Cisco SD-WAN Manager CVE-2026-20245 exploited, no patch yet
Cisco disclosed a command-injection zero-day in Catalyst SD-WAN Manager on June 5. Mandiant credited as reporter. CVSS 7.8, exploitation observed, no fix available.
Cisco disclosed CVE-2026-20245 on June 5, 2026 via advisory cisco-sa-sdwan-mltvnps2-JxpWm7R — a command-injection flaw in the Catalyst SD-WAN Manager CLI that lets an authenticated attacker with netadmin privileges execute arbitrary commands as root. CVSS v3.1 is 7.8 (High). Cisco PSIRT credits Mandiant with reporting the bug and notes exploitation has been observed in limited cases. There is no patch and no workaround at disclosure time.
What the bug does
Per the Cisco advisory, the root cause is insufficient validation of user-supplied input in the SD-WAN Manager CLI. An attacker who already holds netadmin credentials can upload a crafted file and have its contents executed as root on the appliance. From there, configuration changes can be pushed to the edge devices the Manager controls — which is the impact pattern Cisco specifically calls out in its observed-exploitation note.
Netadmin is a high-privilege role, but it is not the highest. Cisco frames the access requirement two ways: stolen credentials, or chaining one of two earlier SD-WAN bugs, both already on KEV — CVE-2026-20182 and CVE-2026-20127 — to reach netadmin first, then pivoting through 20245 to root.
Affected products
The advisory states the bug affects all SD-WAN Manager deployment types, regardless of device configuration:
- On-Prem Catalyst SD-WAN Manager
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
Cisco lists no fixed release for CVE-2026-20245. Customers are pointed to the existing fix train for CVE-2026-20182 — releases 20.9.9.1, 20.12.7.1, 20.15.5.2, and 20.18.2.2 for on-prem branches, and 20.15.506 for the Cisco-managed cloud — because closing 20182 removes the easier path to netadmin while a fix for 20245 itself is in development.
Exploitation status
The exploited-in-the-wild call is Cisco's own, made in the body of the advisory and attributed to PSIRT learning of in-the-wild use during the June 2026 disclosure cycle. Reporting at The Hacker News and Help Net Security repeats the same Cisco-sourced framing — "limited cases" with "configuration changes pushed to edge devices." No public PoC has been published. No named victim has been disclosed. Attribution beyond "discovered and reported by Mandiant" is not in the advisory; treat ambient framing about specific actors as speculation until upstream says otherwise.
To preserve evidence ahead of any future upgrade, Cisco asks operators to issue request admin-tech from each control component before patching. The output bundle is what Cisco TAC needs to validate compromise against the IOC guidance shipped with the advisory.
Action checklist
- Read the Cisco advisory end-to-end and ingest the indicators-of-compromise section. The advisory is the only authoritative IOC source for CVE-2026-20245 — do not paraphrase it; copy it verbatim into your detection rules.
- Patch CVE-2026-20182 now if you have not. Upgrade on-prem SD-WAN Manager to 20.9.9.1, 20.12.7.1, 20.15.5.2, or 20.18.2.2 on the matching branch, and verify Cisco-managed cloud tenants are at 20.15.506. This removes the chained path to netadmin even though 20245 itself remains unpatched.
- Rotate every netadmin credential and require MFA on every account with the role. Until a 20245 fix ships, any netadmin compromise is a root compromise of the Manager.
- Capture request admin-tech on every control component before any upgrade, archive the bundle, and hold it for forensic review. Cisco wants this output as the IOC matching surface; you want it as evidence the appliance was clean at a known point.
- Verify edge device configurations against your last known-good baseline. The observed exploitation impact pattern is configuration push from Manager to edges — diff what is actually running on each device against what your change-management system says should be there.
- If you operate a Cisco-managed cloud tenant, open a TAC case to confirm your appliance has been audited; the cloud-deployment population is Cisco's to instrument, not yours.
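The fix-train check in the second item above can be scripted so an inventory of Manager instances is graded consistently. This is an added example, not Cisco tooling: it encodes only the fixed releases named in this article, assumes a version string of dotted integers as reported by the appliance, and takes the deployment type (on-prem vs. Cisco-managed cloud) as an explicit argument because the two fix trains differ on the 20.15 branch.

```python
"""Grade a Catalyst SD-WAN Manager version against the CVE-2026-20182 fix train.

Added example, not Cisco's code. Fixed releases are the ones the advisory text
names; anything else (other branches, CVE-2026-20245 itself) is reported as
unfixed so the operator is not lulled by a partial upgrade.
"""
from typing import Dict, Optional, Tuple

# Fixed releases for CVE-2026-20182, per the advisory as quoted above.
ON_PREM_FIXED: Dict[str, str] = {
    "20.9": "20.9.9.1", "20.12": "20.12.7.1",
    "20.15": "20.15.5.2", "20.18": "20.18.2.2",
}
CLOUD_FIXED: Dict[str, str] = {"20.15": "20.15.506"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '20.12.7.1' into (20, 12, 7, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two versions of unequal length by zero-padding the shorter one."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def check_manager(version: str, deployment: str) -> Dict[str, Optional[object]]:
    """Return the branch, the fixed release for it (if any) and a verdict.

    deployment is 'on-prem' or 'cloud' (Cisco-managed); the tables differ.
    """
    tables = {"on-prem": ON_PREM_FIXED, "cloud": CLOUD_FIXED}
    if deployment not in tables:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    running = parse_version(version)
    branch = ".".join(str(x) for x in running[:2])
    fixed = tables[deployment].get(branch)
    result: Dict[str, Optional[object]] = {
        "branch": branch, "fixed_release": fixed,
        # No fix for CVE-2026-20245 existed at disclosure; never report one.
        "cve_2026_20245_fixed": False,
    }
    if fixed is None:
        result.update(patched_20182=False,
                      action=f"no fixed release listed for branch {branch}; move to a fixed branch")
    elif compare(running, parse_version(fixed)) >= 0:
        result.update(patched_20182=True, action="20182 closed; still rotate netadmin creds, capture admin-tech")
    else:
        result.update(patched_20182=False, action=f"upgrade to {fixed}")
    return result
```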
Context
This is the seventh actively-exploited Catalyst SD-WAN zero-day SecurityWeek has counted in 2026, after CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. The pattern is consistent across the year: an authenticated bug exploitable via stolen or chained credentials, disclosed with no fix, sometimes shipped with IOCs Cisco asks operators to apply against admin-tech output. SD-WAN Manager is, on Cisco's own count, the most-targeted Catalyst component of the year.
The structural reading is uncomfortable but not new. Centralised SDN controllers — by design — concentrate enough authority that "authenticated attacker with netadmin" becomes synonymous with "owns the network." Every patch cycle that closes the path to netadmin only buys time on the next one. If you operate SD-WAN Manager on-prem and your change-management practice does not already treat Manager as a Tier-0 system, CVE-2026-20245 is the prompt to reclassify it today.