Overview
- Mandiant published a detailed report on June 24 documenting how CVE-2026-20245 was used to elevate a compromised admin account to full root on a communications service provider.
- The attackers uploaded a malicious CSV file through the SD-WAN CLI to trigger a command-injection flaw and create a hidden 'troot' account that provided a root shell.
- CVE-2026-20245 requires netadmin-level access to exploit, meaning initial access came from stolen credentials, stolen certificates, or earlier authentication-bypass bugs that established rogue SD-WAN peering.
- The intruders ran extensive anti-forensics: they backed up and restored configs, deleted payloads and temp files, and ran validation scripts, which limits defenders' ability to determine the full impact.
- Cisco published an advisory on June 4 and released fixes in early June, but Mandiant and others warn that patching alone cannot remove attackers and urge collecting device diagnostics, checking for unauthorized peering and rogue accounts, and performing forensic remediation.
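The last two points translate into a concrete hunting task: compare the device's local accounts and control-plane peers against a known-good baseline and flag anything the baseline does not explain. The script below is an added illustration of that check, not code from Mandiant, Cisco, or the report; the account listing and peer table are constructed samples in a generic `/etc/passwd`-style and `address role state` layout (the real diagnostic output format will differ), the baseline sets are hypothetical, and the `troot` entry mirrors the hidden account the report describes so the check has something to find.

```python
"""Baseline diff for rogue local accounts and unexpected SD-WAN peers.

Added example, not part of the original summary or any vendor tooling.
All inputs below are constructed; replace them with the diagnostics
collected from the device and the baseline recorded before the incident.
"""

# Constructed /etc/passwd-style listing. The 'troot' line imitates the
# hidden root-equivalent account described in the report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
vmanage-admin:x:1001:1001::/home/vmanage-admin:/bin/bash
troot:x:0:0::/tmp/.x:/bin/bash
"""

# Constructed peer table: "<address> <role> <state>" per line.
SAMPLE_PEERS = """\
10.0.0.1 vsmart up
10.0.0.2 vsmart up
203.0.113.7 vsmart up
"""

# Hypothetical baselines that a defender would keep from a clean device.
EXPECTED_ACCOUNTS = {"root", "admin", "vmanage-admin"}
EXPECTED_PEERS = {"10.0.0.1", "10.0.0.2"}


def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank or malformed lines rather than guess
        yield fields[0], int(fields[2]), fields[5], fields[6]


def find_rogue_accounts(passwd_text, expected_names):
    """Return [(name, [reasons])] for accounts that deviate from the baseline.

    Three independent signals are checked so that a renamed or
    well-hidden account still trips at least one of them.
    """
    findings = []
    for name, uid, home, shell in parse_passwd(passwd_text):
        reasons = []
        if name not in expected_names:
            reasons.append("not in baseline")
        if uid == 0 and name != "root":
            reasons.append("uid 0 alias of root")
        if home.startswith("/tmp"):
            reasons.append("home directory under /tmp")
        if reasons:
            findings.append((name, reasons))
    return findings


def find_unexpected_peers(peer_text, expected_peers):
    """Return peer addresses that are present on the device but not in baseline."""
    unexpected = []
    for line in peer_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        address = parts[0]
        if address not in expected_peers:
            unexpected.append(address)
    return unexpected


def run_checks(passwd_text=SAMPLE_PASSWD, peer_text=SAMPLE_PEERS):
    """Bundle both checks into one report dict for logging or ticketing."""
    return {
        "rogue_accounts": find_rogue_accounts(passwd_text, EXPECTED_ACCOUNTS),
        "unexpected_peers": find_unexpected_peers(peer_text, EXPECTED_PEERS),
    }


if __name__ == "__main__":
    report = run_checks()
    for name, reasons in report["rogue_accounts"]:
        print(f"rogue account {name}: {', '.join(reasons)}")
    for peer in report["unexpected_peers"]:
        print(f"unexpected peer {peer}")
```

Because the intruders restored configurations and deleted their payloads, the interesting artefacts are the things that must persist for the access to keep working: the extra account and the extra peering relationship. A baseline diff like this catches both even after the rest of the evidence has been cleaned up, which is why it belongs in the diagnostics review rather than being replaced by a patch.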