Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245
Part of run 2026-06-26-6bbe4619 (intel · Claude Opus 4.8 (1M context))
UPDATE — originally covered CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch) (2026-06-06)
UPDATE (originally covered 2026-06-06): When we first noted CVE-2026-20245 it was a fresh Cisco advisory for a command-injection-to-root flaw in Catalyst SD-WAN Manager with confirmed exploitation but little public detail. Mandiant/GTIG has now published the forensic reconstruction, confirming the flaw was used as a zero-day at a communications service provider from late 2025 through March 2026 — months before the patch (Mandiant/GTIG, 2026-06-24).
The new substance is the kill chain: a peering-authentication-bypass foothold (CVE-2026-20127 / CVE-2026-20182) that yielded SSH access as vmanage-admin; then a crafted tenant CSV submitted through the request tenant-upload CLI handler, whose injected commands planted a backdoor UID-0 account named troot; then anti-forensic clean-up (changing the admin password and reverting it, deleting shell history and syslog). Mandiant names no threat actor. Full mechanics, ATT&CK mapping and host-level detection are in §5.
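The one host-level artefact this brief does spell out is the backdoor troot account with UID 0. The check below is an added example, not Mandiant's or Cisco's tooling: it parses /etc/passwd content, flags any UID-0 entry other than root, and diffs the account list against a known-good baseline. The passwd lines, home directories and shells are constructed for the example; only the names root, vmanage-admin and troot come from the report.

```python
"""Detect a rogue UID-0 account (e.g. 'troot') in /etc/passwd content."""
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5) lines into a name -> entry map, skipping malformed lines."""
    entries: Dict[str, PasswdEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than crash the sweep
        name, _pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries


def rogue_uid0(entries: Dict[str, PasswdEntry], allowed=("root",)) -> List[str]:
    """Any UID-0 account that is not on the allow-list is a backdoor candidate."""
    return sorted(n for n, e in entries.items() if e.uid == 0 and n not in allowed)


def new_accounts(baseline: Dict[str, PasswdEntry],
                 current: Dict[str, PasswdEntry]) -> List[str]:
    """Accounts present now but absent from the golden baseline."""
    return sorted(set(current) - set(baseline))


# Constructed sample data (assumed layout; not from the Mandiant report).
BASELINE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash\n"
)
CURRENT_PASSWD = BASELINE_PASSWD + "troot:x:0:0::/root:/bin/bash\n"

if __name__ == "__main__":
    base, cur = parse_passwd(BASELINE_PASSWD), parse_passwd(CURRENT_PASSWD)
    print("rogue UID-0:", rogue_uid0(cur), "new accounts:", new_accounts(base, cur))
```

On a real appliance, feed it the contents of /etc/passwd and a baseline captured from a clean image; an empty result from both functions is the expected state.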