Cisco disclosed CVE-2026-20245 on June 5 — a command-injection flaw in the CLI of Catalyst SD-WAN Manager (formerly vManage) that lets an authenticated attacker with netadmin privileges upload a crafted file and execute arbitrary commands as root. Cisco confirms active exploitation, says Mandiant reported the bug, and shipped no patch and no workaround at disclosure. This is the seventh SD-WAN zero-day Cisco has acknowledged being exploited in 2026.
If you run Catalyst SD-WAN Manager in any form, this is incident-response territory, not routine patching.
What happened
The root cause is insufficient validation of user-supplied input in the SD-WAN Manager CLI. An attacker who already holds netadmin rights can upload a specially crafted file that triggers command injection and elevates to root on the management appliance. Cisco rates it CVSS 7.8 — the score is held down by the privilege prerequisite, not by limited impact. Root on SD-WAN Manager is root on the control plane of your entire overlay.
Crucially, this is not a standalone, unauthenticated RCE. The attacker needs netadmin first. Cisco says that access comes from either stolen credentials or chaining earlier SD-WAN flaws — specifically CVE-2026-20182 (the CVSS 10.0 vdaemon auth bypass from May) or CVE-2026-20127 (the February vdaemon bug). Both were tied to UAT-8616. Treat CVE-2026-20245 as the privilege-escalation tail of an intrusion chain, not the front door.
Cisco PSIRT learned of exploitation in June, which is why disclosure was accelerated ahead of a fix. The company observed limited cases where exploitation pushed configuration changes to edge devices — meaning a compromised Manager doesn’t stay contained to the management node; it can rewrite the behavior of downstream routers across the fabric.
Who’s affected
All Catalyst SD-WAN deployment types are in scope: on-prem, Cloud-Pro, Cisco-Managed Cloud, and FedRAMP/Government environments. There is no “you’re fine because you’re SaaS” exception here.
What to do right now
There is no patch as of disclosure, so mitigation is about evidence preservation and compromise review, not a clean upgrade-and-move-on:
- Preserve evidence first. Run request admin-tech from each control component in the SD-WAN deployment before any upgrade activity. Upgrading over a compromised system can destroy the forensic trail without removing the intrusion.
- Hunt for the chain, not just the bug. Confirm CVE-2026-20182 and CVE-2026-20127 are fully remediated across every controller and Manager. If those are open, the netadmin prerequisite is trivially met.
- Review Cisco’s published log indicators. Cisco has released IOCs and log guidance. Look for unauthorized root-level activity, unexpected file uploads through the CLI workflow, and configuration pushes to edge devices you didn’t initiate.
- Verify edge-device configs. Because exploitation has altered edge configs, audit downstream devices against your known-good baseline, not just the Manager.
- Engage Cisco TAC if compromise is confirmed. Cisco explicitly warns that installing the future fixed release will not by itself secure an already-compromised system.
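As an added example that is not part of Cisco's guidance or of this article, the script below implements the "verify edge-device configs" step: it normalizes two IOS-style running-config captures, reports every statement added to or removed from the device relative to the known-good baseline (nested lines are qualified by their parent stanza so an interface or vty change is attributed correctly), and flags the drift that touches trust-sensitive stanzas. The two sample configs, the VOLATILE comment handling and the HIGH_RISK pattern list are constructed assumptions to tune for your platform, not Cisco artifacts or real device output.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Config stanzas whose change is most likely to matter after a management-plane
# compromise. Constructed heuristic list for this example, not a Cisco artifact.
HIGH_RISK = re.compile(
    r"^(username|enable secret|aaa |ip route|ip domain|crypto |ntp server|"
    r"logging host|snmp-server|access-list|ip access-list|line vty|ip http|"
    r"system\s|vpn \d+|tunnel-interface)",
    re.I,
)


@dataclass
class Drift:
    added: list[str] = field(default_factory=list)    # present now, absent in baseline
    removed: list[str] = field(default_factory=list)  # present in baseline, absent now

    def high_risk(self) -> list[str]:
        """Drift in either direction that touches a trust-sensitive stanza."""
        return [line for line in self.added + self.removed if HIGH_RISK.match(line)]


def normalize(config: str) -> list[str]:
    """Turn a running-config capture into comparable statements.

    '!' comment lines (including the volatile 'Last configuration change'
    timestamp) and blank lines are dropped; indented lines are prefixed with
    their top-level parent so identical sub-statements under different
    stanzas do not collapse into one.
    """
    out: list[str] = []
    parent = ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line[0].isspace():
            out.append(f"{parent} :: {line.strip()}")
        else:
            parent = line
            out.append(line)
    return out


def audit_config(baseline: str, current: str) -> Drift:
    """Compare a device's current config against the known-good baseline.

    Order is ignored and duplicate statements are collapsed, since IOS-style
    configs are effectively sets of statements grouped by stanza.
    """
    base = set(normalize(baseline))
    cur = set(normalize(current))
    return Drift(added=sorted(cur - base), removed=sorted(base - cur))


# Constructed sample captures (not real device output): the baseline taken
# before the incident window and a capture taken afterwards.
BASELINE = """\
! Last configuration change at 09:12:04 UTC Mon Jun 1 2026
hostname edge-branch-01
username admin privilege 15 secret 9 $9$REDACTED
interface GigabitEthernet1
 ip address 10.20.0.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.20.0.254
logging host 10.0.0.50
line vty 0 4
 transport input ssh
"""

CURRENT = """\
! Last configuration change at 03:41:17 UTC Sat Jun 6 2026
hostname edge-branch-01
username admin privilege 15 secret 9 $9$REDACTED
username svc-backup privilege 15 secret 9 $9$REDACTED
interface GigabitEthernet1
 ip address 10.20.0.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.20.0.254
ip route 10.99.0.0 255.255.0.0 10.20.0.253
line vty 0 4
 transport input ssh telnet
"""

if __name__ == "__main__":
    drift = audit_config(BASELINE, CURRENT)
    for line in drift.added:
        print(f"+ {line}")
    for line in drift.removed:
        print(f"- {line}")
    print(f"{len(drift.high_risk())} high-risk change(s) need explanation")
```

Run it against a capture per edge device and treat any high-risk drift you cannot tie to a change ticket as an indicator that the Manager pushed configuration on someone else's behalf; the sample above surfaces a new privileged user, an extra static route, a removed syslog destination and telnet re-enabled on the vty lines, all of which are exactly the kind of edge changes the advisory describes.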
Cisco’s interim direction is to follow the fixed-software guidance in the CVE-2026-20182 advisory and apply the dedicated CVE-2026-20245 release as soon as it ships. Watch the Cisco Security Advisories portal for the update.
The pattern across 2026 is unmistakable: SD-WAN Manager and Controller sit at the top of the network trust hierarchy, and attackers keep stacking auth bypasses with post-auth root bugs to own the whole overlay. If your SD-WAN management plane is reachable from anything you don’t fully trust, assume it’s a target and instrument it accordingly.