The Heavys H1H is a $274 over-ear headphone built specifically for rock and metal listeners, with an eight-driver design intended to recreate the feel of a live show. It is an unusual product in a crowded market, and it makes its case on a very specific promise.

Most headphones are designed to be broadly neutral, or to flatter whatever genre the buyer happens to favor. The Heavys H1H takes a different approach entirely.

It is built around the idea that rock and metal have specific sonic characteristics that standard headphone tuning does not serve well. The multi-driver configuration is designed to address that directly, spreading frequency reproduction across eight drivers per side rather than relying on a single unit.

The headphones were engineered by Axel Grell, formerly of Sennheiser, where he led development of the HD 800 and HD 600 series. So, it’s got good bona fides.

I’ve replaced my AirPods Max with them for six weeks.

Heavys H1H review: Specifications

Heavys H1H review: Design and build

The H1H is a full-size over-ear headphone. At 14.5 oz, it is on the heavier side versus most headphones, but not the AirPods Max.

The headband and ear cups have a fairly conventional layout from the outside. The interchangeable outer shells are the most visually distinctive element, letting buyers swap in licensed artist designs from bands including Motorhead, Lamb of God, and Slayer, among others.

The ear cup shells are replaceable without tools and a wide range of official artist designs are available from Heavys separately. It is a smart system for a brand built around fan identity.

Heavys H1H review: Folded down

Advertisement

The headphones fold for travel and come bundled with a protective hard case in this configuration. USB-C handles both charging and digital audio input, and a 2.5mm to 3.5mm cable is included for wired passive use.

The balance is good on the headset. They are heavier than most as I’ve already said, but not so much that it’s a problem. The headset exaands to fit most heads, and I am fully aware that I have a big dome, so that was nice.

Build quality is excellent. This is not a headset shipped by a brand with too many adjacent consonants next to their name.

Heavys H1H review: The eight-driver system

The core technical claim of the H1H is its eight-driver configuration. Each side contains four drivers: two handling low and mid frequencies, and two high-frequency tweeters.

Most consumer headphones use a single dynamic driver per side. The multi-driver approach is more common in in-ear monitors used by musicians on stage, where separating frequencies across dedicated drivers can improve clarity and reduce distortion at high volumes.

Heavys H1H review: Extra directional speakers in the earcup.

Heavys claims the placement of the drivers is patented and specifically optimized for the way rock and metal are mixed, with an emphasis on guitar presence, drum impact, and the wide dynamic range those genres use.

The frequency range extends from 5 Hz to 46 kHz in wired mode, which is wider than most headphones at either end. Bluetooth operation narrows the upper limit to 24 kHz, which is still beyond the range of human hearing.

Let’s be clear, here. I am in the middle of the target market. I grew up on a steady diet of what is now called yacht rock, spent some time DJing at a rock station before my Navy stint when hair metal was popular, and just continued to listen.

These are the anti-Beats. They know what market they want, and shoot right at it.

And that Heavys claim about guitar and drums? Absolutely true.

Heavys H1H review: Noise cancellation and modes

The H1H uses what Heavys calls HellBlocker ANC, which it describes as a combination of passive noise cancellation and a mild active noise cancellation layer.

Passive noise cancellation (PNC) refers to the physical blocking of sound by the ear cup seal, while active noise cancellation (ANC) uses microphones and processing to cancel out remaining ambient noise electronically.

Heavys H1H review: Multiple physical switches and dials are in play here.

The result is four operating modes: wired passive, Bluetooth passive, Bluetooth with ANC active, and Bluetooth with transparency mode on. Transparency mode uses the microphones to let outside sound in, which is useful for conversations or navigating in public.

The five-microphone setup handles calls via a two-mic end-fire array. End-fire configuration means the mics face outward in the direction of the mouth for better voice pickup and background noise rejection.

AirPods used to be better across the board at noise reduction. It’s not terrible, but it’s not as good as it was.

