Cisco SD-WAN CVE-2026-20245: 7th Zero-Day Hit, No Patch
Cisco SD-WAN Zero-Day CVE-2026-20245
Cisco disclosed CVE-2026-20245 on June 5, 2026 — a high-severity command-injection flaw in Catalyst SD-WAN Manager that grants root-level access and is already being exploited in the wild. There is no patch and no workaround. Reported by Mandiant, the vulnerability represents the seventh SD-WAN zero-day Cisco has flagged as actively exploited this year, and it may be the most dangerous of the bunch because of how it chains with prior flaws.
Here is what network and security teams need to know, what Cisco has confirmed, and what you should do right now.
What CVE-2026-20245 Actually Does
The vulnerability lives in the command-line interface of Cisco Catalyst SD-WAN Manager, the centralized management platform formerly known as vManage that controls up to 6,000 SD-WAN edge devices from a single dashboard. This is not the first time centralized management tools have become high-value targets — SolarWinds Serv-U was also exploited at scale for the same reason: one compromise, thousands of downstream devices affected.
According to Cisco’s advisory, the flaw stems from insufficient validation of user-supplied input. An authenticated local attacker with netadmin privileges can upload a crafted file that triggers command injection, escalating privileges to root on the SD-WAN Manager host.
The CVSS 3.1 base score is 7.8 (high). Every deployment type is affected: On-Prem, Cloud-Pro, Cloud (Cisco Managed), and the FedRAMP-authorized Government instance. That last detail should make any public-sector security team pay close attention.
The Chaining Problem
CVE-2026-20245 is not a standalone risk. Cisco explicitly stated that exploitation requires netadmin credentials, which can be obtained either through compromised accounts or by first exploiting CVE-2026-20182 or CVE-2026-20127.
This creates an attack chain that looks like this:
- Step 1: Exploit CVE-2026-20127 (critical auth bypass, exploited since 2023 by threat cluster UAT-8616) or CVE-2026-20182 (maximum-severity auth bypass patched in mid-May 2026) to gain netadmin-level access.
- Step 2: Use that access to exploit CVE-2026-20245, uploading a malicious file to escalate to root on the SD-WAN Manager host.
- Step 3: With root on the management plane, push unauthorized configuration changes to all managed edge devices.
Cisco confirmed it has “observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.” In a worst-case scenario, an attacker gains control of routing, disables security controls, manipulates VPN tunnels, and establishes persistent access across the entire enterprise WAN.
The 2026 SD-WAN Exploit Timeline
The SD-WAN attack surface has been under sustained assault throughout 2026. Here is the timeline of Cisco SD-WAN vulnerabilities flagged as exploited this year:
| CVE | Type | Severity | Disclosed |
|---|---|---|---|
| CVE-2026-20127 | Auth bypass | Critical | March 2026 |
| CVE-2026-20128 | Privilege escalation | High | April 2026 |
| CVE-2026-20122 | Information disclosure | Medium | April 2026 |
| CVE-2026-20133 | Information disclosure | Medium | February 2026 |
| CVE-2026-20182 | Auth bypass | Critical | May 2026 |
| CVE-2022-20775 | Auth bypass (legacy) | Critical | Flagged in 2026 |
| CVE-2026-20245 | Command injection | High | June 2026 |
The pattern is clear: SD-WAN management infrastructure is being methodically targeted. The threat cluster UAT-8616 has been linked to exploitation of these flaws dating back to 2023. This is not opportunistic scanning. It is a sustained campaign against enterprise WAN infrastructure.
Indicators of Compromise
Cisco published IOCs alongside the advisory. The primary indicator appears in /var/log/scripts.log on the SD-WAN Manager. Teams should look for entries matching this pattern:
Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Field Effect notes that some of these log entries can also appear during normal SD-WAN operations, so teams must validate findings against known operational patterns. Cisco recommends collecting admin-tech files from all SD-WAN control components before performing any upgrades, preserving forensic evidence in case investigation is needed.
Immediate Mitigation Steps
With no patch and no workaround available, defenders are in a difficult position. Here is a prioritized action plan:
- Upgrade to CVE-2026-20182-fixed releases immediately. Cisco’s May 14 patches close the most likely initial access vector. If you have not applied those patches yet, the chain from initial access to root is fully open.
- Audit netadmin accounts. Rotate credentials for all accounts with netadmin privileges. Enable multi-factor authentication where possible and review login logs for anomalous access patterns.
- Restrict SD-WAN Manager access. Limit management-plane access to dedicated administrative networks. Remove any internet-facing management interfaces.
- Hunt for IOCs. Review
/var/log/scripts.logacross all SD-WAN Manager and controller instances. Compare baseline configurations on edge devices against known-good templates. - Centralize logging. Forward SD-WAN Manager and controller logs to your SIEM. Set up alerting for the specific IOCs Cisco published.
- Verify edge device configurations. Check routing tables, templates, policies, and VPN tunnel settings for unauthorized changes. Any configuration modification not initiated by a known administrator should trigger an investigation.
The Bigger Picture
Seven zero-days exploited in a single product line in under six months is not a patching problem. It is a design problem. SD-WAN management platforms sit at the center of enterprise network control, yet they are treated with the same security posture as any other management appliance. This mirrors the Firestarter backdoor campaign that haunted Cisco cloud firewalls — a recurring pattern of infrastructure-grade compromise.
The Cisco PSIRT team has been responsive in disclosing these flaws, but the underlying issue is architectural. Concentrating control of thousands of edge devices behind a single management plane — without robust compartmentalization, mandatory access controls, and runtime integrity verification — creates a target that nation-state actors and advanced threat groups will continue to pursue.
For security teams running Cisco SD-WAN, the immediate priority is patching CVE-2026-20182 and hunting for compromise indicators. The strategic priority is harder: evaluating whether your SD-WAN management architecture can survive this level of sustained targeting, or whether it needs fundamental redesign. For a broader view of the vulnerability landscape putting pressure on SecOps teams, see our action plan for Microsoft Defender’s active exploitation — the same “attackers chaining flaws” pattern is repeating across vendors.
References
- BleepingComputer — Cisco warns of unpatched SD-WAN zero-day exploited in attacks
- SecurityWeek — Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026
- Field Effect — Active exploitation of unpatched Cisco SD-WAN Manager flaw
- Rescana — Active Exploitation Alert: Cisco Catalyst SD-WAN Manager CVE-2026-20245