Attackers exploit Cisco SD-WAN zero-day to create a root account named "troot"

bleepingcomputer.com · @calm_rabbit · yesterday · Cybersecurity · 8 comments

Mandiant reveals that the attackers behind the Cisco SD-WAN zero-day uploaded a malicious CSV file, created a root account named "troot", restored the system files they had modified, and removed all traces of their activity.

Tags: mandiant · cisco · sd-wan · zero-day · cve-2026-20245 · cybersecurity

Attackers behind the Cisco SD-WAN zero-day attacks didn't just plant a root account named 'troot' - they backed up /etc/passwd and /etc/shadow before modifying them, then restored those files and deleted every trace of their exploitation. Mandiant's new report on CVE-2026-20245 lays out the full attack chain, and the anti-forensic discipline is the most telling part.

The Rogue Peer Entry Point

The intrusion began with unauthorized SD-WAN peering connections observed on a service provider's infrastructure in March 2026. Mandiant says the threat actor established new rogue peer connections and authenticated to affected SD-WAN Manager devices using the vmanage-admin account. The exact method for the initial breach remains unclear - Mandiant suspects previously disclosed authentication bypass zero-days (CVE-2026-20127 and CVE-2026-20182), but Cisco told Mandiant that CVE-2026-20182 was not involved. One possibility: attackers used certificates stolen during a prior compromise to regain access.

After gaining a foothold, the attackers changed the default admin account password, logged into the SD-WAN Manager web interface, and extracted configuration information for edge devices, controllers, and SD-WAN templates. They then restored the admin account to its original password after completing their activity - a low-and-slow tactic to avoid detection.

The Evil CSV and the 'troot' Account

CVE-2026-20245 is a command injection flaw in Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond). Cisco's advisory called it insufficient validation of user-supplied input. Mandiant reports that the attackers exploited it through a tenant-upload feature in the SD-WAN command-line interface by uploading a malicious CSV file named "evil_tenant.csv."

The payload did more than just drop a root account. First it created backups of /etc/passwd and /etc/shadow. Then it created a new account named "troot" with root-level privileges. The attackers used the Linux su command to switch from the compromised administrative account to the newly created root account, giving them full control over the device.

Anti-Forensic Cleanup and Open Questions

Mandiant emphasizes how heavily the attackers relied on anti-forensic tactics. After exploitation, they deleted the malicious CSV payload, removed temporary files created during the attack, and erased evidence of the rogue root account. They even executed a validation script to confirm all traces were gone. This level of operational security suggests an experienced adversary.

Some rogue peering activity observed in March 2026 occurred on systems that were not vulnerable to any previously disclosed authentication-bypass flaws. That leaves a gap in attribution - were certificates stolen elsewhere, or is there another unpatched path? Mandiant has published indicators of compromise, attacker IP addresses, and guidance. Organizations should collect diagnostic data from SD-WAN devices and check for unauthorized peering connections before the next wave of attacks.
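The three residual artefacts the article describes (a second UID-0 account, backup copies of /etc/passwd and /etc/shadow, and an su session into the rogue account) are all things a defender can hunt for in a diagnostic bundle. The script below is an added example written for this post; it is not Mandiant's or Cisco's tooling, does not parse any real Cisco diagnostic format, and every sample input in it (the passwd snapshot, file inventory, syslog lines and the 203.0.113.5 address) is constructed.

```python
"""Hunt a diagnostic snapshot for the artefacts described above:
a second UID-0 account, leftover copies of /etc/passwd or /etc/shadow,
and su sessions opened to a UID-0 account. Added example, not Mandiant's
or Cisco's tooling; all sample data below is constructed."""

import re
from dataclasses import dataclass

# Constructed /etc/passwd snapshot with a rogue UID-0 entry next to root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed file inventory, as a diagnostic bundle listing might provide.
SAMPLE_FILE_LIST = [
    "/etc/passwd",
    "/etc/shadow",
    "/etc/passwd.bak",
    "/tmp/shadow.orig",
    "/var/log/auth.log",
]

# Constructed syslog lines in the standard pam_unix su-session format.
SAMPLE_AUTH_LOG = """\
Mar 12 03:14:07 vmanage su: pam_unix(su:session): session opened for user troot by vmanage-admin(uid=1000)
Mar 12 03:20:11 vmanage su: pam_unix(su:session): session opened for user daemon by vmanage-admin(uid=1000)
Mar 12 03:25:42 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 203.0.113.5 port 4412 ssh2
"""

SU_SESSION = re.compile(
    r"session opened for user (?P<target>\S+) by (?P<actor>[^(\s]+)\(uid=(?P<uid>\d+)\)"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # rogue_uid0 | credential_backup | su_to_uid0
    detail: str


def uid_zero_accounts(passwd_text: str) -> list[str]:
    """Every login name whose UID field is 0 in passwd-format text."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def credential_backups(paths: list[str]) -> list[str]:
    """Paths that look like copies of passwd/shadow outside their canonical names.
    /etc/passwd- and /etc/shadow- are the normal copies left by vipw/useradd,
    so they are not reported."""
    canonical = {"/etc/passwd", "/etc/shadow", "/etc/passwd-", "/etc/shadow-"}
    hits = []
    for p in paths:
        if p in canonical:
            continue
        base = p.rsplit("/", 1)[-1]
        if "passwd" in base or "shadow" in base:
            hits.append(p)
    return hits


def su_sessions_to(targets: set[str], log_text: str) -> list[tuple[str, str]]:
    """(actor, target) pairs for su sessions opened to any account in targets."""
    pairs = []
    for line in log_text.splitlines():
        m = SU_SESSION.search(line)
        if m and m.group("target") in targets:
            pairs.append((m.group("actor"), m.group("target")))
    return pairs


def hunt(passwd_text, paths, log_text, expected_uid0=frozenset({"root"})):
    """Combine the three checks into a list of findings for review."""
    findings = []
    uid0 = uid_zero_accounts(passwd_text)
    for name in uid0:
        if name not in expected_uid0:
            findings.append(Finding("rogue_uid0", name))
    for p in credential_backups(paths):
        findings.append(Finding("credential_backup", p))
    # Every su into a UID-0 account is worth a look; su into an unexpected one is the signal.
    for actor, target in su_sessions_to(set(uid0), log_text):
        findings.append(Finding("su_to_uid0", f"{actor} -> {target}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PASSWD, SAMPLE_FILE_LIST, SAMPLE_AUTH_LOG):
        print(f"{f.kind:18} {f.detail}")
```

Because the attackers restored the credential files and deleted their backups, a snapshot taken after a completed intrusion may come back clean; in that case the su session entry, if the device forwards syslog off-box, is the check most likely to survive, which is why log collection belongs alongside the on-device diagnostic data the article recommends gathering.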


Source: Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access
Domain: bleepingcomputer.com