The Heavys H1H is just about as good as the AirPods Max is at sound reduction. I tested the feature in a moving car, in a noisy crowd before a concert, in a plane, and on a train.

The AirPods Max and Heavys H1H were about the same. The Heavys H1H seemed to be a bit better in the car, and the AirPods Max on the train and plane, but the differences are minute.

Heavys H1H review: Connectivity and app

Bluetooth 5.1 handles wireless connection, with support for SBC, AAC, and aptX Adaptive codecs. AAC is the relevant codec for iPhone users, as it is Apple’s preferred Bluetooth audio format and is used by AirPods and most Apple devices.

AptX Adaptive is a higher-quality codec for Android and compatible devices, offering lower latency and better dynamic bitrate management. iPhone users will be limited to AAC, which is still a good-quality option.

Heavys H1H review: The case for the headphones

The companion app provides EQ customization and firmware updates. EQ access is a meaningful addition here, since the multi-driver tuning may benefit from adjustment depending on personal preference or the genre being played.

Having a built-in EQ in an app is nice. It’s so nice, in fact, that Apple is getting to it in iOS 27.

This is an incredibly personal experience. The app works pretty well, and it’s obvious to tell that there’s tuning going on in real-time as you move the sliders.

Heavys H1H review: Battery

Heavys claims up to 50 hours of battery life. That is a strong figure, comfortably above the 30-hour range that most competitors in this price bracket offer.

In my experience, I saw between 41 and 52 hours of battery life. There does not appear to be any noticeable idle drain.

Heavys H1H review: HomePod mini for scale.

Advertisement

This may be helped by an obvious on and off switch, that the AirPods Max do not have. You know when it’s off, and you have to guess with AirPods Max, for the most part.

I still don’t like that carrying case for the AirPods Max.

Heavys H1H review: A headphone with a very clear point of view

The H1H does not try to be for everyone. It is designed for a specific listener with a specific taste, and it is confident in that positioning.

The eight-driver system, Axel Grell’s involvement, and the genre-specific tuning are all genuine differentiators. There is no comparable product from the major headphone brands aimed this specifically at rock and metal fans.

Heavys H1H review: You can buy covers with your favorite band on them for the earcups.

At $274, it sits in a competitive price range. Sony’s WH-1000XM5 and Apple’s AirPods Max are both options a buyer in this bracket might also consider. Neither of those is tuned for this audience, and neither offers the customization ecosystem that the shell system provides.

For Apple users, the AAC codec support and USB-C connection mean it will work well with iPhone and Mac. It is not an Apple product, but it fits into the Apple ecosystem without friction.

The multi-driver system delivers on the company’s promises, and the ANC is strong enough to hold up against the competition at this price.

What’s not to like?

Heavys H1H Pros

• Eight-driver system designed for rock and metal
• 50-hour claimed battery life
• Interchangeable artist shells

Heavys H1H Cons

• Heavier than most wireless competitors
• iPhone users limited to AAC codec
• Genre focus may not suit all listeners, but that’s the case with Beats too

Rating: 4.5 out of 5

Where to buy the Heavys H1H

The Heavys H1H are available from Heavys directly, with a 10% discount at press time bringing the price down to $269.

With evidence that the tools had overlapping infrastructure, company attorneys invoked RICO statutes that target organized crime; the legal action was then able to treat both tools as part of a single conspiracy. As a result, Microsoft said, it disrupted more than 200 command-and-control servers and severed criminal control of more than 18,000 infected computers. Europol, which helped coordinate the law-enforcement part of the operation, said it recovered as many as 27 million stolen login credentials and uncovered $47 million worth of “crypto assets of criminal origin.”

“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network,” Europol said. “By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.”

Other companies assisting in “Operation Endgame” include ESET, Proofpoint and IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions.

