
Mandiant Traces Zero-Day Root Escalation via CVE-2026-20245 in Cisco SD-WAN at Unnamed Telecom
Mandiant details active zero-day exploitation of CVE-2026-20245 in Cisco Catalyst SD-WAN, a flaw that yields root through a crafted CSV upload. The evidence shows reuse of certificates obtained during earlier authentication-bypass access, combined with rigorous anti-forensics. The case underscores the persistent supply-chain risk carried by widely deployed edge routing gear.
Mandiant documented two intrusion waves. The first used authentication bypasses (CVE-2026-20127 or CVE-2026-20182, undisclosed at the time) to establish rogue peering; the second, after a patch cycle, authenticated with certificates stolen during that earlier access and then uploaded the crafted CSV, which granted root because the upload handler performed insufficient input validation. In both waves the attackers reversed their configuration changes, deleted artifacts, and ran validation scripts to confirm that no traces remained.
The activity matches a documented pattern of edge-device targeting: SD-WAN controllers lack EDR telemetry and serve as persistent observation points across customer fabrics. Cisco’s advisory confirms that exploiting CVE-2026-20245 requires netadmin-level access, yet the initial vector appears to have included credential theft rather than direct external exposure of an unauthenticated surface.
Procurement records show Cisco SD-WAN deployments in multiple Tier-1 carriers, and contract vehicles list these controllers as critical for traffic steering and peering. The two-month pre-disclosure exploitation window and the anti-forensic discipline point to an operator prioritizing long-term access over immediate monetization.
Patching cadence and certificate hygiene remain the immediate controls; patching alone did not stop the second wave, because the actor returned with certificates obtained before the fix, so any certificate that was reachable from a compromised controller should be treated as exposed. Carriers should also audit SD-WAN fabric configurations for unauthorized peering entries and validate /etc/passwd integrity against known-good baselines.
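One way to perform the /etc/passwd baseline check described above, as an added example that is not Mandiant’s or Cisco’s tooling: it parses passwd(5) text, diffs it against a baseline captured when the controller was commissioned, and flags added, removed or altered accounts, duplicated usernames, and any uid-0 account the baseline did not already hold. The passwd lines are constructed for illustration, and the rogue account name “troot” is used only because the article mentions it.

```python
"""Added example: diff a controller's /etc/passwd against a known-good
baseline and flag rogue or altered accounts. Not Cisco or Mandiant
tooling; the passwd lines below are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> tuple[dict[str, PasswdEntry], list[str]]:
    """Parse passwd(5) text into entries keyed by username.

    Returns (entries, duplicate_names). The first line for a name wins,
    matching how getpwnam() resolves it; later duplicates are reported
    because a second line for an existing user is not something a
    normal system produces.
    """
    entries: dict[str, PasswdEntry] = {}
    duplicates: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        if name in entries:
            duplicates.append(name)
            continue
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries, duplicates


@dataclass
class Findings:
    digest_match: bool
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)
    duplicates: list[str] = field(default_factory=list)
    rogue_uid0: list[str] = field(default_factory=list)

    def clean(self) -> bool:
        return self.digest_match and not (
            self.added or self.removed or self.modified
            or self.duplicates or self.rogue_uid0
        )


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def audit_passwd(baseline_text: str, current_text: str) -> Findings:
    """Compare the current file to the baseline captured at commissioning."""
    base, _ = parse_passwd(baseline_text)
    cur, dups = parse_passwd(current_text)
    f = Findings(digest_match=_sha256(baseline_text) == _sha256(current_text),
                 duplicates=dups)
    f.added = sorted(set(cur) - set(base))
    f.removed = sorted(set(base) - set(cur))
    f.modified = sorted(n for n in set(cur) & set(base) if cur[n] != base[n])
    # Any uid-0 account the baseline did not already hold as uid 0 is a
    # root-equivalent backdoor candidate, whether it is a newly added
    # account or an existing account whose uid field was rewritten.
    baseline_uid0 = {n for n, e in base.items() if e.uid == 0}
    f.rogue_uid0 = sorted(n for n, e in cur.items()
                          if e.uid == 0 and n not in baseline_uid0)
    return f


# Constructed sample data (not from a real controller). "troot" is the
# illustrative rogue account name because the article mentions it.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
netadmin:x:1000:1000:Network admin:/home/netadmin:/bin/bash
"""

OBSERVED_PASSWD = BASELINE_PASSWD + "troot:x:0:0::/root:/bin/bash\n"


if __name__ == "__main__":
    result = audit_passwd(BASELINE_PASSWD, OBSERVED_PASSWD)
    print("clean" if result.clean() else f"FINDINGS: {result}")
```

Store the baseline and its digest off-box: an actor that deletes its own artifacts on the controller can just as easily rewrite a baseline kept there. The same comparison is worth applying to /etc/shadow, sudoers and any authorized_keys files, since a uid-0 account is only one of several ways a root-level actor can arrange to come back.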
Mandiant: At least two additional carrier SD-WAN fabrics will show matching troot account artifacts by September 2026 once certificate audits complete.
Sources (3)
- [1] Mandiant Threat Intelligence Report (https://mandiant.com/resources/blog/cisco-sd-wan-zero-day)
- [2] Cisco Security Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rce)
- [3] CVE Details Record (https://nvd.nist.gov/vuln/detail/CVE-2026-20245)