Mandiant Details Cisco SD-WAN Attack That Turned a Malicious CSV Into Root Access

Mandiant says an attacker used rogue Cisco Catalyst SD-WAN peering, admin password manipulation, and CVE-2026-20245 to gain root access through a malicious CSV upload. The new details make the June SD-WAN advisories an incident-response problem, not just a patching task.

Mandiant has published new details on a Cisco Catalyst SD-WAN intrusion in which an attacker moved from unauthorized peering activity to root-level access on SD-WAN Manager, using a malicious CSV upload tied to CVE-2026-20245 and then cleaning up evidence afterward.

The Google Cloud-owned incident response firm described the case on June 24, saying it identified a threat actor targeting SD-WAN infrastructure at a service provider in early 2026. The report adds important operational detail to Cisco’s June advisories: this was not only a vulnerability disclosure, but a real intrusion against the control layer that manages how distributed networks connect.

For Cisco customers, the key point is that the SD-WAN Manager, formerly vManage, sits in a privileged position. It is not just another appliance. It orchestrates edge devices, controllers, policies, routes, and trusted relationships across branch networks, service-provider environments, cloud links, and data centers. When that control plane is compromised, the impact can reach beyond the management node itself.

What Mandiant says happened

Mandiant observed unauthorized peering connections to the victim’s SD-WAN Manager devices from late 2025 into January 2026. Those connections may have involved one of two earlier Cisco Catalyst SD-WAN controller authentication bypass flaws, CVE-2026-20127 or CVE-2026-20182, both of which were undisclosed and unpatched during at least part of the observed activity.

In March 2026, the attacker established new rogue peering connections and authenticated to the SD-WAN Manager device over SSH using the vmanage-admin account, according to Mandiant. From there, the actor changed the password of the default admin account, logged into the SD-WAN Manager web interface, and extracted SD-WAN fabric configuration data.

The password manipulation appears to have been designed to hide in ordinary administration. Mandiant says the actor later changed the admin password back before ending the session, reducing the chance that an administrator would notice something wrong during routine login.

The escalation came through CVE-2026-20245, a vulnerability in the command-line interface of Cisco Catalyst SD-WAN control components. Cisco describes it as an authenticated local privilege-escalation flaw that can allow arbitrary commands to run as root when an attacker supplies a crafted file to an affected system. Mandiant says the attacker used a malicious file named evil_tenant.csv to create a new root-level account named troot.

That detail matters because it turns the issue from a narrow privilege bug into a broader compromise story. An attacker who can add a root account to a controller can alter files, inspect sensitive configuration, preserve access, and potentially influence downstream SD-WAN behavior. Mandiant also saw deliberate cleanup: files were deleted, modified system configuration was restored, and a validation script checked whether traces of the actor’s activity had been removed.

Why this is not just another patch item

Cisco’s own remediation guidance makes the same point in quieter operational language. In a June 22 remediation document, Cisco tells customers to collect admin-tech files from all control components before upgrades or configuration changes so evidence is preserved for review. The company recommends opening a TAC case, uploading log bundles from controllers, managers, and validators, and waiting for Cisco’s assessment of possible indicators of compromise.

Cisco also says the June SD-WAN issues involve two advisories: CVE-2026-20245, the privilege-escalation flaw, and CVE-2026-20262, an arbitrary file-write vulnerability in SD-WAN Manager. Both require credentials, and the known unauthenticated routes to those credentials run through the earlier CVE-2026-20182 or CVE-2026-20127 authentication bypass flaws; valid stolen credentials remain a separate path that patching those bypasses does not close.

The practical sequencing is important. If a device was already compromised through earlier SD-WAN bugs, patching the June flaws may close one door while leaving behind stolen certificates, altered accounts, pushed configuration changes, or other residue. Cisco says an upgrade alone does not resolve a confirmed compromise, and users should follow TAC guidance if indicators are found.

What administrators should check first

For network teams, the immediate work is a mix of patch management and incident response. Cisco lists fixed releases for affected SD-WAN trains, and Mandiant names versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2, or later, as the target releases for CVE-2026-20245 remediation. Teams should verify the correct release path against Cisco’s advisory and compatibility documentation before touching production control components.

Before upgrading, preserve logs and diagnostic bundles. That is especially important because the activity Mandiant described was built to look temporary: password changes were reverted, exploit files were removed, and system files were restored. A rushed upgrade can wipe or rotate evidence that would help determine whether the environment was actually touched.

Useful review areas include unauthorized peering events, unexpected SSH access to SD-WAN Manager, unusual authentication by default administrative accounts, log entries associated with tenant-list uploads, configuration exports, unexplained changes pushed to edge devices, and any evidence of unexpected local accounts. Cisco notes that some log entries can resemble legitimate administrative actions, so the review has to be compared against the organization’s normal SD-WAN posture rather than treated as a simple keyword search.
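The point that this review is a comparison against the organization's normal posture rather than a keyword search is worth making concrete. The script below is an added example, not Mandiant's or Cisco's tooling: the log line format, event names, field names, management subnet and account list are all hypothetical, and the sample events are constructed to mirror the sequence Mandiant described (SSH as vmanage-admin from an unfamiliar source, the admin password changed and later changed again, a web login as admin, a configuration export, a tenant-list CSV upload, a root-level local account) mixed with ordinary NOC activity. The sequence rule for the password change-and-revert pattern is the part a keyword search would miss: a single password change by an administrator is routine, two changes to the default admin account by the same actor inside one session are not.

```python
"""Correlate constructed SD-WAN Manager audit events against a baseline.

Added illustration, not Cisco or Mandiant code. The log format, event and
field names below are invented for this example; adapt parse_line() to the
real SD-WAN Manager audit log or admin-tech output before use.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format). Times are UTC.
SAMPLE_LOG = """\
2026-03-03T01:05:00Z host=sdwan-mgr1 event=web_login user=noc-ops src=10.10.5.20 result=success
2026-03-03T01:07:30Z host=sdwan-mgr1 event=config_export user=noc-ops src=10.10.5.20
2026-03-03T02:11:05Z host=sdwan-mgr1 event=ssh_login user=vmanage-admin src=203.0.113.7 result=success
2026-03-03T02:12:40Z host=sdwan-mgr1 event=password_change actor=vmanage-admin target=admin
2026-03-03T02:13:02Z host=sdwan-mgr1 event=web_login user=admin src=203.0.113.7 result=success
2026-03-03T02:15:10Z host=sdwan-mgr1 event=config_export user=admin src=203.0.113.7
2026-03-03T02:16:30Z host=sdwan-mgr1 event=tenant_list_upload user=admin file=evil_tenant.csv
2026-03-03T02:17:00Z host=sdwan-mgr1 event=local_account_created name=troot uid=0
2026-03-03T02:20:45Z host=sdwan-mgr1 event=password_change actor=vmanage-admin target=admin
"""

# Hypothetical baseline: where administrators normally connect from, which
# local accounts are expected, and how close two password changes must be
# to count as a change-and-revert.
BASELINE = {
    "mgmt_nets": [ip_network("10.10.0.0/16")],
    "local_accounts": {"admin", "vmanage-admin", "noc-ops"},
    "revert_window": timedelta(hours=1),
}
DEFAULT_ACCOUNTS = {"admin", "vmanage-admin"}


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def from_mgmt_net(src: str, nets) -> bool:
    return any(ip_address(src) in net for net in nets)


def review(log_text: str, baseline=BASELINE) -> list:
    """Return findings as dicts {ts, rule, detail}, in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    last_pw_change = {}  # target account -> (ts, actor) of the previous change

    def flag(ev, rule, detail):
        findings.append({"ts": ev["ts"], "rule": rule, "detail": detail})

    for ev in events:
        kind = ev["event"]
        src = ev.get("src")
        off_net = src is not None and not from_mgmt_net(src, baseline["mgmt_nets"])
        if kind in ("ssh_login", "web_login"):
            if off_net:
                flag(ev, "login_outside_mgmt_net", f"{kind} as {ev['user']} from {src}")
            if ev["user"] in DEFAULT_ACCOUNTS:
                flag(ev, "default_account_login", f"{kind} as {ev['user']} from {src}")
        elif kind == "config_export" and off_net:
            flag(ev, "config_export_outside_mgmt_net", f"by {ev['user']} from {src}")
        elif kind == "tenant_list_upload":
            # Flag every upload, whatever the file is called; the name is incidental.
            flag(ev, "tenant_list_upload", f"{ev['user']} uploaded {ev['file']}")
        elif kind == "local_account_created":
            if ev["name"] not in baseline["local_accounts"] or ev.get("uid") == "0":
                flag(ev, "unexpected_local_account", f"{ev['name']} uid={ev.get('uid')}")
        elif kind == "password_change":
            prev = last_pw_change.get(ev["target"])
            if prev and prev[1] == ev["actor"] and ev["ts"] - prev[0] <= baseline["revert_window"]:
                flag(ev, "password_change_reverted",
                     f"{ev['actor']} changed {ev['target']} twice within {ev['ts'] - prev[0]}")
            last_pw_change[ev["target"]] = (ev["ts"], ev["actor"])
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding["ts"].isoformat(), finding["rule"], finding["detail"])
```

The NOC operator's login and export from the management subnet produce no findings; every line of the attacker's session produces at least one, and the second password change is reported as a revert because it is tied to the first one by actor, target and time rather than by any string in the line. Widen the baseline, not the rule set, when legitimate activity shows up in the output.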

Teams that previously patched for CVE-2026-20127 and CVE-2026-20182 should not assume they are finished. The new Mandiant report describes activity that may involve earlier compromise, stolen certificate material, or valid credentials. That makes credential rotation, certificate review, management-plane exposure checks, and edge-device configuration validation part of the response, not optional cleanup.

The larger SD-WAN lesson

The Cisco case is a reminder that SD-WAN security is now control-plane security. Attackers do not need to compromise every branch router if they can reach the system that defines trust, routing, policy, and device relationships across the fabric. That is why rogue peering, certificates, default administrative accounts, and configuration exports deserve the same seriousness as malware on an endpoint.

It also shows why vulnerability response for network infrastructure has to look different from desktop patching. A control-plane appliance may need evidence preservation before remediation, vendor-assisted review, careful upgrade sequencing, and post-patch validation of downstream devices. Treating it as a routine maintenance window can miss the part that matters most: whether an attacker already used the management layer to change the network.

For organizations running Cisco Catalyst SD-WAN, the safest reading of the Mandiant report is straightforward. Patch to fixed releases, but first preserve evidence. Review control-plane logs. Validate peering and certificates. Check whether edge configurations were changed. And if indicators appear, handle the environment as a suspected SD-WAN compromise rather than a closed CVE ticket.
