Cisco SD-WAN Bug Was Exploited as a Zero-Day for Months
Mandiant says an unknown attacker exploited a Cisco Catalyst SD-WAN flaw, CVE-2026-20245, for at least two months before it was public, using it to take full root control of a network device. The attacker created a hidden admin account and then erased their own tracks. Any business running Cisco SD-WAN edge gear should run the checks below and confirm the patch is applied.
By SecureBusinessHub Editorial, International cybersecurity desk
An unknown attacker was using a Cisco Catalyst SD-WAN vulnerability to seize root access on network devices at least two months before anyone outside knew the flaw existed. That timeline comes from Mandiant, Google's incident response arm, which investigated the intrusions. Cisco has since confirmed the activity and rates the bug, CVE-2026-20245, as high severity.
What the attacker actually did
The target was a communications service provider. The attacker started from a compromised account that already held netadmin rights, changed the default admin credentials, then uploaded a booby-trapped CSV file named evil_tenant.csv. That upload triggered CVE-2026-20245 and escalated their access from admin to a full root shell.
With root, they created a hidden account called troot, writing it straight into /etc/passwd and /etc/shadow so it would survive reboots and sit outside the normal admin console. Then they cleaned up: deleting the files they had created, reversing their configuration changes, and running a script to confirm none of their indicators were left behind.
Are you exposed?
- Confirm the running software version against Cisco's advisory for CVE-2026-20245 and apply the fixed release if you have not already.
- Search /etc/passwd and /etc/shadow on affected devices for any account you did not create, including one named troot.
- Look for a CSV upload named evil_tenant.csv, or tenant configuration changes you cannot account for.
- Confirm default admin credentials were changed, and rotate them again if there is any doubt about who had access.
- Audit who holds netadmin-level accounts, since the attack needed that access to begin.
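The account check in the list above can be scripted so it is repeatable across every edge device. The POSIX sh helper below is an added example, not tooling from Cisco or Mandiant: it reads passwd-format lines, flags any account outside a baseline you supply, and separately flags any second UID-0 entry, which is what a planted root-equivalent user looks like. The BASELINE list is a hypothetical placeholder, and the sample passwd content is constructed for the stand-alone run (the troot entry is given UID 0 purely for illustration; the report does not state the real account's UID).

```shell
#!/bin/sh
# Added audit helper (not Cisco's or Mandiant's tooling): flags accounts in a
# passwd-format stream that fall outside an expected baseline, and any extra
# UID-0 entry, which is what a planted root-equivalent user would look like.

# Hypothetical baseline of accounts expected on this device. Build the real
# list from a known-good device or golden image, never from the suspect box.
BASELINE="root admin netadmin"

# find_unexpected_accounts: reads passwd-format lines on stdin and prints one
# finding per line. On a device:  find_unexpected_accounts < /etc/passwd
find_unexpected_accounts() {
    while IFS=: read -r name _pw uid _rest; do
        # Skip blank, comment, or malformed lines (no numeric UID field).
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        case " $BASELINE " in
            *" $name "*) known=1 ;;
            *) known=0 ;;
        esac
        if [ "$uid" -eq 0 ] && [ "$name" != root ]; then
            printf 'ROOT-EQUIVALENT name=%s uid=%s\n' "$name" "$uid"
        elif [ "$known" -eq 0 ]; then
            printf 'UNEXPECTED name=%s uid=%s\n' "$name" "$uid"
        fi
    done
}

# find_csv_artifacts <dir>: lists files carrying the upload name from the
# report beneath <dir>. Point it at the device's upload or staging path.
find_csv_artifacts() {
    find "$1" -type f -name 'evil_tenant.csv' 2>/dev/null
}

# Constructed sample passwd content for a stand-alone run. The troot entry is
# given UID 0 here for illustration only; the report does not state its UID.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/sh
netadmin:x:1001:1001:netadmin:/home/netadmin:/bin/sh
troot:x:0:0::/root:/bin/sh
# a comment line that must be ignored
backup:x:1002:1002:backup:/home/backup:/bin/sh'

# Stand-alone demonstration: prints the troot and backup findings.
printf '%s\n' "$SAMPLE_PASSWD" | find_unexpected_accounts
```

For /etc/shadow the same loop applies with only the first field compared against the baseline, since shadow entries carry no UID; any name present in shadow but absent from passwd is itself a finding. Compare the baseline against a known-good device rather than the one under investigation, because the attacker in this case removed their own artefacts after use.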
Mandiant flagged a wider pattern here. Edge devices like SD-WAN appliances rarely keep the detailed logs that let investigators reconstruct an attack, which is exactly why they appeal to skilled intruders. A foothold on one gives quiet visibility into traffic moving across the whole network.
Cisco stressed that the attacker needed netadmin privileges to start, which lowers the odds of a purely external smash-and-grab. It does not lower them to zero. Those credentials can be phished, reused from an earlier breach, or, as happened in the March 2026 wave described below, sidestepped using stolen device certificates instead of a password. Treat the privilege requirement as a speed bump, not a wall.
Investigators saw two separate bursts of activity, one from late 2025 into January 2026 and another in March 2026. The March wave hit a device that had already been patched against an earlier flaw, and Cisco said those connections relied on stolen certificates from a previous breach of the same device rather than the new bug. It is not confirmed whether the same group was behind both.
Most small businesses do not run Cisco SD-WAN directly, but plenty sit downstream of a provider that does. If a managed service provider runs your connectivity, ask them in writing whether they have patched CVE-2026-20245 and checked for the troot account. One detail matters most: this attacker erased their own evidence, so a clean dashboard is not proof you were missed.