Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager

Mandiant reported a 2026 intrusion against Cisco Catalyst SD-WAN infrastructure that began with rogue peering, SSH access, and password manipulation before the attacker exploited CVE-2026-20245 to gain root-level access. The actor then created a troot account, stole SD-WAN configurations, and used extensive anti-forensic cleanup to delete traces of the compromise. #CiscoCatalystSDWAN #CVE-2026-20245 #troot

Key points

  • Mandiant observed a threat actor targeting a service provider’s Cisco Catalyst SD-WAN environment in early 2026.
  • Initial access was linked to unauthorized rogue peering connections that enabled SSH access on SD-WAN Manager devices.
  • The attacker used the vmanage-admin and admin accounts to change passwords and access the web application.
  • The attacker exploited CVE-2026-20245 through a malicious CSV upload named evil_tenant.csv to obtain root-level access.
  • The intrusion created a new privileged user account named troot and used su to switch into it from admin.
  • The actor exfiltrated SD-WAN fabric configuration data and then restored or deleted files to reduce forensic visibility.
  • Mandiant noted heavy anti-forensic behavior, including file deletion, configuration rollback, and validation scripts to confirm cleanup.

MITRE Techniques

  • [T1133] External Remote Services – The attacker gained access through unauthorized peering connections that facilitated remote SSH access (‘unauthorized peering connections to facilitate SSH access’).
  • [T1078] Valid Accounts – The actor authenticated using legitimate default accounts vmanage-admin and admin to access the SD-WAN Manager (‘successfully authenticated to the SD-WAN Manager device via SSH using the vmanage-admin account’ and ‘authenticated directly … using the admin account’).
  • [T1098] Account Manipulation – The attacker changed the admin password and later reverted it to hide activity (‘execute commands to change the password of the default admin account’ and ‘change the password … back to its original state’).
  • [T1106] Native API – The actor used SD-WAN web and CLI interfaces to issue administrative requests and retrieve configuration data (‘POST /j_security_check’ and ‘GET /dataservice/…’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The attacker executed shell commands to modify files, create backups, and add the troot account (‘grep’, ‘cp -a’, ‘echo … >> /etc/passwd’).
  • [T1068] Exploitation for Privilege Escalation – CVE-2026-20245 was exploited to escalate from a compromised administrative account to root (‘allow an authenticated, local attacker to execute arbitrary commands as root’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The attacker used anti-forensic cleanup to delete files, restore configurations, and run validation checks to reduce detection (‘deleted all files they created’ and ‘restored any system configurations they modified’).
  • [T1070.004] Indicator Removal: File Deletion – The actor deleted evil_tenant.csv and other temporary or backup files (‘deleted all files they created’).
  • [T1070.009] Indicator Removal: Clear Persistence – The actor removed malicious persistence-related artifacts by restoring configuration and account-related changes (‘restored any system configurations they modified’).
  • [T1036] Masquerading – The account name troot was created to resemble a root-level identity (‘Created a user account named troot with full root privileges’).
  • [T1005] Data from Local System – The attacker exfiltrated configuration data from the SD-WAN fabric (‘exfiltrated configurations of the SD-WAN fabric’).

Indicators of Compromise

  • [IP addresses] rogue device connections and exploit activity – 126.51.108[.]152, 76.92.245[.]217, and 6 more IPs
  • [File paths] recovered or removed files involved in the intrusion – /home/admin/evil_tenant.csv, /home/admin/.orig_passwd, and 3 other items
  • [File hash SHA256] malicious CSV payload remnant – b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b
  • [Command / script names] malicious upload and validation activity – /usr/bin/vconfd_script_upload_tenant_list.sh, request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0
  • [Log / config artifacts] authentication and rollback evidence – /var/log/auth.log, /var/log/scripts.log, and /var/confd/rollback/
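As an added detection example (not part of the Mandiant report or any Cisco tooling), the script below checks /etc/passwd for a second UID-0 account such as troot, which the report says was appended with `echo … >> /etc/passwd`, and scans /var/log/auth.log for su switches into that account and SSH logins by the abused vmanage-admin default account. The passwd and auth.log samples are constructed for the example and follow the standard passwd(5) and Linux syslog formats; the IP addresses are documentation-range placeholders, not the report's indicators.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample data (not from the report): standard passwd(5) and syslog formats.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
troot:x:0:0::/home/troot:/bin/sh
"""
SAMPLE_AUTH_LOG = """Jan 14 03:12:07 vmanage sshd[2211]: Accepted password for vmanage-admin from 192.0.2.10 port 51022 ssh2
Jan 14 03:15:41 vmanage su: (to troot) admin on pts/0
Jan 14 03:15:41 vmanage su: pam_unix(su:session): session opened for user troot by admin(uid=1000)
Jan 14 09:01:00 vmanage sshd[3301]: Accepted publickey for admin from 192.0.2.20 port 40112 ssh2
"""

def rogue_uid0_accounts(passwd_text: str) -> List[str]:
    """Return every account with UID 0 whose name is not 'root'."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:      # malformed or blank line, skip it
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            rogue.append(name)
    return rogue

# su(1) logs "su: (to TARGET) SOURCE on TTY"; sshd logs "Accepted METHOD for USER from IP".
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<source>\S+) on (?P<tty>\S+)")
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")

def suspicious_auth_events(auth_text: str, watch_users: Iterable[str]) -> List[Dict[str, str]]:
    """Flag su switches into, and SSH logins as, any of the watched user names."""
    watch = set(watch_users)
    hits = []
    for line in auth_text.splitlines():
        m = SU_RE.search(line)
        if m and m.group("target") in watch:
            hits.append({"type": "su", "user": m.group("target"), "by": m.group("source")})
            continue
        m = SSH_RE.search(line)
        if m and m.group("user") in watch:
            hits.append({"type": "ssh", "user": m.group("user"), "from": m.group("ip")})
    return hits

def audit(passwd_text: str, auth_text: str) -> Dict[str, object]:
    """Combine both checks: rogue UID-0 names plus the default account the report names."""
    rogue = rogue_uid0_accounts(passwd_text)
    events = suspicious_auth_events(auth_text, rogue + ["vmanage-admin"])
    return {"rogue_uid0": rogue, "events": events}

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_AUTH_LOG))
```

On a live device, read the real /etc/passwd and /var/log/auth.log into the two functions; the report notes the actor restored modified files afterwards, so compare against preserved copies or forwarded logs rather than trusting the current on-box state alone.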

Read more: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager/