Full Report
An unknown threat actor exploited a recently disclosed high-severity security flaw impacting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant. The vulnerability, tracked as CVE-2026-20245 (CVSS score: 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Privilege Escalation via Malicious File Upload
## CVE Details
- **CVE ID:** CVE-2026-20245
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN (formerly Viptela)
- **Versions:** Affected versions include those released prior to June 2026; specific patch levels are found in the Cisco advisory.
- **Configurations:** Systems where an attacker has obtained "netadmin" privileges (authenticated).
## Vulnerability Description
The vulnerability exists due to insufficient validation of user-supplied input during file uploads. Specifically, the system fails to properly sanitize or validate the contents of CSV files uploaded to the SD-WAN Manager. An authenticated attacker can supply a specially crafted file (e.g., `evil_tenant.csv`) to execute arbitrary commands with elevated (root) privileges on the underlying operating system.
## Exploitation
- **Status:** Exploited in the wild as a zero-day (detected as early as late 2025).
- **Complexity:** Medium (Requires valid administrative credentials).
- **Attack Vector:** Local (Command execution occurs via the management interface after authentication).
## Impact
- **Confidentiality:** High (Full access to system files, including `/etc/shadow` and fabric configurations).
- **Integrity:** High (Ability to create rogue root accounts and modify system files).
- **Availability:** High (Attacker has full shell control and can disrupt services).
## Remediation
### Patches
- Cisco has released software updates to address this vulnerability. Administrators should consult the official Cisco Security Advisory for the specific fixed release matching their deployment branch.
### Workarounds
- There are no documented functional workarounds. Hardening efforts should focus on ensuring strict access control for the `netadmin` role and rotating administrative certificates.
## Detection
- **Indicators of Compromise:**
- Presence of unauthorized local accounts, specifically an account named `troot`.
- Evidence of unauthorized modifications to `/etc/passwd` and `/etc/shadow`.
- Presence of unusual CSV files in upload directories (e.g., `evil_tenant.csv`).
- Log entries showing "netadmin" password changes followed by immediate reverts to original values.
- **Detection Methods:**
- Monitor for unauthorized peering connections from unknown controllers.
- Audit file system integrity for the creation and subsequent deletion of hidden scripts or validation tools.
- Review fabric configuration exfiltration logs.
## References
- Cisco Security Advisory: hxxps[://]trust[.]cisco[.]com/
- Mandiant/Google Cloud Blog: hxxps[://]cloud[.]google[.]com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
- The Hacker News: hxxps[://]thehackernews[.]com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html