Security researchers have disclosed new details of the exploitation of CVE-2026-20245, a high-severity command injection vulnerability affecting Cisco Catalyst SD-WAN components, including the vManage, vSmart, and vBond controllers. According to Mandiant, the flaw was not the attackers' way in: they used it as a post-authentication privilege-escalation step after already gaining access to targeted environments, enabling them to execute arbitrary commands as root and maintain control over critical network infrastructure.
The attacks reportedly began with the establishment of unauthorized SD-WAN peering connections observed on a service provider’s network. Investigators believe the threat actors may have initially gained access through previously disclosed Cisco authentication bypass vulnerabilities or by leveraging certificates stolen during earlier compromises. Once inside, the attackers authenticated using administrative accounts, harvested configuration data from controllers and edge devices, and carefully restored modified credentials afterward to reduce the likelihood of detection.
To achieve full system compromise, the attackers exploited CVE-2026-20245 through a tenant-upload feature in the SD-WAN command-line interface. A specially crafted CSV file uploaded through that feature caused the device to run attacker-supplied commands, which backed up critical system files, modified the authentication databases, and created a rogue root-level account named "troot." That step took them from administrative access to unrestricted root control of the affected devices. The operation demonstrated a high level of sophistication, combining this privilege escalation with extensive reconnaissance and manipulation of the SD-WAN infrastructure.
Researchers also documented significant anti-forensic measures used throughout the campaign. Attackers restored altered configuration files, deleted malicious payloads and temporary artifacts, removed evidence of the rogue root account, and even executed validation scripts to confirm their tracks had been erased. Mandiant warns that some affected systems showed signs of unauthorized activity despite not being vulnerable to previously disclosed authentication flaws, raising concerns that stolen credentials or certificates may continue to be used for re-entry. Organizations running Cisco SD-WAN deployments are urged to review peering configurations, investigate indicators of compromise, collect diagnostic data, and immediately apply Cisco’s latest security updates.
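As an added example (not from the original reporting, and not Cisco or Mandiant tooling), the following script shows the kind of check an investigator could run over a controller's local account database when hunting for the rogue root-level account described above. It assumes that database is a Linux passwd-format file, which is an assumption about the platform, and flags any entry that has UID 0 without being root, matches the reported "troot" name, has an empty password field, or does not have the expected seven fields. The sample input is constructed for illustration.

```python
"""Hunt for rogue root-level accounts in a passwd-format account database.

Added example for this article; it is not Cisco or Mandiant tooling. It assumes
the affected controllers keep a Linux-style passwd file (seven colon-separated
fields) as their local account database. "troot" is the account name reported.
"""
from dataclasses import dataclass, field
from typing import List

PASSWD_FIELDS = 7             # name:passwd:uid:gid:gecos:home:shell
SUSPICIOUS_NAMES = {"troot"}  # rogue account name from the reporting above

# Constructed sample of a tampered file while the rogue account is still present.
# Only "troot" comes from the reporting; the other entries are illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:SD-WAN admin:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    line_no: int
    name: str
    passwd: str
    uid: str
    shell: str
    malformed: bool


@dataclass
class Finding:
    line_no: int
    user: str
    reasons: List[str] = field(default_factory=list)


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd text; lines with the wrong field count are kept but marked malformed."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == PASSWD_FIELDS:
            entries.append(PasswdEntry(line_no, parts[0], parts[1], parts[2], parts[6], False))
        else:
            # Keep the name so name-based checks still run; treat the rest as unknown.
            entries.append(PasswdEntry(line_no, parts[0], "", "", "", True))
    return entries


def hunt_rogue_root(text: str) -> List[Finding]:
    """Return one Finding per suspicious entry, listing every reason that fired."""
    findings = []
    for e in parse_passwd(text):
        reasons = []
        if e.malformed:
            reasons.append("unexpected field count")
        if e.uid == "0" and e.name != "root":
            reasons.append("uid 0 but not root")
        if e.name in SUSPICIOUS_NAMES:
            reasons.append("name matches reported rogue account")
        if not e.malformed and e.passwd == "":
            # An empty second field means no password is required at all.
            reasons.append("empty password field")
        if reasons:
            findings.append(Finding(e.line_no, e.name, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_rogue_root(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {', '.join(f.reasons)}")
```

Because the attackers removed the rogue account and restored the original files before leaving, a clean live passwd file proves little; run the same check over any backups, snapshots, or diagnostic bundles collected from the device, and compare the current file against a known-good copy rather than trusting its present contents alone.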

