecurityAffairs – hacking, Cisco Catalyst)
2026/06/24
Threat actors exploited CVE-2026-20245 in Cisco Catalyst SD-WAN devices as a zero-day, before its disclosure, to escalate to root after they had already gained access.
CVE-2026-20245 / SD-WAN: New exploitation details emerge. In a report published today, Mandiant revealed that CVE-2026-20245 was exploited as a privilege-escalation vulnerability after attackers had already gained access to targeted SD-WAN devices.
Jun 25, 2026
Threat actors exploited a previously unknown zero-day vulnerability in Cisco's Catalyst SD-WAN series, CVE-2026-20245.
2026/06/25
Hackers exploited a recently disclosed high-severity security flaw in Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed.
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited Months Before Disclosure.
Hackers exploited Cisco Catalyst SD-WAN flaw CVE-2026-20245 as a zero-day months before disclosure, enabling privileged command execution.
New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices.
During the first wave, the victim is said to have experienced unauthorized peering connections that likely exploited one of two authentication bypass flaws in Cisco Catalyst SD-WAN controllers (CVE-2026-20127 or CVE-2026-20182).
Google / Mandiant / CVSS: Google-owned Mandiant reported that an unknown threat actor exploited Cisco Catalyst SD-WAN vulnerability CVE-2026-20245 (CVSS base score of 7.8) as a zero-day at least two months before it was publicly disclosed.
Google pointed out that the activity once again highlights the "continuing trend" of bad actors weaponizing zero-days in edge devices like SD-WAN, as they lack the telemetry needed for deep forensic analysis, and a foothold in those systems can facilitate persistent visibility into internal traffic across the fabric.
Mandiant believes the rogue peering may have been created by exploiting previously disclosed Cisco SD-WAN authentication bypass zero-days, CVE-2026-20127 and CVE-2026-20182, though the exact method remains unclear.
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access.
evil_tenant.csv / CSV: "The attacker then changed default admin credentials before exploiting CVE-2026-20245 as a zero-day via a malicious CSV file upload (evil_tenant.csv)," Mandiant said.
CLI: The researchers say the attackers then exploited CVE-2026-20245 through a tenant-upload feature in the SD-WAN command-line interface by uploading a malicious CSV file named "evil_tenant.csv."
Cisco Catalyst SD-WAN Controllers: "CVE-2026-20245, a vulnerability reported to Cisco by Mandiant, exists in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system," explains Mandiant.
Cisco SD-WAN: Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access.
Cisco: Cisco has confirmed awareness of active exploitation and released fixes.
Cisco SD-WAN Cloud-Pro: The vulnerability affects Cisco Catalyst SD-WAN Manager across all deployment models, including on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud deployments, and FedRAMP environments.
EDR / Mandiant Consulting: "Advanced adversaries continue to primarily target and exploit network devices and other systems that don't natively support EDR solutions," Charles Carmakal, chief technology officer of Mandiant Consulting, said in a post on LinkedIn.
Linux: The attackers then used the Linux "su" command to switch from the compromised administrative account to the newly created root account, giving them full control over the device.
IP: Mandiant has published indicators of compromise, attacker IP addresses, and guidance to help organizations determine whether they were compromised.
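The chain described in the excerpts above (rogue peer connections, a request tenant-upload of a crafted CSV from an admin's home directory, a new root account, and su from the administrative account) can be hunted with a few host- and inventory-level checks. The script below is an added example serving both the Monitoring and Incident Response mitigation listed earlier and the attack chain just described; it is not Mandiant's or Cisco's tooling and is not part of the original page. It assumes a constructed "timestamp user command" line format for SSH command history (real SD-WAN Manager audit logs differ, so adapt the regex), a constructed /etc/passwd excerpt, an operator-maintained allowlist of legitimate peers, and /opt/data/ as the staging directory for legitimate tenant CSVs. The account name sdwan_root and every IP address are placeholders; none of these come from the page.

```python
"""Hunting checks for the Cisco Catalyst SD-WAN intrusion chain described above.

Added example (not Mandiant's or Cisco's tooling). Assumed, not from the page:
the 'timestamp user command' log line format, the /opt/data/ staging directory,
the peer allowlist, the sdwan_root account name and every IP address.
"""
import re
from dataclasses import dataclass

# Constructed sample of SSH command history on an SD-WAN Manager (not real telemetry).
# 'sdwan_root' is a placeholder: the page does not name the rogue root account.
SAMPLE_CLI_LOG = """\
2026-03-12T08:14:02Z admin show control connections
2026-03-12T08:15:37Z admin request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0
2026-03-12T08:16:10Z admin su sdwan_root
2026-03-14T10:02:00Z vmanage-admin request tenant-upload tenant-list /opt/data/tenants.csv vpn 0
"""

# Constructed /etc/passwd excerpt with one UID-0 account besides root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
sdwan_root:x:0:0::/home/sdwan_root:/bin/bash
"""

# Assumed operator inventory of legitimate control-plane peers, and a constructed
# observed peer list in which 198.51.100.23 (a documentation address) is the rogue one.
EXPECTED_PEERS = {"10.0.0.11", "10.0.0.12"}
OBSERVED_PEERS = ["10.0.0.11", "10.0.0.12", "198.51.100.23"]

# Assumed directory from which legitimate tenant CSVs are uploaded; user home
# directories such as /home/admin are writable by any SSH user and are suspicious.
TRUSTED_UPLOAD_DIRS = ("/opt/data/",)

UPLOAD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+request tenant-upload tenant-list\s+(?P<path>\S+)"
)
SU_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+su\b(?:\s+-)?\s*(?P<target>\S*)$")


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def suspicious_tenant_uploads(log_text: str) -> list[Finding]:
    """Flag 'request tenant-upload' calls whose file is outside the trusted staging
    directory, then any later 'su' by the same user (an upload followed by a switch
    to a new root account is the chain Mandiant describes)."""
    findings: list[Finding] = []
    flagged_users: set[str] = set()
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if m:
            if not m["path"].startswith(TRUSTED_UPLOAD_DIRS):
                findings.append(Finding("tenant-upload",
                                        f"{m['user']} uploaded {m['path']} at {m['ts']}"))
                flagged_users.add(m["user"])
            continue
        m = SU_RE.match(line)
        if m and m["user"] in flagged_users:
            target = m["target"] or "root"  # a bare 'su' defaults to root
            findings.append(Finding("su-after-upload",
                                    f"{m['user']} switched to {target} at {m['ts']}"))
    return findings


def unexpected_root_accounts(passwd_text: str) -> list[str]:
    """Return every UID-0 account other than 'root' found in an /etc/passwd dump."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def rogue_peers(observed, expected) -> list[str]:
    """Peers seen on the controller that are not in the operator's inventory."""
    return sorted(set(observed) - set(expected))


if __name__ == "__main__":
    for f in suspicious_tenant_uploads(SAMPLE_CLI_LOG):
        print(f"[{f.check}] {f.detail}")
    print("unexpected UID-0 accounts:", unexpected_root_accounts(SAMPLE_PASSWD))
    print("peers not in inventory:", rogue_peers(OBSERVED_PEERS, EXPECTED_PEERS))
```

The upload check deliberately does not try to detect the crafted file's contents, which the page does not describe; it keys on where the file came from and on what the same user did next, which is the observable part of the chain. Run the /etc/passwd check against a copy pulled off the device, since an actor with root can alter what the device itself reports.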
early 2026
Threat actors exploited CVE-2026-20245 in Cisco Catalyst SD-WAN systems months before its official disclosure.
SD-WAN: "In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider."
Intelligence Sources
The Hacker News
2026-06-25
BleepingComputer
2026-06-24
Security Affairs
2026-06-25
Incident Version History: current version, last updated 2026-06-29T06:24.
Comprehensive Tactical Telemetry
Highly correlated entities: Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 (22x); early 2026 (temporal reference, 7x); Vulnerability / Threat Intelligence (attributing entity, 6x); CVE-2026-20245 (exploited CVE, 3x).
Contextual telemetry: targeted sector Technology; MITRE ATT&CK technique T1003.008 (/etc/passwd and /etc/shadow); affected product Linux.