UPDATE: Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245
From CTI Daily Brief — 2026-06-26 · published 2026-06-26
UPDATE (originally covered 2026-06-06): When we first noted CVE-2026-20245 it was a fresh Cisco advisory for a command-injection-to-root flaw in Catalyst SD-WAN Manager with confirmed exploitation but little public detail. Mandiant/GTIG has now published the forensic reconstruction, confirming the flaw was used as a zero-day at a communications service provider from late 2025 through March 2026 — months before the patch (Mandiant/GTIG, 2026-06-24).
The new substance is the kill chain: a peering-authentication-bypass foothold (CVE-2026-20127 / CVE-2026-20182) into SSH as vmanage-admin, then a crafted tenant CSV through the request tenant-upload CLI handler injecting commands that planted a backdoor troot UID-0 account, with anti-forensic clean-up (admin-password change-then-revert, history/syslog deletion). Mandiant names no threat actor. Full mechanics, ATT&CK mapping and host-level detection are in §5.
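The persistence artifact in this chain is an extra UID-0 account, so one host-level check is to scan /etc/passwd for any UID-0 entry other than root and to diff the account list against a known-good snapshot. The script below is an added example, not Mandiant's or Cisco's tooling; it assumes the Manager's underlying Linux exposes a standard /etc/passwd, and all sample lines in it are constructed (only the account name troot is taken from the brief).

```python
"""Hunt for planted UID-0 accounts in a Linux /etc/passwd snapshot.

Added example for the CVE-2026-20245 brief. Assumption: the appliance
exposes a standard 7-field /etc/passwd; the baseline snapshot would come
from a pre-incident backup or config export.
"""
from dataclasses import dataclass

# Constructed baseline (pre-incident) and current (post-incident) samples.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
CURRENT_PASSWD = BASELINE_PASSWD + "troot:x:0:0::/root:/bin/bash\n"


@dataclass(frozen=True)
class Finding:
    user: str
    uid: int
    shell: str
    reason: str


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell); reject malformed lines loudly
    rather than silently skipping them (a truncated file is itself a signal)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell


def find_rogue_uid0(text, allowed=("root",)):
    """Return a Finding for every UID-0 account whose name is not allow-listed."""
    return [
        Finding(name, uid, shell, "extra UID-0 account")
        for name, uid, _gid, _home, shell in parse_passwd(text)
        if uid == 0 and name not in allowed
    ]


def diff_accounts(baseline_text, current_text):
    """Account names added or removed relative to the known-good snapshot."""
    before = {entry[0] for entry in parse_passwd(baseline_text)}
    after = {entry[0] for entry in parse_passwd(current_text)}
    return {"added": sorted(after - before), "removed": sorted(before - after)}
```

Because the reported clean-up reverted the admin password and wiped history, a passwd diff against an offline baseline is more reliable here than trusting the live host's own logs.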