
Cisco SD-WAN Zero-Day Exploited for Root Access


CVE-2026-20245 was exploited as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant.

CVE-2026-20245: the zero-day and its technical limits

The vulnerability tracked as CVE-2026-20245 carries a CVSS score of 7.8 and “allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by supplying a crafted file to the affected system,” Mandiant says. Cisco has acknowledged that exploitation requires an account with netadmin privileges on an affected Cisco Catalyst SD‑WAN controller. The exploit vector reported by Mandiant depended on insufficient validation of user-supplied input and was delivered as a malicious CSV file named “evil_tenant.csv.”

Mandiant timeline: two waves of unauthorized activity across late 2025–March 2026

Mandiant’s incident response team detected two distinct periods of unauthorized activity. The first took place between late 2025 and January 2026; the second occurred in March 2026. During the first wave, the victim—an unspecified communications service provider—experienced unauthorized peering connections that “likely exploited” one of two authentication‑bypass flaws in Cisco Catalyst SD‑WAN controllers, CVE‑2026‑20127 or CVE‑2026‑20182, both undisclosed zero‑days at that time.

In March 2026, a second wave of rogue peering connections targeted a device running a newer software version that had already been patched for CVE‑2026‑20127. Cisco has since confirmed those connections did not leverage CVE‑2026‑20182, and Mandiant raised the possibility that stolen certificates from an earlier breach of the same device may have been used for initial access in the second wave. It remains “unclear if these two events are connected and the work of the same threat actor,” Mandiant stated.

Anti-forensics and escalation: how the attacker moved to root

According to Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan, the actor “consistently employed anti‑forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities.” After gaining or using elevated credentials, the actor changed default admin credentials, exploited CVE‑2026‑20245 via the malicious CSV upload, and “create[d] a rogue user account (named 'troot') with full root‑level shell control.”

Google Threat Intelligence Group principal threat analyst Austin Larsen described a chain of actions aimed at hiding traces: “They escalated to root through a malicious CSV upload, created a hidden 'troot' account in /etc/passwd and /etc/shadow, then deleted every file they touched and ran a validation script to confirm their indicators were gone.” Mandiant also reported that the actor exfiltrated the SD‑WAN fabric configuration and temporarily changed the SD‑WAN admin password back to its original value so an administrator would be unlikely to detect anything amiss.

Impact on the communications service provider and SD‑WAN visibility

Mandiant attributes the intrusion to an effort to elevate a compromised admin account to full root‑level access within the targeted communications service provider’s SD‑WAN environment. Google warned that “edge devices like SD‑WAN” lack the telemetry needed for deep forensic analysis and that a foothold in such systems “can facilitate persistent visibility into internal traffic across the fabric.”

Charles Carmakal, chief technology officer of Mandiant Consulting, summarized the operational preference of advanced actors: “Advanced adversaries continue to primarily target and exploit network devices and other systems that don't natively support EDR solutions.” The combination of authentication bypasses, stolen certificates, and a privilege‑escalation zero‑day illustrates how attackers can chain weaknesses at the edge into persistent, high‑level access.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: The incident underscores the need to monitor for unusual peering connections and to track changes to admin credentials and exported fabric configurations. Mandiant’s account highlights specific forensic signals—hidden accounts in /etc/passwd and /etc/shadow, malicious CSV uploads, and scripts that erase indicators—that defenders can look for when investigating SD‑WAN controllers.
  • Procurement leaders and affected enterprises: Devices that “don't natively support EDR solutions,” as Mandiant put it, can become high‑value targets; teams responsible for vendor risk and patch management should note that undisclosed authentication bypass flaws (CVE‑2026‑20127 and CVE‑2026‑20182) played a role in the earlier wave and that even patched devices can be targeted via stolen certificates or reused credentials.
  • Policymakers and regulators: The attack against an unspecified communications service provider highlights a pathway by which attackers can obtain persistent visibility into internal traffic across a provider’s SD‑WAN fabric—an operational risk that may merit attention in continuity and resilience planning for critical communications infrastructure.
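The first bullet mentions hidden accounts in /etc/passwd and /etc/shadow as a forensic signal. The following script, added here as an illustration and not taken from Mandiant or Cisco, shows one way to check exported copies of those files for a rogue root-level entry of the kind the article describes; the baseline account list and the sample file contents are constructed for the example.

```python
"""Flag rogue root-level accounts in exported /etc/passwd and /etc/shadow contents."""

# Hypothetical baseline of accounts expected on the appliance. A real check
# would take this from a known-good image or a configuration-management record.
BASELINE_ACCOUNTS = frozenset({"root", "admin", "sshd", "nobody"})


def parse_colon_file(text, min_fields):
    """Yield field lists for well-formed lines of a colon-separated account file."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                yield fields


def find_rogue_accounts(passwd_text, shadow_text, baseline=BASELINE_ACCOUNTS):
    """Return sorted (account, reason) pairs worth investigating."""
    findings = set()
    passwd_names = set()
    for fields in parse_colon_file(passwd_text, 7):
        name, uid = fields[0], fields[2]
        passwd_names.add(name)
        # A second UID 0 entry grants full root without touching the real root account.
        if uid == "0" and name != "root":
            findings.add((name, "uid 0 account other than root"))
        if name not in baseline:
            findings.add((name, "account not in baseline"))
    shadow_names = {fields[0] for fields in parse_colon_file(shadow_text, 2)}
    # Edits that touch one file but not the other leave the two out of step.
    for name in passwd_names ^ shadow_names:
        findings.add((name, "present in only one of passwd/shadow"))
    return sorted(findings)


# Constructed sample: a 'troot' entry appended to both files, as the article describes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin:/home/admin:/bin/bash
sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin
troot:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$placeholderhash:19900:0:99999:7:::
admin:$6$placeholderhash:19900:0:99999:7:::
sshd:*:19900:0:99999:7:::
troot:$6$placeholderhash:19900:0:99999:7:::
"""

if __name__ == "__main__":
    for account, reason in find_rogue_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {reason}")
```

Run against file copies preserved from a forensic image rather than the live controller, so the check itself does not alter the evidence the article notes attackers try to erase.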

The Mandiant findings present a clear operational portrait: an adversary used a sequence of edge‑focused compromises—authentication bypasses, credential manipulation, a CSV‑based privilege escalation zero‑day, and deliberate anti‑forensics—to gain and maintain root control. Whether the two waves represent the same actor remains unresolved, but the incident reinforces Google’s observation of a “continuing trend” of weaponizing zero‑days in network edge devices and the difficulties defenders face when those devices lack deep telemetry.
