Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access
Jun 26, 2026
Executive Summary
Google-owned Mandiant has disclosed new technical details about how attackers exploited a previously unknown vulnerability in Cisco Catalyst SD-WAN Manager to obtain root-level access within a communications service provider's network.
The attack centered around CVE-2026-20245, a privilege escalation vulnerability affecting Cisco Catalyst SD-WAN Manager. Rather than serving as the initial entry point, the flaw was leveraged after attackers had already obtained administrative privileges. They then abused an insecure file upload mechanism to execute commands as the root user, giving them complete control over the SD-WAN management infrastructure.
At a Glance
| Category | Details |
|---|---|
| Threat | Cisco Catalyst SD-WAN Zero-Day Privilege Escalation |
| Vulnerability | CVE-2026-20245 |
| Severity | High (CVSS 7.8) |
| Affected Product | Cisco Catalyst SD-WAN Manager |
| Attack Type | Privilege Escalation / Command Injection |
| Impact | Root-Level Access |
| Discovered By | Mandiant |
| Exploitation Status | Actively Exploited in the Wild |
| Patch Status | Cisco has released security updates |
What Happened?
Mandiant investigated an intrusion targeting a communications service provider and uncovered a sophisticated attack against Cisco Catalyst SD-WAN infrastructure.
The attackers had already gained administrative ("netadmin") access before exploiting CVE-2026-20245. Using a specially crafted file uploaded through the SD-WAN Manager's file upload functionality, they executed arbitrary commands with root privileges.
Once root access was obtained, the threat actor effectively controlled the SD-WAN management platform, allowing them to manipulate network infrastructure at the highest privilege level.
How the Attack Worked
According to Mandiant, the attack followed a multi-stage process:
1. Initial compromise of the Cisco SD-WAN environment.
2. Administrative ("netadmin") access obtained.
3. Exploitation of CVE-2026-20245.
4. Malicious CSV/file uploaded through the vulnerable upload feature.
5. Command injection executed.
6. Root account created.
7. Persistent root-level access established.
Unlike remote code execution vulnerabilities that require no authentication, this attack depended on the attacker already possessing administrative privileges. However, once those privileges existed, the vulnerability enabled complete compromise of the management appliance.
Root Cause of the Vulnerability
The vulnerability exists because Cisco SD-WAN Manager failed to properly validate user-supplied input during file uploads.
A crafted upload allows command injection, enabling attackers to execute arbitrary commands as the Linux root user.
Cisco noted that successful exploitation requires:
- Netadmin privileges
- Valid administrator credentials, or
- Prior exploitation of other Cisco SD-WAN vulnerabilities such as:
  - CVE-2026-20182
  - CVE-2026-20127
This makes CVE-2026-20245 an ideal privilege escalation vulnerability for attackers who have already established an initial foothold.
Why Root Access Is Dangerous
Root privileges provide unrestricted control over the SD-WAN controller.
An attacker with root access can:
- Modify network configurations
- Deploy malicious configurations to edge devices
- Create persistent backdoors
- Steal sensitive configuration data
- Disable security monitoring
- Maintain long-term persistence inside enterprise networks
Because SD-WAN controllers manage traffic across multiple branch offices and cloud environments, compromising the controller can have organization-wide consequences.
Affected Deployments
Cisco confirmed the vulnerability impacts multiple deployment models, including:
- On-premises deployments
- Cloud deployments
- Cisco Managed Cloud
- Cloud-Pro
- Government (FedRAMP) deployments
Organizations using Cisco Catalyst SD-WAN Manager should verify they are running updated software versions.
Cisco's Response
Cisco has acknowledged active exploitation of the vulnerability in limited real-world attacks.
Following Mandiant's responsible disclosure, Cisco released security updates addressing CVE-2026-20245 and advised customers to:
- Upgrade immediately to patched software
- Preserve forensic logs before upgrading
- Review Indicators of Compromise (IOCs)
- Contact Cisco TAC if compromise is suspected, as patching alone may not remove an existing attacker from a compromised system
How Organizations Can Protect Themselves
Security teams should:
- Apply Cisco's latest SD-WAN security updates immediately.
- Audit administrator accounts for unauthorized changes.
- Review SD-WAN logs for suspicious file upload activity.
- Investigate unexpected configuration pushes to edge devices.
- Restrict privileged administrative access.
- Enable continuous monitoring for abnormal controller behavior.
- Preserve forensic evidence before remediation if compromise is suspected.
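As an added illustration of the account-audit and log-review steps above (this is example code written for this page, not part of the original article or of any Cisco tooling), the following Python flags unexpected UID 0 accounts in passwd-format text and correlates audit entries in which a netadmin file upload is followed shortly by a root-level account creation, the chain described in "How the Attack Worked". The log line format, field names and sample values are all constructed assumptions, not real Cisco SD-WAN Manager output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical key=value format (not real Cisco output).
SAMPLE_LOG = """\
2026-06-20T10:01:12Z user=netadmin action=file_upload name=devices.csv
2026-06-20T10:01:15Z user=netadmin action=template_push target=edge-01
2026-06-20T10:03:40Z user=root action=account_create name=svc_backup uid=0
2026-06-21T08:00:00Z user=netadmin action=file_upload name=sites.csv
2026-06-21T12:30:00Z user=root action=account_create name=auditor uid=1001
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")


def parse(log):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
        events.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                       "user": m.group("user"), "action": m.group("action"), **fields})
    return events


def uid0_accounts(passwd_text):
    """Return account names with UID 0 other than 'root' in passwd-format text."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            hits.append(parts[0])
    return hits


def upload_then_root_account(events, window=timedelta(minutes=10)):
    """Pair each file upload with any uid=0 account creation that follows within `window`."""
    uploads = [e for e in events if e["action"] == "file_upload"]
    creations = [e for e in events if e["action"] == "account_create" and e.get("uid") == "0"]
    alerts = []
    for c in creations:
        for u in uploads:
            if u["ts"] <= c["ts"] <= u["ts"] + window:
                alerts.append((u["user"], u.get("name"), c.get("name")))
    return alerts
```

Both checks are meant to run against preserved evidence copies, so that the review does not disturb the forensic state of a suspected-compromised controller.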
Key Takeaways
The Cisco SD-WAN incident demonstrates that attackers continue to target network infrastructure rather than endpoints alone. Even vulnerabilities requiring authenticated access can become highly dangerous when chained with previously exploited flaws or stolen credentials.
Organizations relying on Cisco Catalyst SD-WAN should prioritize patching, review privileged access, and monitor management infrastructure closely. Protecting administrative accounts remains critical, as privilege escalation vulnerabilities like CVE-2026-20245 can quickly transform a limited compromise into full control of enterprise networking environments.