Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited Months Before Disclosure

Hackers exploited Cisco Catalyst SD-WAN flaw CVE-2026-20245 as a zero-day months before disclosure, enabling privileged command execution.

Google-owned Mandiant reported that an unknown threat actor exploited Cisco Catalyst SD-WAN vulnerability CVE-2026-20245 (CVSS base score of 7.8) as a zero-day at least two months before it was publicly disclosed. The flaw allows an authenticated attacker with netadmin privileges to execute arbitrary commands with elevated rights by using a crafted file. Cisco has confirmed awareness of active exploitation and released fixes.

An authenticated local attacker can trigger the vulnerability to run arbitrary commands as root. The root cause is straightforward: insufficient validation of user-supplied input. Although the flaw requires netadmin privileges, attackers can obtain them using stolen credentials or by exploiting previously disclosed vulnerabilities such as CVE-2026-20182 and CVE-2026-20127.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.” reads the advisory. “To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”

The vulnerability affects Cisco Catalyst SD-WAN Manager across all deployment models, including on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud deployments, and FedRAMP environments.

“In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider.
After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.” reads the report published by Mandiant. “Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities.”

Mandiant observed attackers targeting a communications service provider in two separate campaigns between late 2025 and March 2026, ultimately escalating a compromised administrator account to full root access. The first activity likely exploited two then-unknown Cisco SD-WAN authentication bypass flaws, tracked as CVE-2026-20127 and CVE-2026-20182, to establish unauthorized connections. A later intrusion targeted a patched device and may have relied on certificates stolen during an earlier compromise, though investigators have not confirmed whether the same threat actor was responsible for both incidents.

“After establishing an SSH session with the admin account, the threat actor exploited CVE-2026-20245 by executing the following command to upload a file named evil_tenant.csv: request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0” continues Mandiant. “The evil_tenant.csv file contains the exploit payload.”

The exploit enabled attackers to gain elevated privileges and create a rogue “troot” account with full root-level access to the system. The threat actor then accessed this new troot account from the admin account via the su (substitute user) command.

The attackers systematically erased evidence by deleting files, undoing configuration changes, and running cleanup scripts to hinder forensic investigations.
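The chain described above (a tenant-list upload from the admin home directory, a second uid-0 account named troot, an su into it, then deletion of the uploaded CSV) gives a defender three concrete hunt criteria for an SD-WAN Manager. The following is an added example, not code from the article, Cisco or Mandiant; it assumes a constructed, simplified command-audit line format and a constructed passwd excerpt, because the real SD-WAN Manager log format is not shown here.

```python
import re
from typing import Dict, List

# Constructed audit lines in a simplified "<ts> <user> cmd: <command>" shape;
# the real SD-WAN Manager log format is not shown in the article (assumption).
SAMPLE_LINES = [
    "2026-03-02T10:01:12Z admin ssh-login from 203.0.113.7",
    "2026-03-02T10:02:40Z admin cmd: request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0",
    "2026-03-02T10:03:05Z admin cmd: su troot",
    "2026-03-02T10:09:51Z troot cmd: rm -f /home/admin/evil_tenant.csv",
    "2026-03-02T11:00:00Z netops cmd: show running-config",
]

# Constructed /etc/passwd excerpt containing the rogue uid-0 account named in the report.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

TENANT_UPLOAD = re.compile(r"request tenant-upload tenant-list (\S+)")
SU_CMD = re.compile(r"\bsu\s+(\S+)")
RM_CMD = re.compile(r"\brm\b.*?(\S+\.csv)")


def find_uid0_accounts(passwd_text: str) -> List[str]:
    """Return every account with uid 0 other than root (root-equivalents)."""
    extra = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            extra.append(parts[0])
    return extra


def hunt(lines: List[str], passwd_text: str) -> Dict[str, List[str]]:
    """Flag the three observables: the tenant-list upload, an su into a
    root-equivalent account, and later deletion of the uploaded file."""
    findings: Dict[str, List[str]] = {"tenant_upload": [], "su_to_uid0": [], "upload_deleted": []}
    uid0 = set(find_uid0_accounts(passwd_text))
    uploaded = set()
    for line in lines:
        if m := TENANT_UPLOAD.search(line):
            findings["tenant_upload"].append(m.group(1))
            uploaded.add(m.group(1))
        if (m := SU_CMD.search(line)) and m.group(1) in uid0:
            findings["su_to_uid0"].append(m.group(1))
        if (m := RM_CMD.search(line)) and m.group(1) in uploaded:
            findings["upload_deleted"].append(m.group(1))  # the anti-forensic cleanup step
    return findings
```

Pair the passwd check with a baseline of expected accounts, since the report notes the actor restored modified files to hide the changes.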
“Mandiant identified that the threat actor deleted all files they created, including evil_tenant.csv, and restored any system configurations they modified. These deletions and modifications were done to minimize their forensic footprint.” continues the report.

According to Google, the case highlights a growing trend of threat actors exploiting zero-day vulnerabilities in edge devices such as SD-WAN systems, which often lack sufficient logging and monitoring capabilities. Compromising these devices can provide long-term access and visibility into an organization’s internal network traffic.

“This campaign underscores the living off the edge paradigm, where threat actors prioritize the compromise of network appliances to bypass traditional security perimeters.” Mandiant concludes. “As organizations increasingly adopt software-defined networking, the orchestrators managing these environments become primary targets.”

Pierluigi Paganini (SecurityAffairs – hacking, Cisco Catalyst)