Cisco SD-WAN Manager Command Injection Exploited for Root-Level Device Changes
Cisco disclosed a critical command injection flaw in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) that is being actively exploited in the wild, allowing an authenticated local attacker with netadmin privileges to execute arbitrary commands as root. The vulnerability is caused by insufficient validation of file-transfer payloads in the CLI, and Cisco said observed exploitation has already resulted in unauthorized configuration changes being pushed from the manager to edge devices, raising the risk of broader network compromise in affected SD-WAN environments.
Cisco also warned that the issue could be chained with the previously disclosed authenticated privilege-escalation bug CVE-2026-20182 to obtain the required access level before triggering command execution. At the time of disclosure, no standard software fix was available; administrators were advised to review logs, inspect scripts.log for suspicious activity, and work with the Cisco Technical Assistance Center (TAC) for mitigations and workarounds while assessing whether managed edge infrastructure had been altered.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Cisco reports active exploitation of CVE-2026-20245
Cisco disclosed that CVE-2026-20245, a critical command injection flaw in Cisco Catalyst SD-WAN Manager, was being actively exploited in the wild as of June 2026. Observed exploitation led to configuration changes being pushed to edge devices, and Cisco said no standard patch was yet available while mitigations were provided through TAC.
Acer releases urgent firmware update for Connect W6x devices
Acer released firmware version W6x_GBL_2.00.000008 or later for affected Connect W6x consumer wireless devices. The update fixes critical flaws including CVE-2026-49197 and CVE-2026-49199, along with three additional high-severity vulnerabilities.
Multiple Acer vulnerability CVE records are published
On June 4, 2026, CVE records were published for several Acer issues, including CVE-2026-49190, CVE-2026-49193, CVE-2026-50206, CVE-2026-50207, and CVE-2026-50209. The entries describe impacts ranging from command injection and unauthorized command execution to public telemetry exposure and MDM endpoint takeover.
Acer posts security advisory for upcoming firmware update
An Acer community security advisory about an upcoming firmware update for the Acer Connect M6E 5G Portable WiFi Router was published. This advisory is cited by later CVE records tied to multiple Acer vulnerabilities.
Cisco publishes SD-WAN Manager privilege escalation advisory
Cisco published a security advisory for an authenticated privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager. The advisory corresponds to CVE-2026-20182, which was later noted as chainable with CVE-2026-20245.
Sources
9 references tracked.
Cisco SD-WAN Vulnerability Exploited in the Wild
securityonline.info
Acer Router Flaw: Critical Authentication Bypass
securityonline.info
CVE-2026-50209 - MDM Server Registration Overriding
cvefeed.io
CVE-2026-50206 - VPN Command Injection Vulnerability
cvefeed.io
CVE-2026-49193 - Publicly Readable AWS S3 Telemetry Buckets
cvefeed.io
CVE-2026-49190 - Missing Per-Instruction Authorization Checks
cvefeed.io
CVE-2026-50207 - Local Modem Manipulation via Binder Interfaces
cvefeed.io
Security Advisory: Upcoming Firmware Update for Acer Connect M6E 5G Portable WiFi Router - Acer Community
community.acer.com
Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability
sec.cloudapps.cisco.com


