Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Mandiant Reveals How Cisco SD-WAN Zero-Day CVE-2026-20245 Gained Root Access
Mandiant Reveals How Cisco SD-WAN Zero-Day CVE-2026-20245 Gained Root Access
NEWS

Mandiant Reveals How Cisco SD-WAN Zero-Day CVE-2026-20245 Gained Root Access

Mandiant's post-incident analysis exposes a sophisticated multi-stage attack chain that exploited CVE-2026-20245 to plant a hidden root account on Cisco...

Dylan H.

News Desk

June 25, 2026
3 min read

Google-owned Mandiant has published detailed exploitation analysis of CVE-2026-20245, a high-severity command injection flaw in Cisco Catalyst SD-WAN components that was actively exploited as a zero-day for at least two months before Cisco's public disclosure in June 2026. The campaign targeted communications service providers and demonstrated a level of operational sophistication that included active anti-forensic cleanup after exploitation.

Vulnerability Overview

FieldDetail
CVECVE-2026-20245
CVSS Score7.8 (High)
TypeCommand Injection
Affected ProductsCisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), Validator (vBond)
First ExploitationLate 2025 — January 2026 (Wave 1)
Second WaveMarch 2026
Public DisclosureJune 2026
WorkaroundNone — patch required

The Full Attack Chain

Mandiant's analysis reveals a multi-stage intrusion process that began well before CVE-2026-20245 was used:

Stage 1 — Initial Access via Companion CVEs

Attackers first exploited authentication bypass vulnerabilities — CVE-2026-20127 or CVE-2026-20182 — to establish unauthorized SD-WAN peering connections. In some cases, stolen certificates from prior breaches were used instead.

Stage 2 — Control Plane Authentication

With peering established, attackers used compromised vmanage-admin credentials to authenticate to the vManage SD-WAN management control plane.

Stage 3 — Configuration Exfiltration

The attackers extracted device configuration data and device templates, enabling reconnaissance of the full SD-WAN fabric and identifying targets for deeper compromise.

Stage 4 — Privilege Escalation via CVE-2026-20245

This is the novel technique at the center of Mandiant's analysis. The attacker uploaded a crafted malicious CSV file named "evil_tenant.csv" through the SD-WAN CLI's tenant-upload feature. The payload executed a multi-step abuse chain:

  1. Backed up /etc/passwd and /etc/shadow — the Linux user and password databases
  2. Created a hidden user account named "troot" with full root shell privileges
  3. Used the su command to execute arbitrary commands as root

The result: persistent, undetected root-level access to compromised infrastructure with a backdoor user that survived normal administrative review.

Stage 5 — Anti-Forensic Cleanup

After achieving their objectives, the attackers demonstrated sophisticated operational security:

  • Restored original admin account passwords to their pre-compromise state
  • Backed up and then restored modified system configuration files
  • Deleted malicious payloads and all temporary files
  • Executed custom validation scripts to confirm every trace had been removed

This level of cleanup — including verification automation — is consistent with nation-state or advanced criminal tradecraft.

Who Was Targeted

Mandiant's report indicates the campaign focused on communications service providers running Cisco Catalyst SD-WAN infrastructure. No public attribution to a specific nation-state or threat actor has been made.

Indicators of Compromise

Organizations should hunt for:

  • The "troot" user account in /etc/passwd or /etc/shadow
  • Anomalous entries in SD-WAN tenant upload logs
  • Unauthorized peering connections in vManage, especially from late 2025 onward
  • Unusual su command execution in system logs
  • Evidence of prior exploitation of CVE-2026-20127 or CVE-2026-20182 as precursors

Remediation

There are no workarounds for CVE-2026-20245. Cisco released patches in June 2026. Organizations running Cisco Catalyst SD-WAN should:

  1. Patch immediately to fixed software versions
  2. Audit all user accounts on vManage, vSmart, and vBond for unauthorized entries
  3. Review access logs for unauthorized peering connections dating to late 2025
  4. Investigate companion CVEs (CVE-2026-20127, CVE-2026-20182) as probable initial access vectors
  5. Reset all admin credentials as a precautionary measure if compromise is suspected

The two-month gap between first exploitation and public disclosure underscores the importance of network segmentation, behavioral monitoring, and anomaly detection on critical SD-WAN management planes.

#Zero-Day#Vulnerability#CVE#Cisco#Mandiant

Related Articles

Cisco Warns of Unpatched SD-WAN Zero-Day Exploited in Attacks

Cisco has issued an emergency warning about an actively exploited, unpatched zero-day in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) that enables root…

4 min read

Interlock Ransomware Exploited Cisco FMC Zero-Day for 36

CVE-2026-20131, a maximum-severity CVSS 10.0 insecure deserialization flaw in Cisco Firepower Management Center, was exploited by Interlock ransomware as...

4 min read

Interlock Ransomware Has Been Exploiting Cisco FMC Zero-Day

The Interlock ransomware gang has been actively exploiting a CVSS 10.0 insecure deserialization flaw in Cisco Secure Firewall Management Center since late...

7 min read
Back to all News