ctipilot.ch

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: Mandiant reconstructs the full zero-day chain

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

Mandiant (GTIG) published the first complete TTP chain on 06-24 for the Catalyst SD-WAN Manager zero-day activity, observed at a service provider: a peering/authentication bypass (CVE-2026-20127, CVE-2026-20182) leading to credential manipulation, then local privilege escalation to root via a malicious CSV upload (CVE-2026-20245) to plant a root backdoor. NCSC-CH posted on it, giving it direct Swiss relevance. Telco and public-sector SD-WAN operators should hunt for unexpected file writes under the web-UI service account and root-owned artefacts post-dating the patch.
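
The two hunt conditions above can be run as a triage pass over a file inventory exported from the appliance. This is an added example, not code from Mandiant, NCSC-CH or Cisco; the service account name, the directories, the patch time and the sample inventory are constructed placeholders to replace with the values for your deployment.

```python
# Added example: triage a file inventory for the two hunt conditions above.
# Input lines come from GNU find:  find / -xdev -type f -printf '%u\t%T@\t%p\n'
# Every account name, path and time here is a constructed placeholder.
from datetime import datetime, timezone

WEBUI_ACCOUNT = "webui-svc"   # assumption: replace with the real web-UI service account
PATCH_TIME = datetime(2026, 1, 1, tzinfo=timezone.utc)  # placeholder: when the fix was installed
EXPECTED_WEBUI_DIRS = ("/opt/webui/logs", "/opt/webui/tmp")  # assumption: known-good write paths


def under(path, dirs):
    """True if path is inside one of dirs (whole path components, not a string prefix)."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def hunt(lines, patch_time=PATCH_TIME):
    """Return (reason, detail) findings; malformed lines are reported, never dropped."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        try:
            owner, mtime, path = line.split("\t", 2)  # the path itself may contain tabs
            modified = datetime.fromtimestamp(float(mtime), tz=timezone.utc)
        except ValueError:
            findings.append(("unparsed", line))
            continue
        if owner == WEBUI_ACCOUNT and not under(path, EXPECTED_WEBUI_DIRS):
            findings.append(("webui-write-outside-expected", path))
        elif owner == "root" and modified > patch_time:
            # Expect benign hits (later updates, logs); diff against package manifests.
            findings.append(("root-file-after-patch", path))
    return findings


_T = PATCH_TIME.timestamp()
SAMPLE = [  # constructed inventory, not taken from any report
    f"root\t{_T - 86400:.1f}\t/usr/bin/example-tool",
    f"root\t{_T + 3600:.1f}\t/usr/lib/example/.cache.so",
    f"{WEBUI_ACCOUNT}\t{_T + 60:.1f}\t/opt/webui/logs/access.log",
    f"{WEBUI_ACCOUNT}\t{_T + 120:.1f}\t/var/tmp/import-0001.csv",
    "garbled line without tabs",
]

if __name__ == "__main__":
    for reason, detail in hunt(SAMPLE):
        print(f"{reason}\t{detail}")
```

Modification times can be reset by anyone with root, so a clean result from the post-patch check does not clear a host on its own.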