A threat actor exploited three vulnerabilities in Cisco Catalyst SD-WAN software to compromise the network management infrastructure of a service provider, achieving root-level access and sustaining a covert presence for months before detection, according to threat intelligence published by Mandiant on June 24, 2026.
A Three-Flaw Escalation Chain
The intrusion, documented by Mandiant’s Google Cloud threat intelligence team, combined two critical authentication bypass flaws with a privilege escalation vulnerability to move from unauthenticated network access to full root control of the SD-WAN management plane. The three vulnerabilities, CVE-2026-20127, CVE-2026-20182, and CVE-2026-20245, were exploited in sequence across a campaign that Mandiant assessed began in late 2025 and continued through at least March 2026.
The attack unfolded in distinct phases. During the initial access phase in late 2025 and early 2026, attackers exploited CVE-2026-20127 or CVE-2026-20182, both rated critical, to bypass authentication in Cisco Catalyst SD-WAN peer communications. These flaws allowed the threat actor to establish rogue peering connections using stolen certificate material, gaining the functional equivalent of administrative access to the SD-WAN Manager without possessing valid user credentials.
With that foothold established, the threat actor shifted to credential manipulation during a second phase in March 2026. SSH sessions originating from external IP addresses were authenticated to the vmanage-admin account, a built-in service account with elevated permissions. Admin account passwords were modified and then immediately restored, a deliberate pattern designed to confirm credential control while minimizing the forensic footprint left in audit logs.
Root Escalation via CVE-2026-20245
The final escalation to root privileges relied on CVE-2026-20245, a high-severity command injection flaw in the Cisco Catalyst SD-WAN Manager CLI. According to Mandiant, attackers exploited a legitimate tenant-management function to upload a crafted payload that modified system account files on the underlying operating system, creating a rogue account with root-level privileges. The technique repurposed a standard administrative capability rather than exploiting a memory corruption flaw, allowing it to evade detection by endpoint and behavioral signatures tuned for more conventional exploitation patterns.
Cisco has published fixed versions addressing CVE-2026-20245: SD-WAN Manager 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2 or later. CVE-2026-20127 and CVE-2026-20182 were addressed in the same patching cycle.
Sophisticated Anti-Forensic Cleanup
What elevates this intrusion beyond an opportunistic compromise is the discipline the threat actor applied to erasing evidence of their presence. Mandiant found that before modifying system files, the attackers backed up the originals to temporary hidden directories on the device. After establishing persistence with the rogue root account, the originals were restored, the malicious payload was deleted, and a validation script was executed on the device to confirm that all indicators had been cleared.
The result was a management system that, under standard review, would appear fully intact with no anomalous files, no unexpected accounts in current system state, and no obviously modified configurations. Mandiant notes that this backup-modify-restore-validate operational pattern is consistent with state-sponsored intrusions where sustained access over many months takes priority over the pace of exploitation.
The three targeted components, SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond), collectively form the control plane of Cisco Catalyst SD-WAN. Compromise of this layer grants full visibility into all managed edge devices along with the routing policies, cryptographic keying material, and traffic segmentation rules governing the entire SD-WAN fabric. In a multi-tenant service provider environment, exposure extends to every customer organization whose infrastructure is managed through that control plane.
What It Means for the Security Leader
Cisco Catalyst SD-WAN is widely deployed by telecommunications carriers, managed service providers, and large enterprises to orchestrate distributed WAN connectivity. The compromise of a single service provider SD-WAN control plane carries a blast radius that extends to every tenant whose network is managed through that system. Configuration data, cryptographic material, and traffic visibility are all accessible from a compromised management plane, creating the conditions for downstream espionage, traffic interception, or network manipulation at scale.
The attack pattern in this campaign, unauthenticated access via authentication bypass followed by privilege escalation through a legitimate administrative function, exposes a specific gap in how many organizations govern network management infrastructure. Cloud workloads are increasingly managed under explicit zero-trust policies: continuous verification, least-privilege access, and behavioral monitoring. SD-WAN and other network management planes are frequently excluded from that posture, treated as implicit trust zones because they sit behind perimeters that are themselves managed by the systems an attacker has already compromised.
The anti-forensic sophistication of this campaign also raises the possibility that organizations relying solely on periodic log review or configuration audits may not detect an intrusion that has already occurred. Proactive threat hunting that includes review of authentication events, account lifecycle changes, and CLI usage patterns on SD-WAN management infrastructure is now a necessary complement to patching.
Immediate Defender Actions
Based on Mandiant’s investigation and Cisco guidance, organizations running Cisco Catalyst SD-WAN should take the following steps:
- Patch to fixed versions. Upgrade SD-WAN Manager to 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or a later release on the same train to remediate CVE-2026-20245 and the associated authentication bypass flaws.
- Audit SSH authentication logs. Review authentication logs for successful logins to the vmanage-admin account from external or unrecognized IP addresses. Mandiant has published a list of IP addresses associated with rogue device connections observed during this campaign.
- Hunt for admin password changes followed by restores. Search audit logs for admin account password modifications that were applied and then reverted within a short interval, the specific credential-manipulation indicator identified in this intrusion.
- Audit active SD-WAN peering relationships. Verify that all active peering connections originate from devices and addresses associated with legitimate branch infrastructure. Unauthorized peering connections were the initial access vector.
- Review script and CLI execution history. Examine command and script execution logs on SD-WAN Manager for tenant-upload operations that reference files or paths not consistent with normal administrative operations.
- Engage Cisco TAC if indicators are found. If any of the above indicators are present, collect a diagnostic bundle using the admin-tech command and contact Cisco Technical Assistance Center for incident response support.
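Turning the log-based hunting steps above into something that runs: the following is an added Python example written for this article, not tooling from Mandiant or Cisco. It parses a constructed, simplified audit-log format (real SD-WAN Manager logs differ; the field layout, the five-minute pairing window, the RFC 1918 allowlist and the permitted upload prefixes are all assumptions) and flags three of the indicators listed above: vmanage-admin SSH logins from outside internal ranges, two password changes to the same account inside a short window, and tenant-upload operations referencing unexpected paths.

```python
"""Hunt for the credential-manipulation and access indicators described above.

Example code, not Mandiant's or Cisco's tooling. The log format below is a
constructed simplification: one event per line, fields are
    <ISO-8601 timestamp> <acting user> <source IP> <event> [key=value ...]
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not real SD-WAN Manager output). 203.0.113.0/24 is a
# documentation range standing in for an external address.
SAMPLE_LOG = """\
2026-03-03T02:11:04Z vmanage-admin 203.0.113.25 ssh_login success
2026-03-03T02:12:30Z vmanage-admin 203.0.113.25 password_change target=admin
2026-03-03T02:12:41Z vmanage-admin 203.0.113.25 password_change target=admin
2026-03-03T02:15:00Z vmanage-admin 203.0.113.25 tenant_upload path=/tmp/.x/passwd.tar
2026-03-04T09:00:00Z netops 10.10.0.5 ssh_login success
2026-03-04T09:05:00Z netops 10.10.0.5 password_change target=svc-backup
2026-03-05T11:00:00Z vmanage-admin 10.10.0.7 ssh_login success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<event>\S+)\s*(?P<detail>.*)$"
)

# Assumed internal ranges; a real deployment would use its own management allowlist.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["ip"] = ip_address(ev["ip"])
        ev["kv"] = dict(kv.split("=", 1) for kv in ev["detail"].split() if "=" in kv)
        events.append(ev)
    return events


def external_admin_logins(events, account="vmanage-admin", internal=INTERNAL_NETS):
    """Successful SSH logins to the built-in admin account from non-internal IPs."""
    return [ev for ev in events
            if ev["event"] == "ssh_login" and ev["user"] == account
            and not any(ev["ip"] in net for net in internal)]


def change_then_revert(events, window=timedelta(minutes=5)):
    """Audit logs record that a password changed, not its value, so two changes
    to the same target account inside a short window is the proxy for the
    'modified then immediately restored' pattern. Returns (target, t1, t2)."""
    changes = sorted((ev for ev in events if ev["event"] == "password_change"),
                     key=lambda e: e["ts"])
    last_change = {}
    hits = []
    for ev in changes:
        target = ev["kv"].get("target")
        prev = last_change.get(target)
        if prev is not None and ev["ts"] - prev["ts"] <= window:
            hits.append((target, prev["ts"], ev["ts"]))
        last_change[target] = ev
    return hits


def odd_tenant_uploads(events, allowed_prefixes=("/home/", "/opt/data/")):
    """Tenant-upload operations whose path is outside the assumed normal locations."""
    return [ev for ev in events
            if ev["event"] == "tenant_upload"
            and not ev["kv"].get("path", "").startswith(allowed_prefixes)]


def hunt(text):
    """Run all three checks over a log text and return the hits by indicator."""
    events = parse_log(text)
    return {
        "external_admin_logins": external_admin_logins(events),
        "change_then_revert": change_then_revert(events),
        "odd_tenant_uploads": odd_tenant_uploads(events),
    }


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Against the constructed log the hunt returns one hit per indicator: the vmanage-admin login from 203.0.113.25 (the later login from 10.10.0.7 is inside the allowlist and is not flagged), the two changes to the admin password eleven seconds apart, and the upload referencing /tmp/.x/passwd.tar. The netops change to svc-backup is a single change and so is not paired. The pairing window is the tunable that matters: too narrow and a slower operator slips through, too wide and routine rotations pair with each other.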
For additional context on active exploitation of Cisco enterprise infrastructure, CyberTech previously reported on active exploitation of CVE-2026-20230 in Cisco Unified CM WebDialer, reflecting a sustained pattern of threat actor focus on Cisco enterprise platforms.