2026-06-24 · 5 min read

Cisco SD-WAN Zero-Day Exploited: Hackers Gained Root Access at Major Communications Provider

Mandiant revealed that attackers exploited a previously unknown Cisco vulnerability to gain root-level access at a communications service provider, potentially intercepting all internal traffic.


A Sophisticated Attack


Google-owned cybersecurity firm Mandiant disclosed that attackers exploited a previously unknown Cisco vulnerability to infiltrate a communications service provider and gain the highest level of access possible — root-level control.


The Vulnerability


**CVE-2026-20245** — A zero-day vulnerability in Cisco Catalyst SD-WAN Manager, one of seven actively exploited zero-day vulnerabilities in Cisco's SD-WAN software this year.


SD-WAN (software-defined wide area network) software is used to manage internet traffic within organizations, typically those with widely distributed networks like banks with numerous branches.


How the Attack Unfolded


Wave 1: Initial Access (Late 2025 - Early 2026)

The attacker exploited one of two then-unpatched vulnerabilities:

  • CVE-2026-20127
  • CVE-2026-20182

They then made unauthorized "peering" connections to the victim's SD-WAN Manager devices — a digital handshake to verify identity and trust.


Wave 2: Privilege Escalation (March 2026)

The attacker exploited the zero-day vulnerability (CVE-2026-20245) and:

1. Created a rogue user account named "troot"
2. Gained full root-level control
3. Manipulated default account passwords to avoid detection


The Impact


Mandiant stated the attacker could have used root-level access to obtain:

  • Broad visibility into internal traffic throughout the entire corporate network
  • Undetected monitoring of communications
  • Potential interception of sensitive data

The caveat: Mandiant couldn't fully assess how far the compromise went because of how cleverly the perpetrators hid their activity.


Attribution


Mandiant didn't attribute the attack to any specific group, citing the extensive work done to cover tracks. However, they noted:

> "For state-sponsored actors, the ability to exploit zero-day vulnerabilities in these platforms remains a premier vector for long-term strategic intelligence collection."


Who's Affected


Cisco has patched the flaw, but organizations running older versions of SD-WAN software remain vulnerable. This is particularly concerning for:

  • Communications service providers
  • Financial institutions with distributed networks
  • Government agencies
  • Large enterprises with branch offices

How to Protect Yourself


Immediate Actions

1. **Patch Cisco SD-WAN** to the latest version immediately
2. **Review user accounts** for unauthorized entries (especially "troot")
3. **Audit SSH access** to SD-WAN Manager devices
4. **Monitor for unusual peering connections**


Detection Indicators

  • Unknown user accounts on SD-WAN devices
  • Unexpected SSH connections
  • Anomalous configuration changes
  • Traffic patterns that don't match normal operations
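A defender-side way to carry out the account review from the Immediate Actions and the first Detection Indicator, as an added example that is not part of the original post or of any Cisco tooling: it compares a previously reviewed baseline of local SD-WAN Manager accounts against a fresh export and flags accounts that are new, account names within one edit of a built-in name (the way "troot" shadows "root"), and changed credentials on default accounts (the post notes the attacker manipulated default account passwords). The snapshot fields (name, group, pw_hash), the group names, and the sample data are constructed; how the export is pulled from the device is left to the operator.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Built-in account names a rogue account may be crafted to resemble.
# Constructed for this example: "admin" is the SD-WAN Manager default
# account; "root" is included because the rogue user in the post was "troot".
DEFAULT_ACCOUNTS = ("admin", "root")
LOOKALIKE_DISTANCE = 1  # flag names within one edit of a built-in name


@dataclass(frozen=True)
class Account:
    name: str
    group: str      # user group as exported from the device (assumed field)
    pw_hash: str    # stored password hash, used only to detect changes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit_accounts(baseline: Iterable[Account],
                   current: Iterable[Account]) -> Dict[str, List[str]]:
    """Diff two account snapshots and return the findings a reviewer wants."""
    base = {a.name: a for a in baseline}
    cur = {a.name: a for a in current}
    findings: Dict[str, List[str]] = {
        "new_accounts": sorted(set(cur) - set(base)),
        "removed_accounts": sorted(set(base) - set(cur)),
        "lookalike_names": [],
        "group_changes": [],
        "default_credential_changes": [],
    }
    # New account whose name is one edit away from a built-in name
    # (e.g. "troot" vs "root") is a classic hide-in-plain-sight choice.
    for name in findings["new_accounts"]:
        if any(0 < edit_distance(name, d) <= LOOKALIKE_DISTANCE
               for d in DEFAULT_ACCOUNTS):
            findings["lookalike_names"].append(name)
    for name in sorted(set(base) & set(cur)):
        if base[name].group != cur[name].group:
            findings["group_changes"].append(
                f"{name}: {base[name].group} -> {cur[name].group}")
        # A rotated hash on a default account that nobody rotated is suspicious.
        if name in DEFAULT_ACCOUNTS and base[name].pw_hash != cur[name].pw_hash:
            findings["default_credential_changes"].append(name)
    return findings


# Constructed snapshots: the baseline was reviewed earlier; the current
# export shows a new "troot" account and a changed hash on "admin".
BASELINE = [
    Account("admin", "netadmin", "$6$baseline-admin-hash"),
    Account("netops", "operator", "$6$baseline-netops-hash"),
]
CURRENT = [
    Account("admin", "netadmin", "$6$changed-admin-hash"),
    Account("netops", "operator", "$6$baseline-netops-hash"),
    Account("troot", "netadmin", "$6$rogue-hash"),
]

if __name__ == "__main__":
    for category, items in audit_accounts(BASELINE, CURRENT).items():
        if items:
            print(f"{category}: {', '.join(items)}")
```

Run against real exports, anything in `lookalike_names` or `default_credential_changes` deserves an immediate ticket; `group_changes` catches a quieter route to the same privilege, an existing low-privilege account moved into an administrative group.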

Long-Term Security

  • Implement network segmentation
  • Deploy intrusion detection systems
  • Regular vulnerability scanning
  • Zero-trust architecture

Check Your Domain


Use Vaarta.space to scan your domain for security issues including exposed services and misconfigurations.

[Free security scan](https://vaarta.space)