Europol said that another tool disrupted in Operation Endgame is SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp. that spreads through compromised websites. Visitors to these sites are tricked into installing trojanized apps posing as browser extensions or other legitimate software. Europol said it has responded by cleaning infected WordPress sites and urging administrators of the sites to change credentials and tighten security. It has also worked to notify parties whose data and credentials were exposed through SocGholish activities. Countries involved in the enforcement action include Canada, Denmark, Germany, the Netherlands, the UK, and the US.

For decades, IT services firms made billions of dollars by allowing companies to outsource tech tasks like customizing, integrating, and maintaining enterprise software. Vishal Sikka, former CEO of Infosys, one of the largest such firms in India, is now betting that AI can do much of that work instead.

His new startup, Hang Ten Systems, has raised a $32 million seed round led by Mayfield, it said Wednesday, with a strategic investment from Aramco Ventures and participation from angel investors. The startup, whose board includes Yahoo co-founder Jerry Yang, said it helps enterprises continuously build, modify, and operate software using AI-driven development and automation.

Hang Ten enters a market where IT services firms, including Infosys, are racing to adapt to AI through partnerships with companies like Anthropic and OpenAI.

The startup’s launch comes amid a growing debate over whether AI will expand the industry’s addressable market or fundamentally alter how enterprise software is built, maintained, and delivered.

Clearly, some enterprises are eager to try the AI-services idea, especially from someone as experienced as Sikka, who spent 12 years building enterprise software at SAP, and later as a board member for Oracle. Mayfield Managing Partner Navin Chaddha told TechCrunch that the company “just got started a month back” and already has customers.

The startup said it is working with customers including Siemens Gamesa Renewable Energy and Fresenius on AI-native project delivery. In a separate blog post announcing the venture, Sikka, 59, said Hang Ten was already helping large enterprises “hang ten on the biggest wave of our lifetimes.”

Headquartered in the Bay Area, Hang Ten told TechCrunch that it is hiring across delivery, engineering, sales, and leadership and plans to expand across multiple locations globally to meet enterprise demand.

The early crew at the startup includes executives who have worked with Sikka for years across SAP, Infosys and his previous enterprise AI startup, VianAI, according to their LinkedIn profiles. Among them are co-founders Navin Budhiraja, the startup’s CTO, Sanjay Rajagopalan, its chief design officer, and Tao Liu, its senior vice president of forward deployed engineering.

After stepping down as Infosys’ chief executive in 2017, Sikka founded VianAI, which emerged from stealth in 2019 with $50 million in seed funding and later raised $140 million in a 2021 round led by SoftBank Vision Fund 2.

Chaddha told TechCrunch Hang Ten is distinct from VianAI, describing Sikka’s earlier venture as focused on a different market. VianAI focused on enterprise AI applications and analytics tools designed to help businesses use artificial intelligence in decision-making. Hang Ten, by contrast, describes itself as an enterprise AI services company built around agentic code generation, reusable AI skills, and domain expertise.

Mayfield backed Hang Ten because of Sikka’s career experience, as well as its belief that the startup’s AI-native model can scale differently from traditional services firms.

“Traditional services scale linearly with headcount,” Mayfield said. “Hang Ten is built so its leverage grows with every project.”

Hang Ten emerges as investors debate how AI will affect the economics of the IT services industry. Analysts at Jefferies argued earlier this year that IT services may be among the first sectors to face meaningful AI disruption. Infosys chairman Nandan Nilekani, however, this week said AI could expand the industry’s addressable market.

Infosys itself has sought to position AI as an opportunity rather than a threat, telling investors this month that “AI-first services” could represent a $300 billion-$400 billion market by 2030. The debate comes as investors reassess the outlook for traditional IT services firms, with Infosys shares down over 35% this year.

