Active Zero-Day: Cisco Catalyst SD-WAN Targeted in Privilege Escalation Attack
Executive Summary
A high-severity zero-day vulnerability in Cisco's Software-Defined Wide Area Network (SD-WAN) management plane is under active exploitation by sophisticated threat actors. Mandiant (Google Cloud) recently uncovered an active campaign targeting the Cisco Catalyst SD-WAN Manager. Tracked as CVE-2026-20245, the vulnerability resides in the appliance's file upload feature. Attackers who already hold an administrative account on the appliance are exploiting the flaw to escalate from that account to root on the underlying operating system. Organizations running Cisco SD-WAN controllers are urged to apply the vendor patches immediately to shut down active compromise.
Deep-Dive Technical Analysis
SD-WAN solutions serve as the nervous system for modern corporate networks, orchestrating secure traffic routing and managing connections between distant branches. Because of this strategic role, SD-WAN controllers are high-value targets for state-sponsored espionage groups.
The active zero-day campaign discovered by Mandiant reveals sophisticated, stealthy tradecraft:
1. Initial Access and Password Manipulation: Attackers first gain network-level access through unauthorized peering connections, which gives them direct SSH access to the SD-WAN controller. Once connected, they manipulate default administrative passwords to lock in their foothold.
2. Exploiting CVE-2026-20245 (File Upload Flaw): With administrative command-line interface (CLI) access in hand, the threat actors exploit the vulnerability in the SD-WAN Manager's file upload feature. The system fails to properly validate and filter uploaded files, so the attackers can bypass its file-type restrictions.
3. Payload Delivery (evil_tenant.csv): The attackers upload a maliciously crafted CSV file, observed under the name evil_tenant.csv, which carries the exploit payload.
4. Root-Level Privilege Escalation: When the system processes the uploaded CSV, the embedded payload executes commands as root. The payload appends attacker-controlled administrative account entries to the system's /etc/passwd and /etc/shadow files, giving the attacker a persistent root login on the operating system.
5. Anti-Forensic Techniques: To keep that access and avoid detection by security operations center (SOC) monitoring, the threat actors consistently employ anti-forensic techniques, selectively deleting and restoring the system configuration files they modified so that the changes leave as little trace as possible.
Industry Impact and Recommendations
A root-level compromise of a Cisco Catalyst SD-WAN Manager gives adversaries control of the corporate WAN. Attackers can intercept decrypted transit traffic, redirect network flows to malicious endpoints, exfiltrate sensitive data from connected cloud storage, or move laterally to internal servers and Active Directory.
We recommend that all network security teams implement the following immediate controls:
* Apply Official Cisco Patches Immediately: Upgrade all vulnerable Cisco Catalyst SD-WAN Manager appliances to the patched firmware versions released by Cisco addressing CVE-2026-20245.
* Disable Public SSH and Peering Interfaces: Restrict external SSH access to the SD-WAN Manager. Management interfaces should be bound strictly to internal networks or placed behind a multi-factor authentication (MFA) VPN gateway with a strict source IP allow list.
* Enforce Strict Password Management: Immediately rotate all administrative and default account passwords on the controller, and audit local user accounts for unauthorized additions, in particular any account other than root that resolves to UID 0.
* Implement File Integrity Monitoring (FIM): Deploy FIM on the controller host to alert on unauthorized modifications to critical system files, specifically /etc/passwd, /etc/shadow, and the network routing configuration directories, and compare against a baseline captured while the appliance was known to be clean.
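The persistence artifacts from steps 4 and 5 of the attack chain and the account audit and file integrity monitoring recommended in the last two items above come down to the same check on the controller host. The following audit script is an added example written for this page; it is not Cisco's or Mandiant's tooling. The /etc/passwd and /etc/shadow contents, the placeholder password hashes and the baseline are constructed samples; on a real appliance the baseline account list and hashes would come from a snapshot taken while the host was known to be clean.

```python
"""Audit a Linux controller's /etc/passwd and /etc/shadow for the persistence
artifacts described in this report: an extra UID-0 account, accounts absent
from a known-good baseline, passwd/shadow inconsistencies, and file contents
whose SHA-256 no longer matches the baseline snapshot.

Example code written for this page; it is not Cisco's or Mandiant's tooling.
All file contents and the baseline below are constructed samples."""
import hashlib
import sys

# Constructed known-good /etc/passwd and /etc/shadow (password hashes are
# placeholders, not real hashes).
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "admin:x:1000:1000:SD-WAN admin:/home/admin:/bin/bash\n"
)
CLEAN_SHADOW = (
    "root:$6$saltroot$hashroot:19700:0:99999:7:::\n"
    "daemon:*:19700:0:99999:7:::\n"
    "admin:$6$saltadmin$hashadmin:19700:0:99999:7:::\n"
)

# The same files after the kind of append the campaign is described as
# performing: a second UID-0 account with its own password entry.
TAMPERED_PASSWD = CLEAN_PASSWD + "support:x:0:0::/root:/bin/bash\n"
TAMPERED_SHADOW = CLEAN_SHADOW + "support:$6$saltsup$hashsup:19800:0:99999:7:::\n"


def sha256_of(text):
    """Hex SHA-256 of a file's text; this is the FIM baseline value."""
    return hashlib.sha256(text.encode()).hexdigest()


# Baseline snapshot taken while the appliance was known to be clean.
BASELINE = {
    "accounts": {"root", "daemon", "admin"},
    "passwd_sha256": sha256_of(CLEAN_PASSWD),
    "shadow_sha256": sha256_of(CLEAN_SHADOW),
}


def parse_passwd(text):
    """Return ({name: {"uid", "gid", "shell"}}, [malformed lines])."""
    entries, malformed = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append(line)  # not a valid 7-field record: worth a look
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        entries[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return entries, malformed


def parse_shadow(text):
    """Return the set of account names that have a shadow entry."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}


def rogue_uid0(entries):
    """Accounts other than root that resolve to UID 0 (a second root login)."""
    return sorted(n for n, e in entries.items() if e["uid"] == 0 and n != "root")


def audit(passwd_text, shadow_text, baseline):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if sha256_of(passwd_text) != baseline["passwd_sha256"]:
        findings.append("passwd: content hash differs from baseline")
    if sha256_of(shadow_text) != baseline["shadow_sha256"]:
        findings.append("shadow: content hash differs from baseline")
    passwd, malformed = parse_passwd(passwd_text)
    for line in malformed:
        findings.append(f"passwd: malformed line {line!r}")
    for name in rogue_uid0(passwd):
        findings.append(f"passwd: extra UID-0 account '{name}'")
    for name in sorted(set(passwd) - baseline["accounts"]):
        findings.append(f"passwd: account '{name}' not in baseline")
    # An entry present in only one of the two files also indicates tampering.
    for name in sorted(set(passwd) ^ parse_shadow(shadow_text)):
        findings.append(f"passwd/shadow mismatch for account '{name}'")
    return findings


if __name__ == "__main__":
    # No arguments: audit the constructed tampered sample.
    # Two arguments: audit real files, e.g.  python3 audit.py /etc/passwd /etc/shadow
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            passwd_text, shadow_text = p.read(), s.read()
    else:
        passwd_text, shadow_text = TAMPERED_PASSWD, TAMPERED_SHADOW
    for finding in audit(passwd_text, shadow_text, BASELINE) or ["no findings"]:
        print(finding)
```

The hash comparison is what a FIM tool does and catches any change, including the attacker deleting and restoring files; the UID-0 and baseline-account checks are what an analyst runs by hand when no baseline hash exists, and they still fire on the appended entries even if the attacker has restored timestamps. Run the script as root, since /etc/shadow is not world-readable, and replace the constructed BASELINE with values taken from the real appliance.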
References:
* Google Cloud Threat Intelligence (Mandiant)
* Cyber Recaps