CVE-2026-20245, a privilege-escalation zero-day in Cisco Catalyst SD-WAN Manager, was exploited in March 2026 to create a rogue “troot” account that granted full root-level control, Mandiant reported.
What happened and when
Google-owned cybersecurity firm Mandiant said an attacker exploited that Cisco zero-day earlier this year to infiltrate an unnamed communications service provider and gain the highest level of access possible. The intrusion unfolded in two observed waves. From late 2025 into early 2026 the attacker used one of two then-unpatched vulnerabilities (CVE-2026-20127 or CVE-2026-20182) to make unauthorized “peering” connections to the provider’s SD-WAN Manager devices. Peering is the digital handshake by which SD-WAN components establish identity and trust with one another; the intruder used it to manipulate default account passwords in hopes of avoiding detection.
In March, the attacker exploited CVE-2026-20245 in Cisco Catalyst SD-WAN Manager and created a rogue user account named “troot,” which Mandiant said gave full root-level control. Cisco published a security advisory about that privilege escalation vulnerability on June 4, 2026 and has since released fixed software; a Cisco spokesperson said, “Cisco strongly recommends customers upgrade to a fixed software release as outlined in the advisory.”
How the compromise worked and why it mattered
Mandiant warned that with root-level access an attacker could obtain “broad and undetected visibility into the internal traffic throughout the provider’s entire corporate network.” The company also cautioned that investigators could not fully assess how far the compromise went because the perpetrators had “cleverly” hidden their activity and deleted evidence.
Mandiant framed the campaign as an example of what it calls the “living off the edge paradigm, where threat actors prioritize the compromise of network appliances to bypass traditional security perimeters.” The firm added: “These devices offer a black box environment for threat actors: they often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide-scale access to internal enterprise traffic.”
Edge devices, SD‑WAN controllers, and the telemetry problem
The attack highlights the concentration of control in SD‑WAN management platforms used to orchestrate distributed networks. Mandiant’s description stresses two technical affordances that made the environment attractive to attackers: the platforms’ ability to centralize traffic control and their frequent lack of detailed telemetry, which hampers forensic analysis and detection.
That combination — control plane centrality plus limited visibility — allowed the intruder both to expand access (through account manipulation and the rogue “troot” user) and to limit the forensic footprint investigators could reliably trace afterwards.
What this means for technologists, the Cybersecurity and Infrastructure Security Agency, and affected enterprises
- Technologists and security teams: Expect heightened scrutiny of SD‑WAN manager telemetry and account hygiene. The attack used “peering” connections and changed default account passwords; teams will need to verify that controllers are running the fixed releases, that local privileged accounts are monitored for unexpected creation or modification, and that peering or trust relationships are validated rather than assumed.
- The Cybersecurity and Infrastructure Security Agency (CISA): Mandiant noted that attacks on edge devices have been very common and that CISA has already directed federal agencies to give such devices special attention this year, a policy signal amplified by this incident’s demonstration of what attackers can achieve when an SD‑WAN controller is compromised.
- Affected enterprises and procurement leaders: Communications service providers and other organizations that rely on SD‑WAN orchestration should prioritize installing the fixed software releases Cisco identified and reevaluate assumptions about visibility into controller platforms, including whether existing logging and telemetry are sufficient for forensic needs.
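One concrete way to monitor for the account manipulation described above is a baseline diff of the controller’s local-account inventory: export the account list on a schedule, compare it with the last known-good snapshot, and alert on new accounts in root-equivalent groups, privilege changes, and password changes on vendor-default accounts. The script below is an added example and is not code from Cisco, Mandiant or the article; the JSON snapshot layout, the group names, the `pw_hash` field and the sample entries (including a constructed “troot” record that mirrors the reported rogue account) are assumptions for illustration, not any vendor’s actual export format.

```python
"""Baseline diff of a network controller's local accounts (added example).

The snapshot format below is an assumed JSON shape, not a real vendor export:
a list of {"user", "group", "pw_hash", "created"} records.
"""
import json
from dataclasses import dataclass

# Constructed sample: the last known-good snapshot of local accounts.
BASELINE_JSON = """
[
  {"user": "admin",  "group": "netadmin", "pw_hash": "h1", "created": "2025-01-10"},
  {"user": "ops-ro", "group": "operator", "pw_hash": "h2", "created": "2025-03-02"}
]
"""

# Constructed sample: today's snapshot. The default "admin" password hash has
# changed and a new root-equivalent account "troot" has appeared.
CURRENT_JSON = """
[
  {"user": "admin",  "group": "netadmin", "pw_hash": "h9", "created": "2025-01-10"},
  {"user": "ops-ro", "group": "operator", "pw_hash": "h2", "created": "2025-03-02"},
  {"user": "troot",  "group": "netadmin", "pw_hash": "h7", "created": "2026-03-14"}
]
"""

PRIVILEGED_GROUPS = {"netadmin"}  # assumed: groups that confer root-level control
DEFAULT_ACCOUNTS = {"admin"}       # assumed: vendor-shipped accounts to watch closely


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    user: str
    reason: str


def load_accounts(text):
    """Parse a snapshot into {username: record}."""
    return {rec["user"]: rec for rec in json.loads(text)}


def diff_accounts(baseline_text, current_text):
    """Compare two snapshots and return a list of Findings, in the order found.

    Rules: a new account is high severity if it lands in a privileged group,
    otherwise medium; a group change is always high; a password change is high
    on a default account (the behaviour Mandiant described) and low otherwise;
    a removed account is medium (possible cleanup of an attacker's foothold).
    """
    baseline = load_accounts(baseline_text)
    current = load_accounts(current_text)
    findings = []

    for user, acct in current.items():
        if user not in baseline:
            sev = "high" if acct["group"] in PRIVILEGED_GROUPS else "medium"
            findings.append(Finding(sev, user, f"new account in group {acct['group']}"))
            continue
        old = baseline[user]
        if acct["group"] != old["group"]:
            findings.append(
                Finding("high", user, f"group changed {old['group']} -> {acct['group']}")
            )
        if acct["pw_hash"] != old["pw_hash"]:
            sev = "high" if user in DEFAULT_ACCOUNTS else "low"
            findings.append(Finding(sev, user, "password hash changed"))

    for user in baseline:
        if user not in current:
            findings.append(Finding("medium", user, "account removed"))

    return findings


if __name__ == "__main__":
    for f in diff_accounts(BASELINE_JSON, CURRENT_JSON):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

Run on the constructed samples, the script reports the changed `admin` password and the new `troot` account, both high severity. Two caveats a practitioner would add: the baseline and the comparison must live off the controller, since an attacker with root on the device can edit or delete any on-box snapshot (the anti-forensic behaviour Mandiant described), and a snapshot-diff only sees what the export includes, so it complements, rather than replaces, proper audit logging of account and authentication events.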
What Mandiant and others warned — and what was left uncertain
Mandiant declined to attribute the activity to a specific threat group, noting that the attackers’ anti‑forensic steps and evidence deletion limited assessment. Kelli Vanderlee, senior manager for Google Threat Intelligence Group, told CyberScoop that “exploiting zero day vulnerabilities in edge devices and the extensive anti-forensic activities are consistent with previously documented cyber espionage threat actor behavior.”
While Cisco has released a patch and urged customers to upgrade, Mandiant’s account underscores that detection and post‑incident analysis remain difficult once control-plane devices are subverted — a reality that complicates both incident response and public accounting of the full scope of compromise.
For defenders and policymakers alike, the episode is a practical reminder that the devices used to steer modern networks can be both powerful and perilous. Cisco’s patching advice is clear; whether visibility and telemetry on SD‑WAN managers are improved — and whether organizations can reliably detect similarly stealthy intrusions in the future — remains the immediate operational challenge.