Published on June 5, 2026

[CVE-2026-20245] Cisco SD-WAN 0-day exploited, no patch available


Severity

High

Detail

Cisco has disclosed an actively exploited privilege escalation vulnerability, tracked as CVE-2026-20245, affecting Cisco Catalyst SD-WAN Manager. At the time of disclosure, no security patch or workaround is available.

The vulnerability affects the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager and is caused by insufficient validation of user-supplied input. An authenticated attacker with netadmin privileges can exploit the flaw by uploading a specially crafted file, potentially allowing arbitrary command execution with root-level privileges.

According to Cisco, successful exploitation requires valid credentials or prior exploitation of vulnerabilities such as CVE-2026-20182 or CVE-2026-20127 to obtain the necessary access. Cisco stated that it is not aware of successful exploitation through any other methods.

Cisco has observed limited instances where exploitation of the vulnerability resulted in unauthorized configuration changes being pushed to managed SD-WAN edge devices. This indicates that a compromise of the management platform could potentially impact downstream network infrastructure.

The vulnerability was reported by Mandiant. Cisco has published indicators of compromise (IoCs) that may assist organizations in identifying potentially affected systems and recommends reviewing relevant logs for suspicious activity.

Cisco is currently developing a software update to address CVE-2026-20245. Until a dedicated fix becomes available, customers are advised to upgrade to the fixed software releases referenced in the advisory for CVE-2026-20182 and verify the configuration of managed edge devices.

CVE ID: CVE-2026-20245
Summary: Cisco Catalyst SD-WAN Manager contains an input validation vulnerability that could allow an authenticated attacker with netadmin privileges to execute arbitrary commands as root through the upload of a crafted file.
CVSS Score: 7.8 (High)

Affected Products

This vulnerability affects Cisco Catalyst SD-WAN Manager regardless of device configuration, including the following deployment types:

  • On-Prem Deployment
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Recommendation

Organizations using affected Cisco Catalyst SD-WAN Manager deployments are advised to upgrade to the fixed software versions referenced in Cisco’s advisory for CVE-2026-20182 and verify that no unauthorized changes have been made to managed edge device configurations.


Source

https://www.helpnetsecurity.com/2026/06/05/cisco-sd-wan-cve-2026-20245-0-day-exploited