Close Menu

    Stay Ahead with Exclusive Updates!

    Enter your email below and be the first to know what’s happening in the ever-evolving world of technology!

    What's Hot

    Buying World Cup Tickets Online? Scammers Are Already Waiting. Here Is How to Protect Yourself for the Rest of the Tournament.

    July 4, 2026

    Researchers Found an Attack Spreading Through GitHub Like a Parasite. They Named It Cordyceps and It Is Already in 300+ Repositories

    July 4, 2026

    AI Is Now Writing Phishing Emails Good Enough to Fool Your Best Employees. Here Is How to Spot Them

    July 4, 2026
    Facebook X (Twitter) Instagram
    Facebook X (Twitter)
    PhronewsPhronews
    • Home
    • Big Tech & Startups

      Nvidia Has Dominated AI Data Centers for Years. Qualcomm Just Announced It Wants That Market Too. Here Is Whether It Can Win

      July 4, 2026

      Google’s New Smart Speaker Has Gemini Built In and Works With Everything. Here Is Whether It Is Finally Worth Switching From Amazon Echo or Apple HomePod

      July 4, 2026

      IBM Just Broke a Barrier Physicists Said Could Not Be Broken. Its Sub-1-Nanometer Chip Has 100 Billion Transistors and Changes Everything About What AI Hardware Can Do

      July 4, 2026

      The AI Training Bottleneck Just Got a Lot Smaller. Amazon’s New AWS Tools Could Change Who Can Afford to Build Frontier Models

      July 1, 2026

      Tesla Is Teaching Its Self-Driving AI With Millions of Fake Crashes. Here Is Why That Might Make Real Roads Safer

      June 30, 2026
    • Crypto

      Market Collapse: What Happened to NFTs?

      April 23, 2026

      Quantum Computing Advances Force Coinbase and Institutional Custodians to Rethink Crypto Security

      March 8, 2026

      AI Assisted Hacking Groups Target Crypto Firms With Multi-Layered Social Engineering

      February 18, 2026

      Global Crypto Regulations Expand as 2026 Begins With New Data Collection Frameworks and National Laws

      January 16, 2026

      Coinbase Bets on Stablecoin and On-Chain Growth as Key Market Drivers in 2026 Strategy

      January 10, 2026
    • Gadgets & Smart Tech
      Featured

      Google’s New Smart Speaker Has Gemini Built In and Works With Everything. Here Is Whether It Is Finally Worth Switching From Amazon Echo or Apple HomePod

      By fariehanJuly 4, 2026
      Recent

      Google’s New Smart Speaker Has Gemini Built In and Works With Everything. Here Is Whether It Is Finally Worth Switching From Amazon Echo or Apple HomePod

      July 4, 2026

      Tesla Is Teaching Its Self-Driving AI With Millions of Fake Crashes. Here Is Why That Might Make Real Roads Safer

      June 30, 2026

      Apple Just Rebuilt Siri With AI Across Every Device It Makes. WWDC 2026 Was Not a Software Update. It Was a Strategic Repositioning

      June 20, 2026
    • Cybersecurity & Online Safety

      Buying World Cup Tickets Online? Scammers Are Already Waiting. Here Is How to Protect Yourself for the Rest of the Tournament.

      July 4, 2026

      Researchers Found an Attack Spreading Through GitHub Like a Parasite. They Named It Cordyceps and It Is Already in 300+ Repositories

      July 4, 2026

      AI Is Now Writing Phishing Emails Good Enough to Fool Your Best Employees. Here Is How to Spot Them

      July 4, 2026

      Hackers Were Inside Cisco’s SD-WAN for Months Before Anyone Noticed. Now CISA Is Forcing Every Company to Patch It

      July 4, 2026

      Anthropic Says Chinese Rival Alibaba Copied Claude at Scale. Here Is What Model Extraction Actually Means and Why It Matters

      June 30, 2026
    PhronewsPhronews
    Home»Cybersecurity & Online Safety»Hackers Were Inside Cisco’s SD-WAN for Months Before Anyone Noticed. Now CISA Is Forcing Every Company to Patch It
    Cybersecurity & Online Safety

    Hackers Were Inside Cisco’s SD-WAN for Months Before Anyone Noticed. Now CISA Is Forcing Every Company to Patch It

    preciousBy preciousJuly 4, 2026No Comments
    Facebook Twitter Pinterest LinkedIn WhatsApp Reddit Tumblr Email
    Share
    Facebook Twitter LinkedIn Pinterest Email
    Photo Credit: Igor Golovniov/SOPA Images/LightRocket via Getty Images

    An unnamed communications service provider’s Cisco SD-WAN infrastructure sat under a threat actor’s root level control for months and its own administrators never noticed. 

    Google-owned threat intelligence firm Mandiant disclosed this intrusion last month, tracing the attacker’s full path through a vulnerability now tracked as CVE-2026-20245.

    It is important to note that Cisco built the software and is not the party that was breached. The flaw only lived inside Cisco’s SD-WAN products, and the actual intrusion took place in a customer’s network of an unnamed service provider that had deployed those products to run its own infrastructure. Mandiant investigated that customer’s environment and later published its findings, with Cisco responsible for fixing the underlying flaw once it learned of it.

    How the Intrusion Began

    Mandiant traced the campaign back to late 2025, when it first observed unauthorized peering connections reaching the victim’s SD-WAN Manager devices. Peering is the cryptographic handshake that lets SD-WAN components trust each other, and Mandiant said these early connections likely exploited one of two previously disclosed authentication bypass flaws, CVE-2026-20127 or CVE-2026-20182, both unpatched zero days at the time. 

