Cisco Catalyst SD-WAN Manager Zero-Day Exploited for Root Command Execution
Cisco disclosed active exploitation of CVE-2026-20245, a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager that lets an authenticated attacker with netadmin privileges upload a crafted file and execute arbitrary commands as root. The vulnerability affects all deployment models, including on-premises, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP environments, and Cisco said attackers have already used it in limited incidents to push unauthorized configuration changes to SD-WAN edge devices.
Cisco said the flaw stems from insufficient validation and sanitization of user-supplied input in the CLI processing path, and warned that attackers may obtain the required privileges with valid credentials or by chaining previously disclosed bugs such as CVE-2026-20182 or CVE-2026-20127. No dedicated patch or workaround was available at disclosure, so Cisco urged customers to upgrade to software versions that fix earlier exploited issues, review indicators of compromise such as suspicious entries in /var/log/scripts.log, preserve forensic evidence, collect diagnostics with the command:
request admin-tech
and contact Cisco TAC if compromise is suspected.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Cisco publishes IOCs and mitigation guidance for compromised systems
Alongside the disclosure, Cisco shared indicators of compromise such as suspicious entries in /var/log/scripts.log and advised customers to preserve forensic evidence, collect admin-tech data, and contact Cisco TAC for compromise assessment. Cisco also recommended upgrading to software versions that already fix the previously exploited CVE-2026-20182 while awaiting a dedicated fix for CVE-2026-20245.
Cisco discloses actively exploited CVE-2026-20245 with no patch yet
Cisco publicly disclosed CVE-2026-20245, a high-severity command injection and privilege-escalation flaw in Cisco Catalyst SD-WAN Manager that can let an authenticated attacker with netadmin privileges execute commands as root. At disclosure, Cisco said the vulnerability was being actively exploited in the wild, affected all deployment models, and had no dedicated patch or workaround available.
Cisco receives Mandiant report of SD-WAN zero-day exploitation
Cisco said it learned in June of active exploitation of CVE-2026-20245 in Catalyst SD-WAN Manager after receiving a report from Mandiant. The observed activity included limited incidents in which attackers pushed unauthorized configuration changes to SD-WAN edge devices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited - No Patch Available
thehackernews.com
Open sourceCVE-2026-20245 - Cisco Catalyst SD-WAN Manager Privilege Escalation - TheCyberThrone
thecyberthrone.in
Open sourceAnother Cisco Catalyst SD-WAN Manager bug actively exploited | news | SC Media
scworld.com
Open sourceCVE-2026-20245: Cisco SD-WAN Manager Zero-Day
socprime.com
Open sourceCisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245) - Help Net Security
helpnetsecurity.com
Open sourceCisco warns of unpatched SD-WAN zero-day exploited in attacks
bleepingcomputer.com
Open sourceYet another Cisco SD-WAN 0-day under attack, and no patch in sight
theregister.com
Open sourceCisco's SD-WAN nightmare continues with fresh root access vulnerability - SDxCentral
sdxcentral.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco SD-WAN Manager Command Injection Exploited for Root-Level Device Changes
Cisco disclosed a critical command injection flaw in **Cisco Catalyst SD-WAN Manager** (`CVE-2026-20245`) that is being actively exploited in the wild, allowing an authenticated local attacker with `netadmin` privileges to execute arbitrary commands as `root`. The vulnerability is caused by insufficient validation of file-transfer payloads in the CLI, and Cisco said observed exploitation has already resulted in unauthorized configuration changes being pushed from the manager to edge devices, raising the risk of broader network compromise in affected SD-WAN environments. Cisco also warned the issue could be chained with the previously disclosed authenticated privilege-escalation bug `CVE-2026-20182` to obtain the required access level before triggering command execution. At the time of disclosure, no standard software fix was available; administrators were advised to review logs, inspect `scripts.log` for suspicious activity, and work with Cisco Technical Assistance Center for mitigations and workarounds while assessing whether managed edge infrastructure had been altered.
Jun 5, 2026
Cisco SD-WAN Authentication Bypass Exploited for Admin Access and Persistence
Cisco disclosed and patched **CVE-2026-20182**, a critical `CVSS 10.0` authentication bypass flaw in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** that has been exploited in the wild. The bug affects the `vdaemon` control-plane service over **DTLS/UDP 12346** and allows an unauthenticated attacker to impersonate a trusted peer, gain high-privilege administrative access, reach **NETCONF** on `TCP/830`, and manipulate SD-WAN fabric configuration. Rapid7 said the flaw stems from missing authentication checks when a peer claims to be a vHub device, enabling attackers to inject SSH keys for the `vmanage-admin` account and establish persistent access; Cisco said there are **no workarounds** and released fixed software versions for affected on-premises, cloud, managed-cloud, and FedRAMP deployments. Cisco Talos attributed the most sophisticated exploitation of `CVE-2026-20182` with high confidence to **UAT-8616**, which was observed adding SSH keys, modifying NETCONF settings, and escalating privileges to root, with infrastructure overlap noted with Operational Relay Box networks. Talos also reported broader ongoing attacks against SD-WAN environments, including widespread exploitation of previously disclosed **CVE-2026-20133**, **CVE-2026-20128**, and **CVE-2026-20122** after public proof-of-concept release, leading to deployment of JSP webshells such as **XenShell**, **Godzilla**, and **Behinder**, along with tools including Sliver, AdaptixC2, XMRig, gsocket, and credential-stealing scripts. **CISA added CVE-2026-20182 to the KEV catalog** and ordered federal agencies to remediate quickly, while Cisco and national cyber agencies urged organizations to preserve forensic evidence, review logs for unauthorized peering and `vmanage-admin` public-key logins, and patch all vulnerable control components immediately.
Jun 8, 2026
Cisco SD-WAN Zero-Day Exploited to Add Rogue Peers and Gain Persistent Root Access
Cisco and multiple government cyber agencies warned that attackers are actively exploiting **CVE-2026-20127**, a critical `CVSS 10.0` authentication bypass in **Cisco Catalyst SD-WAN Controller** and **Catalyst SD-WAN Manager**. The flaw affects the peering authentication process and lets unauthenticated remote attackers gain administrative access, use `NETCONF`, and alter SD-WAN fabric configuration, including adding **malicious rogue peers**. Cisco Talos attributed the activity to a sophisticated cluster tracked as **UAT-8616**, with evidence suggesting exploitation dates back to at least 2023 and has affected high-value targets, including critical infrastructure and government networks. Investigators said the intrusions often continued with a downgrade of the appliance software to exploit **CVE-2022-20775** for **root** privilege escalation, after which the original version was restored to help conceal the compromise while maintaining persistence. In response, **CISA** added both CVEs to the **Known Exploited Vulnerabilities** catalog and issued **Emergency Directive 26-03** for U.S. federal civilian agencies, while the **UK NCSC**, **ACSC**, **Canadian Centre for Cyber Security**, and other partners released joint hunting and hardening guidance. Cisco said there are **no complete workarounds**, urged immediate upgrades to fixed releases, and advised defenders to review peering events, SSH key activity, version history, and logs for signs of tampering or unauthorized access.
Apr 21, 2026