There is a phenomenon where as you get older, your sense of scale becomes somewhat fixed in the earlier era that shaped you– things like expecting the Dollar Store to carry items for 1$, or to get a burger and fries for less than twenty bucks– or, in this case, thinking of supercomputers as being petaflop-scale machines. That’s not wrong, per se– most of the world’s fastest machines benchmarks are best measured in petaflops– but when you’re clocking at 2198 of the things, it becomes easier just to say that the LineShine computer can do 2.188 exaflops. At double precision. With CPUs only. Yes, we are impressed.

Even more impressive is that this machine just debuted in China, which means it was built without the benefit of the latest-and-greatest Western chips, thanks to US sanctions. It’s using a made-in-China LX2 CPU with 304 ARMv9 cores onboard. Well, it’s actually using around 46 thousand of them, but who’s counting?

Each CPU actually consists of two separate compute dies and onboard high bandwith memory (HBM) and DRAM– 4GB of HBM and 32GB of DDR5. The 152 ARMv9 CPU cores on each chip are all built with Scalable Vector Extensions (SVE) and Scalable Matrix Extensions (SME), so despite the lack of GPUs LineShine will have no problem doing the sorts of vector processing that is traditional for high-performance computing, given the 13.79 million cores.

On the other hand, the lack of GPUs shows when you change benchmarks– LineShine is number one in the rankings for High Performance Linpack (HPL), but getting outside the 64-bit box, the supercomputer only hits number four on the HPL-MxP mixed-precision benchmark, behind machines that pair their CPUs with accelerators like GPUs or NPUs. That may mollify the American ego, as while their El Capitain was bumped to second place on the HPL list, they can still claim the pole position on HPL-MxP. Which computer is actually more capable depends entirely on what you want to do with it, and neither Lawrence Livermore National Laboratory nor China’s National Supercomputing Centre in Shenzhen advertise their compute queues, though this paper suggests at least one job will be crunching earth observation data.

The definition of a supercomputer has shifted over time, and it’s only a matter of time before LineShine and El Capitain end up on the auction block, like other supercomputers before them. We might question it when it comes to desktops, but for institutional HPC, no amount of computing ever seems to be enough.

Two educators are reckoning with who is really in charge: technology or the teacher. First, a teacher notices her students are quietly forming their professional knowledge on TikTok and decides to lean in rather than fight it. Then a high school engineering teacher builds an AI grading tool so efficient that it sent feedback to students without him ever reading it, and confronts what that actually means for his role in the classroom. Together, they raise urgent questions about judgment, accountability, and what teaching is really for.

What You’ll Learn:

• Pre-service teachers are forming their professional knowledge partly through TikTok and social media reels, including content from former teachers who left the profession, raising questions about how teacher prep programs should respond.

• Evi Wusk argues that the information gleaned from social media is already shaping how future teachers think, so the more productive move is to help them engage with it critically rather than dismiss or ignore it.

• Steven Swanson built a fully automated AI grading tool that sent feedback directly to students without his review, and after a student thanked him for words he never wrote, he rebuilt the tool to put himself back in the loop.

• Swanson describes specific assignment types where AI grading adds value versus where it falls short, including the risk of missing opportunities to learn who students actually are as people.

Listen to the episode:

This Week with EdSurge is produced by the EdSurge newsroom. Subscribe to the EdSurge newsletter for the latest in education news delivered straight to your inbox.

Meta’s controversial surveillance tool, which tracked staff’s keystrokes, mouse clicks and content to train the company’s AI models, didn’t quite work out as planned. The Model Capability Initiative, which was implemented in April and strongly opposed by staff, has been paused following an incident in which employee data became accessible to the entire company.

Over the last several weeks, more than 1,600 Meta employees, including software engineers, research scientists and designers, signed a petition calling on the company to stop collecting and repurposing employee computer data. 

“We collectively believe that empowering individuals and communities through building responsible AI includes respecting their boundaries and privacy,” the petition states. “Any approach to AI that relies on intrusive, coercive, non-consensual data collection contradicts that principle.” 

