Cisco warns of unpatched SD-WAN zero-day exploited in attacks

On Thursday, Cisco warned of a serious, unpatched vulnerability in Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) that is being exploited in attacks to escalate privileges to root.
The zero-day bug affects all deployment types, including on-premises deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
In an advisory published on Thursday, Cisco said the issue stems from insufficient authentication of user-provided logins and could allow a low-privileged local attacker to execute arbitrary commands as root.

“An attacker can exploit this vulnerability by uploading a crafted file to an affected system. A successful exploit can allow an attacker to perform a command injection attack on an affected system and elevate their privileges as the root user,” the company explained.
“In order to exploit this vulnerability, an attacker must have netadmin privileges on the affected system. This would require valid credentials or exploiting CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploits by other means,” it added. “Cisco cannot be successfully exploited by other means. Cisco has seen limited cases where exploitation of this bug resulted in a configuration change pushed to edge devices.”
Formerly known as SD-WAN vManage, Catalyst SD-WAN Manager is network management software that lets administrators monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco’s Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June, after Google Cloud cybersecurity subsidiary Mandiant reported the flaw, but no details about the attacks have been shared.
However, the indicators of compromise (IOCs) Cisco shared advise administrators to check the SD-WAN Manager /var/log/scripts.log file for attempts to upload tenant configuration data to vSmart controllers using legitimate commands in order to elevate privileges, as in the following example:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0

“For help determining whether Cisco Catalyst SD-WAN Manager is compromised, customers may open a case with Cisco TAC,” the company added, advising administrators to first create a technical management file to assist in the review.
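As an added example (not code from Cisco's advisory or this article), the following Python script scans a copy of /var/log/scripts.log for the tenant-list upload indicator quoted above and reports each invocation with the file it was given. The sample log lines are constructed, and treating uploads sourced from user-writable paths such as /home or /tmp as higher priority is an assumption of this example, not Cisco guidance.

```python
import re
import sys

# Constructed sample of /var/log/scripts.log, modelled on the IOC quoted in the advisory.
SAMPLE_SCRIPTS_LOG = """\
Apr 15 09:12:03 vmanage vScript: Running /usr/bin/vconfd_script_check_disk.sh
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 16 11:02:10 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /opt/data/tenant_list.csv vpn 0
"""

# Matches the tenant-list upload script invocation and captures the file it was handed.
UPLOAD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vScript: "
    r"Tenant list upload per vsmart serial number: "
    r"\S*vconfd_script_upload_tenant_list\.sh .*?path (?P<path>\S+)"
)

# Assumption of this example: tenant lists staged from user-writable locations are
# the most likely sign of abuse and are escalated first; everything else is still reviewed.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/")


def find_tenant_list_uploads(log_text):
    """Return (timestamp, source path) for every tenant-list upload found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("path")))
    return hits


def prioritise(hits):
    """Split upload events into (escalate, review) by where the uploaded file came from."""
    escalate = [h for h in hits if h[1].startswith(USER_WRITABLE_PREFIXES)]
    review = [h for h in hits if h not in escalate]
    return escalate, review


def scan(log_text):
    escalate, review = prioritise(find_tenant_list_uploads(log_text))
    return {"escalate": escalate, "review": review}


if __name__ == "__main__":
    # Pass the path of a copied scripts.log; without an argument the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SCRIPTS_LOG
    for label, events in scan(text).items():
        for ts, path in events:
            print(f"{label.upper():8} {ts}  tenant list uploaded from {path}")
```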
Security patches are not yet available
Last month, Cisco also flagged a critical Catalyst SD-WAN Controller bypass flaw (CVE-2026-20182) as actively exploited in zero-day attacks to gain administrative privileges on unpatched devices.
While Cisco has not yet released patches for CVE-2026-20245, it has advised customers to upgrade to the software release that patches CVE-2026-20182 by May 14.
In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133), which CISA flagged as being exploited in late April, and, two weeks later, warned that two other flaws (CVE-2026-20128 and CVE-2026-20122) were being exploited.
In March, it also addressed and flagged a critical authentication bypass vulnerability (CVE-2026-20127) that has been exploited in zero-day attacks since at least 2023.
Over the past few years, CISA has flagged 90 Cisco vulnerabilities as exploited in the wild, four of them in Cisco Catalyst SD-WAN Manager and six others exploited in ransomware attacks.
