Mandiant Traces March 2026 Root Escalation via Unpatched Cisco CVE-2026-20245 in SD-WAN Manager
Mandiant's investigation reveals months-long zero-day exploitation of Cisco SD-WAN Manager before public disclosure, one of seven SD-WAN flaws exploited in 2026. The attackers gained SSH access with an administrative account, escalated to root through crafted CLI files, and thoroughly removed evidence afterwards. The case exposes the gap between vendor disclosure timelines and real-world dwell time in critical network infrastructure.
The actor obtained initial SSH access to the SD-WAN orchestrator at a service provider, changed the admin password to maintain persistence, then used specially crafted CLI files to escalate to root. Post-exploitation cleanup deleted attack artifacts and restored configurations, consistent with living-off-the-edge tradecraft against network control planes. Mandiant's endpoint telemetry captured the exact sequence of file writes and process spawns tied to the vmanage-admin session.

Mandiant previously observed the same infrastructure targeted via CVE-2026-20127 and CVE-2026-20182 while both were still zero-days, indicating repeated focus on SD-WAN management interfaces. This fits the seven SD-WAN flaws disclosed and exploited in 2026 and Cisco's history of multi-month patch lags on orchestrator components. Procurement records show SD-WAN deployments often fall outside standard EDR coverage, which extends attacker dwell time.

Mandiant's independent technical indicators diverge from Cisco's initial statement that exploitation could not be confirmed as of 24 June. The discrepancy highlights the limits of relying on vendor self-reporting rather than third-party incident data. Contractual SLAs for SD-WAN often omit zero-day response timelines, leaving operators exposed.

Expect continued targeting of SD-WAN controllers through year-end while unpatched instances remain in production. Operators should audit default account usage and monitor for anomalous CLI file activity within 30 days of any new Cisco advisory.
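As an added illustration (not Mandiant's or Cisco's code, and not taken from the sources below), the following Python sketches the session-level correlation an operator could run over normalized host telemetry to catch the chain described here: credential change, CLI file write, root process spawn, then cleanup. The event schema, the `/opt/cli/` path, the `uid=0` marker, the default-account list and the sample events are all constructed assumptions; vManage's real log fields differ and have to be mapped onto this schema first.

```python
"""Session-level sequence detector for the admin -> root -> cleanup chain.

Added example, not vendor code. Field names, paths and sample events are
constructed for illustration and are not real Cisco log formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str  # SSH session id (constructed field; map from your collector)
    user: str
    kind: str     # login | passwd_change | file_write | proc_spawn | file_delete | config_restore
    detail: str   # path, command line or free text


# Stages in the order the investigation describes them.
STAGES = ("passwd_change", "cli_file_write", "root_spawn", "cleanup")

# Accounts treated as default/shared. Assumption: tune to the deployment.
DEFAULT_ACCOUNTS = {"admin", "vmanage-admin"}

# Assumed directory for CLI files; not a documented Cisco path.
CLI_FILE_DIR = "/opt/cli/"


def classify(ev: Event) -> Optional[str]:
    """Map a raw event to a chain stage, or None if it is not part of the chain."""
    if ev.kind == "passwd_change":
        return "passwd_change"
    if ev.kind == "file_write" and ev.detail.startswith(CLI_FILE_DIR):
        return "cli_file_write"
    if ev.kind == "proc_spawn" and "uid=0" in ev.detail:
        return "root_spawn"
    if ev.kind in ("file_delete", "config_restore"):
        return "cleanup"
    return None


def detect_chains(events, window=timedelta(hours=6), min_stages=3):
    """Return one finding per session that walks forward through >= min_stages
    stages within `window`. Stages may be skipped but not revisited backwards,
    so a delete that precedes any write does not count as cleanup."""
    by_session: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(ev.session, []).append(ev)

    findings = []
    for sid, evs in by_session.items():
        reached: Dict[str, datetime] = {}
        next_idx = 0
        for ev in evs:
            stage = classify(ev)
            if stage is None:
                continue
            idx = STAGES.index(stage)
            if idx >= next_idx:          # forward progress only
                reached[stage] = ev.ts   # first occurrence of each stage
                next_idx = idx + 1
        if len(reached) < min_stages:
            continue
        first, last = min(reached.values()), max(reached.values())
        if last - first > window:
            continue
        findings.append({
            "session": sid,
            "user": evs[0].user,
            "stages": [s for s in STAGES if s in reached],
            "span": last - first,
            "default_account": evs[0].user in DEFAULT_ACCOUNTS,
        })
    return findings


# Constructed sample telemetry: one full chain, one routine rotation,
# one maintenance session that writes and removes a CLI file without root.
T0 = datetime(2026, 3, 14, 2, 10)
SAMPLE_EVENTS = [
    Event(T0, "ssh-7f3a", "vmanage-admin", "login", "from 203.0.113.7"),
    Event(T0 + timedelta(minutes=2), "ssh-7f3a", "vmanage-admin", "passwd_change", "account vmanage-admin"),
    Event(T0 + timedelta(minutes=9), "ssh-7f3a", "vmanage-admin", "file_write", "/opt/cli/upgrade.cli"),
    Event(T0 + timedelta(minutes=10), "ssh-7f3a", "vmanage-admin", "proc_spawn", "uid=0 /bin/sh -c id"),
    Event(T0 + timedelta(minutes=38), "ssh-7f3a", "vmanage-admin", "file_delete", "/opt/cli/upgrade.cli"),
    Event(T0 + timedelta(minutes=40), "ssh-7f3a", "vmanage-admin", "config_restore", "running-config"),
    Event(T0 + timedelta(hours=1), "ssh-0b21", "netops", "login", "from 10.0.5.2"),
    Event(T0 + timedelta(hours=1, minutes=1), "ssh-0b21", "netops", "passwd_change", "account netops"),
    Event(T0 + timedelta(hours=3), "ssh-c4d9", "netops", "file_write", "/opt/cli/site-42.cli"),
    Event(T0 + timedelta(hours=3, minutes=5), "ssh-c4d9", "netops", "file_delete", "/opt/cli/site-42.cli"),
]

if __name__ == "__main__":
    for f in detect_chains(SAMPLE_EVENTS):
        print(f)
```

Only the `ssh-7f3a` session is flagged: it reaches all four stages in 36 minutes on a default account. The routine password rotation and the two-stage maintenance session fall below `min_stages` and stay quiet, which is the point of correlating by session rather than alerting on any single CLI file write.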
Cisco: Two additional SD-WAN CVEs publicly disclosed with in-the-wild exploitation evidence by 31 December 2026
Sources (3)
- [1] Primary Source: https://www.mandiant.com/resources/blog/cisco-sd-wan-zero-day
- [2] Supporting Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cli-RCE
- [3] Supporting Source: https://www.securityweek.com/cisco-sd-wan-zero-day-exploited-months-before-patching/