Business Insider reported that the software tracked apps and programs such as Gmail, GChat and Metamate, an employee AI assistant, as part of its data collection. The data-tracking software also captured screenshots. It’s unclear if it will be reinstated. 

Citing an internal security notice and information from three Meta employees, Wired reported that private conversations, prompts, transcriptions, and performance reviews were exposed to “anyone inside the company.” 

In a statement obtained by Wired, a Meta spokesperson said the company was investigating the incident and would stop data tracking indefinitely. 

“We have carefully designed this program with privacy safeguards, and while we have no indication at this time that any data was improperly accessed by Meta employees, we’re pausing it while we investigate,” the spokesperson said.

A representative for Meta did not respond to CNET’s request for comment. 

Employers ramp up AI use 

Meta, which is spending at least $135 billion on AI infrastructure this year, is among several major tech companies ramping up AI investment, including Amazon ($200 billion), Microsoft ($190 billion), and Alphabet ($185 billion).

Meta AI, the company’s main chatbot, is integrated into its main social media platforms such as WhatsApp, Instagram and Facebook.

According to leaked audio from an in-house company meeting on April 30, Meta CEO Mark Zuckerberg said it made sense to use his own employees to train the AI.

“The AI models learn from watching really smart people do things… The average intelligence of the people who are at this company is significantly higher than the average set of people that you can get to do tasks,” Zuckerberg said.

Rory Mir, director of open access and tech community engagement at the digital rights group Electronic Frontier Foundation, said Meta employees were right to oppose an invasive practice that raises privacy, consent, and trust concerns.

“Seeking new data for AI training is no excuse,” Mir told CNET. “Such disproportionate monitoring of workers is an abuse of power and highlights the necessity of legislation to protect worker privacy by requiring consent and due process.”

Companies are monitoring how much their employees use company AI tools in their daily work. CNBC reported in May that “almost every Fortune 500 is tracking overall AI usage” to determine whether workers are using it effectively and maximizing its potential.

It’s official: the 2026 TV Shootout is happening next month and it will include six of the top performing TVs of 2026. As usual, the Shootout event will be hosted by the good folks at Value Electronics at their headquarters on 35 Popham Road in Scarsdale, NY, starting at 9:30 AM and running as long as it takes until a new KING OF TV is crowned.

With Panasonic effectively dropping back out of the high end TV market in the United States, just three manufacturers will be represented this year: LG, Samsung and Sony. Each manufacturer will have one OLED TV and one RGB-lit LCD TV, for a total of six models.

Competitors in the OLED TV Shootout (65-inch):

• Sony BRAVIA 8, Mark II QD-OLED TV (K65XR80M2) – $3,299 (MSRP)
• Samsung S95H QD-OLED TV (QN65S95H) – $3,399 (MSRP)
• LG G6 Quad Stack W-OLED TV (OLED65G6WUA) – $3,399 (MSRP)

Competitors in the RGB-Backlit LCD TV Shootout (75-inch)

• Sony BRAVIA 9 II True RGB LCD TV (K75XR90M2) – $4,599 (MSRP)
• LG RGB95B Micro RGB Evo LCD TV (75MRGB95BUA) – $4,999 (MSRP
• Samsung R95H Micro RGB LCD TV (MRN75R95H) – $4,499 (MSRP)

As in previous competitions, all TVs will be evaluated by professional judges from within the A/V community, including tech journalists (including yours truly), trained calibrators and creative video content professionals. The evaluation will feature video clips and stills chosen to highlight specific areas of video performance including contrast, brightness, color volume, color accuracy, motion reproduction, HDR tone mapping and image uniformity. After the tests, the judges’ scorecards will be tabulated an a new “King of TV” crowned for 2026.

Consumers can use the results of the TV Shootout to select the best TV for their own liking and specific use-case. Performance in both bright and light-controlled rooms will be considered.

