Cisco SD-WAN Zero-Day CVE-2026-20245 Gave Attackers Root Inside a Telecom Fabric

An unknown threat actor ran inside a communications service provider's Cisco Catalyst SD-WAN fabric for at least two months before anyone knew the bug existed. According to Mandiant, the actor weaponized CVE-2026-20245 (CVSS 7.8) as a zero-day, turned a compromised admin account into full root, stole the fabric configuration, then deleted nearly every artifact behind them. Cisco confirmed active exploitation earlier this month.

This is the edge-device problem in one incident: a high-value box that sees internal traffic across the fabric, has no native EDR, and lacks the telemetry defenders need to reconstruct what happened. The attacker exploited all three conditions deliberately.

The intrusion chain

Mandiant identified two distinct windows of unauthorized activity, and it is still unclear whether the same actor was behind both. The first ran from late 2025 into January 2026; the second hit in March 2026. Both began with rogue peering connections into the SD-WAN controllers.

In the first wave, the rogue peering likely abused one of two authentication bypass flaws, CVE-2026-20127 or CVE-2026-20182, both undisclosed zero-days at the time. In March, the target device had already been patched against CVE-2026-20127, and Cisco confirmed the connections did not use CVE-2026-20182. That points to stolen certificates from a prior breach of the same device, the attacker reusing trust they had already harvested rather than burning a fresh exploit.

From netadmin to root via a CSV file

CVE-2026-20245 requires an authenticated local attacker with netadmin privileges, then exploits the device's insufficient validation of a user-supplied file. The actor changed the default admin credentials, then uploaded a crafted CSV named evil_tenant.csv. That single file triggered the privilege escalation.

With root, the attacker created a hidden account called 'troot' written directly into /etc/passwd and /etc/shadow, giving them a full root shell that did not depend on the original compromised account. The crafted-file pattern is exactly why edge appliances keep falling: a parser that trusts operator input becomes a code-execution primitive.

Why edge devices keep losing

Google Threat Intelligence Group framed this as a continuing trend: advanced adversaries primarily target network devices and systems that do not support EDR. Mandiant CTO Charles Carmakal made the same point publicly. An SD-WAN controller is an ideal foothold because it sits at a traffic chokepoint, offers persistent visibility into internal flows across the fabric, and cannot easily be watched the way an endpoint can.

The selective delete-and-restore tradecraft here was not opportunistic. It was the work of an actor who understood that the device's weak telemetry was their best ally, and who invested in staying invisible rather than moving fast.

What to do now

• Patch CVE-2026-20245, CVE-2026-20127, and CVE-2026-20182 across all Catalyst SD-WAN controllers and managed edge devices immediately.
• Treat any device with unexplained peering connections as compromised; patching alone does not evict an actor holding stolen certificates.
• Rotate and re-issue device certificates and all admin credentials, since stolen certs enabled the March re-entry on an already-patched box.
• Hunt for the known indicators: a user named 'troot' in /etc/passwd or /etc/shadow, and a file named evil_tenant.csv or other unexpected CSV uploads.
• Ship SD-WAN logs and configuration state off-box to a SIEM so revert-and-restore anti-forensics cannot erase the only copy.
• Alert on admin password changes, and verify that a password matching its prior value is not masking activity.

The victim was a communications service provider, but the lesson generalizes to anyone running unmonitored network gear at a chokepoint. The exploit was not loud or clever in execution; it was patient, and it counted on no one looking. That is the part worth fixing first.