In June 2026, Mandiant reported on a threat actor exploiting a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager. The vulnerability allowed the attacker to escalate privileges from a compromised admin account to root access by uploading a malicious CSV file. The actor kept a low profile by employing anti-forensic techniques, such as altering system files and then restoring them to their original content.
Key observations included unauthorized peering for initial access, manipulation of administrative credentials, and extensive cleanup efforts to erase traces of their activities. The findings highlight vulnerabilities in SD-WAN infrastructure, emphasizing the need for immediate patching and hardening of security protocols to prevent similar intrusions in the future.
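The alter-and-restore behaviour described above is worth pausing on from a detection standpoint: a file-integrity check that only compares content hashes sees the restored file as identical to its baseline and reports nothing. The following added example (not code from Mandiant, Cisco, or the report itself) records the inode number and ctime alongside the SHA-256 of each file; on POSIX filesystems ctime advances on any write or metadata change and cannot be reset with `utime`, so a file whose bytes match the baseline but whose ctime moved has been touched in between. Paths, records and the temporary files used in the demonstration are constructed for illustration; the `snapshot`, `classify` and `audit` functions are hypothetical names, not any product's API.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """Content hash plus the metadata an in-place restore cannot put back."""
    path: str
    sha256: str
    ctime_ns: int
    inode: int


def snapshot(path: str) -> FileRecord:
    """Hash a file and capture its inode number and ctime (POSIX semantics assumed)."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return FileRecord(path, digest.hexdigest(), st.st_ctime_ns, st.st_ino)


def classify(baseline: FileRecord, current: FileRecord) -> str:
    """Compare two records of the same path and name what happened to the file."""
    if current.sha256 != baseline.sha256:
        return "modified"          # content differs from the baseline
    if current.inode != baseline.inode:
        return "replaced"          # same bytes, but the file was recreated (cp/mv over it)
    if current.ctime_ns != baseline.ctime_ns:
        return "touched"           # same bytes, same inode, metadata changed: alter-and-restore
    return "unchanged"


def audit(baseline: dict[str, FileRecord], current: dict[str, FileRecord]) -> dict[str, str]:
    """Classify every baselined path that is still present; hash-only FIM would miss 'touched'."""
    return {p: classify(baseline[p], current[p]) for p in baseline if p in current}


def simulate_alter_and_restore() -> dict[str, str]:
    """Constructed demonstration: write a file, baseline it, alter it, restore it, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.conf")   # constructed path, not a real system file
        original = b"logging level=info\n"
        with open(path, "wb") as fh:
            fh.write(original)
        baseline = {path: snapshot(path)}

        time.sleep(0.05)                             # let the kernel's coarse clock advance
        with open(path, "wb") as fh:                 # alter ...
            fh.write(b"logging level=off\n")
        time.sleep(0.05)
        with open(path, "wb") as fh:                 # ... then restore the original bytes
            fh.write(original)

        return audit(baseline, {path: snapshot(path)})


if __name__ == "__main__":
    for path, verdict in simulate_alter_and_restore().items():
        print(f"{verdict:10s} {path}")
```

Two caveats follow from the report itself. First, the actor already had root, and root can defeat this check by shifting the system clock or writing to the block device directly, so the baseline and the audit should run from outside the box (a management host pulling hashes and `stat` output over an authenticated channel, or an appliance export). Second, `touched` also fires on legitimate `chmod`/`chown` operations, so treat it as a triage signal to correlate with admin session logs rather than as proof of tampering.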