Skip to main content
root@rebel:~$ cd /news/threats/cve-2026-20245-zero-day-root-privilege-escalation-in-cisco-sd-wan_
[TIMESTAMP: 2026-06-25 09:21 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2026-20245: Zero-Day Root Privilege Escalation in Cisco SD-WAN

CRITICAL Vulnerabilities #CVE-2026-20245#Cisco Catalyst#SD-WAN
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: Attackers can escalate to root privileges on Cisco SD-WAN Manager controllers after gaining administrative access via rogue peering connections.
  • [02] Affected systems: Cisco Catalyst SD-WAN Manager versions prior to 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2 are vulnerable.
  • [03] Remediation: Organizations must immediately upgrade to the fixed software releases and perform an indicator of compromise sweep using the request admin-tech command.

In early 2026, security researchers identified the active exploitation of a Zero-Day vulnerability tracked as CVE-2026-20245 targeting Cisco Catalyst SD-WAN infrastructure. According to Google Cloud, a threat actor successfully leveraged this flaw to achieve root-level Privilege Escalation on compromised SD-WAN Manager devices. This campaign highlights a growing trend of actors targeting network orchestrators to maintain stealthy, persistent access to enterprise traffic.

Technical Analysis of CVE-2026-20245 Exploitation

The vulnerability exists in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers. It stems from a failure to properly filter malicious data during file upload operations. An authenticated attacker can supply a crafted file to the system to execute arbitrary commands with root privileges.

In observed attacks, the threat actor first gained initial access by establishing rogue peering connections. This was likely achieved by exploiting earlier vulnerabilities in the peering authentication mechanism, such as CVE-2026-20127 or CVE-2026-20182. Once the rogue peering was established, the attacker used SSH access to change the password of the default admin account, which lacks root shell access by default.

How to Detect CVE-2026-20245 Exploit

To move from the admin account to root, the attacker executed the command request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0. The file evil_tenant.csv contained a payload designed to append a new user, troot, to the system’s /etc/passwd and /etc/shadow files with a User ID (UID) of 0. This granted the attacker full root access via the su command.

Defenders should monitor /var/log/scripts.log for anomalies involving vconfd_script_upload_tenant_list.sh. Additionally, auditing /var/log/auth.log for successful su executions from the admin account to unauthorized users is a primary method for identifying successful exploitation.

Anti-Forensic Techniques and Operational Security

The threat actor demonstrated high operational maturity by employing rigorous anti-forensic measures. After achieving their objectives, they deleted the malicious CSV files and restored the original /etc/passwd and /etc/shadow configurations. They even executed a validation script to confirm that all IoC markers had been removed.

This behavior makes detection difficult for a standard SOC using only basic telemetry. The actor also manipulated the admin account password back to its original state before terminating their session to avoid alerting legitimate administrators of a lockout.

Cisco Catalyst SD-WAN Manager Patch Guidance

Organizations must prioritize upgrading affected systems to mitigate the risk of root compromise. The following versions contain the necessary fixes for CVE-2026-20245:

  • 20.9.9.2
  • 20.12.7.2
  • 20.15.4.5
  • 20.15.5.3
  • 20.18.3.1
  • 26.1.1.2 or later

In addition to patching, defenders should focus on mitigating rogue peering in SD-WAN environments by following the Cisco Catalyst SD-WAN Hardening Guide. This includes implementing certificate-based authentication and restricting management access to known, trusted network segments.

Actionable Recommendations for Defenders

  1. Immediate Log Review: Collect diagnostic data using the request admin-tech command and scan for unauthorized SSH connections originating from unexpected external IP addresses.
  2. Configuration Audit: Inspect rollback files in /var/confd/rollback/ for unexpected configuration delta commits, particularly those targeting user passwords or AAA settings.
  3. Threat Hunting: Conduct proactive hunts for the TTP of appending privileged users to the password database or suspicious file copies from /usr/share/ to hidden user directories.

Advertisement