Mandiant has shared new details about how hackers exploited a Cisco Catalyst SD-WAN vulnerability, tracked as CVE-2026-20245, in zero-day attacks.
The high-severity flaw allowed attackers with access to affected devices to run commands as root by uploading a specially crafted file. Cisco previously confirmed the bug had been used in a small number of attacks but released few details at the time.
According to researchers, attackers first gained access to targeted SD-WAN systems before using CVE-2026-20245 to escalate privileges. The attacks began in March 2026, when threat actors created rogue SD-WAN peering connections and accessed devices using the vmanage-admin account.
After logging in, the attackers gathered configuration data and then exploited the vulnerability by uploading a malicious CSV file called ‘evil_tenant.csv’. The file created a hidden root-level account named ‘troot’, giving the attackers full control of the device.
Mandiant said the attackers restored modified files, deleted malicious tools, removed traces of the rogue account, and ran scripts to verify that evidence of the intrusion had been wiped.
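The chain above (an upload by the vmanage-admin account, a CSV named ‘evil_tenant.csv’, a hidden UID-0 account named ‘troot’, then cleanup on the device) gives a defender two concrete things to hunt for: unexpected root-equivalent accounts in passwd data, and the named indicators in upload records. The script below is an added example, not Mandiant's or Cisco's code; the passwd text and the upload records it reads are constructed for illustration and are not Cisco's real file or log formats. The heuristic that flags any CSV upload by vmanage-admin for review is an assumption based only on the account named in the report.

```python
"""Hunt for the indicators described in the report: a hidden UID-0 account
and a known-bad CSV upload. Added example; input formats are constructed."""
from dataclasses import dataclass

KNOWN_BAD_FILENAMES = {"evil_tenant.csv"}   # IoC filename named in the report
KNOWN_BAD_ACCOUNTS = {"troot"}              # hidden root account named in the report
EXPECTED_ROOT_ACCOUNTS = {"root"}           # assumption: only 'root' should hold UID 0
WATCHED_UPLOADERS = {"vmanage-admin"}       # account the attackers used (per the report)


@dataclass(frozen=True)
class Finding:
    kind: str    # e.g. known_ioc_account, unexpected_uid0, known_ioc_upload, review_csv_upload
    detail: str


def uid0_accounts(passwd_text: str) -> list[str]:
    """Return every username whose UID field is 0 in /etc/passwd-style text
    (name:x:uid:gid:gecos:home:shell). Comments and malformed lines are skipped."""
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) == 0:
            names.append(fields[0])
    return names


def check_passwd(passwd_text: str) -> list[Finding]:
    """Flag UID-0 accounts that are either known IoCs or simply not expected."""
    findings = []
    for name in uid0_accounts(passwd_text):
        if name in KNOWN_BAD_ACCOUNTS:
            findings.append(Finding("known_ioc_account", name))
        elif name not in EXPECTED_ROOT_ACCOUNTS:
            findings.append(Finding("unexpected_uid0", name))
    return findings


def check_uploads(upload_events: list[dict]) -> list[Finding]:
    """upload_events are constructed records: {"user": ..., "filename": ..., "src": ...}.
    A known IoC filename is a hard hit; any other CSV from a watched account is
    queued for review (assumption-based heuristic, not a confirmed indicator)."""
    findings = []
    for ev in upload_events:
        user = ev.get("user", "")
        filename = ev.get("filename", "")
        src = ev.get("src", "?")
        if filename in KNOWN_BAD_FILENAMES:
            findings.append(Finding("known_ioc_upload", f"{user} uploaded {filename} from {src}"))
        elif filename.lower().endswith(".csv") and user in WATCHED_UPLOADERS:
            findings.append(Finding("review_csv_upload", f"{user} uploaded {filename} from {src}"))
    return findings


def run_checks(passwd_text: str, upload_events: list[dict]) -> list[Finding]:
    """Combine both hunts; findings from the account check come first."""
    return check_passwd(passwd_text) + check_uploads(upload_events)


# Constructed sample input (not real device data): a clean root entry, the
# management account, and the hidden 'troot' account from the report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
# comment lines are ignored
troot:x:0:0::/root:/bin/bash
"""

# Constructed upload records: one routine-looking CSV and the named IoC.
SAMPLE_UPLOADS = [
    {"user": "vmanage-admin", "filename": "tenants_q1.csv", "src": "10.0.0.5"},
    {"user": "vmanage-admin", "filename": "evil_tenant.csv", "src": "203.0.113.7"},
]

if __name__ == "__main__":
    for f in run_checks(SAMPLE_PASSWD, SAMPLE_UPLOADS):
        print(f"[{f.kind}] {f.detail}")
```

Because the report says the attackers removed the rogue account and restored modified files before leaving, the passwd check only catches an intrusion that is still in progress; the upload check is the more durable of the two, provided the upload records are shipped off the device to a log store the attacker cannot edit.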
Researchers believe the attackers may have initially gained access through previously disclosed Cisco SD-WAN vulnerabilities or by using stolen certificates from earlier breaches.