A zero-day vulnerability in Cisco's Catalyst SD-WAN Manager has been exploited by attackers, allowing them to execute arbitrary commands as root and gain full control over affected systems. The flaw, tracked as CVE-2026-20245, was disclosed by Mandiant and affects all deployment types of the software, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Despite being actively exploited in attacks, no patches are currently available from Cisco.

What Happened

The vulnerability was first discovered by Mandiant, a cybersecurity subsidiary of Google Cloud, which reported the flaw to Cisco but did not publicly share any details. It did, however, share indicators of compromise (IOCs), warning admins to check the SD-WAN /var/log/scripts.log file for attempts to upload tenant configuration data to vSmart controllers in order to escalate privileges through legitimate commands. The attackers exploited the vulnerability by uploading a crafted file to the affected system, allowing them to execute arbitrary commands as root.

Cisco's Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June after Mandiant reported the flaw. However, it was not until Thursday that Cisco warned of the unpatched zero-day in the Cisco Catalyst SD-WAN Manager being actively exploited in attacks enabling root privilege escalation.

Background and Context

The vulnerability affects the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, network management software that lets admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard. The flaw stems from insufficient validation of user-supplied input, which allows an authenticated local attacker to exploit it by uploading a crafted file to the affected system.

This is not the first zero-day vulnerability in Cisco's SD-WAN products this year. In May, Cisco tagged a maximum severity Catalyst SD-WAN Controller authentication bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain administrative privileges on unpatched devices. The company has observed limited cases where the exploitation of CVE-2026-20245 resulted in a configuration change pushed to edge devices.

Why it Matters

The exploitation of this vulnerability highlights the importance of patching and updating software regularly, especially for critical infrastructure like SD-WAN systems. The fact that attackers must have netadmin privileges on an affected system to exploit the flaw means that valid credentials or prior exploitation of other vulnerabilities are required. This makes it a high-severity vulnerability that requires immediate attention from admins.

For adult-industry platforms and operators, this vulnerability is particularly concerning due to the sensitive nature of their data and infrastructure. The exploitation of CVE-2026-20245 could potentially allow attackers to gain full control over affected systems, compromising user data and disrupting operations. It is essential for these companies to take immediate action to patch and update their SD-WAN systems to prevent further exploitation.

What Comes Next

Cisco has not yet released any patches for CVE-2026-20245, but the company recommends customers upgrade to the software version disclosed in the May 14 advisory, which was linked to the disclosure of CVE-2026-20182. The company also advises admins to collect admin-tech files to help with the review and contact the Cisco Technical Assistance Center if needed.

A patch for CVE-2026-20245 will be issued in a future release, but officials did not disclose a specific time frame. In the meantime, it is crucial for admins to take proactive measures to prevent further exploitation, such as monitoring their systems closely and implementing additional security measures.

Key Facts

  • CVE-2026-20245 is a zero-day vulnerability in Cisco's Catalyst SD-WAN Manager that allows authenticated local attackers to execute arbitrary commands as root.
  • The flaw affects all deployment types of the software, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
  • No patches are currently available from Cisco, but a patch will be issued in a future release.
  • Attackers must have netadmin privileges on an affected system to exploit the flaw, which can be obtained through valid credentials or prior exploitation of other vulnerabilities.
  • Cisco has observed limited cases where the exploitation of CVE-2026-20245 resulted in a configuration change pushed to edge devices.