    In March 2026, a second wave of rogue peering hit the same environment, but Cisco confirmed this round did not rely on either bypass flaw. The company said the attacker likely used certificates stolen during the earlier compromise instead.

    After establishing an SSH session using the default vmanage-admin account, the attacker quietly changed the account’s password, then changed it back before ending the session, a move meant to avoid raising suspicion during routine administrator logins. 

    In April, working from that same access, the attacker uploaded a file named evil_tenant.csv through the SD-WAN command line’s tenant upload feature. The file carried a command injection payload that exploited what would later be assigned CVE-2026-20245, letting the attacker create a new account named troot with full root shell access.

    Erasing the Trail

    Mandiant described the cleanup that followed as unusually thorough. The attacker deleted files it had created, restored configuration settings it had altered, and ran a verification script to confirm no trace remained. Cisco confirmed that in some of the intrusions tied to this flaw, the attacker’s changes reached beyond the management console and altered configurations on downstream edge devices. This meant the exposure was not contained to a single appliance.

    How CISA Responded This Time

    Unlike the February emergency directive covering CVE-2026-20127, this flaw did not trigger a new emergency order. CISA instead added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on June 9, days after Cisco’s advisory. That listing carries its own remediation clock under Binding Operational Directive 22-01, and it gave federal agencies until June 23 to patch the flaw or stop using the affected systems. Cisco has released fixed builds across every affected release line, from the 20.9 branch through the newest 26.1 line.

    A Pattern That Keeps Repeating

    CVE-2026-20245 is the seventh actively exploited zero day found in Cisco’s SD-WAN product line in 2026 alone. “Advanced adversaries continue to primarily target and exploit network devices and other systems that don’t natively support EDR solutions,” said Charles Carmakal, chief technology officer of Mandiant Consulting, pointing to their lack of coverage from standard endpoint detection tools. Mandiant has not identified who carried out the intrusion, and says the attacker’s anti-forensic work limited how much of the compromise it could reconstruct.

    For any organization running Cisco Catalyst SD-WAN Manager, Controller, or Validator, the guidance from both companies is the same regardless of whether a federal deadline applies. Patch to the fixed release, but treat a clean log review with suspicion, especially since this threat actor built cleanup scripts specifically to produce one.

    CISA cisco CVE-2026-20245 Google Cloud KEV catalog Mandiant network security root access SD-WAN zero-day
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email
    precious
    • LinkedIn

    I’m Precious Amusat, Phronews’ Content Writer. I conduct in-depth research and write on the latest developments in the tech industry, including trends in big tech, startups, cybersecurity, artificial intelligence and their global impacts. When I’m off the clock, you’ll find me cheering on women’s footy, curled up with a romance novel, or binge-watching crime thrillers.

    Related Posts

    Buying World Cup Tickets Online? Scammers Are Already Waiting. Here Is How to Protect Yourself for the Rest of the Tournament.

    July 4, 2026

    Researchers Found an Attack Spreading Through GitHub Like a Parasite. They Named It Cordyceps and It Is Already in 300+ Repositories

    July 4, 2026

    AI Is Now Writing Phishing Emails Good Enough to Fool Your Best Employees. Here Is How to Spot Them

    July 4, 2026

    Comments are closed.

    Top Posts

    Coinbase responds to hack: customer impact and official statement

    May 22, 2025

    Anthropic Will Use Claude User Chats For Data Training

    October 16, 2025

    Cursor AI Hits 1 Million Daily Users. Why Developers Are Switching to This Coding Tool

    March 23, 2026

    MIT Study Reveals ChatGPT Impairs Brain Activity & Thinking

    June 29, 2025
    Don't Miss
    Cybersecurity & Online Safety

    Buying World Cup Tickets Online? Scammers Are Already Waiting. Here Is How to Protect Yourself for the Rest of the Tournament.

    By preciousJuly 4, 2026

    More than 270,000 login credentials tied to World Cup ticketing and fan platforms have already…

    Researchers Found an Attack Spreading Through GitHub Like a Parasite. They Named It Cordyceps and It Is Already in 300+ Repositories

    July 4, 2026

    AI Is Now Writing Phishing Emails Good Enough to Fool Your Best Employees. Here Is How to Spot Them

    July 4, 2026

    Nvidia Has Dominated AI Data Centers for Years. Qualcomm Just Announced It Wants That Market Too. Here Is Whether It Can Win

    July 4, 2026
    Stay In Touch
    • Facebook
    • Twitter
    About Us
    About Us

    Evolving from Phronesis News, Phronews brings deep insight and smart analysis to the world of technology. Stay informed, stay ahead, and navigate tech with wisdom.
    We're accepting new partnerships right now.

    Email Us: info@phronews.com

    Facebook X (Twitter) Pinterest YouTube
    Our Picks
    Most Popular

    Coinbase responds to hack: customer impact and official statement

    May 22, 2025

    Anthropic Will Use Claude User Chats For Data Training

    October 16, 2025

    Cursor AI Hits 1 Million Daily Users. Why Developers Are Switching to This Coding Tool

    March 23, 2026
    © 2025. Phronews.
    • Home
    • About Us
    • Get In Touch
    • Privacy Policy
    • Terms and Conditions

    Type above and press Enter to search. Press Esc to cancel.