An Unpatched Flaw With Active Exploitation Already Confirmed
Cisco disclosed a high-severity zero-day vulnerability in its Catalyst SD-WAN Manager platform on Thursday, warning that attackers are already exploiting it in the wild. The flaw, tracked as CVE-2026-20245, allows a local attacker with low privileges to escalate to root by uploading a crafted file — and no security patch exists yet.
What makes this disclosure particularly difficult for network administrators is the scope. The vulnerability affects every deployment variant of Cisco Catalyst SD-WAN Manager: On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). There is no version or configuration that avoids exposure.
How the Exploit Works
The vulnerability originates from insufficient validation of user-supplied input. An attacker uploads a malicious file to the affected system, which then enables command injection and privilege escalation to root. Cisco described it directly in its advisory: “A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.”
The attack does require a starting foothold. To exploit CVE-2026-20245, an attacker must already hold netadmin privileges on the system — either through valid credentials or by chaining the exploit with two other recently disclosed vulnerabilities: CVE-2026-20182, a maximum-severity authentication bypass flaw in Cisco Catalyst SD-WAN Controller, and CVE-2026-20127, a critical authentication-bypass vulnerability that has been exploited in zero-day attacks since at least 2023. Cisco stated explicitly that it is not aware of successful exploitation through any other method.
The practical consequence of a successful attack extends beyond the compromised management server. Cisco has observed cases where exploitation of CVE-2026-20245 resulted in configuration changes being pushed to edge devices — meaning an attacker who compromises the management plane can alter the behavior of the physical infrastructure beneath it.
Formerly known as SD-WAN vManage, Cisco Catalyst SD-WAN Manager is the centralized control point for monitoring and managing up to 6,000 Catalyst SD-WAN devices from a single dashboard. Administrative access to this system is, by design, access to an organization’s entire SD-WAN deployment.
How Cisco Learned About This
Cisco’s Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 in June, after Mandiant — the Google Cloud cybersecurity subsidiary — reported the flaw to Cisco. Mandiant did not publicly disclose technical details of the vulnerability at the time of reporting.
Cisco has published indicators of compromise (IOCs) to help administrators detect whether their systems have already been targeted. The key signal is in the /var/log/scripts.log file on the SD-WAN Manager instance. Administrators should look for attempts to upload tenant configuration data to vSmart controllers using legitimate system commands — a technique that abuses expected system behavior to avoid standing out.
Cisco provided a concrete log example showing what malicious activity looks like in that file:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0The presence of an unexpected or unrecognized .csv file path in that log entry — particularly one referencing a file in a user’s home directory — is the indicator administrators should act on immediately.
No Patch Yet, But a Partial Mitigation Path Exists
Cisco has not released a dedicated patch for CVE-2026-20245. The advisory directs customers to upgrade to the software version that already addresses CVE-2026-20182, which Cisco made available on May 14. That upgrade does not fix the root escalation flaw directly, but it eliminates one of the two known paths attackers use to acquire the netadmin privileges required to launch it in the first place.
For organizations that need to assess whether their SD-WAN Manager has already been compromised, Cisco advises opening a support case with Cisco TAC. Before doing so, administrators should collect admin-tech files from the affected system — Cisco’s standard diagnostic package — to assist with the forensic review.
This advisory lands in the context of sustained, multi-year pressure on Cisco’s SD-WAN product line. In February, Cisco patched an information disclosure flaw in SD-WAN Manager, CVE-2026-20133, which the Cybersecurity and Infrastructure Security Agency (CISA) flagged as actively exploited in late April. Two weeks after that CISA alert, Cisco warned that two additional flaws — CVE-2026-20128 and CVE-2026-20122 — were also being abused. In March, Cisco addressed CVE-2026-20127, the critical authentication-bypass that had apparently been exploited since at least 2023 before it was formally patched.
The Broader Pattern in Cisco Vulnerability Exploitation
CISA has designated 90 Cisco vulnerabilities as actively exploited in the wild over the past several years. Four of those involve Cisco Catalyst SD-WAN Manager specifically. Six Cisco vulnerabilities have been tied to ransomware operations.
That accumulation raises a structural question for organizations that have standardized on Cisco’s SD-WAN architecture: the management plane — the software responsible for configuring and controlling the entire network — has repeatedly been the entry point. CVE-2026-20245 continues that pattern, with a twist: the root escalation it enables means an attacker who gets in through a chained exploit doesn’t just observe the network, they can rewrite it.
The chaining dynamic here is worth dwelling on. CVE-2026-20127 was exploited for at least three years before a patch arrived in March. CVE-2026-20182 was flagged as actively exploited last month. CVE-2026-20245, which requires one of those two as a prerequisite, is now confirmed exploited with no fix available. An environment that delayed patching CVE-2026-20182 after last month’s advisory may have already provided the access needed to trigger today’s disclosed flaw.
Administrators running Cisco Catalyst SD-WAN Manager should treat the upgrade addressing CVE-2026-20182 as the most immediate priority — not because it patches CVE-2026-20245, but because it closes the most accessible prerequisite. After that upgrade, reviewing /var/log/scripts.log for the IOC pattern Cisco published is the next concrete step. The Cisco TAC case option exists for environments that need a deeper forensic assessment.
Whether Mandiant’s involvement in reporting this vulnerability will eventually produce a fuller public technical account of how CVE-2026-20245 is being exploited in the wild — including who is doing the exploiting and toward what ends — remains an open question. For now, the public advisory contains no attribution.
