
Zero-Day Exploit in Cisco SD-WAN Manager: Attack Chain and Defenses

This article exposes the real-world tension between the operational convenience of SD-WAN orchestration and the severe security risks introduced when these centralized controllers become targets. A threat actor successfully compromised a service provider’s SD-WAN infrastructure by exploiting a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager, escalating from a compromised admin account to root access. The attack chain highlights how living off the edge—targeting network appliances to bypass traditional perimeters—can give adversaries a stealthy foothold across an entire enterprise network.
The attack unfolded in two phases. First, the threat actor established rogue peering connections using stolen certificate material (likely from previous compromises, since the known CVE-2026-20127/20182 were not exploited in the later March 2026 activity). They then used SSH to log in as vmanage-admin, changed the admin account password, exfiltrated SD-WAN fabric configurations, and reverted the password to avoid detection. Second, they exploited CVE-2026-20245 by uploading a malicious CSV file (evil_tenant.csv) via the command request tenant-upload tenant-list, which appended a new root-privileged user (troot) to /etc/passwd and /etc/shadow. After gaining su troot access, they executed extensive anti-forensic cleanup: deleted their files, restored modified configurations, and ran a validation script to confirm no forensic artifacts remained.
For serious builders, the takeaway is crystal clear: SD-WAN controllers are high-value targets that require aggressive hardening and monitoring. The article provides concrete detection criteria—watch for unauthorized SSH connections as vmanage-admin, rapid password changes in auth.log, su commands to unexpected accounts, and anomalies in /var/log/scripts.log for vconfd_script_upload_tenant_list.sh. Immediate patching to fixed software releases (e.g., 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2) is non-negotiable, and organizations must follow Cisco’s SD-WAN hardening guide. This incident underscores that network orchestrators are no longer just management planes—they are prime real estate for advanced persistent threats.


