Cisco warns of unpatched SD-WAN zero-day exploited in attacks (CVE-2026-20245)
Cisco warns of a high-severity, unpatched zero-day in Catalyst SD-WAN Manager (CVE-2026-20245) that is actively exploited to escalate privileges to root across all deployment types. Exploitation requires netadmin privileges—typically via valid credentials or by chaining with CVE-2026-20182 or CVE-2026-20127—and can be triggered by uploading a crafted file. There is no patch yet; admins should upgrade to the fixed release for CVE-2026-20182 (May 14) and monitor /var/log/scripts.log for IOCs, contacting Cisco TAC if a compromise is suspected. Cisco notes this follows a pattern of previously exploited SD-WAN vulnerabilities.

CISCO WARNS OF UNPATCHED SD-WAN ZERO-DAY EXPLOITED IN ATTACKS
Overview
Cisco has issued a high-severity advisory about an unpatched zero-day in the Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20245, which is actively exploited to achieve root privilege escalation. The flaw affects all deployment modes, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). The vulnerability arises from insufficient validation of user-supplied input, enabling local attackers with low privileges to run arbitrary commands with root privileges.
Technical Summary
- Nature of the flaw: Insufficient input validation that allows crafted files to be uploaded to the affected system, enabling command injection and privilege escalation.
- Privilege requirement: An attacker must possess netadmin privileges on the compromised system, which could be obtained through valid credentials or by exploiting other related vulnerabilities.
- Related vulnerabilities: Cisco notes that exploitation could be facilitated by prior access gained through CVE-2026-20182 or CVE-2026-20127. Cisco also indicated that exploitation has, on occasion, produced configuration changes pushed to edge devices.
- Affected products: All deployment types of Cisco Catalyst SD-WAN Manager, including on-premises and cloud-based variants, as well as government deployments.
Exploitation Details
- How it can occur: An attacker could exploit the vulnerability by uploading a specially crafted file to the affected SD-WAN Manager, enabling command injection and root-level privilege escalation.
- Conditions for exploitation: The attacker must have netadmin rights on the target system, which may be achieved via valid credentials or the exploitation of existing flaws.
- Observed impact: In certain limited cases, exploitation has led to a configuration change being pushed to edge devices, indicating that attackers can influence device behavior beyond mere code execution.
Affected Deployment Models
- On-Prem Deployment: Locally hosted management appliances are exposed through the same user-supplied input path as the other deployment models.
- Cisco SD-WAN Cloud-Pro: Cloud-delivered management plane services are included in the exposure.
- Cisco SD-WAN Cloud (Cisco Managed): Managed cloud deployments are affected by the same validation gaps.
- Cisco SD-WAN for Government (FedRAMP): Government-grade deployments are subject to the same vulnerability class and exploitation risk.
Indicators of Compromise and Early Warning Signs
- A notable indicator involves attempts to upload tenant configuration data to vSmart controllers via script-based channels, which may be logged in system logs as scripted upload activities.
- Specific log patterns may include references to tenant lists being uploaded through scripted processes, sometimes showing paths to scripts and malicious configuration files on edge or management components.
- Administrators are advised to review logs for unusual vScript or script-upload events that correlate with changes to tenant or edge device configurations.
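A small triage helper for the review described above, added here as an example and not taken from Cisco or the advisory. It scans the scripts log named in the summary (/var/log/scripts.log) for scripted tenant-list uploads to vSmart and flags those launched from a script outside an expected directory. The log lines, the line format matched by the regex, and the trusted directory list are all constructed assumptions; adjust them to the format actually seen on your Manager.

```python
import re
from dataclasses import dataclass

# CONSTRUCTED sample lines. The real /var/log/scripts.log format is not shown
# on the page, so the pattern below is an assumption modelled on the page's
# wording: a tenant list uploaded to vSmart by a script, with the script and
# configuration file paths visible in the entry.
SAMPLE_LOG = """\
2026-05-12 09:14:02 vmanage scripts: running /usr/share/viptela/scripts/collect_stats.sh
2026-05-12 09:20:45 vmanage scripts: upload tenant list to vsmart 10.0.0.5 script=/tmp/.x/tl.sh file=/tmp/.x/tenants.cfg
2026-05-12 09:21:03 vmanage scripts: upload tenant list to vsmart 10.0.0.6 script=/usr/share/viptela/scripts/tenant_sync.sh file=/var/lib/viptela/tenants.cfg
"""

# Directories a legitimate management script is expected to live in (assumption).
TRUSTED_SCRIPT_DIRS = ("/usr/share/viptela/", "/usr/bin/", "/usr/sbin/")

UPLOAD_RE = re.compile(
    r"upload tenant list to vsmart (?P<peer>\S+).*?script=(?P<script>\S+).*?file=(?P<cfg>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    peer: str
    script: str
    cfg: str
    suspicious: bool


def scan_scripts_log(text: str) -> list:
    """Return every scripted tenant-list upload found in the log text, marking
    uploads driven by a script outside TRUSTED_SCRIPT_DIRS as suspicious."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = UPLOAD_RE.search(line)
        if not m:
            continue
        script = m.group("script")
        findings.append(Finding(n, m.group("peer"), script, m.group("cfg"),
                                not script.startswith(TRUSTED_SCRIPT_DIRS)))
    return findings


def scan_file(path: str = "/var/log/scripts.log") -> list:
    """Scan a real log file; path defaults to the location named in the advisory summary."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_scripts_log(fh.read())


if __name__ == "__main__":
    for f in scan_scripts_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {'SUSPICIOUS' if f.suspicious else 'ok'} "
              f"peer={f.peer} script={f.script} cfg={f.cfg}")
```

Correlate any suspicious hit with template or configuration pushes to edge devices around the same timestamp; the page notes that exploitation has on occasion produced such pushes.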
Patch Status and Mitigation Context
- Patch timeline: As of the advisory, no patch had been released specifically for CVE-2026-20245. Cisco recommended upgrading to the software releases that fix related CVEs (notably CVE-2026-20182), which were published earlier in the year.
- Related CVEs and patches: Prior disclosures and patches include authentication bypass and information-disclosure vulnerabilities within the Catalyst SD-WAN ecosystem (e.g., CVE-2026-20182, CVE-2026-20127, CVE-2026-20133). Cisco has indicated ongoing activity around these families of flaws, with some being actively exploited in the wild.
- Broader context: In the years leading up to 2026, the security ecosystem has tracked multiple Cisco SD-WAN flaws, with several categorized by security authorities as actively exploited. CISA has documented a broader set of Cisco vulnerabilities flagged as abused in the wild, including a subset tied to Catalyst SD-WAN Manager and related components.
Threat Landscape and Industry Context
- Observed pattern: The SD-WAN management stack has repeatedly surfaced as a target for zero-days and privilege-escalation exploits, underscoring the criticality of secure input handling, strict access controls, and robust monitoring of management planes.
- Historical exploitation: Since early 2023, several flaws within the SD-WAN ecosystem have moved from disclosure to exploitation, reinforcing a trend where attackers seek to gain high privileges and alter network configurations.
- Security testing insights: Breach and attack simulation and related research highlight the importance of validating detection rules in SIEM and EDR tooling, since many breaches progress stealthily through multiple layers before a defender detects anomalies.
Contextual References and Related Vulnerability Trends
- The SD-WAN management stack has featured in multiple publicly documented advisories and security analyses, with emphasis on privilege escalation, authentication bypass, and information disclosure vectors.
- The related vulnerability family includes authentication bypass and privilege-escalation vectors that have seen active exploitation in various environments, prompting ongoing vigilance from administrators managing Catalyst SD-WAN deployments.
- Industry observers note that a substantial share of successful attacks is logged by security teams, while a smaller portion triggers alerts, underscoring gaps between detection and actual breach events and the value of proactive breach testing.
Administrative and Operational Footnotes
- When anomalies arise: Security teams have reported that breaches can manifest as configuration changes or unusual script-driven operations within the SD-WAN management environment.
- Cross-team collaboration: In suspected compromise scenarios, coordination between network operations, security operations, and incident response teams is essential to correlate logs, verify configurations, and assess exposure across deployments.
Conclusion
The emergence of an unpatched zero-day in Cisco Catalyst SD-WAN Manager that enables root privilege escalation represents a significant risk for organizations relying on SD-WAN to orchestrate large-scale network fabrics. The exploitation reality—where attackers may ascend to root privileges and push changes across edge devices—highlights the necessity for careful monitoring of management-plane activities, rigorous access controls, and timely response to advisory updates as patches become available. The broader vulnerability lineage within the Catalyst SD-WAN family reinforces the ongoing need for vigilance around zero-days, active exploitation, and the integrity of configuration workflows across both on-premises and cloud-managed deployments.