Mandiant reveals how Cisco SD‑WAN zero‑day attacks gained root access
Patch Cisco SD‑WAN devices to the latest firmware that fixes CVE‑2026‑20245 and disable the tenant‑upload feature until the patch is applied.
Summary
On 24 June 2026, Mandiant released a detailed report exposing how attackers exploited Cisco Catalyst SD‑WAN Manager (vManage), Controller (vSmart), and Validator (vBond) through CVE‑2026‑20245, a high‑severity command‑injection flaw that allows authenticated local users to execute arbitrary commands as root. The flaw is triggered by uploading a crafted CSV file named “evil_tenant.csv” via the tenant‑upload feature in the SD‑WAN CLI, enabling attackers to create a privileged “troot” account and switch to root using the Linux su command.

Mandiant traced the intrusion back to March 2026, when threat actors established rogue SD‑WAN peering connections and authenticated to vManage with the vmanage‑admin account, possibly leveraging the earlier zero‑day authentication bypasses CVE‑2026‑20127 and CVE‑2026‑20182. After gaining access, the attackers extracted configuration data, restored the original admin password to avoid detection, and performed anti‑forensic cleanup by deleting the malicious CSV payload and restoring configuration files. The report also highlighted that the attackers backed up system configuration files before modifying them and executed a validation script to erase evidence of compromise.

Cisco confirmed the vulnerability and issued security updates, warning that no workarounds exist and urging customers to upgrade immediately. Mandiant provided indicators of compromise, attacker IP addresses, and guidance for organizations to determine if they were affected. The incident underscores the need for rapid patching and for monitoring SD‑WAN devices for unauthorized peering and configuration changes.
Key changes
- CVE‑2026‑20245 is a command‑injection flaw in Cisco SD‑WAN vManage, vSmart, and vBond that allows authenticated local attackers to run arbitrary commands as root
- Exploitation occurs via uploading a crafted CSV file “evil_tenant.csv” through the tenant‑upload feature
- Attackers create a privileged “troot” account and switch to root using su, then delete the malicious payload and restore config files
- The intrusion began in March 2026 with rogue SD‑WAN peering connections, possibly leveraging earlier zero‑days CVE‑2026‑20127/20182
- Cisco issued security updates with no workarounds; customers must upgrade immediately
- Mandiant provided indicators of compromise and guidance for detecting unauthorized peering and configuration changes
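Detection logic for the chain the report describes (tenant CSV upload, new privileged account, su to root, then cleanup of the CSV and config files), as an added example that is not from the Mandiant report or from Cisco. The audit-log format, the field names and every sample line are constructed stand-ins, not Cisco's real log syntax; adapt the parser to the device's actual audit log.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in an assumed format "<timestamp> <user> <event> <key=value ...>".
# Not Cisco's real syntax; only a stand-in so the correlation logic can run offline.
SAMPLE_LOG = """\
2026-03-14T02:12:40 vmanage-admin TENANT_UPLOAD file=evil_tenant.csv
2026-03-14T02:12:41 vmanage-admin USER_ADD name=troot
2026-03-14T02:12:50 troot SU target=root
2026-03-14T02:20:02 troot FILE_DELETE path=/tmp/evil_tenant.csv
2026-03-14T02:20:10 troot CONFIG_RESTORE path=/etc/sdwan/startup.cfg
2026-03-15T09:00:00 ops TENANT_UPLOAD file=tenants_q1.csv
2026-03-15T11:30:00 ops USER_ADD name=jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse(log_text):
    """Turn each line into (timestamp, user, event, {key: value}); assumes time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append((datetime.fromisoformat(ts), user, event, fields))
    return events

def correlate(events, window=timedelta(minutes=10)):
    """Flag a tenant CSV upload followed, inside `window`, by a newly added account
    that escalates to root with su, plus any later cleanup by that account."""
    findings = []
    for i, (t0, uploader, ev, f) in enumerate(events):
        if ev != "TENANT_UPLOAD":
            continue
        csv_name = f.get("file", "")
        later = events[i + 1:]
        new_users = {e[3].get("name") for e in later
                     if e[2] == "USER_ADD" and e[0] - t0 <= window}
        escalated = [e for e in later if e[2] == "SU" and e[3].get("target") == "root"
                     and e[1] in new_users and e[0] - t0 <= window]
        if not escalated:
            continue  # a routine upload or account creation on its own is not flagged
        who = escalated[0][1]
        findings.append(f"upload {csv_name} -> new user {who} -> su root")
        for e in later:  # anti-forensic cleanup: deleting the CSV or restoring configs
            if e[1] == who and (e[2] == "CONFIG_RESTORE" or
                                (e[2] == "FILE_DELETE" and e[3].get("path", "").endswith(csv_name))):
                findings.append(f"post-root cleanup by {who}: {e[2]} {e[3].get('path', '')}")
    return findings
```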