
An unnamed communications service provider’s Cisco SD-WAN infrastructure sat under a threat actor’s root level control for months and its own administrators never noticed.
Google-owned threat intelligence firm Mandiant disclosed this intrusion last month, tracing the attacker’s full path through a vulnerability now tracked as CVE-2026-20245.
It is important to note that Cisco built the software and is not the party that was breached. The flaw only lived inside Cisco’s SD-WAN products, and the actual intrusion took place in a customer’s network of an unnamed service provider that had deployed those products to run its own infrastructure. Mandiant investigated that customer’s environment and later published its findings, with Cisco responsible for fixing the underlying flaw once it learned of it.
How the Intrusion Began
Mandiant traced the campaign back to late 2025, when it first observed unauthorized peering connections reaching the victim’s SD-WAN Manager devices. Peering is the cryptographic handshake that lets SD-WAN components trust each other, and Mandiant said these early connections likely exploited one of two previously disclosed authentication bypass flaws, CVE-2026-20127 or CVE-2026-20182, both unpatched zero days at the time.
In March 2026, a second wave of rogue peering hit the same environment, but Cisco confirmed this round did not rely on either bypass flaw. The company said the attacker likely used certificates stolen during the earlier compromise instead.
After establishing an SSH session using the default vmanage-admin account, the attacker quietly changed the account’s password, then changed it back before ending the session, a move meant to avoid raising suspicion during routine administrator logins.
In April, working from that same access, the attacker uploaded a file named evil_tenant.csv through the SD-WAN command line’s tenant upload feature. The file carried a command injection payload that exploited what would later be assigned CVE-2026-20245, letting the attacker create a new account named troot with full root shell access.
Erasing the Trail
Mandiant described the cleanup that followed as unusually thorough. The attacker deleted files it had created, restored configuration settings it had altered, and ran a verification script to confirm no trace remained. Cisco confirmed that in some of the intrusions tied to this flaw, the attacker’s changes reached beyond the management console and altered configurations on downstream edge devices. This meant the exposure was not contained to a single appliance.
How CISA Responded This Time
Unlike the February emergency directive covering CVE-2026-20127, this flaw did not trigger a new emergency order. CISA instead added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog on June 9, days after Cisco’s advisory. That listing carries its own remediation clock under Binding Operational Directive 22-01, and it gave federal agencies until June 23 to patch the flaw or stop using the affected systems. Cisco has released fixed builds across every affected release line, from the 20.9 branch through the newest 26.1 line.
A Pattern That Keeps Repeating
CVE-2026-20245 is the seventh actively exploited zero day found in Cisco’s SD-WAN product line in 2026 alone. “Advanced adversaries continue to primarily target and exploit network devices and other systems that don’t natively support EDR solutions,” said Charles Carmakal, chief technology officer of Mandiant Consulting, pointing to their lack of coverage from standard endpoint detection tools. Mandiant has not identified who carried out the intrusion, and says the attacker’s anti-forensic work limited how much of the compromise it could reconstruct.
For any organization running Cisco Catalyst SD-WAN Manager, Controller, or Validator, the guidance from both companies is the same regardless of whether a federal deadline applies. Patch to the fixed release, but treat a clean log review with suspicion, especially since this threat actor built cleanup scripts specifically to produce one.
