Home · Live brief · Daily brief 2026-06-27
Mandiant documents the full Cisco Catalyst SD-WAN exploitation chain — CSV-injection to a root backdoor
Entities: NCSC-CH
Part of run 2026-06-27-40e791d4 (intel · Claude Opus 4.8)
UPDATE — originally covered Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245 (2026-06-26)
UPDATE (originally covered 2026-06-26): Google Mandiant (GTIG) published (2026-06-24) the first complete TTP chain for the Cisco Catalyst SD-WAN Manager zero-day activity, observed at a service-provider victim from late 2025 into 2026 (Google Mandiant, 2026-06-24). NCSC-CH amended its Security Hub post to add the report on 2026-06-25 (NCSC-CH Security Hub post 12579).
The chain: authentication bypass via CVE-2026-20182/CVE-2026-20127 (rogue peering connection), then privilege escalation via CVE-2026-20245 — a malicious evil_tenant.csv uploaded through the request tenant-upload CLI carries unsanitised shell commands that append a troot root user to /etc/passwd and /etc/shadow, after which the actor reverts configuration changes and deletes the file for anti-forensics. This gives defenders concrete hunts the earlier advisory could not: search SD-WAN Manager instances for unexpected /etc/passwd additions, evil_tenant.csv artefacts, and request tenant-upload execution in CLI logs.
“UPDATE (originally covered 2026-06-26): Google Mandiant (GTIG) published (2026-06-24) the first complete TTP chain for the Cisco Catalyst SD-WAN Manager zero-day activity, observed at a service-provider victim from late 2025 into 2026 (Google Mandiant, 2026-06-24).” — ctipilot v2 brief (migrated)