Cisco Catalyst SD-WAN Manager Vulnerability
Cisco has warned of a high-severity, unpatched zero-day vulnerability in Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20245, that is being actively exploited in attacks to escalate privileges to root.
The zero-day flaw affects all deployment types: On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). According to Cisco, the issue stems from insufficient validation of user-supplied input, allowing an authenticated local attacker to execute arbitrary commands as root.
Exploitation and Impact
An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to inject commands on the affected system and elevate their privileges to root. To exploit it, the attacker must already hold netadmin privileges on the affected system, which requires valid credentials or prior exploitation of CVE-2026-20182 or CVE-2026-20127. The bug is therefore a post-authentication privilege escalation rather than a remote entry point, so exposure depends heavily on whether those two earlier flaws have been patched and on how tightly netadmin accounts are controlled.
Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. The company's Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June after Google Cloud cybersecurity subsidiary Mandiant reported the flaw.
Indicators of Compromise
Mandiant shared indicators of compromise (IOCs) and advised admins to check the SD-WAN Manager's /var/log/scripts.log file for attempts to upload tenant configuration data to vSmart controllers, a legitimate operation that attackers abuse to escalate privileges. For example:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
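The following triage script is an added example, not Cisco or Mandiant tooling. It parses scripts.log for invocations of vconfd_script_upload_tenant_list.sh, extracts the CSV path and VPN from the arguments, and attaches reasons a hit deserves a closer look. The log format is taken from the single line quoted above; the allow-listed upload directory (/opt/data/tenantlist/) and the metacharacter and extension checks are assumptions used only to rank hits, and the sample log is constructed (the first line is the article's example, the other two are made up).

```python
"""Triage /var/log/scripts.log for the CVE-2026-20245 indicator Mandiant described:
invocations of vconfd_script_upload_tenant_list.sh with an attacker-supplied CSV.

Added example, not Cisco's or Mandiant's code. The log layout is inferred from the
one line quoted in the article; EXPECTED_DIRS and the ranking rules are assumptions."""
import re
from typing import Dict, List

# Constructed sample log: line 1 is the article's example, lines 2-3 are made up
# to exercise the parser (a path with shell metacharacters, and an unrelated event).
SAMPLE_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 15 09:45:12 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /tmp/tenants;id.csv vpn 0
Apr 15 09:46:00 vmanage vScript: Config push completed
"""

# Anchored on the script name rather than the full message so a slightly different
# wording, or a copy invoked from another directory, is still caught.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r".*vconfd_script_upload_tenant_list\.sh (?P<args>.*)$"
)
PATH_RE = re.compile(r"\bpath (\S+)")
VPN_RE = re.compile(r"\bvpn (\d+)")

# Assumption: legitimate tenant lists are staged under this directory. Replace it with
# wherever your own workflow writes them before trusting the ranking.
EXPECTED_DIRS = ("/opt/data/tenantlist/",)
SHELL_META = re.compile(r"[;&|`$(){}<>]")


def parse_upload_events(log_text: str) -> List[Dict[str, object]]:
    """Return one record per tenant-list upload found in the log text.

    Every invocation is returned (each one merits review); 'reasons' lists the
    heuristics that make a given hit look more suspicious than a routine upload.
    """
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        path_m = PATH_RE.search(args)
        vpn_m = VPN_RE.search(args)
        path = path_m.group(1) if path_m else ""
        reasons: List[str] = []
        if not path.startswith(EXPECTED_DIRS):
            reasons.append("path outside expected upload directory")
        if SHELL_META.search(path):
            reasons.append("shell metacharacters in path")
        if not path.endswith(".csv"):
            reasons.append("unexpected file extension")
        events.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "path": path,
            "vpn": int(vpn_m.group(1)) if vpn_m else None,
            "reasons": reasons,
        })
    return events


def suspicious_events(log_text: str) -> List[Dict[str, object]]:
    """Only the uploads that tripped at least one heuristic."""
    return [e for e in parse_upload_events(log_text) if e["reasons"]]


if __name__ == "__main__":
    # Run against a real file with: python3 triage.py < /var/log/scripts.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for e in suspicious_events(text):
        print(f"{e['timestamp']} {e['host']} path={e['path']} vpn={e['vpn']}: "
              + "; ".join(e["reasons"]))
```

Treat any hit as a lead, not a verdict: the upload script is legitimate, so the path, the account that ran it, and the contents of the referenced file are what distinguish abuse from routine use. Run the same check over the scripts.log copy inside an admin-tech bundle if the live box is already suspect.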
For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC. Cisco advises admins to first generate an admin-tech file to help with the review.
Security Patches and Recommendations
While Cisco has not yet released patches for CVE-2026-20245, the company advises customers to upgrade to the fixed software released for CVE-2026-20182 on May 14. In February, Cisco patched another Catalyst SD-WAN Manager information disclosure flaw (CVE-2026-20133), which CISA flagged as actively exploited in late April.
In March, Cisco patched a critical authentication-bypass vulnerability (CVE-2026-20127) and flagged it as exploited in zero-day attacks since at least 2023. Over the last several years, CISA has tagged 90 Cisco vulnerabilities as abused in the wild, four of them in Cisco Catalyst SD-WAN Manager and six others exploited by ransomware operations.
Conclusion
CVE-2026-20245 in Cisco Catalyst SD-WAN Manager is a high-severity, unpatched zero-day flaw that is actively being exploited. Until a fix ships, Cisco recommends upgrading to the software fixed for CVE-2026-20182 and, if compromise is suspected, generating an admin-tech file and opening a TAC case. Because exploitation requires netadmin access, organizations should also confirm that CVE-2026-20127 and CVE-2026-20182 are patched, review /var/log/scripts.log for the upload indicator above, and audit recent configuration changes pushed to edge devices.
Source: BleepingComputer