CVE-2026-20245: 5 things to know about the Cisco SD-WAN zero-day nobody caught in time

On June 25, 2026, new details emerged about the active exploitation of CVE-2026-20245, a command injection flaw in Cisco Catalyst SD-WAN Manager that was used as a zero-day at least two months before Cisco publicly disclosed it. According to The Hacker News, the attacker gained root access on a service provider’s SD-WAN management infrastructure, created a rogue account named “troot” with unrestricted shell access, and then ran scripts specifically designed to erase the evidence of the intrusion. This is the seventh Cisco SD-WAN vulnerability exploited in 2026.

1. What CVE-2026-20245 actually is

CVE-2026-20245 is a command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart) and Validator (vBond). The flaw exists because the file upload feature fails to properly validate user-supplied input, allowing an authenticated attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file. The exploit payload used in the confirmed attack was a CSV file named evil_tenant.csv, which abused a legitimate management function to write entries directly to the system’s /etc/passwd and /etc/shadow files and create an unauthorised root account.

Cisco rates the vulnerability CVSS 7.8 High. That score undersells the operational impact: SD-WAN Manager sits at the management plane of an SD-WAN deployment, meaning successful exploitation allows configuration changes to be pushed to all downstream edge devices across the network, not just the compromised management node.

2. How the attack worked, step by step

Mandiant’s investigation, detailed in a Google Cloud blog post, found two distinct phases of activity targeting the same service provider’s SD-WAN environment, beginning as early as late 2025.

In the first phase, the threat actor established unauthorised SD-WAN peering connections, likely exploiting CVE-2026-20127 or CVE-2026-20182, two previously disclosed SD-WAN zero-days. Peering in SD-WAN is the cryptographic handshake between network components that establishes mutual trust. Creating rogue peering connections gave the attacker a foothold that looked like a legitimate network peer rather than an external intrusion.

In the second phase, in March 2026, the attacker authenticated to the SD-WAN Manager instance via SSH using the vmanage-admin account, changed the default administrator password to lock out defenders, uploaded evil_tenant.csv to trigger CVE-2026-20245, escalated privileges to root and created the troot account with unrestricted shell access.

3. The attacker ran scripts to erase the evidence

This is the detail that distinguishes CVE-2026-20245 from a standard vulnerability exploitation. Throughout the intrusion, the attacker backed up configuration files before modifying them and then restored them after exploitation, deleted files they had created, reversed configuration changes, and ran scripts specifically designed to verify that forensic evidence had been eliminated. Mandiant described the attacker as demonstrating considerable operational maturity and noted that these anti-forensic measures significantly restricted investigators’ ability to reconstruct the full scope of the compromise or determine the attacker’s ultimate objectives.

The practical consequence for incident response teams is that the absence of evidence is not evidence of absence here. If your SD-WAN infrastructure was in scope during the March to June 2026 window, a clean log review does not confirm you were not affected. The attacker specifically designed their cleanup to produce exactly that result.

4. This is the seventh Cisco SD-WAN exploit of 2026

CVE-2026-20245 is not an isolated event. It is the seventh Cisco SD-WAN product vulnerability whose active exploitation came to light in 2026, following CVE-2026-20127, CVE-2026-20182 and four others disclosed earlier in the year. The attack chain Mandiant documented chains multiple Cisco SD-WAN vulnerabilities together: the initial peering access likely came from one of the two previously disclosed zero-days, and CVE-2026-20245 was used specifically for privilege escalation once inside.

The pattern matters more than any individual CVE. An attacker who has invested in developing and chaining multiple SD-WAN zero-days against service provider infrastructure is running a sustained campaign, not an opportunistic scan. CISA added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on June 4 and gave Federal Civilian Executive Branch agencies a June 23 deadline to patch or stop using affected systems.

5. What to do right now

The immediate priority list is straightforward:

  • Apply the Cisco patch immediately if you have not already. The CISA KEV deadline has passed for federal agencies. Every day without the patch is a day the exploit remains available.
  • Audit SD-WAN Manager access logs for SSH authentication using the vmanage-admin account between November 2025 and June 2026, noting that the attacker’s cleanup specifically targeted these logs. Look for password change events on the admin account and any new user account creation events, particularly accounts named troot or any unfamiliar account with root-level shell access.
  • Check for unauthorised peering connections on your SD-WAN Manager instances. The initial access vector in both phases of this attack was rogue peering rather than a direct external exploit, which means the foothold looks like a trusted network peer rather than an incoming attack.
  • Review configurations pushed to edge devices during the exposure window. Mandiant confirmed that successful exploitation of the management plane resulted in configuration changes being pushed downstream to edge devices. The blast radius of this vulnerability extends beyond the compromised management node.
  • Treat clean logs as inconclusive rather than as confirmation of no compromise. The attacker ran verification scripts specifically to produce clean forensic outputs. If you have reason to believe you were in scope, commission an independent forensic investigation rather than relying on internal log review alone.
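As an added example (not from the article or from Cisco), the two checks from section 1 and the audit bullets above can be scripted: flag any UID 0 account in /etc/passwd other than root (the effect of the evil_tenant.csv abuse), and scan syslog-style auth lines for SSH logins as vmanage-admin, password changes on that account, and creation of a UID 0 user such as troot. The passwd content and log lines are constructed samples in generic OpenSSH/shadow-utils format; the real SD-WAN Manager log layout is not given on the page and is an assumption here.

```python
import re

# Constructed sample inputs (not from the article or any real device): a passwd
# file containing a rogue UID-0 account, plus sshd/passwd/useradd-style syslog lines.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/sh
troot:x:0:0::/root:/bin/bash
"""

SAMPLE_AUTH_LOG = """Mar 14 02:11:09 vmanage sshd[4011]: Accepted password for vmanage-admin from 198.51.100.7 port 51234 ssh2
Mar 14 02:12:40 vmanage passwd[4020]: pam_unix(passwd:chauthtok): password changed for vmanage-admin
Mar 14 02:15:02 vmanage useradd[4031]: new user: name=troot, UID=0, GID=0, home=/root, shell=/bin/bash
Mar 15 09:00:00 vmanage sshd[5120]: Accepted publickey for netops from 10.0.0.5 port 40000 ssh2
"""


def extra_uid0_accounts(passwd_text):
    """Return account names with UID 0 other than 'root' (rogue root accounts)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def audit_auth_log(log_text, watched_user="vmanage-admin"):
    """Flag SSH logins as the watched account, password changes on it, and any
    new user created with UID 0. Returns a list of (kind, detail) tuples."""
    hits = []
    login = re.compile(rf"sshd\[\d+\]: Accepted \w+ for {re.escape(watched_user)} from (\S+)")
    pw_change = re.compile(rf"password changed for {re.escape(watched_user)}\b")
    new_user = re.compile(r"useradd\[\d+\]: new user: name=(\w+), UID=(\d+)")
    for line in log_text.splitlines():
        if m := login.search(line):
            hits.append(("admin_ssh_login", m.group(1)))      # source address of the login
        elif pw_change.search(line):
            hits.append(("admin_password_change", watched_user))
        elif (m := new_user.search(line)) and m.group(2) == "0":
            hits.append(("uid0_user_created", m.group(1)))   # e.g. troot
    return hits


if __name__ == "__main__":
    print("rogue UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    for kind, detail in audit_auth_log(SAMPLE_AUTH_LOG):
        print(kind, detail)
```

A hit here is a lead, not a verdict: per section 3, an empty result from this script on a host the attacker cleaned up proves nothing.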

The broader lesson from CVE-2026-20245 is the same one the six preceding Cisco SD-WAN exploits of 2026 have been teaching: network management infrastructure is now primary target territory for sophisticated threat actors, and the assumption that management plane access requires physical proximity or deep internal access is no longer operationally valid.

CybelAngel’s Attack Surface Management platform monitors externally exposed management interfaces and network infrastructure continuously, alerting security teams when vulnerable versions of network management software are reachable from the internet before an attacker finds them.
