Google-owned Mandiant has disclosed a compromise at a communications service provider in which attackers exploited a previously unknown vulnerability in Cisco Catalyst SD-WAN Manager, potentially giving them visibility into traffic flowing through the provider’s corporate network.
Investigators were unable to determine the full extent of the activity because forensic evidence had been erased.
Cisco has since patched the flaw, CVE-2026-20245, one of seven Cisco SD-WAN zero-day vulnerabilities actively exploited this year.
According to Mandiant, the campaign unfolded over several months, beginning with the exploitation of CVE-2026-20127 and CVE-2026-20182 to establish unauthorized peering relationships, manipulate default account credentials, and access SD-WAN configuration data. The attackers later exploited CVE-2026-20245 to create a rogue “troot” account with unrestricted root privileges.
Mandiant did not attribute the activity to a specific threat actor.
Investigators found that the attackers restored modified system files and removed malicious artifacts, limiting the forensic evidence available for analysis. The use of zero-day vulnerabilities alongside anti-forensic techniques is consistent with activity seen in some cyber espionage operations.
Why It Matters: The investigation shows that applying a patch does not answer every question after a compromise. Although Cisco remediated the vulnerability, investigators could not determine the full scope of the intrusion because evidence had been removed. Organizations that rely on centralized network management platforms may need additional investigation to determine whether unauthorized activity occurred.
- Attackers Chained Multiple Zero-Days Together: They established unauthorized peering relationships, manipulated administrative credentials, accessed SD-WAN configuration data, and then exploited CVE-2026-20245 to obtain unrestricted root access. Chaining multiple vulnerabilities allowed them to move methodically from initial access to full control of the SD-WAN Manager.
- Configuration Data Was an Early Objective: After gaining administrative access, the attackers collected SD-WAN configuration data that provided insight into the enterprise network’s architecture, connectivity, and potential paths for movement. Access to that information can help identify high-value systems and opportunities for additional access.
- Limited Forensic Evidence Hindered the Investigation: According to Mandiant, the attackers restored modified configurations and removed artifacts associated with the intrusion, making it difficult to reconstruct the full sequence of events. Without complete forensic evidence, organizations may have a harder time determining what systems or data were affected.
- Network Infrastructure Was the Primary Target: Mandiant described the activity as a “living off the edge” approach that focuses on network appliances. Because SD-WAN managers orchestrate connectivity across distributed environments, compromising one platform can provide visibility into traffic across a large portion of the enterprise.
- Recovery Requires More Than Patching: Cisco’s update addresses the disclosed vulnerability, but organizations should also review logs, privileged accounts, and available forensic evidence to determine whether additional activity occurred. Confirming what happened during the intrusion may take longer than remediating the underlying flaw.
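The account review recommended above can be partly automated. The check below is an added example, not tooling from Mandiant or Cisco; it assumes the appliance exposes a passwd-format account listing (an assumption the article does not confirm) and runs over a constructed sample that includes a "troot"-style UID-0 entry of the kind the investigation reported.

```python
"""Audit a passwd-format account listing for root-equivalent accounts missing from a baseline."""
from dataclasses import dataclass

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd-style lines (name:pw:uid:gid:gecos:home:shell), skipping malformed ones."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # malformed entry: report nothing rather than abort the audit
        accounts.append(Account(fields[0], int(fields[2]), int(fields[3]), fields[6]))
    return accounts


def find_rogue_privileged(accounts: list[Account], baseline: set[str]) -> list[tuple[str, str]]:
    """Flag UID-0 accounts and interactive accounts that are not in the known-good baseline."""
    findings = []
    for acct in accounts:
        if acct.name in baseline:
            continue
        if acct.uid == 0:
            findings.append((acct.name, "uid-0 (root-equivalent) account not in baseline"))
        elif acct.shell not in NOLOGIN_SHELLS:
            findings.append((acct.name, "interactive account not in baseline"))
    return findings


# Constructed sample: a baseline root account plus a rogue second UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Administrator:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""
BASELINE = {"root", "daemon", "admin"}  # assumed known-good names from a pre-incident snapshot


def audit_sample() -> list[tuple[str, str]]:
    return find_rogue_privileged(parse_passwd(SAMPLE_PASSWD), BASELINE)
```

Compare against a snapshot taken before the incident window, since an attacker who restores modified files (as described above) may also have removed the account after use.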