WhySoGeek.

Cisco SD-WAN CVE-2026-20245 Root Zero-Day

Attackers gained root on Cisco Catalyst SD-WAN Manager via a malicious CSV upload months before disclosure. Here is what CVE-2026-20245 means and what to do.

Sam Carter
Cover photo: USDAgov / flickr (PDM 1.0)

A single crafted CSV file, uploaded through a normal admin feature, was enough to hand attackers a root account on Cisco's SD-WAN management plane. Worse, they had been doing it for months before anyone noticed. If you run Catalyst SD-WAN, this is a drop-everything issue.

Quick answer

CVE-2026-20245 is a command-injection flaw (CVSS 7.8) in Cisco Catalyst SD-WAN Manager, Controller, and Validator that lets an authenticated attacker run commands as root by uploading a crafted file. It was exploited as a zero-day starting around March 2026 via a malicious "evil_tenant.csv" upload that created a rogue root account named "troot." Patch immediately and hunt for that account and rogue peer connections.

Key takeaways

  • CVE-2026-20245 gives an authenticated attacker root on the SD-WAN management plane.
  • It was exploited as a zero-day at least two months before public disclosure.
  • The attack used a malicious CSV upload to create a root account called troot.
  • Exploitation could push configuration changes to downstream edge devices.
  • Patch now, then hunt for the rogue account and unexpected peer connections.

What CVE-2026-20245 is

The flaw lives in the command-line interface of three Cisco Catalyst SD-WAN components: Manager (formerly vManage), Controller (formerly vSmart), and Validator (formerly vBond). Because of insufficient validation of user-supplied input, an authenticated attacker can supply a crafted file and have its contents executed as commands with root privileges.

The CVSS score is 7.8, which sounds moderate, but the number understates the danger. This is the box that manages your entire SD-WAN fabric. Root here means control over every edge device it manages.

To exploit it, the attacker needs netadmin privileges on the appliance. In the observed intrusions, they obtained that either with valid credentials or by chaining other Cisco flaws, then used this bug to jump from admin to root.

How attackers used it

Mandiant reconstructed the real-world attack, and the technique is almost mundane in its simplicity, which is what makes it dangerous.

  1. The attacker authenticated to SD-WAN Manager, in some cases using the built-in vmanage-admin account.
  2. They used the tenant-upload feature in the SD-WAN CLI to submit a malicious file named evil_tenant.csv.
  3. The payload first backed up system files including /etc/passwd and /etc/shadow.
  4. It then created a new account named troot with root-level privileges.
  5. From there they established rogue peer connections and, in limited cases, pushed configuration changes down to edge devices.

Beginning in March 2026, the threat actor was authenticating to affected devices and building this persistence. The bug was only publicly disclosed months later, meaning defenders had no signature or advisory to work from during the entire window.

[Photo: network cabling in a data center, representing the SD-WAN fabric managed by the affected Cisco appliance. Bob Mical / flickr (BY-NC 2.0)]

Am I affected?

If you operate Cisco Catalyst SD-WAN, assume you are in scope until you confirm otherwise.

| Component                   | Former name | Affected |
|-----------------------------|-------------|----------|
| Catalyst SD-WAN Manager     | vManage     | Yes      |
| Catalyst SD-WAN Controller  | vSmart      | Yes      |
| Catalyst SD-WAN Validator   | vBond       | Yes      |

Check your running version against Cisco's advisory (cisco-sa-sdwan-privesc-4uxFrdzx) for the exact fixed releases. Edge devices that are hard to patch and sit on the network perimeter are a recurring theme in 2026, echoing the SonicWall SSLVPN mass exploitation and Check Point VPN auth bypass.

Patch and hunt for compromise

Patching closes the door, but if you were exploited before the fix, the attacker's root account is still there. Do both.

  • Apply the fixed release from Cisco's advisory to Manager, Controller, and Validator.
  • Hunt for the troot account and any other unexpected local users on the appliances.
  • Review peer connections for rogue or unrecognized entries the attacker may have added.
  • Check for copies of /etc/passwd and /etc/shadow created outside your normal maintenance windows; they are an indicator that the payload ran.
  • Rotate credentials, especially vmanage-admin, and audit any config changes pushed to edge devices since March 2026.
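The hunt steps above can be turned into a repeatable triage check. The script below is an added example written for this article, not Cisco's tooling or anything from Mandiant's report. It runs offline over constructed sample data and flags the three indicators the article names: a local account called troot (or any other non-root account with UID 0), stray copies of /etc/passwd and /etc/shadow with modification times outside a maintenance window, and peer connections missing from a known allowlist. The passwd text, file listing, peer list and maintenance window are all constructed; how you export those from a real appliance is an assumption left to your environment.

```python
"""
Added triage example for the CVE-2026-20245 hunt steps (not from the
article, Cisco or Mandiant). All inputs below are constructed sample data.
"""
import re
from datetime import datetime

# Constructed sample /etc/passwd content. Note the "troot" line with UID 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
troot:x:0:0::/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def suspicious_accounts(passwd_text, known_names=("troot",)):
    """Return (name, uid) for accounts that match the IoC name list or that
    share UID 0 without being 'root'. Either is a strong sign of the
    persistence the article describes."""
    hits = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], fields[2]
        if name in known_names or (uid == "0" and name != "root"):
            hits.append((name, uid))
    return hits


# Constructed sample file listing as (path, mtime). In practice you would
# build this from a recursive listing of the appliance filesystem (assumption).
SAMPLE_FILES = [
    ("/etc/passwd", datetime(2026, 3, 14, 2, 11)),
    ("/etc/shadow", datetime(2026, 3, 14, 2, 11)),
    ("/tmp/passwd.bak", datetime(2026, 3, 14, 2, 12)),
    ("/var/tmp/.shadow.1", datetime(2026, 3, 14, 2, 12)),
    ("/root/backup/shadow-2026-02-01", datetime(2026, 2, 1, 23, 0)),
]

# Constructed maintenance window: a legitimate backup made inside it is ignored.
MAINTENANCE_WINDOWS = [(datetime(2026, 2, 1, 22, 0), datetime(2026, 2, 2, 0, 0))]

# Matches "passwd" or "shadow" as a path component or file-name stem,
# e.g. /tmp/passwd.bak, /var/tmp/.shadow.1, /root/backup/shadow-2026-02-01.
BACKUP_PATTERN = re.compile(r"(^|[/.])(passwd|shadow)([.\-_]|$)")

LIVE_FILES = ("/etc/passwd", "/etc/shadow")


def stray_credential_backups(files, maintenance_windows):
    """Return paths that look like copies of passwd/shadow, are not the live
    files, and were modified outside every (start, end) maintenance window."""
    stray = []
    for path, mtime in files:
        if path in LIVE_FILES or not BACKUP_PATTERN.search(path):
            continue
        in_window = any(start <= mtime <= end for start, end in maintenance_windows)
        if not in_window:
            stray.append(path)
    return stray


# Constructed sample peer list and allowlist (export format is an assumption).
SAMPLE_PEERS = ["10.10.0.5", "10.10.0.6", "198.51.100.77"]
KNOWN_PEERS = {"10.10.0.5", "10.10.0.6"}


def rogue_peers(peers, allowlist):
    """Peers absent from the allowlist. Review each before calling it malicious."""
    return sorted(set(peers) - set(allowlist))


def triage(passwd_text, files, windows, peers, allowlist):
    """Run all three checks and return the findings as one dict."""
    return {
        "accounts": suspicious_accounts(passwd_text),
        "backups": stray_credential_backups(files, windows),
        "peers": rogue_peers(peers, allowlist),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_PASSWD, SAMPLE_FILES, MAINTENANCE_WINDOWS,
                      SAMPLE_PEERS, KNOWN_PEERS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run it against the sample data and it reports the troot account, the two stray copies in /tmp and /var/tmp (the February backup falls inside the maintenance window and is ignored), and the one peer not on the allowlist. Treat each finding as a lead for manual review, not as proof of compromise on its own.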

What to do right now

  • Confirm your SD-WAN Manager, Controller, and Validator versions against Cisco's advisory.
  • Schedule and apply the patched release immediately.
  • Search all three components for the troot account and remove it if present.
  • Audit peer connections and downstream device configurations for unauthorized changes.
  • Rotate admin credentials and remove management interfaces from public internet exposure.

Frequently asked questions

Why is a 7.8 CVE this urgent?

The score reflects that authentication is required, but the impact is root on the device that controls your entire SD-WAN fabric. It was also exploited as a zero-day for months, so real-world risk far exceeds what the base score suggests.

What is the clearest sign I was compromised?

A local account named troot on any SD-WAN component, or fresh copies of /etc/passwd and /etc/shadow created outside your maintenance windows. Rogue peer connections added since March 2026 are another strong indicator.

Does patching remove an attacker who already got in?

No. Patching stops new exploitation but does not delete accounts or config changes the attacker already made. You must patch and then hunt for and remove their persistence, and rotate credentials.

How did they get the admin access needed to exploit this?

Either through valid credentials or by chaining other Cisco vulnerabilities to reach netadmin, then using CVE-2026-20245 to escalate to root. This is why credential hygiene and layered patching matter, not just fixing one bug.

