Mandiant revealed that CVE-2026-20245 in Cisco Catalyst SD-WAN was used in zero-day attacks to escalate privileges and create a rogue root account named “troot” on targeted devices. The intrusion involved unauthorized SD-WAN peering, stolen or bypassed access, malicious CSV uploads, and extensive cleanup to hide evidence of compromise. #Cisco #CatalystSDWAN #Mandiant #CVE202620245 #troot
Key points
- CVE-2026-20245 is a high-severity command injection flaw in Cisco Catalyst SD-WAN components.
- Attackers used it after gaining access to escalate privileges on targeted SD-WAN devices.
- The intrusion began with unauthorized SD-WAN peering connections on a service provider network.
- Threat actors uploaded a malicious CSV file to create a root-level account named “troot.”
- The attackers deleted files, restored changes, and ran checks to hide their activity.
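A defender-side check the key points suggest, added here as an example and not taken from the Mandiant report or from Cisco: it parses Linux passwd-format data and flags any UID-0 account outside an expected allowlist, as well as the reported "troot" name. The sample passwd content is constructed, and the assumption that the appliance exposes a Linux-style /etc/passwd is the example's own.

```python
"""Flag unexpected UID-0 (root-equivalent) accounts in passwd-format data.

Constructed example; not code from Mandiant or Cisco. Assumes the device
exposes a Linux-style /etc/passwd (an assumption, not something the
report states).
"""

# Constructed sample: a normal root entry, two ordinary accounts, and the
# attacker-created "troot" entry reported in the Mandiant write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
troot:x:0:0::/home/troot:/bin/bash
"""

# Accounts that are legitimately UID 0 on this platform (assumed allowlist).
EXPECTED_ROOT_ACCOUNTS = {"root"}
# Account name reported in the public write-up on the CVE-2026-20245 intrusions.
KNOWN_ROGUE_NAMES = {"troot"}


def parse_passwd(text):
    """Return (name, uid, gid, shell) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # passwd lines have exactly 7 fields; skip malformed ones rather than crash.
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        entries.append((name, int(uid), int(gid), shell))
    return entries


def find_rogue_root_accounts(text):
    """Return (name, reason) pairs for accounts that warrant investigation."""
    findings = []
    for name, uid, _gid, _shell in parse_passwd(text):
        if name in KNOWN_ROGUE_NAMES:
            findings.append((name, "matches reported rogue account name"))
        elif uid == 0 and name not in EXPECTED_ROOT_ACCOUNTS:
            findings.append((name, "unexpected UID 0 account"))
    return findings


if __name__ == "__main__":
    for name, reason in find_rogue_root_accounts(SAMPLE_PASSWD):
        print(f"ALERT: {name}: {reason}")
```

Because the report notes the attackers cleaned up after themselves, a one-off check is weaker than comparing passwd snapshots over time; the same function can be run on each snapshot and the results diffed.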