ctipilot.ch


Mandiant documents the full Cisco Catalyst SD-WAN exploitation chain — CSV-injection to a root backdoor

notable vulnerability discovered 2026-06-27 05:17 UTC

Entities: NCSC-CH

Part of run 2026-06-27-40e791d4 (intel · Claude Opus 4.8)

UPDATE — originally covered Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245 (2026-06-26)

UPDATE (originally covered 2026-06-26): Google Mandiant (GTIG) published (2026-06-24) the first complete TTP chain for the Cisco Catalyst SD-WAN Manager zero-day activity, observed at a service-provider victim from late 2025 into 2026 (Google Mandiant, 2026-06-24). NCSC-CH amended its Security Hub post to add the report on 2026-06-25 (NCSC-CH Security Hub post 12579).

The chain: authentication bypass via CVE-2026-20182/CVE-2026-20127 (a rogue peering connection), then privilege escalation via CVE-2026-20245: a malicious evil_tenant.csv uploaded through the request tenant-upload CLI command carries unsanitised shell commands that append a troot root user to /etc/passwd and /etc/shadow. The actor then reverts the configuration changes and deletes the file for anti-forensics. This gives defenders concrete hunts the earlier advisory could not provide: search SD-WAN Manager instances for unexpected additions to /etc/passwd (any UID 0 account other than root, with a matching /etc/shadow entry), for evil_tenant.csv artefacts, and for request tenant-upload executions in CLI logs.
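The three hunts above, as an added example in Python for offline analysis of copies of /etc/passwd, the uploaded tenant CSV and the CLI log collected from an SD-WAN Manager host. This is not code from Mandiant, Cisco or NCSC-CH. The sample inputs at the bottom are constructed, and the CSV column names and the CLI-log line format are assumptions, since the brief documents neither.

```python
"""Offline hunt for the Catalyst SD-WAN Manager post-exploitation artefacts.

Added example for this brief, not Mandiant's, Cisco's or NCSC-CH's code.
It runs over collected copies of /etc/passwd, the tenant CSV and the CLI log.
The sample inputs are constructed; the CSV column names and the CLI-log
line format are assumptions (the brief does not document either).
"""
import csv
import io
import re

# Shell metacharacters that have no business inside a tenant CSV field.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Assumed CLI-log wording; adjust to the real log format on the device.
TENANT_UPLOAD_RE = re.compile(r"\brequest\s+tenant-upload\b")


def find_extra_uid0(passwd_text):
    """Names of UID 0 accounts other than root (the appended 'troot' backdoor)."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip blank, comment and malformed lines
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def find_shell_injection_fields(csv_text):
    """(row number, field) pairs for CSV cells carrying shell metacharacters."""
    hits = []
    for rownum, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for field in row:
            if SHELL_META.search(field):
                hits.append((rownum, field))
    return hits


def find_tenant_upload_commands(log_lines):
    """CLI-log lines that record a 'request tenant-upload' execution."""
    return [line for line in log_lines if TENANT_UPLOAD_RE.search(line)]


def hunt(passwd_text, csv_text, log_lines):
    """Run all three checks; returns one finding list per artefact."""
    return {
        "extra_uid0_accounts": find_extra_uid0(passwd_text),
        "csv_injection_fields": find_shell_injection_fields(csv_text),
        "tenant_upload_commands": find_tenant_upload_commands(log_lines),
    }


# --- constructed sample inputs (not real device output) ---------------------
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Column names are assumed; the payload row mimics the described technique.
SAMPLE_CSV = """tenant_name,description
acme,Legitimate tenant
evil,"x; echo 'troot:x:0:0::/root:/bin/bash' >> /etc/passwd"
"""

# Hypothetical CLI-log format.
SAMPLE_CLI_LOG = [
    "2026-01-14T03:11:50Z admin show running-config",
    "2026-01-14T03:12:07Z admin request tenant-upload evil_tenant.csv",
    "2026-01-14T03:15:42Z admin rollback configuration",
]

if __name__ == "__main__":
    for artefact, findings in hunt(SAMPLE_PASSWD, SAMPLE_CSV, SAMPLE_CLI_LOG).items():
        print(artefact, findings)
```

On a real collection, cross-check every name returned by find_extra_uid0 against /etc/shadow (the report describes both files being modified), and treat the CSV check as a triage aid: it flags any cell containing shell metacharacters, so a legitimate description containing an ampersand will also show up and needs a human look.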



vulnerabilities actively-exploited auth-bypass priv-esc global switzerland CVE-2026-20127 CVE-2026-20182 CVE-2026-20245