
Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access

Why This Matters

This revelation underscores the importance of timely security updates and vigilant monitoring for operators of network infrastructure: a vulnerability like CVE-2026-20245 can be exploited to gain root access on management devices and, from there, push changes to the edge devices they control. For consumers and organizations alike, it highlights the need for proactive security practices to limit the impact of zero-day attacks that can disrupt services and expose sensitive data.

Key Takeaways

New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices.

The CVE-2026-20245 vulnerability is a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond) that allows authenticated attackers to execute arbitrary commands as root by uploading a crafted file.

Cisco said the vulnerability stemmed from insufficient validation of user-supplied input and could be exploited by authenticated attackers with local access to affected devices.
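One post-exploitation artefact the article describes is the creation of rogue root accounts. The following is an added example, not code from the article, Mandiant or Cisco: it audits a passwd-style account list from a Linux-based appliance and flags any UID 0 account that is not on a known baseline. The passwd content and the baseline set are constructed for illustration.

```python
# Added example (not from the article or from Cisco): audit a passwd-style
# account list for unexpected root-equivalent (UID 0) accounts, the kind of
# artefact the article says attackers created after exploitation.
# The sample passwd content below is constructed for illustration.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
netops:x:1001:1001::/home/netops:/bin/bash
support:x:0:0::/home/support:/bin/bash
backup:x:0:1002::/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Accounts that are legitimately UID 0 on this (hypothetical) baseline.
EXPECTED_ROOT_ACCOUNTS = {"root"}


def parse_passwd(text):
    """Yield (username, uid, gid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its meaning
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            yield name, int(uid), int(gid), home, shell
        except ValueError:
            continue  # non-numeric uid/gid: treat as malformed


def find_rogue_root_accounts(text, expected=EXPECTED_ROOT_ACCOUNTS):
    """Return usernames with UID 0 that are not on the expected baseline."""
    return sorted(
        name for name, uid, _gid, _home, _shell in parse_passwd(text)
        if uid == 0 and name not in expected
    )


if __name__ == "__main__":
    for name in find_rogue_root_accounts(SAMPLE_PASSWD):
        print(f"unexpected UID 0 account: {name}")
```

On a real device the same check runs over the contents of /etc/passwd, with the baseline set taken from a known-good configuration snapshot.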

When Cisco disclosed the flaw earlier this month, the company warned that it had been exploited in a limited number of attacks but did not provide any details.

Cisco only stated that successful exploitation allowed attackers to gain root privileges and that some incidents involved unauthorized configuration changes being pushed to edge devices.

The company released security updates and urged customers to upgrade to fixed software versions, stating that no workarounds were available.

New exploitation details emerge

In a report published today, Mandiant revealed that CVE-2026-20245 was exploited as a privilege-escalation vulnerability after attackers had already gained access to targeted SD-WAN devices.

According to the researchers, the intrusion began with unauthorized SD-WAN peering connections observed on a service provider's infrastructure.

Beginning in March 2026, the threat actor established new rogue peer connections and authenticated to affected SD-WAN Manager devices using the vmanage-admin account.
