An unknown threat actor exploited a recently disclosed high-severity security flaw impacting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant.
The vulnerability, tracked as CVE-2026-20245 (CVSS score: 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by supplying a crafted file to the affected system by taking advantage of the device’s insufficient validation of user-supplied input.
Earlier this month, Cisco acknowledged that it became aware of exploitation of this vulnerability, adding that a malicious actor must have netadmin privileges on an affected system to pull off a successful attack.
“Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities,” Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said.
The incident, the tech giant’s incident response and threat intelligence arm added, targeted an unspecified communications service provider to elevate a compromised admin account to full root-level access.
Two distinct periods of unauthorized activity have been detected, one taking place between late 2025 and January 2026 and the other in March 2026. At this stage, it’s unclear if these two events are connected and the work of the same threat actor.
During the first wave, the victim is said to have experienced unauthorized peering connections that likely exploited one of two authentication bypass flaws in Cisco Catalyst SD-WAN controllers (CVE-2026-20127 or CVE-2026-20182). It’s worth noting that both the security vulnerabilities were undisclosed zero-days at that point.
Then in March 2026, a second wave of rogue peering connections targeted a device running a newer software version that was patched against CVE-2026-20127. Cisco has since confirmed that these connections did not leverage CVE-2026-20182, raising the possibility that the attacker, who may or may not have been behind the previous unauthorized peering connections, relied on stolen certificates from a prior breach of the same device to obtain initial access.
“The attacker then changed default admin credentials before exploiting CVE-2026-20245 as a zero-day via a malicious CSV file upload (evil_tenant.csv),” Mandiant said. “This exploit allowed them to escalate privileges and create a rogue user account (named ‘troot’) with full root-level shell control.”
The attackers have also been found to consistently cover their tracks by deleting files created by them, reversing configuration changes, and running scripts to ensure that no evidence was left behind and limit defenders’ ability to assess the full extent of the compromise.
“After changing the default admin password and exfiltrating the SD-WAN fabric configuration, the actor changed the password back to its original value so an administrator logging in would not notice anything was off,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), said.
“They escalated to root through a malicious CSV upload, created a hidden “troot” account in /etc/passwd and /etc/shadow, then deleted every file they touched and ran a validation script to confirm their indicators were gone.”
Google pointed out that the activity once again highlights the “continuing trend” of bad actors weaponizing zero-days in edge devices like SD-WAN, as they lack the telemetry needed for deep forensic analysis, and a foothold in those systems can facilitate persistent visibility into internal traffic across the fabric.
“Advanced adversaries continue to primarily target and exploit network devices and other systems that don’t natively support EDR solutions,” Charles Carmakal, chief technology officer of Mandiant Consulting, said in a post on LinkedIn.
