Mandiant’s findings detail the exploitation of a Cisco SD-WAN zero-day vulnerability allowing attackers to achieve root access. (Illustrative AI-generated image).
- Hackers exploited a Cisco SD-WAN zero-day vulnerability (CVE-2026-20245) to gain unauthenticated root access.
- The exploit allowed attackers to create persistent rogue root accounts that survived reboots and patching.
- Attacks began at least two months before Cisco disclosed the vulnerability, giving attackers a significant head start.
- Compromised SD-WAN controllers provide attackers with a powerful pivot point to monitor traffic, steal data, and attack other network devices.
- CISA has mandated patching for federal agencies, but all organizations using Cisco SD-WAN must audit for rogue accounts even after applying the patch.
- This incident highlights a concerning pattern of multiple zero-day vulnerabilities in Cisco SD-WAN products.
Attackers exploited a previously unknown vulnerability in Cisco’s SD-WAN software to secretly create root-level accounts on devices, security firm Mandiant revealed Wednesday. The attacks started at least two months before Cisco issued a patch.
The flaw, tracked as CVE-2026-20245, allowed hackers to gain full administrative control over Cisco Catalyst SD-WAN controllers without any login credentials. Once inside, they planted hidden accounts that could survive even after a system reboot or software update.
Mandiant’s report provides the first detailed look at how the Cisco SD-WAN zero-day root access vulnerability worked in real-world attacks. The company said the attackers were sophisticated but did not name any specific group or country behind the campaign.
Understanding the Cisco SD-WAN Zero-Day Vulnerability
CVE-2026-20245 is a high-severity vulnerability in Cisco Catalyst SD-WAN software. It affects multiple versions of the software used to manage wide-area networks for large organizations.
The flaw is what security experts call an “unauthenticated remote code execution” bug. This means an attacker with network access to the device could run commands on it without needing a password or any other form of identity check.
Mandiant’s analysis shows that attackers exploited this weakness to gain root access. Root is the most powerful account on any Linux-based system, giving the holder complete control over the device’s operating system, files, and network connections.
Once attackers had root, they created new user accounts with full privileges. These accounts were not part of the normal Cisco configuration. They were rogue accounts designed to give the attackers a permanent backdoor into the device.
How the Exploit Enabled Rogue Root Accounts
The attack chain started with a specially crafted network request sent to the vulnerable SD-WAN controller. The request exploited a flaw in how the software handled certain types of data.
Mandiant did not publish the full exploit code, but the company described the general method. The vulnerability allowed the attacker to bypass authentication entirely. The controller processed the malicious request as if it came from a trusted administrator.
After gaining a foothold, the attackers executed commands to create new user accounts. These accounts had root-level privileges and were added to the system’s password file. Mandiant said the accounts used names that might blend in with legitimate system accounts, making them harder to spot during a quick review.
A critical detail is that the rogue accounts persisted even after the device was rebooted or after Cisco’s security patch was applied. This is because the accounts were stored in the device’s persistent file system, not in temporary memory. Simply patching the vulnerability did not remove the backdoor accounts.
Mandiant shared specific indicators of compromise (IoCs) to help defenders detect these attacks. The IoCs include unusual entries in the /etc/passwd file, unexpected SSH keys added to the authorized_keys file for the root user, and suspicious processes running with root privileges.
The company also warned that attackers might have modified system binaries or installed rootkits to hide their presence. Defenders should check for any files in common directories like /usr/bin or /sbin that were changed around the time of the attack.
Timeline: Exploitation Preceded Disclosure by Two Months
Mandiant’s investigation revealed that the first known exploitation of CVE-2026-20245 occurred at least two months before Cisco publicly disclosed the vulnerability. This means attackers had a head start, exploiting the flaw while no patch existed.
Shortly after Cisco’s disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog. CISA then set a deadline for federal agencies to patch the flaw. While the deadline applies to government networks, Mandiant urged all organizations using Cisco SD-WAN to treat the situation as urgent.
Mandiant did not say how many organizations were affected. But given the widespread use of Cisco SD-WAN in enterprise and government networks, the potential impact is significant.
The Dangers of Compromised SD-WAN Controllers
SD-WAN controllers sit at the center of an organization’s network. They manage traffic between branch offices, data centers, and cloud services. Compromising an SD-WAN controller gives attackers a powerful position.
With root access to the controller, attackers can monitor all network traffic passing through it. They can redirect traffic to malicious servers, steal data as it moves across the network, or launch attacks against other devices connected to the SD-WAN.
Because the SD-WAN controller often has administrative privileges to configure other network devices, an attacker with root could potentially spread the compromise deeper into the network. This is what security professionals call a “pivot point.”
Mandiant’s report emphasizes that the rogue root accounts are especially dangerous because they persist after patching. An organization that applies the Cisco patch but does not audit for unauthorized accounts could remain compromised without knowing it.
The attackers could also use the root access to disable logging or delete evidence of their activity. Mandiant said defenders should assume that any compromised device may have been fully controlled for an extended period.
A Pattern of Vulnerabilities in Cisco SD-WAN?
CVE-2026-20245 marks the seventh zero-day vulnerability affecting Cisco SD-WAN products in 2026 alone. This is an unusually high number for a single product line in less than six months.
Security researchers have noted a troubling pattern. Cisco has been struggling to keep its SD-WAN software free of critical flaws. Each new zero-day gives attackers another chance to break into networks that rely on Cisco’s technology.
Some experts suggest that the complexity of SD-WAN software makes it difficult to secure. Others point to the increasing interest from advanced threat actors who see SD-WAN controllers as high-value targets.
Mandiant did not explicitly link this campaign to previous Cisco zero-day attacks. However, the techniques used in this case are consistent with those seen in earlier incidents, such as the exploitation of CVE-2025-20128 and CVE-2025-20156, both of which targeted Cisco SD-WAN products.
The repeated vulnerabilities raise questions about Cisco’s software development and testing processes. The company has not publicly commented on the trend beyond releasing patches for each flaw.
CISA’s Patch Deadline and Essential Administrator Actions
CISA’s Binding Operational Directive requires federal civilian agencies to patch CVE-2026-20245 by the specified deadline. But Mandiant’s message is clear: every organization using Cisco Catalyst SD-WAN should treat this as an emergency.
The first step is to apply the latest Cisco software update for the affected SD-WAN products. Cisco has released fixed versions for all supported releases. Administrators should check Cisco’s security advisory for the exact version numbers.
However, patching alone is not enough. Because the attackers created persistent root accounts, organizations must audit their SD-WAN controllers for any unauthorized users. Mandiant recommends checking the /etc/passwd file and comparing it against a known good baseline.
Administrators should also look for unexpected SSH keys in the root user’s authorized_keys file. Any keys that were added without proper change management should be investigated and removed.
If a device is found to be compromised, Mandiant advises a full forensic investigation. The device should be treated as untrusted. In some cases, the safest option is to wipe the device and restore from a clean backup taken before the attack.
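One way to run the audits this section describes (and to check the /etc/passwd and root authorized_keys indicators listed earlier), as an added example that is not Mandiant's or Cisco's tooling: Python helpers that compare a copy of /etc/passwd against a known-good baseline, flagging added, changed, removed and extra UID-0 accounts, and that list authorized_keys entries not on an approved list. The passwd lines, account names and keys are constructed samples; the baseline and the approved-key set are assumed to be inputs the operator maintains under change management.

```python
"""Added audit helpers (not Mandiant's or Cisco's tooling): diff /etc/passwd against a
known-good baseline and flag authorized_keys entries that are not on an approved list.
All sample data below is constructed for illustration."""

def parse_passwd(text):
    """Map user name -> (uid, gid, home, shell) from passwd(5) text; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] and f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]), f[5], f[6])
    return users

def audit_passwd(baseline, current):
    """Findings: accounts added, removed or altered since the baseline, plus any
    account other than root that carries uid 0 (full privileges under another name)."""
    base, cur = parse_passwd(baseline), parse_passwd(current)
    findings = []
    for name, (uid, _gid, _home, shell) in cur.items():
        if name not in base:
            findings.append(f"added: {name} uid={uid} shell={shell}")
        elif cur[name] != base[name]:
            findings.append(f"changed: {name}")
        if uid == 0 and name != "root":
            findings.append(f"uid0: {name}")
    findings += [f"removed: {n}" for n in base if n not in cur]
    return findings

def audit_authorized_keys(text, approved):
    """Return (key_type, comment) for each key whose 'type base64' string is not in
    the approved set. Lines may carry leading options such as from="..."."""
    unexpected = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
                if f"{tok} {tokens[i + 1]}" not in approved:
                    unexpected.append((tok, " ".join(tokens[i + 2:]) or "(no comment)"))
                break
    return unexpected

# Constructed samples: a baseline passwd, a current copy with two blended-in extra accounts,
# and root's authorized_keys with one approved and one unexpected key.
BASELINE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsshd:x:74:74::/var/empty/sshd:/sbin/nologin\n"
CURRENT_PASSWD = BASELINE_PASSWD + "netadmin_:x:0:0::/root:/bin/bash\nsvc-monitor:x:1005:1005::/home/svc-monitor:/bin/sh\n"
APPROVED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyPlaceholder"}
ROOT_AUTH_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyPlaceholder ops@jumphost\n"
                  'from="203.0.113.9" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABUnknownKeyPlaceholder backup\n')
```

On a real controller, point the functions at copies of /etc/passwd and /root/.ssh/.ssh/authorized_keys taken from the device (or from a forensic image) rather than trusting tools run on a possibly rootkitted host.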
For organizations that cannot patch immediately, Mandiant offers some temporary mitigations. Restrict network access to the SD-WAN controller to only trusted IP addresses. Enable logging and monitor logs for unusual activity. Disable any services on the controller that are not strictly necessary.
However, Mandiant warns that these are only stopgap measures. The vulnerability allows unauthenticated access, so any network path to the controller is a potential attack vector. The only complete fix is to apply the patch.
Implications for SD-WAN Security Best Practices
Mandiant’s report serves as a wake-up call for the entire industry. SD-WAN technology is intended to simplify network management, but it also creates new attack surfaces that are attractive to adversaries.
The fact that attackers exploited this flaw for months before discovery highlights the difficulty of detecting zero-day attacks. Without a patch, defenders had no way to block the exploit. Even after the patch, the rogue accounts remain a threat if not actively sought out.
Mandiant’s technical analysis provides defenders with tools to hunt for signs of compromise. The IoCs shared in the report are specific and actionable. Security teams should immediately scan their SD-WAN infrastructure for any of the indicators.
The broader lesson is that organizations should not assume their SD-WAN controllers are safe just because they are behind a firewall. Any device with a management interface exposed to the network is a potential target. Segmentation, monitoring, and rapid patching are essential.
Cisco has not commented on whether it plans to make broader changes to its SD-WAN software development process. For now, the company continues to release patches as vulnerabilities are discovered.
Mandiant’s investigation is ongoing. The firm stated it will publish additional technical details in the coming weeks, including more specific IoCs and detection rules. Security teams should subscribe to Mandiant’s threat intelligence feeds to stay updated.
In the meantime, the message from both Mandiant and CISA is simple: patch now, audit thoroughly, and assume nothing. The attackers have had months of free access. It is time to take it back.
Frequently Asked Questions
What is the Cisco SD-WAN zero-day vulnerability?
The Cisco SD-WAN zero-day vulnerability, tracked as CVE-2026-20245, allowed attackers to gain unauthenticated remote code execution on Cisco Catalyst SD-WAN controllers. This enabled them to achieve root access without needing any credentials.
How did attackers exploit this vulnerability?
Attackers sent specially crafted network requests to vulnerable SD-WAN controllers. This bypassed authentication entirely, allowing them to execute commands and create hidden, privileged user accounts with root-level access.
Why are the rogue root accounts so dangerous?
These rogue accounts are dangerous because they are persistent, meaning they survive system reboots and even the application of Cisco's security patch if not manually removed. This creates a long-term backdoor for attackers.
When did these attacks begin?
Mandiant's investigation revealed that the exploitation of CVE-2026-20245 began at least two months before Cisco publicly disclosed the vulnerability. This gave attackers a significant window of opportunity.
What actions should administrators take?
Administrators must first apply the latest Cisco software update. Crucially, they must then audit their SD-WAN controllers for unauthorized user accounts, particularly by checking the /etc/passwd file and looking for unexpected SSH keys.
Is patching alone sufficient?
No, patching alone is not sufficient. Because the attackers created persistent rogue accounts, organizations must actively audit their systems to detect and remove these unauthorized accounts even after applying the security patch.
What is CISA's role in this?
CISA added CVE-2026-20245 to its Known Exploited Vulnerabilities catalog and issued a directive requiring federal civilian agencies to patch the vulnerability by a specific deadline.
Is this an isolated incident for Cisco SD-WAN?
No, CVE-2026-20245 is reportedly the seventh zero-day vulnerability affecting Cisco SD-WAN products in 2026 alone, suggesting a potential pattern of security challenges with the product line.