Cisco's Catalyst SD-WAN Manager has been hit by a seventh zero-day vulnerability this year, tracked as CVE-2026-20245, which allows an authenticated attacker to execute arbitrary commands as root. The flaw affects all deployment types of Cisco Catalyst SD-WAN, including on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP environments.

What Happened

Mandiant, a cybersecurity firm that is part of Google Cloud, discovered the vulnerability while observing limited exploitation in the wild. The researchers reported their findings to Cisco, which confirmed the activity and disclosed that in the cases it had observed, attackers had used their elevated position to push configuration changes to edge devices managed by the compromised SD-WAN Manager.

The observed intrusions begin with unauthorized SD-WAN peering connections to a service provider's infrastructure: the threat actor establishes rogue peer connections and authenticates to affected SD-WAN Manager devices using the vmanage-admin account. Once inside, the attackers change the default admin account's password, log in to the SD-WAN Manager web interface, and extract configuration information for edge devices, controllers, and SD-WAN templates.

With that access in hand, the attackers exploit CVE-2026-20245 through a tenant-upload feature in the SD-WAN command-line interface by uploading a malicious CSV file named "evil_tenant.csv." The payload first backs up system credential files, including /etc/passwd and /etc/shadow, and then creates a new local account named "troot" with root-level privileges, a second root login that does not depend on the SD-WAN Manager application accounts.
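The artifacts described above (an extra UID-0 account, backup copies of /etc/passwd and /etc/shadow, and freshly set passwords) are all visible in files an analyst can pull off the appliance. The following triage script is an added example written for this page, not Cisco's or Mandiant's tooling: it runs over copies of /etc/passwd and /etc/shadow plus a list of file paths, and the sample file contents, the backup file names and the cut-off date are constructed assumptions (an attacker chooses the backup names, so the check keys on the base name rather than on "evil_tenant.csv" or any fixed suffix).

```python
"""Host triage for the post-exploitation artifacts described above.

Added example, not Cisco's or Mandiant's code. Inputs are copies of
/etc/passwd and /etc/shadow and a file listing taken from the appliance.
All sample data below is constructed for illustration."""
from datetime import date

# Constructed /etc/passwd: normal entries plus an attacker-added UID-0 "troot".
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage:x:1001:1001::/home/vmanage:/bin/bash
troot:x:0:0::/root:/bin/bash
"""

# Constructed /etc/shadow: field 3 is the last password change, days since 1970-01-01.
SAMPLE_SHADOW = """root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
vmanage:$6$saltA$hashA:19000:0:99999:7:::
troot:$6$saltB$hashB:20600:0:99999:7:::
"""

# Constructed file listing; the names of the stray copies are assumptions.
SAMPLE_PATHS = [
    "/etc/passwd",
    "/etc/passwd-",        # written by useradd/vipw, expected
    "/etc/shadow",
    "/etc/shadow-",
    "/etc/passwd.bak",     # stray copy
    "/tmp/shadow.orig",    # stray copy outside /etc
    "/var/log/auth.log",
]

# Backups that the standard user-management tools create themselves.
EXPECTED_COPIES = {"/etc/passwd", "/etc/passwd-", "/etc/shadow", "/etc/shadow-"}


def _records(text: str, min_fields: int):
    """Yield colon-split records, skipping blank, comment and malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def uid0_accounts(passwd_text: str) -> list[str]:
    """Accounts with UID 0 other than root; any hit is a second root login."""
    return [f[0] for f in _records(passwd_text, 7) if f[2] == "0" and f[0] != "root"]


def password_bearing_accounts(shadow_text: str) -> list[str]:
    """Accounts whose shadow entry holds a usable hash rather than a lock marker."""
    return [f[0] for f in _records(shadow_text, 9) if f[1] and f[1][0] not in "!*"]


def recently_changed_passwords(shadow_text: str, since_day: int) -> list[str]:
    """Accounts whose password was set on or after since_day (days since epoch)."""
    return [f[0] for f in _records(shadow_text, 9)
            if f[2].isdigit() and int(f[2]) >= since_day]


def stray_credential_copies(paths) -> list[str]:
    """Files named like passwd/shadow that are not the expected set in /etc."""
    out = []
    for p in paths:
        base = p.rsplit("/", 1)[-1]
        if base.startswith(("passwd", "shadow")) and p not in EXPECTED_COPIES:
            out.append(p)
    return out


def days_since_epoch(d: date) -> int:
    """Convert a calendar date to the day count used in shadow field 3."""
    return (d - date(1970, 1, 1)).days


def triage(passwd_text: str, shadow_text: str, paths, since_day: int) -> dict:
    """Collect every indicator; all-empty lists mean none of the artifacts was found."""
    return {
        "extra_uid0": uid0_accounts(passwd_text),
        "usable_hashes": password_bearing_accounts(shadow_text),
        "recent_password_changes": recently_changed_passwords(shadow_text, since_day),
        "stray_copies": stray_credential_copies(paths),
    }


if __name__ == "__main__":
    # Cut-off chosen as the start of the year the activity was observed (assumption).
    since = days_since_epoch(date(2026, 1, 1))
    for key, hits in triage(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_PATHS, since).items():
        print(f"{key}: {hits or 'none'}")
```

The "usable_hashes" list is meant to be compared against the account inventory you expect on the appliance; a hash on an account that should be locked is worth a look even when the UID is not 0, because the attacker in this campaign already held application-level credentials and may have set OS passwords as a fallback.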

Background and Context

Cisco has disclosed seven actively exploited zero-day vulnerabilities in its Catalyst SD-WAN product this year. The six earlier flaws confirmed exploited in 2026 are CVE-2026-20182 (patched in May), CVE-2026-20127, CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, and CVE-2022-20775. Seven actively exploited vulnerabilities in a single Cisco product line within one calendar year point to deliberate, sustained attacker investment in SD-WAN infrastructure.

The vulnerability, tracked as CVE-2026-20245, is a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond) that allows an authenticated attacker to execute arbitrary commands as root by uploading a crafted file. The flaw stems from insufficient validation of user-supplied input in that upload path and is exploitable by an attacker with authenticated, local access to the device's command-line interface.
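Cisco's advisory does not say how the uploaded file reaches a shell, so the snippet below is an added illustration of the vulnerability class, not Cisco's code: a hypothetical tenant-import routine that splices a CSV field into a shell command string, shown beside two fixes. The CSV layout, the /opt/tenants path, the tenantsvc user and the commands are all assumptions. The `shell_segments` helper tokenises the built command the way a POSIX shell would and counts the separate commands it would run, which is what makes the injection visible without executing anything.

```python
"""Command injection through an untrusted CSV field, and hardened variants.

Added illustration of the vulnerability class; not Cisco's code. The CSV
layout, paths, user names and commands are hypothetical."""
import csv
import io
import re
import shlex

# Constructed tenant CSV of the kind an "upload tenants" feature might accept.
# The second row carries a shell metacharacter in the tenant name.
SAMPLE_CSV = """name,org
acme,Acme Corp
evil;id,Evil Org
"""

# Allow-list: letters, digits, '_' and '-', at most 63 characters.
TENANT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")


def vulnerable_command(name: str) -> str:
    """Vulnerable: the field is spliced into a shell string meant for shell=True.
    A name like 'evil;id' ends mkdir early and runs 'id' as the service's user."""
    return f"mkdir -p /opt/tenants/{name} && chown tenantsvc /opt/tenants/{name}"


def quoted_command(name: str) -> str:
    """Partial fix: shell-quote the field so the shell sees a single argument."""
    path = shlex.quote(f"/opt/tenants/{name}")
    return f"mkdir -p {path} && chown tenantsvc {path}"


def is_valid_tenant_name(name: str) -> bool:
    """Allow-list validation; rejects every shell metacharacter and path separator."""
    return TENANT_NAME_RE.fullmatch(name) is not None


def hardened_argv(name: str) -> list[str]:
    """Preferred fix: validate against the allow-list, then build an argv list
    for subprocess.run(argv) with no shell in the picture at all."""
    if not is_valid_tenant_name(name):
        raise ValueError(f"invalid tenant name: {name!r}")
    return ["mkdir", "-p", f"/opt/tenants/{name}"]


def shell_segments(command: str) -> list[list[str]]:
    """Tokenise like a POSIX shell and split on ; && || | to show how many
    commands would actually run. Nothing is executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    segments: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in (";", "&&", "||", "|"):
            if current:
                segments.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def import_tenants(csv_text: str) -> tuple[list[list[str]], list[str]]:
    """Parse the upload with the csv module and keep only allow-listed names."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("name", "")
        if is_valid_tenant_name(name):
            accepted.append(hardened_argv(name))
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    for name in ("acme", "evil;id"):
        print(name, "vulnerable ->", shell_segments(vulnerable_command(name)))
        print(name, "quoted     ->", shell_segments(quoted_command(name)))
    print("import:", import_tenants(SAMPLE_CSV))
```

Quoting alone stops the splice from becoming a second command, but it still lets the attacker-controlled string reach the filesystem as a directory name (and `..` components would survive quoting), which is why the allow-list plus argv-list form is the one to ship: the field never touches a shell, and anything outside the expected character set is rejected before it is used.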

Why It Matters

The netadmin prerequisite is a weaker barrier than it sounds. Cisco says the attacker must already hold netadmin privileges, but those can come from stolen credentials or from chaining previously disclosed SD-WAN flaws such as CVE-2026-20182 or CVE-2026-20127, and in the observed intrusions the attackers already had them. According to Cisco's disclosure, the issue affects all Cisco Catalyst SD-WAN deployment types, including on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP environments.

The attack's blast radius is significant, as a root-level compromise of the SD-WAN Manager can alter routing behavior, inject backdoor connectivity paths, and modify security enforcement policies across every edge device in the organization's WAN architecture. Because the Manager is the control point for the whole fabric, the controls that matter are restricting who can reach its CLI and the netadmin role, treating those credentials as tier-0 secrets, and applying Cisco's fixed releases promptly.

What Comes Next

Cisco has not yet released patches for CVE-2026-20245 but is urging customers to upgrade to fixed software versions as soon as they become available. Mandiant has published indicators of compromise, attacker IP addresses, and guidance to help organizations determine whether they were compromised.

Key Facts

  • CVE-2026-20245: a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond)
  • Authenticated attackers can execute arbitrary commands as root by uploading a crafted file
  • The flaw stems from insufficient validation of user-supplied input
  • Cisco has not yet released patches for CVE-2026-20245 but is urging customers to upgrade to fixed software versions as soon as they become available
  • Mandiant has published indicators of compromise, attacker IP addresses, and guidance to help organizations determine whether they were compromised
  • The attack's blast radius is significant, as a root-level compromise in the SD-WAN Manager can alter routing behavior, inject backdoor connectivity paths, and modify security enforcement policies across every edge device in the organization's WAN architecture