Key Takeaways
- Mandiant disclosed that an unidentified threat actor exploited a previously unknown Cisco zero‑day to gain root‑level access to a communications service provider’s SD‑WAN infrastructure.
- The vulnerability (CVE‑2026-20245) in Cisco Catalyst SD‑WAN Manager was patched in June 2026, but the attacker had already used it to create a privileged “troot” account.
- Because the attackers employed extensive anti‑forensic techniques, Mandiant could not determine the full scope of the compromise, though the access allowed broad, stealthy visibility into internal traffic.
- The incident highlights a growing trend of threat actors targeting edge devices—network appliances that sit outside traditional security perimeters—to achieve persistent, wide‑scale infiltration.
- Mandiant and Google Threat Intelligence noted that such zero‑day exploitation aligns with state‑sponsored espionage tactics aimed at long‑term intelligence collection.
Overview of the Attack
Mandiant reported on Wednesday that an adversary leveraged a previously unknown, unpatched Cisco vulnerability earlier this year to breach a communications service provider and obtain the highest level of system access possible. The intrusion was detected by Mandiant’s threat‑hunting team, which observed anomalous activity targeting the provider’s SD‑WAN Manager appliances. Although Cisco has since released a fix, the incident underscores how quickly attackers can weaponize zero‑day flaws before vendors become aware of them.
Details of the Zero‑Day Vulnerability
The flaw exploited resides in Cisco Catalyst SD‑WAN Manager, a component of Cisco’s software‑defined wide area network (SD‑WAN) portfolio used to orchestrate traffic across dispersed sites such as bank branches. Mandiant identified the vulnerability as CVE‑2026-20245, a privilege‑escalation bug that allowed an attacker to elevate from a standard user to root privileges. Cisco confirmed the issue in a security advisory published on June 4, 2026, and urged customers to upgrade to a patched release.
Patch Timeline and Vendor Response
Cisco’s advisory noted that the vulnerability had been actively exploited in the wild before a fix was available. The company released updated software versions that address CVE‑2026-20245 and recommended immediate deployment for all SD‑WAN Manager installations. Despite the patch, the earlier compromise had already given the intruder footholds that persisted until the provider completed the upgrade cycle.
Impact: Root‑Level Access and Network Visibility
With root‑level control over the SD‑WAN Manager, the attacker could manipulate configuration files, create privileged accounts, and monitor or alter traffic flowing through the provider’s entire corporate network. Mandiant warned that such access granted the adversary “broad and undetected visibility” into internal communications, potentially enabling data exfiltration, credential harvesting, or the planting of backdoors for future operations.
Limitations of the Assessment
Although Mandiant could establish that the attacker achieved high privileges, the firm cautioned that a full damage assessment remained incomplete. The threat actor employed sophisticated anti‑forensic measures—including log wiping, timestamp manipulation, and the use of legitimate‑looking processes—to obscure their footprint. Consequently, Mandiant could not definitively determine whether data was exfiltrated, how long the presence lasted, or which specific systems were touched beyond the SD‑WAN Manager.
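The two anti-forensic techniques named above, log wiping and timestamp manipulation, each leave a cheap signal that a forensic readiness review can look for. The following is an added example, not Mandiant's or Cisco's tooling: it flags holes in a log stream that normally carries a regular heartbeat, and it flags files whose metadata looks backdated. The log lines, the 10-minute cron cadence and the file paths are constructed for illustration; the file-system checks assume Linux semantics, where a process can set mtime with utime() but ctime is always rewritten by the kernel.

```python
"""Detection heuristics for log wiping and timestomping (added example)."""
import os
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines. A cron health check normally lands every
# 10 minutes, so the 50-minute hole between 02:10 and 03:00 is the signal
# that entries were removed.
SAMPLE_LOG = """\
2026-03-14T02:00:03 sdwan-mgr CRON[811]: (root) CMD (/usr/local/bin/health-check)
2026-03-14T02:10:02 sdwan-mgr CRON[845]: (root) CMD (/usr/local/bin/health-check)
2026-03-14T03:00:01 sdwan-mgr CRON[990]: (root) CMD (/usr/local/bin/health-check)
2026-03-14T03:10:04 sdwan-mgr CRON[1012]: (root) CMD (/usr/local/bin/health-check)
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")


def parse_timestamps(text):
    """Extract the leading ISO timestamp of each log line, in file order."""
    stamps = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            stamps.append(datetime.fromisoformat(m.group(1)))
    return stamps


def log_gaps(text, expected_interval=timedelta(minutes=10), tolerance=2.0):
    """Return (previous, current, delta) for each pair of consecutive entries
    that are further apart than tolerance * expected_interval, or that step
    backwards in time (a sign of spliced or rewritten logs)."""
    stamps = parse_timestamps(text)
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta < timedelta(0) or delta > expected_interval * tolerance:
            gaps.append((prev, cur, delta))
    return gaps


def stat_entries(paths):
    """Collect (path, mtime_ns, ctime_ns) for real files via os.stat."""
    out = []
    for p in paths:
        st = os.stat(p)
        out.append((p, st.st_mtime_ns, st.st_ctime_ns))
    return out


def timestomp_suspects(entries, min_skew=timedelta(days=1)):
    """Flag files whose mtime is much older than ctime (utime() on Linux
    resets ctime to now, so a backdated mtime leaves this skew) or whose
    mtime has an exactly-zero nanosecond part (what `touch -t` produces)."""
    skew_ns = int(min_skew.total_seconds() * 1_000_000_000)
    suspects = []
    for path, mtime_ns, ctime_ns in entries:
        reasons = []
        if ctime_ns - mtime_ns > skew_ns:
            reasons.append("ctime much newer than mtime")
        if mtime_ns % 1_000_000_000 == 0:
            reasons.append("mtime has zero nanoseconds")
        if reasons:
            suspects.append((path, reasons))
    return suspects


if __name__ == "__main__":
    for prev, cur, delta in log_gaps(SAMPLE_LOG):
        print(f"log gap of {delta} between {prev} and {cur}")
    # Constructed stat results: a normally written file and a backdated one.
    sample = [
        ("/var/log/auth.log", 1_700_000_000_123_456_789, 1_700_000_000_123_456_789),
        ("/usr/bin/sshd", 1_600_000_000_000_000_000, 1_700_000_000_500_000_000),
    ]
    for path, reasons in timestomp_suspects(sample):
        print(path, "->", "; ".join(reasons))
```

Both checks are triage signals, not proof. Files unpacked from tar archives or package managers legitimately carry second-precision mtimes and an mtime/ctime skew, so run the timestomp check against a baseline of known-good installs, and tune the heartbeat interval to whatever the appliance actually logs on a schedule.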
Broader Trend: Targeting Edge Devices
The incident exemplifies a persistent shift in adversary tactics toward compromising edge devices—routers, firewalls, VPN concentrators, and SD‑WAN controllers that sit at the network periphery. Mandiant noted that attacks on such appliances have been “very common” and have featured in several high‑profile breaches in recent years. The Cybersecurity and Infrastructure Security Agency (CISA) has consequently urged federal agencies to prioritize hardening these devices in 2026.
Living Off the Edge Paradigm
In its blog post, Mandiant articulated the strategy as a “living off the edge” approach: threat actors focus on network appliances to bypass conventional security perimeters that protect endpoints and servers. Because SD‑WAN orchestrators act as a central control plane, they offer a stealthy platform for persistent, wide‑scale access while often lacking the deep telemetry needed for thorough forensic analysis. This makes them attractive targets for actors seeking long‑term presence.
Attribution Challenges and State‑Sponsored Implications
Mandiant refrained from attributing the attack to any specific group, citing the attacker’s diligent efforts to cover tracks and delete evidence. However, the firm highlighted that for state‑sponsored actors, exploiting zero‑day vulnerabilities in edge platforms remains a premier vector for long‑term strategic intelligence collection. The ability to remain hidden for months while harvesting data aligns with the objectives of espionage‑focused campaigns.
Comment from Google Threat Intelligence
Kelli Vanderlee, senior manager for Google Threat Intelligence Group, told CyberScoop that the observed behavior—exploiting a zero‑day in an edge device coupled with extensive anti‑forensic activity—matches patterns seen in previously documented cyber‑espionage threat actors. She emphasized that such tactics enable adversaries to maintain a low profile while achieving high‑value access to sensitive communications.
Two‑Wave Attack Timeline and Techniques
Mandiant’s analysis revealed that the intrusion unfolded in two distinct waves. The first wave, occurring from late 2025 to early 2026, leveraged one of two then‑unpatched vulnerabilities (CVE‑2026-20127 or CVE‑2026-20182). During this phase, the attacker established unauthorized “peering” connections to the victim’s SD‑WAN Manager devices, the handshake through which the manager accepts a remote node as a trusted peer.
The second wave, observed in March 2026, involved exploitation of the zero‑day CVE‑2026-20245. Using this flaw, the attacker created a rogue user account named “troot” that conferred full root privileges on the SD‑WAN Manager. This account allowed the adversary to modify configurations, add hidden users, and maintain persistence even after the initial peering connections were terminated.
Creation of the Rogue “troot” Account
The “troot” account was a deliberate attempt to blend in with legitimate administrative accounts while bypassing typical alerting mechanisms. By assigning it a seemingly innocuous name and granting it unrestricted access, the attacker could issue privileged commands without triggering standard privilege‑escalation detections. Mandiant noted that the account remained undiscovered until the provider reviewed audit logs after Cisco’s advisory prompted a deeper investigation.
Cisco’s Advisory and Recommendations
On June 4, 2026, Cisco released a security advisory detailing the privilege‑escalation vulnerability and provided specific software versions that mitigate CVE‑2026-20245. The advisory urged all Cisco Catalyst SD‑WAN Manager customers to upgrade immediately and to review configurations for unauthorized accounts. Mandiant echoed this guidance, stressing that timely patching, combined with robust monitoring of privileged account creation, is essential to prevent similar compromises.
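The advisory's two action items, review the appliance for unauthorized accounts and monitor privileged account creation, both reduce to checks that can be scripted. The following is an added example, not Cisco's or Mandiant's tooling, and it does not use any SD‑WAN Manager API: it audits Linux-style passwd, group and sudoers data for root-equivalent accounts outside an allowlist, and parses shadow-utils useradd log lines for the same condition at creation time. The sample files, the allowlist and the log lines are constructed; the "troot" entry models the rogue account the report describes.

```python
"""Audit local accounts for unexpected root-equivalent users (added example)."""
import re
from dataclasses import dataclass

# Constructed sample data in /etc/passwd, /etc/group and sudoers format.
# Paths, account names and the "troot" entry are illustrative.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000:Appliance admin:/home/vmanage-admin:/bin/bash
netops:x:1001:1001:Network operations:/home/netops:/bin/bash
troot:x:0:0:root:/var/tmp/.t:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:vmanage-admin,troot
wheel:x:10:
"""
SUDOERS = """\
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
netops ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart sdwan-manager
"""
# Constructed useradd lines in shadow-utils syslog format.
USERADD_LOG = """\
2026-03-12T04:17:55 sdwan-mgr useradd[2231]: new user: name=troot, UID=0, GID=0, home=/var/tmp/.t, shell=/bin/bash, from=/dev/pts/0
2026-03-12T09:02:11 sdwan-mgr useradd[3302]: new user: name=svc-backup, UID=1002, GID=1002, home=/home/svc-backup, shell=/usr/sbin/nologin, from=none
"""

KNOWN_ACCOUNTS = {"root", "daemon", "vmanage-admin", "netops"}  # hypothetical baseline
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
NEW_USER = re.compile(
    r"useradd\[\d+\]: new user: name=(\S+?), UID=(\d+), GID=(\d+), "
    r"home=(\S+?), shell=(\S+?)(?:,|$)")


@dataclass
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    members = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, mem = line.split(":", 3)
            members[name] = {m for m in mem.split(",") if m}
    return members


def sudo_principals(text):
    """First token of every sudoers rule: a user, or %group."""
    principals = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            principals.add(line.split()[0])
    return principals


def audit(passwd=PASSWD, group=GROUP, sudoers=SUDOERS, known=KNOWN_ACCOUNTS):
    users, groups, rules = parse_passwd(passwd), parse_group(group), sudo_principals(sudoers)
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append(Finding(name, "uid 0 account that is not root"))
        if name not in known and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(Finding(name, "interactive account not on the allowlist"))
        if u["home"].startswith(SCRATCH_DIRS):
            findings.append(Finding(name, f"home directory in a scratch location: {u['home']}"))
        # sudo granted directly, or through membership of a group that has a rule
        via_group = any("%" + g in rules and name in mem for g, mem in groups.items())
        if (name in rules or via_group) and name not in known:
            findings.append(Finding(name, "sudo rights granted to an unknown account"))
    return findings


def creation_alerts(log_text=USERADD_LOG, known=KNOWN_ACCOUNTS):
    """Alert on useradd events that create UID 0 or an unlisted interactive user."""
    alerts = []
    for line in log_text.splitlines():
        m = NEW_USER.search(line)
        if not m:
            continue
        name, uid, _gid, _home, shell = m.groups()
        if int(uid) == 0:
            alerts.append(Finding(name, "account created with UID 0"))
        elif name not in known and shell not in NOLOGIN_SHELLS:
            alerts.append(Finding(name, "interactive account created outside the allowlist"))
    return alerts


if __name__ == "__main__":
    for f in audit() + creation_alerts():
        print(f"{f.user}: {f.reason}")
```

The static audit catches an account that already exists; the log check catches the moment it is created, which matters because an attacker with root can edit passwd and sudoers directly without ever running useradd. Ship the useradd and sudo log lines off the appliance in near real time, since a box-local log is exactly what the report says was wiped.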
Conclusion and Organizational Implications
The Mandiant investigation serves as a stark reminder that edge devices are increasingly lucrative targets for sophisticated adversaries. Organizations that rely on SD‑WAN or similar centralized network‑management platforms must treat these appliances as critical assets, applying the same rigor of patch management, privileged‑access controls, and continuous monitoring used for servers and endpoints. By adopting a defense‑in‑depth strategy that includes network segmentation, anomaly detection, and regular forensic readiness reviews, enterprises can reduce the likelihood that a zero‑day exploit translates into prolonged, undetected access to their internal traffic.