Cisco has warned of two unpatched zero-day vulnerabilities in its SD-WAN products, which attackers have exploited to gain root privileges and conduct command injection attacks. The flaws, tracked as CVE-2026-20245 and CVE-2026-20262, affect the Cisco Catalyst SD-WAN Manager and can be exploited by attackers who have valid credentials or who have previously exploited other vulnerabilities.
What Happened
Cisco's Product Security Incident Response Team (PSIRT) became aware of the exploitation of CVE-2026-20245 in June 2026, after Google Cloud cybersecurity subsidiary Mandiant reported the flaw but did not share any details. Mandiant did, however, share indicators of compromise (IOCs), warning admins to check the /var/log/scripts.log file on their SD-WAN systems for attempts to upload tenant configuration data to vSmart controllers in order to escalate privileges through legitimate commands.
The vulnerability, which has a severity score of 7.8, can allow an attacker to conduct command-injection attacks and elevate privileges as the root user. Cisco confirmed a limited number of cases where the flaw was exploited, leading to a configuration change being pushed to edge devices. The company is recommending customers upgrade to the software version disclosed in the May 14 advisory, which was linked to the disclosure of CVE-2026-20182.
Background and Context
The Cisco Catalyst SD-WAN Manager is network management software that helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard. The software is used by many organizations, including those in the adult industry, which relies heavily on streaming and webcam infrastructure.
Cisco has been patching several vulnerabilities in its SD-WAN products this year, with CVE-2026-20182 being a critical vulnerability with a severity score of 10. That vulnerability was immediately added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Why it Matters to the Industry
The exploitation of these vulnerabilities by attackers highlights the importance of keeping software up to date and patching known vulnerabilities. In the adult industry, where streaming and webcam infrastructure is critical, downtime or security breaches can have significant financial consequences.
The use of SD-WAN products also raises concerns about data privacy and security. If an attacker gains root privileges on a device, they may be able to access sensitive information or compromise the entire network. The adult industry relies heavily on streaming and webcam infrastructure, which requires robust security measures to protect against such threats.
What Comes Next
Cisco has not yet released any patches for CVE-2026-20245 and CVE-2026-20262, but the company is recommending that customers upgrade to the software version disclosed in the May 14 advisory. Customers who need help with these steps should contact the Cisco Technical Assistance Center.
Timeline
Cisco's PSIRT became aware of the exploitation of CVE-2026-20245 in June 2026, after Mandiant reported the flaw but did not share any details. The company is recommending customers upgrade to the software version disclosed in the May 14 advisory.
Key Facts
- Cisco has warned of two unpatched zero-day vulnerabilities in its SD-WAN products, CVE-2026-20245 and CVE-2026-20262.
- The flaws affect the Cisco Catalyst SD-WAN Manager and can be exploited by attackers who have valid credentials or who have previously exploited other vulnerabilities.
- Cisco confirmed a limited number of cases where the flaw was exploited, leading to a configuration change being pushed to edge devices.
- The company is recommending customers upgrade to the software version disclosed in the May 14 advisory.
- No patches have been released yet for CVE-2026-20245 and CVE-2026-20262.