The flaw, tracked as CVE-2026-20245, affects Cisco Catalyst SD-WAN Controller, Catalyst SD-WAN Manager and Catalyst SD-WAN Validator, formerly known as vSmart, vManage and vBond. It allows an authenticated local attacker to execute arbitrary commands with root privileges by uploading a specially crafted file through the command-line interface. Cisco rated the vulnerability high severity, with a CVSS score of 7.8.
Google’s Mandiant researchers said exploitation was observed during an intrusion into SD-WAN infrastructure at a service provider. The attacker first gained access to the environment, then used the vulnerability to move from an administrative account to root-level control. The activity was traced to March, while Cisco’s public advisory was issued on 4 June and later updated with fixed release information.
The case adds to a growing pattern in which attackers focus on edge and network-management devices rather than conventional endpoints. Such systems often sit at privileged points in enterprise architecture and may have weaker telemetry than servers or laptops, making stealthy access harder to detect. SD-WAN managers are particularly sensitive because they control routing, policy and connectivity across distributed networks.
Investigators found that the attacker created unauthorised peering connections, used Secure Shell access, manipulated default account passwords and accessed the SD-WAN Manager web interface. Configuration details of the SD-WAN fabric were extracted. The attacker later restored account settings, an apparent attempt to avoid raising suspicion during normal administrative activity.
The vulnerability was exploited in April through a malicious CSV upload. The payload altered system files, created backups and added a root-level user account named “troot”. The attacker then used that account to gain full control. After completing the operation, the intruder deleted files, restored modified configurations and ran a validation script to check whether traces of the activity had been removed.
Cisco said exploitation requires an attacker to already hold network administrator privileges on the affected system. That access could be obtained through valid credentials or through prior exploitation of other Cisco Catalyst SD-WAN flaws, including CVE-2026-20182 and CVE-2026-20127. Both relate to authentication and peering mechanisms and have heightened scrutiny of SD-WAN management infrastructure.
The chronology has sharpened concerns among defenders because unauthorised peering activity was seen from late 2025 to January 2026, before further activity emerged in March. Researchers have not confirmed that all phases were conducted by the same actor. Cisco separately linked earlier SD-WAN exploitation to a threat group tracked as UAT-8616, which had targeted vulnerable controller infrastructure.
Cisco initially said there were no workarounds for CVE-2026-20245 and urged customers to upgrade to fixed software and verify edge-device configurations. Its updated advisory listed fixed releases, including 20.15.4.5 and 20.15.5.3, and advised administrators to review logs for signs of unauthorised access, unexpected peering connections and suspicious command execution.
The attack chain shows why credential security alone may not be sufficient. Once an attacker reaches an administrative account, privilege escalation can turn limited management access into system-level control. From there, changes to routes, policies and connected edge devices can give intruders a powerful vantage point inside corporate networks.
The affected technology is widely used by large, distributed organisations such as banks, retailers, healthcare groups, technology providers and managed service firms. SD-WAN helps route traffic between offices, data centres and cloud platforms, but the same centralised design can magnify risk when management systems are compromised.
Security teams have been advised to treat SD-WAN controllers as critical assets rather than routine network appliances. That means restricting management access, removing unnecessary internet exposure, enforcing strong administrative controls, checking certificates, reviewing peering relationships and preserving logs that may otherwise be unavailable after attacker cleanup.
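As an added, defender-side example that is not part of the article and is not code from Cisco or Mandiant, the following Python script shows the kind of review the advisory and the closing recommendations call for: checking a controller's account database for extra root-level users (the "troot" pattern), and scanning preserved logs for default-account password changes, peering connections outside an approved list, and CSV uploads through the CLI. The /etc/passwd snapshot and the syslog-style lines are constructed for this example, and their format is hypothetical; real SD-WAN Manager log formats differ, so the regular expressions would need to be adapted to the actual sources, ideally run against a forwarded copy of the logs rather than the device itself, since attacker cleanup can remove local traces.

```python
import re

# Constructed /etc/passwd snapshot (not from the incident). The second UID-0
# entry mirrors the root-level "troot" account described in the article.
PASSWD_SNAPSHOT = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed syslog-style lines in a hypothetical format. Real SD-WAN Manager
# logs differ; these only illustrate the indicators a reviewer looks for.
SAMPLE_LOG = """\
2026-03-02T01:12:41Z manager sshd[1201]: Accepted password for admin from 198.51.100.7 port 52212
2026-03-02T01:13:05Z manager passwd[1210]: password changed for admin
2026-03-02T01:15:22Z manager peering[1300]: peer connection established from 203.0.113.9
2026-03-02T01:16:02Z manager cli[1344]: file upload path=/tmp/users.csv user=admin
2026-03-02T01:20:00Z manager peering[1300]: peer connection established from 10.0.0.5
"""

# Assumed allowlists for this example: known peers and the built-in account.
APPROVED_PEERS = {"10.0.0.5", "10.0.0.6"}
DEFAULT_ACCOUNTS = {"admin"}

PEER_RE = re.compile(r"peer connection established from (\S+)")
PASSWD_RE = re.compile(r"passwd\[\d+\]: password changed for (\S+)")
UPLOAD_RE = re.compile(r"cli\[\d+\]: file upload path=(\S+) user=(\S+)")


def find_extra_uid0_accounts(passwd_text):
    """Return the names of non-root accounts whose UID is 0."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash on them
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def review_log(log_text, approved_peers=APPROVED_PEERS,
               default_accounts=DEFAULT_ACCOUNTS):
    """Return (timestamp, category, detail) findings for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        ts = line.split(" ", 1)[0]
        if m := PEER_RE.search(line):
            # Peering from an address outside the approved set
            if m.group(1) not in approved_peers:
                findings.append((ts, "unexpected_peer", m.group(1)))
        elif m := PASSWD_RE.search(line):
            # Password change on a default/built-in account
            if m.group(1) in default_accounts:
                findings.append((ts, "default_account_password_change", m.group(1)))
        elif m := UPLOAD_RE.search(line):
            # File upload through the CLI; CSV uploads were the vector here
            if m.group(1).lower().endswith(".csv"):
                findings.append((ts, "cli_csv_upload", f"{m.group(2)}:{m.group(1)}"))
    return findings


if __name__ == "__main__":
    for name in find_extra_uid0_accounts(PASSWD_SNAPSHOT):
        print(f"extra UID 0 account: {name}")
    for ts, category, detail in review_log(SAMPLE_LOG):
        print(f"{ts} {category} {detail}")
```

The account check is deliberately independent of the log review: a second UID-0 entry is visible in the account database even after log files have been deleted, which is why comparing the current account list against a known-good baseline belongs in the same review as the log search.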