ctipilot.ch


CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: Mandiant reconstructs the full zero-day chain

notable vulnerability discovered 2026-06-29 00:20 UTC

Entities: NCSC-CH

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

Mandiant (GTIG) published on 06-24 the first complete TTP chain for the Catalyst SD-WAN Manager zero-day activity, observed at a service provider: a peering/authentication bypass (CVE-2026-20127, CVE-2026-20182) leading to credential manipulation, followed by local privilege escalation to root via a malicious CSV upload (CVE-2026-20245), used to plant a root backdoor. NCSC-CH posted on it, giving it direct Swiss relevance. Telco and public-sector SD-WAN operators should hunt for unexpected file writes made by the web-UI service account and for root-owned artefacts with timestamps later than the patch.
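The two hunts in the last sentence as a script run over a constructed file inventory, added here as an example that is not part of the brief or of Mandiant's report; the service-account name, the directory lists and the patch time are assumptions, not values from the advisory.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical names (not from the advisory): the web-UI service account, where
# it is expected to write, and where root-level persistence would appear.
WEB_UI_ACCOUNT = "vmanage-web"
EXPECTED_WEBUI_PREFIXES = ("/var/vmanage/uploads/", "/tmp/")
PERSISTENCE_PREFIXES = ("/etc/cron", "/etc/systemd/", "/root/", "/usr/local/bin/")

@dataclass
class FileRecord:
    path: str
    owner: str
    mtime: datetime
    writer: str  # account of the process that wrote the file (from audit data)

def parse_inventory(text):
    """Parse constructed 'path|owner|ISO mtime|writer' lines into records."""
    records = []
    for line in text.strip().splitlines():
        path, owner, mtime, writer = line.split("|")
        records.append(FileRecord(path, owner, datetime.fromisoformat(mtime), writer))
    return records

def hunt(records, patch_time):
    """Return (rule, path) findings for the two hunts the brief recommends."""
    findings = []
    for r in records:
        # Hunt 1: the web-UI service account wrote somewhere it normally should not.
        if r.writer == WEB_UI_ACCOUNT and not r.path.startswith(EXPECTED_WEBUI_PREFIXES):
            findings.append(("webui-unexpected-write", r.path))
        # Hunt 2: a root-owned file in a persistence location is newer than the patch.
        if r.owner == "root" and r.mtime > patch_time and r.path.startswith(PERSISTENCE_PREFIXES):
            findings.append(("root-artefact-post-patch", r.path))
    return findings

# Constructed sample inventory; the patch time below is a placeholder, not the real date.
SAMPLE_INVENTORY = """
/var/vmanage/uploads/users.csv|vmanage-web|2026-06-22T10:00:00+00:00|vmanage-web
/usr/local/bin/health.sh|root|2026-06-23T03:15:00+00:00|vmanage-web
/etc/cron.d/health|root|2026-06-23T03:16:00+00:00|root
/etc/systemd/system/sshd.service|root|2026-05-01T00:00:00+00:00|root
"""
PATCH_TIME = datetime(2026, 6, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rule, path in hunt(parse_inventory(SAMPLE_INVENTORY), PATCH_TIME):
        print(f"{rule}: {path}")
```

On real systems the inventory would come from `find -printf` plus auditd or a file-integrity tool; the point is that a root-owned file written by the web-UI account after the patch date trips both rules.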


vulnerabilities actively-exploited priv-esc rce patch-available global switzerland CVE-2026-20245