New details have been revealed on how hackers exploited a **Cisco Catalyst SD-WAN** vulnerability, tracked as **CVE-2026-20245**, in zero-day attacks to create rogue root accounts on targeted devices. The **CVE-2026-20245** vulnerability is a high-severity command injection flaw in **Cisco Catalyst SD-WAN Manager** (vManage), **Controller** (vSmart), and **Validator** (vBond). It allows authenticated attackers to execute arbitrary commands as root by uploading a crafted file. **Cisco** stated the vulnerability stemmed from insufficient validation of user-supplied input and could be exploited by authenticated attackers with local access to affected devices. When **Cisco** initially disclosed the flaw earlier this month, the company warned that it had been exploited in a limited number of attacks but did not provide specific details. **Cisco** only stated that successful exploitation allowed attackers to gain root privileges and that some incidents involved unauthorized configuration changes being pushed to edge devices. The company released security updates and urged customers to upgrade to fixed software versions, stating that no workarounds were available. ## New Exploitation Details Emerge In a report published today, **Mandiant** revealed that **CVE-2026-20245** was exploited as a privilege-escalation vulnerability after attackers had already gained access to targeted SD-WAN devices. According to the researchers, the intrusion began with unauthorized SD-WAN peering connections observed on a service provider's infrastructure. Beginning in March 2026, the threat actor established new rogue peer connections and authenticated to affected SD-WAN Manager devices using the `vmanage-admin` account. **Mandiant** believes the rogue peering may have been created by exploiting previously disclosed **Cisco SD-WAN** authentication bypass zero-days, **CVE-2026-20127** and **CVE-2026-20182**, though the exact method remains unclear. After gaining access, the attackers changed the default admin account password, logged in to the SD-WAN Manager web interface, and extracted configuration information for edge devices, controllers, and SD-WAN templates. **Mandiant** says the attackers subsequently restored the admin account to its original password after completing their activity, likely to reduce detection. The researchers say the attackers then exploited **CVE-2026-20245** through a tenant-upload feature in the SD-WAN command-line interface by uploading a malicious CSV file named "evil_tenant.csv." "**CVE-2026-20245**, a vulnerability reported to **Cisco** by **Mandiant**, exists in the command-line interface (CLI) of **Cisco Catalyst SD-WAN Controllers** that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system," explains **Mandiant**. **Mandiant** says the malicious payload first created backups of system configuration files, including `/etc/passwd` and `/etc/shadow`, before creating a new account named "`troot`" with root-level privileges. The attackers then used the Linux "`su`" command to switch from the compromised administrative account to the newly created root account, giving them full control over the device. **Mandiant** says the attackers heavily relied on anti-forensic tactics to evade detection. This includes backing up configuration files before modifying them and then restoring them after exploitation. They also cleaned up traces of exploitation by deleting the malicious CSV payload, removing temporary files created during the attack, and erasing evidence of the rogue root account. The researchers also observed the execution of a validation script to confirm that all traces of the compromise had been removed from the device. **Mandiant** says some rogue peering activity observed in March 2026 occurred on systems that were not vulnerable to any of the previously disclosed authentication-bypass flaws. **Cisco** told the researchers that the breach did not involve **CVE-2026-20182** and said it was possible the attackers used certificates stolen during a previous compromise to regain access to devices. **Mandiant** has published indicators of compromise, attacker IP addresses, and guidance to help organizations determine whether they were compromised. Organizations should collect diagnostic data from SD-WAN devices, check for signs of unauthorized peering connections, and upgrade to the latest software releases if they have not already done so.