Zero-Day Privilege Escalation Flaw Exploited in Cisco Catalyst SDWAN Manager

The FortiBleed campaign is an ongoing, highly scaled cyber operation active since at least February 2026, primarily attributed to a financially motivated Russian Initial Access Broker (IAB). The operation blends automated mass scanning with targeted corporate profiling to compromise edge-networking devices and downstream corporate environments. Notably, its sophisticated targeting of a NATO-aligned defense contractor suggests potential secondary utility or collaboration with state-nexus elements.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2026-20245
  • CVSS Score: 7.8
  • Exploit Status: Active exploitation confirmed
  • CWE-116: The vulnerability exists in the CLI file upload feature of Cisco Catalyst SD-WAN controllers due to insufficient validation of user-supplied input. An attacker with netadmin privileges can upload a crafted file to the system, triggering command injection that executes arbitrary commands as root.

Affected Products & Fixed Versions

  • The vulnerability affects Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager, and Cisco Catalyst SD-WAN Validator, regardless of device configuration.
  • Affected Releases: 20.9.9.1 and earlier; 20.12.7.1 and earlier; 20.15.4.4 and earlier; 20.15.5.2 and earlier; 20.18.3; 26.1.1.1 and earlier
  • Fixed Releases: 20.9.9.2; 20.12.7.2; 20.15.4.5; 20.15.5.3; 20.18.3.1; 26.1.1.2

Intrusion Timeline and Detection Signals

Mandiant documented the following intrusion sequence at a service provider from late 2025 to March 2026. Detection signals are included per phase; validate all findings against the device’s normal activity baseline to minimise false positives.

  1. Rogue Peering (Late 2025 to January 2026): Multiple unauthorised peering connections to victim SD-WAN Manager devices, possibly exploiting undisclosed CVE-2026-20127 or CVE-2026-20182. Detection: audit peering logs for connections from unrecognised peer devices or IP addresses not belonging to the expected SD-WAN fabric.
  2. Credential Manipulation (March 2026): Threat actor authenticated via SSH as vmanage-admin from an external IP, changed the admin account password to access the web interface and exfiltrate SD-WAN fabric configurations, then reverted the password before disconnecting. Detection: search /var/log/auth.log for external vmanage-admin SSH logins and paired rapid admin password changes.
  3. CVE-2026-20245 Exploitation (7 March 2026): Threat actor uploaded evil_tenant.csv via the request tenant-upload CLI command, injecting root account troot into /etc/passwd and /etc/shadow. Detection: check /var/log/scripts.log for unexpected vconfd_script_upload_tenant_list.sh executions and CLI history for tenant-upload commands.
  4. Anti-Forensic Cleanup: All attacker-created files deleted, modified configurations restored, and a validation script executed to confirm indicator removal. Detection: audit /var/confd/rollback/ for delta commits targeting admin account passwords and /var/log/auth.log for su executions to troot or other unrecognised accounts.

Adversary Toolkit

  Tool            | Language            | Function
  ----------------|---------------------|---------------------------------------------------------------------------------
  evil_tenant.csv | Shell (CSV payload) | Crafted CSV payload exploiting CVE-2026-20245 to inject a root account via command injection

Other Notable CVEs

a. CVE-2026-20127: Authentication bypass in the Cisco Catalyst SD-WAN peering mechanism; allows an unauthenticated remote attacker to obtain administrative privileges. Possible prerequisite for CVE-2026-20245 exploitation in the late 2025 intrusion wave.
b. CVE-2026-20182: Authentication bypass in the Cisco Catalyst SD-WAN peering mechanism; allows an unauthenticated remote attacker to obtain administrative privileges. Confirmed not exploited in the March 2026 wave but remains a viable initial access vector.

Recommendations

  1. Before patching, run request admin-tech on all SD-WAN control components to capture forensic data; if any indicator of compromise is confirmed, engage Cisco TAC before applying the software upgrade.
  2. Upgrade Cisco Catalyst SD-WAN Manager, Controller, and Validator to a fixed release: 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2 or later.
  3. Search /var/log/scripts.log for unexpected vconfd_script_upload_tenant_list.sh entries and /var/log/auth.log for vmanage-admin SSH logins from unrecognised external IPs.
  4. Audit /etc/passwd and /etc/shadow for unauthorised root accounts (e.g., troot) and check /var/confd/rollback/ for delta commits targeting admin account passwords.
  5. Block the IOCs at their respective controls; the indicator collection is published at:
    https://www.virustotal.com/gui/collection/d966161b93100fb8905b9b81bd03e57bbc93f21534acee88999e77798e913d5b/iocs
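As an added example (not code from the advisory, Mandiant or Cisco), the detection signals listed in the intrusion timeline above and in recommendations 3 and 4 can be checked with a small script over exported copies of /var/log/auth.log, /var/log/scripts.log and /etc/passwd. The sample log lines, the troot entry and the trusted 10.20.0.0/16 management range are constructed assumptions; the exact log formats written by a given SD-WAN release should be confirmed on the device before tuning the patterns.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample logs (not from the advisory); formats follow common syslog/sshd/pam_unix output.
AUTH_LOG = """\
Mar  7 02:14:11 vmanage sshd[2210]: Accepted password for vmanage-admin from 203.0.113.45 port 51022 ssh2
Mar  7 02:14:40 vmanage passwd[2231]: pam_unix(passwd:chauthtok): password changed for admin
Mar  7 02:31:05 vmanage passwd[2390]: pam_unix(passwd:chauthtok): password changed for admin
Mar  7 02:35:12 vmanage su[2402]: (to troot) vmanage-admin on pts/0
Mar  8 09:00:01 vmanage sshd[3001]: Accepted publickey for vmanage-admin from 10.20.0.5 port 41000 ssh2
"""
SCRIPTS_LOG = "2026-03-07 02:20:03 vconfd_script_upload_tenant_list.sh: processing evil_tenant.csv\n2026-03-08 10:00:00 vconfd_script_backup.sh: completed\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\ntroot:x:0:0::/root:/bin/bash\nvmanage-admin:x:1001:1001::/home/vmanage-admin:/bin/sh\n"

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed management ranges; tune per fabric
SSH_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
PW_RE = re.compile(r"password changed for (?P<user>\S+)")
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\)")

def external_ssh_logins(auth_log, user="vmanage-admin"):
    """Phase 2 signal: SSH logins for `user` from addresses outside the trusted management ranges."""
    hits = []
    for line in auth_log.splitlines():
        m = SSH_RE.search(line)
        if m and m["user"] == user and not any(ipaddress.ip_address(m["ip"]) in n for n in TRUSTED_NETS):
            hits.append(m["ip"])
    return hits

def paired_password_changes(auth_log, user="admin", window_min=60):
    """Phase 2 signal: two password changes for `user` within `window_min` minutes (change, then revert).
    Uses the year-less 'Mon dd HH:MM:SS' syslog prefix, which is fine for deltas inside one log."""
    times = [datetime.strptime(l[:15], "%b %d %H:%M:%S")
             for l in auth_log.splitlines() if (m := PW_RE.search(l)) and m["user"] == user]
    return [(a, b) for a, b in zip(times, times[1:]) if (b - a).total_seconds() <= window_min * 60]

def tenant_upload_runs(scripts_log):
    """Phase 3 signal: executions of the tenant-list upload script; investigate any you did not schedule."""
    return [l for l in scripts_log.splitlines() if "vconfd_script_upload_tenant_list.sh" in l]

def extra_uid0_accounts(passwd):
    """Phase 3/4 signal: UID-0 accounts other than root in /etc/passwd (the intrusion added troot)."""
    rows = [f.split(":") for f in passwd.splitlines() if f.strip()]
    return [r[0] for r in rows if r[2] == "0" and r[0] != "root"]

def su_to_unknown(auth_log, known=("root",)):
    """Phase 4 signal: su executions to accounts outside the known list."""
    return [m["target"] for l in auth_log.splitlines() if (m := SU_RE.search(l)) and m["target"] not in known]
```

Each function returns the matching evidence rather than a verdict, so results can be compared against the device's normal baseline before raising an alert.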

Source:

  • https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx

7th August 2026

New Delhi, India