Cisco Catalyst SD-WAN Zero-Day Exploited To Gain Root-Level Access Before Public Disclosure

An investigation by Google-owned Mandiant has revealed that an unidentified threat actor exploited a high-severity vulnerability affecting Cisco Catalyst SD-WAN devices as a zero-day at least two months before Cisco publicly disclosed the issue. The vulnerability, tracked as CVE-2026-20245 and assigned a CVSS score of 7.8, allows an authenticated local attacker to execute arbitrary commands with elevated privileges by uploading a specially crafted file to a vulnerable device. According to Cisco, successful exploitation requires the attacker to already possess netadmin privileges on the affected system. Earlier this month, Cisco confirmed it had become aware of active exploitation of the vulnerability before public disclosure. Mandiant’s investigation found that the attackers consistently relied on anti-forensic methods throughout the intrusion to avoid detection. Researchers observed that modified system configuration files were selectively deleted and later restored, allowing the attackers to remove traces of their activity while preserving operational access. The attack targeted an unidentified communications service provider where the threat actor successfully elevated a compromised administrator account to full root-level control of the affected Cisco Catalyst SD-WAN device.

Mandiant identified two separate periods of unauthorized activity during its investigation. The first occurred between late 2025 and January 2026, while a second wave of activity was detected during March 2026. Researchers said it remains unclear whether both campaigns were conducted by the same threat actor or involved separate groups using similar techniques. During the initial compromise, investigators observed unauthorized peering connections that are believed to have exploited one of two authentication bypass vulnerabilities affecting Cisco Catalyst SD-WAN controllers, identified as CVE-2026-20127 and CVE-2026-20182. At the time of those attacks, neither vulnerability had been publicly disclosed, meaning they were also being exploited as zero-day flaws. During the second intrusion, attackers established additional unauthorized peering connections against a newer software version that had already been patched against CVE-2026-20127. Cisco later confirmed that this activity did not exploit CVE-2026-20182, leading researchers to consider that the attackers may have relied on previously stolen certificates obtained during an earlier compromise of the same device to regain access rather than exploiting another authentication bypass vulnerability.

After obtaining administrative access, the attackers changed the default administrator password before exploiting CVE-2026-20245 using a malicious CSV file named evil_tenant.csv. According to Mandiant, the crafted file enabled privilege escalation to full root-level access, allowing the attackers to create a hidden user account named troot within the system. This concealed account was added directly to critical system authentication files, providing persistent shell access with unrestricted administrative privileges. Investigators found that the attackers also extracted the SD-WAN fabric configuration before restoring the original administrator password, ensuring that routine logins by legitimate administrators would not immediately reveal unauthorized activity. Mandiant explained that this tactic significantly reduced the likelihood of early detection because administrators would continue using familiar credentials without realizing they had previously been altered during the attack. Researchers also documented extensive efforts by the attackers to erase operational evidence by deleting files they had created, reversing configuration changes after completing their objectives, and executing validation scripts to confirm that forensic indicators had been successfully removed from compromised systems.

According to Google Threat Intelligence Group and Mandiant, the incident reflects a continuing trend in which advanced threat actors increasingly focus on exploiting vulnerabilities in network infrastructure devices that typically lack Endpoint Detection and Response capabilities. These systems often generate limited forensic telemetry, making it significantly more difficult for security teams to reconstruct attack timelines or determine the full extent of unauthorized activity after a compromise occurs. Once attackers establish control over SD-WAN infrastructure, they can potentially gain persistent visibility into internal network traffic while maintaining privileged access across connected environments. Mandiant noted that sophisticated attackers continue to prioritize network appliances and other infrastructure systems because traditional endpoint security solutions are often unavailable on these platforms, allowing malicious activity to remain hidden for extended periods. The findings highlight the importance of promptly applying Cisco security updates, monitoring administrative account activity, protecting authentication credentials and certificates, and conducting thorough reviews of network infrastructure for signs of unauthorized configuration changes or hidden privileged accounts.
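The hidden troot account described above was written directly into the device's authentication files, and the closing recommendation is to review infrastructure for exactly that kind of hidden privileged account. The script below is an added example of such a review, not tooling from the article, Mandiant or Cisco: it audits passwd-format account data (the Linux /etc/passwd layout is assumed; the article does not name the files) for root-equivalent entries that are not root, duplicate UIDs, and accounts with an interactive shell that are missing from an operator-maintained baseline. The sample file content, the baseline list and the svc-backup account are constructed for illustration; troot is the name the article reports.

```python
"""Audit passwd-format account data for hidden privileged accounts.

Added example (not Mandiant's or Cisco's code). Assumes the Linux
/etc/passwd layout: name:pw:uid:gid:gecos:home:shell. Run it against an
account file collected from an appliance through a supported export or
an offline image, and compare against a baseline you maintain yourself.
"""
from dataclasses import dataclass

# Constructed sample: a small passwd file with one injected uid-0 entry
# (troot is the account name reported in the article) and one unknown
# service account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
svc-backup:x:1001:1001::/var/backup:/bin/sh
"""

# Constructed baseline: the accounts the operator expects on this device.
BASELINE_ACCOUNTS = {"root", "daemon", "admin"}

# Shells that give a login session; anything else is treated as non-interactive.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ash"}


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Parse passwd-format text into entry dicts.

    Malformed lines are not silently skipped: an attacker-edited file may be
    subtly broken, so each bad line is returned as a Finding of its own.
    """
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(f"line {lineno}", "malformed passwd entry"))
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            findings.append(Finding(name, "non-numeric uid/gid"))
            continue
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "home": home, "shell": shell})
    return entries, findings


def audit_passwd(text, baseline, shells=INTERACTIVE_SHELLS):
    """Return a list of Findings for entries that warrant review."""
    entries, findings = parse_passwd(text)

    # Map each uid to every name that claims it, to catch shared uids.
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])

    for e in entries:
        name, uid, shell = e["name"], e["uid"], e["shell"]
        if uid == 0 and name != "root":
            # A second uid-0 account is root-equivalent regardless of its name.
            findings.append(Finding(name, "uid 0 (root-equivalent) account that is not root"))
        elif len(by_uid[uid]) > 1:
            others = ", ".join(sorted(n for n in by_uid[uid] if n != name))
            findings.append(Finding(name, f"shares uid {uid} with {others}"))
        if name not in baseline:
            if shell in shells:
                findings.append(Finding(name, "not in baseline and has an interactive shell"))
            else:
                findings.append(Finding(name, "not in baseline"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD, BASELINE_ACCOUNTS):
        print(f"{f.user}: {f.reason}")
```

Run on the constructed sample, the audit reports four findings: root shares uid 0 with troot, troot is a uid-0 account that is not root and is absent from the baseline, and svc-backup has a login shell without being in the baseline. The baseline comparison is what makes the check useful after the fact: the article notes that the attackers restored configuration files and the administrator password to hide their changes, so a review that only looks for obviously odd names will miss an extra entry that looks routine, whereas a diff against an independently kept account list will not.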
