How attackers used a spreadsheet upload to plant a root backdoor inside a company's entire network fabric
A CSV file is one of the most boring objects in enterprise computing: a plain-text list of values, the kind of thing an operations team uploads to provision new tenants. In April 2026, attackers used exactly that mechanism to rewrite the operating system's user database on a Cisco network controller, create a hidden root account, and gain the authority to silently reconfigure every router and edge device the controller managed. The file was named evil_tenant.csv. It was deleted before anyone noticed it existed.
The more alarming detail is what happened after the attacker achieved root access: they put everything back. The backdoor account was removed. The system files were restored. The admin password was reset to its original value. A purpose-built script ran to verify that no forensic trace remained. When Mandiant's investigators arrived, the logs were clean, the system looked untouched, and the full scope of what the attacker did with root access on a network controller managing an entire communications provider's SD-WAN fabric could not be determined. Clean logs, in this case, are not evidence of no compromise. They are evidence of a skilled attacker who planned their exit before they planned their entry.
This is the seventh Cisco SD-WAN zero-day confirmed exploited in 2026. The vulnerability, tracked as CVE-2026-20245, affects every deployment type: on-premises, cloud, and the FedRAMP environment used by U.S. federal agencies. Cisco began releasing patches on June 10, 2026, but the exploitation began in April, two months before public disclosure.
The Context
Software-defined wide area networking (SD-WAN) lets large organizations manage hundreds or thousands of branch office routers from a single control point. Instead of configuring each router individually, a network team makes changes in one place—the SD-WAN Manager—and those changes propagate automatically to every device in the fabric.
Cisco Catalyst SD-WAN Manager (historically called vManage) is one of the most widely deployed SD-WAN platforms in enterprise and government environments. Its authority over the fabric is total: whoever controls the Manager controls the network.
The Attack, Phase by Phase
Phase 1: Rogue Peering and Initial Foothold
From late 2025 through January 2026, the attacker established unauthorized SD-WAN peering connections against the victim communications provider. By abusing the certificate-based peering mechanism—likely through authentication bypass flaws CVE-2026-20127 or CVE-2026-20182—the attacker inserted a rogue peer that the fabric treated as a legitimate network component.
A second wave began in March 2026, targeting a device already patched against those flaws. Cisco's assessment: the attacker reused stolen certificate material from the earlier compromise. The fabric trusted the certificate. The certificate had been stolen. The fabric had no way to know the difference.
Phase 2: Credential Manipulation and Fabric Reconnaissance
With a trusted foothold, the attacker authenticated to SD-WAN Manager over SSH using the vmanage-admin account. They changed the admin password—locking out defenders—then accessed the management web interface and exfiltrated the full SD-WAN fabric configuration: every edge device, every controller, every provisioning template. The attacker had a complete network map before making a single change.
Phase 3: Zero-Day Exploitation and Root Backdoor Creation
The vmanage-admin account has broad management privileges but not root access to the underlying Linux OS. CVE-2026-20245 closed that gap.
The attacker uploaded a file called evil_tenant.csv using the SD-WAN Manager's tenant file upload feature—designed for legitimate administrative use. The Manager does not properly validate uploaded file contents before processing them.
The payload backed up two critical Linux system files: /etc/passwd (user accounts) and /etc/shadow (stored passwords). It then appended new entries to both, creating a user named troot with UID 0—the numeric identifier Linux uses to designate root. Any account with UID 0 has full root authority regardless of its name. The attacker ran su to switch from vmanage-admin into troot, achieving unrestricted root control over the SD-WAN Manager and, by extension, every downstream edge device in the fabric.
Phase 4: Anti-Forensic Cleanup and Evidence Destruction
After achieving their objectives, the attacker executed a cleanup sequence Mandiant described as demonstrating considerable operational maturity. evil_tenant.csv was deleted. /etc/passwd and /etc/shadow were restored from the backups the payload had created, removing troot entirely. The admin password was reset to its original value. A validation script then confirmed all forensic indicators had been removed before the attacker terminated the session.
Mandiant could not fully reconstruct what the attacker did with root access. The absence of log evidence, Mandiant noted explicitly, should not be treated as confirmation that nothing happened.
What Made This Possible
- The management plane had no privilege boundary below root. The vmanage-admin account could reach the tenant upload feature. The tenant upload feature could write to system files. There was no additional authentication between a management-level credential and the ability to modify /etc/passwd. The path from "network admin" to "root on the OS" was a single malformed file upload.
- The trust model assumed peering certificates were uncompromised. SD-WAN peering works correctly when certificates are secure. When certificates are stolen, the fabric cannot distinguish a rogue peer from a legitimate one. The March 2026 wave succeeded on a patched device because the trust model's core assumption had already been violated.
- The management plane generates no endpoint telemetry. EDR tools monitor servers and workstations—not network controllers. An attacker with root on an SD-WAN Manager can modify routing configurations, create accounts, and exfiltrate data without generating a single alert in the tools most organizations rely on.
What Should Have Stopped This
The defenses that would have reduced blast radius share one trait: none depend on the SD-WAN Manager's own integrity to function.
- Network segmentation for the management plane. The Manager should only be reachable from a dedicated administrative network. If the attacker cannot reach the SSH interface, Phase 2 cannot occur.
- Multi-factor authentication on management interfaces. A second factor means stolen credentials alone are insufficient. The Phase 2 session relied on a password. MFA would have blocked it.
- Integrity monitoring on critical system files. An alert on modifications to /etc/passwd or /etc/shadow would have flagged the Phase 3 payload before Phase 4 cleanup could run.
- Immutable audit logging to an external system. Logs written only locally can be deleted by root. Shipping logs to an external, append-only destination in real time puts them beyond the cleanup script's reach.
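The integrity-monitoring point deserves a concrete caveat: a file-integrity check that only hashes content is blind to the Phase 4 restore, because once the backup is copied back the hash matches the baseline again. The script below is an added illustration, not code from Cisco, Mandiant or the page; it replays the backup/append/restore sequence on a scratch file in a temporary directory (the passwd contents and the two restore styles are constructed for the demo) and shows which signals survive the cleanup. Inode and ctime are compared alongside the hash because neither can be set from userspace the way mtime can.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    sha256: str
    inode: int
    ctime_ns: int


def take_baseline(path: str) -> Baseline:
    """Record content hash plus two kernel-managed attributes of the file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return Baseline(digest, st.st_ino, st.st_ctime_ns)


def compare(path: str, base: Baseline) -> dict:
    """Which signals moved since the baseline was taken."""
    now = take_baseline(path)
    return {
        "content_changed": now.sha256 != base.sha256,
        "inode_changed": now.inode != base.inode,
        "ctime_changed": now.ctime_ns != base.ctime_ns,
    }


# Constructed stand-in for /etc/passwd; never touch the real file in a demo.
CONSTRUCTED_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash\n"
)


def simulate(restore_by_rename: bool) -> tuple:
    """Replay the page's sequence on a scratch file: baseline, attacker backup, append a
    UID-0 entry, restore the backup. Returns (signals during tampering, signals after)."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        with open(passwd, "w") as f:
            f.write(CONSTRUCTED_PASSWD)
        base = take_baseline(passwd)

        backup = passwd + ".bak"
        shutil.copy2(passwd, backup)  # the payload's backup: a new inode, mtime preserved
        with open(passwd, "a") as f:
            f.write("troot:x:0:0::/root:/bin/bash\n")  # the backdoor entry the page describes
        during = compare(passwd, base)

        if restore_by_rename:
            os.replace(backup, passwd)  # mv-style restore: content identical, inode differs
        else:
            shutil.copyfile(backup, passwd)  # cp-style restore: same inode, only ctime moves
            os.remove(backup)
        after = compare(passwd, base)
        return during, after


if __name__ == "__main__":
    for style in (True, False):
        during, after = simulate(restore_by_rename=style)
        print("rename" if style else "copy-back", "| during:", during, "| after:", after)
```

In the copy-back case the hash and inode both match the baseline after cleanup, so a scheduled hash scan reports nothing; only ctime (or a live change event) shows that the file was rewritten, and only a snapshot taken at the moment of the first alert preserves the tampered content. That is why the page's recommendation pairs integrity monitoring with real-time shipping to an external log: on the host itself, an audit watch on /etc/passwd and /etc/shadow (for example an auditd rule of the form -w /etc/passwd -p wa) delivers the event before the cleanup script can run.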
The Takeaway
This attack is the same class of failure as the Stryker Intune wipe: a privileged management tool weaponized against the organization it was built to protect. The shared failure: once an attacker holds management-plane credentials, the tool's own capabilities become the weapon, and blast radius is defined by the tool's authority, not the attacker's skill.
The seven Cisco SD-WAN zero-days confirmed exploited in 2026 are evidence of accumulated security debt in a product whose trust model was designed for operational convenience rather than adversarial conditions. Attackers have learned that network management planes offer something endpoints do not: broad authority over infrastructure combined with near-zero forensic visibility.
Patching a vulnerable system and finding clean logs is no longer sufficient to conclude no compromise occurred. If your SD-WAN infrastructure was exposed during the April–June 2026 window, clean logs are not reassurance. They are a reason to commission an independent forensic investigation.
Pattern to remember: A management plane that can modify its own operating system's user database is a management plane that can be turned against itself with a single file upload.
What changed: Attackers now build evidence destruction directly into the exploit payload, so forensic investigation cannot determine what occurred even after the vulnerability is patched and logs appear clean.
Technical Deep Dive
The Technical Mechanism
CVE-2026-20245 is a command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, classified under CWE-116 (Improper Encoding or Escaping of Output). The vulnerability exists in the tenant file upload feature, specifically in the handling of user-supplied input passed to the request tenant-upload CLI command.
The attack path requires netadmin privileges on the SD-WAN Manager. This privilege level is obtainable via stolen credentials or by chaining CVE-2026-20182 (an authentication bypass) or CVE-2026-20127 (a separate authentication bypass), both of which were also exploited as zero-days in 2026.
The exploit sequence:
- The attacker issues: request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0
- The crafted CSV payload executes shell commands due to insufficient input validation, first backing up /etc/passwd and /etc/shadow, then appending a new entry: a user named troot with UID 0 (root) and a known password hash, with /bin/bash as the shell.
- The attacker runs su troot from the active session, switching to the newly created root account.
- With UID 0, the attacker has unrestricted access to the underlying Linux OS, including the ability to push configuration changes to all downstream SD-WAN components (vSmart controllers, vBond orchestrators, and WAN edge devices).
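The root cause classified under CWE-116 is that user-supplied field values reach a command without being constrained. The following is an added example of the defensive pattern, not Cisco's code and not the real tenant-list format (the column layout tenant_name, org_name, vpn_id and the provisioning helper path are assumptions): parse the upload with a real CSV parser, accept each field only against an allow-list, reject the whole file on the first bad row, and pass values to any helper as an argv list so no shell ever interprets them.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Allow-list patterns. Nothing outside these character sets is accepted; there is
# no attempt to escape "bad" characters, because escaping is exactly the step
# CWE-116 covers and the one most easily got wrong. The first character must be
# alphanumeric, so a value can never be read as a command-line flag either.
TENANT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")
ORG_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,126}")
# Assumed column layout; the real tenant-list schema is not on the page.
EXPECTED_HEADER = ["tenant_name", "org_name", "vpn_id"]


@dataclass(frozen=True)
class Tenant:
    name: str
    org: str
    vpn_id: int


class TenantCsvError(ValueError):
    """Raised on the first row that fails validation; the whole upload is rejected."""


def parse_tenant_csv(text: str) -> list[Tenant]:
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        raise TenantCsvError("empty upload")
    if [h.strip() for h in header] != EXPECTED_HEADER:
        raise TenantCsvError(f"unexpected header {header!r}")
    tenants: list[Tenant] = []
    for lineno, row in enumerate(reader, start=2):
        if not row:  # csv.reader yields [] for blank lines
            continue
        if len(row) != len(EXPECTED_HEADER):
            raise TenantCsvError(f"line {lineno}: expected {len(EXPECTED_HEADER)} fields, got {len(row)}")
        name, org, vpn = (f.strip() for f in row)
        if not TENANT_NAME_RE.fullmatch(name):
            raise TenantCsvError(f"line {lineno}: invalid tenant_name")
        if not ORG_NAME_RE.fullmatch(org):
            raise TenantCsvError(f"line {lineno}: invalid org_name")
        if not vpn.isdigit() or int(vpn) > 65535:
            raise TenantCsvError(f"line {lineno}: invalid vpn_id")
        tenants.append(Tenant(name, org, int(vpn)))
    return tenants


def validate_upload(text: str) -> tuple[list[Tenant], str | None]:
    """(tenants, None) on success, ([], reason) on rejection."""
    try:
        return parse_tenant_csv(text), None
    except TenantCsvError as e:
        return [], str(e)


def build_provision_argv(tenant: Tenant) -> list[str]:
    """argv for a hypothetical provisioning helper. Handing subprocess.run() a list
    (never shell=True or a joined string) means no shell parses these values, so even
    a field that slipped past validation could not become a second command."""
    return [
        "/usr/local/bin/provision-tenant",  # placeholder path, not a real Cisco binary
        "--name", tenant.name,
        "--org", tenant.org,
        "--vpn", str(tenant.vpn_id),
    ]


# Constructed sample uploads: one clean, one with a shell metacharacter, one whose
# first field looks like an option.
GOOD_UPLOAD = "tenant_name,org_name,vpn_id\nacme,Acme Corp.,0\nglobex,Globex Inc,10\n"
METACHAR_UPLOAD = "tenant_name,org_name,vpn_id\nacme;id,Acme Corp.,0\n"
FLAG_UPLOAD = "tenant_name,org_name,vpn_id\n--delete,Acme Corp.,0\n"

if __name__ == "__main__":
    for label, upload in (("good", GOOD_UPLOAD), ("metachar", METACHAR_UPLOAD), ("flag", FLAG_UPLOAD)):
        tenants, err = validate_upload(upload)
        print(label, "->", err or [build_provision_argv(t) for t in tenants])
```

The two rejections matter for different reasons: the semicolon row is the classic injection shape, while the leading-dash row would be accepted by many naive validators and then be parsed as an option by whatever helper receives it. Both fall out of the same rule, an allow-list that starts with an alphanumeric character, rather than from a list of forbidden characters that has to be kept complete.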
The CVSS 3.1 base score is 7.8 (High), with the attack vector classified as Local (requiring existing CLI access), low attack complexity, and no user interaction required once the prerequisite access is obtained.
A companion vulnerability, CVE-2026-20262, is an arbitrary file write flaw in SD-WAN Manager that shares the same prerequisite access path and was disclosed in the same advisory.
Cisco confirmed that applying the software patch alone is insufficient if the system was already compromised during the exposure window. Verification requires checking scripts.log on each control component for file upload entries. Organizations within the exposure window must engage Cisco TAC for tailored remediation.
CVE and Advisories
- CVE-2026-20245: Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability. CVSS 7.8 (High). CWE-116.
- CVE-2026-20262: Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability. Companion flaw disclosed in the same advisory.
- CVE-2026-20182: Cisco Catalyst SD-WAN Authentication Bypass. Known unauthenticated path to obtain netadmin credentials.
- CVE-2026-20127: Cisco Catalyst SD-WAN Authentication Bypass. Second known unauthenticated path to obtain netadmin credentials.
Cisco PSIRT advisory: cisco-sa-sdwan-privesc-4uxFrdzx (published June 5, 2026; patches released June 10-12, 2026).
Fixed software versions: 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2.
CISA KEV entry: Added June 4, 2026. Federal remediation deadline: June 23, 2026.
MITRE ATT&CK Mapping
| Technique ID | ATT&CK name | How it appeared |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial access via exploitation of CVE-2026-20127 or CVE-2026-20182 against the SD-WAN Manager's authentication interface. |
| T1078 | Valid Accounts | Use of the vmanage-admin account with stolen or default credentials to authenticate via SSH and the management web interface. |
| T1068 | Exploitation for Privilege Escalation | Exploitation of CVE-2026-20245 via malicious CSV upload to escalate from netadmin to root (UID 0) via the troot backdoor account. |
| T1136 | Create Account | Creation of the troot local account with UID 0 by appending entries to /etc/passwd and /etc/shadow. |
| T1565.001 | Stored Data Manipulation | Modification of /etc/passwd and /etc/shadow to insert the backdoor account, then restoration of original file contents to remove forensic evidence. |
| T1005 | Data from Local System | Exfiltration of the full SD-WAN fabric configuration including edge device inventories, controller details, and provisioning templates. |
| T1070 | Indicator Removal | Deletion of evil_tenant.csv, restoration of modified system files, reversion of admin password, and execution of a validation script to confirm all forensic indicators were purged. |
| T1485 | Data Destruction | Cisco confirmed limited cases where exploitation resulted in unauthorized configuration changes pushed to downstream edge devices. |
Indicators of Compromise
Mandiant published attacker IP addresses alongside their June 25, 2026 report. Defenders should consult the Mandiant report directly for the current IOC list, as IP addresses associated with operational relay box (ORB) infrastructure rotate frequently.
Detection guidance from Cisco's remediation documentation:
- Check scripts.log on each SD-WAN control component (vManage, vSmart, vBond) for entries referencing file upload operations. The presence of tenant-upload entries in this log during the April-June 2026 window is a primary indicator.
- Review /etc/passwd and /etc/shadow for any accounts with UID 0 other than the default root account.
- Audit SSH authentication logs for the vmanage-admin account for sessions not initiated from known administrative IP ranges.
Mandiant's explicit caution: the absence of log evidence should not be treated as confirmation of no compromise. The attacker's cleanup sequence was designed to produce clean logs on a compromised system. Organizations within the exposure window should treat clean logs as inconclusive, not exculpatory.
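The three checks above are mechanical enough to script. What follows is an added example of doing so, not tooling from Cisco or Mandiant, run over constructed fixtures: the passwd text is a stand-in for /etc/passwd, the scripts.log lines use an assumed "timestamp script=... user=... file=..." layout because the real format is not on the page, and the sshd lines use OpenSSH's standard "Accepted <method> for <user> from <ip>" wording. The IP addresses and hostnames are constructed, not the Mandiant IOCs.

```python
from __future__ import annotations

import ipaddress
import re
from datetime import date

# Constructed fixtures (see lead-in); replace with file contents on a real host.
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vmanage-admin:x:1000:1000:vManage admin:/home/vmanage-admin:/bin/bash\n"
    "troot:x:0:0::/root:/bin/bash\n"
)
SCRIPTS_LOG_SAMPLE = (
    "2026-03-02T09:14:55Z script=db-backup user=vmanage-admin status=ok\n"
    "2026-04-17T02:41:10Z script=tenant-upload user=vmanage-admin file=/home/admin/evil_tenant.csv status=ok\n"
    "2026-07-01T11:00:00Z script=tenant-upload user=netops file=/home/admin/q3_tenants.csv status=ok\n"
)
AUTH_LOG_SAMPLE = (
    "Apr 17 02:38:12 vmanage sshd[4121]: Accepted password for vmanage-admin from 10.20.0.15 port 50210 ssh2\n"
    "Apr 17 02:40:01 vmanage sshd[4188]: Accepted password for vmanage-admin from 198.51.100.77 port 41300 ssh2\n"
    "Apr 17 03:05:44 vmanage sshd[4302]: Accepted publickey for netops from 10.20.0.16 port 50300 ssh2\n"
)


def extra_uid0_accounts(passwd_text: str) -> list[str]:
    """Every account with UID 0 other than root. The same split works on /etc/shadow
    (field 0 is the name) to confirm that no orphan shadow entry was left behind."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        if fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


LOG_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(.*)$")


def tenant_uploads_in_window(log_text: str, start: str, end: str) -> list[str]:
    """scripts.log lines recording a tenant-upload between two ISO dates, inclusive."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        if "script=tenant-upload" in m.group(2) and lo <= date.fromisoformat(m.group(1)) <= hi:
            hits.append(line)
    return hits


SSH_ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def ssh_logins_outside(auth_text: str, account: str, allowed_cidrs: list[str]) -> list[str]:
    """Source IPs of accepted SSH logins for `account` outside the administrative ranges."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    outside = []
    for line in auth_text.splitlines():
        m = SSH_ACCEPT_RE.search(line)
        if not m or m.group(1) != account:
            continue
        ip = ipaddress.ip_address(m.group(2))
        if not any(ip in n for n in nets):
            outside.append(m.group(2))
    return outside


if __name__ == "__main__":
    print("UID-0 accounts besides root:", extra_uid0_accounts(PASSWD_SAMPLE))
    print("tenant-upload entries in window:",
          tenant_uploads_in_window(SCRIPTS_LOG_SAMPLE, "2026-04-01", "2026-06-30"))
    print("vmanage-admin SSH from outside admin ranges:",
          ssh_logins_outside(AUTH_LOG_SAMPLE, "vmanage-admin", ["10.20.0.0/16"]))
```

Run against the fixtures, the passwd check surfaces troot, the log check keeps only the April entry, and the SSH check flags the one login from outside the administrative range. On a host where the cleanup sequence completed, the first two checks will come back empty by design; the SSH finding, if the logs were shipped off-box in time, is the one signal the attacker could not reach.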
Attribution
Unattributed. Mandiant explicitly declined to attribute the CVE-2026-20245 intrusion to any specific threat group, citing the attacker's anti-forensic cleanup as the primary obstacle to confident attribution. Mandiant framed the campaign as consistent with nation-state espionage objectives, noting that for state-sponsored actors, the ability to exploit zero-days in SD-WAN platforms "remains a premier vector for long-term strategic intelligence collection."
The related vulnerability CVE-2026-20127 was separately attributed by Cisco Talos to UAT-8616, a threat activity cluster assessed with high confidence as a highly capable actor whose infrastructure overlaps with monitored ORB networks. Tenable and other researchers have noted that UAT-8616's ORB network overlap is consistent with China-nexus espionage tradecraft, though no government has formally attributed UAT-8616 to a specific nation-state. Cisco has stated it is unclear whether the late-2025 and March-2026 peering waves were conducted by the same threat actor. UAT-8616's known privilege escalation path uses a software version downgrade technique to re-expose CVE-2022-20775, not CVE-2026-20245.
Primary Sources
- 01. Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager · Google Cloud (Mandiant) · June 25, 2026
- 02. Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability (cisco-sa-sdwan-privesc-4uxFrdzx) · Cisco PSIRT · June 5, 2026
- 03. Remediate Catalyst SD-WAN Security Advisory - June 2026 · Cisco · June 2026
- 04. CISA Adds Three Known Exploited Vulnerabilities to Catalog · CISA · June 9, 2026
- 05. Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access · BleepingComputer · June 25, 2026
- 06. Attackers Hit Cisco SD-WAN Flaw 2 Months Before Disclosure · Dark Reading · June 25, 2026
- 07. CVE-2026-20182: Cisco SD-WAN Active Exploitation (FAQ on UAT-8616) · Tenable · May 15, 2026