SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Mandiant reveals Cisco SD-WAN zero-day root breach


Thu, 25th Jun 2026
Sean Mitchell, Publisher

Mandiant has disclosed a zero-day attack on Cisco Catalyst SD-WAN Manager devices that gave an attacker root-level access at a communications service provider.

The attacker first compromised an administrator account, then exploited a vulnerability tracked as CVE-2026-20245, according to Mandiant. Investigators found that a malicious CSV file was uploaded to the management platform, allowing the attacker to escalate privileges and create a rogue root account called troot.

Cisco Catalyst SD-WAN Manager serves as a central control system for software-defined wide area networks, allowing organisations to configure and manage connectivity across sites and cloud environments. A compromise of that control layer can give an intruder broad access to the systems that route traffic across an enterprise network.

Mandiant found no evidence that the attacker used that access to monitor enterprise communications. But investigators could not establish the full extent of activity after the initial breach because the attacker used anti-forensic methods to erase traces of the intrusion.

Attack chain

The investigation identified two separate periods of suspicious activity over several months. Mandiant could not determine whether the same threat actor was responsible for both.

The first phase ran from late 2025 to January 2026 and involved unauthorised peering connections. Investigators said those connections may have relied on one of two authentication bypass flaws, CVE-2026-20127 or CVE-2026-20182, which were not publicly known at the time and had no available patches.

A second phase emerged in March 2026 and affected a newer software version that was not vulnerable to one of those earlier authentication flaws. Cisco confirmed that the attackers also did not use the second authentication bypass vulnerability in that later activity, according to Mandiant's account of the incident.

That led investigators to assess that stolen certificates may have been used to gain initial access before the attacker exploited CVE-2026-20245. Once inside, the intruder changed default administrator credentials, uploaded the malicious CSV file, and created the troot account with unrestricted shell access.

The use of a file named evil_tenant.csv stood out because it turned a legitimate management function, the CSV import used to load tenant or site data, into a path to root access. By abusing that upload process, the attacker converted a compromised administrator session into control of the underlying SD-WAN management system rather than just a single user account.

Limited telemetry

The attacker showed a high level of operational discipline during the intrusion, Mandiant said. Investigators observed file deletion, restoration of modified settings, removal of malicious artefacts, and the use of scripts intended to check whether forensic evidence had been wiped.

Those steps made it harder to reconstruct the full scope of the breach. The problem was compounded by the limited telemetry many network infrastructure devices generate compared with conventional servers and employee endpoints.

That lack of detailed logging has become a recurring issue in investigations involving network appliances. These systems often sit at critical control points inside corporate environments but are monitored less comprehensively than laptops, servers, or cloud workloads.

The findings add to a broader pattern identified by incident response teams across the security industry: attackers are increasingly targeting administrative systems that govern identity, connectivity, and policy enforcement. In these cases, management platforms can offer a more efficient route into an organisation than attacking individual machines one by one.

For service providers and large enterprises, SD-WAN platforms are especially sensitive because they act as orchestration layers for distributed networks. Access to those platforms can expose configuration data, authentication material, and network relationships that may help an attacker move further into an environment.

Security response

Mandiant urged organisations using Cisco Catalyst SD-WAN Manager to apply Cisco's available security updates and review administrative accounts for unauthorised changes. It also recommended validating device certificates and investigating indicators of compromise such as unexpected user accounts, suspicious file uploads, and unexplained configuration changes.
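The review Mandiant recommends is, in practice, a comparison of what the appliance currently reports against a baseline the defender trusts. The script below is an added example of that triage written for this article; it is not tooling from Mandiant or Cisco. The key=value log format, the account names, and the change-ticket convention are all constructed for the example and do not reflect Cisco Catalyst SD-WAN Manager's real audit-log schema. It flags the four indicators the article names: activity by accounts absent from the inventory, new accounts (with any file upload by the same user in the preceding 30 minutes attached as context), configuration changes with no change ticket, and credential changes on the built-in admin account.

```python
"""Triage of a constructed SD-WAN manager audit log against a trusted baseline.

Added example, not Mandiant's or Cisco's code. The log format below is invented
for illustration; adapt parse_line() to the real export format of the device.
"""
from datetime import datetime, timedelta
import re

# Constructed sample log (NOT the real Cisco audit-log schema). It mirrors the
# sequence the article describes: admin credential change, CSV upload,
# root-role account creation, activity by that account, and a configuration
# change that disables remote logging without a ticket.
SAMPLE_LOG = """\
2026-03-02T01:14:07Z user=admin action=password_change target=admin
2026-03-02T01:15:22Z user=admin action=file_upload name=evil_tenant.csv size=812
2026-03-02T01:16:40Z user=admin action=account_create target=troot role=root
2026-03-02T01:20:03Z user=troot action=shell_access
2026-03-02T01:25:11Z user=admin action=config_change key=logging.remote value=disabled ticket=
2026-03-03T09:00:00Z user=netops action=config_change key=ntp.server value=10.9.0.5 ticket=CHG-4412
2026-03-03T09:05:00Z user=netops action=file_upload name=sites_q1.csv size=40211
"""

# Assumed known-good account inventory, held outside the appliance so that an
# attacker who edits the device's own user table cannot also edit the baseline.
BASELINE_ACCOUNTS = {"admin", "netops"}
UPLOAD_CORRELATION_WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(re.findall(r"(\w+)=(\S*)", m.group("kv")))
    # fromisoformat on older Pythons does not accept a trailing 'Z'
    event["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return event


def parse_log(text):
    """Parse all non-empty, well-formed lines of the log, preserving order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def hunt(events, baseline=BASELINE_ACCOUNTS):
    """Return a list of findings; each is a tuple whose first item is the rule name."""
    findings = []
    for i, ev in enumerate(events):
        action, user = ev.get("action"), ev.get("user")

        # Rule 1: any activity by an account the inventory does not know about.
        if user not in baseline:
            findings.append(("unknown_actor", user, ev["ts"].isoformat()))

        # Rule 2: account creation. A root role is critical; attach uploads by
        # the same user shortly before, since the article's root account was
        # created right after a malicious CSV upload.
        if action == "account_create":
            severity = "critical" if ev.get("role") == "root" else "high"
            recent_uploads = tuple(
                e.get("name") for e in events[:i]
                if e.get("action") == "file_upload"
                and e.get("user") == user
                and ev["ts"] - e["ts"] <= UPLOAD_CORRELATION_WINDOW
            )
            findings.append(("new_account", ev.get("target"), severity, recent_uploads))

        # Rule 3: configuration change with no change ticket to explain it.
        if action == "config_change" and not ev.get("ticket"):
            findings.append(("unticketed_change", ev.get("key"), user))

        # Rule 4: credential change on the built-in admin account.
        if action == "password_change" and ev.get("target") == "admin":
            findings.append(("admin_password_change", user))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log the script reports the admin password change, the creation of troot as a root-role account correlated with the evil_tenant.csv upload, the shell access by troot as an unknown actor, and the unticketed change that disabled remote logging; the ticketed NTP change and the ordinary CSV upload by netops produce nothing. The baseline must come from a source the attacker cannot edit, because the rules compare against the inventory, not against whatever the appliance currently lists.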

The incident also highlights the need to preserve forensic data from network infrastructure where possible. Without logs, retained system artefacts, and visibility into administrator actions, investigators can struggle to determine whether a breach was contained or whether persistence remained after a clean-up effort.

Organisations are also being pushed to treat network management systems as critical assets that require the same scrutiny as other high-value systems. That means tighter protection for administrative credentials, stronger monitoring, and incident response plans that include routers, controllers, and other infrastructure devices rather than focusing only on user and server estates.

The attack shows how threat actors are shifting towards the enterprise control plane, where a single compromise can yield broad control while leaving fewer traces than activity on traditional endpoints, Mandiant said.