Mandiant: Cisco SD-WAN Zero-Day (CVE-2026-20245) Exploited in the Wild for Months Before Patch

Cisco SD-WAN Zero-Day Exploited for Months to Achieve Root Access

HIGH
June 25, 2026
June 26, 2026
6m read
Vulnerability, Cyberattack, Threat Actor

Related Entities (initial)

Organizations

Products & Tech

Cisco Catalyst SD-WAN Manager

CVE Identifiers

CVE-2026-20245 (HIGH, CVSS 7.8)

Full Report (when first published)

Executive Summary

Google's Mandiant threat intelligence division has revealed that a high-severity vulnerability in Cisco Catalyst SD-WAN Manager, CVE-2026-20245, was exploited as a zero-day for at least two months before Cisco disclosed it on June 4, 2026. The vulnerability, a command injection flaw in the product's command-line interface (CLI), allowed an authenticated local attacker to execute arbitrary commands with root privileges. The threat actor, who gained initial access to an SD-WAN Manager instance at a service provider in March 2026, used this flaw to escalate privileges, create a rogue root-level user account named troot, and employ anti-forensic techniques to cover their tracks. This incident is a stark example of attackers targeting network edge devices to bypass traditional security perimeters and establish long-term persistence.


Threat Overview

The attack campaign targeted the SD-WAN infrastructure of a major communications service provider. The threat actor's primary objective was to gain persistent, high-level access to the core network management plane.

  • Initial Access: The attacker gained initial access to a Cisco Catalyst SD-WAN Manager instance via SSH in March 2026, using legitimate administrator credentials. It is suspected this access may have been facilitated by previously disclosed zero-day vulnerabilities from late 2025 (CVE-2026-20127 or CVE-2026-20182).
  • Privilege Escalation: Once on the device with admin rights, the attacker exploited the then-undisclosed zero-day, CVE-2026-20245.
  • Execution & Persistence: The exploit involved uploading a malicious CSV file named evil_tenant.csv via a CLI feature. This file contained injected commands that, when processed, executed with root privileges. The commands were used to back up sensitive files like /etc/passwd and /etc/shadow before creating a new user, troot, with UID 0 (root).
  • Defense Evasion: The attacker demonstrated high operational security by deleting the malicious CSV file and restoring original configuration files to hide their presence.

This "living off the edge" approach, focusing on compromising network appliances themselves, is increasingly common as it allows attackers to control traffic and move laterally with high stealth.


Technical Analysis

The core of this attack is the exploitation of CVE-2026-20245, a command injection vulnerability. This aligns with T1068 - Exploitation for Privilege Escalation. The attacker, already having authenticated access (T1078 - Valid Accounts), used a legitimate but flawed feature—the tenant-upload function in the CLI—to trigger the vulnerability.

The malicious payload was embedded within the evil_tenant.csv file. When the SD-WAN Manager parsed this file, it failed to properly sanitize the input, leading to the execution of the embedded shell commands. This is a form of T1059.004 - Command and Scripting Interpreter: Unix Shell.

The creation of the troot account is a clear persistence mechanism, falling under T1136.001 - Create Account: Local Account. By giving this account a UID of 0, the attacker effectively created a secondary, hidden root account.

The final step, cleaning up their tools and logs, is a classic defense evasion technique, T1070.004 - Indicator Removal: File Deletion.


Impact Assessment

A compromise of the Cisco Catalyst SD-WAN Manager has severe implications for an organization, especially a service provider. The SD-WAN Manager is the central brain of the software-defined network, controlling routing policies, security configurations, and traffic flow for the entire WAN.

An attacker with root access can:

  • Redirect or Intercept Traffic: Manipulate routing policies to redirect sensitive traffic to attacker-controlled infrastructure for eavesdropping or man-in-the-middle attacks.
  • Disable Security Controls: Deactivate firewalls, IPS, and other security features across the entire network fabric.
  • Achieve Widespread Lateral Movement: Use the SD-WAN Manager as a pivot point to access any site or system connected to the SD-WAN.
  • Deploy Malware at Scale: Push malicious configurations or software to all connected edge devices.
  • Cause a Total Network Outage: Disrupt connectivity for all sites, leading to catastrophic business interruption.

For a service provider, this level of compromise could affect multiple downstream customers, leading to widespread outages and a massive loss of trust.


IOCs — Directly from Articles

  • file_name: evil_tenant.csv. The name of the malicious CSV file uploaded by the attacker to exploit the vulnerability.
  • user_account: troot. The name of the rogue user account with root privileges created by the attacker.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to identify related activity:

  • log_source: SD-WAN Manager Audit Logs. Search for CLI commands related to tenant uploads, especially if the source is an interactive shell session rather than an automated process.
  • file_path: /tmp/ or other staging directories. Look for the presence of unusually named CSV files or backup files like passwd.bak or shadow.bak on the SD-WAN Manager filesystem.
  • command_line_pattern: useradd -o -u 0 -g 0. Monitor process execution logs for commands used to create a new user with UID 0, which is a highly suspicious indicator of a rogue root account.
  • log_source: System Authentication Logs. Audit /etc/passwd or equivalent user databases for accounts with UID 0 other than the standard root account. The presence of troot or similar is a red flag.

Detection & Response

  • Audit User Accounts: The most direct detection method is to regularly audit all user accounts on Cisco SD-WAN appliances. Specifically, look for any accounts with a UID of 0 besides the default root user. The presence of the troot account is a definitive sign of compromise.
  • Log Analysis (D3-LAM): Ingest audit logs from the SD-WAN Manager into a SIEM. Create alerts for the creation of new local accounts, especially those with high privileges. Monitor for SSH logins from unexpected source IPs or at unusual times.
  • File Integrity Monitoring: Monitor for the creation of suspicious files in temporary or configuration directories, such as .csv files being uploaded via the CLI or backups of /etc/passwd.
  • Incident Response: If a rogue root account is discovered, assume full system compromise. Isolate the device, preserve it for forensics, and initiate the organization's incident response plan. A full rebuild of the affected appliance from a known-good state is necessary. All credentials associated with the device must be rotated.

Mitigation

  1. Apply Patches: The primary mitigation is to upgrade all affected Cisco Catalyst SD-WAN components (vManage, vSmart, vBond) to a fixed software version as recommended in the Cisco security advisory. (D3FEND: D3-SU - Software Update)
  2. Restrict CLI Access: Limit access to the device's CLI. Access should be restricted to a small number of authorized administrators connecting from trusted management subnets or jump hosts. (D3FEND: D3-UAP - User Account Permissions)
  3. Implement MFA: Enforce phishing-resistant MFA for all administrative access to the SD-WAN Manager, including SSH. This would have made the initial access step more difficult for the attacker.
  4. Regular Auditing: Implement a regular, automated process to audit user accounts and system configurations on all network appliances, comparing them against a golden image or baseline. (D3FEND: D3-SFA - System File Analysis)

Timeline of Events

  1. March 1, 2026: Threat actor gains initial access to a service provider's Cisco SD-WAN Manager via SSH.
  2. June 4, 2026: Cisco publicly discloses the zero-day vulnerability CVE-2026-20245.
  3. June 24, 2026: Mandiant publishes its report detailing the months-long exploitation campaign.
  4. June 25, 2026: This article was published.

Article Updates

June 26, 2026

New details confirm initial access via authentication bypass flaws (CVE-2026-20127, CVE-2026-20182) in a multi-stage attack.

MITRE ATT&CK Mitigations

  • Applying the security updates from Cisco is the only way to remediate the underlying command injection vulnerability.
  • Enforcing MFA on administrative interfaces like SSH would have prevented or hindered the initial access phase of the attack.
  • Strictly controlling and auditing privileged accounts can help detect the creation of rogue accounts like 'troot'.
  • Audit (M1047, enterprise): Regularly auditing system files (like /etc/passwd) and command logs for unauthorized changes is critical for detecting this type of activity.

D3FEND Defensive Countermeasures

The creation of the 'troot' account is the key indicator of this specific attack. Security teams must implement automated, continuous monitoring of local accounts on all critical network appliances, including Cisco SD-WAN Managers. This involves forwarding system audit logs to a SIEM and creating high-priority alerts for any event that adds a user or modifies an existing user's privileges, especially changes to UID/GID 0. A more direct approach is to run a scheduled script on the devices themselves (or via an orchestration tool) that executes awk -F: '($3 == 0)' /etc/passwd and compares the output against a known-good baseline (e.g., ['root']). Any deviation should trigger an immediate security incident. This proactive hunting is essential because attackers exploiting a zero-day may not generate obvious crash or exploit logs, but they almost always create a persistence mechanism.
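The UID-0 audit and command-line hunts described under Cyber Observables, Detection & Response and in the paragraph above, as an added Python example that is not code from the Mandiant report or from Cisco: it applies the same check as the awk one-liner to a constructed /etc/passwd sample, compares the result against the ['root'] baseline, and runs the useradd and backup-file patterns over constructed log lines whose format is an assumption, not a Cisco log format.

```python
import re
# Known-good set of UID-0 accounts on a healthy appliance (the ['root'] baseline above).
UID0_BASELINE = {"root"}

# Constructed sample of an appliance /etc/passwd after a rogue UID-0 account was added.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed process-execution log lines; the format is an assumption, not a Cisco log format.
SAMPLE_LOG = """2026-03-02T03:14:07Z host=sdwan-mgr uid=0 cmd="cp /etc/passwd /tmp/passwd.bak"
2026-03-02T03:14:09Z host=sdwan-mgr uid=0 cmd="useradd -o -u 0 -g 0 -d /root troot"
2026-03-02T09:00:00Z host=sdwan-mgr uid=1000 cmd="ls /var/log"
"""

# useradd with -o (non-unique UID) and a UID of 0, in any argument order; also matches --uid 0 / --uid=0.
USERADD_UID0 = re.compile(r"\buseradd\b(?=.*\s-o\b)(?=.*\s(?:-u\s*|--uid[ =])0\b)")
# Backup copies of the credential databases, e.g. /tmp/passwd.bak or /tmp/shadow.bak.
BACKUP_FILE = re.compile(r"/(?:passwd|shadow)\.bak\b")


def uid0_accounts(passwd_text):
    """Return account names whose UID field is 0, the rows awk -F: '($3 == 0)' would print."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].strip() == "0":
            names.append(fields[0])
    return names


def rogue_uid0(passwd_text, baseline=UID0_BASELINE):
    """UID-0 accounts not in the baseline; any result should open an incident, not a warning."""
    return sorted(set(uid0_accounts(passwd_text)) - set(baseline))


def hunt_log(log_text):
    """Return (line number, reason) for each log line that matches a hunting pattern."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if USERADD_UID0.search(line):
            hits.append((number, "useradd creating UID 0"))
        elif BACKUP_FILE.search(line):
            hits.append((number, "passwd/shadow backup file"))
    return hits


if __name__ == "__main__":
    print("rogue UID-0 accounts:", rogue_uid0(SAMPLE_PASSWD))
    for number, reason in hunt_log(SAMPLE_LOG):
        print(f"log line {number}: {reason}")
```

On a real appliance, feed the contents of /etc/passwd and the exported process-execution log into the same functions instead of the constructed samples.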

Applying the security patches from Cisco is the definitive countermeasure to prevent exploitation of CVE-2026-20245. Organizations using Cisco Catalyst SD-WAN products must prioritize the deployment of the fixed software versions. This should be treated as a critical update due to the confirmed in-the-wild exploitation. Use a centralized management platform like vManage to schedule and push the updates to all managed devices (vSmart, vBond, and edge routers). Before a full rollout, test the update on a representative subset of non-critical devices to ensure no operational issues arise. Post-update, verify that all devices in the SD-WAN fabric are running the patched version and that no rogue accounts like 'troot' exist.

While this attack involved a zero-day for privilege escalation, the initial access vector was compromised administrative credentials for SSH. Implementing strong, phishing-resistant multi-factor authentication on all administrative interfaces is a critical defense-in-depth control. For Cisco SD-WAN Manager, this means integrating it with an identity provider (like Cisco Duo, Okta, or Azure AD) that supports MFA for CLI and SSH access. This makes it significantly harder for an attacker to use stolen or brute-forced credentials to gain the initial foothold needed to exploit a local privilege escalation vulnerability like CVE-2026-20245. This control would have forced the attacker to find a more complex initial access method, potentially thwarting the attack altogether.

Sources & References (when first published)

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Cisco, SD-WAN, Zero-Day, CVE-2026-20245, Mandiant, Privilege Escalation, Living off the Edge
