defense · BleepingComputer
Mandiant has disclosed technical details on how attackers exploited CVE-2026-20245, a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager, Controller, and Validator components, to gain root access on targeted devices. The vulnerability allows authenticated attackers to execute arbitrary commands as root by uploading a crafted file. According to Mandiant's report, attackers first established unauthorized SD-WAN peering connections (possibly via previously disclosed authentication-bypass flaws CVE-2026-20127 and CVE-2026-20182), authenticated using the vmanage-admin account, and then exploited CVE-2026-20245 by uploading a malicious CSV file through the tenant-upload CLI feature. The attackers created a rogue root account named "troot," extracted configuration data, and employed anti-forensic tactics including backing up and restoring system files, deleting payloads, and removing logs to evade detection.
For defense contractors and service providers managing SD-WAN infrastructure, this incident underscores the importance of segmented network access controls and privileged account monitoring required under CMMC and NIST 800-171. Organizations must verify they have applied Cisco's security updates and should audit SD-WAN devices for unauthorized peering connections, suspicious account creation, and configuration changes—particularly those involving default or administrative credentials. Given the multi-stage attack pattern and reliance on prior access, detecting compromised authentication mechanisms and monitoring for lateral movement become critical detective controls under these frameworks. An Omniware engagement can scope assessment of SD-WAN architecture, access logging, and incident response procedures in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/
Source: BleepingComputer
All briefings