Mandiant reported that a threat actor compromised a service provider’s Cisco Catalyst SD-WAN environment by exploiting the zero-day vulnerability CVE-2026-20245 in Cisco Catalyst SD-WAN Manager. The flaw in the platform’s file upload functionality was abused through a malicious CSV upload, allowing the attacker to create a root-level account and take full control of the controller. After gaining SSH access through the vmanage-admin account, the actor changed the default admin password, logged into the web interface, and exfiltrated SD-WAN fabric configuration data.
The intrusion followed earlier unauthorized peering activity observed from late 2025 into early 2026, which Mandiant assessed may have involved the then-undisclosed Cisco vulnerabilities CVE-2026-20127 or CVE-2026-20182. Additional peering activity in March 2026 may have relied on certificate material stolen during a prior compromise. Investigators said the attacker used extensive anti-forensic measures, including deleting malicious files, restoring altered system files, and checking that indicators of compromise had been removed. The case underscores the risk posed by centralized SD-WAN controllers, which manage trusted connections across distributed enterprise networks.

Timeline of 7 events, listed from the most recent confirmed update back to the earliest known activity.
Gurucul published eight IP address indicators, five file-path indicators, and three TDIR detection queries tied to the early-2026 exploitation of Cisco Catalyst SD-WAN Manager flaw CVE-2026-20245. The notice attributed the activity details to a Google Cloud threat intelligence blog post and provided defender-focused detection guidance.
Cisco released fixed software versions to remediate CVE-2026-20245 in Cisco Catalyst SD-WAN Manager. Mandiant and Cisco also advised organizations to hunt for indicators, collect admin-tech logs, and contact Cisco TAC if compromise is suspected.
Mandiant assessed that later peering activity in March 2026 may have relied on certificate material stolen during a prior compromise. This represented a subsequent phase of the broader intrusion activity against the Cisco SD-WAN environment.
After obtaining SSH access via the vmanage-admin account, the actor changed the default admin password, authenticated to the web interface, and exfiltrated SD-WAN fabric configurations. The intrusion also included anti-forensic actions such as deleting malicious files, restoring modified system files, and checking that indicators had been removed.
In an early 2026 intrusion, a threat actor exploited the zero-day vulnerability CVE-2026-20245 in Cisco Catalyst SD-WAN Manager’s file upload functionality. By uploading a malicious CSV, the actor created a root-level account and gained full control of the device.
Mandiant assessed that unauthorized peering activity targeting a service provider’s Cisco Catalyst SD-WAN infrastructure occurred from late 2025 through January 2026. The activity may have involved the then-undisclosed Cisco vulnerabilities CVE-2026-20127 or CVE-2026-20182.
CISA added Cisco Catalyst SD-WAN flaw CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on 2026-06-04. It ordered Federal Civilian Executive Branch agencies to remediate or discontinue affected systems by 2026-06-23.