When Cisco disclosed CVE-2026-20245 earlier this month, the company acknowledged that it was already aware of exploitation. Now Mandiant has revealed the full scope: attackers had been using the vulnerability as a zero-day for at least two months before it was publicly disclosed.
The incident targeted an unspecified communications service provider. The attackers escalated a compromised admin account to full root-level access. They created a hidden user account. They covered their tracks. And they stayed inside the network for months.
The Vulnerability: CVE-2026-20245
The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8. It allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by supplying a crafted file to the affected system.
The vulnerability exists because the device does not sufficiently validate user-supplied input.
According to Cisco's advisory, a malicious actor must already hold netadmin privileges on an affected system to carry out a successful attack. In other words, the attacker must already have a privileged foothold before exploiting this vulnerability.
Two Waves of Unauthorized Activity
Mandiant discovered two separate waves of unauthorized activity:
First wave (late 2025 to January 2026):
The victim saw unauthorized peering connections, possibly enabled by one of two authentication bypass bugs in Cisco Catalyst SD-WAN controllers. Both vulnerabilities were still undisclosed zero-days at this stage.
Second wave (March 2026):
A second wave of rogue peering connections targeted a device running a newer software version. This device had been patched against the earlier vulnerabilities. Cisco confirmed that the second wave did not leverage the known authentication bypasses.
This raises the possibility that the attacker used stolen certificates from a prior breach of the same device to obtain initial access. The attacker may or may not have been the same as the one behind the first wave.
Description of Attack
The strategy that the attacker followed was systematic and deliberate.
Here is how the attack proceeded:
Step 1: Access. The attacker gained access through unauthorized peering connections. During the second wave, access was probably obtained with certificates stolen in an earlier breach.
Step 2: Credential changes. The attacker changed the admin credentials, locking legitimate admins out while the operation was under way.
Step 3: Zero-day exploitation. The attacker uploaded a malicious CSV file named evil_tenant.csv to exploit CVE-2026-20245, which elevated their privileges to root.
Step 4: Rogue account creation. The attacker created a clandestine user account named troot in the /etc/passwd and /etc/shadow files. This account provided full shell access at root level.
Step 5: Configuration extraction. The attacker extracted the configuration of the SD-WAN fabric, which gave them a map of the entire network.
Step 6: Covering tracks. The attacker rolled back the password change, restoring the original password for the admin user, and removed all remaining traces of the activity.
The operation was surgical. The attacker wanted persistent access without detection.
Anti-Forensic Techniques
Throughout the intrusion, the attacker used anti-forensic methods to maintain operational security.
1. Selective deletion. The attacker deleted configuration files that had been modified during the attack.
2. Configuration restoration. The attacker restored modified configuration files to their original state.
3. Validation scripts. The attacker ran scripts to verify that traces of the activity had been removed.
The goal was to limit defenders' ability to assess the full extent of the compromise. If the victim had not had Mandiant's assistance, they might never have known the attacker was there.
Why SD-WAN Devices Are Targeted
Google pointed out that the activity once again highlights the "continuing trend" of bad actors weaponizing zero-days in edge devices like SD-WAN.
Network devices lack the telemetry needed for deep forensic analysis. They are not natively supported by EDR solutions. A foothold in those systems can facilitate persistent visibility into internal traffic across the fabric.
Once an attacker compromises an SD-WAN controller, they can see everything. They can monitor traffic. They can manipulate routing. They can move laterally without detection.
The Bigger Picture
The Cisco SD-WAN zero-day exploitation is not an isolated incident. It fits a pattern that Mandiant CTO Charles Carmakal highlighted: "Advanced adversaries continue to primarily target and exploit network devices and other systems that don't natively support EDR solutions."
The same playbook has been used in other campaigns. Attackers target the infrastructure that defenders cannot see. They use zero-days to gain access. They create hidden accounts. They cover their tracks.
And they stay inside for months.
What to Do
If you run Cisco Catalyst SD-WAN devices, take these steps:
1. Patch immediately. A fix for CVE-2026-20245 is available. If you have not applied it yet, do so now.
2. Check for unauthorized accounts. Look for unknown users in /etc/passwd and /etc/shadow. In this incident the rogue account was named troot.
3. Review your peering connections. Investigate any peering connection you do not recognize or that should not exist.
4. Review configuration changes. Watch for unexpected CSV file uploads and unexplained configuration changes.
5. Look out for any outbound exfiltration. In this attack, the attacker exfiltrated the SD-WAN fabric configuration.
6. If you were using vulnerable versions at any point in time, consider your devices to be compromised. The attacker operated in the time range between late 2025 and March 2026.
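As an added example (not code from Cisco, Mandiant or this article), the following Python check implements step 2 above against constructed /etc/passwd and /etc/shadow contents: it flags a second UID-0 account of the troot kind, accounts outside an assumed baseline set, passwd/shadow mismatches, and passwords set after an assumed last authorized change window.

```python
"""Hunt for rogue local accounts like the troot backdoor described above.
Added example, not Cisco's or Mandiant's; sample contents are constructed."""

# Constructed /etc/passwd: legitimate baseline plus a troot-style UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""
# Constructed /etc/shadow; field 3 is the password-change day count.
SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
admin:$6$fakesalt$fakehash:19000:0:99999:7:::
troot:$6$fakesalt$fakehash:20500:0:99999:7:::
"""
# Assumed baseline set and end of last authorized change window (epoch days).
BASELINE = {"root", "daemon", "admin"}
LAST_AUTHORIZED_CHANGE_DAY = 19500


def parse_colon_file(text):
    """Map account name -> field list for passwd/shadow-style files."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def find_rogue_accounts(passwd_text, shadow_text, baseline, last_ok_day):
    """Return (account, reason) pairs that merit analyst review."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, f in passwd.items():
        if f[2] == "0" and name != "root":
            findings.append((name, "second UID-0 account"))
        if name not in baseline:
            findings.append((name, "not in baseline"))
        if name not in shadow:
            findings.append((name, "in passwd but missing from shadow"))
    for name, f in shadow.items():
        if name not in passwd:
            findings.append((name, "in shadow but missing from passwd"))
        elif f[2].isdigit() and int(f[2]) > last_ok_day:
            findings.append((name, "password set after last change window"))
    return findings
```

Run it against the real files pulled from the device and compare the findings with your change records; a passwd/shadow mismatch or a recent password-change day on an unknown account is worth the same scrutiny as a second UID-0 entry.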
The Bottom Line
The Cisco SD-WAN zero-day exploit shows how an attacker can wait for months for the perfect opportunity. They target devices with no visibility. They make use of anti-forensic techniques to cover their tracks. They create hidden accounts that remain undiscovered for years.
The patch is available. The exploit details are public. Attackers are already scanning.
Check your SD-WAN devices. Look for troot. And assume that if you weren't patched, someone may have already been inside.
FAQ Section
What is CVE-2026-20245?
CVE-2026-20245 is a vulnerability in Cisco Catalyst SD-WAN that allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by uploading a crafted file.
How was the exploit performed?
The attackers used the flaw to upload a malicious CSV file that gave them privilege escalation from netadmin to root. They created a stealthy account called troot.
How long has the exploit been going on without discovery?
The attackers operated in the period from December 2025 until March 2026, which is when the vulnerability was announced. The exploit lasted at least two months.
Which company was affected?
An unnamed communications service provider was compromised via the Cisco SD-WAN zero-day exploit.
How did the attackers cover their tracks?
To cover their tracks, the attackers used several anti-forensic techniques, such as selectively deleting files, restoring passwords and running validation scripts.
What should I do if I work with Cisco Catalyst SD-WAN?
You should urgently install the patch and search for suspicious accounts (like troot). Check peering connections and configuration changes. Assume compromise if your devices weren’t patched during the time of the exploit.