The single dashboard that makes SD-WAN easy to run has become the thing attackers most want to own. Google's Mandiant team has published a detailed account of one such intrusion. A threat actor exploited a zero-day in Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20245. The flaw let it escalate from a compromised admin account to full root access, then reach into the devices the controller manages.
The flaw sits in the command-line interface of SD-WAN Manager, formerly vManage, the management plane for the whole SD-WAN fabric. Cisco's design splits the network's management and control logic from the hardware. A central software controller then orchestrates every branch site from one console. That is the operational appeal of SD-WAN. It is also why a compromise here does not stay put. Cisco confirmed that exploitation in this case pushed configuration changes down to edge devices.
How the Cisco Catalyst SD-WAN Manager attack worked
Mandiant traced the activity to a service provider. Unauthorised peering connections to the victim's SD-WAN Manager devices began there as early as late 2025. The decisive stage came in March 2026. The attacker reached an SD-WAN Manager instance over SSH and authenticated with the default vmanage-admin account. It then changed the admin account password and quietly reverted it to dodge detection. Mandiant said it could not confirm that one actor ran both the earlier and later activity.
From that foothold, the attacker exploited CVE-2026-20245 to escalate to root. The mechanism is mundane, and that is the point. The controller's file-upload feature failed to filter malicious input. A crafted CSV, uploaded through a tenant-upload command, triggered command injection. The payload created a new root-level account named troot. The attacker then switched into it from the admin account with the su command. Cisco rates the flaw 7.8 on the CVSS scale. An attacker needs netadmin privileges first, gained through stolen credentials or by chaining earlier SD-WAN bugs.
The cleanup is what stands out. The actor deleted every file it created and restored the configuration it had altered. A validation script then confirmed that nothing remained. Mandiant calls this a "living off the edge" approach. Attackers compromise network appliances precisely because those devices sit beyond the reach of traditional security tooling.
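The indicators in the chain above (an SSH login with the default vmanage-admin account, an admin password changed and then reverted within minutes, a new uid-0 account, and an su into it) can be hunted for in authentication and audit logs. The following is an added example, not code from Mandiant or Cisco. The log lines are constructed in a generic syslog-like layout, which is an assumption rather than SD-WAN Manager's real format, and the 10-minute revert window is an arbitrary threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines in a generic syslog-like layout (an assumption, not the real format).
SAMPLE_LOG = """\
2026-03-02T01:10:04Z sshd: Accepted password for vmanage-admin from 203.0.113.10
2026-03-02T01:11:30Z passwd: password changed for admin by vmanage-admin
2026-03-02T01:14:02Z passwd: password changed for admin by vmanage-admin
2026-03-02T01:20:45Z useradd: new user: name=troot uid=0 gid=0
2026-03-02T01:21:03Z su: admin to troot
2026-03-02T01:40:17Z useradd: new user: name=svc-backup uid=1002 gid=1002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+): (?P<msg>.*)$")

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append({"ts": ts, "src": m["src"], "msg": m["msg"]})
    return events

def detect(log, revert_window=timedelta(minutes=10)):
    """Return (indicator, detail) pairs in log order. The revert window is an arbitrary threshold."""
    findings = []
    changes = {}              # account -> timestamps of password changes
    root_accounts = {"root"}  # any uid-0 account created at runtime is added here
    for e in parse(log):
        src, msg = e["src"], e["msg"]
        if src == "sshd" and msg.startswith("Accepted") and "vmanage-admin" in msg:
            findings.append(("default-account-ssh-login", msg))
        elif src == "passwd":
            acct = re.search(r"for (\S+)", msg).group(1)
            times = changes.setdefault(acct, [])
            # Two changes in quick succession stand in for change-then-revert: the log
            # records that a password changed, not what it was set to.
            if times and e["ts"] - times[-1] <= revert_window:
                findings.append(("password-change-then-revert", acct))
            times.append(e["ts"])
        elif src == "useradd":
            m = re.search(r"name=(\S+) uid=(\d+)", msg)
            if m and m.group(2) == "0":
                root_accounts.add(m.group(1))
                findings.append(("new-uid0-account", m.group(1)))
        elif src == "su":
            m = re.match(r"(\S+) to (\S+)", msg)
            if m and m.group(2) in root_accounts and m.group(2) != "root":
                findings.append(("su-to-unexpected-root-account", msg))
    return findings
```

A run over the sample yields all four indicators in sequence; an ordinary uid-1002 account creation on its own produces nothing.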
Why management-plane compromise is a connectivity problem, not just a security one
For network and IT teams, the blast radius is the real story. SD-WAN Manager defines routing policy, traffic-steering rules and security configuration for every site in the fabric. Root access to that controller is not a server-level incident. It is a network-level one. An attacker in that seat can reroute branch-to-branch traffic and insert routing policies. It can also change security settings and alter how edge devices behave across hundreds of sites at once.
This is the seventh Cisco Catalyst SD-WAN flaw flagged as actively exploited in 2026. A string of authentication-bypass and privilege-escalation bugs surfaced through the spring. Several of them touch overlapping parts of the controller's codebase. That points less to isolated bugs than to accumulated security debt. The weak spots are the components that handle inter-device trust and administrative input. The pattern is the uncomfortable flip side of software-defined networking. As the orchestrator becomes the network, it also becomes the prize.
That tension ran through end-user talk at InfoComm 2026. One question kept surfacing: is a vendor's kit safe to put on a corporate network? Nyere Hollingsworth, Managing Director of Endpoints and Workplace Experience Technologies at law firm Winston Taylor, told UC Today that the duty runs both ways between buyer and manufacturer:
"You have to be thoughtful and strategic about how you deploy systems, what systems you actually buy and purchase, and the things that you do to secure and configure them on your network."
Hollingsworth's point lands harder against a controller-level breach than against any single endpoint. Cisco's Espen Løberg made the case at InfoComm for folding networks, devices and management into one intelligent layer. That same convergence raises the stakes when the layer itself comes under attack.
What Cisco Catalyst SD-WAN customers should do now
Cisco disclosed the vulnerability on 5 June and shipped fixes about a week later. The patched releases are 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2. Every deployment type is affected, including on-premises, Cloud-Pro, Cisco-managed cloud and FedRAMP environments. Internet-exposed Manager instances carry the highest risk.
One caveat matters for teams that patched earlier flaws in May. The releases that fixed the precursor authentication-bypass do not fix this one, so a separate upgrade is needed. Cisco also warns that the fix alone will not secure an environment where logs already show signs of abuse. Because the attacker's cleanup was thorough, teams should also reconcile every edge device that may have taken configuration from a suspect controller against their change-management records. Anyone who suspects a compromise should collect admin-tech bundles before upgrading and call Cisco's Technical Assistance Center for recovery.
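One way to carry out that reconciliation, as an added example rather than Cisco's tooling: normalise each edge device's current configuration, diff it against the recorded baseline, and classify every drift line as covered by an approved change ticket or as unapproved. The snapshot, baseline and ticket ledger are constructed, and the line syntax is a simplified placeholder rather than real SD-WAN device configuration.

```python
# Constructed data: the line syntax is a simplified placeholder, not real SD-WAN device config.
BASELINE = {  # last known-good configuration per device, from change-management records
    "edge-branch-01": [
        "system host-name edge-branch-01",
        "policy route-map BRANCH-OUT permit 10",
        "security ssh-allowed-users netadmin",
    ],
}
CURRENT = {  # configuration pulled from the device after the suspect controller was in play
    "edge-branch-01": """
system host-name   edge-branch-01
! pushed 2026-03-02 by controller
policy route-map BRANCH-OUT permit 10
policy route-map BRANCH-OUT set next-hop 198.51.100.7
security ssh-allowed-users netadmin
security ssh-allowed-users troot
""",
}
# Approved change tickets as (ticket, device, action, line); only one change was authorised.
TICKETS = [
    ("CHG-4411", "edge-branch-01", "add", "policy route-map BRANCH-OUT set next-hop 198.51.100.7"),
]

def normalize(text):
    """Collapse whitespace and drop comments so cosmetic differences do not look like drift."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines

def reconcile(baseline, current, tickets):
    """For each device, split drift from baseline into ticket-approved and unapproved lines."""
    approved = {}
    for ticket, device, action, line in tickets:
        approved.setdefault(device, {})[(action, line)] = ticket
    report = {}
    for device, text in current.items():
        now, base = set(normalize(text)), set(baseline.get(device, []))
        entry = {"approved": [], "unapproved_added": [], "unapproved_removed": []}
        for action, drift in (("add", now - base), ("remove", base - now)):
            for line in sorted(drift):
                ticket = approved.get(device, {}).get((action, line))
                if ticket:
                    entry["approved"].append((ticket, line))
                else:
                    entry["unapproved_" + ("added" if action == "add" else "removed")].append(line)
        report[device] = entry
    return report
```

On the sample, the next-hop change is matched to CHG-4411 while the extra SSH user surfaces as unapproved drift to be investigated.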