CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: Mandiant reconstructs the full zero-day chain
Entities: NCSC-CH
Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))
Mandiant (GTIG) published the first complete TTP chain on 06-24 for the Catalyst SD-WAN Manager zero-day activity, observed at a service provider: a peering/authentication bypass (CVE-2026-20127, CVE-2026-20182) leading to credential manipulation, then local privilege escalation to root via a malicious CSV upload (CVE-2026-20245) to plant a root backdoor. NCSC-CH has posted on it, giving it direct Swiss relevance. Telco and public-sector SD-WAN operators should hunt for unexpected file writes made by the web-UI service account and for root-owned artefacts that post-date the patch.
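The hunt guidance above as a small triage routine, added here as an example; it is not code from Mandiant, Cisco or NCSC-CH. The web-UI account name, its expected write locations, the patch timestamp, the "package-managed" prefixes excluded from the root rule and the `path|owner|ISO-mtime` inventory format are all placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholders (assumptions, not from the brief): replace with the appliance's
# real web-UI service account, its legitimate write paths and the patch time.
WEBUI_ACCOUNT = "webui-svc"
WEBUI_EXPECTED_PREFIXES = ("/var/lib/webui/", "/tmp/webui/")
PATCH_APPLIED = datetime(2026, 6, 20, tzinfo=timezone.utc)
# Paths where a patch itself legitimately drops new root-owned files (placeholder).
PACKAGE_MANAGED_PREFIXES = ("/usr/lib/",)

@dataclass(frozen=True)
class FileRecord:
    path: str
    owner: str
    mtime: datetime

def parse_inventory(text: str) -> list[FileRecord]:
    """Parse constructed 'path|owner|ISO-8601 mtime' lines into records."""
    records = []
    for line in text.strip().splitlines():
        path, owner, mtime = line.split("|")
        when = datetime.fromisoformat(mtime.replace("Z", "+00:00"))
        records.append(FileRecord(path, owner, when))
    return records

def hunt(records: list[FileRecord], patch_applied: datetime = PATCH_APPLIED) -> list[tuple[str, str]]:
    """Apply the two hunt rules from the brief; returns (path, reason) pairs."""
    findings = []
    for r in records:
        # Rule 1: the web-UI account wrote somewhere it normally should not.
        if r.owner == WEBUI_ACCOUNT and not r.path.startswith(WEBUI_EXPECTED_PREFIXES):
            findings.append((r.path, "web-UI account write outside expected locations"))
        # Rule 2: a root-owned file appeared after patching, outside package paths.
        if (r.owner == "root" and r.mtime > patch_applied
                and not r.path.startswith(PACKAGE_MANAGED_PREFIXES)):
            findings.append((r.path, "root-owned artefact post-dating the patch"))
    return findings

# Constructed sample inventory (not real appliance data).
SAMPLE_INVENTORY = """
/var/lib/webui/uploads/sites.csv|webui-svc|2026-06-22T03:14:00Z
/usr/local/bin/helper|webui-svc|2026-06-22T03:15:00Z
/usr/local/sbin/mon|root|2026-06-22T03:16:00Z
/usr/lib/vendor/pkg.so|root|2026-06-21T10:00:00Z
/etc/hostname|root|2026-05-01T00:00:00Z
"""

if __name__ == "__main__":
    for path, reason in hunt(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{path}: {reason}")
```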