Event creator, Robert Zohn, says: “The arrival of Micro RGB TVs marks one of the most intriguing developments in display technology in recent years. We are eager to see how the 2026 TV lineup performs in our side-by-side comparison with all the excellent contenders this year. This is a must-see event for all who are interested in the best video displays.”

As in previous years, it “takes a village” to put the event together. It also takes a fair amount of gear. AVPro Global is supplying the latest state-of-the-art switching, distribution, and test equipment for the event. Magnetar’s UDP-900MKII flagship 4K universal disc player and Kaleidescape’s Strato K 8K-capable Media Player will be the reference sources for content. The Strato K is the company’s first player to support 4:4:4 color encoding and video bandwidth that exceeds that of UHD Blu-ray Disc.

As in previous year’s Sony Professional’s BVM-HX3110 mastering monitors will be used as the reference, against which all displays will be compared.

Portions of the event will be webcast live to reach the largest audience of A/V enthusiasts and media. After the TV Shootout is completed several of the top YouTube TV specialty channels (including our friends Stop the FOMO and Brian’s Tech Therapy) will have edited content of the TV Shootout for everyone worldwide to see the key components of the event.

The Bottom Line

While previous TV Shootouts have not been without controversy, as some TVs have not always performed as well as expected, the TV Shootout remains one of the premier TV comparison events as it pits the top performing TVs against each other and hits them with a wide range of content to reveal each of their strengths and weaknesses. The event’s results will help inform TV buyers’ choices through the remainder of the 2026 and beyond.

Related Reading:

TV Shootout 2025 Results Revealed: Meet the King of TV for 2025

TV Shootout 2025 Results Discussed with Special Guest, B The Installer (YouTube)

Darkness swallows the apartment building as the Category 5 hurricane slams the coast in Netflix’s Unhinged. The electricity goes out, the stairwell locks, and Ava soon realizes she’s sharing the space with something far more dangerous than wind and rain. Her only way to contact anyone who can help her is through the device that most people carry with them wherever they go.

A quick scan of the QR code on the TV screen connects your phone directly to the game. From that point on, your phone no longer behaves like a normal phone, but rather changes into Ava’s lifeline while navigating the game simultaneously. Just move the phone around in the air, and Ava’s in-game hands will lock on with precision. It’s just as simple to sweep the virtual flashlight beam across a dark room or whatever just tilting the phone in your palm. You can even reach into a drawer or pick up something that has fallen over by making the same gesture you would in real life. The way the game tracks even the simplest motions just makes them part of the survival attempt.

Google Pixel 10a – 30+ Hours Battery, Camera Coach, Gemini – Obsidian 128GB

• Google Pixel 10a is a durable, everyday phone with more[1]; snap brilliant photography on a simple, powerful camera, get 30+ hours out of a full…
• Unlocked Android phone gives you the flexibility to change carriers and choose your own data plan; it works with Google Fi, Verizon, T-Mobile, AT&T…
• Pixel 10a is sleek and durable, with a super smooth finish, scratch-resistant Corning Gorilla Glass 7i display, and IP68 water and dust protection[4]

Ava’s story centered around one particularly traumatic night spent locked inside a building. As the game’s principal character, Zoë Kravitz’s voice conveys Ava’s fragility and determination as she navigates storm devastation and an unknown menace. Sadie Sink plays Claire, a friend who can see into Ava’s apartment from her own window and offers advice via phone calls and messages. Troy Baker plays Ben, the building superintendent, who adds to the danger by being present but is unclear about his motivations.

The game was developed by Night School Studio, the same team that created the Oxenfree series. They specialize in tight, character-based horror that moves at a speed that seems like an intense discussion or a story that is so captivating that you can’t help but want to keep listening. They took that approach with Unhinged, which keeps the overall experience limited while still allowing for exploration of new paths on subsequent visits.

