Cisco warns of unpatched SD-WAN zero-day exploited in attack
Cisco has disclosed a high-severity zero-day vulnerability in Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20245, that is currently being exploited in active attacks to gain root-level access on affected systems.
The vulnerability affects all deployment models, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
According to a security advisory released on Thursday, the flaw is caused by insufficient validation of user-supplied input. Attackers with limited privileges can exploit the issue to execute arbitrary commands with root privileges.
Cisco explained that an attacker could upload a specially crafted file to a vulnerable system, triggering a command injection attack that results in privilege escalation to the root user.
To successfully exploit the vulnerability, an attacker must already possess netadmin-level access to the affected device. This access could be obtained through valid credentials or by exploiting previously disclosed vulnerabilities CVE-2026-20182 or CVE-2026-20127. Cisco stated that it has not observed successful exploitation through any other methods.
The company noted that in the limited number of observed attacks, exploitation resulted in configuration changes being pushed to SD-WAN edge devices.
Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage, is a centralized management platform that allows administrators to monitor and control up to 6,000 Catalyst SD-WAN devices from a single interface.
Cisco's Product Security Incident Response Team (PSIRT) became aware of the active exploitation after receiving a report from Mandiant, Google's cloud cybersecurity division, in June. While Mandiant disclosed the existence of the vulnerability, it did not provide additional technical details.
To assist customers in identifying potential compromises, Cisco published indicators of compromise (IOCs). Administrators are advised to review the /var/log/scripts.log file on SD-WAN Manager systems for suspicious attempts to upload tenant configuration data to vSmart controllers: because the attack abuses legitimate system commands to escalate privileges, such entries can be a sign of exploitation even when nothing else looks out of place.
Cisco also recommends that organizations concerned about potential compromise contact Cisco Technical Assistance Center (TAC) support and generate an admin-tech file to facilitate investigation.
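As an added triage example (not part of Cisco's advisory or of the original article), the shell script below scans a scripts.log-style file for lines that mention tenant configuration being pushed or uploaded to vSmart controllers, which is the IOC described above. The format of the real /var/log/scripts.log is not documented on this page, so the sample lines are constructed for illustration and the match pattern is an assumption that should be tuned against a real log before it is relied on.

```shell
#!/bin/sh
# Added example: hunt a scripts.log-style file for the IOC Cisco describes
# (attempts to upload tenant configuration data to vSmart controllers).
# ASSUMPTION: the real /var/log/scripts.log format is not known here; the match
# pattern below is a starting point, not Cisco's published signature.

# make_sample_log -> writes constructed sample lines to a temp file and prints its path.
# These lines are made up for the example; they are not real Cisco log output.
make_sample_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
2026-06-12 03:14:07 [script] backup_config.sh completed for site-12
2026-06-12 03:15:22 [script] upload tenant config to vsmart 10.0.0.5 by user netadmin
2026-06-12 03:15:23 [script] sh: tenant export; push to vSmart controller 10.0.0.6
2026-06-12 03:16:00 [script] cert_rotate.sh ok
EOF
    printf '%s\n' "$f"
}

# hunt_scripts_log LOGFILE -> prints matching lines with line numbers.
# Two-stage filter: the line must mention "tenant" AND a vSmart/upload/push verb,
# which keeps ordinary tenant-related housekeeping out of the hit list.
hunt_scripts_log() {
    logfile="$1"
    grep -n -i 'tenant' "$logfile" | grep -i -E 'vsmart|upload|push'
}

# count_hits LOGFILE -> number of suspicious lines (0 means nothing matched).
count_hits() {
    hunt_scripts_log "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample; on a real SD-WAN Manager you
# would point hunt_scripts_log at /var/log/scripts.log instead.
sample="$(make_sample_log)"
hunt_scripts_log "$sample"
echo "suspicious lines: $(count_hits "$sample")"
rm -f "$sample"
```

A non-zero hit count is a reason to pull the admin-tech file and open a TAC case, not proof of compromise on its own; cross-check any hits against unexpected configuration changes on edge devices, which is what Cisco reported seeing in the observed attacks.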
At present, security patches for CVE-2026-20245 are not yet available. As a mitigation measure, Cisco recommends upgrading to software versions that address CVE-2026-20182, an authentication bypass vulnerability that was patched on May 14 and has also been actively exploited as a zero-day. This does not fix the command injection itself, but it closes one of the paths attackers have used to obtain the netadmin-level access that exploitation requires.
The latest disclosure follows several recent security issues affecting Cisco SD-WAN products. In February, Cisco fixed CVE-2026-20133, an information disclosure vulnerability that was later added by CISA to its Known Exploited Vulnerabilities catalog. Shortly afterward, CISA warned that CVE-2026-20128 and CVE-2026-20122 were also being actively exploited.
Earlier in March, Cisco patched CVE-2026-20127, a critical authentication bypass vulnerability that had reportedly been exploited in zero-day attacks since at least 2023.
Over the past several years, the Cybersecurity and Infrastructure Security Agency (CISA) has identified approximately 90 Cisco vulnerabilities that have been exploited in real-world attacks. Among these, four affected Cisco Catalyst SD-WAN Manager, while six others were linked to ransomware-related activity.