Cisco Warns of Actively Exploited Zero-Day (CVE-2026-20245) in Catalyst SD-WAN Manager

Cisco Catalyst SD-WAN Zero-Day Flaw Actively Exploited for Root Access

Severity: HIGH
Published: June 6, 2026
Updated: June 7, 2026
Categories: Vulnerability, Cyberattack, Patch Management



Executive Summary

Cisco has issued a security advisory for a high-severity zero-day vulnerability, CVE-2026-20245, in Cisco Catalyst SD-WAN Manager. The flaw is a command injection with a CVSS 3.1 base score of 7.8 and is confirmed to be under active, albeit limited, exploitation. A remote attacker who already holds administrative (netadmin) privileges on a target system can exploit it by uploading a specially crafted file through the CLI; successful exploitation yields arbitrary command execution on the underlying operating system as root. The vulnerability, reported by Mandiant, affects all deployment models, including on-premise and cloud-hosted instances. At the time of disclosure no patch was available, so mitigation rests on patching the chained authentication bypass (CVE-2026-20182), restricting access to the management interface and tightly controlling netadmin accounts.


Vulnerability Details

CVE-2026-20245 stems from insufficient input validation in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager. An attacker holding netadmin privileges uploads a crafted file via the CLI; because the contents of that file are not properly sanitized before being handed to the underlying shell, the attacker can inject and execute arbitrary commands, and the executing context is root.

  • CVE ID: CVE-2026-20245
  • CVSS Score: 7.8 (High)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network (AV:N); requires high privileges (PR:H, netadmin) and no user interaction (UI:N).
  • Impact: Arbitrary command execution as root (full loss of confidentiality, integrity and availability of the manager).

An attacker must first authenticate as a high-privileged user. That foothold could come from stolen credentials or from chaining this flaw with a prior authentication bypass such as CVE-2026-20182, which Cisco has already patched (see Remediation Steps). This is the seventh zero-day Cisco has disclosed in its SD-WAN products in 2026, indicating sustained targeting of this technology by threat actors.
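The following is an added, generic illustration of the bug class described above; it is not Cisco's code and not the mechanics of CVE-2026-20245, which Cisco has not published. It shows a hypothetical upload handler that reads a field out of an uploaded file and splices it into a shell command, beside the hardened form that validates the field against an allowlist and passes it as a discrete argv element. The manifest format, the field names and the use of echo as a stand-in for the real processing command are assumptions.

```python
"""Generic command-injection illustration (hypothetical handler, not Cisco's code):
a field read from an uploaded file reaches /bin/sh unchecked, versus an allowlist
check plus argv-list execution that makes the field a single literal argument."""
import re
import subprocess

SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")   # assumed allowlist for a package name


def parse_manifest(data: bytes) -> dict:
    """Constructed manifest format: one key=value pair per line."""
    fields = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def process_upload_vulnerable(data: bytes) -> str:
    """Splices the file-derived name into a shell string: ';', '|', '$(...)' and
    friends inside the name are parsed by the shell, so the uploader runs commands."""
    name = parse_manifest(data).get("name", "")
    cmd = f"echo processing {name}"           # 'echo' stands in for the real tool
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def process_upload_hardened(data: bytes) -> str:
    """Rejects anything outside the allowlist and never involves a shell: the
    name is one argv element no matter which characters it contains."""
    name = parse_manifest(data).get("name", "")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected package name: {name!r}")
    return subprocess.run(["echo", "processing", name],
                          capture_output=True, text=True).stdout


# Constructed uploads: a benign manifest and one carrying an injected command.
BENIGN_UPLOAD = b"name=update.bin\nversion=1.2\n"
MALICIOUS_UPLOAD = b"name=update.bin; echo INJECTED\nversion=1.2\n"


def demo():
    """Returns (vulnerable handler's output on the malicious upload, hardened verdict)."""
    vuln_out = process_upload_vulnerable(MALICIOUS_UPLOAD)   # second output line is INJECTED
    try:
        process_upload_hardened(MALICIOUS_UPLOAD)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return vuln_out, verdict


if __name__ == "__main__":
    out, verdict = demo()
    print(out, end="")
    print("hardened handler:", verdict)
```

The argv list is the real fix: quoting the value with shlex.quote would also stop this particular payload, but it leaves the shell in the path and has to be applied at every call site, whereas a list of arguments never gives the shell a chance to interpret the value. The same rule holds whatever part of the upload the field comes from (file name, archive member name, manifest line); trust none of it until it has matched an allowlist.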


Affected Systems

The vulnerability impacts all deployment types of Cisco Catalyst SD-WAN Manager. This includes:

  • On-premise deployments
  • Cloud-Pro
  • Cisco Managed Cloud
  • FedRAMP environments

Administrators should consult the official Cisco security advisory for a complete list of affected software versions. As of the initial disclosure, no patched versions are available.


Exploitation Status

Cisco has confirmed awareness of "a limited number of instances" in which CVE-2026-20245 has been exploited in the wild; in the observed cases, attackers used the access to push unauthorized configuration changes to managed edge devices. Exploitation in the wild, even if limited, raises the urgency of mitigation. The vulnerability was reported to Cisco by researchers at Mandiant.


Impact Assessment

The impact of exploiting CVE-2026-20245 is severe. Gaining root access on the SD-WAN Manager grants an attacker complete control over the network's orchestration layer. From this position, an attacker can:

  • Modify Network Configurations: Reroute traffic, create backdoors, or cause widespread network outages.
  • Intercept Traffic: Re-steer traffic through attacker-controlled paths and inspect sensitive data flowing across the SD-WAN fabric.
  • Lateral Movement: Use the SD-WAN Manager as a pivot point to attack other connected devices and segments of the corporate network.
  • Deploy Malware: Push malicious software or configurations to all managed edge devices.

Given that SD-WAN is central to modern enterprise networking, a compromise of the manager component can undermine the security and availability of the entire organization's WAN.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Log Source: Cisco Catalyst SD-WAN Manager logs. Monitor for unexpected file uploads via the CLI, especially from unusual source IPs or user accounts.
  • Command Line Pattern: Anomalous commands executed by the SD-WAN Manager process. Look for shells (/bin/sh, bash) being spawned under the application's user context, which is not typical behavior.
  • Configuration Change Logs: Unauthorized or unexpected configuration changes. Monitor audit logs for configuration pushes to edge devices that do not correlate with legitimate administrative activity.
  • Network Traffic Pattern: Outbound connections from the SD-WAN Manager to unknown IPs. A compromised manager may initiate C2 connections; monitor for traffic on non-standard ports or to suspicious destinations.

Detection Methods

Organizations should focus on detecting both exploitation attempts and post-compromise activity.

  1. Log Analysis: Forward all administrative and system logs from Cisco Catalyst SD-WAN Manager to a central SIEM and create alerting rules for:
     • Multiple failed login attempts followed by a success for a netadmin account (the D3FEND technique Authentication Event Thresholding).
     • File uploads via the CLI outside of normal maintenance windows, or from source addresses outside the management network.
     • Any configuration change pushed to edge devices that is not recorded in the change-management system.
  2. Network Monitoring: Apply Network Traffic Analysis to traffic to and from the SD-WAN Manager's management interface. Baseline normal patterns and alert on anomalies such as connections from unknown IP ranges, new outbound destinations, or data-exfiltration patterns.
  3. Integrity Monitoring: Use file integrity monitoring on the SD-WAN Manager appliance to detect unauthorized changes to system files or the creation of suspicious scripts in executable directories.
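As an added example (not part of the original article and not a Cisco or Mandiant artifact), the hunting hints and the log-analysis and network-monitoring rules above are implemented below and run over constructed sample log lines. The key=value line format, the event names, the vmanage-server process name, the maintenance window and the 10.20.0.0/24 management range are all assumptions made for the example; map them onto the real SD-WAN Manager log schema and your own network before deploying.

```python
"""Hunting logic for the observables above, run over constructed sample log
lines. Line format, event names, process name and address ranges are
assumptions for the example, not Cisco's real log schema."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: a netadmin brute force from an Internet address, an
# off-hours CLI upload, an undocumented config push, a shell spawned by the
# manager process and an outbound connection to an unknown host, then
# legitimate change-managed activity from the management network.
SAMPLE_LOGS = """\
2026-06-06T02:15:01Z user=netadmin src=203.0.113.45 event=login_failed
2026-06-06T02:15:05Z user=netadmin src=203.0.113.45 event=login_failed
2026-06-06T02:15:09Z user=netadmin src=203.0.113.45 event=login_failed
2026-06-06T02:15:14Z user=netadmin src=203.0.113.45 event=login_failed
2026-06-06T02:15:20Z user=netadmin src=203.0.113.45 event=login_failed
2026-06-06T02:15:40Z user=netadmin src=203.0.113.45 event=login_success
2026-06-06T02:16:10Z user=netadmin src=203.0.113.45 event=cli_file_upload file=patch.tar
2026-06-06T02:17:00Z user=netadmin src=203.0.113.45 event=config_push target=edge-07 change_id=none
2026-06-06T02:17:05Z user=vmanage src=10.20.0.5 event=process_spawn parent=vmanage-server child=/bin/sh
2026-06-06T02:18:00Z user=vmanage src=10.20.0.5 event=outbound_conn dst=198.51.100.9 dport=4444
2026-06-06T22:10:00Z user=opsadmin src=10.20.0.50 event=login_success
2026-06-06T22:12:00Z user=opsadmin src=10.20.0.50 event=cli_file_upload file=release.tar
2026-06-06T22:15:00Z user=opsadmin src=10.20.0.50 event=config_push target=edge-03 change_id=CHG-4411
"""

PRIVILEGED_ACCOUNTS = {"netadmin"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]       # assumed jump-host / management range
KNOWN_DST_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed legitimate outbound destinations
MAINT_WINDOW_UTC = (22, 23)                               # assumed: uploads expected 22:00-23:00 UTC
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """One log line -> dict of fields plus a tz-aware 'ts'; None for blank or garbled lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def parse_logs(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def failed_then_success(events, threshold=5, window_s=300):
    """Authentication Event Thresholding: threshold+ failures for a privileged
    account followed by a success from the same source within window_s seconds."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        if e.get("user") not in PRIVILEGED_ACCOUNTS:
            continue
        key = (e["user"], e.get("src"))
        if e["event"] == "login_failed":
            fails[key].append(e["ts"])
        elif e["event"] == "login_success":
            recent = [t for t in fails[key] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"user": e["user"], "src": e["src"], "failures": len(recent), "at": e["ts"]})
            fails[key].clear()
    return alerts

def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def cli_uploads_off_hours(events, window=MAINT_WINDOW_UTC):
    return [e for e in events if e["event"] == "cli_file_upload"
            and not (window[0] <= e["ts"].hour < window[1])]

def unapproved_config_pushes(events, approved_change_ids):
    return [e for e in events if e["event"] == "config_push"
            and e.get("change_id") not in approved_change_ids]

def shells_from_app(events, app_parents=("vmanage-server",)):
    """A shell spawned by the manager's own process is not normal application behaviour."""
    return [e for e in events if e["event"] == "process_spawn"
            and e.get("parent") in app_parents
            and e.get("child") in ("/bin/sh", "/bin/bash", "sh", "bash")]

def admin_activity_outside_mgmt(events, nets=MGMT_NETS):
    return [e for e in events if e["event"] in ("login_success", "cli_file_upload")
            and not in_any(e["src"], nets)]

def unknown_outbound(events, nets=KNOWN_DST_NETS):
    return [e for e in events if e["event"] == "outbound_conn" and not in_any(e["dst"], nets)]

def hunt(text, approved_change_ids=frozenset({"CHG-4411"})):
    """Runs every rule and returns the hits keyed by rule name."""
    ev = parse_logs(text)
    return {
        "auth_threshold": failed_then_success(ev),
        "upload_off_hours": cli_uploads_off_hours(ev),
        "unapproved_push": unapproved_config_pushes(ev, approved_change_ids),
        "shell_from_app": shells_from_app(ev),
        "admin_outside_mgmt": admin_activity_outside_mgmt(ev),
        "unknown_outbound": unknown_outbound(ev),
    }

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_LOGS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

Each rule on its own is noisy; the value is in correlating them by source and time, as the sample shows: a privileged login preceded by a failure burst, from outside the management range, followed within minutes by a CLI upload, an undocumented push to an edge device, a shell under the manager process and a new outbound connection is the sequence the advisory's observed exploitation would leave behind.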


Remediation Steps

As there is no patch available at the time of writing, mitigation is critical.

  1. Apply Previous Patches: Cisco's primary recommendation is to upgrade to a software version that addresses CVE-2026-20182 (an authentication bypass). While this does not fix CVE-2026-20245, it makes it much harder for an unauthenticated attacker to gain the necessary privileges to exploit it. This is a form of D3FEND's Software Update.
  2. Restrict Access: Strictly limit access to the SD-WAN Manager's management interface. Use a firewall or access control lists (ACLs) to ensure it is only reachable from a secure management network or specific administrative jump hosts. This is a key principle of Network Isolation.
  3. Privileged Access Management: Tightly control and monitor all accounts with netadmin privileges. Implement Multi-factor Authentication for all administrative access.
  4. Monitor for Updates: Continuously monitor for the release of a patch from Cisco and apply it as soon as it becomes available.

Timeline of Events

June 6, 2026: Article published.

Article Updates

June 7, 2026

New reports confirm ongoing active exploitation of CVE-2026-20245 and emphasize that no official patch or workaround is yet available; they also clarify that exploitation requires an attacker who is already authenticated with netadmin-level access.

MITRE ATT&CK Mitigations

  • Update Software (M1051): Apply security patches as soon as Cisco releases them to fix the underlying vulnerability.
  • Network Segmentation (M1030) / Filter Network Traffic (M1037): Use firewalls or ACLs to restrict network access to the SD-WAN Manager's management interface to authorized personnel and systems only.
  • Privileged Account Management (M1026) and Password Policies (M1027): Tightly control and monitor accounts with administrative privileges, and enforce strong password policies.
  • Multi-factor Authentication (M1032): Require MFA for all administrative access to the SD-WAN Manager to prevent unauthorized logins.

Sources & References(when first published)

  • Cisco warns zero-day flaw in SD-WAN is being exploited. Cybersecurity Dive (cybersecuritydive.com), June 5, 2026.
  • CVE-2026-20245: Cisco SD-WAN Manager Zero-Day. SOC Prime (socprime.com), June 5, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CVE-2026-20245, Cisco, SD-WAN, Zero-Day, Vulnerability, Exploitation, Mandiant