Two game modes are available to control the tension in the game. Story Mode allows you to relax without any strain. There is no timer, and Ava cannot die because the performances, ambiance, and twists make what is effectively a blackout feel much more intense. Standard Mode raises the stakes, with a diminishing timer bar in critical moments. You must find and interact with the correct object before time runs out, or the scenario will reset to where you last left off. Both modes are approximately thirty to forty minutes long, similar to a single episode of a television show.

Netflix created Unhinged for those who already have the app installed on their phones and televisions. There is no need for any additional hardware, such as a controller, or a lengthy setup process to get started. The design introduces this sort of horror to those who enjoy the genre on television but rarely devote the time to play a regular game. It also provides a quick fix for genre aficionados who want to squeeze in a short, intensive session between other commitments – all without breaking a sweat. The game will become available to all Netflix subscribers on June 30.
[Source]

Security

CVE-2026-20230 under exploitation, while an earlier SD-WAN 0-day looks even worse than we thought

It’s looking like another tough week (month? year?) for Switchzilla amid reports of new serious vulnerabilities under attack.

First up is a server-side request forgery bug in its Unified Communications Manager tracked as CVE-2026-20230.

Cisco disclosed and patched this flaw in early June. The comms control platform doesn’t properly validate some HTTP requests, and an attacker could exploit this bug to gain root privileges on a compromised device.

At the time, Cisco said that a proof-of-concept exploit was available – and now it seems unknown miscreants are putting that exploit code to use, with threat intel company Defused warning that it observed miscreants exploiting CVE-2026-20230 over the weekend.

“The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell under /platform-services/axis2-web/,” the firm noted on LinkedIn.

Cisco Catalyst SD-WAN zero day

Then, a Mandiant advisory on Wednesday warned that a Cisco SD-WAN zero-day tracked as CVE-2026-20245 was exploited much earlier than initially disclosed, including at a communications service provider where the attacker elevated a compromised admin account to full root-level access.

While the Google-owned threat hunting biz said it can’t assess the full scope of the intruders’ post-compromise activity, this SD-WAN device compromise could have been dire, potentially giving the attacker total visibility across an entire corporation’s internet traffic. This is what makes SD-WAN zero-days such a hot target for government-sponsored spies looking to set up shop for long-term snooping activities. 

It also explains the rash of attackers battering Cisco SD-WAN devices since the start of the year.

Cisco had issued an advisory for CVE-2026-20245 in early June, admitting that attackers had a head start on abusing this security hole. “In June 2026, the Cisco PSIRT became aware of exploitation of this vulnerability,” the vendor said at the time. 

In a Wednesday report, however, Google’s Mandiant incident response and consulting biz reported that exploitation of this bug – Cisco’s sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months – began much earlier.

“In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider,” Mandiant threat hunters Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan wrote. “After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.”

The attacker gained initial access via an unauthorized peering connection, abusing the SD-WAN fabric to authenticate between network components and facilitate Secure Shell (SSH) access. In this case, they authenticated to the SD-WAN manager device via SSH using the vmanage-admin account on the same victim devices.

Then, they changed the default password on the admin account,  authenticated directly to the SD-WAN Manager web application interface using the admin account, and exfiltrated SD-WAN fabric configurations.

Likely in an effort to cover their tracks and not get caught, the attacker changed the password of the admin account back to its original one before terminating their active session. 

Neither the vmanage-admin nor the admin accounts on Cisco Catalyst SD-WAN controllers possess root shell access, however. To gain root access, the attacker exploited CVE-2026-20245, which allows an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the vulnerable system.

The attacker uploaded a file named evil_tenant.csv that contained the exploit payload. Upon execution, the digital intruder created a user account named troot with full root privileges. Mandiant says it later observed the miscreant accessing this new troot account from the admin account using the substitute user command.

The Register reached out to Cisco about the reported exploitation of CVE-2026-20230, and Mandiant’s investigation into CVE-2026-20245. The company pointed us to its June advisory on the latter matter, and is working on response to our first question. ®