Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access

An unknown malicious actor exploited a newly disclosed critical security flaw affecting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant.
The vulnerability, tracked as CVE-2026-20245 (CVSS score: 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by submitting a crafted file to an affected system, owing to insufficient validation of user-supplied input.
Earlier this month, Cisco acknowledged that it had become aware of an exploit for this vulnerability, adding that a malicious actor must have netadmin privileges on the affected system to launch a successful attack.
“Throughout the intrusion, in order to maintain operational security and avoid detection, the threat actor used anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their operations,” said Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan.
The incident, the tech giant’s incident response and threat intelligence arm added, targeted an unnamed communications service provider and involved escalating the compromised administrator’s account to full root-level access.
Two separate periods of unauthorized activity were detected, one between the end of 2025 and January 2026 and the other in March 2026. At the moment, it is not clear whether the two events are connected and the work of a single threat actor.
During the first wave, the victim allegedly encountered unauthorized peering connections that may have exploited one of two authentication bypass flaws in Cisco Catalyst SD-WAN controllers (CVE-2026-20127 or CVE-2026-20182). Notably, both flaws were undisclosed zero-days at the time.
Then, in March 2026, a second wave of malicious connections targeted devices running a newer software version that had been patched against CVE-2026-20127. Cisco has confirmed that this connection did not exploit CVE-2026-20182, raising the possibility that an attacker, who may or may not have been behind the earlier unauthorized connection, relied on certificates stolen during the previous breach of the same device to gain initial access.
“The attacker then changed the default administrative credentials before using CVE-2026-20245 as a zero-day by uploading a malicious CSV file (evil_tenant.csv),” Mandiant said. “This exploit allowed them to escalate privileges and create a rogue user account (named ‘troot’) with full root-level shell control.”
The attackers were also found to consistently cover their tracks by deleting files they created, rolling back configuration changes, and using scripts to ensure no evidence was left behind, limiting defenders’ ability to assess the full extent of the compromise.
“After changing the administrator’s password and configuring the SD-WAN fabric, the actor changed the password back to its original value so that the logged-in administrator was unaware that something was locked,” said Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG).
“They climbed to root with a malicious CSV upload, created a hidden ‘troot’ account in /etc/passwd and /etc/shadow, then deleted every file they touched and ran a verification script to make sure their directories weren’t there.”
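The artefact described above, a second UID-0 account planted in /etc/passwd and /etc/shadow, is one of the few traces that survives the actor's cleanup, because the account has to persist for it to be useful. The following is an added example, not code from the article, Cisco or Mandiant: a small audit that parses passwd- and shadow-format text, flags any UID-0 account other than root, any account absent from a known-good baseline, and any mismatch between the two files. The file contents, the `troot` entry and the `BASELINE_USERS` set are all constructed for illustration; on a real device the baseline would come from a known-good image or the vendor's documented account list.

```python
"""Audit passwd/shadow content for rogue root-level accounts.

Added example (not from the article, Cisco or Mandiant). The sample
file contents and the baseline below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample content; on a real device read /etc/passwd and /etc/shadow.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
troot:x:0:0::/tmp/.cache:/bin/sh
"""

SAMPLE_SHADOW = """root:$6$placeholderhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
admin:$6$placeholderhash:19700:0:99999:7:::
troot:$6$placeholderhash:19700:0:99999:7:::
"""

# Assumption: the set of accounts expected on a healthy device, taken from a
# known-good image. Anything outside it is reported.
BASELINE_USERS = {"root", "daemon", "admin"}


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Return {name: (uid, gid, home, shell)} from passwd-format text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than abort the audit
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries[name] = (int(uid), int(gid), home, shell)
        except ValueError:
            continue  # non-numeric uid/gid: treat as malformed
    return entries


def parse_shadow(text):
    """Return {name: password_field} from shadow-format text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries


def audit_accounts(passwd_text, shadow_text, baseline):
    """Return a list of Finding objects describing suspicious accounts."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, (uid, _gid, _home, _shell) in passwd.items():
        # A second UID-0 login is the classic hidden-root artefact.
        if uid == 0 and name != "root":
            findings.append(Finding(name, "uid 0 account other than root"))
        # Any account the baseline does not know about.
        if name not in baseline:
            findings.append(Finding(name, "account not in baseline"))
    # Entries present in one file but not the other indicate manual edits.
    for name in shadow:
        if name not in passwd:
            findings.append(Finding(name, "shadow entry without passwd entry"))
    for name in passwd:
        if name not in shadow:
            findings.append(Finding(name, "passwd entry without shadow entry"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, BASELINE_USERS):
        print(f"{f.user}: {f.reason}")
```

Run against the constructed sample, the audit reports `troot` twice, once as a non-root UID-0 account and once as an account missing from the baseline. Because the actor in this case also restored modified configuration files, comparing the current files against an offline copy of the baseline, rather than trusting anything on the device, is the point of keeping the baseline separate from the host.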
Google stated that the activity also highlights the “continuing practice” of threat actors using zero-days against edge devices such as SD-WAN appliances, which lack the telemetry required for deep forensic analysis, while a foothold in those systems can provide persistent visibility into internal traffic across the fabric.
“Advanced adversaries continue to target and exploit network devices and other systems that do not support EDR solutions,” said Charles Carmakal, chief technology officer of Mandiant Consulting, in a post on LinkedIn.