Zero-Day Exploitation of Cisco Catalyst SD-WAN Manager Uncovered by Mandiant
A high-severity vulnerability in **Cisco Catalyst SD-WAN Manager** (**CVE-2026-20245**) was exploited as a zero-day for at least two months before its public disclosure, according to new research from **Mandiant**. The sophisticated attack, targeting a communications service provider, allowed an authenticated attacker to execute arbitrary commands with elevated privileges and achieve root-level access.
An unknown threat actor exploited a recently disclosed high-severity security flaw impacting **Cisco Catalyst SD-WAN** as a zero-day, at least two months prior to its public disclosure. This critical finding comes from **Google**-owned **Mandiant**, shedding light on advanced persistent threats targeting critical infrastructure.

The vulnerability, identified as **CVE-2026-20245** (CVSS score: 7.8), enables an authenticated, local attacker to execute arbitrary commands with elevated privileges. This is achieved by supplying a crafted file to the affected system, exploiting insufficient validation of user-supplied input.
**Cisco** acknowledged awareness of the exploitation earlier this month, noting that a successful attack requires netadmin privileges on the affected system.
### Sophisticated Anti-Forensic Techniques Employed
**Mandiant** researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan highlighted the threat actor's operational security measures. "Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities," they stated.
The incident, investigated by **Google**'s incident response and threat intelligence arm, targeted an unspecified communications service provider. The goal was to escalate a compromised admin account to full root-level access.
### Two Waves of Unauthorized Activity
Two distinct periods of unauthorized activity were detected: one between late 2025 and January 2026, and another in March 2026. At present, it remains unclear if these two events are connected or the work of the same threat actor.
During the initial wave, the victim experienced unauthorized peering connections. These connections likely exploited one of two authentication bypass flaws in **Cisco Catalyst SD-WAN** controllers: **CVE-2026-20127** or **CVE-2026-20182**. Both vulnerabilities were undisclosed zero-days at the time of exploitation.
The second wave in March 2026 saw rogue peering connections targeting a device running a newer software version, which had been patched against **CVE-2026-20127**. **Cisco** confirmed that **CVE-2026-20182** was not leveraged in this instance. This raises the possibility that the attacker, potentially distinct from the first incident, relied on stolen certificates from a prior breach of the same device to gain initial access.
### Privilege Escalation and Covert Persistence
**Mandiant** detailed the privilege escalation process: "The attacker then changed default admin credentials before exploiting **CVE-2026-20245** as a zero-day via a malicious CSV file upload (evil_tenant.csv). This exploit allowed them to escalate privileges and create a rogue user account (named 'troot') with full root-level shell control."
The attackers meticulously covered their tracks by deleting created files, reversing configuration changes, and running scripts to ensure no evidence remained, limiting the defenders' ability to fully assess the compromise.
Austin Larsen, principal threat analyst at **Google Threat Intelligence Group (GTIG)**, elaborated on the stealth tactics: "After changing the default admin password and exfiltrating the SD-WAN fabric configuration, the actor changed the password back to its original value so an administrator logging in would not notice anything was off."
He added, "They escalated to root through a malicious CSV upload, created a hidden 'troot' account in /etc/passwd and /etc/shadow, then deleted every file they touched and ran a validation script to confirm their indicators were gone."
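The rogue account described above is the kind of indicator a defender can check for directly on any Linux-based appliance where the shell is reachable: a second account with UID 0, or entries in /etc/passwd and /etc/shadow that no longer agree with each other (the sort of inconsistency hand-editing leaves behind). The audit below is an added example written for this article, not Mandiant's, GTIG's or Cisco's code; it assumes the rogue account was given UID 0, since the quote says it gave full root-level shell control, and the passwd/shadow contents are constructed sample data rather than anything from the incident.

```python
"""Audit passwd/shadow text for extra root-level accounts.

Added example, not code from Mandiant, GTIG or Cisco. Assumption: the
rogue account carries UID 0 (the article says it gave root-level shell
control). The sample file contents below are constructed, not from the
incident; the 'troot' name is taken from the article.
"""

# Constructed sample /etc/passwd: normal accounts plus a second UID-0 entry.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage:x:1000:1000::/home/vmanage:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed sample /etc/shadow; hash strings are placeholders.
SAMPLE_SHADOW = """root:$6$placeholderhash1:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
vmanage:$6$placeholderhash2:19700:0:99999:7:::
troot:$6$placeholderhash3:19700:0:99999:7:::
"""


def parse_passwd(text):
    """Return (name, uid, gid, shell) tuples; skip comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid 7-field passwd record
        name, _pw, uid, gid, _gecos, _home, shell = fields
        entries.append((name, int(uid), int(gid), shell))
    return entries


def parse_shadow(text):
    """Return {name: password_field} for every shadow record."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            result[fields[0]] = fields[1]
    return result


def is_usable_hash(pw_field):
    """True when the shadow password field allows password login (not locked/empty)."""
    return bool(pw_field) and pw_field not in ("*", "!!") and not pw_field.startswith("!")


def find_rogue_root_accounts(passwd_text, expected_root=("root",)):
    """Names of UID-0 accounts that are not in the expected allow-list."""
    return [name for name, uid, _gid, _shell in parse_passwd(passwd_text)
            if uid == 0 and name not in expected_root]


def audit(passwd_text, shadow_text, expected_root=("root",)):
    """Combine the checks into one findings dict a detection job can act on."""
    rogue = find_rogue_root_accounts(passwd_text, expected_root)
    shadow = parse_shadow(shadow_text)
    passwd_names = {name for name, *_ in parse_passwd(passwd_text)}
    return {
        # extra UID-0 accounts
        "rogue_uid0": rogue,
        # of those, which could actually log in with a password
        "rogue_uid0_loginable": [n for n in rogue if is_usable_hash(shadow.get(n, ""))],
        # accounts present in one file but not the other (sign of manual edits)
        "passwd_without_shadow": sorted(passwd_names - set(shadow)),
        "shadow_without_passwd": sorted(set(shadow) - passwd_names),
    }


def audit_live_system(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run the audit against real files; reading shadow normally needs root."""
    with open(passwd_path) as fp, open(shadow_path) as fs:
        return audit(fp.read(), fs.read())


if __name__ == "__main__":
    # Run against the constructed sample so it works offline without privileges.
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{key}: {value}")
```

On a live appliance the useful pattern is to take a baseline of this output when the device is known-good and alert on any change, since the article notes the attacker restored files after use and a point-in-time check may land between edits.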
### The Allure of Edge Devices for Adversaries
**Google** highlighted that this activity underscores a "continuing trend" of malicious actors weaponizing zero-days in edge devices like SD-WAN. These devices often lack the comprehensive telemetry necessary for deep forensic analysis. A foothold in such systems can provide persistent visibility into internal network traffic across the entire fabric.
Charles Carmakal, Chief Technology Officer of **Mandiant Consulting**, reinforced this point: "Advanced adversaries continue to primarily target and exploit network devices and other systems that don't natively support EDR solutions."