Cyber Threat Brief — June 26 2026
⚠️ This report is AI-generated. Always validate findings.
1. Cisco SD-WAN Zero-Day Exploitation Deep-Dive — CVE-2026-20245
TL;DR: Mandiant published full exploitation analysis June 25 revealing a threat actor used a malicious CSV upload to create a root-equivalent troot account on SD-WAN Manager, exploiting CVE-2026-20245 as a zero-day since March 2026 — two months before disclosure.
What’s New:
- Mandiant blog (June 25) details the full attack chain: `request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0` injects entries into `/etc/passwd` and `/etc/shadow`
- Rogue `troot` account created with a full root shell; accessed via `su` from the admin account
- Anti-forensic cleanup: attacker deleted `evil_tenant.csv`, restored configs, and ran a validation script to verify IOC removal
- Attack began March 2026 via rogue peering with `vmanage-admin`; unauthorized config pushed to edge devices
- GTI Collection IOCs available free for registered Mandiant users
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| evil_tenant.csv in /home/admin/ | File IOC | T1078.003 | SD-WAN Manager filesystem | Hunt |
| troot account in /etc/passwd | Account IOC | T1136.001 | SD-WAN Manager auth logs | Hunt |
| request tenant-upload CLI with crafted CSV | Exploit command | T1059.004 | /var/log/scripts.log | Detect |
| su troot from admin session | Lateral technique | T1078.003 | SD-WAN Manager auth logs | Detect |
| Rogue peer connections via vmanage-admin | Network IOC | T1133 | SD-WAN peering logs | Hunt |
| Validation script checking IOC removal | Anti-forensics | T1070.004 | SD-WAN Manager process logs | Hunt |
| Versions < 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 | Vuln version | T1190 | Asset inventory | Patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for SD-WAN Manager tenant-upload abuse or /etc/passwd modification via CLI |
| Elastic | None | No coverage for Cisco SD-WAN Manager exploitation |
| Sigma | None | No rule for troot account creation or evil_tenant.csv patterns |
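Since none of the listed rule sets cover these artifacts, the following starter hunt logic ties the Actionable Intel table together: it flags UID-0 accounts other than `root` in `/etc/passwd`, `request tenant-upload` CLI calls that consume a CSV, and `su` into any rogue account found. This is an added example, not code from Mandiant, Cisco or the brief; the `/etc/passwd` snapshot and the `/var/log/scripts.log` and auth-log line layouts are constructed assumptions, so the regexes will need adjusting to the real SD-WAN Manager log format.

```python
"""Starter hunt/detection logic for the CVE-2026-20245 artifacts in the brief.
Added example (not Mandiant or Cisco code); the log line layouts below are
constructed assumptions, not the real SD-WAN Manager format."""
import re
from dataclasses import dataclass

# Constructed /etc/passwd snapshot with an injected UID-0 "troot" entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/viptela_cli
vmanage-admin:x:1001:1001::/home/vmanage-admin:/bin/viptela_cli
troot:x:0:0::/home/troot:/bin/bash
"""

# Constructed lines in a hypothetical key=value layout for /var/log/scripts.log.
SAMPLE_SCRIPTS_LOG = [
    "2026-03-14T02:09:51Z user=admin cmd='show tenant-summary'",
    "2026-03-14T02:11:07Z user=admin cmd='request tenant-upload tenant-list "
    "/home/admin/evil_tenant.csv vpn 0'",
    "2026-03-14T02:15:40Z user=admin cmd='show users'",
]

# Constructed syslog-style auth lines; the "(to X)" form mirrors common su logging.
SAMPLE_AUTH_LOG = [
    "Mar 14 02:10:02 vmanage sshd[2210]: Accepted password for admin from 10.0.0.5",
    "Mar 14 02:12:30 vmanage su: (to troot) admin on pts/0",
    "Mar 14 02:20:11 vmanage su: (to root) admin on pts/1",
]


@dataclass(frozen=True)
class Finding:
    source: str      # log source from the brief's table
    technique: str   # ATT&CK id from the brief's table
    detail: str


def find_rogue_root_accounts(passwd_text, allowed=("root",)):
    """UID-0 accounts outside the allow-list (T1136.001): the 'troot' artifact."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] not in allowed:
            out.append(Finding("/etc/passwd", "T1136.001",
                               f"UID-0 account {fields[0]}"))
    return out


TENANT_UPLOAD_RE = re.compile(r"request\s+tenant-upload\s+\S+\s+(\S+\.csv)", re.I)


def find_tenant_upload_csv(lines):
    """Any tenant-upload CLI call that consumes a CSV (T1059.004). The CSV path is
    reported so an analyst can see whether it lives under a user home directory."""
    out = []
    for line in lines:
        m = TENANT_UPLOAD_RE.search(line)
        if m:
            path = m.group(1)
            where = "user-writable path" if path.startswith("/home/") else "path"
            out.append(Finding("/var/log/scripts.log", "T1059.004",
                               f"tenant-upload from {where} {path}"))
    return out


SU_TARGET_RE = re.compile(r"\bsu: \(to (\w[\w-]*)\)")


def find_su_to_rogue(lines, rogue_users):
    """su into one of the rogue accounts (T1078.003); 'su to root' is not flagged."""
    out = []
    for line in lines:
        m = SU_TARGET_RE.search(line)
        if m and m.group(1) in rogue_users:
            out.append(Finding("auth logs", "T1078.003", f"su to {m.group(1)}"))
    return out


def run_hunt(passwd_text, scripts_log, auth_log):
    """Chain the three checks: rogue UID-0 names found in passwd feed the su check."""
    rogue = find_rogue_root_accounts(passwd_text)
    rogue_names = {f.detail.split()[-1] for f in rogue}
    return (rogue + find_tenant_upload_csv(scripts_log)
            + find_su_to_rogue(auth_log, rogue_names))


if __name__ == "__main__":
    for f in run_hunt(SAMPLE_PASSWD, SAMPLE_SCRIPTS_LOG, SAMPLE_AUTH_LOG):
        print(f"[{f.technique}] {f.source}: {f.detail}")
```

The passwd check is the most durable of the three: the attacker's cleanup removed the CSV and restored configs, but a second UID-0 entry is exactly the kind of artifact that survives if the validation script missed it, so run it against a fresh read of `/etc/passwd` rather than a cached inventory.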
Sources: Mandiant/Google Cloud Blog · The Hacker News · BleepingComputer
Status Updates
- CVE-2026-34908/34909/34910 (Ubiquiti UniFi OS): CISA KEV federal deadline TODAY June 26. ITW exploitation ongoing with automated rogue admin “John Sim” creation. Patch to UniFi OS 5.0.8+. Original brief.
- CVE-2025-67038 (Lantronix EDS5000): CISA KEV federal deadline TODAY June 26. OT/ICS root RCE via username injection. Patch to firmware 2.2.0.0R1. Original brief.
- CVE-2026-50656 (RoguePlanet/Windows Defender): Still UNPATCHED. Cyderes Howler Cell confirmed behavioral chain survives recompilation. 7th Defender zero-day in 10 weeks. WDAC/AppLocker remains primary mitigation. Original brief.
- CVE-2026-20262 (Cisco SD-WAN Manager): Federal deadline June 29 approaching. 8th SD-WAN CVE of 2026. Original brief.