Ethical Hacking News
Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager: A Threat Actor's Stealthy Infiltration. Mandiant Services detected a threat actor exploiting CVE-2026-20245 to gain root-level access via a malicious CSV file upload. Organizations are advised to prioritize patching and upgrading to fixed software releases to prevent similar attacks.
Identified vulnerability: CVE-2026-20245, which allows privilege escalation via a malicious CSV file upload. The initial attack involved unauthorized peering connections and the use of default administrative accounts to establish SSH sessions. The malicious CSV payload contained exploit code that attempted to append entries to system configuration files and create a new user account with full root privileges. The attack leveraged a zero-day vulnerability in the device's file upload feature, allowing arbitrary commands to run as root. Additional vulnerabilities exploited: CVE-2026-20127 and CVE-2026-20182 in Cisco Catalyst SD-WAN controllers. Mitigation: upgrading to fixed software releases and implementing security measures such as hardening guidelines and monitoring script logs.
A recent vulnerability, CVE-2026-20245, has been identified as the entry point used by a threat actor in an attack against Cisco Catalyst SD-WAN Manager. The vulnerability allows privilege escalation via a malicious CSV file upload, making it critical to prioritize patching and upgrading to fixed software releases.
In early 2026, Mandiant Services detected initial unauthorized peering connections on multiple devices running the affected software. Subsequently, threat actors established rogue peer connections to authenticate via SSH using default administrative accounts, including the vmanage-admin account. After establishing an authenticated SSH session, the threat actor exploited CVE-2026-20245 by uploading a file named evil_tenant.csv.
The malicious CSV payload contained exploit code that attempted to append entries to system configuration files and create a new user account with full root privileges. The threat actor used anti-forensic techniques, such as deleting and restoring files, to maintain operational security and avoid detection.
A key observation was the exploitation of a zero-day vulnerability in the device's file upload feature, which lacked proper filtering mechanisms for malicious data. This allowed the threat actor to execute arbitrary commands as root by supplying a crafted file to the affected system.
In addition to exploiting CVE-2026-20245, the threat actor also leveraged CVE-2026-20127 and CVE-2026-20182 vulnerabilities in Cisco Catalyst SD-WAN controllers. These vulnerabilities could allow an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.
To mitigate this attack, organizations are advised to prioritize upgrading to fixed software releases, such as versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or later. Implementing Cisco Catalyst SD-WAN hardening guidelines and monitoring script logs for execution anomalies can also help identify potential security breaches.
Furthermore, defenders should audit terminal command history and system logs for successful switch-user (su) executions from the admin account to unauthorized accounts. Organizations should also monitor for suspicious password change events and query the active command execution history using the "show history" command within the Viptela CLI.
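As an added example (not code from the article, Mandiant, or Cisco), the following Python scans constructed syslog-style lines for the two signals the paragraph names: an su from the admin account to an account outside an allow-list, and a password change for that same account. It assumes a generic Linux auth-log format for su and passwd events; the real log format on the appliance may differ, so the regexes are the part to adjust.

```python
import re

# Constructed sample lines in generic Linux auth.log format (assumption: the
# appliance's underlying OS logs su/passwd events this way).
SAMPLE_LOG = """\
Jan 14 02:11:05 vmanage su[2211]: (to root) admin on pts/0
Jan 14 02:11:05 vmanage su[2211]: pam_unix(su:session): session opened for user root by admin(uid=1000)
Jan 14 02:13:40 vmanage su[2290]: (to backupsvc) admin on pts/0
Jan 14 02:13:40 vmanage su[2290]: pam_unix(su:session): session opened for user backupsvc by admin(uid=1000)
Jan 14 02:14:02 vmanage passwd[2301]: pam_unix(passwd:chauthtok): password changed for backupsvc
Jan 14 03:00:00 vmanage su[2450]: (to vmanage-admin) admin on pts/1
"""

# Assumption: accounts the organization expects "admin" to switch into.
AUTHORIZED_TARGETS = {"root", "vmanage-admin"}
WATCHED_SOURCE = "admin"

SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<source>\S+) on (?P<tty>\S+)")
PASSWD_RE = re.compile(r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")


def scan_auth_log(text):
    """Return findings for su-to-unauthorized-account and password-change events."""
    findings = []
    for line in text.splitlines():
        ts = line[:15]  # syslog timestamp prefix, e.g. "Jan 14 02:13:40"
        m = SU_RE.search(line)
        if m:
            if m["source"] == WATCHED_SOURCE and m["target"] not in AUTHORIZED_TARGETS:
                findings.append({"time": ts, "type": "su_to_unauthorized",
                                 "source": m["source"], "target": m["target"], "tty": m["tty"]})
            continue
        m = PASSWD_RE.search(line)
        if m:
            findings.append({"time": ts, "type": "password_change", "user": m["user"]})
    return findings


def correlate(findings):
    """Accounts that were both an unauthorized su target and had their password changed."""
    su_targets = {f["target"] for f in findings if f["type"] == "su_to_unauthorized"}
    changed = {f["user"] for f in findings if f["type"] == "password_change"}
    return su_targets & changed


if __name__ == "__main__":
    for f in scan_auth_log(SAMPLE_LOG):
        print(f)
    print("escalate:", correlate(scan_auth_log(SAMPLE_LOG)))
```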
The attack highlights the "living off the edge" paradigm, in which threat actors prioritize compromising network appliances to bypass traditional security perimeters. As organizations increasingly adopt software-defined networking, these devices become a primary target for threat actors. It is crucial for organizations to implement robust security measures and monitor their networks closely to prevent such stealthy infiltrations.
Related Information:
https://www.ethicalhackingnews.com/articles/Zero-Day-Exploitation-of-Vulnerability-CVE-2026-20245-in-Cisco-Catalyst-SD-WAN-Manager-A-Threat-Actors-Stealthy-Infiltration-ehn.shtml
https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager/
https://nvd.nist.gov/vuln/detail/CVE-2026-20245
https://www.cvedetails.com/cve/CVE-2026-20245/
https://nvd.nist.gov/vuln/detail/CVE-2026-20127
https://www.cvedetails.com/cve/CVE-2026-20127/
https://nvd.nist.gov/vuln/detail/CVE-2026-20182
https://www.cvedetails.com/cve/CVE-2026-20182/
Published: Wed Jun 24 09:47:00 2026 by llama3.2 3B Q4_K_M