# Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager

_Friday, June 26, 2026 at 8:24 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_


Mandiant reported on June 24, 2026 that a threat actor exploited a zero-day vulnerability tracked as CVE-2026-20245 in Cisco Catalyst SD-WAN Manager. In early 2026 the actor targeted SD-WAN infrastructure at a service provider. After gaining initial access, the actor used the flaw to escalate privileges from a compromised administrative account to root-level access.

The vulnerability exists in the command-line interface of Cisco Catalyst SD-WAN Controllers and allows an authenticated local attacker to execute arbitrary commands as root by supplying a crafted file. The actor exploited the issue via a malicious CSV upload named `evil_tenant.csv` using the command `request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0`. Mandiant said the vulnerability stems from the device file upload feature lacking the ability to properly filter malicious data.

The actor created a root account named `troot` and performed extensive anti-forensic cleanup, including deleting files and restoring modified configurations.

Cisco released patches in versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2 and later. The vulnerability was reported to Cisco by Mandiant.
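A triage sketch for the two artifacts named above, the `request tenant-upload tenant-list` command and an extra UID 0 account such as `troot`. This is an added example, not code from Mandiant or Cisco; the log line layout and both sample inputs are constructed assumptions, and only the passwd field layout is the standard one.

```python
import re

# Command string as quoted in the report; the file path argument may differ.
TENANT_UPLOAD = re.compile(r"request\s+tenant-upload\s+tenant-list\s+(\S+)")


def uid0_accounts(passwd_text, expected=("root",)):
    """Return names of UID 0 accounts in passwd-format text not in `expected`."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # skip blank, comment and malformed lines
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        if uid == 0 and fields[0] not in expected:
            found.append(fields[0])
    return found


def tenant_upload_events(log_text):
    """Return (line_number, uploaded_path) for each tenant-upload command."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = TENANT_UPLOAD.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample data: a passwd-format export and a hypothetical
# command audit log (the real log layout on the device is not on this page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
troot:x:0:0::/root:/bin/sh
"""
SAMPLE_LOG = """\
2026-01-01T00:00:00Z user=admin cmd="show version"
2026-01-01T00:01:00Z user=admin cmd="request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0"
"""

if __name__ == "__main__":
    for name in uid0_accounts(SAMPLE_PASSWD):
        print(f"unexpected UID 0 account: {name}")
    for number, path in tenant_upload_events(SAMPLE_LOG):
        print(f"tenant-upload at log line {number}: {path}")
```

Each hit is a lead for review rather than confirmation, and because the report describes deleted files and restored configurations, an empty result does not rule out exploitation.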

## Sources

- [Google Cloud Blog](https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager)

---
Canonical: https://techandbusiness.org/newswire/X0O85GNlLhBSz1ObTpjWte
Retrieved: 2026-06-27T03:54:02.743Z
Publisher: Tech & Business (techandbusiness.org)
