Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Brazilian Banking Trojan Ousaban Targets Spain and Portugal

July 1, 2026

Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access

July 1, 2026

Microsoft Accelerates Quantum-Safe Push with New Timeline

July 1, 2026
Facebook X (Twitter) Instagram
Wednesday, July 1
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
News

Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access

Team-CWDBy Team-CWDJuly 1, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


An unknown threat actor exploited a recently disclosed high-severity security flaw impacting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant.

The vulnerability, tracked as CVE-2026-20245 (CVSS score: 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by supplying a crafted file to the affected system by taking advantage of the device’s insufficient validation of user-supplied input.

Earlier this month, Cisco acknowledged that it became aware of exploitation of this vulnerability, adding that a malicious actor must have netadmin privileges on an affected system to pull off a successful attack.

“Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities,” Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said.

The incident, the tech giant’s incident response and threat intelligence arm added, targeted an unspecified communications service provider to elevate a compromised admin account to full root-level access.

Two distinct periods of unauthorized activity have been detected, one taking place between late 2025 and January 2026 and the other in March 2026. At this stage, it’s unclear if these two events are connected and the work of the same threat actor.

During the first wave, the victim is said to have experienced unauthorized peering connections that likely exploited one of two authentication bypass flaws in Cisco Catalyst SD-WAN controllers (CVE-2026-20127 or CVE-2026-20182). It’s worth noting that both the security vulnerabilities were undisclosed zero-days at that point.

Then in March 2026, a second wave of rogue peering connections targeted a device running a newer software version that was patched against CVE-2026-20127. Cisco has since confirmed that these connections did not leverage CVE-2026-20182, raising the possibility that the attacker, who may or may not have been behind the previous unauthorized peering connections, relied on stolen certificates from a prior breach of the same device to obtain initial access.

“The attacker then changed default admin credentials before exploiting CVE-2026-20245 as a zero-day via a malicious CSV file upload (evil_tenant.csv),” Mandiant said. “This exploit allowed them to escalate privileges and create a rogue user account (named ‘troot’) with full root-level shell control.”

The attackers have also been found to consistently cover their tracks by deleting files created by them, reversing configuration changes, and running scripts to ensure that no evidence was left behind and limit defenders’ ability to assess the full extent of the compromise.

“After changing the default admin password and exfiltrating the SD-WAN fabric configuration, the actor changed the password back to its original value so an administrator logging in would not notice anything was off,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), said.

“They escalated to root through a malicious CSV upload, created a hidden “troot” account in /etc/passwd and /etc/shadow, then deleted every file they touched and ran a validation script to confirm their indicators were gone.”

Google pointed out that the activity once again highlights the “continuing trend” of bad actors weaponizing zero-days in edge devices like SD-WAN, as they lack the telemetry needed for deep forensic analysis, and a foothold in those systems can facilitate persistent visibility into internal traffic across the fabric.

“Advanced adversaries continue to primarily target and exploit network devices and other systems that don’t natively support EDR solutions,” Charles Carmakal, chief technology officer of Mandiant Consulting, said in a post on LinkedIn. 



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleMicrosoft Accelerates Quantum-Safe Push with New Timeline
Next Article Brazilian Banking Trojan Ousaban Targets Spain and Portugal
Team-CWD
  • Website

Related Posts

News

Brazilian Banking Trojan Ousaban Targets Spain and Portugal

July 1, 2026
News

Microsoft Accelerates Quantum-Safe Push with New Timeline

July 1, 2026
News

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

July 1, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

What’s at stake if your employees post too much online

December 1, 2025

Watch out for SVG files booby-trapped with malware

September 22, 2025

Is it OK to let your children post selfies online?

February 17, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.