ctipilot.ch

Cisco Catalyst SD-WAN Manager pre-auth RCE (UAT-8616 prior exploitation, Feb 2026)

cve · CVE-2026-20127

Coverage timeline: 7 (first 2026-05-15 → last 2026-06-27)
Briefs: 7 (7 distinct)
Sources cited: 77 (42 hosts)
Sections touched: 0
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-27 · CTI Daily Brief — 2026-06-27
  2. 2026-06-26 · CTI Daily Brief — 2026-06-26
  3. 2026-06-16 · CTI Daily Brief — 2026-06-16
  4. 2026-06-06 · CTI Daily Brief — 2026-06-06
  5. 2026-05-15 · CTI Daily Brief — 2026-05-15
  6. 2026-W26 · CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026)
  7. 2026-W23 · CTI Weekly Summary — 2026-W23 (1–7 June 2026)

Source distribution

  • attack.mitre.org: 12 (16%)
  • sec.cloudapps.cisco.com: 7 (9%)
  • blog.talosintelligence.com: 7 (9%)
  • bleepingcomputer.com: 4 (5%)
  • thehackernews.com: 4 (5%)
  • theregister.com: 3 (4%)
  • cloud.google.com: 2 (3%)
  • security-hub.ncsc.admin.ch: 2 (3%)
  • other: 36 (47%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Cisco Catalyst SD-WAN Manager pre-auth RCE (UAT-8616 prior exploitation, Feb 2026) (2)

UPDATE: Mandiant documents the full Cisco Catalyst SD-WAN exploitation chain — CSV-injection to a root backdoor

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

UPDATE (originally covered 2026-06-26): Google Mandiant (GTIG) published (2026-06-24) the first complete TTP chain for the Cisco Catalyst SD-WAN Manager zero-day activity, observed at a service-provider victim from late 2025 into 2026 (Google Mandiant, 2026-06-24). NCSC-CH amended its Security Hub post to add the report on 2026-06-25 (NCSC-CH Security Hub post 12579).

The chain: authentication bypass via CVE-2026-20182/CVE-2026-20127 (rogue peering connection), then privilege escalation via CVE-2026-20245 — a malicious evil_tenant.csv uploaded through the request tenant-upload CLI carries unsanitised shell commands that append a troot root user to /etc/passwd and /etc/shadow, after which the actor reverts configuration changes and deletes the file for anti-forensics. This gives defenders concrete hunts the earlier advisory could not: search SD-WAN Manager instances for unexpected /etc/passwd additions, evil_tenant.csv artefacts, and request tenant-upload execution in CLI logs.

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: no-patch zero-day chain confirmed to push malicious configs to edge devices

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

If you did nothing this week: attackers with netadmin access to your Catalyst SD-WAN Manager can execute arbitrary commands as root and, per NCSC-CH's 5 June advisory update, push malicious configurations to every downstream edge device. No patch exists.

CVE-2026-20245 is a command injection in SD-WAN Manager's CLI file-upload handler (Cisco PSIRT; CTI Daily Brief 2026-06-06). An authenticated attacker with netadmin privileges injects arbitrary OS commands that execute as root (T1059.004). In the limited incidents observed, exploitation of CVE-2026-20245 resulted in malicious configurations being pushed to downstream edge devices, extending attacker control from the management plane into the forwarding plane (NCSC-CH advisory 12579, updated 2026-06-05). The realistic attack path is a three-CVE chain: CVE-2026-20182 provides unauthenticated management-interface access (T1190), CVE-2026-20127 escalates to netadmin (T1078), and CVE-2026-20245 executes OS commands as root. The first two CVEs are patched in post-14-May SD-WAN Manager builds; CVE-2026-20245 has no fix, and Cisco's only guidance is management-plane access restriction.

The forwarding-plane impact is the operationally critical new fact from this week: in transit-mode SD-WAN deployments, attacker-controlled edge-device configurations can cascade into routing-table manipulation, traffic interception, and service disruption across every site managed from the compromised Manager instance. Defender actions: apply the post-14-May SD-WAN Manager builds (patches chain entry points CVE-2026-20182/20127); ACL the management interface to a dedicated management VLAN; enforce MFA for netadmin and rotate Manager credentials; hunt the CLI audit log for anomalous file-upload events; and treat any unscheduled edge-device config-push as a hunting trigger.
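The two hunts named in the items above (unexpected /etc/passwd additions and request tenant-upload execution in the CLI audit log) are worked into one script here as an added example; it is not code from ctipilot.ch, Mandiant or Cisco. The CLI audit line layout and both sample inputs are constructed assumptions, since the page documents neither the real log format nor a sample; because the actor deletes evil_tenant.csv afterwards, the audit trail and the passwd delta are the artefacts that survive.

```python
import re

# Constructed sample SD-WAN Manager CLI audit lines. The real log format is
# not given on the page, so this "ts user=... cmd=..." layout is an assumption.
SAMPLE_CLI_LOG = """\
2026-05-02T03:11:07Z user=netops cmd="show control connections"
2026-05-02T03:14:52Z user=netops cmd="request tenant-upload evil_tenant.csv"
2026-05-02T03:15:10Z user=netops cmd="request nms configuration-db restore"
2026-05-03T09:00:00Z user=admin cmd="show running-config"
"""

# Constructed /etc/passwd snapshot; 'troot' is the extra UID-0 account the
# Mandiant chain appends, the other entries are invented filler.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage:x:1000:1000::/home/vmanage:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Matches any audit entry whose command is 'request tenant-upload <path>'.
UPLOAD_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+cmd="request tenant-upload\s+(?P<path>[^"]*)"'
)


def find_tenant_uploads(log_text):
    """Return every CLI audit entry that executed 'request tenant-upload'.

    Any hit is a hunting trigger: the page describes this command as the
    delivery path for the CSV-injection (CVE-2026-20245, T1059.004).
    """
    hits = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if m:
            hits.append({"ts": m["ts"], "user": m["user"], "path": m["path"].strip()})
    return hits


def find_rogue_uid0(passwd_text, allowed=("root",)):
    """Return account names with UID 0 that are not on the allow-list."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in allowed:
            rogue.append(fields[0])
    return rogue


if __name__ == "__main__":
    for hit in find_tenant_uploads(SAMPLE_CLI_LOG):
        print("tenant-upload executed:", hit)
    print("rogue UID-0 accounts:", find_rogue_uid0(SAMPLE_PASSWD))
```

On a real Manager, feed the exported CLI audit log and the current /etc/passwd (and compare against a known-good baseline) instead of the constructed samples.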