Full Report
Mandiant detailed the incident in a blog post Wednesday, but it’s unclear who was behind it or if they managed to get broad visibility into the victim’s internal traffic. The post Malicious hackers exploit Cisco zero-day for highest access level at communications service provider appeared first on CyberScoop.
Analysis Summary
# Incident Report: Exploitation of Cisco SD-WAN Zero-Day
## Executive Summary
A sophisticated threat actor, likely engaged in cyber espionage, exploited zero-day vulnerabilities in Cisco's Catalyst SD-WAN Manager to compromise a communications service provider. The attacker created a rogue root-level account named "troot", the highest access level on the platform, which could have given broad visibility into the provider's internal network traffic; whether that visibility was actually obtained is not known. Cisco has since patched the flaws, but the attacker's anti-forensic techniques, including deletion of logs, prevented a full assessment of what was compromised.
## Incident Details
- **Disclosure Date:** June 2026 (Mandiant blog post)
- **Incident Date:** Late 2025 to March 2026
- **Affected Organization:** Undisclosed
- **Sector:** Telecommunications / Communications Service Provider
- **Geography:** Undisclosed
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2025 – Early 2026
- **Vector:** Exploitation of then-unpatched vulnerabilities in Catalyst SD-WAN Manager (CVE-2026-20127 or CVE-2026-20182).
- **Details:** The attacker established unauthorized "peering" connections with the victim's SD-WAN Manager instances, so that attacker-controlled endpoints were treated as trusted peers by the controller.
### Lateral Movement
- **Details:** Following the initial entry, the attacker manipulated default account passwords to maintain a low profile and facilitate further movement within the SD-WAN orchestration layer.
### Data Exfiltration/Impact
- **Details:** In March 2026, the attacker exploited zero-day CVE-2026-20245 to create a rogue root-level account named `troot`. This provided the highest possible access level on the Manager, potentially allowing interception of internal corporate traffic across the provider's network.
### Detection & Response
- **How it was discovered:** Mandiant identified the activity through forensic analysis of network appliances.
- **Response actions taken:** Cisco released patches for the identified vulnerabilities; Mandiant conducted an investigation (though limited by the attacker’s data deletion).
## Attack Methodology
- **Initial Access:** Exploitation of SD-WAN Manager vulnerabilities (CVE-2026-20127 or CVE-2026-20182) and unauthorized peering.
- **Persistence:** Creation of a rogue user account named "troot".
- **Privilege Escalation:** Exploitation of CVE-2026-20245 to gain root-level control.
- **Defense Evasion:** "Living off the edge" (operating entirely on network appliances that expose little telemetry); deletion of logs and forensic evidence; manipulation of default account passwords.
- **Credential Access:** Manipulation of default account credentials.
- **Discovery:** Reconnaissance of the SD-WAN control plane.
- **Impact:** Potential long-term strategic intelligence collection and visibility into internal traffic.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** High potential for interception of internal network traffic; specific volume unknown due to anti-forensic measures.
- **Operational:** Compromise of the central "orchestrator" for the organization’s wide area network.
- **Reputational:** High-profile compromise of a communications provider’s core infrastructure.
## Indicators of Compromise
- **Network indicators:** None published (no IP addresses or domains). The observable is behavioral: peering connections to the SD-WAN Manager from endpoints that are not part of the approved fabric.
- **Host indicators:** Evidence of log deletion and forensic scrubbing on Cisco Catalyst SD-WAN Manager, visible as gaps in local logs that do not appear in externally collected copies.
- **Behavioral indicators:** Creation of an unauthorized user account named `troot`; unexpected password changes on default accounts.
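The two behavioral indicators above are cheap to turn into SIEM rules once Manager logs are exported off-box. The block below is an added example (not code from Mandiant, Cisco or the original article): it runs event-based detection over constructed, generic syslog-style lines. The line format, the account names and the group names are all assumptions for illustration, not the real Catalyst SD-WAN Manager log format; adapt the regexes and baselines to the fields your SIEM actually receives.

```python
"""Event-based detection for rogue privileged accounts and default-account
password changes. Added example; log format and baselines are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed baselines for the example appliance: which accounts exist, which of
# them are vendor defaults, and which may legitimately hold a privileged group.
KNOWN_ACCOUNTS = {"admin", "netadmin", "svc_backup"}
DEFAULT_ACCOUNTS = {"admin", "netadmin"}
PRIVILEGED_GROUPS = {"netadmin"}
APPROVED_PRIVILEGED = {"admin", "netadmin"}

# Constructed sample lines (not from any real incident). The first three mirror
# the sequence in the report: rogue privileged account, default-account
# password change, use of the rogue account. The last two are benign noise.
SAMPLE_LOG = """\
2026-03-02T01:12:04Z sdwan-mgr-01 aaa: user 'admin' created user 'troot' group 'netadmin'
2026-03-02T01:12:09Z sdwan-mgr-01 aaa: user 'admin' changed password for user 'admin'
2026-03-02T01:13:40Z sdwan-mgr-01 aaa: user 'troot' login from 198.51.100.23 succeeded
2026-03-02T09:00:00Z sdwan-mgr-01 aaa: user 'netadmin' created user 'ops_reader' group 'operator'
2026-03-02T09:05:11Z sdwan-mgr-01 aaa: user 'admin' changed password for user 'svc_backup'
"""

CREATE_RE = re.compile(r"user '(?P<actor>[^']+)' created user '(?P<new>[^']+)' group '(?P<group>[^']+)'")
PASSWD_RE = re.compile(r"user '(?P<actor>[^']+)' changed password for user '(?P<target>[^']+)'")
LOGIN_RE = re.compile(r"user '(?P<user>[^']+)' login from (?P<src>\S+) succeeded")


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike names such as 'troot' vs 'root'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect(log_text: str) -> list[Alert]:
    """Return one Alert per matching rule, in log order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if m := CREATE_RE.search(line):
            new, group = m["new"], m["group"]
            # New account placed in a privileged group without being on the approved list.
            if group in PRIVILEGED_GROUPS and new not in APPROVED_PRIVILEGED:
                alerts.append(Alert("privileged-account-created", new, line))
            # Name within one edit of 'root' is designed to blend into an account list.
            if new != "root" and edit_distance(new, "root") <= 1:
                alerts.append(Alert("root-lookalike-name", new, line))
        elif m := PASSWD_RE.search(line):
            # Password changes on vendor default accounts are rare and worth a ticket.
            if m["target"] in DEFAULT_ACCOUNTS:
                alerts.append(Alert("default-account-password-change", m["target"], line))
        elif m := LOGIN_RE.search(line):
            # Successful login by an account that was never provisioned.
            if m["user"] not in KNOWN_ACCOUNTS:
                alerts.append(Alert("unknown-account-login", m["user"], line))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.rule:32} {a.subject:12} {a.line}")
```

On the constructed sample the creation of `troot` fires twice (privileged group and root look-alike name), the self-service password change on `admin` fires once, and the first login by `troot` fires once; the benign `ops_reader` creation and the `svc_backup` password change stay quiet. The rules only work if the logs reach the SIEM before the attacker scrubs them locally, which is the point of the centralized logging recommendation further down.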
## Response Actions
- **Containment measures:** Isolation of compromised SD-WAN Manager instances.
- **Eradication steps:** Application of Cisco patches for CVE-2026-20245, CVE-2026-20127, and CVE-2026-20182; removal of the "troot" account.
- **Recovery actions:** Forensic imaging (where possible) and restoration of secure configurations.
## Lessons Learned
- **Edge Device Risks:** Network appliances are "black boxes" that often lack the telemetry needed for deep forensic analysis, which makes them attractive to actors who prioritize stealth.
- **Orchestration Vulnerability:** Software-defined networking (SDN) orchestrators are high-value targets because they provide a central control plane for the entire enterprise.
- **Anti-Forensics:** Sophisticated actors prioritize the deletion of evidence, making it difficult to determine the true scope of a breach once edge devices are compromised.
## Recommendations
- **Patch Management:** Immediately apply the Cisco Catalyst SD-WAN Manager updates for CVE-2026-20127, CVE-2026-20182, and CVE-2026-20245.
- **Centralized Logging:** Export logs from edge devices to a secure, external SIEM to prevent attackers from deleting evidence locally.
- **Zero Trust Architecture:** Restrict which devices may peer with SD-WAN orchestrators and require strong, verified identities for both peering and administrative access.
- **Audit Accounts:** Regularly audit local user accounts on network appliances against an approved baseline and flag any unexpected entry, especially accounts with root-level privilege or names that mimic legitimate ones (such as "troot").
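A state-based audit complements event-based detection: even if the attacker deleted the log entry for the account creation, the account itself is still present on the appliance. The block below is an added example (not code from Mandiant, Cisco or the original article). It assumes you can pull a per-user listing of name and numeric UID from the appliance; the passwd-style lines and the baseline values are constructed for illustration, and whether the Manager exposes exactly that format is an assumption, so feed it whatever per-user listing your CLI or API returns.

```python
"""Audit local accounts against a baseline recorded at deployment.
Added example; listing format and baseline values are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Baseline {name: uid} recorded when the appliance was deployed (assumed values).
BASELINE = {"root": 0, "admin": 1000, "svc_backup": 1001, "ops_reader": 1002}

# Constructed listing as pulled during the audit: a new UID-0 'troot' account
# has appeared and the baseline 'ops_reader' account has disappeared.
CURRENT_LISTING = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:SD-WAN admin:/home/admin:/bin/bash
svc_backup:x:1001:1001::/home/svc_backup:/usr/sbin/nologin
troot:x:0:0::/root:/bin/bash
"""


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str


def parse_listing(text: str) -> dict[str, int]:
    """Return {name: uid} from passwd-style lines, skipping blanks and comments."""
    accounts: dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        accounts[fields[0]] = int(fields[2])
    return accounts


def audit(current: dict[str, int], baseline: dict[str, int]) -> list[Finding]:
    """Compare the live account set with the baseline and report every deviation."""
    findings: list[Finding] = []
    for name, uid in sorted(current.items()):
        if name not in baseline:
            findings.append(Finding(name, "not in approved baseline"))
        elif baseline[name] != uid:
            findings.append(Finding(name, f"uid changed {baseline[name]} -> {uid}"))
        # Any UID-0 account is root-equivalent regardless of what it is called.
        if uid == 0 and name != "root":
            findings.append(Finding(name, "uid 0 (root-equivalent) under a non-root name"))
    for name in sorted(baseline):
        if name not in current:
            findings.append(Finding(name, "baseline account missing (deleted or renamed)"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_listing(CURRENT_LISTING), BASELINE):
        print(f"{f.account:12} {f.reason}")
```

The UID check matters more than the name check: an attacker who names the account `troot` is betting that a human scanning the list skips over anything that looks like `root`, but a numeric comparison does not care what the account is called. Store the baseline off-box, alongside the exported logs, so that scrubbing the appliance cannot also scrub the reference you compare against.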