

In early 2026, Mandiant, the threat intelligence arm of Google Cloud, was called in to investigate a security incident at a service provider. What the investigation uncovered was a zero-day exploitation of a vulnerability in Cisco Catalyst SD-WAN infrastructure. The vulnerability, now tracked as CVE-2026-20245, had been exploited at least two months before Cisco publicly disclosed it and before any patch existed. The attacker had used a malicious file upload to escalate from a compromised administrative account to root-level shell access across Cisco Catalyst SD-WAN Manager, Controller, and Validator components. Mandiant's full account of the intrusion reveals a methodical operation that combined technical exploitation with anti-forensic tradecraft designed to survive incident response investigation.
The investigation began when an anomaly in the service provider's environment attracted attention. Mandiant's analysis traced the activity to the Cisco Catalyst SD-WAN infrastructure and identified that the attacker had gained root access through a vulnerability that, at the time, had no public documentation or patch. The two-month window between first exploitation and public disclosure means the intrusion was invisible to any defence keyed to known vulnerabilities: vulnerability scanners, patch-compliance checks and CVE-based signatures would all have reported nothing, because the flaw did not yet exist in any database they consulted. Organisations monitoring only for unpatched CVEs had no visibility into an attack that exploited a vulnerability Cisco had not yet identified or disclosed.
The timeline is significant in two directions. It means that exploitation preceded detection, which is expected in zero-day scenarios. But it also means that the attacker had access to the service provider's SD-WAN infrastructure for an extended period before the investigation was triggered. During that window, the attacker had root-level access to the management plane of the SD-WAN deployment, the component responsible for routing policies, device configurations, and potentially credentials for managed network devices downstream.
CVE-2026-20245 is a command injection vulnerability in the file upload feature of Cisco Catalyst SD-WAN Manager, also known as vManage. The vulnerability carries a CVSS score of 7.8 and is rated high severity by Cisco. The vulnerability also affects the Cisco Catalyst SD-WAN Controller (vSmart) and Validator (vBond) components, which together form the management and orchestration layer of the Catalyst SD-WAN platform.
The root cause is that the file upload feature failed to properly validate and sanitise the data in uploaded files before processing it. When a file containing specially crafted content was uploaded through the interface, the malicious data was passed to an underlying system command without adequate filtering. The command injection flaw allowed attacker-controlled strings in the uploaded file to escape their expected context and execute as operating system commands, with the privileges of the process handling the upload.
The vulnerability requires the attacker to already have access to an administrative account on the SD-WAN Manager interface. This is a meaningful pre-requisite: it means the attack begins with a compromised admin credential rather than with unauthenticated access. In the incident Mandiant investigated, the method by which the attacker initially obtained the administrative account is not fully documented in the public disclosure. What is documented is what they did with it once they had it.
The specific upload that Mandiant documented was a file named evil_tenant.csv. The CSV format is used in SD-WAN Manager for importing tenant configuration data, a routine administrative operation. By crafting a CSV file whose contents included command injection payloads, the attacker was able to trigger operating system command execution as a side effect of what appeared to be a normal administrative import operation.
The choice of a CSV file for the attack vector is operationally significant. CSV imports are a standard administrator task in SD-WAN management. An attacker who has compromised an administrative account and who wants to minimise the detection risk of their privilege escalation would benefit from using an import operation that blends into routine administrative activity in logs. A security operations team reviewing logs for suspicious activity is more likely to flag unusual process spawning or outbound connections than a CSV import operation performed from an authenticated admin session.
Once the command injection payload executed, the attacker had the ability to run arbitrary operating system commands with elevated privileges. The next step was converting that code execution capability into a persistent, stable access mechanism.
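To make the bug class concrete, the following is an added illustration, not Cisco's code and not a reconstruction of the actual flaw: a hypothetical tenant-import routine that interpolates a CSV field into a shell command string, beside a hardened version that validates the field against an allowlist pattern and invokes the command as an argument vector so the shell never parses attacker data. The CSV rows, field names and the `echo` stand-in for the real provisioning command are all constructed for the example.

```python
import csv
import io
import re
import subprocess

# Constructed sample import: the second row carries shell metacharacters in the
# tenant name. The column names are assumptions for the example.
SAMPLE_CSV = 'tenant_name,org_id\nacme,1001\n"acme; echo INJECTED",1002\n'

# Allowlist for a tenant identifier: letters, digits, and a few separators.
TENANT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def parse_rows(csv_text):
    """Parse the import file with the csv module, which handles quoting correctly."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def provision_vulnerable(tenant_name):
    """Bug class on display: the field is pasted into a shell command string.
    'acme; echo INJECTED' becomes two commands. (Hypothetical, not Cisco's code.)"""
    cmd = f"echo provisioning tenant {tenant_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def provision_hardened(tenant_name):
    """Reject anything outside the allowlist, then pass the value as one argv
    element so no shell ever interprets it. Either control alone stops this
    payload; together they are defence in depth."""
    if not TENANT_NAME_RE.fullmatch(tenant_name):
        raise ValueError(f"rejected tenant name: {tenant_name!r}")
    argv = ["echo", "provisioning", "tenant", tenant_name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_import(csv_text, provision):
    """Run every row through the given provisioning function; collect output or rejection."""
    results = {}
    for row in parse_rows(csv_text):
        name = row["tenant_name"]
        try:
            results[name] = provision(name)
        except ValueError as exc:
            results[name] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    print(run_import(SAMPLE_CSV, provision_vulnerable))
    print(run_import(SAMPLE_CSV, provision_hardened))
```

Running the vulnerable path prints an extra `INJECTED` line for the second row, which is the injected command's output; the hardened path rejects that row before any command runs and provisions the first row normally. The point to carry over to real code is that the argv form removes the shell from the path entirely, while the allowlist also protects any downstream consumer (config files, database queries) that the field reaches later.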
The attacker used their elevated access to create a rogue user account on the SD-WAN Manager system. The account was named troot, an identifier chosen to be similar enough to legitimate system account naming conventions to avoid standing out in a quick scan of user account lists. The account was granted root-level shell access.
Creating a named account as a persistence mechanism is a deliberate choice. A named account persists across system restarts, can be used to re-establish access if the initial exploit path is closed, and does not require the attacker to maintain a running process or implant that might be detected by endpoint security tools. It also allows the attacker to access the system through normal authentication channels rather than through the exploit path, which reduces the forensic trail compared to repeated exploitation.
The name troot reflects the attacker's awareness that account names attract scrutiny during incident response. By choosing a name that resembles a plausible technical account rather than an obviously malicious one, the attacker increased the likelihood that a first-pass review of system accounts would not immediately flag the account as suspicious. Incident responders who did not have a complete prior inventory of legitimate system accounts would need additional context to distinguish the rogue account from a legitimate technical account created by an administrator.
One of the most operationally sophisticated aspects of the intrusion that Mandiant documented is the attacker's consistent use of anti-forensic techniques. Throughout the intrusion, the attacker selectively deleted and restored system configuration files that had been modified during their activities. The goal was to reduce the forensic footprint of the intrusion: by restoring modified files to their original state after using them, the attacker aimed to prevent post-incident analysis from identifying the specific changes made during the access window.
This technique requires that the attacker maintain copies of the original file contents before modifying them, apply their modifications, use the modified configuration for their purposes, and then restore the original to overwrite the evidence of the change. It is more operationally complex than simply leaving modified files in place, which suggests the attacker was prepared for the possibility of an incident response investigation and had planned to survive it.
For defenders, this anti-forensic behaviour has an implication for detection strategy. Detection that records every change to a configuration file as it happens is more resilient to this technique than detection that only compares the current filesystem against a baseline. If the attacker restores a file to its original content after modifying it, a point-in-time hash comparison shows nothing unusual, because the hash matches the baseline again. A temporal record of access events and intermediate file states shows both the modification and the restoration, and the restoration itself is a strong signal: legitimate administration rarely changes a file and then returns it byte-for-byte to its prior state within the same session.
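The difference between the two approaches, as an added example that is not part of Mandiant's report or any Cisco tooling: a constructed event stream from a hypothetical file-integrity agent that logs each write or delete with the resulting content hash, a naive baseline-versus-current check that sees nothing after the restore, and a temporal check that flags every path whose content left its baseline and later came back. The paths, file contents and timestamps are invented for the example.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed contents for a hypothetical config file; not a real Cisco configuration.
ORIGINAL_CONF = b"admin-auth: local\n"
MODIFIED_CONF = b"admin-auth: local\nextra-login: enabled\n"

# Constructed event stream: (timestamp, path, sha256 of content after the event).
# None means the file was deleted. This agent and its log format are assumptions.
EVENTS = [
    ("2026-03-01T02:00:00Z", "/etc/app/auth.conf",  sha256_hex(ORIGINAL_CONF)),    # install-time baseline
    ("2026-03-01T02:00:00Z", "/etc/app/tenant.cfg", sha256_hex(b"tenant: t1\n")),
    ("2026-03-10T09:00:00Z", "/etc/app/hosts.conf", sha256_hex(b"10.0.0.1 mgr\n")),
    ("2026-03-14T03:11:05Z", "/etc/app/auth.conf",  sha256_hex(MODIFIED_CONF)),    # attacker modifies
    ("2026-03-14T03:20:40Z", "/etc/app/tenant.cfg", None),                          # attacker deletes
    ("2026-03-14T03:48:52Z", "/etc/app/auth.conf",  sha256_hex(ORIGINAL_CONF)),    # attacker restores
    ("2026-03-14T03:49:10Z", "/etc/app/tenant.cfg", sha256_hex(b"tenant: t1\n")),  # attacker restores
]


def _by_path(events):
    """Group events per path in timestamp order (ISO-8601 strings sort correctly)."""
    grouped = defaultdict(list)
    for ts, path, digest in sorted(events, key=lambda e: e[0]):
        grouped[path].append((ts, digest))
    return grouped


def point_in_time_check(events):
    """Baseline-vs-current comparison: first recorded hash against the last.
    After a modify-and-restore sequence this returns nothing."""
    return sorted(p for p, seq in _by_path(events).items() if seq[0][1] != seq[-1][1])


def find_round_trips(events):
    """Paths whose content left its baseline (modified or deleted) and later
    returned to exactly the baseline hash. Each round trip is one finding."""
    findings = []
    for path, seq in _by_path(events).items():
        baseline = seq[0][1]
        deviated = None  # (timestamp, "modified" | "deleted") while off-baseline
        for ts, digest in seq[1:]:
            if digest != baseline:
                if deviated is None:
                    deviated = (ts, "deleted" if digest is None else "modified")
            elif deviated is not None:
                findings.append({"path": path, "action": deviated[1],
                                 "at": deviated[0], "restored_at": ts})
                deviated = None
    return sorted(findings, key=lambda f: f["at"])


if __name__ == "__main__":
    print("point-in-time differences:", point_in_time_check(EVENTS))
    for f in find_round_trips(EVENTS):
        print(f"{f['path']}: {f['action']} at {f['at']}, restored at {f['restored_at']}")
```

The point-in-time check returns an empty list for this stream even though two files were tampered with. The temporal check needs the intermediate hashes to exist somewhere the attacker cannot rewrite, which is why the log has to be shipped off the appliance as events occur rather than read from local disk after the fact.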
The fact that CVE-2026-20245 was exploited at least two months before Cisco disclosed it places this incident in the category of weaponised zero-days used by sophisticated actors who invest in vulnerability research or who acquire vulnerabilities through channels separate from the public security community. Zero-days of this type are typically not exploited opportunistically against many targets simultaneously: each use risks burning the vulnerability, because investigation of the intrusion may lead to discovery of the underlying flaw and its subsequent patching.
The implication for organisations running Cisco Catalyst SD-WAN is that the period between when this attacker began using the vulnerability and when Cisco released a patch was a window in which the vulnerability existed, was known to at least one threat actor, and was undetectable by any defence that depended on patch status or published CVE data. This is the structural challenge that threat intelligence addresses by monitoring for behavioural indicators of intrusion rather than relying solely on signature-based detection of known vulnerabilities.
Cisco released fixes for CVE-2026-20245 on 12 June 2026. The patched versions are 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2, or later versions within each release train. Organisations running Cisco Catalyst SD-WAN Manager, Controller, or Validator on versions prior to these should treat the upgrade as urgent given the confirmed exploitation of the vulnerability in the wild prior to the patch release.
Cisco's security advisory provides the complete affected version matrix and upgrade paths. The advisory also notes that there are no workarounds that address the vulnerability: the file upload feature that contains the flaw is a core administrative function that cannot be disabled without affecting normal SD-WAN management operations. Upgrading to a fixed version is the only complete remediation.
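A version triage helper, added here as an example rather than anything Cisco ships. It encodes the fixed releases exactly as this page lists them and compares an inventory of Manager, Controller and Validator versions against them. The subtlety it handles is that one train (20.15) has two fixed builds on different branches, so 20.15.5.1 is vulnerable even though it sorts above 20.15.4.5. How far the page's "or later versions within each release train" wording extends to branches the list does not name is an assumption; the code returns "check-advisory" for those rather than guessing. The inventory is constructed.

```python
# Fixed releases exactly as listed on this page; not independently verified here.
FIXED_RELEASES = ["20.9.9.2", "20.12.7.2", "20.15.4.5", "20.15.5.3", "20.18.3.1", "26.1.1.2"]


def parse_version(text):
    """'20.15.5.1' -> (20, 15, 5, 1); shorter strings are right-padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version, fixed_releases=FIXED_RELEASES):
    """Classify one version string against the fixed-release list."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in fixed_releases]
    # Same first three components: a fixed build exists for this exact branch,
    # so a direct comparison is meaningful (20.15.5.1 is below 20.15.5.3).
    same_branch = [f for f in fixed if f[:3] == v[:3]]
    if same_branch:
        return "fixed" if v >= min(same_branch) else "vulnerable"
    # Same major.minor train, but a branch the list does not name. Below the lowest
    # fixed build it is certainly vulnerable; above it, defer to the advisory matrix
    # (assumption: "or later" is not read as covering unlisted branches).
    same_train = [f for f in fixed if f[:2] == v[:2]]
    if not same_train:
        return "unlisted-train"
    return "vulnerable" if v < min(same_train) else "check-advisory"


def triage(inventory):
    """inventory: iterable of (hostname, role, version). Returns rows that need action."""
    rows = []
    for host, role, ver in inventory:
        status = assess(ver)
        if status != "fixed":
            rows.append((host, role, ver, status))
    return rows


# Constructed inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("vmanage-01", "Manager", "20.15.5.1"),
    ("vsmart-01", "Controller", "20.15.4.5"),
    ("vbond-01", "Validator", "20.12.6.3"),
    ("vmanage-02", "Manager", "20.10.1.2"),
]

if __name__ == "__main__":
    for host, role, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {role:11} {ver:10} {status}")
```

Feed it the output of whatever inventory source you trust (the Manager's own device list, or a CMDB export) and treat "vulnerable", "check-advisory" and "unlisted-train" as three different tickets: the first is an upgrade, the other two are a read of Cisco's version matrix before anyone assumes a host is safe.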
The targeting of SD-WAN management infrastructure reflects a strategic logic that security teams should understand. SD-WAN manager components are the control plane for network routing and policy across an organisation's entire wide-area network. An attacker with root access to the SD-WAN Manager can potentially observe all traffic policies, modify routing behaviour, inject configuration changes that redirect traffic, and access credentials used by network devices managed through the platform.
For a service provider, as in the incident Mandiant investigated, the SD-WAN management plane may control the network configurations of multiple customer organisations simultaneously. Compromise of the management plane at a service provider therefore potentially reaches all customers whose networks are managed through that platform, creating a multiplier effect where a single intrusion has downstream consequences across an entire managed service portfolio. This makes SD-WAN management infrastructure a high-value target precisely because of its centrality and reach within the networks it controls. Understanding the full attack surface of SD-WAN deployments requires accounting for the management plane as a distinct and high-priority target, not merely the data plane that carries traffic.
The involvement of a managed service provider in the Mandiant investigation is not incidental. Providers who manage SD-WAN infrastructure on behalf of multiple customers occupy a structurally attractive position for sophisticated threat actors because a single intrusion into the management plane provides simultaneous visibility into the network configurations, routing policies, and management credentials of every customer environment managed through that plane. The intelligence yield scales with the provider's customer count rather than with the complexity of the attack.
This multiplier logic is well understood by nation-state actors who prioritise high-yield persistent access over opportunistic intrusion. Compromising a provider's SD-WAN Manager means the attacker does not need to attack each customer organisation individually. Routing policies, VPN configurations, and the credentials used by downstream network devices are all accessible through the single compromised management instance. For an intelligence operation targeting a government agency, a defence contractor, or a financial institution, the managed service provider is the most efficient path to sustained network visibility across an entire portfolio of targets from one foothold.
Service providers managing SD-WAN for high-value customers should treat CVE-2026-20245 as a matter of urgency, not routine patch scheduling. They should also review whether their SD-WAN management interfaces are accessible from the public internet, which administrative accounts have access, and what monitoring exists for anomalous account activity. The creation of the rogue troot account in the Mandiant case is precisely the kind of event that host-level account auditing and centralised log monitoring should surface immediately. If your organisation does not have a current baseline inventory of legitimate system accounts on SD-WAN management components, creating one is the prerequisite for detecting the next incident of this type.
Upgrading to a patched version of Cisco Catalyst SD-WAN is the immediate priority for any organisation running affected versions. Given the confirmed exploitation history of this vulnerability, treating the patch as routine scheduled maintenance rather than urgent remediation is not an appropriate response. Network operations teams should validate their current SD-WAN Manager, Controller, and Validator versions against the patched version list and schedule upgrades on an accelerated timeline.
Beyond the immediate patch, the incident highlights the value of monitoring administrative access to SD-WAN management interfaces. Reviewing audit logs for unusual file uploads, unexpected account creations, and changes to system configuration files provides the detection surface that the attacker's anti-forensic techniques were designed to defeat. Baseline monitoring of which system accounts should exist on SD-WAN management components, and alerting on the creation of any new system-level account, is a detection control that would have surfaced the troot account creation in the Mandiant incident.
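The account-baseline control described above, as an added example that is not Cisco's tooling: two constructed /etc/passwd snapshots (a baseline and a post-incident copy) are diffed, and every account absent from the baseline is scored on whether it has UID 0, an interactive shell, or a name within one edit of an existing account. The "vmanage" service account and the other entries are invented for the example; troot is the name from the Mandiant case as this page reports it.

```python
# Constructed baseline and post-incident copies of /etc/passwd. The account layout,
# including the "vmanage" service user, is illustrative rather than Cisco's.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage:x:1000:1000:vmanage:/home/vmanage:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + """\
troot:x:0:0::/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map account name -> fields we care about, skipping blanks and comments."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def edit_distance(a, b):
    """Levenshtein distance; catches lookalikes such as a one-letter prefix on 'root'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_accounts(baseline_text, current_text):
    """Compare current accounts to the baseline and explain every deviation."""
    baseline, current = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, acct in current.items():
        reasons = []
        if name in baseline:
            if acct == baseline[name]:
                continue
            reasons.append("existing account changed")
        else:
            reasons.append("not in baseline")
            if acct["uid"] == 0:
                reasons.append("uid 0")
            if acct["shell"] not in NOLOGIN_SHELLS:
                reasons.append("interactive shell")
            for known in baseline:
                if edit_distance(name, known) <= 1:
                    reasons.append(f"resembles {known}")
        high = any(r in ("uid 0", "existing account changed") or r.startswith("resembles")
                   for r in reasons)
        findings.append({"name": name, "severity": "high" if high else "review", "reasons": reasons})
    for name in baseline:
        if name not in current:
            findings.append({"name": name, "severity": "high", "reasons": ["removed from baseline"]})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print(f"{f['severity']:6} {f['name']:10} {', '.join(f['reasons'])}")
```

In this sample troot is flagged high on three counts (UID 0, a login shell, and a name one edit away from root), while the constructed backup account is merely queued for review. The baseline file has to be stored off the appliance and taken from a known-good build, otherwise an attacker who already has root can simply edit the baseline too.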
CVE-2026-20245 allows an attacker who already has access to an administrative account on Cisco Catalyst SD-WAN Manager to escalate their privileges to root-level shell access on the underlying operating system. From that position, the attacker can execute arbitrary commands, create persistent accounts, modify system configuration, and access credentials or routing policies managed through the SD-WAN platform. The vulnerability itself does not provide initial access: it converts existing admin-level access into root-level access.
CVE-2026-20182 and CVE-2026-20245 are separate vulnerabilities with different identifiers and different exploitation methods. CVE-2026-20182 is an authentication bypass that was exploited in a different campaign. CVE-2026-20245 is a privilege escalation via command injection in the file upload feature, exploited by the threat actor Mandiant investigated. Both affect Cisco Catalyst SD-WAN infrastructure, and organisations running affected software should ensure they have addressed both vulnerabilities in their patch planning.
The file name evil_tenant.csv matters mainly as a documentation artefact: it is the name under which Mandiant's account records the malicious upload, and it is useful for cross-referencing that report. Operationally, the format matters more than the name. The attacker chose CSV because it corresponds to a legitimate administrative operation in SD-WAN Manager, namely importing tenant configuration. A file name is attacker-chosen and trivially changed, so no monitoring system should expect it to recur; detection has to key on the import operation itself and on the command execution that follows it, not on the name of the file.
Mandiant established the timeline by comparing timestamps of the attacker's activity in the compromised environment's logs with the date Cisco issued its advisory. The earliest attacker actions predated the advisory by at least two months. This is consistent with a zero-day scenario in which the threat actor discovered or acquired the vulnerability independently of the normal security research and disclosure process, and began using it before the affected vendor was aware of the issue.
For a service provider the risk is compounded relative to a single-organisation deployment. A service provider's SD-WAN Manager instance typically has visibility into and control over the network configurations of all managed customer environments. An attacker with root access to that management plane can potentially observe routing policies, configuration data, and credentials across the entire customer portfolio. The Mandiant incident involved a service provider, which reflects the strategic value of targeting management infrastructure that controls multiple downstream environments simultaneously.
Detection has to go beyond point-in-time integrity checks. The attacker's anti-forensic behaviour in this incident, specifically the deletion and restoration of configuration files, means that a filesystem integrity check that only compares the current state against a baseline is insufficient on its own. Continuous logging of file access and modification events, including intermediate states, provides more complete detection. Monitoring SD-WAN Manager logs for unexpected CSV import operations from admin accounts, new system account creation, and outbound network connections from management plane components that do not correspond to known operational patterns are all relevant detection controls.
Restricting administrative access is a sound compensating control regardless of this specific vulnerability. Limiting SD-WAN Manager access to specific source IP addresses, requiring multi-factor authentication for all administrative accounts, and enforcing role separation so that the accounts used for routine management operations do not also have the ability to perform file imports are all measures that reduce the attack surface that CVE-2026-20245 requires. A compromised admin credential is the pre-requisite for exploiting this vulnerability, so reducing the exposure of admin credentials is the most direct preventive measure available before upgrading to a patched version.
Incidents like this one rarely announce themselves through official channels first. Indicators of active exploitation, compromised infrastructure, and stolen credentials circulate in closed forums and private channels well before any public advisory reaches your security team. By the time a vulnerability makes it into a published report, organisations without early visibility are already operating behind the curve.
Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news, with context about emerging threats matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.