Date: 06/25/2026
Severity: High
Summary
In early 2026, the team uncovered a threat actor targeting a service provider's SD-WAN infrastructure. Having already obtained access to an administrative account, the actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager: an unfiltered file upload feature was abused to escalate privileges from that administrative account to root. To evade detection, the actor maintained tight operational security and used anti-forensic techniques, selectively deleting and restoring the system configuration files altered during the intrusion so that the host's state looked unchanged afterwards.
Indicators of Compromise (IOC) List
IP Addresses:
    126.51.108.152
    76.92.245.217
    207.190.37.94
    23.245.7.178
    153.186.231.233
    167.179.79.189
    45.32.38.160
    209.137.225.101
File paths (on the SD-WAN Manager host):
    /home/admin/.orig_vbond_vsmart_tenant_list
    /home/admin/.orig_vbond_vsmart_tenant_list.state
    /home/admin/.orig_passwd
    /home/admin/.orig_shadow
    /home/admin/evil_tenant.csv
The ".orig_" copies of passwd, shadow and the tenant list are consistent with the backup-then-restore anti-forensic pattern described in the summary: the originals are saved, modified for the attack, and later put back. The presence of any of these files under /home/admin should be treated as an indicator regardless of whether the live /etc/passwd and /etc/shadow currently look clean.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network connections to or from the IOC addresses):
    dstipaddress IN ("23.245.7.178","45.32.38.160","209.137.225.101","153.186.231.233","167.179.79.189","207.190.37.94","76.92.245.217","126.51.108.152") or srcipaddress IN ("23.245.7.178","45.32.38.160","209.137.225.101","153.186.231.233","167.179.79.189","207.190.37.94","76.92.245.217","126.51.108.152")
Detection Query 2 (file access audit events):
    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("/home/admin/.orig_vbond_vsmart_tenant_list","/home/admin/.orig_vbond_vsmart_tenant_list.state","/home/admin/.orig_passwd","/home/admin/.orig_shadow","/home/admin/evil_tenant.csv")
    Caveat: event ID 4663 is a Windows object-access audit event, while the paths above are Unix paths on the SD-WAN Manager host. This query will only fire if file-access telemetry from the appliance has been normalized into the same resourcename/eventtype/objectname fields; on its own it will not see the appliance. Rely on Query 3 (or file-integrity monitoring on the appliance itself) for coverage of the listed paths.
Detection Query 3 (EDR file events):
    technologygroup = "EDR" and objectname IN ("/home/admin/.orig_vbond_vsmart_tenant_list","/home/admin/.orig_vbond_vsmart_tenant_list.state","/home/admin/.orig_passwd","/home/admin/.orig_shadow","/home/admin/evil_tenant.csv")
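The same matching logic as the three queries above, run offline over a handful of constructed log lines so the behaviour can be checked without a SIEM. This is an added example written for this page, not Gurucul's query engine or any Cisco tooling: the key=value log format, the field names (src, dst, path, ts), and the host name are assumptions chosen for the illustration. It goes one step beyond the exact-match queries by also flagging any other file under /home/admin whose name starts with ".orig_", since the listed backups share that prefix; that prefix heuristic is our own generalization, not an indicator from the advisory, and is labelled as such in the code.

```python
"""Match the advisory's IOCs against constructed key=value log lines."""
import re

# Exact indicators as listed in the IOC section above.
IOC_IPS = frozenset({
    "126.51.108.152", "76.92.245.217", "207.190.37.94", "23.245.7.178",
    "153.186.231.233", "167.179.79.189", "45.32.38.160", "209.137.225.101",
})
IOC_PATHS = frozenset({
    "/home/admin/.orig_vbond_vsmart_tenant_list",
    "/home/admin/.orig_vbond_vsmart_tenant_list.state",
    "/home/admin/.orig_passwd",
    "/home/admin/.orig_shadow",
    "/home/admin/evil_tenant.csv",
})

# Assumption / generalization (not from the advisory): the listed backup copies
# all live in /home/admin and start with ".orig_", so a new file matching that
# pattern is worth triaging even if its exact name is not on the IOC list.
ORIG_BACKUP_RE = re.compile(r"^/home/admin/\.orig_[^/\s]+$")

# Flat key=value tokens; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (not real logs): two connection records that
# touch IOC addresses, one file creation matching an IOC path, one matching
# only the ".orig_" heuristic, and two benign records.
SAMPLE_LOG = [
    'ts=2026-02-03T10:14:02Z type=conn src=10.20.0.5 dst=45.32.38.160 dport=443',
    'ts=2026-02-03T10:14:05Z type=conn src=10.20.0.5 dst=203.0.113.9 dport=443',
    'ts=2026-02-03T10:16:41Z type=file host=sdwan-mgr-01 user=admin action=create path=/home/admin/.orig_shadow',
    'ts=2026-02-03T10:16:42Z type=file host=sdwan-mgr-01 user=admin action=create path=/home/admin/.orig_tenant_backup',
    'ts=2026-02-03T10:17:10Z type=file host=sdwan-mgr-01 user=admin action=create path=/home/admin/notes.txt',
    'ts=2026-02-03T10:20:00Z type=conn src=126.51.108.152 dst=10.20.0.7 dport=8443',
]


def parse_kv(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def match_event(event: dict) -> list:
    """Return the list of reasons this event matches; empty means no hit.

    Mirrors Query 1 (src or dst in the IOC IP set) and Queries 2/3 (path in
    the IOC path set), plus the labelled ".orig_" prefix heuristic.
    """
    hits = []
    for key in ("src", "dst"):
        ip = event.get(key)
        if ip in IOC_IPS:
            hits.append(f"ioc_ip:{key}={ip}")
    path = event.get("path")
    if path:
        if path in IOC_PATHS:
            hits.append(f"ioc_path:{path}")
        elif ORIG_BACKUP_RE.match(path):
            hits.append(f"orig_backup_pattern:{path}")
    return hits


def scan(lines) -> list:
    """Run every line through the matcher; return (timestamp, reasons) per hit."""
    results = []
    for line in lines:
        event = parse_kv(line)
        reasons = match_event(event)
        if reasons:
            results.append((event.get("ts"), reasons))
    return results


if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, ", ".join(reasons))
```

The heuristic match is reported with a distinct reason string so an analyst can tune or drop it independently of the exact IOC matches; in a production pipeline the IOC sets would be loaded from a feed rather than hard-coded.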
Reference:
https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager