Cybersecurity · June 24, 2026 · 7 min read · By XOOMAR Insights Team

Rogue Root Account Exposes Cisco SD-WAN Zero-Day Hack

Updated on June 24, 2026

On June 24, 2026, Mandiant turned the Cisco SD-WAN zero-day story from a patch advisory into a root-compromise case: attackers used CVE-2026-20245 to create a rogue root account named “troot” on targeted devices, according to BleepingComputer.


That timing matters because Cisco had already warned earlier in June that the flaw was exploited in limited attacks. The new Mandiant detail shows what “exploited” meant in practice: not just command execution, but privileged control over Cisco Catalyst SD-WAN infrastructure after the attackers had already gained access.

June 24 disclosure: Cisco SD-WAN zero-day shifted from bug to root-control case

CVE-2026-20245 is a high-severity command injection flaw affecting Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond). Cisco said the issue came from insufficient validation of user-supplied input and allowed authenticated attackers with local access to execute arbitrary commands as root by uploading a crafted file.

Mandiant’s account makes the risk sharper. The attacker did not merely touch one appliance. They moved through SD-WAN trust relationships, authenticated to SD-WAN Manager devices, pulled configuration data, and then escalated to root.

“CVE-2026-20245, a vulnerability reported to Cisco by Mandiant, exists in the command-line interface (CLI) of Cisco Catalyst SD-WAN Controllers that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system,” Mandiant said.

XOOMAR analysis: the danger here is control-plane compromise. SD-WAN controllers sit close to routing, branch connectivity, cloud access, and device configuration. If an attacker owns that layer, the intrusion can become harder to see than a normal server breach, especially when the device keeps routing traffic while hiding local changes.

For adjacent Cisco appliance risk, see XOOMAR’s coverage of Cisco Unified CM Flaw Now Hands Attackers a Root Path and Attackers Hit Cisco SD-WAN Flaw Cisco Says It Found First.


March 2026 chain: rogue peering, admin access, then “troot”

Mandiant said the intrusion began with unauthorized SD-WAN peering connections on a service provider’s infrastructure. In SD-WAN terms, peering is the trusted relationship that lets components authenticate and participate in the fabric. If that trust is abused, the attacker is no longer just knocking at the perimeter. They are joining the network’s management structure.

Beginning in March 2026, the threat actor created new rogue peer connections and authenticated to affected SD-WAN Manager devices using the vmanage-admin account. Mandiant suspected the rogue peering may have involved the previously disclosed Cisco SD-WAN authentication bypass zero-days, CVE-2026-20127 and CVE-2026-20182, but the exact method remains unresolved.

The attacker then changed the default admin account password, logged into the SD-WAN Manager web interface, and extracted configuration information for edge devices, controllers, and SD-WAN templates. Afterward, Mandiant said, the attacker restored the admin account to its original password, likely to reduce detection.

The escalation step was blunt. The attacker used a tenant-upload feature in the SD-WAN command-line interface and uploaded a malicious CSV file named “evil_tenant.csv.” That payload backed up system files including /etc/passwd and /etc/shadow, created “troot” with root-level privileges, and then allowed the attacker to switch users with the Linux su command.

That is persistence behavior, not a quick smash-and-grab.

June advisory facts: the Cisco Catalyst SD-WAN zero-day risk in hard data

CVE: CVE-2026-20245
Severity: High
Affected products: Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), Validator (vBond)
Bug class: Command injection through a crafted file upload
Required access: Authenticated attacker with local access, per Cisco's description
Observed exploitation: Exploited in a limited number of attacks, per Cisco
Root outcome: Successful exploitation gave attackers root privileges
Workaround: None available, per Cisco
Fix status: Cisco released security updates and urged customers to upgrade
CVSS score: Not provided in the supplied source material

Cisco had said some incidents involved unauthorized configuration changes being pushed to edge devices. Mandiant’s new detail shows how attackers could get there: gain access, manipulate accounts, extract SD-WAN configuration, escalate to root, then clean up.

SecurityWeek reported that CVE-2026-20245 was the seventh Cisco SD-WAN zero-day whose exploitation was detected in 2026. That count matters, but the operational lesson is narrower: once attackers have root on SD-WAN gear, patching the CVE does not prove the device is clean.

Late 2025 to March 2026: the attacker’s path exposed a visibility gap

Mandiant observed earlier unauthorized peering activity from late 2025 to early 2026. The March activity was harder to explain because some rogue peering appeared on systems that were not vulnerable to the previously disclosed authentication-bypass flaws.

Cisco told Mandiant that the breach did not involve CVE-2026-20182 and said attackers may have used certificates stolen during a previous compromise to regain access.

That point is central. If stolen certificate material helped reestablish trust, defenders cannot treat this as only a software defect. They also have to validate the trust objects and credentials that let SD-WAN components recognize each other.

Mandiant said the attacker leaned heavily on anti-forensic tactics:

  • File restoration: Backed up system files before modifying them, then restored them after exploitation.
  • Payload cleanup: Deleted the malicious CSV and temporary files.
  • Account erasure: Removed evidence of the rogue root account.
  • Validation: Ran a script to confirm traces of compromise had been removed.

XOOMAR analysis: this is why networking gear is attractive to skilled intruders. These devices occupy privileged positions, but they often do not give defenders the same depth of endpoint-style evidence. A server compromise may leave rich logs and EDR traces. A network appliance can leave less, while controlling more.

The same CVE looks different to SOC teams, network operators, and Cisco

For enterprise security teams, CVE-2026-20245 is now an incident-response problem. The immediate task is not only patching. Teams need to hunt for unauthorized peering, suspicious SSH sessions, unexpected admin logins, strange password changes, rogue accounts, and unexplained configuration drift.
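One way to run that hunt over logs collected from a controller, as an added example and not anything Cisco or Mandiant published: the script below parses syslog-style sshd and pam_unix password-change lines as the appliance's underlying Linux would write them, flags privileged-account logins that come from outside the management range or use a password instead of a key, and pairs consecutive password changes on the same account, which is the change-then-restore pattern Mandiant described. The sample lines, the 10.10.0.0/24 management range, the two-hour restore window and the year stamped onto the timestamps are all assumptions; SD-WAN Manager's own audit-log format is not reproduced here.

```python
"""Hunt over syslog-style lines pulled from an SD-WAN controller for the
account behaviour Mandiant described: privileged logins from unexpected
places, and a password change followed shortly by another change (restore).
Added example, not Cisco or Mandiant tooling."""
import ipaddress
import re
from datetime import datetime, timedelta

PRIVILEGED = {"admin", "vmanage-admin"}
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed jump-host range
RESTORE_WINDOW = timedelta(hours=2)                  # assumed suspicious gap between two changes
LOG_YEAR = 2026                                      # syslog stamps carry no year; assumed

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
SSH_OK = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
PW_CHANGE = re.compile(r"password changed for (?P<user>\S+)$")

# Constructed sample in standard OpenSSH / pam_unix wording; not a capture
# from a real device and not SD-WAN Manager's own audit-log format.
SAMPLE_LOG = """\
Mar 03 02:11:07 vmanage sshd[2210]: Accepted publickey for netops from 10.10.0.9 port 50122 ssh2: ED25519 SHA256:k3y
Mar 03 02:14:51 vmanage sshd[2290]: Accepted password for vmanage-admin from 198.51.100.23 port 4422 ssh2
Mar 03 02:16:30 vmanage passwd[2311]: pam_unix(passwd:chauthtok): password changed for admin
Mar 03 02:41:02 vmanage passwd[2390]: pam_unix(passwd:chauthtok): password changed for admin
Mar 04 09:00:00 vmanage sshd[3001]: Accepted publickey for netops from 10.10.0.9 port 50130 ssh2: ED25519 SHA256:k3y
"""


def parse_line(raw):
    """Return (timestamp, program, message) or None for lines that are not syslog."""
    m = SYSLOG.match(raw)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], m["msg"]


def off_management(src):
    """True when the source is not inside any allowed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # hostnames or garbage: treat as untrusted
        return True
    return not any(addr in net for net in MGMT_NETS)


def hunt(log_text):
    """Return (rule, account, detail) tuples; an empty list means nothing matched."""
    findings = []
    changes = {}  # account -> list of password-change timestamps
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, prog, msg = parsed
        if prog == "sshd":
            m = SSH_OK.match(msg)
            if m and m["user"] in PRIVILEGED:
                if off_management(m["src"]):
                    findings.append(("privileged-login-off-mgmt", m["user"], m["src"]))
                if m["method"] == "password":
                    findings.append(("privileged-password-login", m["user"], m["src"]))
        elif prog == "passwd":
            m = PW_CHANGE.search(msg)
            if m:
                changes.setdefault(m["user"], []).append(ts)
    # Two changes on one account inside the window: the second is likely a restore.
    for user, stamps in changes.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier <= RESTORE_WINDOW:
                findings.append(("change-then-restore", user, f"{earlier:%H:%M}->{later:%H:%M}"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in hunt(SAMPLE_LOG):
        print(f"{rule:28} {account:14} {detail}")
```

The key-based netops logins from the management range produce nothing, so the output is only the three events a responder would want to pull the full session records for.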

For network operations teams, the pressure is different. SD-WAN upgrades can affect branch connectivity, voice systems, payments, logistics, and remote-site access. Emergency patching collides with uptime risk. That tension is exactly why attackers prize these systems: defenders may hesitate, and the device may be hard to rebuild quickly.

Cisco’s job is to maintain trust through fast advisories, fixed releases, indicators of compromise, and customer guidance. The company disclosed exploitation, said no workarounds were available, and urged customers to upgrade to fixed versions.

For attackers, root access on SD-WAN gear offers three advantages supported by Mandiant’s findings:

  • Stealth: The attacker restored passwords and deleted files.
  • Control: Root privileges gave full device authority.
  • Position: SD-WAN infrastructure exposes configuration and trust relationships across the network fabric.

The next audit: proving “troot” is gone, not just patching CVE-2026-20245

The practical response starts with Cisco’s guidance: upgrade affected systems to fixed software releases. But the Mandiant report makes clear that defenders should not stop there.

Security teams should preserve diagnostics before rebooting or rebuilding devices, then review:

  • Accounts: Local users, privileged accounts, and any evidence of “troot” or similar rogue entries.
  • Peering: Unauthorized SD-WAN peer relationships or unexpected certificate trust.
  • Authentication: SSH activity tied to vmanage-admin and the default admin account.
  • Configuration: Changes to edge devices, controllers, templates, and routing policy.
  • Artifacts: Signs of crafted uploads, temporary files, deleted payloads, or restored /etc/passwd and /etc/shadow data.
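An added example, not Cisco or Mandiant tooling, of the account and artifact checks above: audit the /etc/passwd and /etc/shadow copied out of a preserved diagnostics bundle against a golden-image account list. The sample files, the baseline set and the account names are constructed. The script flags any UID-0 account other than root, a usable password hash on such an account, accounts absent from the baseline, baseline accounts that have been removed, and passwd and shadow entries that do not line up; together that is the state the CSV payload described earlier would leave behind before cleanup, and the missing-baseline-account rule still fires after a cleanup that deletes too much.

```python
"""Offline audit of account files copied from a controller's diagnostics
bundle. Added example; not Cisco or Mandiant tooling. Assumes the bundle
carries the appliance's Linux /etc/passwd and /etc/shadow and that a
golden-image account list is available as the baseline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines. Malformed lines raise rather than being skipped,
    because a truncated or edited file is itself a finding in an investigation."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_shadow(text):
    """Map account name to its password field from shadow(5)."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            name, pw_field = line.split(":", 2)[:2]
            hashes[name] = pw_field
    return hashes


def usable_hash(field):
    """'!', '!!', '*' and empty fields mean locked or no password."""
    return bool(field) and not field.startswith(("!", "*"))


def audit_accounts(passwd_text, shadow_text, baseline):
    """Return (rule, account) findings; an empty list means nothing unexpected."""
    entries = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    names = {e.name for e in entries}
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(("rogue-uid0", e.name))
            if usable_hash(hashes.get(e.name, "")):
                findings.append(("rogue-uid0-with-password", e.name))
    for name in sorted(names - baseline):
        findings.append(("not-in-baseline", name))
    for name in sorted(baseline - names):
        findings.append(("baseline-account-missing", name))
    for name in sorted(names - hashes.keys()):
        findings.append(("no-shadow-entry", name))
    for name in sorted(hashes.keys() - names):
        findings.append(("orphan-shadow-entry", name))
    return findings


# Constructed sample, not from a real device: a troot entry with a usable
# hash beside a locked root, as the described payload would leave it.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!:20500:0:99999:7:::
daemon:*:20500:0:99999:7:::
vmanage-admin:$6$saltsalt$h4sh:20500:0:99999:7:::
troot:$6$saltsalt$h4sh:20500:0:99999:7:::
"""
BASELINE = {"root", "daemon", "vmanage-admin"}  # assumed golden-image accounts

if __name__ == "__main__":
    for rule, account in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, BASELINE):
        print(f"{rule:26} {account}")
```

Run it against the files as they were captured, before any rebuild, and keep the baseline under change control; a baseline edited after the fact hides exactly the drift this is meant to surface.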

The business risk is plain. A compromised SD-WAN controller can affect branch uptime, sensitive traffic routing, segmentation, cloud connectivity, and audit exposure. Even if no traffic theft is confirmed in a given environment, the control position is enough to demand deeper review.

The forward-looking watch item is evidence quality. If enterprises can baseline appliance accounts, detect configuration drift, centralize logs, and validate SD-WAN trust relationships continuously, the next Cisco SD-WAN zero-day will be easier to contain. If they only patch and move on, Mandiant’s lesson stands: attackers may already be logged in as root before the advisory lands.

Impact Analysis

  • The attack shows Cisco SD-WAN exploitation led to root-level control, not just limited command execution.
  • Compromised SD-WAN controllers can expose routing, branch connectivity, cloud access, and device configuration data.
  • Organizations using affected Cisco Catalyst SD-WAN components should treat this as a control-plane compromise risk.