
Eight Cisco SD-WAN zero-days in one year: Mandiant's root-cause report

If you run Cisco Catalyst SD-WAN infrastructure, you have been living through a remarkably bad year. CVE-2026-20245 is the eighth confirmed Cisco SD-WAN exploitation disclosed in 2026. The first was in January. We are not yet through July.

Mandiant documented the campaign that led to this disclosure, and the technical details are worth reading carefully.

How the attack worked

The intrusion Mandiant investigated started at a telecom service provider. In March 2026, analysts noticed unauthorized SD-WAN peering connections appearing on the provider's infrastructure. A threat actor had authenticated to the SD-WAN Manager (vManage) using the vmanage-admin account and established rogue peer connections.

From there, the attacker exploited CVE-2026-20245, a command injection flaw in the SD-WAN Manager's tenant-upload feature. The exploit is simple in concept: upload a crafted CSV file, the server processes it without sufficient validation, and you get arbitrary command execution as root.

The attacker's first actions as root were methodical: back up /etc/passwd and /etc/shadow, then create a new account named "troot" with root-level privileges. Classic persistence before doing anything noisy.
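The post does not describe the vulnerable code, so here is an added illustration of the defensive pattern that a CSV-upload feature like this one needs: parse with a real CSV parser, validate every field against a strict allowlist before any row is acted on, and hand the values to the provisioning tool as an argv list so no field is ever interpreted by a shell. This is example code written for this post, not Cisco's; the column names and the `/usr/local/bin/tenant-admin` tool are hypothetical.

```python
"""Hardened handling of an uploaded tenant CSV (added example, not Cisco code).

The root cause described in the post is unsanitized CSV content reaching a
command executed as root. Two controls address that class of bug: strict
per-field validation, and never building a shell command string from input.
"""
import csv
import io
import re
import subprocess

# Per-column allowlists. Column names are hypothetical; the real schema is
# not described in the post. Anything that does not fully match is rejected.
FIELD_RULES = {
    "tenant_name": re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$"),
    "org_name": re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,126}$"),
    "site_id": re.compile(r"^[0-9]{1,6}$"),
}
REQUIRED_HEADER = tuple(FIELD_RULES)
MAX_ROWS = 1000  # bound the work a single upload can trigger

class CsvValidationError(ValueError):
    """Raised for any upload that is not exactly what we expect."""

def parse_tenant_csv(text: str) -> list[dict[str, str]]:
    """Parse and validate the whole file; returns rows only if every row is clean."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or tuple(reader.fieldnames) != REQUIRED_HEADER:
        raise CsvValidationError(f"unexpected header: {reader.fieldnames}")
    rows = []
    for lineno, row in enumerate(reader, start=2):
        if len(rows) >= MAX_ROWS:
            raise CsvValidationError("too many rows")
        # DictReader stores surplus columns under key None and fills missing
        # columns with None, so both shape errors show up here.
        if None in row or None in row.values():
            raise CsvValidationError(f"line {lineno}: column count mismatch")
        for field, rule in FIELD_RULES.items():
            if not rule.fullmatch(row[field]):
                raise CsvValidationError(f"line {lineno}: invalid {field}")
        rows.append(row)
    return rows

def build_argv(row: dict[str, str]) -> list[str]:
    """argv for the hypothetical provisioning tool: a list, never a shell string."""
    return ["/usr/local/bin/tenant-admin", "create",
            "--name", row["tenant_name"],
            "--org", row["org_name"],
            "--site", row["site_id"]]

def provision(text: str, runner=subprocess.run) -> int:
    """Validate everything first, then run each row with shell=False.

    The process doing this should not be root; the post shows what root-level
    command execution bought the attacker.
    """
    rows = parse_tenant_csv(text)
    for row in rows:
        runner(build_argv(row), shell=False, check=True)
    return len(rows)

# Constructed sample upload, not taken from any real incident.
SAMPLE_CSV = (
    "tenant_name,org_name,site_id\n"
    "acme,Acme Corp,100\n"
    "beta-1,Beta Inc.,200\n"
)

if __name__ == "__main__":
    print(parse_tenant_csv(SAMPLE_CSV))
```

The `runner` parameter exists so the validation path can be exercised without executing anything; in production it stays at `subprocess.run`.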

What makes this particularly bad

There is no patch for CVE-2026-20245. Cisco's advisory for this CVE points customers to the mitigations from an earlier vulnerability, CVE-2026-20182, patched in May. That is not a patch for this vulnerability; it is a partial mitigation.

The exploitation began in March. The disclosure came later. That gap between exploitation and disclosure is not unusual for sophisticated intrusions, but it means affected organizations have been running compromised infrastructure for months.

The rogue SD-WAN peering mechanism is also worth noting. SD-WAN peering is a trusted relationship. A malicious peer connection that goes undetected could intercept or modify routed traffic. The attacker's motivation for establishing peering connections at a telecom provider should be taken seriously.

What to do

Cisco's current guidance: upgrade to the version that addresses CVE-2026-20182. That is not a full fix, but it reduces the attack surface while a proper patch for CVE-2026-20245 is pending.

Beyond patching, review your vManage authentication logs for unfamiliar accounts (look specifically for "troot" and other newly created admin accounts), audit your SD-WAN peer connections for any you did not configure, and restrict vManage access to management plane networks only.
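The three review steps above are easy to script once you have a baseline to compare against. The following is an added example written for this post, not a Cisco tool: it flags root-equivalent accounts outside a known set (the "troot" pattern), successful logins by unknown accounts or from outside the management network, and control-plane peers nobody configured. vManage's real log format is not described in the post, so the auth-log lines and the baselines are constructed samples.

```python
"""Triage checks for the indicators described in the post (added example).

Baselines (expected uid-0 accounts, approved admins, configured peers,
management networks) are assumptions standing in for your own records.
"""
import ipaddress
import re

EXPECTED_UID0 = {"root"}                       # only root should have uid 0
KNOWN_ADMINS = {"admin", "vmanage-admin"}      # accounts approved by change control
CONFIGURED_PEERS = {"10.0.1.10", "10.0.1.11"}  # peers you set up yourself
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # where admin logins may come from

def find_rogue_uid0(passwd_text: str) -> list[str]:
    """Accounts in /etc/passwd with uid 0 that are not in the baseline."""
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            continue
        name, uid = parts[0], parts[2]
        if uid == "0" and name not in EXPECTED_UID0:
            rogue.append(name)
    return rogue

# Constructed syslog-like shape; adapt the pattern to the real log source.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)"
)

def find_suspicious_logins(log_text: str, known=KNOWN_ADMINS, mgmt_nets=MGMT_NETS):
    """Successful logins by unknown accounts, or by any account from outside
    the management plane. Returns (timestamp, user, src) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["result"] != "success":
            continue
        src = ipaddress.ip_address(m["src"])
        from_mgmt = any(src in net for net in mgmt_nets)
        if m["user"] not in known or not from_mgmt:
            hits.append((m["ts"], m["user"], m["src"]))
    return hits

def find_rogue_peers(observed_peers, configured=CONFIGURED_PEERS) -> list[str]:
    """Peers present on the control plane that are absent from your config."""
    return sorted(set(observed_peers) - set(configured))

# Constructed samples; none of these values come from a real incident.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash\n"
    "troot:x:0:0::/root:/bin/bash\n"
)
SAMPLE_AUTH_LOG = (
    "2026-03-11T09:00:00Z vmanage auth: user=admin result=success src=10.0.0.5\n"
    "2026-03-11T09:05:00Z vmanage auth: user=admin result=failure src=203.0.113.9\n"
    "2026-03-12T02:14:07Z vmanage auth: user=vmanage-admin result=success src=198.51.100.7\n"
    "2026-03-12T02:20:41Z vmanage auth: user=troot result=success src=198.51.100.7\n"
)
SAMPLE_PEERS = ["10.0.1.10", "10.0.1.11", "198.51.100.7"]

def triage(passwd=SAMPLE_PASSWD, auth_log=SAMPLE_AUTH_LOG, peers=SAMPLE_PEERS) -> dict:
    """Run all three checks and return the findings in one structure."""
    return {
        "rogue_uid0": find_rogue_uid0(passwd),
        "suspicious_logins": find_suspicious_logins(auth_log),
        "rogue_peers": find_rogue_peers(peers),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Note that the second check flags a legitimate account name as well: the post's intrusion began with vmanage-admin, so a known admin logging in from a non-management source deserves the same attention as an unknown account.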

Eight CVEs in seven months

The accumulation of Cisco SD-WAN exploitation this year suggests either a structural weakness in this product's security posture or concentrated threat actor interest in SD-WAN infrastructure as a target class. Probably both. Organizations running Cisco SD-WAN at scale should treat this as an active threat, not a patch cycle.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you manage Cisco infrastructure and want to discuss network security hardening.