At a glance
- Actor: Unknown threat actor
- Activity Type: Privilege escalation and zero-day exploitation
- Targets: Service provider infrastructure
- Scale: Unknown victim count
- Jurisdiction: Active investigation; no arrests reported
- Source: Mandiant
TL;DR
Attackers breached a service provider using a Cisco SD-WAN zero-day flaw. They exploited CVE-2026-20245 to gain root-level control over network systems. Therefore, administrators must upgrade their software immediately to block further intrusions.
What happened
In early 2026, Mandiant discovered an attack against a service provider. Initially, hackers established unauthorized peering connections during March. This action gave them Secure Shell (SSH) access to the network. Next, the intruders manipulated default account passwords to hide their tracks.
Then, the attackers launched a Cisco SD-WAN zero-day exploit. They targeted the Cisco Catalyst SD-WAN Manager specifically. The hackers uploaded a malicious CSV file to bypass normal security controls. A recent Mandiant analysis explains the core issue. The report states, “The vulnerability stems from the device’s file upload feature lacking the ability to properly filter malicious data.”
Consequently, this flaw allowed the attackers to escalate their privileges: they moved from a compromised admin account to full root-level access. After gaining control, the hackers performed extensive anti-forensic operations. They deleted malicious files and restored modified configuration files to erase their footprints.
Who is behind it
Security researchers have not named a specific hacking group yet. Mandiant identified the attackers simply as an unnamed threat actor. Any attribution remains speculative and unconfirmed. Authorities have not announced any official charges regarding this incident.
Impact or scale
The true scale of the campaign remains unknown. Currently, reports confirm only a single service provider as a victim. However, zero-day attacks often target highly valuable systems, and the attackers could breach other organizations running vulnerable Cisco software. A root-level intrusion allows total control over the underlying network routing fabric.
What comes next and protection
Organizations must secure their network devices right away. You can find more details about this Cisco SD-WAN zero-day analysis on the Google Cloud blog.
First, administrators must upgrade Cisco Catalyst SD-WAN Manager to a fixed release. The fixed releases are 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2. This upgrade closes CVE-2026-20245.
Second, security teams should actively hunt for indicators of compromise. Collect logs by running the request admin-tech command on your control-plane components. If you find suspicious activity, contact the Cisco Technical Assistance Center (TAC) immediately. Finally, enforce strict configuration standards to defend against unauthorized administrative access.
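As an added illustration (not part of the Mandiant report and not a Cisco tool), the following Python script triages an inventory of SD-WAN Manager versions against the fixed releases listed above. The train-matching rule (a fixed release covers the major.minor train it belongs to, and where a train lists several fixed releases the one sharing the longest prefix with the running version decides) and the hostnames are assumptions; confirm the mapping against the Cisco advisory before acting on it.

```python
"""Triage Cisco Catalyst SD-WAN Manager versions against the fixed
releases for CVE-2026-20245 (example code, not Cisco's tooling)."""

# Fixed releases as listed in the article.
FIXED_RELEASES = ["20.9.9.2", "20.12.7.2", "20.15.4.5",
                  "20.15.5.3", "20.18.3.1", "26.1.1.2"]


def parse_version(text):
    """Turn '20.15.4.5' into (20, 15, 4, 5) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def common_prefix_len(a, b):
    """Number of leading components two version tuples share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'no-fixed-release-for-train'.

    Assumption (not stated by the article): a fixed release applies to the
    major.minor train it belongs to; when a train has several fixed
    releases (20.15.4.5 and 20.15.5.3), the one sharing the longest
    prefix with the running version is the threshold, so 20.15.5.1 is
    compared against 20.15.5.3, not 20.15.4.5.
    """
    running = parse_version(version_text)
    same_train = [parse_version(f) for f in FIXED_RELEASES
                  if parse_version(f)[:2] == running[:2]]
    if not same_train:
        return "no-fixed-release-for-train"
    threshold = max(same_train, key=lambda c: common_prefix_len(c, running))
    return "patched" if running >= threshold else "vulnerable"


def triage(inventory):
    """inventory: {hostname: version}. Returns hosts that need attention."""
    return {host: assess(ver) for host, ver in inventory.items()
            if assess(ver) != "patched"}


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = {"sdwan-mgr-01": "20.12.7.2", "sdwan-mgr-02": "20.15.5.1",
                    "sdwan-mgr-03": "20.15.4.6", "sdwan-mgr-04": "20.16.1.1"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```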